alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:established,to_server; http.uri; content:"/main.html"; endswith; fast_pattern; endswith; http.header; content:"/index.html"; http.cookie; pcre:"/\b[a-z]{2}\d+\s*?=\s*?Yes/"; classtype:exploit-kit; sid:2020392; rev:7; metadata:created_at 2015_02_11, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_03;)