alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern; content:"</applet>"; content:"<applet"; within:20; content:"archive"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?P<q>[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:exploit-kit; sid:2016840; rev:6; metadata:created_at 2013_05_09, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_10_08;)