├── .gitignore
├── LICENSE
├── README.md
└── src
    ├── file-transfer.lst
    ├── mail.lst
    ├── messaging.lst
    ├── opnsense.file_transfer.rules
    ├── opnsense.mail.rules
    ├── opnsense.malware_ja3.rules
    ├── opnsense.media_streaming.rules
    ├── opnsense.messaging.rules
    ├── opnsense.social_media.rules
    ├── opnsense.test.rules
    ├── opnsense.uncategorized.rules
    ├── social-media.lst
    ├── steaming-media.lst
    └── uncategorized.lst

/.gitignore:
--------------------------------------------------------------------------------
*/*/work
*.pyc
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
BSD 2-Clause License

Copyright (c) 2017, OPNsense
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# OPNsense Suricata Application Detection

## Welcome to the OPNsense IDS/IPS Application Detection rules!

If you are searching for an easy way to block specific applications like Youtube or Netflix, this is the right resource for you.

We have sorted the rules into six categories:

```
file-transfer (file sharing in general)
media-streaming (streaming, like youtube or shoutcast)
social-networking (facebook, google+)
messaging (ICQ, whatsapp)
mail (gmail, yahoo mail, mail.ru)
uncategorized (Zynga, Amazon, etc. Please add your favorites)
```

To add more applications to the ruleset, please fork this repository and edit only the .lst files.
The content of the files (e.g. messaging.lst) looks like this:

```
ICQ_WebClient messaging icq.com
```

Each line holds first the name of the application (join multiple words with underscores),
then the category, which must be the same for every line of a file, and then the URL to block.

If one application uses more than one URL, like Dropbox, you can add as many lines as you
need, but keep the name identical on every line!

Order matters most when editing .lst files.
Always append new entries at the end; sorting is not possible, because our rule generator
numbers the rules one up from the previous entry, so reordering would mix up your existing configuration.

Feel free to add new applications and rules to our ruleset!

--------------------------------------------------------------------------------

/src/file-transfer.lst:
--------------------------------------------------------------------------------
4shared file-transfer 4shared.com
Bigupload file-transfer bigupload.com
Bigupload file-transfer bigupload.net
Box.net file-transfer box.net
Clubbox file-transfer clubbox.co.kr
Datei.to file-transfer datei.to
Depositfiles file-transfer depositfiles.com
Divshare file-transfer divshare.com
Dropbox file-transfer dropboxusercontent.com
Dropbox file-transfer dropbox.com
Dropbox file-transfer dropboxapi.com
Extratorrent file-transfer extratorrent.cc
Filer.cx file-transfer filer.cx
Filesonic file-transfer filesonic.com
Hotfile file-transfer hotfile.com
ifile.it file-transfer ifile.it
Kickasstorrents file-transfer kickass.to
Kickasstorrents file-transfer kickasstorrents.eu
Kickasstorrents file-transfer kickass.so
Kickasstorrents file-transfer kickass.cr
Kickasstorrents file-transfer kickasstorrents.to
Kickasstorrents file-transfer kickass.cd
Kickasstorrents file-transfer kickass.mx
Kickasstorrents file-transfer kickass.la
Mediafire file-transfer mediafire.com
Mega file-transfer mega.nz
Mega file-transfer mega.co.nz
Mega file-transfer megaupload.com
Mega file-transfer megaproxy.com
Mega file-transfer megashare.com
Mega file-transfer megavideo.com
Oboom file-transfer oboom-premium.com
Rutracker file-transfer rutracker.org
SkyDrive file-transfer skydrive.live.com
Torrentz.eu file-transfer torrentz.eu
Uploaded file-transfer uploaded.net
WeTransfer file-transfer wetransfer.com
Xunlei file-transfer xunlei.com
Zippyshare file-transfer zippyshare.com
Share-Online file-transfer share-online.biz
load.to file-transfer load.to
anonfile file-transfer anonfile.com
rapidgator file-transfer rapidgator.net
filefactory file-transfer filefactory.com
turbobit file-transfer turbobit.net
1fichier file-transfer 1fichier.com
hugefiles file-transfer hugefiles.cc
2shared file-transfer 2shared.com
free.fr file-transfer dl.free.fr
grosfichier file-transfer grosfichiers.com
--------------------------------------------------------------------------------

