alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Angler EK Redirector Sept 25 2015"; flow:to_client,established; file_data; content:"<body>"; pcre:"/^(?:(?!<\/body).)+?Content\s*?loading.*?Please wait.*?<iframe/Rsi"; content:"Content loading"; nocase; content:"Please wait"; nocase; distance:0; content:"<iframe s1=|22|off|22|"; fast_pattern; distance:0; content:"mask=true"; distance:0; classtype:exploit-kit; sid:2021840; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_25, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2019_07_26;)