alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Job314 EK Landing"; flow:established,from_server; file_data; content:"|22|container|22|,|20 22|10|22|,"; fast_pattern; content:"swfobject.embedSWF"; nocase; pcre:"/^\s*?\x28\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?(?P=q)\s*?\,\s*?[\x22\x27]container[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27],\s*?[\x22\x27]9\.0\.0[\x22\x27]\s*?,\s*?false\s*?,\s*?flashvars,\s*?params\s*?,\s*?attributes\s*?\x29\s*?\x3b\s*?<\/script>\s*?<\/head>/Rs"; classtype:exploit-kit; sid:2019287; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_09_27, deployment Perimeter, confidence High, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)