Rule History

SID: 2033047 • Source: et/open

Versions (5)

Version DetailsCurrent

Rev: 3 • May 28, 2021, 12:00 PM

Message:

ET JA3 Hash - Possible Rclone Client Activity

Rule:

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Rclone Client Activity"; flow:established,to_server; flowbits:set,ET.rclone; flowbits:noalert; ja3.hash; content:"d0ee3237a14bbd89ca4d2b5356ab20ba"; tls.sni; content:!"grafana.com"; content:!"grafana.org"; content:!"grafana.net"; content:!"-autoscaling.googleapis.com"; reference:url,twitter.com/NCCGroupInfosec/status/1398137873954652163; classtype:bad-unknown; sid:2033047; rev:3; metadata:created_at 2021_05_28, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_06, reviewed_at 2024_02_09;)

Created:

May 28, 2021, 12:00 PM

Updated:

Jun 6, 2023, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Sep 11, 2025, 9:34 PM

Filename:

rules/emerging-ja3.rules