alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,to_client; tls.certs; content:!"|2a 86 48 86 f7 0d 01 09 01|"; tls.cert_subject; content:"C="; pcre:"/^[A-Z]{2}/Rs"; content:"ST="; distance:0; pcre:"/^[A-Z]{2}/Rs"; content:"L="; distance:0; pcre:"/^[A-Z][a-z]+(?:\x20[A-Z][a-z]+)?/Rs"; content:"streetAddress="; fast_pattern; pcre:"/^\d{2,3}(?:\x20[A-Z][a-z]+\.?){1,3}/Rs"; content:"O="; distance:0; content:"OU="; distance:0; content:"CN="; distance:0; pcre:"/^.(.[a-z]{4,12}\.(?:us|org|net|biz|info|mobi|com)).*?/Rs"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022868; rev:6; metadata:attack_target Client_and_Server, created_at 2016_06_06, deployment Perimeter, performance_impact Significant, confidence High, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2024_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)