# KXK00OOkxxkO00KX0
# ,NXKxo:,'... ...';cdOXN:
# l;. ..,:ldxkOOOOOOkkxol:,.. .o
# dk lOOOOOOkkkkkkkkkkkOOOOOOx dk
# KNXOc. :0OkkkkkkkkkkkkkkkkkkkkkO0l. :kXNX
# x. .'ckOOkkkkkkkkkkkookkkkkkkkkkOOOl,. .k
# d. o0Okkkkkkkkkkkkk. okkkkkkkkkkOO0k x
# l. c0kkkkkkko. .ckk .kd..'xkkkkkk0x .o
# ;, ;0kkkkkkkc ;ko. .dk. :kkkkkk0l ':
# .l .OOkkkkkkkl. .lkocldkkl. 'xkkkkkOO, c.
# l o0kkkk:..'dkkk. .;okkkkkkkkk0x l
# .: .OOkkk; xk, .:kkkkkO0; ;.
# ;. :0kkkko;,cko :kkkk0d .:
# : oOkkkkkkkk .dkkk0k. :
# : dOkkkkkkk .:odxkkkkkOk. ;
# ; oOkkkkkkx:,,ckkkkkkkkkkOx. ,
# '. ;OOkkkkkkkkkkkkkkkkkOOc '
# ' .lOOkkkkkkkkkkkkkOOd. .
# . .lOOkkkkkkkkkOOo' ..
# ' .;dOOOkOOOx:. .
# .. .,lxo;. ..
# .. ..
#
# ____ ___ __ ____ _ _
#| _ \ / \ \ / / | _ \ __ _| |_ _ __ _ _| | ___ ___
#| |_) / _ \ \ /\ / / | |_) / _` | __| '__| | | | |/ _ \/ __|
#| __/ ___ \ V V / | __/ (_| | |_| | | |_| | | __/\__ \
#|_| /_/ \_\_/\_/ |_| \__,_|\__|_| \__,_|_|\___||___/
#
# IDS Rules for Suricata
# 📜 Charles BLANC-ROLIN ⠵ - https://pawpatrules.fr - https://www.apssis.com - https://github.com/woundride
# Licence CC BY-NC-SA 4.0 : https://creativecommons.org/licenses/by-nc-sa/4.0/
# ⚠ Vulnérabilités
###################### Protocole HTTP ######################
# NOTE(review): the browser/OS version rules below are allow-lists: each one alerts on every
# version string except the ones explicitly negated (content:!"..."). A client running a release
# NEWER than the negated versions therefore also alerts until the rule is refreshed, and a stale
# rule reports an up-to-date client as "potentially vulnerable". Keep the negated versions and the
# msg text in sync with the vendor release channels on every update, and bump rev whenever msg or
# the match logic changes. The User-Agent is client-supplied and trivially spoofed: treat these as
# inventory / policy signals (classtype:policy-violation), not as proof that a host is exploitable.
### Navigateur Web Google Chrome non Windows ###
# Chrome/Chromium on desktops other than Windows (and not Android). The http.host.raw exclusion and
# the negated literal "Chrome/60.0.3112.32" UA drop Android connectivity checks (the connectivity-
# check rule further down matches that same UA). The negated "Chrome/126" uses distance:-7, i.e. it
# is tested from the start of the "Chrome/" token just matched; "Chrome/124" is tested anywhere in
# the UA. "Safari/537.36" with endswith rejects UAs that append a further token after it (such as
# the "Edg/" token the Edge rules key on), so Chromium derivatives are left to their own rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Google Chrome / Chromium 🌐 for computer 💻 other than Windows (🐧🍏) potentially vulnerable if stable version < 126 or Extended Stable Channel version < 124"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:!"connectivitycheck.gstatic.com"; nocase; http.user_agent; content:!"Mozilla/5.0 |28|X11|3B| Linux x86_64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/60.0.3112.32 Safari/537.36"; nocase; content:"Mozilla/5.0 |28|"; nocase; content:!"Windows"; nocase; content:!"Android"; nocase; content:"AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/"; fast_pattern; content:!"Chrome/126"; distance:-7; content:!"Chrome/124"; content:"Safari/537.36"; endswith; nocase; reference:url,https://chromereleases.googleblog.com/search/label/Desktop%20Update+Stable%20updates; metadata:created_at 2022_08_02, updated_at 2024_06_12; sid:3300000; rev:47; classtype:policy-violation;)
### Navigateur Web Google Chrome pour Windows ###
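# Chrome/Chromium on Windows 10/11 (x64 and WOW64 UAs). The match logic negates Chrome/126 (Stable)
# and Chrome/124 (Extended Stable), exactly like the non-Windows rule above, so a Chrome/125 client
# DOES alert; the msg previously still said "stable version < 125", which contradicted the content
# matches and mislabelled 125 as safe. msg aligned with the negated versions; rev bumped for the msg
# change (set updated_at to the commit date when committing).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Google Chrome / Chromium 🌐 for Windows 10 or 11 X64 potentially vulnerable if stable version < 126 or Extended Stable Channel version < 124"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|Windows NT 10.0|3B| Win64|3B| x64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/"; fast_pattern; content:!"Chrome/126"; distance:-7; content:!"Chrome/124"; content:"Safari/537.36"; endswith; nocase; reference:url,https://chromereleases.googleblog.com/search/label/Desktop%20Update+Stable%20updates; metadata:created_at 2021_05_12, updated_at 2024_06_12; sid:3300001; rev:48; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Google Chrome / Chromium 🌐 for Windows 10 or 11 X86 potentially vulnerable if stable version < 126 or Extended Stable Channel version < 124"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|Windows NT 10.0|3B| WOW64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/"; fast_pattern; content:!"Chrome/126"; distance:-7; content:!"Chrome/124"; content:"Safari/537.36"; endswith; nocase; reference:url,https://chromereleases.googleblog.com/search/label/Desktop%20Update+Stable%20updates; metadata:created_at 2021_05_12, updated_at 2024_06_12; sid:3300002; rev:48; classtype:policy-violation;)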
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Google Chrome / Chromium 🌐 for Windows 7 X64 unsupported 👴 and vulnerable"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|Windows NT 6.1|3B| Win64|3B| x64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/"; fast_pattern; content:"Safari/537.36"; endswith; nocase; reference:url,https://support.google.com/chrome/thread/185534985/sunsetting-support-for-windows-7-8-1-in-early-2023; metadata:created_at 2021_05_12, updated_at 2023_02_08; sid:3300003; rev:31; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Google Chrome / Chromium 🌐 for Windows 7 X86 unsupported 👴 and vulnerable"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|Windows NT 6.1|3B| WOW64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/"; fast_pattern; content:"Safari/537.36"; endswith; nocase; reference:url,https://support.google.com/chrome/thread/185534985/sunsetting-support-for-windows-7-8-1-in-early-2023; metadata:created_at 2021_05_12, updated_at 2023_02_08; sid:3300004; rev:31; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Google Chrome / Chromium 🌐 for Windows 8.1 X64 unsupported 👴 and vulnerable"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|Windows NT 6.3|3B| Win64|3B| x64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/"; fast_pattern; content:"Safari/537.36"; endswith; nocase; reference:url,https://support.google.com/chrome/thread/185534985/sunsetting-support-for-windows-7-8-1-in-early-2023; metadata:created_at 2021_05_12, updated_at 2023_02_08; sid:3300005; rev:31; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Google Chrome / Chromium 🌐 for Windows 8.1 X86 unsupported 👴 and vulnerable"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|Windows NT 6.3|3B| WOW64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/"; fast_pattern; content:"Safari/537.36"; endswith; nocase; reference:url,https://support.google.com/chrome/thread/185534985/sunsetting-support-for-windows-7-8-1-in-early-2023; metadata:created_at 2021_05_12, updated_at 2023_02_08; sid:3300006; rev:31; classtype:policy-violation;)
### Navigateur Web Mozilla Firefox pour Windows ###
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Firefox 🦊 for Windows 🪟 potentially vulnerable if ESR version < 115 or non-ESR version < 127"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0"; fast_pattern; nocase; content:"Windows"; nocase; content:"Firefox/"; nocase; content:!"Firefox/115"; nocase; content:!"Firefox/127"; nocase; content:!"Trident"; nocase; reference:url,https://www.mozilla.org/fr/firefox/organizations/notes/; reference:url,https://wiki.mozilla.org/Release_Management/Calendar; metadata:created_at 2021_03_22, updated_at 2024_06_12; sid:3300007; rev:55; classtype:policy-violation;)
### Navigateur Web Mozilla Firefox non Windows ###
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Firefox 🦊 other than Windows (🐧🍏) potentially vulnerable if ESR version < 115 or non-ESR version < 127"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0"; fast_pattern; nocase; content:!"Windows"; nocase; content:"Firefox/"; nocase; content:!"Firefox/115"; nocase; content:!"Firefox/127"; nocase; reference:url,https://www.mozilla.org/fr/firefox/organizations/notes/; reference:url,https://wiki.mozilla.org/Release_Management/Calendar; metadata:created_at 2022_05_04, updated_at 2024_06_12; sid:3300008; rev:55; classtype:policy-violation;)
### Navigateur Web Microsoft Edge ###
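# Edge (Chromium) on Windows, version gate on the "Edg/<major>" token.
# Two fixes: (1) "within:3" pins each negated match to the three bytes right after "Edg/". Without
# it, a negated content with distance:0 means "not found anywhere from this offset onward", so a
# build string that merely contains "126" or "124" later on (e.g. in the fourth dotted component)
# suppressed the alert for an outdated major. (2) The msg had the channels swapped relative to the
# content matches: 126 is the Stable channel and 124 the Extended Stable channel, as in the Chrome
# rules updated on the same dates. rev bumped; set updated_at to the commit date when committing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Microsoft Edge 🌐 for 🪟 Windows potentially vulnerable if Stable Channel version < 126 or Extended Stable Channel version < 124"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0"; fast_pattern; content:"Windows"; content:"Edg/"; content:!"126"; distance:0; within:3; content:"Edg/"; content:!"124"; distance:0; within:3; reference:url,https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security; reference:url,https://msrc.microsoft.com/update-guide/vulnerability/; metadata:created_at 2021_04_18, updated_at 2024_06_27; sid:3300009; rev:113; classtype:policy-violation;)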
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Microsoft Edge 🌐 outdated 👴 and vulnerable"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0"; fast_pattern; content:"Windows"; content:"Edge/"; content:!"Cortana"; nocase; reference:url,https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security; reference:url,https://msrc.microsoft.com/update-guide/vulnerability/; metadata:created_at 2021_04_30, updated_at 2023_02_03; sid:3300010; rev:10; classtype:policy-violation;)
### Navigateur Web Internet Explorer ###
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Internet Explorer 🌐 outdated (version < 11) 👴 and vulnerable"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/"; content:"Trident/"; nocase; content:!"Trident/7.0"; nocase; content:!"Outlook"; nocase; reference:url,https://docs.microsoft.com/fr-fr/lifecycle/faq/internet-explorer-microsoft-edge; metadata:created_at 2021_04_30, updated_at 2022_06_14; sid:3300011; rev:11; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Internet Explorer 11 🌐 deprecated 👴 and vulnerable (🪟 Windows < 10)"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0"; content:!"Windows NT 10.0"; content:"|54 72 69 64 65 6e 74 2f 37 2e 30 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69 6b 65 20 47 65 63 6b 6f|"; fast_pattern; endswith; content:!"Outlook"; nocase; reference:url,https://docs.microsoft.com/fr-fr/lifecycle/faq/internet-explorer-microsoft-edge; metadata:created_at 2022_06_14, updated_at 2023_01_30; sid:3300012; rev:6; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Internet Explorer 11 🌐 deprecated 👴 and vulnerable (🪟 Windows 10)"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0"; content:"Windows NT 10.0"; content:"|54 72 69 64 65 6e 74 2f 37 2e 30 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69 6b 65 20 47 65 63 6b 6f|"; fast_pattern; endswith; reference:url,https://docs.microsoft.com/fr-fr/lifecycle/faq/internet-explorer-microsoft-edge; metadata:created_at 2022_06_16, updated_at 2022_11_28; sid:3300013; rev:3; classtype:policy-violation;)
### Powershell ###
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from Powershell 🕵♂️"; flow:to_server, stateless; http.user_agent; content:"WindowsPowerShell/"; nocase; metadata:created_at 2021_05_08, updated_at 2022_06_11; sid:3300014; rev:7; classtype:policy-violation;)
### Systèmes d'exploitation Windows obsolètes ###
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 possible 🪟 Windows XP or Windows Server 2003"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 5.1"; fast_pattern; nocase; content:!"compatible|3B| FCT"; nocase; reference:url,https://www.microsoft.com/fr-fr/microsoft-365/windows/end-of-windows-xp-support; metadata:created_at 2021_03_22, updated_at 2023_10_30; sid:3300015; rev:8; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 possible 🪟 Windows 2000"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 5.0"; nocase; reference:url,https://techcommunity.microsoft.com/t5/ask-the-performance-team/heads-up-end-of-life-support-for-windows-2000-and-windows-xp-sp2/ba-p/374486; metadata:created_at 2021_04_30, updated_at 2022_06_11; sid:3300016; rev:5; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 possible 🪟 Windows 98"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows 98"; nocase; reference:url,https://web.archive.org/web/20160106223642/https://support.microsoft.com/en-us/lifecycle?sort=ES&alpha=Windows%2098; metadata:created_at 2021_03_22, updated_at 2022_06_11; sid:3300017; rev:5; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 possible 🪟 Windows 7 or Windows Server 2008"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 6.1"; fast_pattern; nocase; reference:url,https://learn.microsoft.com/en-us/lifecycle/products/windows-7?branch=live; metadata:created_at 2023_01_30, updated_at 2023_08_25; sid:3300018; rev:3; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 possible (if not LTSC version) unsupported 🪟 Windows 10 version 1507"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 10.0"; fast_pattern; nocase; content:"10.0.0.0.10240"; nocase; reference:url,https://en.wikipedia.org/wiki/Windows_10_version_history; reference:url,https://endoflife.date/windows; metadata:created_at 2023_02_03, updated_at 2023_02_03; sid:3300019; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 unsupported 🪟 Windows 10 version 1511"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 10.0"; fast_pattern; nocase; content:"10.0.0.0.10586"; nocase; reference:url,https://en.wikipedia.org/wiki/Windows_10_version_history; reference:url,https://endoflife.date/windows; metadata:created_at 2023_02_03, updated_at 2023_02_03; sid:3300020; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 possible (if not LTSC version) unsupported 🪟 Windows 10 version 1607"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 10.0"; fast_pattern; nocase; content:"10.0.0.0.14393"; nocase; reference:url,https://en.wikipedia.org/wiki/Windows_10_version_history; reference:url,https://endoflife.date/windows; metadata:created_at 2023_02_03, updated_at 2023_10_04; sid:3300021; rev:2; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 unsupported 🪟 Windows 10 version 1703"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 10.0"; fast_pattern; nocase; content:"10.0.0.0.15063"; nocase; reference:url,https://en.wikipedia.org/wiki/Windows_10_version_history; reference:url,https://endoflife.date/windows; metadata:created_at 2023_02_03, updated_at 2023_02_03; sid:3300022; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 unsupported 🪟 Windows 10 version 1709"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 10.0"; fast_pattern; nocase; content:"10.0.0.0.16299"; nocase; reference:url,https://en.wikipedia.org/wiki/Windows_10_version_history; reference:url,https://endoflife.date/windows; metadata:created_at 2023_02_03, updated_at 2023_02_03; sid:3300023; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 unsupported 🪟 Windows 10 version 1803"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 10.0"; fast_pattern; nocase; content:"10.0.0.0.17134"; nocase; reference:url,https://en.wikipedia.org/wiki/Windows_10_version_history; reference:url,https://endoflife.date/windows; metadata:created_at 2023_02_03, updated_at 2023_02_03; sid:3300024; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 unsupported (if not LTSC version) 🪟 Windows 10 version 1809"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 10.0"; fast_pattern; nocase; content:"10.0.0.0.17763"; nocase; reference:url,https://en.wikipedia.org/wiki/Windows_10_version_history; reference:url,https://endoflife.date/windows; metadata:created_at 2023_02_03, updated_at 2023_02_03; sid:3300025; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 unsupported 🪟 Windows 10 version 1903"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 10.0"; fast_pattern; nocase; content:"10.0.0.0.18362"; nocase; reference:url,https://en.wikipedia.org/wiki/Windows_10_version_history; reference:url,https://endoflife.date/windows; metadata:created_at 2023_02_03, updated_at 2023_02_03; sid:3300026; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 unsupported 🪟 Windows 10 version 1909"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 10.0"; fast_pattern; nocase; content:"10.0.0.0.18363"; nocase; reference:url,https://en.wikipedia.org/wiki/Windows_10_version_history; reference:url,https://endoflife.date/windows; metadata:created_at 2023_02_03, updated_at 2023_02_03; sid:3300027; rev:1; classtype:policy-violation;)
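# Windows 10 version 2004 (build 19041).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 unsupported 🪟 Windows 10 version 2004"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 10.0"; fast_pattern; nocase; content:"10.0.0.0.19041"; nocase; reference:url,https://en.wikipedia.org/wiki/Windows_10_version_history; reference:url,https://endoflife.date/windows; metadata:created_at 2023_02_03, updated_at 2023_02_03; sid:3300028; rev:1; classtype:policy-violation;)
# sid:3300029 disabled: it was a byte-for-byte copy of sid:3300028 (same msg, same "10.0.0.0.19041"
# match for Windows 10 version 2004), so one matching client raised two identical alerts per day.
# Kept here commented out so the sid is not silently reused for an unrelated rule.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 unsupported 🪟 Windows 10 version 2004"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 10.0"; fast_pattern; nocase; content:"10.0.0.0.19041"; nocase; reference:url,https://en.wikipedia.org/wiki/Windows_10_version_history; reference:url,https://endoflife.date/windows; metadata:created_at 2023_02_03, updated_at 2023_02_03; sid:3300029; rev:1; classtype:policy-violation;)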
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 unsupported 🪟 Windows 10 version 21H1"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 10.0"; fast_pattern; nocase; content:"10.0.0.0.19043"; nocase; reference:url,https://en.wikipedia.org/wiki/Windows_10_version_history; reference:url,https://endoflife.date/windows; metadata:created_at 2023_02_03, updated_at 2023_02_03; sid:3300030; rev:1; classtype:policy-violation;)
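# Windows 10 version 20H2 (build 19042). The msg still announced the 2023/05/09 end-of-support date
# as a future event although other rules in this file carry updated_at values from 2024; reworded
# as past tense so the alert text is not misleading, rev bumped (set updated_at to the commit date).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 👴 unsupported (since 2023/05/09) 🪟 Windows 10 version 20H2"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Windows NT 10.0"; fast_pattern; nocase; content:"10.0.0.0.19042"; nocase; reference:url,https://en.wikipedia.org/wiki/Windows_10_version_history; reference:url,https://endoflife.date/windows; metadata:created_at 2023_02_03, updated_at 2023_02_03; sid:3300031; rev:2; classtype:policy-violation;)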
### Ordinateurs non Windows ###
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 🐧 Linux"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|X11|3B|"; fast_pattern; nocase; content:"Linux"; nocase; content:!"Mozilla/5.0 |28|X11|3B| Linux x86_64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/60.0.3112.32 Safari/537.36"; metadata:created_at 2021_04_26, updated_at 2023_10_30; sid:3300032; rev:7; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 🐧 FreeBSD"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|X11|3B|"; fast_pattern; nocase; content:"FreeBSD"; nocase; metadata:created_at 2022_05_03, updated_at 2023_10_30; sid:3300033; rev:3; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 🐧 OpenBSD"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|X11|3B|"; fast_pattern; nocase; content:"OpenBSD"; nocase; metadata:created_at 2022_05_03, updated_at 2023_10_30; sid:3300034; rev:3; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 🐧 Ubuntu"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|X11|3B|"; fast_pattern; nocase; content:"Ubuntu"; nocase; metadata:created_at 2022_05_03, updated_at 2023_10_30; sid:3300035; rev:3; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 🐧 Debian"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|X11|3B|"; fast_pattern; nocase; content:"Debian"; nocase; metadata:created_at 2022_05_03, updated_at 2023_10_30; sid:3300036; rev:3; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from ☀ SunOS"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|X11|3B|"; fast_pattern; nocase; content:"SunOS"; nocase; metadata:created_at 2022_05_03, updated_at 2023_10_30; sid:3300037; rev:3; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 🐧 Mageia Linux"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"aria2/"; nocase; http.uri; content:"/mageia"; fast_pattern; nocase; reference:url,https://www.mageia.org/fr/; metadata:created_at 2021_04_30, updated_at 2024_02_15; sid:3300038; rev:6; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 APT package management 🐧 Parrot Linux"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"parrot.sh"; fast_pattern; http.user_agent; content:"APT-HTTP|2F|"; nocase; reference:url,https://parrotlinux.org/; metadata:created_at 2021_05_08, updated_at 2023_01_29; sid:3300039; rev:10; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 APT package management 🐧 Kali Linux"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"kali.org"; http.user_agent; content:"APT-HTTP|2F|"; fast_pattern; nocase; reference:url,https://kali.org/; metadata:created_at 2021_05_08, updated_at 2023_07_25; sid:3300040; rev:11; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 🍏 macOS"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|Macintosh|3B|"; nocase; metadata:created_at 2021_04_26, updated_at 2022_06_11; sid:3300041; rev:5; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 APT package management 🐧 Raspberry Pi - Raspbian"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"raspberrypi.org"; http.user_agent; content:"APT-HTTP|2F|"; nocase; reference:url,https://www.raspberrypi.org/; metadata:created_at 2022_03_19, updated_at 2022_06_11; sid:3300042; rev:6; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 APT package management 👨💻 Metasploit"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"downloads.metasploit.com"; http.user_agent; content:"APT-HTTP|2F|"; nocase; reference:url,https://www.metasploit.com/; metadata:created_at 2022_03_19, updated_at 2022_06_11; sid:3300043; rev:6; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 APT package management 🐧 Linux Mint"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"packages.linuxmint.com"; http.user_agent; content:"APT-HTTP|2F|"; nocase; reference:url,https://linuxmint.com/; metadata:created_at 2022_03_19, updated_at 2022_06_11; sid:3300044; rev:5; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 APT package management 🐧 Debian"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"deb.debian.org"; http.user_agent; content:"APT-HTTP|2F|"; nocase; reference:url,https://www.debian.org/; metadata:created_at 2022_03_20, updated_at 2022_06_11; sid:3300045; rev:4; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 APT package management 📦 Docker"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"download.docker.com"; http.user_agent; content:"APT-HTTP|2F|"; nocase; reference:url,https://www.docker.com/; metadata:created_at 2022_05_06, updated_at 2022_06_11; sid:3300046; rev:2; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 APT package management 🪟 Microsoft repository"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"packages.microsoft.com"; http.user_agent; content:"APT-HTTP|2F|"; nocase; reference:url,https://docs.microsoft.com/en-us/windows-server/administration/linux-package-repository-for-microsoft-software; metadata:created_at 2022_06_11, updated_at 2022_06_11; sid:3300047; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 🐧 Linux 👣 GNOME"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|X11|3B|"; fast_pattern; nocase; content:"GNOME Shell"; nocase; metadata:created_at 2024_05_26, updated_at 2024_05_26; sid:3321267; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 IPFinder 👣 GNOME extension"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|X11|3B|"; fast_pattern; nocase; content:"GNOME Shell"; nocase; content:"IP_Finder"; nocase; reference:url,https://extensions.gnome.org/extension/2983/ip-finder/; metadata:created_at 2024_05_26, updated_at 2024_05_26; sid:3321268; rev:1; classtype:policy-violation;)
### Terminaux mobiles ###
# iOS 15 version gate on the App Store client UA ("itunesstored/..." at the start of the UA). Alerts
# on any "iOS/15..." token that is not exactly "iOS/15.7.9": that covers every 15.x below 15.7.9, but
# also any 15.x release newer than 15.7.9 shipped after this rule's updated_at date, until the
# negation is refreshed. No reference: URL is attached — consider adding the vendor security page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 iOS 🍏 15 vulnerable if version < 15.7.9"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"itunesstored/"; nocase; startswith; fast_pattern; content:"iOS/15"; nocase; content:!"iOS/15.7.9"; nocase; metadata:created_at 2022_09_25, updated_at 2023_09_13; sid:3300048; rev:11; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 📱 BlackBerry"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"BlackBerry"; nocase; metadata:created_at 2021_05_12, updated_at 2022_06_11; sid:3300049; rev:5; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 📱 Android 🤖"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|Linux"; fast_pattern; nocase; content:"Android"; nocase; metadata:created_at 2021_05_12, updated_at 2023_10_30; sid:3300050; rev:8; classtype:policy-violation;)
# Android version gate. "Android 10" .. "Android 13" are treated as current; any other version token
# alerts — older releases, but also releases newer than 13 until this list is extended. The negated
# "Android;" (|3b|) skips UAs that give no version at all, so they are neither flagged nor whitelisted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Android 🤖 outdated 👴 and vulnerable version"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|Linux"; fast_pattern; nocase; content:"Android"; nocase; content:!"Android|3b|"; nocase; content:!"Android 10"; nocase; content:!"Android 11"; nocase; content:!"Android 12"; nocase; content:!"Android 13"; nocase; reference:url,https://developer.android.com/about/versions/; reference:url,https://en.wikipedia.org/wiki/Android_version_history; metadata:created_at 2022_08_07, updated_at 2023_10_30; sid:3300051; rev:2; classtype:policy-violation;)
# Captive-portal / connectivity probes. These are emitted automatically by the OS, so they mostly
# confirm that a mobile device joined the network; purely informational, one alert per source per day.
# Android: host contains "connectivitycheck" and the UA is the fixed Chrome/60.0.3112.32 string the
# probe uses (matched exactly, ending in "Safari/537.36").
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connectivity Check from 📱 Android 🤖"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"connectivitycheck"; nocase; http.user_agent; content:"Mozilla/5.0"; nocase; content:"Linux"; nocase; content:"Chrome/60.0.3112.32"; fast_pattern; nocase; content:"Safari/537.36"; endswith; metadata:created_at 2022_03_18, updated_at 2023_10_30; sid:3300052; rev:10; classtype:policy-violation;)
# Apple: captive.apple.com probe with a UA starting with "CaptiveNetworkSupport".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connectivity Check from 📱 iPhone, iPad or iPod 🍏"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"captive.apple.com"; nocase; http.user_agent; content:"CaptiveNetworkSupport"; fast_pattern; startswith; nocase; metadata:created_at 2022_05_20, updated_at 2023_10_30; sid:3300053; rev:4; classtype:policy-violation;)
# Apple / BlackBerry device inventory by browser UA prefix (client-controlled, spoofable).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 📱 iPhone 🍏"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|iPhone|3B| CPU iPhone OS"; nocase; metadata:created_at 2021_05_12, updated_at 2022_06_11; sid:3300054; rev:5; classtype:policy-violation;)
# "iPod" is matched anywhere in the UA (nocase) - broader than the iPhone/iPad prefixes above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ from 📱 iPod 🍏"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"iPod"; nocase; metadata:created_at 2021_05_12, updated_at 2022_06_11; sid:3300055; rev:6; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ from 📱 iPad 🍏"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|iPad|3B| CPU OS"; nocase; metadata:created_at 2021_05_12, updated_at 2022_06_11; sid:3300056; rev:5; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ from 📱 BlackBerry PlayBook"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|PlayBook|3B| U|3B|"; nocase; metadata:created_at 2021_05_12, updated_at 2022_06_11; sid:3300057; rev:5; classtype:policy-violation;)
### Consoles de jeu ###
# Game-console inventory by UA prefix; one alert per source per day. UA is spoofable.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 🎮 Playstation"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|PlayStation"; nocase; metadata:created_at 2021_04_29, updated_at 2023_10_30; sid:3300058; rev:5; classtype:policy-violation;)
# Xbox: "XBOX" is matched anywhere in a Mozilla/5.0 UA (nocase), not as a prefix like the others.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 🎮 Xbox"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0"; fast_pattern; nocase; content:"XBOX"; nocase; metadata:created_at 2021_04_29, updated_at 2023_10_30; sid:3300059; rev:5; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP Connection ➡ Internet from 🕹 Nintendo"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0 |28|Nintendo"; nocase; metadata:created_at 2021_04_29, updated_at 2023_10_30; sid:3300060; rev:5; classtype:policy-violation;)
### WebTV ###
# WebTV applications and streaming devices, identified by UA substrings; one alert per source per day.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 WebTV Application 📺 Molotov"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0"; fast_pattern; content:"molotov/"; nocase; reference:url,https://www.molotov.tv/; metadata:created_at 2021_04_29, updated_at 2023_10_30; sid:3300061; rev:5; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 WebTV Application 📺 CapTVty"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Captvty/"; nocase; reference:url,http://captvty.fr/; metadata:created_at 2021_09_11, updated_at 2022_06_11; sid:3300062; rev:4; classtype:policy-violation;)
# Chromecast: "CrKey/" token in a Mozilla/5.0 UA.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 WebTV Device 📺 Chromecast"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0"; fast_pattern; content:"crkey/"; nocase; reference:url,https://store.google.com/product/chromecast; metadata:created_at 2021_05_09, updated_at 2023_10_30; sid:3300063; rev:5; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 WebTV Device 📺 Dreambox"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0"; fast_pattern; content:"Dreambox"; nocase; reference:url,https://www.dreambox.com/; metadata:created_at 2021_05_09, updated_at 2023_10_30; sid:3300064; rev:5; classtype:policy-violation;)
# Apple TV: the "AppleCoreMedia/" prefix is case-sensitive (no nocase), "Apple TV" is not.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 WebTV Device 📺 AppleTV"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"AppleCoreMedia/"; fast_pattern; content:"Apple TV"; nocase; reference:url,https://www.apple.com/tv/; metadata:created_at 2021_05_09, updated_at 2023_10_30; sid:3300065; rev:5; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 WebTV Device 📺 Mi Box"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"MIBOX"; nocase; reference:url,https://www.mi.com/us/mibox/; metadata:created_at 2021_05_09, updated_at 2023_10_30; sid:3300066; rev:5; classtype:policy-violation;)
# Single hardware model string for an interactive display; very specific, low false-positive risk.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 WebTV Device 📺 iiyama ProLite TE8603MIS-B1AG"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"W86IC-LGA511A-G"; nocase; reference:url,https://iiyama.com/fr_fr/produits/prolite-te8603mis-b1ag/; metadata:created_at 2021_06_03, updated_at 2023_10_30; sid:3300067; rev:5; classtype:policy-violation;)
# Windows Media Center: the "Media Center PC x.y" UA token maps to the host OS generation
# (6.0 = Windows 7, 5.1 = TV Pack, 5.0 = Vista, 4.0/3.0/2.8 = XP per the referenced SDK page).
# All of these are end-of-life platforms, hence the policy alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Windows Media Center 📺 Windows 7"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Media Center PC 6.0"; nocase; reference:url,https://docs.microsoft.com/en-us/previous-versions/windows/desktop/windows-media-center-sdk/ms815274(v=msdn.10); metadata:created_at 2021_07_20, updated_at 2022_06_11; sid:3300068; rev:4; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Windows Media Center 📺 TV Pack"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Media Center PC 5.1"; nocase; reference:url,https://docs.microsoft.com/en-us/previous-versions/windows/desktop/windows-media-center-sdk/ms815274(v=msdn.10); metadata:created_at 2021_07_20, updated_at 2022_06_11; sid:3300069; rev:4; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Windows Media Center 📺 Windows Vista"; flow:to_server, stateless;threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Media Center PC 5.0"; nocase; reference:url,https://docs.microsoft.com/en-us/previous-versions/windows/desktop/windows-media-center-sdk/ms815274(v=msdn.10); metadata:created_at 2021_07_20, updated_at 2022_06_11; sid:3300070; rev:4; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Windows Media Center 📺 Windows XP"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Media Center PC 4.0"; nocase; reference:url,https://docs.microsoft.com/en-us/previous-versions/windows/desktop/windows-media-center-sdk/ms815274(v=msdn.10); metadata:created_at 2021_07_20, updated_at 2022_06_11; sid:3300071; rev:4; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Windows Media Center 📺 Windows XP"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Media Center PC 3.0"; nocase; reference:url,https://docs.microsoft.com/en-us/previous-versions/windows/desktop/windows-media-center-sdk/ms815274(v=msdn.10); metadata:created_at 2021_07_20, updated_at 2022_06_11; sid:3300072; rev:4; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Windows Media Center 📺 Windows XP"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Media Center PC 2.8"; nocase; reference:url,https://docs.microsoft.com/en-us/previous-versions/windows/desktop/windows-media-center-sdk/ms815274(v=msdn.10); metadata:created_at 2021_07_20, updated_at 2022_06_11; sid:3300073; rev:4; classtype:policy-violation;)
# Catch-all for "Media Center" tokens not covered above: after "Media Center" (12 bytes) matches,
# distance:-13 rewinds the cursor to just before it, and the negated "Media Center PC" then
# requires that the longer token is absent from that point on. Net effect: UA contains
# "Media Center" but not "Media Center PC", so this does not double-fire with sids 3300068-3300073.
# The msg still says "Windows XP" although the OS cannot be inferred from this form of the token.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Windows Media Center 📺 Windows XP"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Media Center"; fast_pattern; nocase; content:!"Media Center PC"; distance:-13; nocase; reference:url,https://docs.microsoft.com/en-us/previous-versions/windows/desktop/windows-media-center-sdk/ms815274(v=msdn.10); metadata:created_at 2021_07_20, updated_at 2023_10_30; sid:3300074; rev:5; classtype:policy-violation;)
### Applications ###
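# iTunes for Windows: UA contains "iTunes" and "windows" but neither "ios" nor "mac".
# In Suricata a modifier applies to the preceding content only, so the original
# `content:"windows"; fast_pattern; content:!"ios"; nocase;` left "windows" case-SENSITIVE
# (the nocase belonged to "!ios"). The shipped iTunes UA reportedly writes "Windows" with a
# capital W, which that form would never match; "windows" is now nocase like every other content.
# One alert per source per day.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Application iTunes 🍎 for Windows 🪟"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"iTunes"; nocase; content:"windows"; fast_pattern; nocase; content:!"ios"; nocase; content:!"mac"; nocase; reference:url,https://www.apple.com/itunes/; metadata:created_at 2021_05_09, updated_at 2023_05_14; sid:3300075; rev:7; classtype:policy-violation;)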
# Unified-communications clients talking to the Internet ("OC/" is the Office Communicator UA
# prefix used by Lync / Skype for Business; Pidgin with the SIPE plugin identifies as Purple/ + Sipe/).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Skype for Business / Enterprise 💬 ➡ external connection"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"OC/"; nocase; content:"Skype for Business"; fast_pattern; nocase; reference:url,https://fr.wikipedia.org/wiki/Skype_Entreprise; metadata:created_at 2021_07_14, updated_at 2023_10_30; sid:3300076; rev:6; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Lync (Skype for Business / Enterprise) 💬 ➡ external connection"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"OC/"; nocase; content:"Microsoft Lync"; fast_pattern; nocase; reference:url,https://fr.wikipedia.org/wiki/Skype_Entreprise; metadata:created_at 2021_07_14, updated_at 2023_10_30; sid:3300077; rev:7; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Pidgin 💬 ➡ external connection"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Purple/"; fast_pattern; nocase; content:"Sipe/"; nocase; reference:url,https://www.pidgin.im; metadata:created_at 2021_07_14, updated_at 2023_10_30; sid:3300078; rev:6; classtype:policy-violation;)
# NetTime update check: generic "Mozilla/3.0 (compatible)" UA is only meaningful together with
# the www.timesynctool.com host, hence both conditions.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 NetTime - ⏲ NTP Tool for Windows"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"www.timesynctool.com"; nocase; http.user_agent; content:"Mozilla/3.0 |28|compatible|29|"; fast_pattern; nocase; reference:url,https://www.timesynctool.com/; metadata:created_at 2021_07_26, updated_at 2023_10_30; sid:3300079; rev:6; classtype:policy-violation;)
# End-of-support Office builds, identified by the "MSOffice 12" (2007) / "MSOffice 14" and
# "Microsoft Office/14.0" (2010) UA tokens. These products no longer receive security fixes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Microsoft Office 2007 📚 - outdated and vulnerable version"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/4.0"; fast_pattern; nocase; content:"MSOffice 12"; nocase; reference:url,https://docs.microsoft.com/en-us/lifecycle/announcements/office-2007-end-of-support; metadata:created_at 2021_11_08, updated_at 2023_10_30; sid:3300080; rev:3; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Microsoft Office 2010 📚 - outdated and vulnerable version"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/4.0"; fast_pattern; nocase; content:"MSOffice 14"; nocase; reference:url,https://docs.microsoft.com/en-us/deployoffice/endofsupport/office-2010-end-support-roadmap; metadata:created_at 2021_11_08, updated_at 2023_10_30 ; sid:3300081; rev:3; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Microsoft Office 2010 📚 - outdated and vulnerable version"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Microsoft Office/14.0"; nocase; reference:url,https://docs.microsoft.com/en-us/deployoffice/endofsupport/office-2010-end-support-roadmap; metadata:created_at 2021_11_08, updated_at 2022_06_11 ; sid:3300082; rev:2; classtype:policy-violation;)
# Thunderbird: "< 115.12" is implemented as "Thunderbird/ present, Thunderbird/115.12 absent".
# Any release newer than the pinned one (a later 115.x or a new major) is therefore reported as
# vulnerable until the negated string is bumped - this rule needs updating on every Thunderbird
# release (rev:53 reflects that). Only a version-equality check, not a real comparison.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Thunderbird 🕊 Email client 📧 potentially vulnerable if version < 115.12"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0"; nocase; content:"Thunderbird/"; fast_pattern; nocase; content:!"Thunderbird/115.12"; nocase; reference:url,https://www.thunderbird.net/; metadata:created_at 2022_02_15, updated_at 2024_06_27; sid:3300083; rev:53; classtype:policy-violation;)
# ngrok agent: a Go HTTP client fetching crl.ngrok.com (the agent's CRL check). No threshold, so
# every such request alerts - intended, since any ngrok use from $HOME_NET is worth a look.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Ngrok SSL Tunnel tool 🌐 - Possible file exfiltration 🗃 - Tool liked by Daixin Team / Conti Group 👿"; flow:to_server, stateless; http.host.raw; content:"crl.ngrok.com"; http.user_agent; content:"Go-http-client/"; fast_pattern; nocase; reference:url,https://ngrok.com/download; reference:url,https://www.cisa.gov/uscert/ncas/alerts/aa22-294a; metadata:created_at 2022_10_21, updated_at 2022_10_31; sid:3300084; rev:2; classtype:policy-violation;)
# Cortana: "Windows" and "Edge/" are case-sensitive here, only "Cortana" has nocase.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Windows Cortana assistant enabled"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0"; fast_pattern; content:"Windows"; content:"Edge/"; content:"Cortana"; nocase; reference:url,https://support.microsoft.com/en-us/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825; reference:url,https://www.thewindowsclub.com/disable-turn-off-cortana-windows-10; metadata:created_at 2023_02_03, updated_at 2023_02_03; sid:3300085; rev:1; classtype:policy-violation;)
# SoftPerfect Network Scanner update check (host + version.txt URI). A legitimate admin tool that
# is also popular for internal recon; the alert is the scanner's own update ping, not scan traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 SoftPerfect Network Scanner"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"www.softperfect.com"; nocase; http.uri; content:"/products/networkscanner/version.txt"; fast_pattern; nocase; reference:url,https://www.softperfect.com/products/networkscanner/; metadata:created_at 2023_06_28, updated_at 2024_02_15; sid:3300086; rev:2; classtype:policy-violation;)
# VLC update ping: same equality-as-"<" caveat as Thunderbird above - the negated "3.0.21" is
# still in the http.user_agent buffer (sticky buffer), and any version newer than the pinned one
# is flagged until the string is bumped. "3.0.21" is case-sensitive; that is fine for digits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 VLC Media Player 🎬 potentially vulnerable if version < 3.0.21"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"update.videolan.org"; endswith; fast_pattern; http.user_agent; content:"VLC/"; nocase; content:!"3.0.21";reference:url,https://www.videolan.org/security/; metadata:created_at 2023_07_11, updated_at 2024_06_12; sid:3300087; rev:4; classtype:policy-violation;)
# Office applications issuing their own HTTP HEAD (UA starts with "Microsoft Office <App>").
# No threshold: every HEAD alerts, which is intended for triage of links followed from documents
# but can be chatty in environments where users routinely click hyperlinks in Office files.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP connexion to Internet 🌐 initiated from Microsoft Excel 📗 - Possible malicious link 👿"; flow:to_server, stateless; http.user_agent; content:"Microsoft Office Excel"; fast_pattern; startswith; nocase; http.method; content:"HEAD"; metadata:created_at 2023_08_09, updated_at 2023_08_09 ; sid:3300088; rev:2; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP connexion to Internet 🌐 initiated from Microsoft Word 📘 - Possible malicious link 👿"; flow:to_server, stateless; http.user_agent; content:"Microsoft Office Word"; fast_pattern; startswith; nocase; http.method; content:"HEAD"; metadata:created_at 2023_08_09, updated_at 2023_08_09 ; sid:3300089; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 HTTP connexion to Internet 🌐 initiated from Microsoft PowerPoint 📙 - Possible malicious link 👿"; flow:to_server, stateless; http.user_agent; content:"Microsoft Office PowerPoint"; fast_pattern; startswith; nocase; http.method; content:"HEAD"; metadata:created_at 2023_08_09, updated_at 2023_08_09 ; sid:3300090; rev:1; classtype:policy-violation;)
### Portable Apps ###
# PortableApps updater: identifies itself with a "Wget/" UA against portableapps.com. Note that
# the generic Wget rule (sid 3300110, no threshold) fires on the same requests, so expect both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 PortableApps 💾 Update"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"portableapps.com"; fast_pattern; nocase; http.user_agent; content:"Wget/"; nocase; reference:url,https://portableapps.com/; metadata:created_at 2021_04_29, updated_at 2022_11_24; sid:3300091; rev:12; classtype:policy-violation;)
### Outils offensifs ###
# Offensive tooling by default User-Agent. any -> any so both inbound and lateral scans are seen.
# All of these are defeated by the trivial "-A"/"--user-agent" override every tool offers; they
# catch the careless, not the careful. No threshold: one alert per request.
alert http any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 NMAP 👨💻 (HTTP)"; flow:to_server, stateless; http.user_agent; content:"Mozilla/5.0 |28|compatible|3B| Nmap Scripting Engine"; nocase; reference:url,https://nmap.org/; metadata:created_at 2021_05_25, updated_at 2022_06_11; sid:3300092; rev:6; classtype:policy-violation;)
alert http any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 MASSCAN 👨💻 (HTTP)"; flow:to_server, stateless; http.user_agent; content:"masscan/"; nocase; reference:url,https://github.com/robertdavidgraham/masscan; metadata:created_at 2021_05_25, updated_at 2022_06_11; sid:3300093; rev:6; classtype:policy-violation;)
alert http any any -> any any (msg:"🐾 - 🚨 HTTP 🕵 scan 🎩 Faraday 👨💻"; flow:to_server, stateless; http.user_agent; content:"Faraday"; nocase; reference:url,https://faradaysec.com/; metadata:created_at 2022_08_08, updated_at 2022_08_08; sid:3300094; rev:1; classtype:policy-violation;)
alert http any any -> any any (msg:"🐾 - 🚨 HTTP 🕵 scan 🎩 WPScan 👨💻"; flow:to_server, stateless; http.user_agent; content:"WPScan"; nocase; reference:url,https://wpscan.com/wordpress-security-scanner; metadata:created_at 2022_08_08, updated_at 2022_08_08; sid:3300095; rev:1; classtype:policy-violation;)
# WIG: the hex is the tool's hard-coded browser-looking UA, decoded:
#   "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36"
# Exact byte match (no nocase). A genuine Chrome 37 on Windows 8.1 would present the same string,
# hence "Possible" in the msg.
alert http any any -> any any (msg:"🐾 - 🚨 Possible HTTP 🕵 scan 🎩 WebApp Information Gatherer (WIG) 👨💻"; flow:to_server, stateless; http.user_agent; content:"|4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 33 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 33 37 2e 30 2e 32 30 34 39 2e 30 20 53 61 66 61 72 69 2f 35 33 37 2e 33 36|"; reference:url,https://github.com/jekyc/wig; metadata:created_at 2022_08_08, updated_at 2022_08_08; sid:3300096; rev:2; classtype:policy-violation;)
# Joomscan: hex decodes to the tool's default UA
#   "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
# - a 2006-era Firefox string no real client should still send; exact byte match.
alert http any any -> any any (msg:"🐾 - 🚨 Possible HTTP 🕵 scan 🎩 Joomscan 👨💻"; flow:to_server, stateless; http.user_agent; content:"|4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 65 6e 2d 55 53 3b 20 72 76 3a 31 2e 38 2e 30 2e 35 29 20 47 65 63 6b 6f 2f 32 30 30 36 30 37 31 39 20 46 69 72 65 66 6f 78 2f 31 2e 35 2e 30 2e 35|"; reference:url,https://github.com/OWASP/joomscan; metadata:created_at 2022_08_08, updated_at 2022_08_08; sid:3300097; rev:1; classtype:policy-violation;)
# PCHunter (kernel-level admin/anti-rootkit tool abused to kill EDR): UA match is case-sensitive.
alert http any any -> any any (msg:"🐾 - 🚨 PCHunter - Suspicious Windows 🪟 administration toolkit 🧰 - liked by Lockbit group 👿"; flow:to_server, stateless; http.user_agent; content:"PCHunter"; reference:url,https://www.majorgeeks.com/files/details/pc_hunter.html; reference:url,https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html; reference:url,https://unit42.paloaltonetworks.com/lockbit-2-ransomware/; metadata:created_at 2022_09_18, updated_at 2022_09_18; sid:3300098; rev:1; classtype:policy-violation;)
alert http any any -> any any (msg:"🐾 - 🚨 Possible HTTP 🕵 scan 🎩 Nikto 👨💻"; flow:to_server, stateless; http.user_agent; content:"Nikto/"; nocase; reference:url,https://cirt.net/nikto2; metadata:created_at 2022_11_24, updated_at 2022_11_24; sid:3300099; rev:1; classtype:policy-violation;)
# Nikto self-update: an EMPTY User-Agent header ("User-Agent: \r\n", matched in the raw header
# block because http.user_agent has nothing to match on) to a host ending in cirt.net with /nikto
# in the URI. The endswith on "cirt.net" is a bare suffix test, acceptable for a positive match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Update attempt for 🎩 Nikto 👨💻"; flow:to_server, stateless; http.header; content:"User-Agent|3a 20 0d 0a|"; fast_pattern; http.host.raw; content:"cirt.net"; endswith; nocase; http.uri; content:"/nikto"; reference:url,https://cirt.net/nikto2; metadata:created_at 2022_11_24, updated_at 2022_11_24; sid:3300100; rev:1; classtype:policy-violation;)
### TOR et VPN ###
# Torifier (Windows Tor wrapper) by UA; one alert per source per hour.
alert http any any -> any any (msg:"🐾 - 🚨 Suspicious connection ➡ Torifier 🐸 - TOR bundle tool for Windows 🕶"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.user_agent; content:"Torifier"; nocase; reference:url,https://torifier.com/faq.html#q1; metadata:created_at 2021_08_17, updated_at 2022_06_11; sid:3300101; rev:4; classtype:policy-violation;)
# IKEv1 (ISAKMP, UDP/500). "|01 10|" is next-payload 0x01 (SA) followed by version 0x10 (IKE 1.0)
# as they sit in the ISAKMP header - but it is not anchored with offset/depth, so it can also
# match those two bytes elsewhere in the datagram. The 16-byte trailer is the RFC 3947 NAT-T
# Vendor ID (MD5 of "RFC 3947"), required to be the last bytes of the payload (endswith).
# flow:to_client keeps the responder-side packet. NOTE(review): this is a phase-1 negotiation
# message that advertises IKEv1 + NAT-T; it does not prove the SA was "established" as the msg
# says - "IKEv1 negotiation" would be the accurate wording. IKEv1 over UDP/4500 (NAT-T float,
# with the 4-byte non-ESP marker) is not covered by this rule.
alert udp any 500 -> any 500 (msg:"🐾 - 🚨 Deprecated IKEv1 established connection"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 60; content:"|01 10|"; content:"|4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f|"; fast_pattern; endswith; reference:url,https://datatracker.ietf.org/doc/html/rfc3947; reference:url,https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-ipsec-pour-la-protection-des-flux-reseau/; metadata:created_at 2022_08_08, updated_at 2022_11_24; sid:3300102; rev:2; classtype:policy-violation;)
### Autres navigateurs ###
# Non-mainstream browsers and programmatic HTTP clients leaving $HOME_NET. UA-based, spoofable.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Lynx text Browser 🌐"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Lynx/"; nocase; reference:url,https://lynx.browser.org/; metadata:created_at 2021_08_03, updated_at 2022_06_13; sid:3300103; rev:4; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Elinks text Browser 🌐"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"ELinks/"; nocase; reference:url,http://elinks.cz/; metadata:created_at 2021_08_03, updated_at 2022_06_13; sid:3300104; rev:4; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Netscape 👴 Navigator 🌐"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Netscape/"; nocase; reference:url,https://fr.wikipedia.org/wiki/Netscape_Navigator; metadata:created_at 2021_08_03, updated_at 2022_06_13; sid:3300105; rev:4; classtype:policy-violation;)
# Legacy (Presto-era) Opera announced itself as "Opera/x" or with a trailing " Opera x" token;
# the Chromium-based Opera uses "OPR/" inside a Chrome UA and gets its own, non-"old" rule below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Opera Browser 🌐 Old version 👴"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Opera/"; nocase; reference:url,https://www.opera.com/; metadata:created_at 2021_08_03, updated_at 2022_06_13; sid:3300106; rev:4; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Opera Browser 🌐 Old version 👴"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:" Opera "; nocase; reference:url,https://www.opera.com/; metadata:created_at 2021_10_01, updated_at 2022_06_13; sid:3300107; rev:4; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Opera Browser 🌐"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/5.0"; fast_pattern; nocase; content:"Chrome/"; nocase; content:"OPR/"; nocase; reference:url,https://www.opera.com/; metadata:created_at 2021_08_03, updated_at 2023_10_30; sid:3300108; rev:5; classtype:policy-violation;)
# curl / Wget / Go default UAs: NO threshold, so these alert on every single request. In
# environments with scripted downloads, package managers or Go-based agents this is high volume;
# consider a per-source threshold or suppress lists before enabling.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Curl User Agent 🌐"; flow:to_server, stateless; http.user_agent; content:"curl/"; nocase; reference:url,https://curl.se/; metadata:created_at 2021_08_04, updated_at 2022_06_13; sid:3300109; rev:5; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Wget Client 🌐"; flow:to_server, stateless; http.user_agent; content:"Wget/"; nocase; reference:url,https://fr.wikipedia.org/wiki/GNU_Wget; metadata:created_at 2021_08_09, updated_at 2022_06_13; sid:3300110; rev:5; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Go HTTP Client 🌐"; flow:to_server, stateless; http.user_agent; content:"Go-http-client/"; nocase; reference:url,https://golangexample.com/http-client-for-golang/; metadata:created_at 2021_08_21, updated_at 2022_06_13; sid:3300111; rev:5; classtype:policy-violation;)
# Python HTTP libraries (default UAs "Python-urllib/x.y" and "python-requests/x.y"), daily limit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Python 🐍 urllib module 🌐"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"python-urllib"; nocase; reference:url,https://docs.python.org/fr/3/library/urllib.html; metadata:created_at 2021_08_25, updated_at 2022_06_13; sid:3300112; rev:4; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Python 🐍 requests module 🌐"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"python-requests/"; nocase; reference:url,https://docs.python-requests.org/en/master/index.html; metadata:created_at 2021_08_28, updated_at 2022_06_13; sid:3300113; rev:3; classtype:policy-violation;)
# rclone: generic (any HTTP request with an rclone/ UA) and a specific POST to the mega.nz
# upload host. No threshold on either; the mega rule sets target:src_ip so the alerting host is
# the internal source. The positive endswith on the mega host is a plain suffix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious Rclone HTTP connection to Internet 🌐 - Possible file exfiltration 🗃"; flow:to_server, stateless; http.user_agent; content:"rclone/"; nocase; reference:url,https://rclone.org/; metadata:created_at 2022_10_10, updated_at 2022_10_10; sid:3300114; rev:2; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Rclone Upload data to mega.nz - File Sharing solution 🗃 - Possible file exfiltration 🗃 - Leak 🚱"; flow:to_server, stateless; http.method; content:"POST"; http.user_agent; content:"rclone/"; nocase; http.host.raw; content:"userstorage.mega.co.nz"; fast_pattern; endswith; reference:url,https://rclone.org/; reference:url,https://mega.nz/; target:src_ip; metadata:created_at 2023_08_23, updated_at 2023_08_23; sid:3300115; rev:1; classtype:policy-violation;)
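# BITS transfers ("Microsoft BITS" anywhere in the request headers) to hosts that are not on the
# Microsoft/Google update allow-list. The allow-list is a set of NEGATED suffix checks; with a
# bare `endswith` a suffix test is satisfied by any host that merely ENDS in the string, so an
# attacker-registered "evil-microsoft.com" or "xgoogle.com" silently bypassed the rule. The
# `dotprefix` transform prepends "." to the host buffer, so ".microsoft.com"; endswith matches
# exactly "microsoft.com" and its subdomains and nothing else. (Transform needs Suricata >= 5.0,
# already required by the http.host.raw / startswith / endswith keywords used in this file.)
# "google.com" now gets nocase like the other four entries. Destination is `any`, so BITS jobs to
# internal WSUS/SCCM distribution points also alert - add those to the allow-list or a suppress.
# No threshold: every matching request alerts.
alert http $HOME_NET any -> any any (msg:"🐾 - 🚨 Suspicious BITSAdmin HTTP connection"; flow:to_server, stateless; http.header; content:"Microsoft BITS"; fast_pattern; nocase; http.host.raw; dotprefix; content:!".microsoft.com"; endswith; nocase; content:!".office.net"; endswith; nocase; content:!".gvt1.com"; endswith; nocase; content:!".windowsupdate.com"; endswith; nocase; content:!".google.com"; endswith; nocase; reference:url,https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/; reference:url,https://learn.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool; metadata:created_at 2023_04_12, updated_at 2023_06_28; sid:3300116; rev:5; classtype:policy-violation;)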
# Windows Installer fetching something that does not look like an MSI. depth:17 anchors the
# 17-byte "Windows Installer" at offset 0 and endswith pins it at the end, so the UA must be
# exactly that string. The ".msi" URI test is a weak heuristic: a server may serve an MSI from
# any path, and the cited Raspberry Robin tradecraft can equally use a ".msi" name, so treat a
# hit as "look at what was downloaded", not as a verdict. Destination any, no threshold.
alert http $HOME_NET any -> any any (msg:"🐾 - 🚨 Suspicious Windows Installer HTTP connection (non MSI download)"; flow:to_server, stateless; http.method; content:"GET"; http.user_agent; content:"Windows Installer"; depth:17; endswith; fast_pattern; http.uri; content:!".msi"; reference:url,https://www.senseon.io/resource/resurgent-usb-malware-battling-raspberry-robin/; metadata:created_at 2023_05_18, updated_at 2023_06_26; sid:3300117; rev:2; classtype:policy-violation;)
# Windows WebDAV mini-redirector ("DavClnt" UA) talking to the Internet - the transport used when
# an Office document or LNK points at a remote \\host\share template/payload (T1221). Legitimate
# only where users knowingly map external WebDAV shares. No threshold.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious WebDAV HTTP connection to Internet 🌐 - Possible malicious 👾 trafic from Microsoft Office document 📘"; flow:to_server, stateless; http.user_agent; content:"DavClnt"; nocase; reference:url,https://learn.microsoft.com/en-us/windows/win32/api/davclnt/; reference:url,https://blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/; reference:url,https://attack.mitre.org/techniques/T1221/; metadata:created_at 2023_06_02, updated_at 2023_06_26; sid:3300118; rev:3; classtype:policy-violation;)
### Serveurs ###
# Response-side match (flow:to_client) on the Server header of Python's built-in http.server
# ("SimpleHTTP/x.y Python/3.z" - "Py" covers the "Python/" part). any -> any, so it also catches a
# developer running `python -m http.server` internally; the frequent offensive use is staging a
# payload for a victim to pull, hence the msg. No threshold.
alert http any any -> any any (msg:"🐾 - 🚨 Suspicious Python 🐍 HTTP Server - Spear Attack Possible"; flow:to_client, stateless; http.server; content:"SimpleHTTP/"; fast_pattern; nocase; content:"Py"; nocase; reference:url,https://docs.python.org/3/library/http.server.html; metadata:created_at 2021_09_14, updated_at 2022_12_21; sid:3300119; rev:4; classtype:policy-violation;)
###################### Protocole TCP ######################
# .NET Message Framing (net.tcp / WCF) preamble leaving for the Internet, matched per packet
# (tcp-pkt). The bytes appear to be the [MC-NMF] preamble records: 00 01 00 = Version record
# (major 1, minor 0), 01 02 = Mode record (Duplex), 02 = start of the Via record whose URI must
# contain "net.tcp://" one byte (the length) later, and "/ 03 08 0c" at the end = end of the
# Via URI, Known-Encoding record (08 = binary with in-band dictionary) and Preamble-End record.
# NOTE(review): record meanings are from the MC-NMF spec, not verifiable from the rule itself.
# target:src_ip marks the internal client as the host of interest. No threshold.
alert tcp-pkt any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious Windows 🪟 (WCF) Net.TCP Port Sharing to Internet (seen in 😈 RedLine Stealer attacks)"; flow:to_server, stateless; content:"|00 01 00 01 02 02|"; content:"|6e 65 74 2e 74 63 70 3a 2f 2f|"; fast_pattern; distance:1; content:"|2f 03 08 0c|"; endswith; reference:url,https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing; reference:url,https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update; reference:url,https://muha2xmad.github.io/malware-analysis/fullredline/; target:src_ip; metadata:created_at 2023_08_15, updated_at 2023_08_17; sid:3300120; rev:3; classtype:policy-violation;)
###################### Protocole SSH ######################
# SSH client/server identification strings (ssh.software = the text after "SSH-2.0-"). Like the
# HTTP UA, this is attacker-controlled and only identifies cooperative software.
# PuTTY: "< 0.81" is implemented as "putty_release_ present, 0.81 absent" - any newer release is
# flagged as vulnerable until the negated string is bumped (see rev:17). Equality, not comparison.
alert ssh any any -> any any (msg:"🐾 - 🚨 Putty 👨💻 potentially vulnerable if version < 0.81"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ssh.software; content:"putty_release_"; fast_pattern; nocase; content:!"0.81"; reference:url,https://www.chiark.greenend.org.uk/~sgtatham/putty/; metadata:created_at 2021_03_29, updated_at 2024_04_19; sid:3300121; rev:17; classtype:policy-violation;)
# Development snapshots / locally built PuTTY: no release tag, so no patch-level guarantee.
alert ssh any any -> any any (msg:"🐾 - 🚨 Putty 👨💻 unstable (snapshot) 🚧 version "; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ssh.software; content:"putty_snapshot"; nocase; reference:url,https://www.chiark.greenend.org.uk/~sgtatham/putty/; metadata:created_at 2021_03_29, updated_at 2022_06_10; sid:3300122; rev:7; classtype:policy-violation;)
alert ssh any any -> any any (msg:"🐾 - 🚨 Putty 👨💻 unstable 🚧 and outdated 👴 version"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ssh.software; content:"putty_local"; nocase; reference:url,https://www.chiark.greenend.org.uk/~sgtatham/putty/; metadata:created_at 2021_04_29, updated_at 2022_06_10; sid:3300123; rev:5; classtype:policy-violation;)
# Any PuTTY-family client (PuTTY, Plink, PSCP... all share the "putty_" prefix) to the Internet;
# hourly limit. Fires on every outbound PuTTY session, so useful where outbound SSH is unusual.
alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious Putty / Plink SSH connection to Internet 🌐 - 👀 used including by Play & Lockbit ransomware group 👿"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ssh.software; content:"putty_"; fast_pattern; nocase; reference:url,https://www.chiark.greenend.org.uk/~sgtatham/putty/; reference:url,https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/; reference:url,https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a; metadata:created_at 2022_12_21, updated_at 2023_07_09; sid:3300124; rev:2; classtype:policy-violation;)
# WinSCP: same pinned-version caveat as PuTTY above (negated "6.3.4" must track each release).
alert ssh any any -> any any (msg:"🐾 - 🚨 WinSCP 📂 potentially vulnerable if stable version < 6.3.4"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ssh.software; content:"WinSCP_release_"; fast_pattern; nocase; content:!"6.3.4"; reference:url,https://winscp.net/eng/docs/history; metadata:created_at 2021_04_29, updated_at 2024_06_27; sid:3300125; rev:24; classtype:policy-violation;)
alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious WinSCP 📂 SSH/SFTP connection to Internet 🌐 - 👀 used including by Lockbit ransomware group 👿"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ssh.software; content:"WinSCP_"; fast_pattern; nocase; reference:url,https://winscp.net/; reference:url,https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a; metadata:created_at 2023_07_09, updated_at 2023_07_09; sid:3300126; rev:1; classtype:policy-violation;)
# "check_ssh" is most likely the Nagios / Monitoring Plugins SSH probe - a monitoring system
# rather than an attacker; still worth knowing which hosts are probing SSH banners.
alert ssh any any -> any any (msg:"🐾 - 🚨 SSH Service Scan 🕵♂️"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ssh.software; content:"check_ssh"; nocase; metadata:created_at 2021_08_05, updated_at 2022_06_10; sid:3300127; rev:4; classtype:policy-violation;)
# rclone over SFTP to the Internet: no threshold, each session alerts.
alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious Rclone SSH connection to Internet 🌐 - Possible file exfiltration 🗃"; flow:to_server, stateless; ssh.software; content:"rclone/"; nocase; reference:url,https://rclone.org/; metadata:created_at 2021_08_05, updated_at 2022_06_10; sid:3300128; rev:5; classtype:policy-violation;)
alert ssh any any -> any any (msg:"🐾 - 🚨 NMAP 🎩 SSH Scan 🕵♂️"; flow:to_server, stateless; ssh.software; content:"Nmap"; nocase; reference:url,https://nmap.org/; metadata:created_at 2021_11_22, updated_at 2022_06_10; sid:3300129; rev:4; classtype:policy-violation;)
# ESXi host fingerprinting via the server-side HASSH (hash of the server's KEX/cipher/MAC/comp
# algorithm lists, evaluated on the server's reply: flow:to_client). HASSH is not unique per
# product - any server with the same algorithm set yields the same hash - hence "possible".
# Useful for spotting ESXi management reachable over SSH, a recurring ransomware target.
# One alert per source per hour.
alert ssh any any -> any any (msg:"🐾 - 🚨 SSH connection to possible VMware ESXi Server 🖥️ version 6.7 or 7.0"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ssh.hassh.server; content:"8b5f8d3ec0ecb097f9e954493f95a1ff"; reference:url,https://www.vmware.com/content/vmware/vmware-published-sites/us/products/esxi-and-esx.html.html; metadata:created_at 2022_09_15, updated_at 2022_09_15; sid:3300130; rev:1; classtype:policy-violation;)
alert ssh any any -> any any (msg:"🐾 - 🚨 SSH connection to possible VMware ESXi Server 🖥️ version 6.0 or 6.5"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ssh.hassh.server; content:"6f7b0a0f2e83fd47b6e916beb9cd6fa0"; reference:url,https://www.vmware.com/content/vmware/vmware-published-sites/us/products/esxi-and-esx.html.html; metadata:created_at 2022_09_15, updated_at 2022_09_15; sid:3300131; rev:1; classtype:policy-violation;)
alert ssh any any -> any any (msg:"🐾 - 🚨 SSH connection to possible VMware ESXi Server 🖥️ version 5.0 or 5.5"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ssh.hassh.server; content:"cdf1719c7d2bf7eb69b5b87d98640d41"; reference:url,https://www.vmware.com/content/vmware/vmware-published-sites/us/products/esxi-and-esx.html.html; metadata:created_at 2022_09_15, updated_at 2022_09_15; sid:3300132; rev:1; classtype:policy-violation;)
###################### RDP protocol ######################
# The RDP X.224 connection request carries "Cookie: mstshash=<username>" in clear text
# before TLS is negotiated; these rules flag the built-in administrator account name in its
# French and English spellings. No port restriction: RDP on a non-default port is still
# seen, at the cost of matching the three strings in any TCP payload.
alert tcp any any -> any any (msg:"🐾 - 🚨 RDP Connection 🦸 Administrateur Account"; flow:to_server, stateless; content:"cookie"; nocase; content:"mstshash"; nocase; content:"administrateur"; fast_pattern; nocase; metadata:created_at 2021_05_15, updated_at 2022_11_13; sid:3300133; rev:8; classtype:policy-violation;)
alert tcp any any -> any any (msg:"🐾 - 🚨 RDP Connection 🦸 Administrator Account"; flow:to_server, stateless; content:"cookie"; nocase; content:"mstshash"; nocase; content:"administrator"; fast_pattern; nocase; metadata:created_at 2021_05_15, updated_at 2022_11_13; sid:3300134; rev:8; classtype:policy-violation;)
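###################### SMB protocol ######################
# SMB2/3 session setup (header |fe 53 4d 42| = "\xfeSMB") carrying an NTLMSSP AUTHENTICATE
# message: signature "NTLMSSP\0" = |4e 54 4c 4d 53 53 50 00|, MessageType 3 = |03 00 00 00|,
# with the UTF-16LE user name "administrateur" / "administrator".
# The final negated content is "Users\" in UTF-16LE (|55 00 73 00 65 00 72 00 73 00 5c|).
# It was written without the |...| hex delimiters, so it matched the literal ASCII text
# "55 00 73 ..." and never excluded anything; the delimiters are restored here (rev 11).
alert tcp any any -> any any (msg:"🐾 - 🚨 SMB Authentification 🦸 Administrateur Account"; flow:to_server, stateless; content:"|fe 53 4d 42|"; content:"|4e 54 4c 4d 53 53 50 00|"; content:"|03 00 00 00|"; content:"a|00|d|00|m|00|i|00|n|00|i|00|s|00|t|00|r|00|a|00|t|00|e|00|u|00|r|00|"; fast_pattern; nocase; content:!"|55 00 73 00 65 00 72 00 73 00 5c|"; metadata:created_at 2021_07_30, updated_at 2023_12_27; sid:3300135; rev:11; classtype:policy-violation;)
alert tcp any any -> any any (msg:"🐾 - 🚨 SMB Authentification 🦸 Administrator Account"; flow:to_server, stateless; content:"|fe 53 4d 42|"; content:"|4e 54 4c 4d 53 53 50 00|"; content:"|03 00 00 00|"; content:"a|00|d|00|m|00|i|00|n|00|i|00|s|00|t|00|r|00|a|00|t|00|o|00|r|00|"; fast_pattern; nocase; content:!"|55 00 73 00 65 00 72 00 73 00 5c|"; metadata:created_at 2021_07_30, updated_at 2023_12_27; sid:3300136; rev:11; classtype:policy-violation;)
# SMBv1 replies from port 445: |ff 53 4d 42| = "\xffSMB" header followed by the command byte
# (0x32 = Trans2, 0x72 = Negotiate Protocol) and a zero NT status; 3300137 additionally
# requires the flags byte 0x80 (server reply). Hourly threshold per server.
alert tcp any 445 -> any any (msg:"🐾 - 🚨 Deprecated SMBv1 protocol 👴 in use (SMBv1 server response)"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 3600; content:"|ff 53 4d 42 32 00 00 00 00 80|"; reference:url,https://www.cert.ssi.gouv.fr/actualite/CERTFR-2016-ACT-039/; metadata:created_at 2022_02_13, updated_at 2022_06_15; sid:3300137; rev:5; classtype:policy-violation;)
alert tcp any 445 -> any any (msg:"🐾 - 🚨 Deprecated SMBv1 protocol 👴 available (SMBv1 negociate protocol response)"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 3600; content:"|ff 53 4d 42 72 00 00 00 00|"; reference:url,https://www.cert.ssi.gouv.fr/actualite/CERTFR-2016-ACT-039/; metadata:created_at 2022_07_27, updated_at 2022_07_27; sid:3300138; rev:1; classtype:policy-violation;)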
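###################### NTLM protocol ######################
# NOTE(review): |4e 54 20 4c 41 4e 4d 41 4e 20 31 2e 30 00| decodes to "NT LANMAN 1.0\0",
# which looks like an SMBv1 dialect string offered in a Negotiate Protocol request towards
# port 445 rather than an NTLM message - confirm; if so the msg ("NTLMv1 authentication
# protocol in use") overstates what is observed and the rule belongs with the SMBv1 rules.
alert tcp any any -> any 445 (msg:"🐾 - 🚨 Deprecated NTLMv1 authentication protocol 👴 in use"; flow:to_server, stateless; threshold: type limit, track by_dst,count 1, seconds 3600; content:"|4e 54 20 4c 41 4e 4d 41 4e 20 31 2e 30 00|"; reference:url,https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73; metadata:created_at 2022_06_01, updated_at 2022_06_15; sid:3300139; rev:6; classtype:policy-violation;)
# NTLMSSP CHALLENGE ("NTLMSSP\0" + MessageType 2 = |02 00 00 00|) sent by an external host
# to $HOME_NET: an Internet server asking our client to authenticate with NTLM.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"🐾 - 🚨 Suspicious 👀 NTLM Secure Service Provider setup response from Internet (NTLMSSP Challenge) - Possible Responder 🎩 credentials capturing 🥷 - S0174"; flow:to_client, stateless; threshold: type limit, track by_dst,count 1, seconds 60; content:"|4e 54 4c 4d 53 53 50 00|"; fast_pattern; content:"|02 00 00 00|"; reference:url,https://en.wikipedia.org/wiki/NTLMSSP; reference:url,https://g-laurent.blogspot.com/; reference:url,https://github.com/lgandx/Responder; reference:url,https://attack.mitre.org/software/S0174/; target:dest_ip; metadata:created_at 2022_08_10, updated_at 2024_02_18; sid:3300140; rev:5; classtype:credential-theft;)
# Raw "WWW-Authenticate: NTLM\r\n" response header (the hex string) from an external server.
# Matched on the tcp payload, not the http buffers, so it also catches non-standard ports.
# msg fix: removed the unbalanced closing parenthesis (rev 4).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"🐾 - 🚨 Suspicious 👀 HTTP NTLM Authentication requested from Internet"; flow:to_client, stateless; threshold: type limit, track by_dst,count 1, seconds 60; content:"|57 57 57 2d 41 75 74 68 65 6e 74 69 63 61 74 65 3a 20 4e 54 4c 4d 0d 0a|"; metadata:created_at 2022_08_10, updated_at 2024_02_18; sid:3300141; rev:4; classtype:credential-theft;)
# SMBv1 Session Setup AndX (|ff 53 4d 42 73 ...|, command 0x73) towards port 445.
# The 25-byte zero run and the |01 01| bytes are, presumably, how the author tells an
# LM/NTLMv1 response (3300142: both absent) from an NTLMv2 blob (3300143: both present,
# |01 01| being the NTLMv2 response type bytes) - verify against a capture before tuning.
alert tcp any any -> any 445 (msg:"🐾 - 🚨 Deprecated NTLMv1 authentication performed [Obsolete Windows 🪟 XP or prior version] - Possible Responder 🎩 LM downgrade for Net-NTLMv1 hash capturing 🥷 - S0174"; flow:to_server, stateless; content:"|ff 53 4d 42 73 00 00 00 00|"; fast_pattern; content:"|00 00 00 00|"; content:"|00 00 00 00|"; distance:4; content:"|d4 00 00 00|"; distance:0; content:!"|01 01|"; content:!"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:url,https://www.cert.ssi.gouv.fr/actualite/CERTFR-2016-ACT-039/; reference:url,https://g-laurent.blogspot.com/; reference:url,https://github.com/lgandx/Responder; reference:url,https://attack.mitre.org/software/S0174/; reference:url,https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4; reference:url,https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73; metadata:created_at 2023_08_04, updated_at 2024_02_18; sid:3300142; rev:6; classtype:credential-theft;)
alert tcp any any -> any 445 (msg:"🐾 - 🚨 Deprecated NTLMv2 basic (no SSP) authentication performed [Obsolete Windows 🪟 10 or prior version] - Possible Responder 🎩 LM downgrade for Net-NTLMv2 hash capturing 🥷 - S0174"; flow:to_server, stateless; content:"|ff 53 4d 42 73 00 00 00 00|"; content:"|d4 00 00 00|"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|01 01|"; distance:16; reference:url,https://www.cert.ssi.gouv.fr/actualite/CERTFR-2016-ACT-039/; reference:url,https://g-laurent.blogspot.com/; reference:url,https://github.com/lgandx/Responder; reference:url,https://attack.mitre.org/software/S0174/; reference:url,https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4; reference:url,https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers; metadata:created_at 2023_08_04, updated_at 2024_02_18; sid:3300143; rev:6; classtype:credential-theft;)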
###################### LLMNR protocol ######################
# Both rules match the DNS-style header right after the 2-byte transaction ID.
# Response from port 5355: flags 0x8000 (QR=1), QDCOUNT 1, ANCOUNT 1, NSCOUNT/ARCOUNT 0.
# Any answer is worth a look because a legitimate LLMNR responder is rare on a well-run
# network; this is the poisoning side of T1557.001. No threshold, so every answer alerts.
alert udp any 5355 -> any any (msg:"🐾 - 🚨 LLMNR query response observed 👀 - Possible Poisoning Attack 🥷 to Windows 🪟 - T1557.001"; flow:stateless; content:"|80 00 00 01 00 01 00 00 00 00|"; reference:url,https://www.microsoft.com/en-us/research/publication/link-local-multicast-name-resolution-llmnr/; reference:url,https://attack.mitre.org/techniques/T1557/001/; reference:url,https://www.thewindowsclub.com/disable-netbios-and-llmnr-protocols-via-gpo; metadata:created_at 2022_07_16, updated_at 2022_12_21; sid:3300144; rev:9; classtype:policy-violation;)
# Multicast query to 224.0.0.252: flags 0, QDCOUNT 1, no answers; |00 01|; endswith pins the
# trailing QCLASS IN. Inventory rule (the host still has LLMNR enabled), throttled to one
# alert per source every 12 hours.
alert udp any any -> 224.0.0.252 5355 (msg:"🐾 - 🚨 LLMNR protocol 🤕 in use - Multicast query from Windows 🪟 observed"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 43200; content:"|00 00 00 01 00 00 00 00 00 00|"; fast_pattern; content:"|00 01|"; endswith; reference:url,https://www.microsoft.com/en-us/research/publication/link-local-multicast-name-resolution-llmnr/; reference:url,https://attack.mitre.org/techniques/T1557/001/; reference:url,https://www.thewindowsclub.com/disable-netbios-and-llmnr-protocols-via-gpo; metadata:created_at 2022_07_19, updated_at 2022_11_13; sid:3300145; rev:2; classtype:policy-violation;)
###################### NetBIOS Name Service protocol ######################
# Same layout as the LLMNR pair above, on UDP 137 -> 137.
# Name query response: flags 0x8500 (response, authoritative), ANCOUNT 1, then
# |00 20 00 01| = question/answer type NB (0x20), class IN. No threshold: every answer alerts.
alert udp any 137 -> any 137 (msg:"🐾 - 🚨 NBT-NS query response observed 👀 - Possible Poisoning Attack 🥷 to Windows 🪟 - T1557.001"; flow:stateless; content:"|85 00 00 00 00 01 00 00 00 00|"; fast_pattern; content:"|00 20 00 01|"; reference:url,https://attack.mitre.org/techniques/T1557/001/; reference:url,https://www.thewindowsclub.com/disable-netbios-and-llmnr-protocols-via-gpo; metadata:created_at 2022_07_20, updated_at 2022_12_21; sid:3300146; rev:4; classtype:policy-violation;)
# Broadcast name query: flags 0x0110, QDCOUNT 1; endswith pins type NB / class IN at the end
# of the packet. Inventory rule, one alert per source every 12 hours.
alert udp any 137 -> any 137 (msg:"🐾 - 🚨 NBT-NS protocol 🤕 in use - Broadcast query from Windows 🪟 observed"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 43200; content:"|01 10 00 01 00 00 00 00 00 00|"; fast_pattern; content:"|00 20 00 01|"; endswith; reference:url,https://attack.mitre.org/techniques/T1557/001/; reference:url,https://www.thewindowsclub.com/disable-netbios-and-llmnr-protocols-via-gpo; metadata:created_at 2022_07_20, updated_at 2022_11_13; sid:3300147; rev:2; classtype:policy-violation;)
###################### mDNS protocol ######################
# mDNS response over IPv6 multicast (ff02::fb): flags 0x8400 (response, authoritative),
# ANCOUNT 1. Throttled per source, 12 hours.
alert udp any 5353 -> ff02::fb 5353 (msg:"🐾 - 🚨 MDNS query response over IPv6 observed 👀 - 2 ways to attack 🥷 Windows 🪟 device"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 43200; content:"|84 00 00 00 00 01 00 00 00 00|"; fast_pattern; reference:url,https://www.crowe.com/cybersecurity-watch/poisoning-attacks-round-2-beyond-netbios-llmnr; metadata:created_at 2023_03_20, updated_at 2023_03_27; sid:3300148; rev:2; classtype:policy-violation;)
# Generic IPv4 mDNS query: ID 0, flags 0, QDCOUNT 1 and no other records
# (|00 00 00 00 00 01 00 00 00 00 00 00|). The negated contents carve out the queries that
# have their own rule below: "_tcp", "wpad.local", "_udp" and "_microsoft_mcc._tcp.local".
alert udp any 5353 -> 224.0.0.251 5353 (msg:"🐾 - 🚨 MDNS protocol 🤕 in use - Broadcast query observed"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 43200; content:"|00 00 00 00 00 01 00 00 00 00 00 00|"; fast_pattern; content:!"|5f 74 63 70|"; content:!"|77 70 61 64 05 6c 6f 63 61 6c|"; content:!"|5f 75 64 70|"; content:!"|5f 6d 69 63 72 6f 73 6f 66 74 5f 6d 63 63 04 5f 74 63 70 05 6c 6f 63 61 6c|"; reference:url,https://attack.mitre.org/techniques/T1557/001/; reference:url,https://attack.mitre.org/software/S0174/; reference:url,https://www.thewindowsclub.com/disable-netbios-and-llmnr-protocols-via-gpo; metadata:created_at 2023_03_20, updated_at 2023_11_06; sid:3300149; rev:7; classtype:policy-violation;)
# PTR query (|00 0c 00 01| = QTYPE PTR, QCLASS IN) for the DNS-SD name
# "_googlecast._tcp.local" (length-prefixed labels 0b/04/05 in the hex string).
alert udp any 5353 -> 224.0.0.251 5353 (msg:"🐾 - 🚨 Google Chrome / Chromium 🌐 Google Cast enabled (mDNS query observed)"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 43200; content:"|00 00 00 00 00 01 00 00 00 00 00 00|"; fast_pattern; content:"|0b 5f 67 6f 6f 67 6c 65 63 61 73 74 04 5f 74 63 70 05 6c 6f 63 61 6c 00|"; content:"|00 0c 00 01|"; reference:url,https://pawpatrules.fr/references/chrome_chromium_disable_google_cast.html; metadata:created_at 2023_03_24, updated_at 2023_03_28; sid:3300150; rev:2; classtype:policy-violation;)
# Query for "wpad.local" (|77 70 61 64 05 6c 6f 63 61 6c|): a host looking for a proxy
# auto-config server over mDNS, a name a poisoner can claim.
alert udp any 5353 -> 224.0.0.251 5353 (msg:"🐾 - 🚨 WPAD via MDNS protocol 🤕 observed - Broadcast query from Windows 🪟 observed"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 43200; content:"|00 00 00 00 00 01 00 00 00 00 00 00|"; fast_pattern; content:"|77 70 61 64 05 6c 6f 63 61 6c|"; reference:url,https://trelis24.github.io/2018/08/03/Windows-WPAD-Poisoning-Responder/; reference:url,https://www.sentinelone.com/blog/in-the-wild-wpad-attack-how-threat-actors-abused-flawed-protocol-for-years/; reference:url,https://www.blumira.com/integration/disable-llmnr-netbios-wpad-lm-hash/; metadata:created_at 2023_04_04, updated_at 2023_04_06; sid:3300151; rev:2; classtype:policy-violation;)
# PTR query for "_nmea-0183._tcp.local".
alert udp any 5353 -> 224.0.0.251 5353 (msg:"🐾 - 🚨 NMEA 0183 ⛵ based solution (mDNS query observed)"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 43200; content:"|00 00 00 00 00 01 00 00 00 00 00 00|"; fast_pattern; content:"|5f 6e 6d 65 61 2d 30 31 38 33 04 5f 74 63 70 05 6c 6f 63 61 6c 00|"; content:"|00 0c 00 01|"; reference:url,https://en.wikipedia.org/wiki/NMEA_0183; metadata:created_at 2023_04_14, updated_at 2023_04_14; sid:3300152; rev:1; classtype:policy-violation;)
# Catch-all PTR queries for "_tcp" / "_udp" services, minus the ones with a dedicated rule
# (Google Cast, Microsoft Connected Cache). The trailing space inside the last hex string of
# 3300153 is harmless: whitespace between hex bytes is ignored.
alert udp any 5353 -> 224.0.0.251 5353 (msg:"🐾 - 🚨 MDNS for TCP service 🤕 in use - Broadcast query observed"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 43200; content:"|00 00 00 00 00 01 00 00 00 00 00 00|"; fast_pattern; content:"|5f 74 63 70|"; content:"|00 0c 00 01|"; content:!"|5f 67 6f 6f 67 6c 65 63 61 73 74|"; content:!"|5f 6d 69 63 72 6f 73 6f 66 74 5f 6d 63 63 04 5f 74 63 70 05 6c 6f 63 61 6c |"; reference:url,https://github.com/eldraco/Sapito/blob/master/mDNS-services.txt; metadata:created_at 2023_05_29, updated_at 2023_11_23; sid:3300153; rev:3; classtype:policy-violation;)
alert udp any 5353 -> 224.0.0.251 5353 (msg:"🐾 - 🚨 MDNS for UDP service 🤕 in use - Broadcast query observed"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 43200; content:"|00 00 00 00 00 01 00 00 00 00 00 00|"; fast_pattern; content:"|5f 75 64 70|"; content:"|00 0c 00 01|"; reference:url,https://github.com/eldraco/Sapito/blob/master/mDNS-services.txt; metadata:created_at 2023_05_29, updated_at 2023_10_05; sid:3300154; rev:2; classtype:policy-violation;)
# Query for "_microsoft_mcc._tcp.local". Its sid (3301089) is out of the 33001xx sequence
# used by the rest of this section; it was added later (2023_11_06).
alert udp any 5353 -> 224.0.0.251 5353 (msg:"🐾 - 🚨 Microsoft Connected Cache for Internet Service Providers (early preview) - Possible Windows 11 🪟"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 43200; content:"|5f 6d 69 63 72 6f 73 6f 66 74 5f 6d 63 63 04 5f 74 63 70 05 6c 6f 63 61 6c|"; reference:url,https://learn.microsoft.com/en-us/windows/deployment/do/mcc-isp; metadata:created_at 2023_11_06, updated_at 2023_11_06; sid:3301089; rev:1; classtype:policy-violation;)
###################### MSMQ protocol ######################
# MSMQ server replies from TCP 1801. The first content contains the "LIOR" signature
# (|4c 49 4f 52|) of the MSMQ base header (see the ms703216 reference); the run of 0x5a
# bytes 38+ bytes further on is the fast pattern. 3300155 is the generic "service is
# listening" rule; 3300156/3300157 add a single byte (|03| vs |01|) after the |10| marker
# that the author uses to tell Server from Client editions - presumably an OS-type field,
# verify against a capture. None of the three has a threshold.
alert tcp any 1801 -> any any (msg:"🐾 - 🚨 Microsoft MSMQ server reply - Legacy Windows 🪟 Service enabled - potentially vulnerable to CVE-2023-21554"; flow:to_client, stateless; content:"|10 5a 0b 00 4c 49 4f 52 3c 02 00 00 ff ff ff ff 00 00|"; content:"|10|"; distance:38; content:"|00 00 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a|"; fast_pattern; distance:1; reference:url,https://learn.microsoft.com/en-us/previous-versions/windows/desktop/msmq/ms703216(v=vs.85); reference:url,https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/; reference:url,https://gist.github.com/goncalor/a01ba66927c0dc704000d7bf1327d36e; reference:url,https://censys.io/cve-2023-21554/; metadata:created_at 2023_04_16, updated_at 2023_04_19; sid:3300155; rev:5; classtype:policy-violation;)
alert tcp any 1801 -> any any (msg:"🐾 - 🚨 Microsoft MSMQ server reply - Legacy Windows 🪟 Service enabled - Windows Server OS"; flow:to_client, stateless; content:"|10 5a 0b 00 4c 49 4f 52 3c 02 00 00 ff ff ff ff 00 00|"; content:"|10|"; distance:38; content:"|03|"; distance:0; content:"|00 00 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a|"; fast_pattern; distance:0; reference:url,https://learn.microsoft.com/en-us/previous-versions/windows/desktop/msmq/ms703216(v=vs.85); reference:url,https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/; reference:url,https://gist.github.com/goncalor/a01ba66927c0dc704000d7bf1327d36e; reference:url,https://censys.io/cve-2023-21554/; metadata:created_at 2023_04_18, updated_at 2023_04_19; sid:3300156; rev:3; classtype:policy-violation;)
alert tcp any 1801 -> any any (msg:"🐾 - 🚨 Microsoft MSMQ server reply - Legacy Windows 🪟 Service enabled - Windows Client OS"; flow:to_client, stateless; content:"|10 5a 0b 00 4c 49 4f 52 3c 02 00 00 ff ff ff ff 00 00|"; content:"|10|"; distance:38; content:"|01|"; distance:0; content:"|00 00 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a|"; fast_pattern; distance:0; reference:url,https://learn.microsoft.com/en-us/previous-versions/windows/desktop/msmq/ms703216(v=vs.85); reference:url,https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/; reference:url,https://gist.github.com/goncalor/a01ba66927c0dc704000d7bf1327d36e; reference:url,https://censys.io/cve-2023-21554/; metadata:created_at 2023_04_18, updated_at 2023_04_19; sid:3300157; rev:3; classtype:policy-violation;)
###################### STUN protocol ######################
# STUN Binding Request layout shared by the four rules: |00 01| at depth 2 is the message
# type, |21 12 a4 42| two bytes later (after the length field, within:4) is the RFC 5389
# magic cookie. |00 06 00 09| is a USERNAME attribute of length 9, i.e. the "ufrag:ufrag"
# pair the pcre "/....:..../" is meant to match.
# NOTE(review): that pcre is not anchored and not relative (no /R), so it is satisfied by
# any 9 characters around a colon anywhere in the payload and does not actually constrain
# the USERNAME attribute. Also, 52.96.0.0/12 is listed twice in the negated destination
# list of 3300158 and 3300159 (harmless, but worth cleaning up).
# Teams for Windows: vendor-specific attributes 0x8070 / 0x8036 / 0x8037 after the username.
alert udp $HOME_NET any -> ![20.192.0.0/10,52.96.0.0/12,137.117.0.0/16,51.103.0.0/16,51.104.0.0/16,51.105.0.0/16,52.112.0.0/14,52.96.0.0/12,130.61.0.0/16,3.0.0.0/9,100.64.0.0/10,$HOME_NET] [1023:] (msg:"🐾 - 🚨 Microsoft Teams - client for Windows 🪟 - P2P direct Calling via STUN connection"; flow:to_server, stateless; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; content:"|00 06 00 09|"; pcre:"/....:..../"; content:"|80|"; content:"|00 08|"; distance:1; content:"|80 70 00 04 00 00 00 07 80 36|"; fast_pattern; distance:8; content:"|00 04 6e ff|"; distance:8; content:"|80 37 00 04 00 00 00|"; distance:2; reference:url,https://www.rfc-editor.org/rfc/rfc5389; reference:url,https://en.wikipedia.org/wiki/STUN; reference:url,https://www.microsoft.com/en-us/microsoft-teams/group-chat-software; metadata:created_at 2022_12_07, updated_at 2024_02_28; sid:3300158; rev:21; classtype:policy-violation;)
# Teams for Linux and GoTo Connect share the same body (|c0 57 00 04| attribute); only the
# destination address list and the msg differ, so keep the two lists mutually exclusive.
alert udp $HOME_NET any -> ![20.192.0.0/10,52.96.0.0/12,137.117.0.0/16,51.103.0.0/16,51.104.0.0/16,51.105.0.0/16,52.112.0.0/14,52.96.0.0/12,130.61.0.0/16,3.0.0.0/9,100.64.0.0/10,$HOME_NET] [1023:] (msg:"🐾 - 🚨 Possible Microsoft Teams - client for Linux 🐧 - P2P direct Calling via STUN connection"; flow:to_server, stateless; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; content:"|00 06 00 09|"; pcre:"/....:..../"; content:"|c0 57 00 04|"; fast_pattern; content:"|80|"; distance:4; content:"|00 08|"; distance:1; reference:url,https://www.rfc-editor.org/rfc/rfc5389; reference:url,https://en.wikipedia.org/wiki/STUN; reference:url,https://www.microsoft.com/en-us/microsoft-teams/group-chat-software; metadata:created_at 2023_04_01, updated_at 2024_02_28; sid:3300159; rev:9; classtype:attempted-user;)
alert udp $HOME_NET any -> [130.61.0.0/16,3.0.0.0/9] [1023:] (msg:"🐾 - 🚨 Possible GoTo Connect Calling via STUN connection"; flow:to_server, stateless; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; content:"|00 06 00 09|"; pcre:"/....:..../"; content:"|c0 57 00 04|"; fast_pattern; content:"|80|"; distance:4; content:"|00 08|"; distance:1; reference:url,https://www.rfc-editor.org/rfc/rfc5389; reference:url,https://en.wikipedia.org/wiki/STUN; reference:url,https://www.goto.com/fr/connect; metadata:created_at 2023_06_29, updated_at 2023_06_29; sid:3300160; rev:1; classtype:policy-violation;)
# Webex: Binding Request to UDP 9000 whose username starts with "wcb" + 10 digits.
alert udp $HOME_NET any -> $EXTERNAL_NET [9000] (msg:"🐾 - 🚨 Cisco Webex STUN connection"; flow:to_server, stateless; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; fast_pattern; distance:2; within:4; content:"wcb+"; pcre:"/wcb.[0-9]{10}/"; reference:url,https://www.rfc-editor.org/rfc/rfc5389; reference:url,https://en.wikipedia.org/wiki/STUN; reference:url,https://www.webex.com/; metadata:created_at 2024_05_17, updated_at 2024_05_17; sid:3321262; rev:1; classtype:policy-violation;)
###################### SLP ######################
# SLPv2 reply from UDP 427 (|02 02| = version 2, function SrvRply) advertising the
# "service:VMwareInfrastructure://" URL (the long hex string). OpenSLP on ESXi has been
# the entry point of several advisories listed in the references; no threshold, so each
# reply alerts.
alert udp any 427 -> any any (msg:"🐾 - 🚨 Deprecated VMWare OpenSLP service in use - disable if not needed"; flow: to_client, stateless; content:"|02 02|"; content:"|73 65 72 76 69 63 65 3a 56 4d 77 61 72 65 49 6e 66 72 61 73 74 72 75 63 74 75 72 65 3a 2f 2f|"; fast_pattern; reference:url,https://www.vmware.com/security/advisories/VMSA-2019-0022.html; reference:url,https://www.vmware.com/security/advisories/VMSA-2020-0023.html; reference:url,https://www.vmware.com/security/advisories/VMSA-2021-0002.html; reference:url,https://blogs.vmware.com/security/2023/02/83330.html; reference:url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/; metadata:created_at 2023_02_08, updated_at 2023_02_08; sid:3300161; rev:1; classtype:policy-violation;)
###################### TLS protocol ######################
### OS and package management ###
# JA3 client fingerprint + SNI pairs. The ja3.hash keyword only works when JA3
# fingerprinting is enabled in the TLS app-layer configuration. The same JA3
# (f35ce21b44ac0b87d3266294bb1b0e20) is shared by APT on several distributions: 3300164 is
# the SNI-less catch-all, the others narrow it to a repository host. Daily threshold per
# source for all of them.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 APT package management 🐧 Parrot Linux"; flow:to_server, stateless; ja3.hash; content:"f35ce21b44ac0b87d3266294bb1b0e20"; fast_pattern; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:"deb.parrot.sh"; nocase; reference:url,https://parrotsec.org/; metadata:created_at 2022_08_08, updated_at 2023_04_11; sid:3300162; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 APT package management Virtualbox 🖥"; flow:to_server, stateless; ja3.hash; content:"f35ce21b44ac0b87d3266294bb1b0e20"; fast_pattern; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:"download.virtualbox.org"; nocase; reference:url,https://www.virtualbox.org/; metadata:created_at 2022_08_08, updated_at 2023_04_11; sid:3300163; rev:3; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 APT package management 🐧 TLSv1.3"; flow:to_server, stateless; ja3.hash; content:"f35ce21b44ac0b87d3266294bb1b0e20"; fast_pattern; threshold: type limit, track by_src,count 1, seconds 86400; reference:url,https://wiki.debian.org/Aptitude; metadata:created_at 2023_04_11, updated_at 2023_04_11; sid:3300164; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 APT package management 🐧 Ubuntu Linux"; flow:to_server, stateless; ja3.hash; content:"f35ce21b44ac0b87d3266294bb1b0e20"; fast_pattern; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:"esm.ubuntu.com"; nocase; reference:url,https://releases.ubuntu.com/; metadata:created_at 2023_07_25, updated_at 2023_07_25; sid:3300165; rev:1; classtype:policy-violation;)
# Snap store client. Its JA3 (473cd7cb9faa642487833865d516e578) is also used by the Nuclei
# rule 3300183 further down, which is why that rule excludes the snapcraft hosts.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Snapcraft app store for 🐧 Linux"; flow:to_server, stateless; ja3.hash; content:"473cd7cb9faa642487833865d516e578"; fast_pattern; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:"api.snapcraft.io"; nocase; reference:url,https://snapcraft.io/; metadata:created_at 2023_07_25, updated_at 2023_07_25; sid:3300166; rev:1; classtype:policy-violation;)
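### Offensive tools ###
# Scanner JA3 fingerprints (Nmap, masscan). A JA3 only identifies the TLS stack, so expect
# some overlap with legitimate tooling; none of these rules has a threshold, which is
# acceptable for scanners but will be noisy on a large scan.
alert tls any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 NMAP 👨💻"; flow:to_server, stateless; ja3.hash; content:"ee0799c323d74129b75b633dcfd41593"; metadata: former_category JA3; reference:url,https://nmap.org/; metadata:created_at 2021_05_25, updated_at 2022_06_11; sid:3300167; rev:6; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 NMAP 👨💻"; flow:to_server, stateless; ja3.hash; content:"16ee84a07b55074cb2751329bf1c8811"; metadata: former_category JA3; reference:url,https://nmap.org/; metadata:created_at 2021_05_25, updated_at 2022_06_11; sid:3300168; rev:6; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 NMAP 👨💻"; flow:to_server, stateless; ja3.hash; content:"3bdfb64d53404bacd8a47056c6a756be"; metadata: former_category JA3; reference:url,https://nmap.org/; metadata:created_at 2021_05_25, updated_at 2022_06_11; sid:3300169; rev:6; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 NMAP 👨💻"; flow:to_server, stateless; ja3.hash; content:"6dc99de941a8f76cad308d9089e793d7"; metadata: former_category JA3; reference:url,https://nmap.org/; metadata:created_at 2021_05_25, updated_at 2022_06_11; sid:3300170; rev:6; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 NMAP 👨💻"; flow:to_server, stateless; ja3.hash; content:"e26ff759048e07b164d8faf6c2a19f53"; metadata: former_category JA3; reference:url,https://nmap.org/; metadata:created_at 2021_05_25, updated_at 2022_06_11; sid:3300171; rev:6; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 NMAP 👨💻"; flow:to_server, stateless; ja3.hash; content:"f5d1076d0d11b5cd81c4c4e8e8ee881a"; metadata: former_category JA3; reference:url,https://nmap.org/; metadata:created_at 2021_05_25, updated_at 2022_06_11; sid:3300172; rev:6; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 NMAP 👨💻"; flow:to_server, stateless; ja3.hash; content:"ebd319fa8e3e1956278f639d75f61787"; metadata: former_category JA3; reference:url,https://nmap.org/; metadata:created_at 2021_05_25, updated_at 2022_06_11; sid:3300173; rev:6; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 NMAP 👨💻"; flow:to_server, stateless; ja3.hash; content:"75fe51990656df4f7a249d5b86aa29ae"; metadata: former_category JA3; reference:url,https://nmap.org/; metadata:created_at 2021_05_25, updated_at 2022_06_11; sid:3300174; rev:6; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 MASSCAN 👨💻"; flow:to_server, stateless; ja3.hash; content:"18e9afaf91db6f8a2470e7435c2a1d6b"; metadata: former_category JA3; reference:url,https://github.com/robertdavidgraham/masscan; metadata:created_at 2021_05_25, updated_at 2022_06_11; sid:3300175; rev:6; classtype:policy-violation;)
# Default Cobalt Strike certificate, matched two ways: by SHA-1 fingerprint (3300176) and by
# issuer fields (3301119). Suricata renders tls.cert_fingerprint in lowercase hex, while
# the content here is uppercase; without nocase the fingerprint rule could never match.
# Added nocase (rev 6) so the rule matches regardless of the case Suricata produces.
alert tls any any -> any any (msg:"🐾 - 🚨 Default Cobalt Strike 🏴☠️ TLS Certificate 🔒 observed"; flow:to_client, stateless; tls.cert_fingerprint; content:"6E:CE:5E:CE:41:92:68:3D:2D:84:E2:5B:0B:A7:E0:4F:9C:B7:EB:7C"; nocase; reference: url,https://github.com/Te-k/cobaltstrike; reference: url,https://www.shodan.io/search?query=ssl.cert.serial%3A146473198; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike; metadata:created_at 2021_11_17, updated_at 2022_06_15; sid:3300176; rev:6; classtype:trojan-activity;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"🐾 - 🚨 Default Cobalt Strike 🏴☠️ TLS Certificate 🔒 observed"; flow:to_client, stateless; tls.cert_issuer; content:"C=Earth"; content:"ST=Cyberspace"; content:"L=Somewhere"; content:"O=cobaltstrike"; content:"OU=AdvancedPenTesting"; content:"CN=Major Cobalt Strike"; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, created_at 2024_01_13, updated_at 2024_01_13; sid:3301119; rev:1; classtype:trojan-activity;)
# Wildcard-DNS services in the SNI. The match is a plain substring, so "x.nip.io.example"
# would also fire; adding endswith would tighten it if that ever becomes a problem.
alert tls any any -> any any (msg:"🐾 - 🚨 Suspicious NIP.IO Wildcard DNS TLS Connection (seen in FIN8 attacks)"; flow:to_server, stateless; tls_sni; content:".nip.io"; nocase; reference: url,https://nip.io/; reference: url,https://www.trendmicro.com/en_us/research/22/a/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.html; metadata:created_at 2022_01_20, updated_at 2022_06_15; sid:3300177; rev:5; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Suspicious SSLIP.IO Wildcard DNS TLS Connection (seen in FIN8 attacks)"; flow:to_server, stateless; tls_sni; content:".sslip.io"; nocase; reference: url,https://sslip.io/; reference: url,https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation; metadata:created_at 2022_01_20, updated_at 2022_06_15; sid:3300178; rev:5; classtype:policy-violation;)
# Internet-scanner CLIs: JA3 + API host SNI. The Onyphe JA3 (f1b9b751b665449f1ce77721b0487b69)
# is shared with Joomscan (3300189), which excludes the Onyphe SNI for that reason.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Shodan CLI 🌐"; flow:to_server, stateless; ja3.hash; content:"8d9f7747675e24454cd9b7ed35c58707"; fast_pattern; tls_sni; content:"api.shodan.io"; metadata: former_category JA3; reference:url,https://cli.shodan.io/; metadata:created_at 2022_05_08, updated_at 2022_10_14; sid:3300179; rev:4; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Onyphe 🇫🇷 CLI 🌐"; flow:to_server, stateless; ja3.hash; content:"f1b9b751b665449f1ce77721b0487b69"; tls.sni; content:"www.onyphe.io"; metadata: former_category JA3; reference:url,https://beta.onyphe.io/docs/cli/installation; metadata:created_at 2023_03_27, updated_at 2023_03_27; sid:3300180; rev:1; classtype:policy-violation;)
# Nuclei JA3 set. 3300183 uses the JA3 shared with the Snap store client (3300166) and
# with ngrok/equinox updaters, hence the list of excluded SNIs.
alert tls any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 Nuclei 👨💻"; flow:to_server, stateless; ja3.hash; content:"f72589e607f9b36992b6b437ce399f26"; metadata: former_category JA3; reference:url,https://nuclei.projectdiscovery.io/; metadata:created_at 2022_05_10, updated_at 2022_06_11; sid:3300181; rev:3; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 Nuclei 👨💻"; flow:to_server, stateless; ja3.hash; content:"19e29534fd49dd27d09234e639c4057e"; metadata: former_category JA3; reference:url,https://nuclei.projectdiscovery.io/; metadata:created_at 2022_10_14, updated_at 2022_10_14; sid:3300182; rev:1; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Network 🕵 scan 🎩 Nuclei 👨💻"; flow:to_server, stateless; ja3.hash; content:"473cd7cb9faa642487833865d516e578"; fast_pattern; tls.sni; content:!"tunnel.ngrok.com"; nocase; content:!"connect.ngrok-agent.com"; nocase; content:!"update.equinox.io"; nocase; content:!"snapcraftcontent.com"; nocase; content:!"snapcraft.io"; nocase; metadata: former_category JA3; reference:url,https://nuclei.projectdiscovery.io/; metadata:created_at 2022_10_16, updated_at 2023_08_24; sid:3300183; rev:5; classtype:policy-violation;)
# Nuclei update check (SNI version-check.nuclei.sh) per platform JA3.
# NOTE(review): 3300185 and 3300186 have identical match conditions (same SNI, same JA3
# 3fed133de60c35724739b913924b6c24) and only differ in msg, so every hit raises two
# alerts; one of them should be retired or given a distinct fingerprint.
alert tls any any -> any any (msg:"🐾 - 🚨 Nuclei 🕵 scan tool for Windows 🪟 - version checking"; flow:to_server, stateless; tls.sni; content:"version-check.nuclei.sh"; ja3.hash; content:"049f44ae40ab2cab555bdfee22e7d7cb"; fast_pattern; metadata: former_category JA3; reference:url,https://nuclei.projectdiscovery.io/; metadata:created_at 2022_10_14, updated_at 2023_08_24; sid:3300184; rev:2; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Nuclei 🕵 scan tool for Linux 🐧 - version checking"; flow:to_server, stateless; tls.sni; content:"version-check.nuclei.sh"; ja3.hash; content:"3fed133de60c35724739b913924b6c24"; metadata: former_category JA3; reference:url,https://nuclei.projectdiscovery.io/; metadata:created_at 2022_10_14, updated_at 2022_10_14; sid:3300185; rev:1; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Nuclei 🕵 scan tool - version checking"; flow:to_server, stateless; tls.sni; content:"version-check.nuclei.sh"; ja3.hash; content:"3fed133de60c35724739b913924b6c24"; metadata: former_category JA3; reference:url,https://nuclei.projectdiscovery.io/; metadata:created_at 2022_10_14, updated_at 2022_10_14; sid:3300186; rev:1; classtype:policy-violation;)
# Web application scanners by JA3. WIG's JA3 overlaps with a few updaters, hence the
# negated SNIs; Joomscan shares its JA3 with the Onyphe CLI (3300180).
alert tls any any -> any any (msg:"🐾 - 🚨 Possible HTTPS 🕵 scan 🎩 WebApp Information Gatherer (WIG) 👨💻"; flow:to_server, stateless; ja3.hash; content:"e0ff89ed9185dfb09184797a4c3f2e1c"; fast_pattern; tls_sni; content:!"update.bleachbit.org"; content:!"github.com"; content:!"changelogs.ubuntu.com"; metadata: former_category JA3; reference:url,https://github.com/jekyc/wig; metadata:created_at 2022_08_08, updated_at 2023_07_25; sid:3300187; rev:4; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 HTTPS 🕵 scan 🎩 OWASP ZAP 👨💻"; flow:to_server, stateless; ja3.hash; content:"aa2db2cb8892ae6b26061b4637855498"; metadata: former_category JA3; reference:url,https://www.zaproxy.org/; metadata:created_at 2022_08_08, updated_at 2022_08_08; sid:3300188; rev:1; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 HTTPS 🕵 scan 🎩 Joomscan 👨💻"; flow:to_server, stateless; ja3.hash; content:"f1b9b751b665449f1ce77721b0487b69"; tls.sni; content:!"www.onyphe.io"; metadata: former_category JA3; reference:url,https://github.com/OWASP/joomscan; metadata:created_at 2022_08_08, updated_at 2023_03_27; sid:3300189; rev:2; classtype:policy-violation;)
# Interactsh (out-of-band testing) server domains, anchored at the start of the SNI since
# rev 4: this catches the scanner's own connection to the server root, not a callback from
# a tested host to "<id>.oast.me" (that would need endswith instead).
alert tls any any -> any any (msg:"🐾 - 🚨 Possible Network vulnerability 🕵 scan 🎩 Interactsh server connection observed"; flow:to_server, stateless; tls.sni; content:"oast.me"; startswith; nocase; reference:url,https://projectdiscovery.io/; reference:url,https://github.com/projectdiscovery/interactsh; metadata:created_at 2022_10_14, updated_at 2024_03_23; sid:3300190; rev:4; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Possible Network vulnerability 🕵 scan 🎩 Interactsh server connection observed"; flow:to_server, stateless; tls.sni; content:"oast.live"; startswith; nocase; reference:url,https://projectdiscovery.io/; reference:url,https://github.com/projectdiscovery/interactsh; metadata:created_at 2022_10_14, updated_at 2024_03_23; sid:3300191; rev:4; classtype:policy-violation;)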
alert tls any any -> any any (msg:"🐾 - 🚨 Possible Network vulnerability 🕵 scan 🎩 Interactsh server connection observed"; flow:to_server, stateless; tls.sni; content:"oast.online"; startswith; nocase; reference:url,https://projectdiscovery.io/; reference:url,https://github.com/projectdiscovery/interactsh; metadata:created_at 2022_10_14, updated_at 2024_03_23; sid:3300192; rev:3; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Possible Network vulnerability 🕵 scan 🎩 Interactsh server connection observed"; flow:to_server, stateless; tls.sni; content:"oast.site"; startswith; nocase; reference:url,https://projectdiscovery.io/; reference:url,https://github.com/projectdiscovery/interactsh; metadata:created_at 2022_10_14, updated_at 2024_03_23; sid:3300193; rev:3; classtype:policy-violation;)
### Other browsers ###
# Non-browser HTTP clients (curl, wget, Go net/http, Python urllib, pip, PowerShell,
# BITSAdmin, Windows Installer), identified by JA3. All rules are $HOME_NET -> any, so
# internal-to-internal use of these clients alerts as well.
# curl: separate JA3 values per TLS version and per "IP address" vs "FQDN" target,
# presumably because a connection to a bare IP omits the SNI extension and so changes the
# JA3 extension list — TODO confirm against a capture.
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Curl User Agent 🌐 (TLS1.3 connection to IP address)"; flow:to_server, stateless; ja3.hash; content:"78f0dc5ac5b19daf131a133cfdee9691"; metadata: former_category JA3; reference:url,https://curl.se/; metadata:created_at 2024_05_26, updated_at 2024_05_26; sid:3321271; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Curl User Agent 🌐 (TLS1.3 connection to IP address)"; flow:to_server, stateless; ja3.hash; content:"0d85f6adde9dc6aa98804d6cfa2f90c1"; metadata: former_category JA3; reference:url,https://curl.se/; metadata:created_at 2021_08_09, updated_at 2024_03_02; sid:3300194; rev:7; classtype:policy-violation;)
# NOTE(review): sid:3321272 and sid:3300195 carry the same 18-entry negated SNI allowlist
# verbatim; any change to one must be mirrored in the other (a Suricata dataset or a
# shared address/variable would remove the duplication).
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Curl User Agent 🌐 (TLS1.3 connection to FQDN)"; flow:to_server, stateless; ja3.hash; content:"0149f47eabf9a20d0893e2a44e5a6323"; fast_pattern; tls_sni; content:!"database.clamav.net"; endswith; nocase; content:!"pdfarchitect.org"; endswith; nocase; content:!"version.chamilo.org"; endswith; nocase; content:!"www.phpmyadmin.net"; endswith; nocase; content:!"services.glpi-network.com"; endswith; nocase; content:!"meta.wikimedia.org"; endswith; nocase; content:!"getcomposer.org"; endswith; nocase; content:!"pkgupdate.synology.com"; endswith; nocase; content:!"sodapdf.com"; endswith; nocase; content:!"bitdefender.com"; endswith; nocase; content:!"bitdefender.net"; endswith; nocase; content:!"update.virtualbox.org"; endswith; nocase; content:!"www.virtualbox.org"; endswith; nocase; content:!"incoming.telemetry.mozilla.org"; endswith; nocase; content:!"asustor.com"; endswith; nocase; content:!"sandboxing.stormshieldcs.eu"; endswith; nocase; content:!"entropy.ubuntu.com"; endswith; nocase; content:!"www.mageni.net"; endswith; nocase; metadata: former_category JA3; reference:url,https://curl.se/; metadata:created_at 2024_05_26, updated_at 2024_05_26; sid:3321272; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Curl User Agent 🌐 (TLS1.3 connection to FQDN)"; flow:to_server, stateless; ja3.hash; content:"f436b9416f37d134cadd04886327d3e8"; fast_pattern; tls_sni; content:!"database.clamav.net"; endswith; nocase; content:!"pdfarchitect.org"; endswith; nocase; content:!"version.chamilo.org"; endswith; nocase; content:!"www.phpmyadmin.net"; endswith; nocase; content:!"services.glpi-network.com"; endswith; nocase; content:!"meta.wikimedia.org"; endswith; nocase; content:!"getcomposer.org"; endswith; nocase; content:!"pkgupdate.synology.com"; endswith; nocase; content:!"sodapdf.com"; endswith; nocase; content:!"bitdefender.com"; endswith; nocase; content:!"bitdefender.net"; endswith; nocase; content:!"update.virtualbox.org"; endswith; nocase; content:!"www.virtualbox.org"; endswith; nocase; content:!"incoming.telemetry.mozilla.org"; endswith; nocase; content:!"asustor.com"; endswith; nocase; content:!"sandboxing.stormshieldcs.eu"; endswith; nocase; content:!"entropy.ubuntu.com"; endswith; nocase; content:!"www.mageni.net"; endswith; nocase; metadata: former_category JA3; reference:url,https://curl.se/; metadata:created_at 2021_08_09, updated_at 2024_03_02; sid:3300195; rev:22; classtype:policy-violation;)
# The TLS1.2 curl rules have no SNI allowlist, so every flow carrying the hash alerts.
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Curl User Agent 🌐 (TLS1.2 connection to FQDN)"; flow:to_server, stateless; ja3.hash; content:"87b9bfc7da97115ed2276737b09f8d74"; fast_pattern; metadata: former_category JA3; reference:url,https://curl.se/; metadata:created_at 2024_05_26, updated_at 2024_05_26; sid:3321274; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Curl User Agent 🌐 (TLS1.2 connection to FQDN)"; flow:to_server, stateless; ja3.hash; content:"00bcd759cb8ad485fdbf1e7a0c5b94b4"; fast_pattern; metadata: former_category JA3; reference:url,https://curl.se/; metadata:created_at 2023_04_09, updated_at 2024_03_02; sid:3300196; rev:12; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Curl User Agent 🌐 (TLS1.2 connection to IP address)"; flow:to_server, stateless; ja3.hash; content:"a800670a9e75f9768d052dd7f0be5728"; fast_pattern; metadata: former_category JA3; reference:url,https://curl.se/; metadata:created_at 2024_05_26, updated_at 2024_05_26; sid:3321273; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Curl User Agent 🌐 (TLS1.2 connection to IP address)"; flow:to_server, stateless; ja3.hash; content:"bcd93fc89dba4639942325c540ce598c"; fast_pattern; metadata: former_category JA3; reference:url,https://curl.se/; metadata:created_at 2023_04_09, updated_at 2023_06_26; sid:3300197; rev:12; classtype:policy-violation;)
# curl on Windows (Schannel-style fingerprints); only the TLS1.2 variant has an allowlist.
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Curl User Agent 🌐 (Windows 🪟)"; flow:to_server, stateless; ja3.hash; content:"4ea056e63b7910cbf543f0c095064dfe"; metadata: former_category JA3; reference:url,https://curl.se/; metadata:created_at 2022_02_08, updated_at 2023_04_18; sid:3300198; rev:6; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Curl User Agent 🌐 (Windows 🪟 TLS1.2)"; flow:to_server, stateless; ja3.hash; content:"74954a0c86284d0d6e1c4efefe92b521"; fast_pattern; tls_sni; content:!"cdn.bitdefender.net"; endswith; nocase; content:!"avast.com"; endswith; nocase; metadata: former_category JA3; reference:url,https://curl.se/; metadata:created_at 2023_04_18, updated_at 2023_11_01; sid:3300199; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Curl User Agent 🌐 (Windows 🪟 TLS1.3 connection to IP Address)"; flow:to_server, stateless; ja3.hash; content:"157ed5df7fc4272b631226c7d66a924e"; metadata: former_category JA3; reference:url,https://curl.se/; metadata:created_at 2023_12_04, updated_at 2023_12_04; sid:3301096; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Curl User Agent 🌐 (Windows 🪟 TLS1.3 connection to FQDN)"; flow:to_server, stateless; ja3.hash; content:"2982919ca7b9911dea9344128ed99ad6"; metadata: former_category JA3; reference:url,https://curl.se/; metadata:created_at 2023_12_04, updated_at 2023_12_04; sid:3301097; rev:1; classtype:policy-violation;)
# wget, Go net/http, Python urllib, pip. sid:3300204 and sid:3300205 carry negated SNI
# allowlists for known legitimate users of the same stack; the others alert on every flow.
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Wget Client 🌐"; flow:to_server, stateless; ja3.hash; content:"b0d76bcf71a17de4a018e9d2987e3dad"; metadata: former_category JA3; reference:url,https://fr.wikipedia.org/wiki/GNU_Wget; metadata:created_at 2021_08_09, updated_at 2022_06_11; sid:3300200; rev:7; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Wget Client 🌐"; flow:to_server, stateless; ja3.hash; content:"12f3a91294cc7369f421b491ca4e1a7a"; metadata: former_category JA3; reference:url,https://fr.wikipedia.org/wiki/GNU_Wget; metadata:created_at 2021_08_09, updated_at 2022_06_11; sid:3300201; rev:7; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Wget Client 🌐"; flow:to_server, stateless; ja3.hash; content:"bb4f9fef542ff6b4b29aa653bf0c1d31"; metadata: former_category JA3; reference:url,https://fr.wikipedia.org/wiki/GNU_Wget; metadata:created_at 2022_05_02, updated_at 2022_06_11; sid:3300202; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Go HTTP Client 🌐"; flow:to_server, stateless; ja3.hash; content:"b102b73a090f4079a02e520bc16cc6cf"; metadata: former_category JA3; reference:url,https://golangexample.com/http-client-for-golang/; metadata:created_at 2021_08_21, updated_at 2022_06_11; sid:3300203; rev:6; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Go HTTP Client 🌐"; flow:to_server, stateless; ja3.hash; content:"df669e7ea913f1ac0c0cce9a201a2ec1"; fast_pattern; tls_sni; content:!"assist.zoho"; content:!"api.snapcraft.io"; endswith; content:!"snapcraftcontent.com"; endswith; content:!"zohoassist.com"; endswith; content:!"zoho.eu"; endswith; metadata: former_category JA3; reference:url,https://golangexample.com/http-client-for-golang/; metadata:created_at 2021_08_23, updated_at 2023_12_27; sid:3300204; rev:13; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Python 🐍 urllib module 🌐"; flow:to_server, stateless; ja3.hash; content:"8d9f7747675e24454cd9b7ed35c58707"; fast_pattern; tls_sni; content:!"extensions.gnome.org"; endswith; nocase; content:!"api.shodan.io"; endswith; nocase; content:!"www.google-analytics.com"; nocase; endswith; content:!"ingest.sentry.io"; nocase; endswith; metadata: former_category JA3; reference:url,https://docs.python.org/fr/3/library/urllib.html; metadata:created_at 2021_08_25, updated_at 2024_06_05; sid:3300205; rev:7; classtype:policy-violation;)
# NOTE(review): the msg of sid:3321280 ends in a trailing space ("Package install ").
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Python3 🐍 Package install "; flow:to_server, stateless; ja3.hash; content:"07ff1e545ef8ab3fcf8a4dc9272221c2"; fast_pattern; tls_sni; content:"pypi.org"; endswith; nocase; metadata: former_category JA3; reference:url,https://pypi.org/project/pip/; metadata:created_at 2024_06_16, updated_at 2024_06_16; sid:3321280; rev:1; classtype:policy-violation;)
# PowerShell (Invoke-WebRequest / Invoke-RestMethod style fingerprints).
# NOTE(review): sid:3300206 and sid:3301101 share JA3 fc54e0d16d9764783542f0146a98b300.
# sid:3300206 has no SNI clause, so it fires on every flow carrying that hash, FQDN or not,
# and its "connection to IP address" label is not enforced; if the IP/FQDN split is wanted
# the IP-address rule would also need to reject flows that carry an SNI — TODO confirm.
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Powershell 🌐 (Windows 🪟) - TLSv1.0 connection to IP address"; flow:to_server, stateless; ja3.hash; content:"fc54e0d16d9764783542f0146a98b300"; metadata: former_category JA3; reference:url,https://learn.microsoft.com/en-us/powershell/; metadata:created_at 2022_12_06, updated_at 2023_03_17; sid:3300206; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Powershell 🌐 (Windows 🪟) - TLSv1.0 connection to FQDN"; flow:to_server, stateless; ja3.hash; content:"fc54e0d16d9764783542f0146a98b300"; fast_pattern; tls_sni; content:!"lenovo.com"; nocase; endswith; content:!"microsoft.com"; nocase; endswith; metadata: former_category JA3; reference:url,https://learn.microsoft.com/en-us/powershell/; metadata:created_at 2023_12_27, updated_at 2024_02_09; sid:3301101; rev:2; classtype:policy-violation;)
# The FQDN rules below exclude vendor/update domains via endswith; note that ".google",
# ".ms" and ".microsoft" are whole-TLD exclusions, so anything under those TLDs is quiet.
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Powershell 🌐 (Windows 🪟) - TLSv1.2 connection to FQDN"; flow:to_server, stateless; ja3.hash; content:"3b5074b1b5d032e5620f69f9f700ff0e"; fast_pattern; tls_sni; content:!"windows.com"; nocase; endswith; content:!".google"; nocase; endswith; content:!"hpsmart.com"; nocase; endswith; content:!"hp.com"; nocase; endswith; content:!"hpconnected.com"; nocase; endswith; content:!"lenovo.com"; nocase; endswith; content:!"microsoft.com"; nocase; endswith; content:!"github.com"; nocase; endswith; content:!"githubusercontent.com"; nocase; endswith; content:!"garmin.com"; nocase; endswith; content:!"visualstudio.com"; nocase; endswith; content:!"powershellgallery.com"; nocase; endswith; content:!"azureedge.net"; nocase; endswith; content:!"exp-tas.com"; nocase; endswith; content:!"sentinelone.net"; nocase; endswith; content:!"trafficmanager.net"; nocase; endswith; content:!"msedge.net"; nocase; endswith; content:!".ms"; nocase; endswith; content:!"msecnd.net"; nocase; endswith; content:!".microsoft"; nocase; endswith; content:!"office.net"; endswith; nocase; content:!"lenovomm.com"; endswith; nocase; content:!"packages.wazuh.com"; endswith; nocase; metadata: former_category JA3; reference:url,https://learn.microsoft.com/en-us/powershell/; metadata:created_at 2023_12_27, updated_at 2024_05_26; sid:3301102; rev:14; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Powershell 🌐 (Windows 11 🪟) - TLSv1.3 connection to FQDN"; flow:to_server, stateless; ja3.hash; content:"3c4eb72b882d4d1442c67ce73f1292a9"; fast_pattern; tls_sni; content:!"windows.com"; nocase; endswith; content:!".google"; nocase; endswith; content:!"hpsmart.com"; nocase; endswith; content:!"hp.com"; nocase; endswith; content:!"hpconnected.com"; nocase; endswith; content:!"lenovo.com"; nocase; endswith; content:!"visualstudio.com"; nocase; endswith; content:!"exp-tas.com"; nocase; endswith; content:!"microsoft.com"; nocase; endswith; content:!"azureedge.net"; nocase; endswith; content:!"powershellgallery.com"; nocase; endswith; content:!"msecnd.net"; nocase; endswith; content:!"msedge.net"; nocase; endswith; content:!".ms"; nocase; endswith; content:!".trafficmanager.net"; nocase; endswith; metadata: former_category JA3; reference:url,https://learn.microsoft.com/en-us/powershell/; metadata:created_at 2023_11_05, updated_at 2024_03_05; sid:3301084; rev:8; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Powershell 🌐 (Windows 11 🪟) - TLSv1.2 connection to IP address"; flow:to_server, stateless; ja3.hash; content:"43016d7f7f9336b17c884650d0d2545d"; metadata: former_category JA3; reference:url,https://learn.microsoft.com/en-us/powershell/; metadata:created_at 2023_11_05, updated_at 2023_11_05; sid:3301085; rev:1; classtype:policy-violation;)
# sid:3301086 excludes destination port 636 (presumably LDAPS, to keep directory traffic
# from the same stack quiet); the other PowerShell rules do not.
alert tls $HOME_NET any -> any ![636] (msg:"🐾 - 🚨 Powershell 🌐 (Windows 11 🪟) - TLSv1.2 connection to FQDN"; flow:to_server, stateless; ja3.hash; content:"6a5d235ee78c6aede6a61448b4e9ff1e"; fast_pattern; tls_sni; content:!"windows.com"; nocase; endswith; content:!".google"; nocase; endswith; content:!"autodesk.com"; nocase; endswith; content:!"sentinelone.net"; nocase; endswith; content:!"garmin.com"; nocase; endswith; content:!"visualstudio.com"; nocase; endswith; content:!"powershellgallery.com"; nocase; endswith; content:!"lenovo.com"; nocase; endswith; metadata: former_category JA3; reference:url,https://learn.microsoft.com/en-us/powershell/; metadata:created_at 2023_11_05, updated_at 2024_01_14; sid:3301086; rev:6; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Powershell 🌐 (Windows 11 🪟) - TLSv1.3 connection to IP Address"; flow:to_server, stateless; ja3.hash; content:"4d5efa96609dc906f796e63cff009c2a"; fast_pattern; metadata: former_category JA3; reference:url,https://learn.microsoft.com/en-us/powershell/; metadata:created_at 2023_11_05, updated_at 2023_11_05; sid:3301088; rev:1; classtype:policy-violation;)
# BITSAdmin / Windows Installer (references tie these stacks to ransomware and USB-worm
# tradecraft). JA3 bd0bf25947d4a37404f0424edf4db9ad (sid:3300209) is also matched
# positively by sid:3300228 (GoTo Connect, jive.com), which is why jive.com sits in the
# negated list here.
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Possible BITSAdmin TLSv1.2 connection to FQDN"; flow:to_server, stateless; ja3.hash; content:"0ffee3ba8e615ad22535e7f771690a28"; fast_pattern; tls_sni; content:!"mozilla.com"; endswith; nocase; content:!"mozilla.org"; endswith; nocase; content:!"thunderbird.net"; endswith; nocase; content:!"gvt1.com"; endswith; nocase; reference:url,https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/; reference:url,https://learn.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool; metadata:created_at 2023_04_12, updated_at 2023_06_26; sid:3300207; rev:5; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Possible BITSAdmin or Windows Installer TLSv1.2 connection to IP address"; flow:to_server, stateless; ja3.hash; content:"e62a5f4d538cbf169c2af71bec2399b4"; fast_pattern; reference:url,https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/; reference:url,https://learn.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool; metadata:created_at 2023_04_12, updated_at 2023_06_26; sid:3300208; rev:3; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Possible Windows Installer TLSv1.2 connection to FQDN"; flow:to_server, stateless; ja3.hash; content:"bd0bf25947d4a37404f0424edf4db9ad"; fast_pattern; tls_sni; content:!"microsoft.com"; endswith; nocase; content:!"live.com"; endswith; nocase; content:!"google.com"; endswith; nocase; content:!".ms"; endswith; nocase; content:!"libreoffice.org"; endswith; nocase; content:!"skype.com"; endswith; nocase; content:!"windows.net"; endswith; nocase; content:!"googleapis.com"; endswith; nocase; content:!"office.com"; endswith; nocase; content:!"azureedge.net"; endswith; nocase; content:!"sophosupd.com"; endswith; nocase; content:!"sophosxl.net"; endswith; nocase; content:!"sophos.com"; endswith; nocase; content:!"office.net"; endswith; nocase; content:!"jive.com"; endswith; nocase; content:!"adobe.com"; endswith; nocase; content:!"avast.com"; endswith; nocase; content:!"mozilla.org"; endswith; nocase; content:!".microsoft"; nocase; endswith; reference:url,https://www.senseon.io/resource/resurgent-usb-malware-battling-raspberry-robin/; metadata:created_at 2023_05_18, updated_at 2024_03_03; sid:3300209; rev:14; classtype:policy-violation;)
# PowerShell Gallery module downloads: the FQDN hashes of sid:3301086 / sid:3301102 with a
# positive SNI match (those parent rules already exclude powershellgallery.com).
# NOTE(review): the msg of sid:3301122 says Windows 10, but its affected_product metadata
# says Windows_11_Server_32_64_Bit (apparently copied from sid:3301121), and the JA3 it
# uses is the one sid:3301102 labels plain "Windows" — align msg and metadata and bump rev.
alert tls $HOME_NET any -> any 443 (msg:"🐾 - 🚨 Powershell 🌐 (Windows 11 🪟) - module downloading ⬇ from PowerShell Gallery (launched as administrator 🦸)"; flow:to_server, stateless; ja3.hash; content:"6a5d235ee78c6aede6a61448b4e9ff1e"; fast_pattern; tls_sni; content:"www.powershellgallery.com"; nocase; endswith; metadata: former_category JA3; reference:url,https://learn.microsoft.com/en-us/powershell/; reference:url,https://www.powershellgallery.com/; metadata:signature_severity Major, attack_target Client_and_Server, affected_product Windows_11_Server_32_64_Bit, mitre_tactic_id TA0002, mitre_tactic_name Execution, mitre_technique_id T1059.001, mitre_technique_name Command_and_Scripting_Interpreter_PowerShell, created_at 2024_01_14, updated_at 2024_01_14; sid:3301121; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> any 443 (msg:"🐾 - 🚨 Powershell 🌐 (Windows 10 🪟) - module downloading ⬇ from PowerShell Gallery (launched as administrator 🦸)"; flow:to_server, stateless; ja3.hash; content:"3b5074b1b5d032e5620f69f9f700ff0e"; fast_pattern; tls_sni; content:"www.powershellgallery.com"; nocase; endswith; metadata: former_category JA3; reference:url,https://learn.microsoft.com/en-us/powershell/; reference:url,https://www.powershellgallery.com/; metadata:signature_severity Major, attack_target Client_and_Server, affected_product Windows_11_Server_32_64_Bit, mitre_tactic_id TA0002, mitre_tactic_name Execution, mitre_technique_id T1059.001, mitre_technique_name Command_and_Scripting_Interpreter_PowerShell, created_at 2024_01_14, updated_at 2024_01_14; sid:3301122; rev:1; classtype:policy-violation;)
### Applications ###
# Desktop/mobile software presence is rate-limited (threshold type limit, track by_src,
# one alert per source per 86400 s); the tunnelling and exfiltration rules further down
# carry no threshold, so every matching flow alerts.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 MegaSync Desktop App for Windows 🗃"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ja3.hash; content:"6007fab060801d19a9b8268fae904763"; metadata: former_category JA3; reference:url,https://mega.io/sync; metadata:created_at 2022_02_08, updated_at 2022_08_02; sid:3300210; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET 5228 (msg:"🐾 - 🚨 TLS Connection ➡ Google MTALK (TCP/5228) service 👀"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:"mtalk.google.com"; nocase; metadata:created_at 2022_03_18, updated_at 2022_08_02; sid:3300211; rev:4; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET 5223 (msg:"🐾 - 🚨 Apple 🍏 Push Notification Service (APNs) (TCP/5223)"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400;tls_sni; content:"courier.push.apple.com"; nocase; metadata:created_at 2022_05_20, updated_at 2022_08_02; sid:3300212; rev:2; classtype:policy-violation;)
# Rclone.
# NOTE(review): JA3 049f44ae40ab2cab555bdfee22e7d7cb is the same value sid:3300184
# attributes to Nuclei on Windows. sid:3300213 has no SNI clause and therefore alerts on
# any client sharing that stack fingerprint, so treat it as a low-confidence indicator; the
# MEGA / Uptobox variants with a positive SNI match are the actionable ones.
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Possible Rclone TLS connection 🌐 - Possible file exfiltration 🗃"; flow:to_server, stateless; ja3.hash; content:"049f44ae40ab2cab555bdfee22e7d7cb"; metadata: former_category JA3; reference:url,https://rclone.org/; metadata:created_at 2022_10_10, updated_at 2022_10_10; sid:3300213; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Suspicious Rclone TLS connection to MEGA 🌐 - Possible file exfiltration 🗃"; flow:to_server, stateless; ja3.hash; content:"049f44ae40ab2cab555bdfee22e7d7cb"; fast_pattern; tls_sni; content:"api.mega.co.nz"; metadata: former_category JA3; reference:url,https://rclone.org/; metadata:created_at 2022_10_10, updated_at 2024_01_14; sid:3300214; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Suspicious Rclone TLS connection to Uptobox 🌐 - Possible file exfiltration 🗃"; flow:to_server, stateless; ja3.hash; content:"049f44ae40ab2cab555bdfee22e7d7cb"; fast_pattern; tls_sni; content:"uptobox.com"; metadata: former_category JA3; reference:url,https://rclone.org/; metadata:created_at 2022_10_15, updated_at 2024_01_14; sid:3300215; rev:2; classtype:policy-violation;)
# ngrok. JA3 473cd7cb9faa642487833865d516e578 (sid:3300217, sid:3300218) is also the hash
# sid:3300183 flags as Nuclei, with the ngrok SNIs excluded there. The SNI-only rules
# sid:3300219 / sid:3300220 catch any other client reaching the ngrok control endpoints,
# so a single ngrok session can raise one JA3+SNI alert and one SNI-only alert.
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Ngrok SSL Tunnel opened - Local network Windows 🪟 machine exposed on internet 🌐 - Possible file exfiltration 🗃 - Tool liked by Daixin Team 👿"; flow:to_server, stateless; ja3.hash; content:"6b28b80dd90355a0302cad8f014988b9"; fast_pattern; tls_sni; content:"tunnel.ngrok.com"; metadata: former_category JA3; reference:url,https://ngrok.com/download; reference:url,https://www.cisa.gov/uscert/ncas/alerts/aa22-294a; metadata:created_at 2022_10_21, updated_at 2023_08_24; sid:3300216; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Ngrok SSL Tunnel opened - Local network Windows 🪟 machine exposed on internet 🌐 - Possible file exfiltration 🗃 - Tool liked by Daixin Team 👿"; flow:to_server, stateless; ja3.hash; content:"473cd7cb9faa642487833865d516e578"; fast_pattern; tls_sni; content:"connect.ngrok-agent.com"; metadata: former_category JA3; reference:url,https://ngrok.com/download; reference:url,https://www.cisa.gov/uscert/ncas/alerts/aa22-294a; metadata:created_at 2023_08_24, updated_at 2023_08_24; sid:3300217; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Ngrok SSL Tunnel opened - Local network Linux 🐧 machine exposed on internet 🌐 - Possible file exfiltration 🗃 - Tool liked by Daixin Team 👿"; flow:to_server, stateless; ja3.hash; content:"473cd7cb9faa642487833865d516e578"; fast_pattern; tls_sni; content:"tunnel.ngrok.com"; metadata: former_category JA3; reference:url,https://ngrok.com/download; reference:url,https://www.cisa.gov/uscert/ncas/alerts/aa22-294a; metadata:created_at 2022_10_21, updated_at 2023_08_24; sid:3300218; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Ngrok SSL Tunnel opened - Local network machine exposed on internet 🌐 - Possible file exfiltration 🗃 - Tool liked by Daixin Team 👿"; flow:to_server, stateless; tls_sni; content:"tunnel.ngrok.com"; reference:url,https://ngrok.com/download; reference:url,https://www.cisa.gov/uscert/ncas/alerts/aa22-294a; metadata:created_at 2022_10_21, updated_at 2022_10_21; sid:3300219; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Ngrok SSL Tunnel opened - Local network machine exposed on internet 🌐 - Possible file exfiltration 🗃 - Tool liked by Daixin Team 👿"; flow:to_server, stateless; tls_sni; content:"connect.ngrok-agent.com"; reference:url,https://ngrok.com/download; reference:url,https://www.cisa.gov/uscert/ncas/alerts/aa22-294a; metadata:created_at 2023_08_24, updated_at 2023_08_24; sid:3300220; rev:1; classtype:policy-violation;)
# localtunnel: generic SNI rule plus a Linux-client JA3 variant (no fast_pattern set on
# the hash here, unlike the ngrok rules).
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 LocalTunnel SSL Tunnel opened - Local network machine exposed on internet 🌐 - Possible file exfiltration 🗃"; flow:to_server, stateless; tls_sni; content:"localtunnel.me"; reference:url,https://theboroer.github.io/localtunnel-www/; metadata:created_at 2022_12_04, updated_at 2022_12_04; sid:3300221; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 LocalTunnel SSL Tunnel opened - Local network Linux 🐧 machine exposed on internet 🌐 - Possible file exfiltration 🗃"; flow:to_server, stateless; ja3.hash; content:"398430069e0a8ecfbc8db0778d658d77"; tls_sni; content:"localtunnel.me"; metadata: former_category JA3; reference:url,https://theboroer.github.io/localtunnel-www/; metadata:created_at 2022_12_04, updated_at 2022_12_04; sid:3300222; rev:1; classtype:policy-violation;)
# Microsoft Activation Scripts (massgrave.dev) fetched by PowerShell. 3b5074b1... is the
# fingerprint sid:3301102 labels PowerShell TLSv1.2 and 3c4eb72b... the Windows 11 TLSv1.3
# one (sid:3301084). NOTE(review): sid:3300223 and sid:3300225 both say "(TLSv1)" with
# different hashes — TODO confirm which TLS version / Windows build each one covers.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Unofficial Microsoft Activation Scripts (MAS) for Windows 🪟 and Office 📘 Invoke-RestMethod execution (TLSv1)"; flow:to_server, stateless; ja3.hash; content:"15b2baf954ea2db42018ede3f07add85"; fast_pattern; tls_sni; content:"massgrave.dev"; nocase; reference:url,https://massgrave.dev/; reference:url,https://www.bleepingcomputer.com/news/security/microsoft-support-cracks-windows-for-customer-after-activation-fails/; metadata:created_at 2023_03_16, updated_at 2023_03_16; sid:3300223; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Unofficial Microsoft Activation Scripts (MAS) for Windows 🪟 and Office 📘 Invoke-RestMethod execution (TLSv1.2)"; flow:to_server, stateless; ja3.hash; content:"3b5074b1b5d032e5620f69f9f700ff0e"; fast_pattern; tls_sni; content:"massgrave.dev"; nocase; reference:url,https://massgrave.dev/; reference:url,https://www.bleepingcomputer.com/news/security/microsoft-support-cracks-windows-for-customer-after-activation-fails/; metadata:created_at 2023_03_16, updated_at 2023_03_16; sid:3300224; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Unofficial Microsoft Activation Scripts (MAS) for Windows 🪟 and Office 📘 Invoke-RestMethod execution (TLSv1)"; flow:to_server, stateless; ja3.hash; content:"235a856727c14dba889ddee0a38dd2f2"; fast_pattern; tls_sni; content:"massgrave.dev"; nocase; reference:url,https://massgrave.dev/; reference:url,https://www.bleepingcomputer.com/news/security/microsoft-support-cracks-windows-for-customer-after-activation-fails/; metadata:created_at 2023_03_16, updated_at 2023_05_09; sid:3300225; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Unofficial Microsoft Activation Scripts (MAS) for Windows 🪟 and Office 📘 Invoke-RestMethod execution (TLSv1.3 Windows 11 🪟)"; flow:to_server, stateless; ja3.hash; content:"3c4eb72b882d4d1442c67ce73f1292a9"; fast_pattern; tls_sni; content:"massgrave.dev"; nocase; reference:url,https://massgrave.dev/; reference:url,https://www.bleepingcomputer.com/news/security/microsoft-support-cracks-windows-for-customer-after-activation-fails/; metadata:created_at 2023_11_05, updated_at 2023_11_05; sid:3301087; rev:1; classtype:policy-violation;)
# Messaging, remote-support and "possibly unwanted" applications.
# NOTE(review): the msg of sid:3300227 has a typo ("Suspcious"); it is a msg-only change
# but should still bump rev so downstream rule managers pick it up.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Telegram for Windows 🪟"; flow:to_server, stateless; ja3.hash; content:"57fbe0aefee44901190849b0e877a5e1"; fast_pattern; tls_sni; content:"td.telegram.org"; nocase; reference:url,https://telegram.org/; metadata:created_at 2023_06_23, updated_at 2023_06_23; sid:3300226; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspcious Google.ru 🇷🇺 flow - possible Telegram for Windows 🪟"; flow:to_server, stateless; ja3.hash; content:"57fbe0aefee44901190849b0e877a5e1"; fast_pattern; tls_sni; content:"google.ru"; nocase; reference:url,https://telegram.org/; metadata:created_at 2023_06_23, updated_at 2023_06_23; sid:3300227; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 GoTo Connect on Windows 🪟"; flow:to_server, stateless; ja3.hash; content:"bd0bf25947d4a37404f0424edf4db9ad"; fast_pattern; tls_sni; content:"jive.com"; endswith; nocase; reference:url,https://www.goto.com/fr/connect; metadata:created_at 2023_06_29, updated_at 2023_06_29; sid:3300228; rev:1; classtype:policy-violation;)
# GitHub reached with the PowerShell TLSv1.2 fingerprint: sid:3301102 excludes github.com
# and githubusercontent.com, and these two rules cover that carved-out case explicitly.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious Windows 🪟 TLSv1.2 connection to github.com - possible unwanted application"; flow:to_server, stateless; ja3.hash; content:"3b5074b1b5d032e5620f69f9f700ff0e"; fast_pattern; tls_sni; content:"github.com"; endswith; nocase; metadata:created_at 2023_07_26, updated_at 2023_12_31; sid:3300229; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious Windows 🪟 TLSv1.2 connection to githubusercontent.com - possible unwanted application"; flow:to_server, stateless; ja3.hash; content:"3b5074b1b5d032e5620f69f9f700ff0e"; fast_pattern; tls_sni; content:"githubusercontent.com"; endswith; nocase; metadata:created_at 2023_12_31, updated_at 2023_12_31; sid:3301107; rev:1; classtype:policy-violation;)
# NOTE(review): the msg of sid:3301095 has an unbalanced closing parenthesis
# ("...from Windows 🪟)"); msg-only fix, but bump rev when correcting it.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 DumpIt (Comae) - Memory Dump Started from Windows 🪟)"; flow:to_server, stateless; ja3.hash; content:"ce5f3254611a8c095a3d821d44539877"; fast_pattern; tls_sni; content:"comae.com"; endswith; nocase; reference:url,https://www.magnetforensics.com/fr/resources/magnet-dumpit-pour-windows/; metadata:created_at 2023_12_04, updated_at 2023_12_04; sid:3301095; rev:5; classtype:policy-violation;)
### Mobile devices ###
# Device-presence rules, rate-limited to one alert per source per day (per hour for the
# SIM-unlock check). sid:3300233 rejects a leading "www." with a negated startswith before
# the positive .hmdglobal.com match; sid:3300234 additionally pins the JA3 after the SNI
# check, so both buffers must match.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Samsung 📱 Mobile - Android 🤖"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:".atlas.samsung.com"; nocase; metadata:created_at 2022_03_19, updated_at 2022_08_02; sid:3300230; rev:3; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Samsung 📱 Mobile - Android 🤖"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:".dqa.samsung.com"; nocase; metadata:created_at 2022_03_19, updated_at 2022_08_02; sid:3300231; rev:3; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Updater - Android 🤖"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:"android.googleapis.com"; nocase; metadata:created_at 2022_03_19, updated_at 2022_08_02; sid:3300232; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Nokia 📱 Mobile - Android 🤖"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:!"www."; nocase; startswith; content:".hmdglobal.com"; nocase; metadata:created_at 2022_03_19, updated_at 2022_08_02; sid:3300233; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 iPhone 📱 Mobile 🍏"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:"iphone-ld.apple.com"; startswith; nocase; ja3.hash; content:"773906b0efdefa24a7f2b8eb6985bf37"; metadata:created_at 2022_05_20, updated_at 2022_08_02; sid:3300234; rev:3; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET 8181 (msg:"🐾 - 🚨 SIM card unlock connectivity check 📲 Bouygues Telecom 🇫🇷 GSM Operator"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"entitlements-prod.bouyguestelecom.fr"; nocase; metadata:created_at 2022_05_20, updated_at 2022_08_02; sid:3300235; rev:4; classtype:policy-violation;)
### TOR et VPN ###
# VPN client detection by SNI only; no threshold on these two, so every matching handshake alerts.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Private Internet Access 🔒 VPN Client 🕶"; flow:to_server, stateless; tls_sni; content:"www.piaproxy.net"; nocase; reference:url,https://fra.privateinternetaccess.com/; metadata:created_at 2021_08_18, updated_at 2022_08_02; sid:3300236; rev:4; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Private Internet Access 🔒 VPN Client 🕶"; flow:to_server, stateless; tls_sni; content:"www.privateinternetaccess.com"; nocase; reference:url,https://fra.privateinternetaccess.com/; metadata:created_at 2021_08_18, updated_at 2022_08_02; sid:3300237; rev:4; classtype:policy-violation;)
# NOTE(review): JA3-only Tor Browser rules (no SNI or destination constraint). Tor Browser is built on
# Firefox ESR, so these hashes may also come from an ordinary Firefox ESR client — corroborate with the
# destination before treating a hit as Tor use. Limited to one alert per source per day.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 TOR 🧅 Browser 🌐"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ja3.hash; content:"711528629b81edc0307f28392d2a96c0"; metadata: former_category JA3; reference:url,https://www.torproject.org/; metadata:created_at 2021_09_16, updated_at 2022_08_02; sid:3300238; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 TOR 🧅 Browser 🌐"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ja3.hash; content:"e7d705a3286e19ea42f587b344ee6865"; metadata: former_category JA3; reference:url,https://www.torproject.org/; metadata:created_at 2022_02_11, updated_at 2022_08_02; sid:3300239; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 TOR 🧅 Browser 🌐"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ja3.hash; content:"140e0f0cad708278ade0984528fe8493"; metadata: former_category JA3; reference:url,https://www.torproject.org/; metadata:created_at 2022_06_28, updated_at 2022_08_02; sid:3300240; rev:2; classtype:policy-violation;)
# Three stacked conditions: SNI api.ipify.org + ssl_version tls1.3 + JA3 hash. The public-IP lookup
# alone is common to many tools, hence "Possible" in the msg. "nocase" on a hex JA3 is harmless.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Possible Fortinet VPN Client 🧱 for 🪟 Windows establishing external connection (api.ipify.org lookup public IP address + ja3 identified)"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"api.ipify.org"; ssl_version:tls1.3; ja3.hash; content:"bc29aa426fc99c0be1b9be941869f88a"; fast_pattern; nocase; metadata:created_at 2024_06_04, updated_at 2024_06_04; sid:3321277; rev:1; classtype:policy-violation;)
### Malware ###
# JA3/JA3S values taken from the Salesforce JA3 list (see reference). Fingerprints of widely shared
# TLS libraries collide with legitimate software, hence "Possible" in the msg and the 1-per-day limit.
# Both rules are any -> any, so they also cover traffic between two non-local hosts if it is visible.
alert tls any any -> any any (msg:"🐾 - 🚨 Possible Trickbot malware 👾 request"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ja3.hash; content:"6734f37431670b3ab4292b8f60f29984"; metadata: former_category JA3; reference:url,https://github.com/salesforce/ja3; metadata:created_at 2022_02_11, updated_at 2022_08_02; sid:3300241; rev:2; classtype:trojan-activity;)
# to_client direction: the "src" tracked by the threshold is the responding server, i.e. the C2 candidate.
alert tls any any -> any any (msg:"🐾 - 🚨 Possible Trickbot malware 👾 C2 answer"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ja3s.hash; content:"623de93db17d313345d7ea481e7443cf"; metadata: former_category JA3S; reference:url,https://github.com/salesforce/ja3; metadata:created_at 2022_02_11, updated_at 2022_08_02; sid:3300242; rev:2; classtype:trojan-activity;)
### Serveurs ###
# Fires on every expired certificate, in either direction, with no threshold — expect volume on
# networks with stale internal certificates.
alert tls any any -> any any (msg:"🐾 - 🚨 Expired TLS Certificate 🔒"; tls_cert_expired; metadata:created_at 2021_11_17, updated_at 2021_11_17; sid:3300243; rev:1; classtype:policy-violation;)
# Legacy protocol versions negotiated by a client. The msg strings read "observerd" (typo in the rule
# text itself; fixing it is a rule change with a rev bump). NOTE(review): there is no tls1.1 counterpart,
# although TLS 1.1 is deprecated together with TLS 1.0 (RFC 8996) and ssl_version accepts tls1.1.
alert tls any any -> any any (msg:"🐾 - 🚨 SSLV2 💔 connection observerd"; flow:to_server, stateless; ssl_version:sslv2; metadata:created_at 2021_11_17, updated_at 2022_06_15; sid:3300244; rev:6; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 SSLV3 💔 connection observerd"; flow:to_server, stateless; ssl_version:sslv3; metadata:created_at 2021_11_17, updated_at 2022_06_15; sid:3300245; rev:3; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 TLS1.0 💔 connection observerd"; flow:to_server, stateless; ssl_version:tls1.0; metadata:created_at 2021_11_17, updated_at 2022_06_15; sid:3300246; rev:3; classtype:policy-violation;)
# Factory-certificate fingerprints on the server certificate subject. The content matches are not
# ordered (no distance/within), so "O=Asustor" and "OU=NAS" may appear anywhere in the subject.
# Direction logic of the three variants (all flow:to_client, so the rule's src is the server):
#   any -> any              : any such appliance seen
#   $EXTERNAL_NET -> any    : external appliance answering a local client ("Connection to ... exposed")
#   any -> $EXTERNAL_NET    : local appliance answering an Internet client ("Local ... exposed")
alert tls any any -> any any (msg:"🐾 - 🚨 Connection to Asustor NAS 💽 - Default TLS Certificate 🔒"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls.cert_subject; content:"O=Asustor"; content:"OU=NAS"; reference:url,https://www.asustor.com/; metadata:created_at 2022_07_14, updated_at 2022_07_14; sid:3300247; rev:2; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Asustor NAS 💽 - Default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls.cert_subject; content:"O=Asustor"; content:"OU=NAS"; reference:url,https://www.asustor.com/; metadata:created_at 2022_07_14, updated_at 2022_07_14; sid:3300248; rev:2; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local Asustor NAS 💽 - Default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls.cert_subject; content:"O=Asustor"; content:"OU=NAS"; reference:url,https://www.asustor.com/; metadata:created_at 2022_07_14, updated_at 2022_07_14; sid:3300249; rev:2; classtype:policy-violation;)
# ESXi default certificate: all four subject components must be present (unordered); fast_pattern on
# the OU string. No threshold on these three, unlike the Asustor set above.
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to VMware ESXi Server 🖥️ with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"C=US"; nocase; content:"ST=California"; nocase; content:"L=Palo Alto"; nocase; content:"OU=VMware ESX Server Default Certificate"; fast_pattern; nocase; reference:url,https://www.vmware.com/content/vmware/vmware-published-sites/us/products/esxi-and-esx.html.html; metadata:created_at 2022_09_14, updated_at 2022_11_13; sid:3300250; rev:4; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local VMware ESXi Server 🖥️ with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"C=US"; nocase; content:"ST=California"; nocase; content:"L=Palo Alto"; nocase; content:"OU=VMware ESX Server Default Certificate"; fast_pattern; nocase; reference:url,https://www.vmware.com/content/vmware/vmware-published-sites/us/products/esxi-and-esx.html.html; metadata:created_at 2022_09_14, updated_at 2022_11_13; sid:3300251; rev:4; classtype:policy-violation;)
alert tls any any -> any any (msg:"🐾 - 🚨 Connection to VMware ESXi Server 🖥️ with default TLS Certificate 🔒"; flow:to_client, stateless; tls.cert_subject; content:"C=US"; nocase; content:"ST=California"; nocase; content:"L=Palo Alto"; nocase; content:"OU=VMware ESX Server Default Certificate"; fast_pattern; nocase; reference:url,https://www.vmware.com/content/vmware/vmware-published-sites/us/products/esxi-and-esx.html.html; metadata:created_at 2022_09_14, updated_at 2022_11_13; sid:3300252; rev:4; classtype:policy-violation;)
### Réseau ###
# NOTE(review): as rendered here, the F5 and CapRover rules below contain the literal
# content:"[email protected]". That looks like an e-mail obfuscation artifact of the page rather than
# the deployed rule text (presumably an emailAddress= subject component) — check the rule file before
# relying on those content matches.
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local F5 BIG-IP with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"C=--"; content:"ST=WA"; content:"L=Seattle"; content:"OU=MyOrg"; content:"CN=localhost.localdomain"; content:"[email protected]"; reference:url,https://www.f5.com/products/big-ip-services; metadata:created_at 2022_05_10, updated_at 2022_10_15; sid:3300253; rev:5; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to F5 BIG-IP with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"C=--"; content:"ST=WA"; content:"L=Seattle"; content:"OU=MyOrg"; content:"CN=localhost.localdomain"; content:"[email protected]"; reference:url,https://www.f5.com/products/big-ip-services; metadata:created_at 2022_05_12, updated_at 2022_10_15; sid:3300254; rev:5; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local CapRover Open Source PaaS with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"C=CA"; content:"ST=British Columbia"; content:"L=Vancouver"; content:"O=CapRover.com"; content:"CN=caprover.com"; content:"[email protected]"; reference:url,https://caprover.com/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300255; rev:5; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to CapRover Open Source PaaS with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"C=CA"; content:"ST=British Columbia"; content:"L=Vancouver"; content:"O=CapRover.com"; content:"CN=caprover.com"; content:"[email protected]"; reference:url,https://caprover.com/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300256; rev:5; classtype:policy-violation;)
# Zyxel: the factory certificate CN carries the model name. The "CN=atp500_" style patterns are
# substring matches on the subject, so whatever follows the underscore is not constrained.
# $EXTERNAL_NET -> any with flow:to_client = an external appliance answering a local client.
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Zyxel UTM 🧱 USG20 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg20-vpn"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/Business-Firewall-USG20-VPN-USG20W-VPN/; metadata:created_at 2022_05_16, updated_at 2022_10_15; sid:3300257; rev:4; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Zyxel UTM 🧱 USG20W with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg20w-vpn"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/Business-Firewall-USG20-VPN-USG20W-VPN/; metadata:created_at 2022_05_16, updated_at 2022_10_15; sid:3300258; rev:3; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Zyxel UTM 🧱 USG FLEX 200 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg_flex_200"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/USG-FLEX-Firewall-USG-FLEX-200/; metadata:created_at 2022_05_16, updated_at 2022_10_15; sid:3300259; rev:3; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Zyxel UTM 🧱 USG FLEX 100 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg_flex_100"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/USG-FLEX-Firewall-USG-FLEX-100/; metadata:created_at 2022_05_16, updated_at 2022_10_15; sid:3300260; rev:3; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Zyxel UTM 🧱 USG FLEX 100W with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg_flex_100w"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/USG-FLEX-Firewall-USG-FLEX-100W/; metadata:created_at 2022_05_16, updated_at 2022_10_15; sid:3300261; rev:3; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Zyxel UTM 🧱 USG FLEX 500 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg_flex_500"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/USG-FLEX-Firewall-USG-FLEX-500/; metadata:created_at 2022_05_16, updated_at 2022_10_15; sid:3300262; rev:3; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Zyxel UTM 🧱 USG FLEX 700 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg_flex_700"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/USG-FLEX-Firewall-USG-FLEX-700/; metadata:created_at 2022_05_16, updated_at 2022_10_15; sid:3300263; rev:3; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Zyxel UTM 🧱 ATP 500 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=atp500_"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/ATP-Firewall-ZyWALL-ATP500/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300264; rev:3; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Zyxel UTM 🧱 ATP 100 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=atp100_"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/ATP-Firewall-ZyWALL-ATP100/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300265; rev:3; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Zyxel UTM 🧱 ATP 200 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=atp200_"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/ATP-Firewall-ZyWALL-ATP200/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300266; rev:3; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Zyxel UTM 🧱 ATP 700 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=atp700_"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/ATP-Firewall-ZyWALL-ATP700/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300267; rev:3; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Zyxel UTM 🧱 ATP 800 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=atp800_"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/ATP-Firewall-ZyWALL-ATP800/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300268; rev:3; classtype:policy-violation;)
# Same Zyxel CN patterns, mirrored: any -> $EXTERNAL_NET with flow:to_client means the appliance
# presenting its factory certificate is on the local side and the client is on the Internet — an
# unhardened management/VPN interface reachable from outside, which is the finding worth following up.
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local Zyxel UTM 🧱 USG20 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg20-vpn"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/Business-Firewall-USG20-VPN-USG20W-VPN/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300269; rev:3; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local Zyxel UTM 🧱 USG20W with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg20w-vpn"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/Business-Firewall-USG20-VPN-USG20W-VPN/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300270; rev:4; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local Zyxel UTM 🧱 USG FLEX 200 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg_flex_200"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/USG-FLEX-Firewall-USG-FLEX-200/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300271; rev:3; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local Zyxel UTM 🧱 USG FLEX 100 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg_flex_100"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/USG-FLEX-Firewall-USG-FLEX-100/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300272; rev:3; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local Zyxel UTM 🧱 USG FLEX 100W with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg_flex_100w"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/USG-FLEX-Firewall-USG-FLEX-100W/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300273; rev:3; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local Zyxel UTM 🧱 USG FLEX 500 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg_flex_500"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/USG-FLEX-Firewall-USG-FLEX-500/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300274; rev:3; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local Zyxel UTM 🧱 USG FLEX 700 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=usg_flex_700"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/USG-FLEX-Firewall-USG-FLEX-700/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300275; rev:3; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local Zyxel UTM 🧱 ATP 500 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=atp500_"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/ATP-Firewall-ZyWALL-ATP500/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300276; rev:3; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local Zyxel UTM 🧱 ATP 100 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=atp100_"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/ATP-Firewall-ZyWALL-ATP100/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300277; rev:3; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local Zyxel UTM 🧱 ATP 200 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=atp200_"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/ATP-Firewall-ZyWALL-ATP200/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300278; rev:3; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local Zyxel UTM 🧱 ATP 700 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=atp700_"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/ATP-Firewall-ZyWALL-ATP700/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300279; rev:3; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local Zyxel UTM 🧱 ATP 800 with default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; tls.cert_subject; content:"CN=atp800_"; nocase; reference:url,https://www.zyxel.com/fr/fr/products_services/ATP-Firewall-ZyWALL-ATP800/; metadata:created_at 2022_05_20, updated_at 2022_10_15; sid:3300280; rev:3; classtype:policy-violation;)
# OpenWRT: one rule per known JA3 of the update client, all pinned to the downloads.openwrt.org SNI,
# one alert per router per day.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 OpenWRT router 🖧"; threshold: type limit, track by_src,count 1, seconds 86400; flow:to_server, stateless; tls_sni; content:"downloads.openwrt.org"; nocase; ja3.hash; content:"993587ec3a1ea116167ed2775b065785"; fast_pattern; reference:url,https://openwrt.org/; metadata:created_at 2022_03_17, updated_at 2023_03_20; sid:3300281; rev:3; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 OpenWRT router 🖧"; threshold: type limit, track by_src,count 1, seconds 86400; flow:to_server, stateless; tls_sni; content:"downloads.openwrt.org"; nocase; ja3.hash; content:"a2803909422270f7a3758db642a8f7b9"; fast_pattern; reference:url,https://openwrt.org/; metadata:created_at 2022_08_22, updated_at 2023_03_20; sid:3300282; rev:4; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 OpenWRT router 🖧"; threshold: type limit, track by_src,count 1, seconds 86400; flow:to_server, stateless; tls_sni; content:"downloads.openwrt.org"; nocase; ja3.hash; content:"b01b170f9fa1ef7cc9ae5789c1981f75"; fast_pattern; reference:url,https://openwrt.org/; metadata:created_at 2023_03_20, updated_at 2023_03_20; sid:3300283; rev:1; classtype:policy-violation;)
# Hak5 Pineapple (OpenWRT-based): sid 3300284 reuses the OpenWRT JA3 a2803909422270f7a3758db642a8f7b9
# from sid 3300282 with a hak5 SNI — the SNI is what separates the two.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Wifi PineApple 🍍 Nano / Tetra (OpenWRT opkg update)"; threshold: type limit, track by_src,count 1, seconds 3600; flow:to_server, stateless; tls_sni; content:"downloads.hak5.org"; nocase; ja3.hash; content:"a2803909422270f7a3758db642a8f7b9"; reference:url,https://docs.hak5.org/wifi-pineapple-6th-gen-nano-tetra/; metadata:created_at 2022_08_22, updated_at 2022_10_15; sid:3300284; rev:3; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Wifi PineApple 🍍 Nano / Tetra (Web Gui request)"; threshold: type limit, track by_src,count 1, seconds 3600; flow:to_server, stateless; tls_sni; content:"www.wifipineapple.com"; nocase; ja3.hash; content:"f3198b245f5ace3ae89b6ca1dc3ed54d"; reference:url,https://docs.hak5.org/wifi-pineapple-6th-gen-nano-tetra/; metadata:created_at 2022_08_23, updated_at 2022_10_15; sid:3300285; rev:2; classtype:policy-violation;)
# TP-Link factory certificate CN; same any / $EXTERNAL_NET-> / ->$EXTERNAL_NET direction triplet as
# the Asustor rules, one alert per presenting device per day.
alert tls any any -> any any (msg:"🐾 - 🚨 Connection to TP-LINK Router / Modem 🌐 - Default TLS Certificate 🔒"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls.cert_subject; content:"CN=tplinkmodem.net"; nocase; reference:url,https://www.tp-link.com/; metadata:created_at 2022_06_02, updated_at 2022_06_15; sid:3300286; rev:5; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to TP-LINK Router / Modem 🌐 - Default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls.cert_subject; content:"CN=tplinkmodem.net"; nocase; reference:url,https://www.tp-link.com/; metadata:created_at 2022_06_13, updated_at 2022_06_15; sid:3300287; rev:2; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Local TP-LINK Router / Modem 🌐 - Default TLS Certificate 🔒 exposed on Internet"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls.cert_subject; content:"CN=tplinkmodem.net"; nocase; reference:url,https://www.tp-link.com/; metadata:created_at 2022_06_13, updated_at 2022_07_14; sid:3300288; rev:3; classtype:policy-violation;)
# Fortinet: these match on the certificate *issuer* (the vendor's factory CA), not the subject, so
# they catch any appliance still serving a factory-issued certificate regardless of its own CN.
# NOTE(review): the "[email protected]" content is the same page-rendering artifact flagged above —
# verify the deployed text. In sid 3300290 the content "CN=F" is nocase but the pcre
# /CN=F[A-Z0-9]{15}/ is case-sensitive, so the pcre is the effective constraint; sid 3300291's
# pcre uses 15 dots, i.e. any 15 characters after "CN=F", which is looser than the {15} class above.
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Fortinet Fortigate UTM 🧱 with default TLS Certificate 🔒 exposed on Internet (Possible FortiClient VPN)"; flow:to_client, stateless; tls.cert_issuer; content:"C=US"; nocase; content:"ST=California"; nocase; content:"L=Sunnyvale"; nocase; content:"O=Fortinet"; nocase; content:"OU=Certificate Authority"; nocase; fast_pattern; content:"CN=fortinet-subca2001"; nocase; content:"[email protected]"; nocase; reference:url,https://www.fortinet.com/fr/products/next-generation-firewall; metadata:created_at 2023_03_15, updated_at 2023_03_15; sid:3300289; rev:1; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Fortinet Fortigate UTM 🧱 with default TLS Certificate 🔒 exposed on Internet (Possible FortiClient VPN)"; flow:to_client, stateless; tls.cert_issuer; content:"C=US"; nocase; content:"ST=California"; nocase; content:"L=Sunnyvale"; nocase; content:"O=Fortinet"; nocase; content:"OU=Certificate Authority"; nocase; fast_pattern; content:"CN=F"; nocase; pcre:"/CN=F[A-Z0-9]{15}/"; content:"[email protected]"; nocase; reference:url,https://www.fortinet.com/fr/products/next-generation-firewall; metadata:created_at 2023_03_15, updated_at 2023_03_15; sid:3300290; rev:2; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Fortinet Fortigate UTM 🧱 with default TLS Certificate 🔒 exposed on Internet (Possible FortiClient VPN)"; flow:to_client, stateless; tls.cert_issuer; content:"O=Fortinet Ltd"; nocase; fast_pattern; content:"CN=F"; nocase; pcre:"/CN=F.............../"; reference:url,https://www.fortinet.com/fr/products/next-generation-firewall; metadata:created_at 2023_03_15, updated_at 2023_03_15; sid:3300291; rev:1; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Fortinet Fortigate UTM 🧱 with default TLS Certificate 🔒 exposed on Internet (Possible FortiClient VPN)"; flow:to_client, stateless; tls.cert_issuer; content:"O=Fortinet Ltd"; nocase; fast_pattern; content:"CN=Fortigate"; nocase; reference:url,https://www.fortinet.com/fr/products/next-generation-firewall; metadata:created_at 2023_03_15, updated_at 2023_03_15; sid:3300292; rev:1; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Connection to Fortinet Fortigate UTM 🧱 with default TLS Certificate 🔒 exposed on Internet (Possible FortiClient VPN)"; flow:to_client, stateless; tls.cert_issuer; content:"C=US"; nocase; content:"ST=California"; nocase; content:"L=Sunnyvale"; nocase; content:"O=Fortinet"; nocase; content:"OU=Certificate Authority"; nocase; fast_pattern; content:"CN=support"; nocase; content:"[email protected]"; nocase; reference:url,https://www.fortinet.com/fr/products/next-generation-firewall; metadata:created_at 2023_03_15, updated_at 2023_03_15; sid:3300293; rev:1; classtype:policy-violation;)
###################### Outils suspects - tous protocoles ######################
# Hard-coded destination address on port 53 with app-layer-protocol:!dns, i.e. non-DNS traffic to a
# DNS port on that host. NOTE(review): a single-IP indicator ages quickly — confirm the address is
# still current against the references before relying on it. Also worth confirming, for the engine
# version in use, how a destination port is applied to an "ip"-protocol rule.
alert ip any any -> 205.185.115.131 53 (msg:"🐾 - 🚨 Tox chat client flow detected - used in particular by 🔒 Lockbit 3.0 group"; flow:to_server, stateless; app-layer-protocol:!dns; threshold: type limit, track by_src, seconds 60, count 1; reference: url,https://www.joesandbox.com/analysis/671436/0/html#av-urls; reference: url,https://www.joesandbox.com/analysis/669602/0/html#av-urls; reference: url,https://tox.chat/; reference: url,https://www.itpro.co.uk/security/ransomware/368418/latest-lockbit-ransomware-strain-strikingly-similar-to-blackmatter; reference: url,https://www.zataz.com/lockbit-3-0-des-pirates-aux-centaines-de-piratage/; metadata:created_at 2022_08_23, updated_at 2022_08_23; sid:3300295; rev:1; classtype:policy-violation;)
# Download-site SNI (substring match, no anchor). Classtype is bad-unknown here while the flow rule
# above uses policy-violation; both describe the same activity, so alert routing may differ.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Possible Tox chat client download - used in particular by 🔒 Lockbit 3.0 group"; flow:to_server, stateless; threshold: type limit, track by_src, seconds 60, count 1; tls_sni; content:"tox.chat"; nocase; reference: url,https://www.joesandbox.com/analysis/671436/0/html#av-urls; reference: url,https://www.joesandbox.com/analysis/669602/0/html#av-urls; reference: url,https://tox.chat/; reference: url,https://www.itpro.co.uk/security/ransomware/368418/latest-lockbit-ransomware-strain-strikingly-similar-to-blackmatter; reference: url,https://www.zataz.com/lockbit-3-0-des-pirates-aux-centaines-de-piratage/; metadata:created_at 2022_08_23, updated_at 2022_08_23; sid:3300295; rev:1; classtype:bad-unknown;)
# LocalTunnel endpoints (SNI ends with "loca.lt"). Destination is "any", so tunnels terminating on
# internal hosts are covered as well; no threshold, every handshake alerts.
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Suspicious TLS connection to possible backdoored machine by LocalTunnel service"; flow:to_server, stateless; tls_sni; content:"loca.lt"; endswith; reference:url,https://theboroer.github.io/localtunnel-www/; metadata:created_at 2022_12_04, updated_at 2022_12_04; sid:3300296; rev:1; classtype:policy-violation;)
# Hardware-tool update check by SNI, one alert per source per hour.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Flipper Zero 🐬 update"; threshold: type limit, track by_src,count 1, seconds 3600; flow:to_server, stateless; tls_sni; content:"update.flipperzero.one"; nocase; reference:url,https://flipperzero.one/; metadata:created_at 2022_12_28, updated_at 2022_12_28; sid:3300297; rev:1; classtype:policy-violation;)
###################### Non respect des ports / protocoles ######################
# Protocol/port mismatch rules. app-layer-protocol is the protocol the engine actually detected; the
# bracketed port lists are the allowlist of "usual" ports for it, so a service legitimately moved to
# another port shows up here until the list is updated. All rules are any -> any, limited to one
# alert per source per minute. (The msg strings spell "trafic"; that is rule text and needs a rev bump.)
alert tcp any any -> any ![443,465,563,587,636,695,853,898,989,990,992,993,994,995,2376,2484,3269,4116,3424,4843,5061,5085,5228,5349,5671,5986,6513,6514,6619,6697,8243,8883] (msg:"🐾 - 🚨 Suspicious 👀 SSL/TLS trafic on unusual SSL/TLS port"; flow:to_server, stateless; app-layer-protocol:tls; threshold: type limit, track by_src, seconds 60, count 1; reference: url,https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers; metadata:created_at 2022_02_11, updated_at 2022_06_15; sid:3300298; rev:8; classtype:policy-violation;)
alert tcp any any -> any ![53] (msg:"🐾 - 🚨 Suspicious 👀 DNS TCP trafic on unusual DNS port"; flow:to_server, stateless; app-layer-protocol:dns; threshold: type limit, track by_src, seconds 60, count 1; reference: url,https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers; metadata:created_at 2022_02_11, updated_at 2022_06_15; sid:3300299; rev:5; classtype:policy-violation;)
# NOTE(review): sid 3300300 is the only rule in this group whose flow keyword lacks "stateless";
# it may be deliberate (rev 6, updated 2022_06_17, later than its siblings) — confirm.
alert tcp any any -> any [53] (msg:"🐾 - 🚨 Suspicious 👀 non DNS TCP trafic on usual DNS port"; flow:to_server; app-layer-protocol:!dns; threshold: type limit, track by_src, seconds 60, count 1; reference: url,https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers; metadata:created_at 2022_02_11, updated_at 2022_06_17; sid:3300300; rev:6; classtype:policy-violation;)
# Missing space after "stateless;" below is cosmetic only.
alert udp any any -> any ![53] (msg:"🐾 - 🚨 Suspicious 👀 DNS UDP trafic on unusual DNS port"; flow:to_server, stateless;app-layer-protocol:dns; threshold: type limit, track by_src, seconds 60, count 1; reference: url,https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers; metadata:created_at 2022_02_11, updated_at 2022_06_15; sid:3300301; rev:5; classtype:policy-violation;)
alert udp any any -> any [53] (msg:"🐾 - 🚨 Suspicious 👀 non DNS UDP trafic on usual DNS port"; flow:to_server, stateless; app-layer-protocol:!dns; threshold: type limit, track by_src, seconds 60, count 1; reference: url,https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers; metadata:created_at 2022_02_11, updated_at 2022_06_15; sid:3300302; rev:5; classtype:policy-violation;)
alert tcp any any -> any ![80,591,593,5800,5985,8080,8280,11371] (msg:"🐾 - 🚨 Suspicious 👀 HTTP trafic on unusual HTTP port"; flow:to_server, stateless; app-layer-protocol:http; threshold: type limit, track by_src, seconds 60, count 1; reference: url,https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers; metadata:created_at 2022_02_11, updated_at 2022_06_15; sid:3300303; rev:5; classtype:policy-violation;)
alert tcp any any -> any ![20,21,2811] (msg:"🐾 - 🚨 Suspicious 👀 FTP trafic on unusual FTP port"; flow:to_server, stateless; app-layer-protocol:ftp; threshold: type limit, track by_src, seconds 60, count 1; reference: url,https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers; metadata:created_at 2022_02_11, updated_at 2022_06_15; sid:3300304; rev:5; classtype:policy-violation;)
# SSH pair: detected SSH off ports 22/830, and anything that is not SSH on them (e.g. a listener
# hiding behind the SSH port).
alert tcp any any -> any ![22,830] (msg:"🐾 - 🚨 Suspicious 👀 SSH trafic on unusual SSH port"; flow:to_server, stateless; app-layer-protocol:ssh; threshold: type limit, track by_src, seconds 60, count 1; reference: url,https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers; metadata:created_at 2022_02_11, updated_at 2022_06_15; sid:3300305; rev:5; classtype:policy-violation;)
alert tcp any any -> any [22,830] (msg:"🐾 - 🚨 Suspicious 👀 non SSH trafic on usual SSH port"; flow:to_server, stateless; app-layer-protocol:!ssh; threshold: type limit, track by_src, seconds 60, count 1; reference: url,https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers; metadata:created_at 2022_02_11, updated_at 2022_06_15; sid:3300306; rev:5; classtype:policy-violation;)