/src/mail.lst:
--------------------------------------------------------------------------------
Outlook.com mail outlook.com
Outlook.com mail outlook.office365.com
Outlook.com mail outlook.office.com
Outlook.com mail outlook.live.com
Hotmail mail outlook.live.com
GMX mail gmx.de
GMX mail gmx.at
GMX mail gmx.ch
GMX mail gmx.co
GMX mail gmx.net
GMX mail gmx.co.uk
mail.ru mail mail.ru
mail.ru mail attachmail.ru
mail.ru mail imgsmail.ru
Gmail mail mail.google.com
Gmail mail gmail.com
Yahoo_Mail mail mail.yahoo.com
Yahoo_Mail mail mail.yahoo.de
AOL_Mail mail login.aol.com
AOL_Mail mail mail.aol.de
AOL_Mail mail mail.aol.in
AOL_Mail mail mail.aol.com
AOL_Mail mail mail.aol.ca
AOL_Mail mail mail.aol.in
AOL_Mail mail mail.aol.fr
AOL_Mail mail mail.aol.jp
Apple_Mail mail mail.me.com
Hushmail mail hushmail.com
T-Online_Mail mail e-mail.t-online.de
--------------------------------------------------------------------------------

/src/messaging.lst:
--------------------------------------------------------------------------------
050Plus messaging 050plus.com
CiscoJabberVideo messaging ciscojabbervideo.com
Citrix_Online messaging citrixonline.com
Citrix_Online messaging citrixonlinecdn.com
Dingtalk messaging im.dingtalk.com
Dingtalk messaging dingtalkapps.com
GaduGadu messaging gg.pl
GaduGadu messaging gadu-gadu.pl
Google_Duo messaging duo.google.com
Google_Hangouts messaging hangouts.google.com
Google_Talk messaging talk.google.com
ICQ_WebClient messaging icq.com
IMO.IM messaging imo.im
Kik_Messenger messaging apikik.com
Kik_Messenger messaging kik.com
Livemeeting messaging livemeeting.com
Meebo messaging meebo.com
Net2Phone messaging net2phone.com
WeChat messaging wechat.com
WeChat messaging weixin.qq.com
YiXin messaging yixin.im
WhatsApp messaging whatsapp.com
WhatsApp messaging whatsapp.net
--------------------------------------------------------------------------------

