alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 Encoded Java Value"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"<value="; distance:0; pcre:"/\x3Cvalue\x3D\x22([a-z0-9+/]{4})*(?:[a-z0-9+/]{2}==|[a-z0-9+/]{3}=)/smi"; reference:url,vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html; classtype:bad-unknown; sid:2018447; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_05_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_07_26, reviewed_at 2024_03_06;)