alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1"; flow:to_client,established; http.content_type; content:"text/html"; file_data; content:"var _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; content:!"FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT"; content:!"/cdn-cgi/bm/cv/result?req_id="; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036300; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, performance_impact Significant, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_04_27, reviewed_at 2024_10_14;)