
Summary
This detection rule aims to identify potential HTTP request smuggling attempts against IIS servers that abuse a Windows quirk involving reserved device names such as '/con' and '/prn'. The rule is built on how IIS responds to these names: when a request targets one of them, IIS may send an early response before the complete request body has been received. Combined with Content-Length desynchronization, this can cause the frontend and backend to disagree on where one request ends and the next begins. The rule uses Suricata logs to detect this behavior and provides a comprehensive method for mitigation and for validating false positives. Effective deployment requires careful logging setup and adherence to best practices.
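As an added example (not the rule's own logic or Suricata's code), the following Python check runs over constructed Suricata EVE http records and flags requests whose path names a reserved Windows device and that declare a body via Content-Length, which is the combination the rule keys on. It assumes EVE http logging with request headers enabled (dump-all-headers) so that `http.request_headers` is present; the sample records and IP addresses are constructed.

```python
import json
from typing import Optional

# Windows reserved device names. IIS may answer a request to one of these
# before it has read the full request body, which is what the rule keys on.
RESERVED = ({"con", "prn", "aux", "nul"}
            | {f"com{i}" for i in range(1, 10)}
            | {f"lpt{i}" for i in range(1, 10)})

def reserved_segment(url: str) -> Optional[str]:
    """First path segment naming a reserved device. Windows also treats
    'con.txt' and 'CON' as the device, so extension and case are ignored."""
    for seg in url.split("?", 1)[0].split("/"):
        if seg.split(".", 1)[0].strip().lower() in RESERVED:
            return seg
    return None

def inspect_event(event: dict) -> Optional[dict]:
    """Flag a reserved-name request that declares a body via Content-Length.
    Expects EVE http records logged with dump-all-headers (assumption)."""
    http = event.get("http", {})
    seg = reserved_segment(http.get("url", ""))
    if seg is None:
        return None
    cl = next((h.get("value") for h in http.get("request_headers", [])
               if h.get("name", "").lower() == "content-length"), None)
    if cl is None:
        return None                              # no declared body
    body_len = int(cl) if cl.strip().isdigit() else -1   # -1: malformed, keep
    if body_len == 0:
        return None                              # nothing to desync on
    return {"flow_id": event.get("flow_id"), "src_ip": event.get("src_ip"),
            "segment": seg, "content_length": body_len,
            "status": http.get("status")}

def scan(lines) -> list:
    """Run the check over raw EVE JSON lines; non-http records are skipped."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") == "http" and (f := inspect_event(ev)):
            findings.append(f)
    return findings

# Constructed EVE records for a self-contained run, not real traffic.
SAMPLE_EVE = [
    '{"event_type":"http","flow_id":1,"src_ip":"203.0.113.5","http":{"url":"/con","http_method":"POST","status":400,"request_headers":[{"name":"Content-Length","value":"42"}]}}',
    '{"event_type":"http","flow_id":2,"src_ip":"203.0.113.6","http":{"url":"/index.html","http_method":"GET","status":200,"request_headers":[]}}',
    '{"event_type":"http","flow_id":3,"src_ip":"203.0.113.7","http":{"url":"/Aux.txt?x=1","http_method":"POST","status":404,"request_headers":[{"name":"Content-Length","value":"0"}]}}',
    '{"event_type":"http","flow_id":4,"src_ip":"203.0.113.8","http":{"url":"/files/LPT1/../x","http_method":"POST","status":200,"request_headers":[{"name":"content-length","value":"abc"}]}}',
]
```

Flows 1 and 4 are returned by `scan(SAMPLE_EVE)`; a zero-length or absent Content-Length on a reserved name is skipped, which is one quick way to trim false positives before looking at the response status.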
Categories
- Web
- Network
Data Sources
- Web Credential
- Logon Session
ATT&CK Techniques
- T1071.001
- T1190
Created: 2025-10-17