alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; http.uri; content:"/win.html"; fast_pattern; pcre:"/\/win\.html$/"; http.header; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?[^\r\n]*?\/(?:index.html)?\r\n.*?\r\nHost\x3a\x20(?P=refhost)[\x3a\r]/si"; classtype:exploit-kit; sid:2021292; rev:4; metadata:created_at 2015_06_18, signature_severity Major, updated_at 2020_10_01;)