alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 19 2016"; flow:established,to_client; http.server; content:"nginx"; http.content_len; pcre:"/^\d{2,3}$/mi"; file.data; content:"document.write|28|"; depth:15; pcre:"/^(?=[^\n>]*position\x3aabsolute)(?=[^\n>]*top\x3a\x20-\d+px\x3b)[^\n]*<iframe(?=[^\n>]*width=\d{3})(?=[^\n>]*height=\d{3})[^\n>]*src=[\x22\x27]http[^\n>]+\s*>\s*/R"; content:"</|27|+|27|iframe>"; within:12; fast_pattern; pcre:"/^[^\n]*\x29\x3b$/R"; classtype:exploit-kit; sid:2023352; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Redirector, updated_at 2024_02_28;)