alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Sweet Orange EK Flash Exploit IE March 03 2015"; flow:established,to_server; urilen:>12; http.uri; content:!".swf"; nocase; pcre:"/\/(?=[a-z0-9]{0,20}[A-Z])(?=[A-Z0-9]{0,20}[a-z])(?=[A-Za-z]{0,20}[0-9])[A-Za-z0-9]{12,20}$/"; http.header_names; content:"|0d 0a|x-flash-version|0d 0a|"; fast_pattern; http.referer; content:".php?"; pcre:"/^[^\r\n]+?\x3a\d+[^\r\n]*?\/[a-z0-9]+\.php\?[a-z0-9]+=\d+(?:\r\n|&)/"; classtype:exploit-kit; sid:2020584; rev:4; metadata:created_at 2015_03_03, confidence High, signature_severity Major, updated_at 2024_02_23;)