alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Nov 05 2014"; flow:from_server,established; file_data; content:"=|27|c"; pcre:"/^(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?A(?:\x27\s*?\+\s*?\x27)?/R"; content:"t|27 3b|return"; within:9; fast_pattern; content:".indexOf"; pcre:"/^\s*?\x28\s*?[a-z0-9]{4,6}\s*?\x28\s*?[a-z0-9]{1,3}\s*?,\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x29\s*?\x3b\s*?(?P<var>[a-z0-9]{1,3})\s*?\x3d\s*?\x28\s*?(?P=var)\s*?\x2b\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x25\s*?[a-z0-9]{1,3}\.length\x3b/R"; classtype:exploit-kit; sid:2019655; rev:6; metadata:created_at 2014_11_06, confidence High, signature_severity Major, updated_at 2019_07_26;)