alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BottleEK Landing"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; endswith; http.content_len; byte_test:0,<,1000,0,string,dec; file.data; content:"<!doctype html>|0d 0a|<html lang=|22|ja|22|>|0d 0a|<head>|0d 0a|<meta http-equiv=|22|Content-Type|22 20|content=|22|text/html|3b 20|charset=UTF-8|22|>|0d 0a|<meta http-equiv=|22|x-ua-compatible|22 20|content=|22|IE=10|22|>|0d 0a|<meta http-equiv=|22|Expires|22 20|content=|22|0|22|>|0d 0a|<meta http-equiv=|22|Pragma|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache-control|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache|22 20|content=|22|no-cache|22|>"; content:"<body style=|22|background-color|3a 20|#F4F4F4|3b|font-family|3a|MS PGothic,Arial,Hiragino Kaku Gothic ProN,Osaka,sans-serif|22|>"; distance:0; fast_pattern; content:"/ajax.min.js|22|></script>|0d 0a|<script type=|22|text/javascript|22 20|src=|22|"; distance:0; content:"/main.js|22|></script>|0d 0a|</body>|0d 0a|</html>"; endswith; classtype:exploit-kit; sid:2029122; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_24;)