PT Rules

Rules rulesptopen-info.rules

5.55 KBModified 2024-11-12 12:36

1alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB447357_0"; flow: established, to_server; content: "|1703 01 0020|"; depth: 5; fast_pattern; stream_size: server, >,954; stream_size: server, <,3863; stream_size: client, >,166; stream_size: client, <,2558; flowbits: noalert; flowbits: isset, FB0_01; flowbits: set, FB447357_0; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002430; rev: 6;)

3alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB447357_1"; flow: established, to_client; content: "|1703 01 0020|"; depth: 5; fast_pattern; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,2414; stream_size: server, <,3863; stream_size: client, >,166; stream_size: client, <,2558; flowbits: noalert; flowbits: isset, FB447357_0; flowbits: unset, FB447357_0; flowbits: set, FB447357_1; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002431; rev: 6;)

5alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB447357_2"; flow: established, to_server; content: "|1703 01 0220|"; depth: 5; fast_pattern; stream_size: server, >,3044; stream_size: server, <,3863; stream_size: client, >,715; stream_size: client, <,2558; flowbits: noalert; flowbits: isset, FB447357_1; flowbits: unset, FB447357_1; flowbits: set, FB447357_2; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002432; rev: 6;)

7alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB447357_3"; flow: established, to_client; content: "|1703 01 0020|"; depth: 5; fast_pattern; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,3630; stream_size: server, <,3963; stream_size: client, >,1264; stream_size: client, <,2558; flowbits: noalert; flowbits: isset, FB447357_2; flowbits: unset, FB447357_2; flowbits: set, FB447357_3; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002433; rev: 6;)

9alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] SSL TOR unusual activity"; flow: established, to_server; content: "|1703 01 0220|"; depth: 5; fast_pattern; stream_size: server, >,3630; stream_size: server, <,4407; stream_size: client, >,1813; stream_size: client, <,3102; flowbits: isset, FB447357_3; flowbits: unset, FB447357_3; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002434; rev: 5;)

11alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB167479_0"; flow: established, to_server; content: "|1703 0100 20|"; fast_pattern; depth: 5; content: "|1703 0100 20|"; distance: 32; within: 5; stream_size: server, >,1063; stream_size: client, >,429; stream_size: server, <,3156; stream_size: client, <,2261; flowbits: noalert; flowbits: isset, FB0_01; flowbits: set, FB167479_0; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001533; rev: 10;)

13alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB167479_1"; flow: established, to_client; content: "|17 03 01 00 20|"; fast_pattern; depth: 5; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,2523; stream_size: client, >,429; stream_size: server, <,4000; stream_size: client, <,2261; flowbits: noalert; flowbits: isset, FB167479_0; flowbits: unset, FB167479_0; flowbits: set, FB167479_1; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001540; rev: 9;)

15alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB167479_2"; flow: established, to_server; content: "|17 03 01 00 20|"; fast_pattern; depth: 5; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,3153; stream_size: client, >,1015; stream_size: server, <,4100; stream_size: client, <,2261; flowbits: noalert; flowbits: isset, FB167479_1; flowbits: unset, FB167479_1; flowbits: set, FB167479_2; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001541; rev: 10;)

17alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB167479_3"; flow: established, to_client; content: "|17 03 01 00 20|"; fast_pattern; depth: 5; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,3739; stream_size: client, >,1601; stream_size: server, <,4856; stream_size: client, <,2261; flowbits: noalert; flowbits: isset, FB167479_2; flowbits: unset, FB167479_2; flowbits: set, FB167479_3; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001542; rev: 9;)

19alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity"; flow: established, to_server; content: "|17 03 01 00 20|"; fast_pattern; depth: 5; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,3739; stream_size: client, >,2187; stream_size: server, <,5000; stream_size: client, <,5000; flowbits: isset, FB167479_3; flowbits: unset, FB167479_3; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001543; rev: 7;)

21alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "POLICY [PTsecurity] TOR cert set FB set FB0_01"; flow: established, to_client; content: "|3082|"; depth: 300; content: "|308201|"; distance: 2; within: 3; content: "|a00302010202|"; distance: 1; within: 6; content: "|7777|"; distance: 38; within: 2; fast_pattern; flowbits: set, FB0_01; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 10001844; rev: 6;)

Rulesrulesptopen-info.rules

Rules rulesptopen-info.rules