alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (Known Evil Keitaro TDS)"; flow:established,to_client; flowbits:isset,ET.Keitaro; http.stat_code; content:"302"; http.header; content:"LOCATION|3a 20|http"; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; fast_pattern; http.header_names; content:"|0d 0a|LOCATION|0d 0a|"; classtype:exploit-kit; sid:2022465; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_28, deployment Perimeter, confidence High, signature_severity Major, tag Redirector, updated_at 2024_03_04;)