alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Usage of Non-Alphanumeric Javascript Obfuscation M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"_=|28|[![]]+{}|29|[+!+[]+[+[]]]+|28|[]+[]+{}|29|[+!+[]]+|28|[]+[]+[][[]]|29|[+!+[]]+|28|![]+[]|29|[!+[]+!+[]+!+[]]+|28|!![]+[]|29|[+[]]+|28|!![]+[]|29|[+!+[]]+|28|!![]+[]|29|[!+[]+!+[]]+|28|[![]]+{}|29|[+!+[]+[+[]]]+|28|!![]+[]|29|[+[]]+|28|[]+[]+{}|29|[+!+[]]+|28|!![]+[]|29|[+!+[]]|3b|"; fast_pattern; reference:url,businessinfo.co.uk/labs/talk/Nonalpha.pdf; reference:url,github.com/cilame/unjsfuck; reference:url,unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation/; reference:url,jsfuck.com/; reference:url,github.com/aemkei/jsfuck; classtype:misc-activity; sid:2063156; rev:4; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_06_23, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Informational, tag JavaScript, updated_at 2025_06_25;)