alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing M2 Aug 05 2017"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 4f 62 6a 65 63 74 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Rsi"; content:"|45 78 65 63 75 74 65 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Ri"; content:"|52 65 44 69 6d|"; content:"|50 72 65 73 65 72 76 65|"; content:"|55 6e 45 73 63 61 70 65|"; classtype:exploit-kit; sid:2024515; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, confidence High, signature_severity Major, tag Exploit_Kit_Magnitude, updated_at 2019_07_26;)