Rule History

SID: 3300195 • Source: pawpatrules

Versions (2)

Version Details (Current)

Rev: 23 • Aug 9, 2021, 12:00 PM

🐾 - 🚨 Curl User Agent 🌐 (TLS1.3 connection to FQDN)

alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Curl User Agent 🌐 (TLS1.3 connection to FQDN)"; flow:to_server, stateless; ja3.hash; content:"f436b9416f37d134cadd04886327d3e8"; fast_pattern; tls_sni; content:!"database.clamav.net"; endswith; nocase; content:!"pdfarchitect.org"; endswith; nocase; content:!"version.chamilo.org"; endswith; nocase; content:!"www.phpmyadmin.net"; endswith; nocase; content:!"services.glpi-network.com"; endswith; nocase; content:!"meta.wikimedia.org"; endswith; nocase; content:!"getcomposer.org"; endswith; nocase; content:!"pkgupdate.synology.com"; endswith; nocase; content:!"sodapdf.com"; endswith; nocase; content:!"bitdefender.com"; endswith; nocase; content:!"bitdefender.net"; endswith; nocase; content:!"update.virtualbox.org"; endswith; nocase; content:!"www.virtualbox.org"; endswith; nocase; content:!"incoming.telemetry.mozilla.org"; endswith; nocase; content:!"asustor.com"; endswith; nocase; content:!"sandboxing.stormshieldcs.eu"; endswith; nocase; content:!"entropy.ubuntu.com"; endswith; nocase; content:!"www.mageni.net"; endswith; nocase; content:!"uws.ucopia.com"; endswith; nocase; metadata:former_category JA3; reference:url,https://curl.se/; metadata:created_at 2021_08_09, updated_at 2024_08_24; sid:3300195; rev:23; classtype:policy-violation;)

Aug 9, 2021, 12:00 PM

Aug 24, 2024, 12:00 PM

Feb 21, 2024, 4:00 PM

May 29, 2025, 11:12 PM

rules/PAW-PATRULES_VULN.rules