alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Nov 15 2016"; flow:established,from_server; file_data; content:"<iframe src=|22|http|3a 2f 2f|"; pcre:"/^[a-z0-9_-]+\.(?=[0-9_-]*[A-Z])[A-Z0-9_-]+\.[^\x22]+\x22\s/R"; content:"|77 69 64 74 68 3d 22 31 22 20 68 65 69 67 68 74 3d 22 31 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d 31 70 78 3b 22 3e 3c 2f 69 66 72 61 6d 65 3e|"; within:67; fast_pattern; classtype:exploit-kit; sid:2023513; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Redirector, updated_at 2022_03_17;)