alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a|3d 27|"; depth:8; content:"|27 2c|_b|3d 27|"; within:120; content:"|27 2c|_c|3d 27|"; within:120; content:"|27 2c|e|3d|"; within:120; content:"|2c|t|3d|"; within:10; content:"|2c|n|3d|"; within:15; content:"|5d 3b|if|28 2f|chrome|5c 2f 28 5b 5c|d|5d 2b 29 2f|gi"; distance:0; fast_pattern; content:"|5d 5d 28|window|5b 5f|"; distance:26; within:12; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027963; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, signature_severity Minor, updated_at 2020_11_19;)