alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspected Pentesting Related Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/T1"; pcre:"/^[0-9]{3}(?:(\.|\x20|\/)?)/R"; http.host; content:"atomicredteam.io"; fast_pattern; endswith; classtype:misc-activity; sid:2052266; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_04_25, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_25; target:src_ip;)