alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Connect Secure VPN IF-T/TLS HTTP Request"; flow:established,to_server; xbits:set,ET.IFTTLS.HTTPRequest,track ip_pair,expire 30; noalert; http.method; content:"GET"; http.content_type; content:"EAP"; http.header; content:"Upgrade|3a 20|IF-T/TLS"; fast_pattern; reference:url,gitlab.com/openconnect/openconnect/-/blob/master/pulse.c; classtype:web-application-activity; sid:2059170; rev:1; metadata:affected_product Ivanti, attack_target Server, tls_state TLSDecrypt, created_at 2025_01_13, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2025_01_13; target:dest_ip;)