alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole EK Exploit URI Struct"; flow:established,to_server; urilen:>34; content:"/"; offset:33; depth:1; http_uri; content:"Cookie|3a 20|nhweb="; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Za-z]+\.(?:html|jar|swf)$/U"; classtype:exploit-kit; sid:2019727; rev:2; metadata:created_at 2014_11_18, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)