alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown/Xer EK Landing Jul 06 2016 M1"; flow:established,to_client; flowbits:set,SunDown.EK; http.content_type; content:"text/html|3b|"; startswith; http.header; content:"X-Powered-By|3a 20|Yugoslavian Business Network"; fast_pattern; http.server; content:"nginx"; reference:url,blog.talosintel.com/2016/10/sundown-ek.html; classtype:exploit-kit; sid:2023480; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, malware_family SunDown, confidence High, signature_severity Major, updated_at 2024_03_05;)