🐾 - 🔔 Many TLS Client Hello to IP address - Potential SSL Scan activity 🥷 - T1595.002
Source: pawpatrules
Created: August 2, 2023
Updated: August 4, 2023
Classification: attempted-recon
alert tls any any -> any any (msg:"🐾 - 🔔 Many TLS Client Hello to IP address - Potential SSL Scan activity 🥷 - T1595.002"; flow:to_server, stateless; content:"|16 03|"; fast_pattern; content:"|01|"; distance:3; content:"|03|"; distance:3; threshold:type threshold, track by_src, count 70, seconds 50; tls_sni; pcre:"/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/"; reference:url,https://github.com/rbsec/sslscan; reference:url,https://attack.mitre.org/techniques/T1595/002/; classtype:attempted-recon; sid:3300319; rev:8; metadata:created_at 2023_08_02, updated_at 2023_08_04;)
Metadata
created at: 2023_08_02
updated at: 2023_08_04