alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CritX/SafePack/FlashPack CVE-2013-2551"; flow:established,from_server; file_data; content:"#default#VML"; content:"stroke"; content:"%66%75%6e%63%74%69%6f%6e"; nocase; content:"%66%72%6f%6d%43%68%61%72%43%6f%64%65"; content:"%63%68%61%72%41%74"; fast_pattern:only; classtype:exploit-kit; sid:2018235; rev:2; metadata:created_at 2014_03_08, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)