alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Empty Location Header from CloudFlare Server 2024-12-05"; flow:established,to_client; http.stat_code; content:"302"; http.header.raw; content:"|4c 6f 63 61 74 69 6f 6e 3a 20 0d 0a|"; fast_pattern; http.server; content:"cloudflare"; nocase; reference:url,stackoverflow.com/questions/21311671/http-responses-with-code-3xx-and-empty-location-header; reference:url,github.com/whatwg/fetch/issues/669; classtype:unknown; sid:2058074; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_12_05, deployment SSLDecrypt, confidence High, signature_severity Informational, updated_at 2024_12_05, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1036, mitre_technique_name Masquerading; target:src_ip;)