alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK Flash Exploit"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"<param"; nocase; pcre:"/^(?=[^>]*? name\s*=\s*[\x22\x27]flashvars)[^>]*? value\s*=\s*[\x22\x27]url=https?\x3a[^\x22\x27]*?\.wasm/Rsi"; classtype:exploit-kit; sid:2025914; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, confidence High, signature_severity Major, tag Underminer_EK, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)