/src/opnsense.file_transfer.rules:
--------------------------------------------------------------------------------
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - 4shared - DNS request for 4shared.com"; dns_query; content:"4shared.com"; nocase; classtype:file-transfer; sid:53000000;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - 4shared - Related URL (4shared.com)"; content:"4shared.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000001; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - 4shared - Related TLS SNI (4shared.com)"; tls_sni; content:"4shared.com";flow:to_server,established; classtype:file-transfer; sid:53000002; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Bigupload - DNS request for bigupload.com"; dns_query; content:"bigupload.com"; nocase; classtype:file-transfer; sid:53000003;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Bigupload - Related URL (bigupload.com)"; content:"bigupload.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000004; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Bigupload - Related TLS SNI (bigupload.com)"; tls_sni; content:"bigupload.com";flow:to_server,established; classtype:file-transfer; sid:53000005; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Bigupload - DNS request for bigupload.net"; dns_query; content:"bigupload.net"; nocase; classtype:file-transfer; sid:53000006;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Bigupload - Related URL (bigupload.net)"; content:"bigupload.net"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000007; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Bigupload - Related TLS SNI (bigupload.net)"; tls_sni; content:"bigupload.net";flow:to_server,established; classtype:file-transfer; sid:53000008; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Box.net - DNS request for box.net"; dns_query; content:"box.net"; nocase; classtype:file-transfer; sid:53000009;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Box.net - Related URL (box.net)"; content:"box.net"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000010; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Box.net - Related TLS SNI (box.net)"; tls_sni; content:"box.net";flow:to_server,established; classtype:file-transfer; sid:53000011; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Clubbox - DNS request for clubbox.co.kr"; dns_query; content:"clubbox.co.kr"; nocase; classtype:file-transfer; sid:53000012;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Clubbox - Related URL (clubbox.co.kr)"; content:"clubbox.co.kr"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000013; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Clubbox - Related TLS SNI (clubbox.co.kr)"; tls_sni; content:"clubbox.co.kr";flow:to_server,established; classtype:file-transfer; sid:53000014; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Datei.to - DNS request for datei.to"; dns_query; content:"datei.to"; nocase; classtype:file-transfer; sid:53000015;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Datei.to - Related URL (datei.to)"; content:"datei.to"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000016; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Datei.to - Related TLS SNI (datei.to)"; tls_sni; content:"datei.to";flow:to_server,established; classtype:file-transfer; sid:53000017; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Depositfiles - DNS request for depositfiles.com"; dns_query; content:"depositfiles.com"; nocase; classtype:file-transfer; sid:53000018;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Depositfiles - Related URL (depositfiles.com)"; content:"depositfiles.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000019; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Depositfiles - Related TLS SNI (depositfiles.com)"; tls_sni; content:"depositfiles.com";flow:to_server,established; classtype:file-transfer; sid:53000020; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Divshare - DNS request for divshare.com"; dns_query; content:"divshare.com"; nocase; classtype:file-transfer; sid:53000021;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Divshare - Related URL (divshare.com)"; content:"divshare.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000022; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Divshare - Related TLS SNI (divshare.com)"; tls_sni; content:"divshare.com";flow:to_server,established; classtype:file-transfer; sid:53000023; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Dropbox - DNS request for dropboxusercontent.com"; dns_query; content:"dropboxusercontent.com"; nocase; classtype:file-transfer; sid:53000024;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Dropbox - Related URL (dropboxusercontent.com)"; content:"dropboxusercontent.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000025; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Dropbox - Related TLS SNI (dropboxusercontent.com)"; tls_sni; content:"dropboxusercontent.com";flow:to_server,established; classtype:file-transfer; sid:53000026; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Dropbox - DNS request for dropbox.com"; dns_query; content:"dropbox.com"; nocase; classtype:file-transfer; sid:53000027;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Dropbox - Related URL (dropbox.com)"; content:"dropbox.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000028; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Dropbox - Related TLS SNI (dropbox.com)"; tls_sni; content:"dropbox.com";flow:to_server,established; classtype:file-transfer; sid:53000029; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Dropbox - DNS request for dropboxapi.com"; dns_query; content:"dropboxapi.com"; nocase; classtype:file-transfer; sid:53000030;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Dropbox - Related URL (dropboxapi.com)"; content:"dropboxapi.