alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET HUNTING Office UA Retrieving Content on Unusually High Port"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2038899; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_09_19, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_09_19;)