alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Spartan EK Secondary Flash Exploit DL M2"; flow:established,to_server; urilen:>13; http.method; content:"GET"; http.uri; byte_test:1,>,64,1; byte_test:1,<,91,1; content:".xml"; endswith; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.xml$/"; http.header_names; content:"|0d 0a|x-flash-version|0d 0a|"; fast_pattern; http.referer; content:".swf"; nocase; pcre:"/Referer\x3a\x20[^\r\n]*?\/[a-f0-9]{32,64}\.swf/"; classtype:exploit-kit; sid:2021764; rev:4; metadata:created_at 2015_09_14, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_03;)