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000031; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Dropbox - Related TLS SNI (dropboxapi.com)"; tls_sni; content:"dropboxapi.com";flow:to_server,established; classtype:file-transfer; sid:53000032; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Extratorrent - DNS request for extratorrent.cc"; dns_query; content:"extratorrent.cc"; nocase; classtype:file-transfer; sid:53000033;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Extratorrent - Related URL (extratorrent.cc)"; content:"extratorrent.cc"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000034; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Extratorrent - Related TLS SNI (extratorrent.cc)"; tls_sni; content:"extratorrent.cc";flow:to_server,established; classtype:file-transfer; sid:53000035; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Filer.cx - DNS request for filer.cx"; dns_query; content:"filer.cx"; nocase; classtype:file-transfer; sid:53000036;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Filer.cx - Related URL (filer.cx)"; content:"filer.cx"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000037; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Filer.cx - Related TLS SNI (filer.cx)"; tls_sni; content:"filer.cx";flow:to_server,established; classtype:file-transfer; sid:53000038; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Filesonic - DNS request for filesonic.com"; dns_query; content:"filesonic.com"; nocase; classtype:file-transfer; sid:53000039;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Filesonic - Related URL (filesonic.com)"; content:"filesonic.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000040; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Filesonic - Related TLS SNI (filesonic.com)"; tls_sni; content:"filesonic.com";flow:to_server,established; classtype:file-transfer; sid:53000041; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Hotfile - DNS request for hotfile.com"; dns_query; content:"hotfile.com"; nocase; classtype:file-transfer; sid:53000042;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Hotfile - Related URL (hotfile.com)"; content:"hotfile.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000043; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Hotfile - Related TLS SNI (hotfile.com)"; tls_sni; content:"hotfile.com";flow:to_server,established; classtype:file-transfer; sid:53000044; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - ifile.it - DNS request for ifile.it"; dns_query; content:"ifile.it"; nocase; classtype:file-transfer; sid:53000045;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - ifile.it - Related URL (ifile.it)"; content:"ifile.it"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000046; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - ifile.it - Related TLS SNI (ifile.it)"; tls_sni; content:"ifile.it";flow:to_server,established; classtype:file-transfer; sid:53000047; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Kickasstorrents - DNS request for kickass.to"; dns_query; content:"kickass.to"; nocase; classtype:file-transfer; sid:53000048;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Kickasstorrents - Related URL (kickass.to)"; content:"kickass.to"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000049; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Kickasstorrents - Related TLS SNI (kickass.to)"; tls_sni; content:"kickass.to";flow:to_server,established; classtype:file-transfer; sid:53000050; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Kickasstorrents - DNS request for kickasstorrents.eu"; dns_query; content:"kickasstorrents.eu"; nocase; classtype:file-transfer; sid:53000051;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Kickasstorrents - Related URL (kickasstorrents.eu)"; content:"kickasstorrents.eu"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000052; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Kickasstorrents - Related TLS SNI (kickasstorrents.eu)"; tls_sni; content:"kickasstorrents.eu";flow:to_server,established; classtype:file-transfer; sid:53000053; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Kickasstorrents - DNS request for kickass.so"; dns_query; content:"kickass.so"; nocase; classtype:file-transfer; sid:53000054;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Kickasstorrents - Related URL (kickass.so)"; content:"kickass.so"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000055; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Kickasstorrents - Related TLS SNI (kickass.so)"; tls_sni; content:"kickass.so";flow:to_server,established; classtype:file-transfer; sid:53000056; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Kickasstorrents - DNS request for kickass.cr"; dns_query; content:"kickass.cr"; nocase; classtype:file-transfer; sid:53000057;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Kickasstorrents - Related URL (kickass.cr)"; content:"kickass.cr"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000058; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Kickasstorrents - Related TLS SNI (kickass.cr)"; tls_sni; content:"kickass.cr";flow:to_server,established; classtype:file-transfer; sid:53000059; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Kickasstorrents - DNS request for kickasstorrents.to"; dns_query; content:"kickasstorrents.to"; nocase; classtype:file-transfer; sid:53000060;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Kickasstorrents - Related URL (kickasstorrents.to)"; content:"kickasstorrents.to"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000061; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Kickasstorrents - Related TLS SNI (kickasstorrents.to)"; tls_sni; content:"kickasstorrents.to";flow:to_server,established; classtype:file-transfer; sid:53000062; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Kickasstorrents - DNS request for kickass.cd"; dns_query; content:"kickass.cd"; nocase; classtype:file-transfer; sid:53000063;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Kickasstorrents - Related URL (kickass.cd)"; content:"kickass.cd"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000064; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Kickasstorrents - Related TLS SNI (kickass.cd)"; tls_sni; content:"kickass.cd";flow:to_server,established; classtype:file-transfer; sid:53000065; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Kickasstorrents - DNS request for kickass.mx"; dns_query; content:"kickass.mx"; nocase; classtype:file-transfer; sid:53000066;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Kickasstorrents - Related URL (kickass.mx)"; content:"kickass.mx"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000067; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Kickasstorrents - Related TLS SNI (kickass.mx)"; tls_sni; content:"kickass.mx";flow:to_server,established; classtype:file-transfer; sid:53000068; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Kickasstorrents - DNS request for kickass.la"; dns_query; content:"kickass.la"; nocase; classtype:file-transfer; sid:53000069;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Kickasstorrents - Related URL (kickass.la)"; content:"kickass.la"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000070; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Kickasstorrents - Related TLS SNI (kickass.la)"; tls_sni; content:"kickass.la";flow:to_server,established; classtype:file-transfer; sid:53000071; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Mediafire - DNS request for mediafire.com"; dns_query; content:"mediafire.com"; nocase; classtype:file-transfer; sid:53000072;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Mediafire - Related URL (mediafire.com)"; content:"mediafire.