alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GrandSoft PDF Payload Download"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.method; content:"GET"; http.user_agent; content:"http|3a|//"; fast_pattern; startswith; http.start; pcre:"/^GET (?P<uri>(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP\/1\.1\r\nUser-Agent\x3a\x20http\x3a\/\/(?P<host>[^\r\n]+)(?P=uri)\r\nHost\x3a\x20(?P=host)\r\n(\r\n)?$/"; classtype:exploit-kit; sid:2016764; rev:19; metadata:created_at 2013_04_17, signature_severity Major, updated_at 2020_11_05;)