alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT_KIT Possible HanJuan EK Flash Payload DL"; flow:established,to_server; http.uri; content:"/"; content:".php"; endswith; fast_pattern; within:11; pcre:"/\/[a-z]{3,7}\.php$/"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; content:"|0d 0a|Cache-Control|0d 0a|"; classtype:exploit-kit; sid:2019672; rev:3; metadata:created_at 2014_11_07, confidence Medium, signature_severity Major, updated_at 2024_02_23;)