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000073; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Mediafire - Related TLS SNI (mediafire.com)"; tls_sni; content:"mediafire.com";flow:to_server,established; classtype:file-transfer; sid:53000074; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Mega - DNS request for mega.nz"; dns_query; content:"mega.nz"; nocase; classtype:file-transfer; sid:53000075;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Mega - Related URL (mega.nz)"; content:"mega.nz"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000076; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Mega - Related TLS SNI (mega.nz)"; tls_sni; content:"mega.nz";flow:to_server,established; classtype:file-transfer; sid:53000077; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Mega - DNS request for mega.co.nz"; dns_query; content:"mega.co.nz"; nocase; classtype:file-transfer; sid:53000078;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Mega - Related URL (mega.co.nz)"; content:"mega.co.nz"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000079; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Mega - Related TLS SNI (mega.co.nz)"; tls_sni; content:"mega.co.nz";flow:to_server,established; classtype:file-transfer; sid:53000080; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Mega - DNS request for megaupload.com"; dns_query; content:"megaupload.com"; nocase; classtype:file-transfer; sid:53000081;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Mega - Related URL (megaupload.com)"; content:"megaupload.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000082; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Mega - Related TLS SNI (megaupload.com)"; tls_sni; content:"megaupload.com";flow:to_server,established; classtype:file-transfer; sid:53000083; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Mega - DNS request for megaproxy.com"; dns_query; content:"megaproxy.com"; nocase; classtype:file-transfer; sid:53000084;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Mega - Related URL (megaproxy.com)"; content:"megaproxy.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000085; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Mega - Related TLS SNI (megaproxy.com)"; tls_sni; content:"megaproxy.com";flow:to_server,established; classtype:file-transfer; sid:53000086; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Mega - DNS request for megashare.com"; dns_query; content:"megashare.com"; nocase; classtype:file-transfer; sid:53000087;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Mega - Related URL (megashare.com)"; content:"megashare.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000088; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Mega - Related TLS SNI (megashare.com)"; tls_sni; content:"megashare.com";flow:to_server,established; classtype:file-transfer; sid:53000089; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Mega - DNS request for megavideo.com"; dns_query; content:"megavideo.com"; nocase; classtype:file-transfer; sid:53000090;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Mega - Related URL (megavideo.com)"; content:"megavideo.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000091; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Mega - Related TLS SNI (megavideo.com)"; tls_sni; content:"megavideo.com";flow:to_server,established; classtype:file-transfer; sid:53000092; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Oboom - DNS request for oboom-premium.com"; dns_query; content:"oboom-premium.com"; nocase; classtype:file-transfer; sid:53000093;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Oboom - Related URL (oboom-premium.com)"; content:"oboom-premium.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000094; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Oboom - Related TLS SNI (oboom-premium.com)"; tls_sni; content:"oboom-premium.com";flow:to_server,established; classtype:file-transfer; sid:53000095; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Rutracker - DNS request for rutracker.org"; dns_query; content:"rutracker.org"; nocase; classtype:file-transfer; sid:53000096;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Rutracker - Related URL (rutracker.org)"; content:"rutracker.org"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000097; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Rutracker - Related TLS SNI (rutracker.org)"; tls_sni; content:"rutracker.org";flow:to_server,established; classtype:file-transfer; sid:53000098; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - SkyDrive - DNS request for skydrive.live.com"; dns_query; content:"skydrive.live.com"; nocase; classtype:file-transfer; sid:53000099;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - SkyDrive - Related URL (skydrive.live.com)"; content:"skydrive.live.