alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer Use After Free Inbound (CVE-2013-1347)"; flow:established,to_client; file_data; content:".offsetParent"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"datalist"; nocase; pcre:"/^[\x22\x27\s\>]/R"; content:".innerHTML"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"<!doctype html"; nocase; pcre:"/[\x22\x27\<]table[\x22\x27\>]/"; pcre:"/[\x22\x27\<]hr[\x22\x27\>]/"; content:"CollectGarbage"; nocase; fast_pattern; reference:cve,2013-1347; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,technet.microsoft.com/en-us/security/advisory/2847140; classtype:attempted-user; sid:2016822; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2013_05_04, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag Web_Client_Attacks, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:dest_ip;)