alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK CVE-2016-0189 Exploit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f 32 30 31 36 2d 30 31 38 39 2e 70 68 70 3f|"; fast_pattern; pcre:"/\.php\?\d{1,4}$/i"; http.header; content:"/index.php?ss="; classtype:exploit-kit; sid:2023289; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, malware_family Exploit_Kit, malware_family BleedingLife, confidence High, signature_severity Major, tag BleedingLifeEK, tag CISA_KEV, updated_at 2024_03_04;)