alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING HTTP URI Path Normalization Bypasses & Escapes M1"; flow:established,to_server; http.uri; content:"|2e 2e 3b 2f|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf; classtype:web-application-attack; sid:2058076; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_12_05, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2024_12_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)