[Emerging-Sigs] Another IP check

Francis Trudeau trudeauf at gmail.com
Sun May 10 08:12:26 HDT 2020


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check
Domain (address . works)"; flow:to_server,established;
content:"address.works"; http_host; isdataat:!1,relative; fast_pattern;
sid:3003031; rev:2;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check
Domain (address . works in TLS SNI)"; flow:established,to_server; tls_sni;
content:"address.works"; isdataat:!1,relative; nocase;
classtype:policy-violation; sid:3303032; rev:2;)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20200510/fbc4af4c/attachment.html>


More information about the Emerging-sigs mailing list