alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; threshold:type threshold, track by_src, count 20, seconds 120; http.method; content:"POST"; http.cookie; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?$/"; http.accept_enc; content:"gzip"; depth:4; http.content_type; content:"application/octet-stream"; fast_pattern; nocase; bsize:24; http.header_names; content:"Content-Length|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Connection"; content:!"Cache-Control"; content:!"Accept|0d 0a|"; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:6; metadata:created_at 2016_03_28, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_11_03;)