alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT - Possible Redkit 1-4 char JNLP request"; flow:established,to_server; urilen:<11; http.uri; content:".jnlp"; endswith; nocase; fast_pattern; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/"; classtype:exploit-kit; sid:2016811; rev:8; metadata:created_at 2013_05_03, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_18;)