alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated CVE-2013-2551"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<a>[0-9a-z]{2})(?P<s>(?!(?P=a))[0-9a-z]{2})[0-9a-z]{2}(?P=s)[0-9a-z]{2}(?P<y>[0-9a-z]{2})[0-9a-z]{4}(?P<dot>[0-9a-z]{2})(?P=a)(?P<r>[0-9a-z]{2})(?P=r)(?P=a)(?P=y)(?P=dot)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017693; rev:2; metadata:created_at 2013_11_07, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)