Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING HTTP Permissions-Policy Geolocation Directive"; flow:established,to_client; http.header_names; content:"|0d 0a|permissions-policy|0d 0a|"; nocase; http.header; content:"permissions-policy|3a 20|"; nocase; content:"geolocation|3d 28|"; distance:0; nocase; fast_pattern; reference:url,developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy/geolocation; classtype:misc-activity; sid:2067642; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_02_12, deployment Perimeter, deployment SSLDecrypt, confidence Low, signature_severity Unknown, updated_at 2026_02_13; target:dest_ip;)