alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole EK Jar Download URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,16}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|[a-z]{16,20}\/[a-z]{16,20}|closest\/[a-z0-9]+)\.php\?[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+&[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+$/U"; classtype:exploit-kit; sid:2017140; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2019_07_26;)