alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE Memory Corruption Inbound (CVE-2013-3893)"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; nocase; fast_pattern; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?!function)(?P<func>[^\r\n\s]+)\b.+?function[\r\n\s]+(?P=func)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017480; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_06_27;)