ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M4
Source: et/open
Created: September 16, 2014
Updated: February 23, 2024
Classification: exploit-kit
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M4"; flow:established,to_client; http.server; bsize:5; content:"nginx"; http.header; content:"X-Powered-By|3a 20|PHP"; content:"text/javascript"; file.data; content:"if|28|[removed].indexOf|28|"; within:27; fast_pattern; pcre:"/^\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27]\s*?\x29\s*?==\s*?-1\x29\x7b[^\r\n]*?document\.cookie\s*?=\s*?[\x22\x27](?P=var)\s*?\x3d\s*?[^\r\n]+?[\r\n]*?$/Rsi"; content:"iframe"; content:"top"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; content:"left"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; classtype:exploit-kit; sid:2019180; rev:4; metadata:created_at 2014_09_16, confidence High, signature_severity Major, updated_at 2024_02_23;)
Metadata
created at: 2014_09_16
confidence: High
signature severity: Major
updated at: 2024_02_23