alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Use-After-Free in QuickTimePluginReplacement (CVE-2021-1879)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"var"; pcre:"/^\s*(?P<worker>[A-Za-z0-9_-]{1,20})\s*=\s*null\x3b.{1,300}(?P=worker)\s*=\s*document\.getElementById\([\x22\x27](?P=worker)[\x22\x27]\)\x3b.{1,300}\.addEventListener\([\x22\x27]DOMNodeInserted[\x22\x27]\s*,\s*(?P<callback0>[A-Za-z0-9_-]{1,20}).{0,300}(?P=worker)(?P<worker_ext>(\.\w{1,20})+)\s*=\s*\d+\x3b.{1,300}function\s*(?P=callback0)\([^\)]+\)\s*\{\s*.{1,300}\.requestAnimationFrame\((?P<callback>[A-Za-z0-9_-]{1,20})\)\x3b.{1,300}function\s*(?P<garbagecollector>[A-Za-z0-9_-]{1,20})\(\)\s*\{\s*.{0,100}for\s*\(let\s*(?P<gc_counter>[A-Za-z0-9_-]{1,20})\s*=\s*\d{1,8}\s*\x3b\s*(?P=gc_counter)\s*(?:<|>)\s*(?:0x)?\d{2,}\s*\x3b\s*(?P=gc_counter)(?:\+{2}|-{2})\s*\)\s*.{1,300}function\s*(?P=callback)\([^\)]+\)\s*\{\s*.{1,300}(?P=garbagecollector)\(\)\s*\x3b\s*.{1,300}\((?P=worker)(?P=worker_ext)\)/Rs"; content:"document.getElementById|28|"; content:".addEventListener|28 22|DOMNodeInserted"; content:"window.requestAnimationFrame"; fast_pattern; reference:cve,2021-1879; classtype:attempted-admin; sid:2033781; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_24, cve CVE_2021_1879, deployment Perimeter, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_08_24;)