alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<script"; content:"document.getelementbyid|28|"; nocase; content:".scroll"; nocase; fast_pattern; content:"Set"; nocase; pcre:"/^\s*(?P<obj>[\w\-]{1,20})\s*=\s*document\.getElementById\(.{1,500}Class\s*(?P<class>[\w\-]{1,20}).{1,500}End\s*Class.{1,500}set\s*(?P=obj)\.scroll((Left|Top)(Max)?|Height|Width)\s*=\s*New\s*(?P=class)/Rsi"; reference:cve,2019-0752; classtype:attempted-user; sid:2034578; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_03, cve CVE_2019_0752, deployment Perimeter, performance_impact Significant, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_12_03;)