alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Java Exploit Apr 23 2015"; flow:established,to_client; http.header; content:"Content-Disposition|3a 20|inline|3b|"; content:".jar|0d 0a|"; fast_pattern; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/m"; file.data; content:"PK"; within:2; classtype:exploit-kit; sid:2020983; rev:5; metadata:created_at 2015_04_23, confidence High, signature_severity Major, updated_at 2024_03_03;)