[Emerging-Sigs] Another IP check

Jason Taylor jastaylor at emergingthreats.net
Mon May 11 02:11:31 HDT 2020

Thanks Fran!

Will get this in for QA today


On Sun, May 10, 2020 at 1:12 PM Francis Trudeau <trudeauf at gmail.com> wrote:
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (address . works)"; flow:to_server,established; content:"address.works"; http_host; isdataat:!1,relative; fast_pattern; sid:3003031; rev:2;)
> alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (address . works in TLS SNI)"; flow:established,to_server; tls_sni; content:"address.works"; isdataat:!1,relative; nocase; classtype:policy-violation; sid:3303032; rev:2;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net

More information about the Emerging-sigs mailing list