alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK JSE"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"X-UA-Compatible|3a 20|IE=EmulateIE8|0d 0a|"; file_data; content:"|3c 21|DOCTYPE html|3e 3c|html|3e 3c|head|3e 3c|script language|3d 22|JScript.Encode|22 3e 23 40 7e 5e|"; startswith; fast_pattern; pcre:"/^[^<]+\x0d\x0a<\/script>/R"; content:"|3c 2f|head|3e 3c|body|3e 3c 2f|body|3e 3c 2f|html|3e|"; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:exploit-kit; sid:2029582; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_24;)