ET DOS HOIC with booster outbound
Source: et/open
Created: August 21, 2014
Updated: April 8, 2024
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS HOIC with booster outbound"; flow:established,to_server; http.method; content:"GET"; http.header.raw; content:"If-Modified-Since|3a 20 20|"; content:"Keep-Alive|3a 20 20|"; content:"Connection|3a 20 20|"; content:"User-Agent|3a 20 20|"; http.start; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; fast_pattern; threshold:type both, count 1, seconds 60, track by_src; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018977; rev:7; metadata:created_at 2014_08_21, performance_impact Moderate, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_08;)
References
| md5 | 23fc64a5cac4406d7143ea26e8c4c7ab |
| url | blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html |
Metadata
created at: 2014_08_21
performance impact: Moderate
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2024_04_08