alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M2"; flow:established,to_client; http.content_type; content:"application/javascript|3b|"; startswith; file.data; content:"var iframe"; within:13; pcre:"/^\s*?=\s*?[\x22\x27]<iframe\s*?src\s*?=/R"; content:":-"; pcre:"/^\d{3,}/R"; content:"</iframe>"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; fast_pattern; isdataat:!2,relative; classtype:exploit-kit; sid:2022341; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, confidence High, signature_severity Major, tag Redirector, updated_at 2024_02_26;)