alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Usage of Non-Alphanumeric Javascript Obfuscation M2"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"$=String.fromCharCode("; fast_pattern; content:"+"; pcre:"/^(?:\x5b\x5d[^a-zA-Z0-9]+?){5,10}/R"; reference:url,businessinfo.co.uk/labs/talk/Nonalpha.pdf; reference:url,github.com/cilame/unjsfuck; reference:url,unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation/; reference:url,jsfuck.com/; reference:url,github.com/aemkei/jsfuck; classtype:misc-activity; sid:2063161; rev:4; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_06_23, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Informational, tag JavaScript, updated_at 2025_06_25;)