alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M2"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"|3c 2f 73 63 72 69 70 74 3e 0a 3c 6f 62 6a 65 63 74|"; within:150; pcre:"/^(?=[^\r\n]*d27cdb6e-ae6d-11cf-96b8-444553540000)[^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P<var>[a-z]+)[\x22\x27][^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P=var)[\x22\x27][^\r\n]*>[\r\n]+(?P<spc>\s+)<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22bgcolor\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22allowScriptAccess\x22)[^\r\n]*>[\r\n]+(?P=spc)<embed(?=[^\r\n]*\ssrc\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27])[^\r\n]+[\r\n]*<\/object>\s*<\/body>\s*<\/html>\s*$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025045; rev:3; metadata:created_at 2016_06_12, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)