alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP Redirect Chain With Image Filetype in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/(?:png|jpg|jpeg)/"; content:"|3f|response|2d|content|2d|type|3d|"; fast_pattern; within:36; content:!"X-Amz-Algorithm="; classtype:misc-activity; sid:2057440; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_11_13, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_13;)