alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client; file_data; content:".exe?"; fast_pattern; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\/[a-zA-Z0-9\/\-\_]{60,}\/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+(&h=\d+)?[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; reference:md5,9a17d72f6234a1dc930ffe6b1681504c; classtype:exploit-kit; sid:2016498; rev:11; metadata:created_at 2013_02_26, signature_severity Major, updated_at 2020_08_20;)