Below are some uri fields you can look for which are commonly used in redirecting to exploit kits.
this is also useful
HTTP Request Type = GET
HTTP Status Code = 302
HTTP URI = *.cgi?*
and regex on the HTTP URI for “\.cgi\?\d+?$”