alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Suspicious HTTP Connection Header Observed"; flow:established,to_server; http.connection; content:!"upgrade"; nocase; content:!"keep-alive"; nocase; content:!"close"; nocase; http.header_names; content:"|0d 0a|Connection|0d 0a|"; fast_pattern; nocase; classtype:misc-activity; sid:2036551; rev:2; metadata:created_at 2022_05_06, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_05_09;)