alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded 2 byte ROL Windows OS Name in HTTP Header"; flow:established,to_server; http.header; content:"XaW5kb3dz"; fast_pattern; pcre:"/^Q?(?:YDE(w|x)A)?\x3d{2}/R"; threshold:type limit,count 1,seconds 300,track by_src; reference:md5,f5ef5f40922113c2dfb32c202ae2b3f5; classtype:misc-activity; sid:2067864; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_02_20, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Informational, updated_at 2026_02_20, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information; target:src_ip;)