alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Keitaro TDS Redirect"; flow:established,from_server; http.stat_code; content:"302"; http.header; content:"LOCATION|3a 20|http"; nocase; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; fast_pattern; content:"Cache-Control|3a 20|max-age=0|0d 0a|Pragma|3a 20|no-cache|0d 0a|"; pcre:"/Date\x3a\x20(?P<dstring>[^\r\n]+)\r\n.*?Last-Modified\x3a\x20(?P=dstring)\r\n/s"; http.content_type; content:"text/html|3b 20|charset=utf-8"; depth:24; endswith; classtype:exploit-kit; sid:2022466; rev:7; metadata:created_at 2016_01_28, confidence Medium, signature_severity Major, tag TDS, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_11_05;)