alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page"; flow:established,from_server; file_data; content:".javaEnabled"; content:"f1=true"; nocase; fast_pattern:only; content:"window."; nocase; pcre:"/^(?P<windname>[a-z0-9]+)(?P<plug1>([sj]|f1))=true.+?window\.(?P=windname)(?P<plug2>(?:(?!(?P=plug1))([sj]|f1)))=true.+?window\.(?P=windname)(?!(?:(?P=plug1)|(?P=plug2)))(?:[sj]|f1)=true/Rsi"; classtype:exploit-kit; sid:2017569; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2019_07_26;)