alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Inbound JS with Possible 1px-1px Exfiltration Image"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"document.createElement|28 22|"; content:".width=|22|1px|22|"; within:30; content:".height=|22|1px|22|"; within:30; content:"atob|28 22|aHR0cHM6Ly9"; within:100; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027817; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)