# KXK00OOkxxkO00KX0
# ,NXKxo:,'... ...';cdOXN:
# l;. ..,:ldxkOOOOOOkkxol:,.. .o
# dk lOOOOOOkkkkkkkkkkkOOOOOOx dk
# KNXOc. :0OkkkkkkkkkkkkkkkkkkkkkO0l. :kXNX
# x. .'ckOOkkkkkkkkkkkookkkkkkkkkkOOOl,. .k
# d. o0Okkkkkkkkkkkkk. okkkkkkkkkkOO0k x
# l. c0kkkkkkko. .ckk .kd..'xkkkkkk0x .o
# ;, ;0kkkkkkkc ;ko. .dk. :kkkkkk0l ':
# .l .OOkkkkkkkl. .lkocldkkl. 'xkkkkkOO, c.
# l o0kkkk:..'dkkk. .;okkkkkkkkk0x l
# .: .OOkkk; xk, .:kkkkkO0; ;.
# ;. :0kkkko;,cko :kkkk0d .:
# : oOkkkkkkkk .dkkk0k. :
# : dOkkkkkkk .:odxkkkkkOk. ;
# ; oOkkkkkkx:,,ckkkkkkkkkkOx. ,
# '. ;OOkkkkkkkkkkkkkkkkkOOc '
# ' .lOOkkkkkkkkkkkkkOOd. .
# . .lOOkkkkkkkkkOOo' ..
# ' .;dOOOkOOOx:. .
# .. .,lxo;. ..
# .. ..
#
# ____ ___ __ ____ _ _
#| _ \ / \ \ / / | _ \ __ _| |_ _ __ _ _| | ___ ___
#| |_) / _ \ \ /\ / / | |_) / _` | __| '__| | | | |/ _ \/ __|
#| __/ ___ \ V V / | __/ (_| | |_| | | |_| | | __/\__ \
#|_| /_/ \_\_/\_/ |_| \__,_|\__|_| \__,_|_|\___||___/
#
# IDS Rules for Suricata
# π Charles BLANC-ROLIN β ΅ - https://pawpatrules.fr - https://www.apssis.com - https://github.com/woundride
# Licence CC BY-NC-SA 4.0 : https://creativecommons.org/licenses/by-nc-sa/4.0/
# Extensions π de domaines non standards — alerts on DNS queries, HTTP Host headers and TLS SNI values whose top-level domain is on this list of non-standard / abuse-prone extensions
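###DNS###
# DNS queries from $HOME_NET whose QNAME ends in one of the listed extensions.
# Matching is done on the dns.query buffer, case-insensitively (nocase) and
# anchored with endswith, so "evil.ru" matches but "evil.ru.example.com" does not.
# Every rule is scoped to $HOME_NET as source so that inbound or transit queries
# (e.g. towards an authoritative server you host) do not fire; the .ru rule
# previously used "any any" and was the only one that did not follow this scope.
# Several of these TLDs (.dev, .in, .tv, .cc, .tech, .online ...) also carry
# plenty of benign traffic: tune with threshold/suppress per environment.
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .cyou π extension"; flow:to_server, stateless; dns.query; content:".cyou"; nocase; endswith; classtype:bad-unknown; sid:3300989; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_14, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .ru π·πΊ extension"; flow:to_server, stateless; dns.query; content:".ru"; nocase; endswith; classtype:bad-unknown; sid:3300990; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_09_28, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_06;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .lol π extension"; flow:to_server, stateless; dns.query; content:".lol"; nocase; endswith; classtype:bad-unknown; sid:3300991; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .work π· extension"; flow:to_server, stateless; dns.query; content:".work"; nocase; endswith; classtype:bad-unknown; sid:3300992; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_14, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_06;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .cc π¨π¨ extension"; flow:to_server, stateless; dns.query; content:".cc"; nocase; endswith; classtype:bad-unknown; sid:3300993; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .xyz π€ extension"; flow:to_server, stateless; dns.query; content:".xyz"; nocase; endswith; classtype:bad-unknown; sid:3300994; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .biz π² extension"; flow:to_server, stateless; dns.query; content:".biz"; nocase; endswith; classtype:bad-unknown; sid:3300995; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .world πΊ extension"; flow:to_server, stateless; dns.query; content:".world"; nocase; endswith; classtype:bad-unknown; sid:3300996; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_06;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .xxx π―π extension"; flow:to_server, stateless; dns.query; content:".xxx"; nocase; endswith; classtype:bad-unknown; sid:3300997; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .tv πΊ extension"; flow:to_server, stateless; dns.query; content:".tv"; nocase; endswith; classtype:bad-unknown; sid:3300998; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_06;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .ninja π₯· extension"; flow:to_server, stateless; dns.query; content:".ninja"; nocase; endswith; classtype:bad-unknown; sid:3300999; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .dev π¨βπ§ extension"; flow:to_server, stateless; dns.query; content:".dev"; nocase; endswith; classtype:bad-unknown; sid:3301000; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_06;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .click π± extension"; flow:to_server, stateless; dns.query; content:".click"; nocase; endswith; classtype:bad-unknown; sid:3301001; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_06;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .gay π³οΈβπ extension"; flow:to_server, stateless; dns.query; content:".gay"; nocase; endswith; classtype:bad-unknown; sid:3301002; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .one β extension"; flow:to_server, stateless; dns.query; content:".one"; nocase; endswith; classtype:bad-unknown; sid:3301003; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_06;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .digital π₯ extension"; flow:to_server, stateless; dns.query; content:".digital"; nocase; endswith; classtype:bad-unknown; sid:3301004; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_06;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .fun π₯³ extension"; flow:to_server, stateless; dns.query; content:".fun"; nocase; endswith; classtype:bad-unknown; sid:3301005; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2023_09_22;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .pw π΅πΌ extension"; flow:to_server, stateless; dns.query; content:".pw"; nocase; endswith; classtype:bad-unknown; sid:3301006; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .hk ππ° extension"; flow:to_server, stateless; dns.query; content:".hk"; nocase; endswith; classtype:bad-unknown; sid:3301007; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_06;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .in β¬ extension"; flow:to_server, stateless; dns.query; content:".in"; nocase; endswith; classtype:bad-unknown; sid:3301008; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .guru π± extension"; flow:to_server, stateless; dns.query; content:".guru"; nocase; endswith; classtype:bad-unknown; sid:3301009; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .chat π¬ extension"; flow:to_server, stateless; dns.query; content:".chat"; nocase; endswith; classtype:bad-unknown; sid:3301010; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .network π§ extension"; flow:to_server, stateless; dns.query; content:".network"; nocase; endswith; classtype:bad-unknown; sid:3301011; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_06;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .online π extension"; flow:to_server, stateless; dns.query; content:".online"; nocase; endswith; classtype:bad-unknown; sid:3301012; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_06;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .live βΊοΈ extension"; flow:to_server, stateless; dns.query; content:".live"; nocase; endswith; classtype:bad-unknown; sid:3301013; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .tech π§ extension"; flow:to_server, stateless; dns.query; content:".tech"; nocase; endswith; classtype:bad-unknown; sid:3301014; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_06;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .tw πΉπΌ extension"; flow:to_server, stateless; dns.query; content:".tw"; nocase; endswith; classtype:bad-unknown; sid:3301015; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .su π΄ extension"; flow:to_server, stateless; dns.query; content:".su"; nocase; endswith; classtype:bad-unknown; sid:3301016; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_10_29;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .ml π²π± extension"; flow:to_server, stateless; dns.query; content:".ml"; nocase; endswith; classtype:bad-unknown; sid:3301017; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_11_10;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .life πΌ extension"; flow:to_server, stateless; dns.query; content:".life"; nocase; endswith; classtype:bad-unknown; sid:3301018; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_11_10;)
# .onion is a reserved special-use name (RFC 7686) that must never be resolved
# through the public DNS; a .onion query leaving $HOME_NET points to a Tor
# client/proxy misconfiguration or a DNS leak rather than normal Tor use.
# A Suricata rule must sit on a single physical line (or use "\" continuation);
# this rule was previously split in the middle of its msg string.
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .onion π§ extension"; flow:to_server, stateless; dns.query; content:".onion"; nocase; endswith; classtype:bad-unknown; sid:3301019; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_12_01;)
alert dns $HOME_NET any -> any any (msg:"πΎ - π DNS request π to .fit π€Έ extension"; flow:to_server, stateless; dns.query; content:".fit"; nocase; endswith; classtype:bad-unknown; sid:3301020; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_12_01;)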
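###HTTP###
# Plain-HTTP requests from $HOME_NET to $EXTERNAL_NET whose Host header ends in
# one of the listed extensions. The match is on the http_host buffer, which the
# HTTP parser already lower-cases, so no nocase is needed (and Suricata rejects
# nocase on this buffer). "isdataat:!1,relative" anchors the content at the end
# of the Host value, the legacy equivalent of endswith, so "evil.ru" matches but
# "evil.ru.example.com" does not. This only sees clear-text HTTP; the TLS section
# covers the same extensions via SNI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π .cyou extension observed"; flow:to_server, stateless; content:".cyou"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_09_28, updated_at 2021_11_15; sid:3301021; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π·πΊ .ru extension observed"; flow:to_server, stateless; content:".ru"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_09_28, updated_at 2021_11_15; sid:3301022; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π .lol extension observed"; flow:to_server, stateless; content:".lol"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301023; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π· .work extension observed"; flow:to_server, stateless; content:".work"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301024; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π¨π¨ .cc extension observed"; flow:to_server, stateless; content:".cc"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301025; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π€ .xyz extension observed"; flow:to_server, stateless; content:".xyz"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301026; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π² .biz extension observed"; flow:to_server, stateless; content:".biz"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301027; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to πΊ .world extension observed"; flow:to_server, stateless; content:".world"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301028; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π―π .xxx extension observed"; flow:to_server, stateless; content:".xxx"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301029; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to πΊ .tv extension observed"; flow:to_server, stateless; content:".tv"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301030; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π₯· .ninja extension observed"; flow:to_server, stateless; content:".ninja"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301031; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π¨βπ§ .dev extension observed"; flow:to_server, stateless; content:".dev"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301032; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π± .click extension observed"; flow:to_server, stateless; content:".click"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301033; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π³οΈβπ .gay extension observed"; flow:to_server, stateless; content:".gay"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301034; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to β .one extension observed"; flow:to_server, stateless; content:".one"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301035; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π₯ .digital extension observed"; flow:to_server, stateless; content:".digital"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301036; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π₯³ .fun extension observed"; flow:to_server, stateless; content:".fun"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301037; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π΅πΌ .pw extension observed"; flow:to_server, stateless; content:".pw"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301038; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to ππ° .hk extension observed"; flow:to_server, stateless; content:".hk"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301039; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to β¬ .in extension observed"; flow:to_server, stateless; content:".in"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301040; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π± .guru extension observed"; flow:to_server, stateless; content:".guru"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301041; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π¬ .chat extension observed"; flow:to_server, stateless; content:".chat"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301042; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π§ .network extension observed"; flow:to_server, stateless; content:".network"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301043; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π .online extension observed"; flow:to_server, stateless; content:".online"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301044; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to βΊοΈ .live extension observed"; flow:to_server, stateless; content:".live"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301045; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π§ .tech extension observed"; flow:to_server, stateless; content:".tech"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_11_15; sid:3301046; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to πΉπΌ .tw extension observed"; flow:to_server, stateless; content:".tw"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_29, updated_at 2021_11_15; sid:3301047; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π΄ .su extension observed"; flow:to_server, stateless; content:".su"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_10_29, updated_at 2021_11_15; sid:3301048; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π²π± .ml extension observed"; flow:to_server, stateless; content:".ml"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_11_15, updated_at 2021_11_15; sid:3301049; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to πΌ .life extension observed"; flow:to_server, stateless; content:".life"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_11_15, updated_at 2021_11_15; sid:3301050; rev:7;)
# A clear-text HTTP request with a .onion Host header means the client is not
# going through Tor at all (a real .onion connection never carries a plain Host
# header on the wire towards $EXTERNAL_NET); treat it as a leak or as a proxy
# handling .onion on the client's behalf. Rule rejoined onto one physical line:
# it was previously split in the middle of its msg string.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP trying connection to π§ .onion extension observed"; flow:to_server, stateless; content:".onion"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_12_01, updated_at 2021_12_01; sid:3301051; rev:7;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π€Έ .fit extension observed"; flow:to_server, stateless; content:".fit"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; metadata:created_at 2021_12_01, updated_at 2021_12_01; sid:3301052; rev:7;)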
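###TLS###
# TLS ClientHellos whose SNI ends in one of the listed extensions. Unlike the
# http_host buffer, tls_sni is matched as the client sent it, so these rules now
# carry nocase (as the DNS section already does): without it a client sending
# "evil.RU" or "EVIL.Ru" in the SNI would slip past. endswith anchors the match
# at the end of the SNI. rev bumped for the change.
# Note: this section is "any any -> any any", unlike the DNS/HTTP sections that
# are scoped to $HOME_NET; on a perimeter sensor this also fires on inbound
# ClientHellos. Narrow the source to $HOME_NET if that is noisy.
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π .cyou extension observed"; flow:to_server, stateless; tls_sni; content:".cyou"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_09_28, updated_at 2021_10_29; sid:3301053; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π·πΊ .ru extension observed"; flow:to_server, stateless; tls_sni; content:".ru"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_09_28, updated_at 2021_09_28; sid:3301054; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π .lol extension observed"; flow:to_server, stateless; tls_sni; content:".lol"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301055; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π· .work extension observed"; flow:to_server, stateless; tls_sni; content:".work"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301056; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π¨π¨ .cc extension observed"; flow:to_server, stateless; tls_sni; content:".cc"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301057; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π€ .xyz extension observed"; flow:to_server, stateless; tls_sni; content:".xyz"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301058; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π² .biz extension observed"; flow:to_server, stateless; tls_sni; content:".biz"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301059; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) πΊ .world extension observed"; flow:to_server, stateless; tls_sni; content:".world"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301060; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π―π .xxx extension observed"; flow:to_server, stateless; tls_sni; content:".xxx"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301061; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) πΊ .tv extension observed"; flow:to_server, stateless; tls_sni; content:".tv"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301062; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π₯· .ninja extension observed"; flow:to_server, stateless; tls_sni; content:".ninja"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301063; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π¨βπ§ .dev extension observed"; flow:to_server, stateless; tls_sni; content:".dev"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301064; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π± .click extension observed"; flow:to_server, stateless; tls_sni; content:".click"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301065; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π³οΈβπ .gay extension observed"; flow:to_server, stateless; tls_sni; content:".gay"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301066; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) β .one extension observed"; flow:to_server, stateless; tls_sni; content:".one"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301067; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π₯ .digital extension observed"; flow:to_server, stateless; tls_sni; content:".digital"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301068; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π₯³ .fun extension observed"; flow:to_server, stateless; tls_sni; content:".fun"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301069; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π΅πΌ .pw extension observed"; flow:to_server, stateless; tls_sni; content:".pw"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301070; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) ππ° .hk extension observed"; flow:to_server, stateless; tls_sni; content:".hk"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301071; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) β¬ .in extension observed"; flow:to_server, stateless; tls_sni; content:".in"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301072; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π± .guru extension observed"; flow:to_server, stateless; tls_sni; content:".guru"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301073; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π¬ .chat extension observed"; flow:to_server, stateless; tls_sni; content:".chat"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301074; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π§ .network extension observed"; flow:to_server, stateless; tls_sni; content:".network"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301075; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π .online extension observed"; flow:to_server, stateless; tls_sni; content:".online"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301076; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) βΊοΈ .live extension observed"; flow:to_server, stateless; tls_sni; content:".live"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301077; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π§ .tech extension observed"; flow:to_server, stateless; tls_sni; content:".tech"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_06, updated_at 2021_10_29; sid:3301078; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) πΉπΌ .tw extension observed"; flow:to_server, stateless; tls_sni; content:".tw"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_29, updated_at 2021_10_29; sid:3301079; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π΄ .su extension observed"; flow:to_server, stateless; tls_sni; content:".su"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_10_29, updated_at 2021_10_29; sid:3301080; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π²π± .ml extension observed"; flow:to_server, stateless; tls_sni; content:".ml"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_11_10, updated_at 2021_11_10; sid:3301081; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) πΌ .life extension observed"; flow:to_server, stateless; tls_sni; content:".life"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_11_10, updated_at 2021_11_10; sid:3301082; rev:5;)
alert tls any any -> any any (msg:"πΎ - π TLS connection to (sni) π€Έ .fit extension observed"; flow:to_server, stateless; tls_sni; content:".fit"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2021_12_01, updated_at 2021_12_01; sid:3301083; rev:5;)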