alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious HTTP Header in Response (Expired:)"; flow:established,to_client; http.header; content:"|0d 0a|Expired|3a 20|"; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.fox-it.com/2023/11/15/the-spelling-police-searching-for-malicious-http-servers-by-identifying-typos-in-http-responses; classtype:misc-activity; sid:2049208; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_11_15, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_11_15;)