alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ING Banking Credential Phish Landing Page 2022-12-12"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>ING-DiBa Internetbanking + Brokerage</title>"; content:"name=|22|fName|22| "; distance:0; content:"name=|22|lName|22|"; distance:0; content:"name=|22|telepin|22| "; distance:0; content:"name=|22|telepinV|22|"; distance:0; fast_pattern; content:"name=|22|dob|22|"; distance:0; content:"name=|22|numberID|22|"; distance:0; reference:md5,6a1c9d34c63f22af42fc21f9e3ca6f82; classtype:credential-theft; sid:2042660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_12_12, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_31;)