alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated LordEK Landing M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<html>|0d 0a|<!--|20|Lord|20|EK|20|-|20|Landing|20|page"; depth:60; nocase; fast_pattern; classtype:exploit-kit; sid:2027791; rev:2; metadata:created_at 2019_08_02, deployment Perimeter, malware_family LordEK, performance_impact Low, confidence High, signature_severity Major, tag Exploit_Kit, updated_at 2020_08_31, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)