PAW-PATRULES_LEAKS.rules
# KXK00OOkxxkO00KX0
# ,NXKxo:,'... ...';cdOXN:
# l;. ..,:ldxkOOOOOOkkxol:,.. .o
# dk lOOOOOOkkkkkkkkkkkOOOOOOx dk
# KNXOc. :0OkkkkkkkkkkkkkkkkkkkkkO0l. :kXNX
# x. .'ckOOkkkkkkkkkkkookkkkkkkkkkOOOl,. .k
# d. o0Okkkkkkkkkkkkk. okkkkkkkkkkOO0k x
# l. c0kkkkkkko. .ckk .kd..'xkkkkkk0x .o
# ;, ;0kkkkkkkc ;ko. .dk. :kkkkkk0l ':
# .l .OOkkkkkkkl. .lkocldkkl. 'xkkkkkOO, c.
# l o0kkkk:..'dkkk. .;okkkkkkkkk0x l
# .: .OOkkk; xk, .:kkkkkO0; ;.
# ;. :0kkkko;,cko :kkkk0d .:
# : oOkkkkkkkk .dkkk0k. :
# : dOkkkkkkk .:odxkkkkkOk. ;
# ; oOkkkkkkx:,,ckkkkkkkkkkOx. ,
# '. ;OOkkkkkkkkkkkkkkkkkOOc '
# ' .lOOkkkkkkkkkkkkkOOd. .
# . .lOOkkkkkkkkkOOo' ..
# ' .;dOOOkOOOx:. .
# .. .,lxo;. ..
# .. ..
#
# ____ ___ __ ____ _ _
#| _ \ / \ \ / / | _ \ __ _| |_ _ __ _ _| | ___ ___
#| |_) / _ \ \ /\ / / | |_) / _` | __| '__| | | | |/ _ \/ __|
#| __/ ___ \ V V / | __/ (_| | |_| | | |_| | | __/\__ \
#|_| /_/ \_\_/\_/ |_| \__,_|\__|_| \__,_|_|\___||___/
#
# IDS Rules for Suricata
# π Charles BLANC-ROLIN β ΅ - https://pawpatrules.fr - https://www.apssis.com - https://github.com/woundride
# Licence CC BY-NC-SA 4.0 : https://creativecommons.org/licenses/by-nc-sa/4.0/
# π± Leaks
# Cleartext form submission: fires on an HTTP request from $HOME_NET (to any
# destination, internal or external) whose request body contains "submit",
# matched case-insensitively.
# NOTE(review): "submit" is only a proxy for a posted form; the match does not
# show that credentials or personal data were actually sent. There is no
# threshold, so every matching request raises an alert.
alert http $HOME_NET any -> any any (msg:"πΎ - β Informations β‘ sended in clear text π via HTTP - Leak π±"; flow:to_server, stateless; http.request_body; content:"submit"; nocase; sid:3300336; metadata:created_at 2020_07_29, updated_at 2023_04_06; rev:7; classtype:policy-violation;)
# FTP credentials in cleartext (protocol-aware): matches "PASS " in traffic the
# engine has identified as FTP, client to server. Limited to one alert per
# source address per hour.
alert ftp any any -> any any (msg:"πΎ - β FTP password β‘ sended in clear text π - Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; content:"PASS "; nocase; sid:3300337; metadata:created_at 2020_07_29, updated_at 2022_06_12; rev:6; classtype:policy-violation;)
# Raw-TCP variant of the rule above. The hex patterns decode to "USER ",
# "PASS ", "SYST" and "PWD"; all four must be present in the inspected data,
# in any order (no distance/within links them) and case-sensitively.
# NOTE(review): presumably meant for FTP sessions the protocol detector does not
# classify as FTP - confirm. The msg is identical to sid 3300337, so the two
# rules can only be told apart by sid.
alert tcp any any -> any any (msg:"πΎ - β FTP password β‘ sended in clear text π - Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; content:"|55 53 45 52 20|"; content:"|50 41 53 53 20|"; content:"|53 59 53 54|"; content:"|50 57 44|"; metadata:created_at 2022_06_12, updated_at 2022_06_12; sid:3300338; rev:2; classtype:policy-violation;)
# FTP upload leaving the network: "STOR " must sit in the first 5 bytes
# (depth:5) of a client command on an established flow from $HOME_NET to
# $EXTERNAL_NET. No threshold is set, so each matching STOR command alerts.
alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β FTP Upload β‘ to Internet π - Possible file exfiltration π"; flow:established,to_server; content:"STOR "; depth:5; metadata:created_at 2021_08_05, updated_at 2021_08_05; sid:3300339; rev:2; classtype:policy-violation;)
# SNMP older than v3 (snmp.version:<3). SNMPv1/v2c carry the community string
# unencrypted, which is why any such flow is reported. One alert per source
# address per day.
alert snmp any any -> any any (msg:"πΎ - β Unencrypted SNMP flow π - Leak π±"; snmp.version:<3; threshold: type limit, track by_src,count 1, seconds 86400; sid:3300340; metadata:created_at 2020_07_30, updated_at 2024_05_11; rev:3; classtype:policy-violation;)
# Same condition, narrowed to the well-known default community strings.
# The community is matched case-sensitively and as a substring: there is no
# startswith/endswith, so a community that merely contains "private" or
# "public" also matches. A packet that hits one of these two rules also
# satisfies sid 3300340.
alert snmp any any -> any any (msg:"πΎ - β Default private community used on unencrypted SNMP flow π - Leak π±"; snmp.version:<3; threshold: type limit, track by_src,count 1, seconds 86400; snmp.community; content:"private"; sid:3321260; metadata:created_at 2024_05_11, updated_at 2024_05_11; rev:1; classtype:policy-violation;)
alert snmp any any -> any any (msg:"πΎ - β Default public community used on unencrypted SNMP flow π - Leak π±"; snmp.version:<3; threshold: type limit, track by_src,count 1, seconds 86400; snmp.community; content:"public"; sid:3321261; metadata:created_at 2024_05_11, updated_at 2024_05_11; rev:1; classtype:policy-violation;)
# LDAP simple bind with a non-empty password, sent unencrypted to TCP/389.
# The content chain walks the BER encoding of the first bytes of the packet:
#   |30|      outer SEQUENCE tag at offset 0 (depth:1)
#   |02 01|   INTEGER of length 1 - the message ID
#   |60|      BindRequest tag
#   |02 01|   INTEGER of length 1 - the protocol version
#   |04|      OCTET STRING tag - the bind name; byte_jump reads its 1-byte
#             length and skips over the name
#   |80|      context tag 0 - "simple" authentication
#   !|00|     the password length byte is not zero, so anonymous binds with an
#             empty password are excluded
# Each "distance:1" skips exactly one length byte.
# NOTE(review): this assumes single-byte (short-form) BER lengths; a bind
# request whose length needs the long form would not match - confirm whether
# that gap matters for the directories in use.
# One alert per source address per hour.
alert tcp any any -> any 389 (msg: "β LDAP password β‘ sended in clear text π - Leak π±"; flow: established, to_server, no_stream; threshold: type limit, track by_src,count 1, seconds 3600; content:"|30|"; depth: 1; content:"|02 01|"; fast_pattern; distance: 1; within: 2; content: "|60|"; distance: 1; within: 1; content: "|02 01|"; distance: 1; within: 2; content: "|04|"; distance: 1; within: 1; byte_jump: 1, 0, relative; content: "|80|"; within: 1; content:!"|00|"; within: 1; reference: url,https://github.com/ptresearch/AttackDetection/blob/master/policy/policy.rules; sid:3300341; metadata:created_at 2020_10_25, updated_at 2023_12_27; rev:3; classtype:policy-violation;)
# Any LDAP BindRequest towards $EXTERNAL_NET, on any destination port. The
# pattern is the same prefix as sid 3300341 up to the bind-name tag; it does
# not look at the authentication type or the password. The rule inspects only
# the LDAP bind itself; the Log4Shell association in the msg comes from the
# referenced article, not from anything matched in the payload.
# No threshold is set.
alert tcp any any -> $EXTERNAL_NET any (msg: "π Suspicious outgoing LDAP flow to Internet - Leak π± - Or Possible Log4shell attack"; flow: established, to_server, no_stream; content:"|30|"; depth: 1; content:"|02 01|"; distance: 1; within: 2; content: "|60|"; distance: 1; within: 1; content: "|02 01|"; distance: 1; within: 2; content: "|04|"; distance: 1; within: 1; reference: url,https://www.lunasec.io/docs/blog/log4j-zero-day/; metadata:created_at 2021_12_12, updated_at 2021_12_12 ; sid:3300342; rev:1; classtype:policy-violation;)
# Zscaler client: cleartext HTTP from $HOME_NET to $EXTERNAL_NET whose
# User-Agent contains "ZTunnel" (case-insensitive). One alert per source per day.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Outgoing Internet connection ZTunnel - Zscaler - Leak π±"; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"ZTunnel"; nocase; reference:url,https://www.zscaler.fr/resources/solution-briefs/rethinking-security-for-an-evolving-workforce-fr.pdf; metadata:created_at 2021_04_22, updated_at 2021_10_01; sid:3300343; rev:4; classtype:policy-violation;)
# CCleaner updater: User-Agent contains "CCleaner Update Agent". One alert per
# source per day.
# NOTE(review): created_at (2021_10_01) is later than updated_at (2021_04_29);
# the two dates look swapped - confirm against the rule history.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Ccleaner π§Ή- Leak π±"; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"CCleaner Update Agent"; nocase; reference:url,https://www.ccleaner.com/; metadata:created_at 2021_10_01, updated_at 2021_04_29; sid:3300344; rev:3; classtype:policy-violation;)
# Any cleartext HTTP request towards $EXTERNAL_NET whose method contains "PUT".
# The source is "any" and no threshold is set, so every such request alerts.
# NOTE(review): PUT is also used by ordinary REST APIs, WebDAV and
# object-storage uploads; treat a hit as a lead to correlate, not as proof of
# exfiltration. Uploads inside TLS are not visible to this rule.
alert http any any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Suspicious HTTP PUT method used - Possible file upload or malware (seen in LockBit 2.0 attacks) - Possible Leak π±"; http.method; content:"PUT"; reference: url,https://www.ic3.gov/Media/News/2022/220204.pdf; metadata:created_at 2022_02_08, updated_at 2022_02_08; sid:3300345; rev:1; classtype:bad-unknown;)
# TLS connection whose SNI is openai.com or one of its subdomains. "dotprefix"
# prepends a dot to the SNI before matching and "endswith" anchors the pattern
# at the end, so unrelated names that merely end in "openai.com" without a dot
# boundary do not match. No threshold is set.
# NOTE(review): only the openai.com domain is covered; any other hostname the
# service is reachable under would need its own rule.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ ChatGPT in use π€ - Possible Leak π±"; tls.sni; dotprefix; content:".openai.com"; nocase; endswith; metadata:created_at 2023_05_14, updated_at 2023_05_14; sid:3300346; rev:1; classtype:policy-violation;)
# Volume-based exfiltration indicators. Each rule compares the flow's
# client-to-server byte counter (flow.bytes_toserver) with a fixed decimal
# limit and declares "requires: version >= 8".
# "threshold: type both, track by_src, count 1, seconds 60" caps each rule at
# one alert per source address per 60 seconds.
# The limits are cumulative per flow, so one large transfer raises the 10 MB,
# 50 MB and 100 MB alerts in turn; the rules are listed 10 / 100 / 50 for SSH.
# Destination is $EXTERNAL_NET only; the source is "any".
alert ssh any any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Over 10MB uploaded via SSH / SFTP to public IP address - Possible data exfiltration π±"; requires: version >= 8; flow:to_server, established; threshold: type both, track by_src,count 1, seconds 60; flow.bytes_toserver:>=10000000; metadata:created_at 2024_02_18, updated_at 2024_06_04; sid:3301136; rev:5; classtype:policy-violation;)
alert ssh any any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Over 100MB uploaded via SSH / SFTP to public IP address - Possible data exfiltration π±"; requires: version >= 8; flow:to_server, established; threshold: type both, track by_src,count 1, seconds 60; flow.bytes_toserver:>=100000000; metadata:created_at 2024_02_18, updated_at 2024_06_04; sid:3301137; rev:4; classtype:policy-violation;)
alert ssh any any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Over 50MB uploaded via SSH / SFTP to public IP address - Possible data exfiltration π±"; requires: version >= 8; flow:to_server, established; threshold: type both, track by_src,count 1, seconds 60; flow.bytes_toserver:>=50000000; metadata:created_at 2024_02_18, updated_at 2024_06_04; sid:3301138; rev:4; classtype:policy-violation;)
# TLS counterparts (50 MB and 100 MB). These use "stateless" instead of
# "established" in the flow keyword.
# NOTE(review): any large HTTPS upload qualifies (backups, cloud sync, video
# calls); expect to pair these with suppressions for sanctioned destinations.
alert tls any any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Over 50MB uploaded via TLS to public IP address - Possible data exfiltration π±"; requires: version >= 8; flow:to_server, stateless; threshold: type both, track by_src,count 1, seconds 60; flow.bytes_toserver:>=50000000; metadata:created_at 2024_04_29, updated_at 2024_06_04; sid:3306862; rev:7; classtype:policy-violation;)
alert tls any any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Over 100MB uploaded via TLS to public IP address - Possible data exfiltration π±"; requires: version >= 8; flow:to_server, stateless; threshold: type both, track by_src,count 1, seconds 60; flow.bytes_toserver:>=100000000; metadata:created_at 2024_04_29, updated_at 2024_06_04; sid:3306863; rev:7; classtype:policy-violation;)
###################### Telemetry ######################
# Application telemetry endpoints, recognised by the TLS SNI of connections
# from $HOME_NET to $EXTERNAL_NET. Each rule alerts once per source per day.
# The first three rules match the hostname as a case-insensitive substring of
# the SNI (no startswith/endswith anchor).
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Mozilla Firefox π¦ telemetry enabled - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:"telemetry.mozilla.org"; nocase; reference: url,https://support.mozilla.org/en-US/kb/telemetry-clientid; metadata:created_at 2022_06_11, updated_at 2022_06_12; sid:3300347; rev:4; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Mozilla Thunderbird π telemetry enabled - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400;tls_sni; content:"incoming-telemetry.thunderbird.net"; nocase; reference: url,https://support.mozilla.org/en-US/kb/thunderbird-telemetry; metadata:created_at 2022_06_11, updated_at 2022_06_12; sid:3300348; rev:4; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Elastic Kibana telemetry enabled - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400;tls_sni; content:"telemetry.elastic.co"; nocase; reference: url,https://www.elastic.co/guide/en/kibana/master/telemetry-settings-kbn.html; metadata:created_at 2023_05_14, updated_at 2023_05_14; sid:3300349; rev:1; classtype:policy-violation;)
# The next two rules need two conditions: the SNI must end with the listed
# hostname (endswith) and the client's JA3 hash must equal
# 8d9f7747675e24454cd9b7ed35c58707, which the msg attributes to a Python client.
# NOTE(review): a JA3 hash describes a TLS client configuration, not one
# application; other Python versions or TLS libraries may present a different
# hash and go unreported - confirm the fingerprint against the clients in use.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Python-based π application with Google Analytics telemetry enabled - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:"www.google-analytics.com"; nocase; endswith; ja3.hash; content:"8d9f7747675e24454cd9b7ed35c58707"; fast_pattern; reference: url,https://developers.google.com/analytics/devguides/reporting/core/v3/quickstart/installed-py; metadata:created_at 2024_06_05, updated_at 2024_06_05; sid:3321278; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Python-based π application with Sentry telemetry enabled - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:"ingest.sentry.io"; nocase; endswith; ja3.hash; content:"8d9f7747675e24454cd9b7ed35c58707"; fast_pattern; reference: url,https://docs.sentry.io/platforms/python/; metadata:created_at 2024_06_05, updated_at 2024_06_05; sid:3321279; rev:1; classtype:policy-violation;)
###################### Public IP lookup ######################
# Public-IP lookup services contacted from $HOME_NET. A service usually gets
# two rules: one on the raw HTTP Host header (http.host.raw) and one on the
# TLS SNI (tls_sni). The service name is matched as a case-insensitive
# substring. Alerts are limited to one per source per hour, except
# ip-api.com (one per day).
# NOTE(review): because the match is an unanchored substring, a hostname that
# merely contains the service name also alerts. A hit shows that a host asked
# for its public address, which many legitimate programs do; it is context for
# triage rather than evidence of compromise on its own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π ifconfig.io lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"ifconfig.io"; nocase; metadata:created_at 2022_08_14, updated_at 2022_08_14; sid:3300350; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π ifconfig.io lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"ifconfig.io"; nocase; metadata:created_at 2022_08_14, updated_at 2022_08_14; sid:3300351; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π ip-api.com lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; http.host.raw; content:"ip-api.com"; nocase; metadata:created_at 2022_08_16, updated_at 2022_08_16; sid:3300352; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π ifconfig.me lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"ifconfig.me"; nocase; metadata:created_at 2022_10_31, updated_at 2022_10_31; sid:3300353; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π ifconfig.me lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"ifconfig.me"; nocase; metadata:created_at 2022_10_31, updated_at 2022_10_31; sid:3300354; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π ipinfo.io lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"ipinfo.io"; nocase; metadata:created_at 2022_10_31, updated_at 2022_10_31; sid:3300355; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π ipinfo.io lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"ipinfo.io"; nocase; metadata:created_at 2022_10_31, updated_at 2022_10_31; sid:3300356; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π api.ipify.org lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"api.ipify.org"; nocase; metadata:created_at 2022_10_31, updated_at 2022_10_31; sid:3300357; rev:1; classtype:policy-violation;)
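# api.ipify.org over TLS: the SNI must contain "api.ipify.org"
# (case-insensitive) and the client's JA3 hash must NOT be
# bc29aa426fc99c0be1b9be941869f88a. One alert per source per hour.
# "nocase" is attached to the SNI pattern, as in the other lookup rules in this
# section. In the published revision it followed the negated JA3 pattern, which
# left the SNI match case-sensitive; on the lowercase hex hash it had no effect.
# NOTE(review): the excluded fingerprint is presumably a known, accepted client
# - confirm which one. rev and updated_at are left as published; bump both when
# this change is released.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π api.ipify.org lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"api.ipify.org"; nocase; fast_pattern; ja3.hash; content:!"bc29aa426fc99c0be1b9be941869f88a"; metadata:created_at 2022_10_31, updated_at 2024_06_04; sid:3300358; rev:2; classtype:policy-violation;)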
# More public-IP lookup services, same pattern as the earlier rules in this
# section: raw HTTP Host header or TLS SNI, case-insensitive substring match,
# one alert per source per hour unless noted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π ipecho.net lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"ipecho.net"; nocase; metadata:created_at 2022_10_31, updated_at 2022_10_31; sid:3300359; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π ipecho.net lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"ipecho.net"; nocase; metadata:created_at 2022_10_31, updated_at 2022_10_31; sid:3300360; rev:1; classtype:policy-violation;)
# DNS-based lookup: a query name containing "myip.opendns.com". One alert per
# source per day.
# NOTE(review): the reference URL points at teamviewer.com rather than at the
# lookup service - confirm that this is intended.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π myip.opendns.com (DNS Query) lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; dns_query; content:"myip.opendns.com"; nocase; reference: url,https://www.teamviewer.com/; metadata:created_at 2022_10_31, updated_at 2023_08_18; sid:3300361; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π whatismyip.com lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"whatismyip.com"; nocase; metadata:created_at 2022_10_31, updated_at 2022_10_31; sid:3300362; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π icanhazip.com lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"icanhazip.com"; nocase; metadata:created_at 2022_10_31, updated_at 2022_10_31; sid:3300363; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π icanhazip.com lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"icanhazip.com"; nocase; metadata:created_at 2022_10_31, updated_at 2022_10_31; sid:3300364; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π myexternalip.com lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"myexternalip.com"; nocase; metadata:created_at 2022_10_31, updated_at 2022_10_31; sid:3300365; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π myexternalip.com lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"myexternalip.com"; nocase; metadata:created_at 2022_10_31, updated_at 2022_10_31; sid:3300366; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π whoer.net lookup public IP address from local network (and more informations) - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"whoer.net"; nocase; metadata:created_at 2023_01_11, updated_at 2023_01_11; sid:3300367; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π speedtest.net lookup public IP address from local network & bandwidth testing - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"speedtest.net"; nocase; metadata:created_at 2023_01_11, updated_at 2023_01_11; sid:3300368; rev:1; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π geolocation-db.com lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls_sni; content:"geolocation-db.com"; nocase; metadata:created_at 2023_06_21, updated_at 2023_06_21; sid:3300369; rev:2; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π checkip.dyndns.com lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"checkip.dyndns.com"; nocase; metadata:created_at 2023_08_21, updated_at 2023_08_21; sid:3300370; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π ip-info.ff.avast.com lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"ip-info.ff.avast.com"; nocase; metadata:created_at 2023_11_01, updated_at 2023_11_01; sid:3300652; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π geoplugin.net lookup public IP address from local network - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"geoplugin.net"; nocase; metadata:created_at 2024_03_03, updated_at 2024_03_03; sid:3301152; rev:1; classtype:policy-violation;)
# Narrower geoplugin.net rule: in addition to the Host match it requires the
# GET method and "/json.gp" in the URI (case-sensitive, anywhere in the URI).
# The msg and reference tie this request shape to Remcos RAT. A request that
# matches here also matches sid 3301152, so both alerts appear together; this
# one is the higher-priority lead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ π geoplugin.net JSON lookup public IP address from local network - Used by Remcos RAT - Possible Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"geoplugin.net"; fast_pattern; nocase; http.method; content:"GET"; http.uri; content:"/json.gp"; reference:url,https://blog.talosintelligence.com/threat-roundup-1021-1028-2/; metadata:created_at 2024_03_03, updated_at 2024_03_03; sid:3301153; rev:2; classtype:policy-violation;)
###################### DICOM protocol ######################
# DICOM (medical imaging) associations crossing the Internet boundary.
# The 10-byte patterns are the fixed-size association release PDUs:
#   |05 00 00 00 00 04 00 00 00 00|  A-RELEASE request  (PDU type 05, length 4)
#   |06 00 00 00 00 04 00 00 00 00|  A-RELEASE response (PDU type 06, length 4)
# "endswith" requires the pattern to be the last bytes of the inspected data.
# The rules match on any port and carry no threshold. The four rules cover both
# PDU types in both directions:
#   3300371  request  sent to $EXTERNAL_NET      - internal client, external server
#   3300372  response sent to $EXTERNAL_NET      - internal server answering an external client
#   3300373  request  arriving from $EXTERNAL_NET - external client, internal server
#   3300374  response arriving from $EXTERNAL_NET - external server answering an internal client
# NOTE(review): the release PDU marks the end of an association, so the alert
# is raised after any image transfer on that association has already happened;
# it indicates exposure, it does not prevent it.
alert tcp any any -> $EXTERNAL_NET any (msg:"πΎ - π¨ DICOM A-RELEASE request β to Internet DICOM Server π - Possible Leak π±"; flow:to_server, stateless; content:"|05 00 00 00 00 04 00 00 00 00|"; endswith; metadata:created_at 2022_02_13, updated_at 2022_06_11; sid:3300371; rev:4; classtype:policy-violation;)
alert tcp any any -> $EXTERNAL_NET any (msg:"πΎ - π Exposed DICOM server / modality - π¨ DICOM A-RELEASE response β to Internet π - Possible Leak π±"; flow:to_client, stateless; content:"|06 00 00 00 00 04 00 00 00 00|"; endswith; metadata:created_at 2022_02_13, updated_at 2022_06_11; sid:3300372; rev:4; classtype:policy-violation;)
alert tcp $EXTERNAL_NET any -> any any (msg:"πΎ - π Exposed DICOM server / modality - π¨ DICOM A-RELEASE request β from Internet π - Possible Leak π±"; flow:to_server, stateless; content:"|05 00 00 00 00 04 00 00 00 00|"; endswith; metadata:created_at 2022_05_05, updated_at 2022_06_11; sid:3300373; rev:4; classtype:policy-violation;)
alert tcp $EXTERNAL_NET any -> any any (msg:"πΎ - π¨ DICOM A-RELEASE response β from Internet DICOM Server π - Possible Leak π±"; flow:to_client, stateless; content:"|06 00 00 00 00 04 00 00 00 00|"; endswith; metadata:created_at 2022_05_05, updated_at 2022_06_11; sid:3300374; rev:4; classtype:policy-violation;)
###################### Remote Tools ######################
# TeamViewer over cleartext HTTP: the User-Agent contains
# "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)" (|3b 20| is "; ").
# One alert per source per day.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Teamviewer π - Leak π±"; threshold: type limit, track by_src,count 1, seconds 86400; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|DynGate)"; nocase; reference:url,https://www.teamviewer.com/; metadata:created_at 2021_04_29, updated_at 2021_10_01; sid:3300375; rev:3; classtype:policy-violation;)
# TeamViewer by DNS: the query name must contain both "router" and
# "teamviewer.com", in any order and position. One alert per source per day.
alert dns any any -> any any (msg:"πΎ - π¨ Teamviewer remote tool (DNS Query) - Leak π±"; threshold: type limit, track by_src,count 1, seconds 86400; dns_query; content:"router"; nocase; content:"teamviewer.com"; nocase; reference: url,https://www.teamviewer.com/; metadata:created_at 2022_04_03, updated_at 2022_04_03; sid:3300376; rev:2; classtype:policy-violation;)
# AnyDesk 6.x / 7.x clients, identified by JA3 hash alone.
# NOTE(review): these two rules have no SNI or certificate condition, so any
# other client that presents the same TLS fingerprint alerts as well; a new
# client release may change the hash and stop matching. JA3 rules only work
# when JA3 fingerprinting is enabled in the engine configuration.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β AnyDesk 6.X π - Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ja3_hash; content:"3f2fba0262b1a22b739126dfb2fe7a7d"; metadata: former_category JA3; reference:url,https://anydesk.com/; metadata:created_at 2021_05_05, updated_at 2022_10_09; sid:3300377; rev:3; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β AnyDesk 7.X π - Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ja3_hash; content:"c91bde19008eefabce276152ccd51457"; metadata: former_category JA3; reference:url,https://anydesk.com/; metadata:created_at 2022_10_09, updated_at 2022_10_09; sid:3300378; rev:2; classtype:policy-violation;)
# AnyDesk relay by server certificate: the subject must contain both
# "CN=AnyNet Relay" and "O=philandro Software GmbH" (case-sensitive). The rule
# is written for the server-to-client direction, where the certificate travels.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - β AnyDesk Remote tool (TLS Connection) - Possible Leak π±"; threshold: type limit, track by_src,count 1, seconds 86400; tls.cert_subject; content:"CN=AnyNet Relay"; content:"O=philandro Software GmbH"; reference:url,https://anydesk.com/; metadata:created_at 2022_04_03, updated_at 2022_04_03; sid:3300379; rev:2; classtype:policy-violation;)
# Axeda remote access agent, by JA3 hash alone; the msg labels one fingerprint
# as TLSv1.0 and the other as TLSv1.2. The caveat about JA3-only rules given
# for AnyDesk applies here too.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Axeda remote access agent (TLSv1.0) π - Leak π±"; threshold: type limit, track by_src,count 1, seconds 86400; ja3_hash; content:"a99945828d72d137e7ea232b52deeaa3"; metadata: former_category JA3; reference:url,https://support.ptc.com/help/thingworx_hc/axeda_compatibility_package/en/index.html#page/axeda_compatibility_package/remote_access/c_ra_axeda_desktop_viewer_support.html; metadata:created_at 2021_06_02, updated_at 2022_03_09; sid:3300380; rev:4; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Axeda remote access agent (TLSv1.2) π - Leak π±"; threshold: type limit, track by_src,count 1, seconds 86400; ja3_hash; content:"118ccd49490cf92ab09c77393ef192b6"; metadata: former_category JA3; reference:url,https://support.ptc.com/help/thingworx_hc/axeda_compatibility_package/en/index.html#page/axeda_compatibility_package/remote_access/c_ra_axeda_desktop_viewer_support.html; metadata:created_at 2021_06_02, updated_at 2022_03_09; sid:3300381; rev:4; classtype:policy-violation;)
# LogMeIn by server certificate: the subject must contain all four listed
# attributes (C, ST, L, O), each matched case-insensitively and in any order.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - β LogMeIn Agent π - Leak π±"; threshold: type limit, track by_src,count 1, seconds 86400; tls.cert_subject; content:"C=US"; nocase; content:"ST=Massachusetts"; nocase; content:"L=Boston"; nocase; content:"O=LogMeIn"; nocase; reference:url,https://www.logmein.com/fr; metadata:created_at 2021_07_20, updated_at 2021_09_07; sid:3300382; rev:2; classtype:policy-violation;)
# Remote Utilities, payload signature: the hex pattern is the ASCII string
# "</rman_message>" in any inbound TCP payload. No flow keyword and no
# threshold are set.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Remote Utilities - Administration tool π¦Ή (</rman_message>)"; content:"|3c 2f 72 6d 61 6e 5f 6d 65 73 73 61 67 65 3e|"; reference:url,https://www.remoteutilities.com/; metadata:created_at 2021_09_29, updated_at 2021_09_30; sid:3300383; rev:2; classtype:policy-violation;)
# Remote Utilities, address signature: any IP traffic to one hard-coded address.
# NOTE(review): the address was recorded in 2021 (created_at); a fixed IP goes
# stale when the vendor moves infrastructure - confirm it is still in use.
alert ip any any -> 23.235.252.66 any (msg:"πΎ - π¨ Remote Utilities - Administration tool π¦Ή (known IP for Internet ID) - Leak π±"; reference: url,https://www.remoteutilities.com/; metadata:created_at 2021_09_30, updated_at 2021_09_30; sid:3300384; rev:2; classtype:policy-violation;)
# Remote Utilities, port signatures: TCP/5655 towards the Internet and
# TCP/5650 inside $HOME_NET. Nothing but the destination port is checked,
# hence "Possible" in the msg.
# NOTE(review): with no flow or threshold keyword these may alert on many
# packets of the same connection - confirm, and consider limiting them.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5655 (msg:"πΎ - π¨ Possible Remote Utilities connection to Internet - Administration tool π¦Ή (TCP port 5655 used) - Leak π±"; reference: url,https://www.remoteutilities.com/; metadata:created_at 2021_09_30, updated_at 2021_09_30; sid:3300385; rev:2; classtype:policy-violation;)
alert tcp $HOME_NET any -> $HOME_NET 5650 (msg:"πΎ - π¨ Possible Remote Utilities local connection - Administration tool π¦Ή (TCP port 5650 used) - Leak π±"; reference: url,https://www.remoteutilities.com/; metadata:created_at 2021_09_30, updated_at 2021_09_30; sid:3300386; rev:2; classtype:policy-violation;)
# Splashtop by DNS: the query name contains "relay.splashtop.com" or
# "dc.splashtop.eu" (case-insensitive substring). Both rules share the same
# msg and have no threshold, so every matching DNS message alerts.
alert dns any any -> any any (msg:"πΎ - π¨ Splashtop remote tool (DNS Query) - Leak π±"; dns_query; content:"relay.splashtop.com"; nocase; reference: url,https://www.splashtop.com/fr/; metadata:created_at 2021_09_30, updated_at 2022_04_03; sid:3300387; rev:2; classtype:policy-violation;)
alert dns any any -> any any (msg:"πΎ - π¨ Splashtop remote tool (DNS Query) - Leak π±"; dns_query; content:"dc.splashtop.eu"; nocase; reference: url,https://www.splashtop.com/fr/; metadata:created_at 2021_09_30, updated_at 2022_04_03; sid:3300388; rev:2; classtype:policy-violation;)
# ConnectWise ScreenConnect: SNI contains "screenconnect.com" (case-sensitive
# here, no nocase) and the JA3 hash is 3b5074b1b5d032e5620f69f9f700ff0e.
# The same JA3 hash is used by the Atera rule (sid 3300395), so the
# fingerprint is shared by more than one product and the SNI condition is what
# tells them apart. One alert per source per day.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β ConnectWise ScreenConnect π - Leak π±"; threshold: type limit, track by_src,count 1, seconds 86400; tls_sni; content:"screenconnect.com"; ja3_hash; content:"3b5074b1b5d032e5620f69f9f700ff0e"; metadata: former_category JA3; reference:url,https://control.connectwise.com/; metadata:created_at 2022_04_27, updated_at 2022_04_27; sid:3300389; rev:1; classtype:policy-violation;)
# Zoho Assist, Windows client: JA3 hash plus an SNI that contains "zoho"
# anywhere (case-insensitive). One alert per source per hour.
# NOTE(review): "zoho" is a very short substring; any Zoho service reached by a
# client with this fingerprint alerts, not only Assist.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Zoho Assist Remote Tool π (Possible Windows πͺ Client) - Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ja3_hash; content:"6641dc4250623c018363f7a37d13c469"; tls.sni; content:"zoho"; nocase; reference:url,https://www.zoho.com/assist/; metadata:created_at 2022_08_16, updated_at 2022_08_16; sid:3300390; rev:2; classtype:policy-violation;)
# Zoho Assist by server certificate: subject contains "CN=*.zohoassist.com".
# The rule looks at server-to-client traffic, so the threshold tracks by_dst,
# which is the internal client.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - β Zoho Assist Remote Tool π (TLS certificate π observed)- Leak π±"; flow:to_client, stateless; threshold: type limit, track by_dst,count 1, seconds 3600; tls.cert_subject; content:"CN=*.zohoassist.com"; nocase; reference:url,https://www.zoho.com/assist/; metadata:created_at 2022_08_16, updated_at 2022_08_16; sid:3300391; rev:2; classtype:policy-violation;)
# Zoho Assist, Linux client: one JA3 hash, two SNI shapes - a name ending in
# "zohoassist.com" (endswith) or a name containing "assist.zoho".
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Zoho Assist Remote Tool π (Possible Linux π§ Client) - Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ja3_hash; content:"df669e7ea913f1ac0c0cce9a201a2ec1"; tls.sni; content:"zohoassist.com"; endswith; nocase; reference:url,https://www.zoho.com/assist/; metadata:created_at 2022_08_16, updated_at 2022_08_16; sid:3300392; rev:2; classtype:policy-violation;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Zoho Assist Remote Tool π (Possible Linux π§ Client) - Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ja3_hash; content:"df669e7ea913f1ac0c0cce9a201a2ec1"; tls.sni; content:"assist.zoho"; nocase; reference:url,https://www.zoho.com/assist/; metadata:created_at 2022_08_16, updated_at 2022_08_16; sid:3300393; rev:1; classtype:policy-violation;)
# Zoho account sign-in: SNI contains "accounts.zoho.in"; no JA3 condition.
# NOTE(review): only the ".in" accounts host is listed; sign-ins through other
# regional hosts would not match - confirm which regions matter here.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Zoho Assist Web console authentication - Leak π±"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; tls.sni; content:"accounts.zoho.in"; nocase; reference:url,https://www.zoho.com/assist/; metadata:created_at 2022_08_16, updated_at 2022_08_16; sid:3300394; rev:1; classtype:policy-violation;)
# Atera agent on Windows: JA3 hash 3b5074b1b5d032e5620f69f9f700ff0e (the same
# hash as the ScreenConnect rule, sid 3300389) plus an SNI containing
# "agent-api.atera.com" (case-sensitive). No threshold is set, so each matching
# connection alerts.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Atera remote control agent for Windows πͺ - Possible Leak π±"; flow:to_server, stateless; ja3.hash; content:"3b5074b1b5d032e5620f69f9f700ff0e"; tls_sni; content:"agent-api.atera.com"; metadata: former_category JA3; reference:url,https://www.atera.com/; metadata:created_at 2023_06_21, updated_at 2023_06_21; sid:3300395; rev:1; classtype:policy-violation;)
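# curl connecting to the anonymous file-drop services transfer.sh and temp.sh.
# Each rule needs two conditions: the SNI of the service, and a JA3 hash that
# the msg attributes to curl on Windows (4ea056e6...) or on Linux (f436b941...).
# No threshold is set, so each matching connection alerts.
#
# The SNI is matched as the service's own name or one of its subdomains:
# "dotprefix" prepends a dot to the SNI and "endswith" anchors the pattern at
# the end. The published revision used an unanchored substring, which also
# matched unrelated hosts whose name merely contains the string (constructed
# examples: "filetransfer.sharepoint.com", "mytemp.shop").
#
# NOTE(review): a JA3 hash describes one TLS client build; other curl versions
# or TLS back ends may present a different hash and go unreported. rev and
# updated_at are left as published; bump both when this change is released.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Curl (Windows) connection to transfer.sh - possible upload - Leak π±"; flow:to_server, stateless; tls.sni; dotprefix; content:".transfer.sh"; nocase; endswith; ja3.hash; content:"4ea056e63b7910cbf543f0c095064dfe"; metadata:created_at 2022_02_08, updated_at 2023_06_21; sid:3300396; rev:3; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Curl (Linux) connection to transfer.sh - possible upload - Leak π±"; flow:to_server, stateless; tls.sni; dotprefix; content:".transfer.sh"; nocase; endswith; ja3.hash; content:"f436b9416f37d134cadd04886327d3e8"; metadata:created_at 2022_02_08, updated_at 2023_06_21; sid:3300397; rev:3; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Curl (Windows) connection to temp.sh - possible upload - Leak π±"; flow:to_server, stateless; tls.sni; dotprefix; content:".temp.sh"; nocase; endswith; ja3.hash; content:"4ea056e63b7910cbf543f0c095064dfe"; metadata:created_at 2022_03_04, updated_at 2023_06_21; sid:3300398; rev:3; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π¨ Curl (Linux) connection to temp.sh - possible upload - Leak π±"; flow:to_server, stateless; tls.sni; dotprefix; content:".temp.sh"; nocase; endswith; ja3.hash; content:"f436b9416f37d134cadd04886327d3e8"; metadata:created_at 2022_03_04, updated_at 2023_06_21; sid:3300399; rev:3; classtype:bad-unknown;)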
###################### Files Upload ######################
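### DNS Request ###
# Each rule matches its domain as a case-insensitive substring of the query name unless it is
# anchored (dotprefix/endswith), so short names can also fire on unrelated look-alike domains.
# A hit shows only that the name was resolved; queries sent over DoH/DoT are not visible here.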
alert dns any any -> any any (msg:"πΎ - β DNS Request π - swisstransfer.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"swisstransfer.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300400; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - wetransfer.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"wetransfer.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300401; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - wetransfer.net - File Sharing solution π - Possible Leak π±"; dns_query; content:"wetransfer.net"; nocase; metadata:created_at 2021_09_07, updated_at 2021_09_07; sid:3300402; rev:1; classtype:bad-unknown;)
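# we.tl (WeTransfer short links). Anchored on a label boundary: dotprefix + endswith match
# we.tl and its subdomains only, not any query that merely contains the five characters.
# NOTE(review): bump rev/updated_at when merging.
alert dns any any -> any any (msg:"πΎ - β DNS Request π - we.tl (We Transfer) - File Sharing solution π - Possible Leak π±"; dns.query; dotprefix; content:".we.tl"; nocase; endswith; metadata:created_at 2021_12_06, updated_at 2021_12_06; sid:3300403; rev:1; classtype:bad-unknown;)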
alert dns any any -> any any (msg:"πΎ - β DNS Request π - sendspace.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"sendspace.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300404; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - transfernow.net - File Sharing solution π - Possible Leak π±"; dns_query; content:"transfernow.net"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300405; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - file.io - File Sharing solution π - Possible Leak π±"; dns_query; flow:to_server, stateless; content:"www.file.io"; nocase; metadata:created_at 2021_08_27, updated_at 2022_11_17; sid:3300406; rev:2; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - hightail.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"hightail.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300407; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - filemail.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"filemail.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300408; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - fromsmash.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"fromsmash.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300409; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - pcloud.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"pcloud.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300410; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - grosfichiers.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"grosfichiers.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300411; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - 1fichier.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"1fichier.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300412; rev:1; classtype:bad-unknown;)
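# mega.io. Anchored on a label boundary so that names which only end in the same characters
# (constructed example: omega.io) no longer raise this alert; subdomains of mega.io still do.
# NOTE(review): bump rev/updated_at when merging.
alert dns any any -> any any (msg:"πΎ - β DNS Request π - mega.io - File Sharing solution π - Possible Leak π±"; dns.query; dotprefix; content:".mega.io"; nocase; endswith; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300413; rev:1; classtype:bad-unknown;)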
alert dns any any -> any any (msg:"πΎ - β DNS Request π - dropbox.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"dropbox.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300414; rev:1; classtype:bad-unknown;)
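# box.com. The literal ".box.com" avoided dropbox.com but required a preceding label, so a
# query for bare box.com was missed and x.box.com.<other-domain> still matched. dotprefix
# prepends a dot to the query, and endswith pins the match to the end of the name.
# NOTE(review): bump rev/updated_at when merging.
alert dns any any -> any any (msg:"πΎ - β DNS Request π - box.com - File Sharing solution π - Possible Leak π±"; dns.query; dotprefix; content:".box.com"; nocase; endswith; metadata:created_at 2021_08_27, updated_at 2021_08_30; sid:3300415; rev:2; classtype:bad-unknown;)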
alert dns any any -> any any (msg:"πΎ - β DNS Request π - mediafire.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"mediafire.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300416; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - anonfiles.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"anonfiles.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300417; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - spicyfile.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"spicyfile.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300418; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - turbobit.net - File Sharing solution π - Possible Leak π±"; dns_query; content:"turbobit.net"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300419; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - easybytez.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"easybytez.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300420; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - rapidgator.net - File Sharing solution π - Possible Leak π±"; dns_query; content:"rapidgator.net"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300421; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - files.fm - File Sharing solution π - Possible Leak π±"; dns_query; content:"files.fm"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300422; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - depositfiles.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"depositfiles.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300423; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - 2shared.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"2shared.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300424; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - filefactory.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"filefactory.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300425; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - filedropper.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"filedropper.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300426; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - delafil.se - File Sharing solution π - Possible Leak π±"; dns_query; content:"delafil.se"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300427; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - filesanywhere.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"filesanywhere.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300428; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - zippyshare.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"zippyshare.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300429; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - uptobox.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"uptobox.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300430; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - terashare.net - File Sharing solution π - Possible Leak π±"; dns_query; content:"terashare.net"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300431; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - uploaded.net - File Sharing solution π - Possible Leak π±"; dns_query; content:"uploaded.net"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300432; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - jumpshare.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"jumpshare.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300433; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - volafile.org - File Sharing solution π - Possible Leak π±"; dns_query; content:"volafile.org"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300434; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - jirafeau.net - File Sharing solution π - Possible Leak π±"; dns_query; content:"jirafeau.net"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300435; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - 4shared.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"4shared.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300436; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - tinyupload.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"tinyupload.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300437; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - sprend.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"sprend.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300438; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - hitfile.net - File Sharing solution π - Possible Leak π±"; dns_query; content:"hitfile.net"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300439; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - datafilehost.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"datafilehost.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300440; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - letscrate.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"letscrate.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300441; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - file2send.eu - File Sharing solution π - Possible Leak π±"; dns_query; content:"file2send.eu"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300442; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - filecargo.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"filecargo.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300443; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - howfile.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"howfile.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300444; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - novafile.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"novafile.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300445; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - prefiles.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"prefiles.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300446; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - filerio.in - File Sharing solution π - Possible Leak π±"; dns_query; content:"filerio.in"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300447; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - tusfiles.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"tusfiles.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300448; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - sendmyway.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"sendmyway.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300449; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - netkups.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"netkups.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300450; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - fileflyer.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"fileflyer.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300451; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - telxsendit.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"telxsendit.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300452; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - fileburst.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"fileburst.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300453; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - filecentral.se - File Sharing solution π - Possible Leak π±"; dns_query; content:"filecentral.se"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300454; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - nullfix.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"nullfix.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300455; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - infini.fr - File Sharing solution π - Possible Leak π±"; dns_query; content:"infini.fr"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300456; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - ethibox.fr - File Sharing solution π - Possible Leak π±"; dns_query; content:"ethibox.fr"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300457; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - zaclys.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"zaclys.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300458; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - drop.chapril.org - File Sharing solution π - Possible Leak π±"; dns_query; content:"drop.chapril.org"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300459; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - nuage.parinux.org - File Sharing solution π - Possible Leak π±"; dns_query; content:"nuage.parinux.org"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300460; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - disroot.org - File Sharing solution π - Possible Leak π±"; dns_query; content:"disroot.org"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300461; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - sans-nuage.fr - File Sharing solution π - Possible Leak π±"; dns_query; content:"sans-nuage.fr"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300462; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - lufi.nomagic.uk - File Sharing solution π - Possible Leak π±"; dns_query; content:"lufi.nomagic.uk"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300463; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - bayfiles.com - File Sharing solution π - Possible Leak π±"; dns_query; content:"bayfiles.com"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300464; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - mega.co.nz - File Sharing solution π - Possible Leak π±"; dns_query; content:"mega.co.nz"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300465; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - mega.nz - File Sharing solution π - Possible Leak π±"; dns_query; content:"mega.nz"; nocase; metadata:created_at 2021_08_27, updated_at 2021_08_27; sid:3300466; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - gofile.io - File Sharing solution π - Possible Leak π±"; dns_query; content:"gofile.io"; nocase; metadata:created_at 2021_09_30, updated_at 2021_09_30; sid:3300467; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - securesha.re - File Sharing solution π - Possible Leak π±"; dns_query; content:"securesha.re"; nocase; metadata:created_at 2021_10_06, updated_at 2021_10_06; sid:3300468; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - privatlab.net - File Sharing solution π - Possible Leak π±"; dns_query; content:"privatlab.net"; nocase; metadata:created_at 2022_02_08, updated_at 2022_02_08; sid:3300469; rev:1; classtype:bad-unknown;)
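# fex.net. Anchored on a label boundary: matches fex.net and its subdomains, not longer
# registrable names that merely end in "fex.net" (constructed example: telefex.net).
# NOTE(review): bump rev/updated_at when merging.
alert dns any any -> any any (msg:"πΎ - β DNS Request π - fex.net - File Sharing solution π - Possible Leak π±"; dns.query; dotprefix; content:".fex.net"; nocase; endswith; metadata:created_at 2022_02_08, updated_at 2022_02_08; sid:3300470; rev:1; classtype:bad-unknown;)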
alert dns any any -> any any (msg:"πΎ - β DNS Request π - transfer.sh - File Sharing solution π - Possible Leak π±"; dns_query; content:"transfer.sh"; nocase; metadata:created_at 2022_02_08, updated_at 2022_02_08; sid:3300471; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - send.exploit.in - File Sharing solution π - Possible Leak π±"; dns_query; content:"send.exploit.in"; nocase; metadata:created_at 2022_02_08, updated_at 2022_02_08; sid:3300472; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - qaz.su - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; dns_query; content:"qaz.su"; nocase; metadata:created_at 2022_03_04, updated_at 2022_03_04; sid:3300473; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - qaz.im - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; dns_query; content:"qaz.im"; nocase; metadata:created_at 2022_03_04, updated_at 2022_03_04; sid:3300474; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - upload.prntscr.com - Lightshot Print Screen Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; dns_query; content:"upload.prntscr.com"; nocase; metadata:created_at 2022_03_04, updated_at 2022_03_04; sid:3300475; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - dropfiles.me - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; dns_query; content:"dropfiles.me"; nocase; metadata:created_at 2022_03_04, updated_at 2022_03_04; sid:3300476; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - privatlab.com - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; dns_query; content:"privatlab.com"; nocase; metadata:created_at 2022_03_04, updated_at 2022_03_04; sid:3300477; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - temp.sh - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; dns_query; content:"temp.sh"; nocase; metadata:created_at 2022_03_04, updated_at 2022_03_04; sid:3300478; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - www.handybackup.net - File Sharing solution π - Possible Leak π± - seen in π RagnarLocker Attack"; dns_query; content:"www.handybackup.net"; nocase; reference:url,https://twitter.com/AltShiftPrtScn/status/1403707430765273095; metadata:created_at 2022_03_10, updated_at 2022_03_10; sid:3300479; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - workupload.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"workupload.com"; nocase; metadata:created_at 2022_06_16, updated_at 2022_06_16; sid:3300480; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - ftp.uptobox.com - FTP Upload to File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"ftp.uptobox.com"; nocase; metadata:created_at 2022_08_17, updated_at 2022_08_17; sid:3300481; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - ghostbin.me - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"ghostbin.me"; nocase; metadata:created_at 2022_09_05, updated_at 2022_09_05; sid:3300482; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - hidrive.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"hidrive.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300483; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - backblaze.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"backblaze.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300484; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - sharefile.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"sharefile.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300485; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - jottacloud.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"jottacloud.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300486; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - hubic.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"hubic.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300487; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - shadow.tech - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"shadow.tech"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300488; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - koofr.net - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"koofr.net"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300489; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - koofr.eu - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"koofr.eu"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300490; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - cloud.mail.ru - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"cloud.mail.ru"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300491; rev:1; classtype:bad-unknown;)
# NOTE(review): azure.microsoft.com looks like the Azure product site rather than a storage
# endpoint; uploads to Azure Storage would presumably use other host names — confirm coverage,
# and expect benign hits from ordinary browsing and administration.
alert dns any any -> any any (msg:"πΎ - β DNS Request π - azure.microsoft.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"azure.microsoft.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300492; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - onedrive.live.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"onedrive.live.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300493; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - opendrive.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"opendrive.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300494; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - openstack.org - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"openstack.org"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300495; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - rackspace.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"rackspace.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300496; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - memset.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"memset.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300497; rev:1; classtype:bad-unknown;)
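# put.io. Anchored on a label boundary: the bare substring also matched any name ending in
# "put.io" (constructed examples: input.io, output.io); subdomains of put.io still match.
# NOTE(review): bump rev/updated_at when merging.
alert dns any any -> any any (msg:"πΎ - β DNS Request π - put.io - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns.query; dotprefix; content:".put.io"; nocase; endswith; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300498; rev:1; classtype:bad-unknown;)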
alert dns any any -> any any (msg:"πΎ - β DNS Request π - qingcloud.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"qingcloud.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300499; rev:1; classtype:bad-unknown;)
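# sia.tech. Anchored on a label boundary: the bare substring also matched names that only end
# in "sia.tech" (constructed example: asia.tech); subdomains of sia.tech still match.
# NOTE(review): bump rev/updated_at when merging.
alert dns any any -> any any (msg:"πΎ - β DNS Request π - sia.tech - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns.query; dotprefix; content:".sia.tech"; nocase; endswith; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300500; rev:1; classtype:bad-unknown;)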
alert dns any any -> any any (msg:"πΎ - β DNS Request π - saicloud.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"saicloud.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300501; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - storj.io - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"storj.io"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300502; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - sugarsync.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"sugarsync.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300503; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - disk.yandex.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"disk.yandex.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300504; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - accounts.zoho.eu - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"accounts.zoho.eu"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300505; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - accounts.zoho.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"accounts.zoho.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300506; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - premiumize.me - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"premiumize.me"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300507; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - seafile.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"seafile.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300508; rev:1; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - ufile.io - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"ufile.io"; nocase; metadata:created_at 2022_11_17, updated_at 2022_11_17; sid:3300509; rev:1; classtype:bad-unknown;)
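# file.io. As a bare substring this rule also fired on ufile.io (sid 3300509) and gofile.io
# (sid 3300467), giving two alerts per query. dotprefix + endswith restrict it to file.io and
# its subdomains. www.file.io is still matched by sid 3300406 as well, so that one name keeps
# raising two alerts until the older rule is retired.
# NOTE(review): bump rev/updated_at when merging.
alert dns any any -> any any (msg:"πΎ - β DNS Request π - file.io - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns.query; dotprefix; content:".file.io"; nocase; endswith; metadata:created_at 2022_11_17, updated_at 2023_08_18; sid:3300510; rev:2; classtype:bad-unknown;)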
alert dns any any -> any any (msg:"πΎ - β DNS Request π - satoshidisk.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"satoshidisk.com"; nocase; metadata:created_at 2023_04_16, updated_at 2023_08_18; sid:3300511; rev:2; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - privatty.com - Data Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; dns_query; content:"privatty.com"; nocase; metadata:created_at 2023_05_09, updated_at 2023_08_18; sid:3300512; rev:2; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - 1ty.me - Data Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; dns_query; content:"1ty.me"; nocase; metadata:created_at 2023_05_09, updated_at 2023_08_18; sid:3300513; rev:2; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - dropmefiles.com - Data Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; dns_query; content:"dropmefiles.com"; nocase; metadata:created_at 2023_05_09, updated_at 2023_08_18; sid:3300514; rev:2; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - filetransfer.io - Data Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; dns_query; content:"filetransfer.io"; nocase; metadata:created_at 2023_05_09, updated_at 2023_08_18; sid:3300515; rev:2; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - qaz.is - Data Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; dns_query; content:"qaz.is"; nocase; metadata:created_at 2023_05_09, updated_at 2023_08_18; sid:3300516; rev:2; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - tempsend.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"tempsend.com"; nocase; metadata:created_at 2023_06_28, updated_at 2023_08_18; sid:3300517; rev:2; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - transfert-my-files.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"transfert-my-files.com"; nocase; metadata:created_at 2023_06_28, updated_at 2023_08_18; sid:3300518; rev:2; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - sendbig.com - Data Sharing solution π - Possible Leak π± - used by π LockBit Ransomware Group"; flow:to_server, stateless; dns_query; content:"sendbig.com"; nocase; metadata:created_at 2023_08_18, updated_at 2023_08_18; sid:3300519; rev:2; classtype:bad-unknown;)
alert dns any any -> any any (msg:"πΎ - β DNS Request π - filesharing.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; dns_query; content:"filesharing.com"; nocase; metadata:created_at 2024_04_27, updated_at 2024_04_27; sid:3301786; rev:1; classtype:bad-unknown;)
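### TLS SNI ###
# Each rule below is a case-insensitive substring match on the server name sent in the
# TLS ClientHello. Many of these services also have legitimate uses, so an alert means
# "connection to a file-sharing host", not a confirmed leak; a handshake that carries no
# SNI, or hides it, will not match.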
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - swisstransfer.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"swisstransfer.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300520; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - 1fichier.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"1fichier.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300521; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - 2shared.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"2shared.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300522; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - 4shared.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"4shared.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300523; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - anonfiles.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"anonfiles.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300524; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - bayfiles.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"bayfiles.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300525; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - box.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:".box.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300526; rev:3; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - datafilehost.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"datafilehost.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300527; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - delafil.se - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"delafil.se"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300528; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - depositfiles.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"depositfiles.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300529; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - disroot.org - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"disroot.org"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300530; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - drop.chapril.org - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"drop.chapril.org"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300531; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - dropbox.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"dropbox.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300532; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - easybytez.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"easybytez.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300533; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - ethibox.fr - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"ethibox.fr"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300534; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - file.io - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"www.file.io"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300535; rev:3; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - file2send.eu - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"file2send.eu"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300536; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - fileburst.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"fileburst.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300537; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - filecargo.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"filecargo.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300538; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - filecentral.se - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"filecentral.se"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300539; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - filedropper.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"filedropper.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300540; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - filefactory.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"filefactory.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300541; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - fileflyer.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"fileflyer.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300542; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - filemail.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"filemail.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300543; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - filerio.in - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"filerio.in"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300544; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - files.fm - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"files.fm"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300545; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - filesanywhere.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"filesanywhere.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300546; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - fromsmash.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"fromsmash.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300547; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - gofile.io - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"gofile.io"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300548; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - grosfichiers.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"grosfichiers.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300549; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - hightail.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"hightail.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300550; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - hitfile.net - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"hitfile.net"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300551; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - howfile.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"howfile.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300552; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - infini.fr - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"infini.fr"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300553; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - jirafeau.net - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"jirafeau.net"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300554; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - jumpshare.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"jumpshare.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300555; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - letscrate.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"letscrate.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300556; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - lufi.nomagic.uk - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"lufi.nomagic.uk"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300557; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - mediafire.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"mediafire.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300558; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - mega.co.nz - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"mega.co.nz"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300559; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - mega.io - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"mega.io"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300560; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - mega.nz - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"mega.nz"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300561; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - netkups.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"netkups.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300562; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - novafile.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"novafile.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300563; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - nuage.parinux.org - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"nuage.parinux.org"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300564; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - nullfix.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"nullfix.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300565; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - pcloud.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"pcloud.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300566; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - prefiles.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"prefiles.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300567; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - rapidgator.net - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"rapidgator.net"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300568; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - sans-nuage.fr - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"sans-nuage.fr"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300569; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - securesha.re - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"securesha.re"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300570; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - sendmyway.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"sendmyway.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300571; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - sendspace.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"sendspace.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300572; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - spicyfile.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"spicyfile.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300573; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - sprend.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"sprend.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300574; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - telxsendit.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"telxsendit.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300575; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - terashare.net - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"terashare.net"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300576; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - tinyupload.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"tinyupload.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300577; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - transfernow.net - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"transfernow.net"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300578; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - turbobit.net - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"turbobit.net"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300579; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - tusfiles.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"tusfiles.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300580; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - uploaded.net - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"uploaded.net"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300581; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - uptobox.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"uptobox.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300582; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - volafile.org - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"volafile.org"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300583; rev:2; classtype:bad-unknown;)
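# WeTransfer short-link domain. "we.tl" is only five characters, and a bare content
# match fires on any SNI that contains it anywhere. The pcre limits the match to
# we.tl itself and its subdomains; content is kept as the prefilter.
# rev bumped for the signature change; set updated_at when this is committed.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - we.tl (We Transfer) - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"we.tl"; nocase; pcre:"/(?:^|\.)we\.tl$/i"; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300584; rev:3; classtype:bad-unknown;)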
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - wetransfer.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"wetransfer.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300585; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - wetransfer.net - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"wetransfer.net"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300586; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - zaclys.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"zaclys.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300587; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - zippyshare.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"zippyshare.com"; nocase; metadata:created_at 2021_12_06, updated_at 2024_04_29; sid:3300588; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - privatlab.net - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"privatlab.net"; nocase; metadata:created_at 2022_02_08, updated_at 2024_04_29; sid:3300589; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - fex.net - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"fex.net"; nocase; metadata:created_at 2022_02_08, updated_at 2024_04_29; sid:3300590; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - transfer.sh - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"transfer.sh"; nocase; metadata:created_at 2022_02_08, updated_at 2024_04_29; sid:3300591; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - send.exploit.in - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"send.exploit.in"; nocase; metadata:created_at 2022_02_08, updated_at 2024_04_29; sid:3300592; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - qaz.su - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; tls_sni; content:"qaz.su"; nocase; metadata:created_at 2022_03_04, updated_at 2024_04_29; sid:3300593; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - qaz.im - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; tls_sni; content:"qaz.im"; nocase; metadata:created_at 2022_03_04, updated_at 2024_04_29; sid:3300594; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - upload.prntscr.com - Lightshot Print Screen Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; tls_sni; content:"upload.prntscr.com"; nocase; metadata:created_at 2022_03_04, updated_at 2024_04_29; sid:3300595; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - dropfiles.me - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; tls_sni; content:"dropfiles.me"; nocase; metadata:created_at 2022_03_04, updated_at 2024_04_29; sid:3300596; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - privatlab.com - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; tls_sni; content:"privatlab.com"; nocase; metadata:created_at 2022_03_04, updated_at 2024_04_29; sid:3300597; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - temp.sh - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; tls_sni; content:"temp.sh"; nocase; metadata:created_at 2022_03_04, updated_at 2024_04_29; sid:3300598; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - www.handybackup.net - File Sharing solution π - Possible Leak π± - seen in π RagnarLocker Attack"; flow:to_server, stateless; tls_sni; content:"www.handybackup.net"; nocase; reference:url,https://twitter.com/AltShiftPrtScn/status/1403707430765273095; metadata:created_at 2022_03_10, updated_at 2024_04_29; sid:3300599; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - workupload.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"workupload.com"; nocase; metadata:created_at 2022_06_16, updated_at 2022_06_16; sid:3300600; rev:1; classtype:bad-unknown;)
# NOTE(review): this server name also contains "uptobox.com", so the generic
# uptobox.com rule (sid:3300582) fires on the same handshake and each hit yields two
# alerts. The rule keys on the TLS server name only; whether the session is actually
# FTP over TLS is not checked here.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - ftp.uptobox.com - FTP Upload to File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"ftp.uptobox.com"; nocase; metadata:created_at 2022_08_17, updated_at 2022_08_17; sid:3300601; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - ghostbin.me - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"ghostbin.me"; nocase; metadata:created_at 2022_09_05, updated_at 2022_09_05; sid:3300602; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - hidrive.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"hidrive.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300603; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - backblaze.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"backblaze.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300604; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - sharefile.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"sharefile.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300605; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - jottacloud.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"jottacloud.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300606; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - hubic.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"hubic.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300607; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - shadow.tech - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"shadow.tech"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300608; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - koofr.net - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"koofr.net"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300609; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - koofr.eu - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"koofr.eu"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300610; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - cloud.mail.ru - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"cloud.mail.ru"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300611; rev:1; classtype:bad-unknown;)
# NOTE(review): azure.microsoft.com looks like the Azure product site; storage uploads
# presumably go to other hostnames (e.g. *.blob.core.windows.net) that this substring
# does not cover — confirm which hosts should be watched.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - azure.microsoft.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"azure.microsoft.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300612; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - onedrive.live.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"onedrive.live.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300613; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - opendrive.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"opendrive.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300614; rev:1; classtype:bad-unknown;)
# NOTE(review): openstack.org appears to be the project's own website; OpenStack object
# storage endpoints are normally operator-specific hostnames, so this rule presumably
# does not see storage traffic — confirm the intended coverage.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - openstack.org - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"openstack.org"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300615; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - rackspace.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"rackspace.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300616; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - memset.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"memset.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300617; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - put.io - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"put.io"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300618; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - qingcloud.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"qingcloud.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300619; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - sia.tech - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"sia.tech"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300620; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - saicloud.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"saicloud.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300621; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - storj.io - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"storj.io"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300622; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - sugarsync.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"sugarsync.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300623; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - disk.yandex.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"disk.yandex.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300624; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - accounts.zoho.eu - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"accounts.zoho.eu"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300625; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - accounts.zoho.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"accounts.zoho.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300626; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - premiumize.me - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"premiumize.me"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300627; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - seafile.com - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"seafile.com"; nocase; metadata:created_at 2022_10_15, updated_at 2022_10_15; sid:3300628; rev:1; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - ufile.io - Data Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"ufile.io"; nocase; metadata:created_at 2022_11_17, updated_at 2022_11_17; sid:3300629; rev:1; classtype:bad-unknown;)
# Outbound TLS SNI rules for anonymous / one-shot file-sharing sites
# (sid 3300630-3300635). Four of them carry a Conti leak attribution in msg.
# NOTE(review): content:"file.io" is an unanchored substring, so an SNI of
# "ufile.io" fires this rule as well as sid 3300629, and any other host name
# containing "file.io" fires it too. Expect duplicate and false-positive
# alerts until the match is anchored to the end of the SNI.
# NOTE(review): the ransomware attribution in msg describes where the domain
# was observed, not what this particular connection is - triage with host and
# volume context (bytes out, process, user) before treating it as exfiltration.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - file.io - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"file.io"; nocase; metadata:created_at 2022_11_17, updated_at 2023_08_18; sid:3300630; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - satoshidisk.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"satoshidisk.com"; nocase; metadata:created_at 2023_04_16, updated_at 2023_08_18; sid:3300631; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - privatty.com - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; tls_sni; content:"privatty.com"; nocase; metadata:created_at 2023_05_09, updated_at 2023_08_18; sid:3300632; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - 1ty.me - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; tls_sni; content:"1ty.me"; nocase; metadata:created_at 2023_05_09, updated_at 2023_08_18; sid:3300633; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - dropmefiles.com - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; tls_sni; content:"dropmefiles.com"; nocase; metadata:created_at 2023_05_09, updated_at 2023_08_18; sid:3300634; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - filetransfer.io - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; tls_sni; content:"filetransfer.io"; nocase; metadata:created_at 2023_05_09, updated_at 2023_08_18; sid:3300635; rev:2; classtype:bad-unknown;)
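# qaz.is SNI rule. `nocase` added so the match is case-insensitive like the
# other SNI rules in this file; without it a client sending a mixed-case SNI
# would not be detected. rev bumped for the change - set updated_at to the
# commit date when merging. The match is still an unanchored substring.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - qaz.is - File Sharing solution π - Possible Leak π± - seen in π Conti Ransomware Leak"; flow:to_server, stateless; tls_sni; content:"qaz.is"; nocase; metadata:created_at 2023_05_09, updated_at 2023_08_18; sid:3300636; rev:3; classtype:bad-unknown;)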
# Further outbound TLS SNI rules for file-sharing sites (sid 3300637-3300639
# and 3301787). Same shape as the rules above: to_server, substring match on
# the SNI, case-insensitive.
# NOTE(review): sid 3301787 is out of sequence with its neighbours; check the
# sid is unique across the whole ruleset before deploying.
# NOTE(review): sid 3300639 has created_at equal to updated_at but rev:2 -
# confirm the metadata matches the rule's actual revision history.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - tempsend.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"tempsend.com"; nocase; metadata:created_at 2023_06_28, updated_at 2023_08_18; sid:3300637; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - transfert-my-files.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"transfert-my-files.com"; nocase; metadata:created_at 2023_06_28, updated_at 2023_08_18; sid:3300638; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - sendbig.com - File Sharing solution π - Possible Leak π± - used by π LockBit Ransomware Group"; flow:to_server, stateless; tls_sni; content:"sendbig.com"; nocase; metadata:created_at 2023_08_18, updated_at 2023_08_18; sid:3300639; rev:2; classtype:bad-unknown;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π TLS connection to (sni) - filesharing.com - File Sharing solution π - Possible Leak π±"; flow:to_server, stateless; tls_sni; content:"filesharing.com"; nocase; metadata:created_at 2024_04_27, updated_at 2024_04_27; sid:3301787; rev:1; classtype:bad-unknown;)
### TLS Certificate ###
# Server-certificate rules: each matches a subject string (CN=...) in the
# certificate presented by $EXTERNAL_NET to $HOME_NET.
# sid 3300640-3300644 have no flow keyword; sid 3300645-3300646 add
# flow:to_client, stateless.
# NOTE(review): the msg on 3300640-3300644 says "Upload", but the only thing
# matched is the server certificate, which is the same for uploads, downloads
# and plain browsing. Treat a hit as "host contacted" and confirm direction
# and volume from flow records.
# NOTE(review): TLS 1.3 encrypts the server Certificate message, so
# tls.cert_subject cannot match on TLS 1.3 sessions. Pair each of these with
# an SNI rule for the same provider, or coverage silently drops.
# NOTE(review): the CN values are tied to the certificate each provider served
# when the rule was written; re-validate them periodically.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious File π Upload β using Anonfiles API - Possible Leak π± / Malware πΎ"; tls.cert_subject; content:"CN=api.anonfiles.com"; nocase; reference:url,https://anonfiles.com/docs/api; metadata:created_at 2021_08_16, updated_at 2021_08_16; sid:3300640; rev:1; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious File π Upload β using Bayfiles API - Possible Leak π± / Malware πΎ"; tls.cert_subject; content:"CN=api.bayfiles.com"; nocase; reference:url,https://bayfiles.com/docs/api; metadata:created_at 2021_08_16, updated_at 2021_08_16; sid:3300641; rev:1; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious File π Upload β using Mega API - Possible Leak π± / Malware πΎ"; tls.cert_subject; content:"CN=*.userstorage.mega.co.nz"; nocase; reference:url,https://mega.io/doc; metadata:created_at 2021_08_16, updated_at 2021_08_16; sid:3300642; rev:2; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious File π Upload β using MegaSync Application - Possible Leak π± / Malware πΎ"; tls.cert_subject; content:"CN=*.api.mega.co.nz"; nocase; reference:url,https://mega.io/doc; metadata:created_at 2022_02_08, updated_at 2022_02_08; sid:3300643; rev:1; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - π¨ Suspicious File π Upload β using Sendspace API - Possible Leak π± / Malware πΎ"; tls.cert_subject; content:"CN=*.sendspace.com"; nocase; reference:url,https://www.sendspace.com/dev_howto.html; metadata:created_at 2021_08_16, updated_at 2021_08_16; sid:3300644; rev:1; classtype:policy-violation;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - β TLS Connection - pcloud.com - File Sharing solution π - Possible Leak π±"; flow:to_client, stateless; tls.cert_subject; content:"CN=*.pcloud.com"; nocase; metadata:created_at 2021_09_01, updated_at 2024_02_08; sid:3300645; rev:3; classtype:bad-unknown;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - β TLS Connection - dropbox.com - File Sharing solution π - Possible Leak π±"; flow:to_client, stateless; tls.cert_subject; content:"CN=*.dropbox.com"; nocase; metadata:created_at 2021_09_01, updated_at 2024_02_08; sid:3300646; rev:3; classtype:bad-unknown;)
# JA3 client-fingerprint rule: alerts when a TLS client in $HOME_NET presents
# the listed JA3 hash. The threshold limits output to one alert per source
# address per 86400 seconds (24 h).
# NOTE(review): a JA3 hash describes the ClientHello shape of a TLS stack, not
# a single application; other software built on the same library and settings
# can share it, and a client update can change it. The msg states "Leak"
# without qualification - treat a hit as a lead and corroborate with the
# destination (SNI / certificate) before acting.
# NOTE(review): presumably requires JA3 fingerprinting to be enabled in the
# engine configuration - confirm on the sensors that load this file.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - β Pcloud File Sharing Agent - Leak π±"; threshold: type limit, track by_src,count 1, seconds 86400; ja3_hash; content:"0e0112f1e6cecc6f6751fe1195f9f17c"; metadata: former_category JA3; metadata:created_at 2021_09_07, updated_at 2021_09_07; sid:3300647; rev:1; classtype:policy-violation;)
# Server-certificate subject rules (sid 3300648-3300651): match the CN of the
# certificate sent to $HOME_NET, flow:to_client, case-insensitive.
# NOTE(review): these depend on seeing the server Certificate in clear, which
# is not the case on TLS 1.3 sessions; without a matching SNI rule for the
# same provider, such sessions will not alert.
# NOTE(review): content is a substring of the subject string, so
# "CN=wetransfer.com" would also match a longer CN that begins with it.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - β TLS Connection - gofile.io - File Sharing solution π - Possible Leak π±"; flow:to_client, stateless; tls.cert_subject; content:"CN=*.gofile.io"; nocase; metadata:created_at 2021_09_30, updated_at 2024_02_08; sid:3300648; rev:2; classtype:bad-unknown;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - β TLS Connection - securesha.re - File Sharing solution π - Possible Leak π±"; flow:to_client, stateless; tls.cert_subject; content:"CN=securesha.re"; nocase; metadata:created_at 2021_10_06, updated_at 2024_02_08; sid:3300649; rev:2; classtype:bad-unknown;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - β TLS Connection - wetransfer.com - File Sharing solution π - Possible Leak π±"; flow:to_client, stateless; tls.cert_subject; content:"CN=wetransfer.com"; nocase; metadata:created_at 2021_09_01, updated_at 2024_02_08; sid:3300650; rev:3; classtype:bad-unknown;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"πΎ - β TLS Connection - wetransfer.net - File Sharing solution π - Possible Leak π±"; flow:to_client, stateless; tls.cert_subject; content:"CN=wetransfer.net"; nocase; metadata:created_at 2021_09_09, updated_at 2024_02_08; sid:3300651; rev:3; classtype:bad-unknown;)