alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Sinkhole banner"; flow:established,to_client; http.header; content:"Server|3a 20|You got served|21|"; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2013/12/30/detecting-sinkholed-domains-in-your-environment; classtype:trojan-activity; sid:2018117; rev:5; metadata:created_at 2014_02_12, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_07_12;)