ET JA3 Hash - Possible Rclone Client Activity
Source: et/open
Created: May 28, 2021
Updated: June 6, 2023
Classification: bad-unknown
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Rclone Client Activity"; flow:established,to_server; flowbits:set,ET.rclone; flowbits:noalert; ja3.hash; content:"d0ee3237a14bbd89ca4d2b5356ab20ba"; tls.sni; content:!"grafana.com"; content:!"grafana.org"; content:!"grafana.net"; content:!"-autoscaling.googleapis.com"; reference:url,twitter.com/NCCGroupInfosec/status/1398137873954652163; classtype:bad-unknown; sid:2033047; rev:3; metadata:created_at 2021_05_28, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_06, reviewed_at 2024_02_09;)
Metadata
created at: 2021_05_28
confidence: Low
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2023_06_06
reviewed at: 2024_02_09