alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT [TW] Possible MSXMLHTTP Request"; flow:established,to_server; flowbits:set,TW.MS.MSIE7; flowbits:noalert; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; depth:45; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,66a42e338e32fb6c02c9d4c56760d89d; classtype:attempted-user; sid:2053705; rev:1; metadata:attack_target Client_and_Server, created_at 2024_06_17, deployment Perimeter, deprecation_reason Performance, performance_impact Significant, confidence Low, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_18; target:dest_ip;)