alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Inbound GoldenEye DoS attack"; flow:established,to_server; threshold:type both, track by_src, count 100, seconds 300; http.uri; content:"/?"; fast_pattern; depth:2; content:"="; distance:3; within:11; pcre:"/^\/\?[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20}(?:&[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20})*?$/"; http.header; content:"Keep|2d|Alive|3a|"; content:"Connection|3a| keep|2d|alive"; content:"Cache|2d|Control|3a|"; pcre:"/^Cache-Control\x3a\x20(?:max-age=0|no-cache)\r?$/m"; content:"Accept|2d|Encoding|3a|"; reference:url,github.com/jseidl/GoldenEye; classtype:denial-of-service; sid:2018208; rev:4; metadata:created_at 2014_03_05, deprecation_reason Performance, performance_impact Significant, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_08;)