alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"eval|28|function|28|p,a,c,k,e,r|29|"; depth:26; content:"|20|TASKID|3d|"; distance:0; content:"|20|MAGICNUM|3d|"; within:25; content:"|20|EXECNUM|3d|"; within:25; content:"|20|FEEDBACKADDR|3d|"; within:25; content:"|28 2f|chrome|5c 5c 2f 28 5b 5c 5c 64 5d 2b 29 2f|gi"; distance:0; fast_pattern; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027961; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, confidence High, signature_severity Minor, updated_at 2020_11_19;)