ET DELETED Possible Neutrino EK Landing Landing URI Struct (fb set)
Source: et/open
Created: June 24, 2016
Updated: August 20, 2020
Classification: exploit-kit
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Landing Landing URI Struct (fb set)"; flow:to_server,established; content:!"Cookie|3a|"; content:"Windows NT"; http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^User-agent\x3a\x20[^\r\n]*?(?:MSIE|rv\x3a11|Edge\/)/Hmi"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; content:!"Cookie|3a|"; flowbits:set,Neutrino.URI.Primer; flowbits:noalert; classtype:exploit-kit; sid:2025064; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag Neutrino, updated_at 2020_08_20;)
Metadata
attack target: Client_Endpoint
created at: 2016_06_24
deployment: Perimeter
performance impact: Moderate
signature severity: Major
tag: Neutrino
updated at: 2020_08_20