alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redirect on ActiveXObject support"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"<script>"; content:"if|20 28|window.ActiveXObject"; distance:0; content:"ActiveXObject|22 20|in window"; within:40; fast_pattern; content:"window|2e|location|2e|href|3d 22|"; within:35; content:"|7d|else|7b|"; within:100; content:"window|2e|location|2e|href|3d 22|"; within:35; classtype:exploit-kit; sid:2028833; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2019_10_15;)