alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible HTTP-TUNNEL detected"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.html?crap"; startswith; fast_pattern; threshold:type limit, track by_src,count 5, seconds 30; classtype:policy-violation; sid:2030886; rev:1; metadata:created_at 2020_09_17, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_17;)