Those two entries have the exact same fingerprint. They should be merged into one entry. Actually, the second entry pretty much covers the first so the first should be removed altogether.
As a side note: I'm having numerous hits on this rule on the proxy traffic of a botnet I'm tracking. There is automation involved so I think it is also the fingerprint of a popular library but don't know which yet. User-Agents are spoofed so I can't correlate with that.