alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-3918"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"Array"; nocase; distance:0; content:"|22|"; nocase; within:500; content:!"|22|"; within:500; pcre:"/^[a-z0-9]{1,500}?(?P<s>[a-z0-9]{2})(?P<t>(?!(?P=s))[a-z0-9]{2})(?P<r>(?!(?:(?P=s)|(?P=t)))[a-z0-9]{2})(?P=t)(?P<o>(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{2})(?P<b>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)))[a-z0-9]{2})(?P<y>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)|(?P=b)))[a-z0-9]{2})(?P=t)(?:(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{4})(?P=s)(?P=t)(?P=r)/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017973; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, malware_family Nuclear, confidence High, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_07_26;)