Rule History

SID: 3321277 • Source: pawpatrules

Versions (2)

Version DetailsCurrent

Rev: 2 • Jun 4, 2024, 10:00 AM

Message:

🐾 - 🚨 Possible Fortinet VPN Client 🧱 for 🪟 Windows establishing external connection (api.ipify.org lookup public IP address + ja3 identified)

Rule:

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Possible Fortinet VPN Client 🧱 for 🪟 Windows establishing external connection (api.ipify.org lookup public IP address + ja3 identified)"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"api.ipify.org"; ssl_version:tls1.3; ja3.hash; content:"bc29aa426fc99c0be1b9be941869f88a"; fast_pattern; metadata:created_at 2024_06_04, updated_at 2025_02_13; sid:3321277; rev:2; classtype:policy-violation;)

Created:

Jun 4, 2024, 10:00 AM

Updated:

Feb 13, 2025, 12:00 PM

DB Created:

Jun 4, 2024, 10:00 AM

DB Updated:

May 29, 2025, 11:12 PM

Filename:

rules/PAW-PATRULES_VULN.rules