🐾 - 🚨 Many TLS Client + Server Hello - 🥷 Possible Active Scanning activity and / or random TLS impersonation - T1595

SID: 3321379
Rev: 2
14 views
Source: pawpatrules
Created: October 15, 2024
Updated: October 15, 2024
Classification: network-scan
alert tls any any -> any any (msg:"🐾 - 🚨 Many TLS Client + Server Hello - 🥷 Possible Active Scanning activity and / or random TLS impersonation - T1595"; flow:to_client, stateless; threshold:type threshold, track by_both, count 50, seconds 10; flowbits:set,pptrls.manytlsch; flowbits:isnotset,pptrls.manytlsch; content:"|16 03 03|"; startswith; fast_pattern; content:"|02|"; distance:2; reference:url,https://attack.mitre.org/techniques/T1595/; metadata:attack_target Client_and_Server, signature_severity Major, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1595, mitre_technique_name Active_Scanning, created_at 2024_10_15, updated_at 2024_10_15; sid:3321379; rev:2; classtype:network-scan;)

Metadata

attack target: Client_and_Server
signature severity: Major
mitre tactic id: TA0043
mitre tactic name: Reconnaissance
mitre technique id: T1595
mitre technique name: Active_Scanning
created at: 2024_10_15
updated at: 2024_10_15
