Created
July 26, 2017 16:03
-
-
Save jasonish/7661328f5b61fad28ff99ddcb0de672b to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert tls any any -> any any (msg:"APPID Snapchat TLS SNI pattern"; tls_sni; content:"feelinsonice.appspot.com"; nocase; flow:established,to_server; flowbits:set,app/snapchat; sid:13000000; rev:1;) | |
| alert tls any any -> any any (msg:"APPID Snapchat TLS SNI pattern"; tls_sni; content:"feelinsonice-hrd.appspot.com"; nocase; flow:established,to_server; flowbits:set,app/snapchat; sid:13000001; rev:1;) | |
| alert tls any any -> any any (msg:"APPID Snapchat TLS SNI pattern"; tls_sni; content:"snapchat.com"; nocase; flow:established,to_server; flowbits:set,app/snapchat; sid:13000002; rev:1;) | |
| alert tls any any -> any any (msg:"APPID Skype TLS SNI pattern"; tls_sni; content:"apps.skype.com"; nocase; flow:established,to_server; flowbits:set,app/skype; sid:13000003; rev:1;) | |
| alert tls any any -> any any (msg:"APPID Skype TLS SNI pattern"; tls_sni; content:"ui.skype.com"; nocase; flow:established,to_server; flowbits:set,app/skype; sid:13000004; rev:1;) | |
| alert tls any any -> any any (msg:"APPID Youtube TLS SNI pattern"; tls_sni; content:"upload.youtube.com"; nocase; flow:established,to_server; flowbits:set,app/youtube; flowbits:set,youtube-upload; sid:13000005; rev:1;) | |
| alert tls any any -> any any (msg:"APPID Youtube TLS SNI pattern"; tls_sni; content:"youtube.com"; nocase; flow:established,to_server; flowbits:set,app/youtube; sid:13000006; rev:1;) | |
| alert http any any -> any any (msg:"APPID Yum Linux package updater"; content:"yum"; http_user_agent; flow:established,to_server; flowbits:set,app/yum; sid:13000007; rev:1;) | |
| alert http any any -> any any (msg:"APPID DNF Linux package updater"; content:"dnf"; http_user_agent; pcre:"^/([A-Z]+) (.*)\r\n/G, pkt:key,pkt:value"; flow:established,to_server; flowbits:set,app/dnf; sid:13000008; rev:1;) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| snapchat-tls: | |
| msg: APPID Snapchat TLS SNI pattern | |
| flowbit: app/snapchat | |
| proto: tls | |
| flow: established,to_server | |
| rules: | |
| - tls_sni: feelinsonice.appspot.com | |
| - tls_sni: feelinsonice-hrd.appspot.com | |
| - tls_sni: snapchat.com | |
| skype-tls: | |
| msg: APPID Skype TLS SNI pattern | |
| flowbit: app/skype | |
| proto: tls | |
| flow: established,to_server | |
| rules: | |
| - tls_sni: apps.skype.com | |
| - tls_sni: ui.skype.com | |
| youtube: | |
| msg: APPID Youtube TLS SNI pattern | |
| flowbit: app/youtube | |
| proto: tls | |
| flow: established,to_server | |
| rules: | |
| - tls_sni: upload.youtube.com | |
| flowbit: youtube-upload | |
| - tls_sni: youtube.com | |
| yum: | |
| msg: APPID Yum Linux package updater | |
| flowbit: app/yum | |
| proto: http | |
| flow: established,to_server | |
| rules: | |
| - http_user_agent: "yum" | |
| dnf: | |
| msg: APPID DNF Linux package updater | |
| flowbit: app/dnf | |
| proto: http | |
| flow: established,to_server | |
| rules: | |
| - http_user_agent: "dnf" | |
| pcre: '^/([A-Z]+) (.*)\r\n/G, pkt:key,pkt:value' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment