alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Cross-Site POST Requests Without a Content-Type Header"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"Content-Length|0d 0a|"; content:!"Content-Type|0d 0a|"; http.header; content:"Sec-Fetch-Site|3a 20|cross-site"; fast_pattern; reference:url,nastystereo.com/security/cross-site-post-without-content-type.html; classtype:web-application-attack; sid:2059760; rev:1; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_01_29, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, updated_at 2025_01_29; target:dest_ip;)