alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN FOCA uri"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/*F0C4~1*/foca.aspx?aspxerrorpath=/"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017950; rev:5; metadata:created_at 2014_01_10, confidence Medium, signature_severity Informational, updated_at 2020_09_22;)