alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Aug 16 2014"; flow:established,to_client; file_data; content:"0|22 29 3b 0a 0d 0a|</script>"; pcre:"/^\s*?<script>\s*?(?P<func>[A-Za-z0-9]+)\s*?\(\s*?[\x22\x27](?P<var>[^1\x22\x27]+)1[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)2[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)3[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>/Rsi"; classtype:exploit-kit; sid:2018950; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_08_18, deployment Perimeter, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2019_07_26;)