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000100; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - SkyDrive - Related TLS SNI (skydrive.live.com)"; tls_sni; content:"skydrive.live.com";flow:to_server,established; classtype:file-transfer; sid:53000101; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Torrentz.eu - DNS request for torrentz.eu"; dns_query; content:"torrentz.eu"; nocase; classtype:file-transfer; sid:53000102;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Torrentz.eu - Related URL (torrentz.eu)"; content:"torrentz.eu"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000103; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Torrentz.eu - Related TLS SNI (torrentz.eu)"; tls_sni; content:"torrentz.eu";flow:to_server,established; classtype:file-transfer; sid:53000104; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Uploaded - DNS request for uploaded.net"; dns_query; content:"uploaded.net"; nocase; classtype:file-transfer; sid:53000105;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Uploaded - Related URL (uploaded.net)"; content:"uploaded.net"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000106; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Uploaded - Related TLS SNI (uploaded.net)"; tls_sni; content:"uploaded.net";flow:to_server,established; classtype:file-transfer; sid:53000107; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - WeTransfer - DNS request for wetransfer.com"; dns_query; content:"wetransfer.com"; nocase; classtype:file-transfer; sid:53000108;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - WeTransfer - Related URL (wetransfer.com)"; content:"wetransfer.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000109; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - WeTransfer - Related TLS SNI (wetransfer.com)"; tls_sni; content:"wetransfer.com";flow:to_server,established; classtype:file-transfer; sid:53000110; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Xunlei - DNS request for xunlei.com"; dns_query; content:"xunlei.com"; nocase; classtype:file-transfer; sid:53000111;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Xunlei - Related URL (xunlei.com)"; content:"xunlei.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000112; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Xunlei - Related TLS SNI (xunlei.com)"; tls_sni; content:"xunlei.com";flow:to_server,established; classtype:file-transfer; sid:53000113; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_File_Transfer - Zippyshare - DNS request for zippyshare.com"; dns_query; content:"zippyshare.com"; nocase; classtype:file-transfer; sid:53000114;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_File_Transfer - Zippyshare - Related URL (zippyshare.com)"; content:"zippyshare.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000115; rev:1;)
#alert tls any any -> any any (msg:"OPN_File_Transfer - Zippyshare - Related TLS SNI (zippyshare.com)"; tls_sni; content:"zippyshare.com";flow:to_server,established; classtype:file-transfer; sid:53000116; rev:1;)
#alert dns $HOME_NET any -> any 53 (msg:"OPN_File_Transfer - Share-Online - DNS request for share-online.biz"; dns_query; content:"share-online.biz"; nocase; classtype:file-transfer; sid:53000117;)
#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OPN_File_Transfer - Share-Online - Related URL (share-online.biz)"; content:"share-online.biz"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000118; rev:1;)
#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"OPN_File_Transfer - Share-Online - Related TLS SNI (share-online.biz)"; tls_sni; content:"share-online.biz";flow:to_server,established; classtype:file-transfer; sid:53000119; rev:1;)
#alert dns $HOME_NET any -> any 53 (msg:"OPN_File_Transfer - load.to - DNS request for load.to"; dns_query; content:"load.to"; nocase;classtype:file-transfer; sid:53000120;)
#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OPN_File_Transfer - load.to - Related URL (load.to)"; content:"load.to"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000121; rev:1;)
#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"OPN_File_Transfer - load.to - Related TLS SNI (load.to)"; tls_sni; content:"load.to";flow:to_server,established; classtype:file-transfer; sid:53000122; rev:1;)
#alert dns $HOME_NET any -> any 53 (msg:"OPN_File_Transfer - anonfile - DNS request for anonfile.com"; dns_query; content:"anonfile.com"; nocase; classtype:file-transfer; sid:53000123;)
#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OPN_File_Transfer - anonfile - Related URL (anonfile.com)"; content:"anonfile.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000124; rev:1;)
#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"OPN_File_Transfer - anonfile - Related TLS SNI (anonfile.com)"; tls_sni; content:"anonfile.com";flow:to_server,established; classtype:file-transfer; sid:53000125; rev:1;)
#alert dns $HOME_NET any -> any 53 (msg:"OPN_File_Transfer - rapidgator - DNS request for rapidgator.net"; dns_query; content:"rapidgator.net"; nocase; classtype:file-transfer; sid:53000126;)
#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OPN_File_Transfer - rapidgator - Related URL (rapidgator.net)"; content:"rapidgator.net"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000127; rev:1;)
#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"OPN_File_Transfer - rapidgator - Related TLS SNI (rapidgator.net)"; tls_sni; content:"rapidgator.net";flow:to_server,established; classtype:file-transfer; sid:53000128; rev:1;)
#alert dns $HOME_NET any -> any 53 (msg:"OPN_File_Transfer - filefactory - DNS
request for filefactory.com"; dns_query; content:"filefactory.com"; nocase; classtype:file-transfer; sid:53000129;) 131 | #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OPN_File_Transfer - filefactory - Related URL (filefactory.com)"; content:"filefactory.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000130; rev:1;) 132 | #alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"OPN_File_Transfer - filefactory - Related TLS SNI (filefactory.com)"; tls_sni; content:"filefactory.com";flow:to_server,established; classtype:file-transfer; sid:53000131; rev:1;) 133 | #alert dns $HOME_NET any -> any 53 (msg:"OPN_File_Transfer - turbobit - DNS request for turbobit.net"; dns_query; content:"turbobit.net"; nocase; classtype:file-transfer; sid:53000132;) 134 | #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OPN_File_Transfer - turbobit - Related URL (turbobit.net)"; content:"turbobit.net"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000133; rev:1;) 135 | #alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"OPN_File_Transfer - turbobit - Related TLS SNI (turbobit.net)"; tls_sni; content:"turbobit.net";flow:to_server,established; classtype:file-transfer; sid:53000134; rev:1;) 136 | #alert dns $HOME_NET any -> any 53 (msg:"OPN_File_Transfer - 1fichier - DNS request for 1fichier.com"; dns_query; content:"1fichier.com"; nocase; classtype:file-transfer; sid:53000135;) 137 | #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OPN_File_Transfer - 1fichier - Related URL (1fichier.com)"; content:"1fichier.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000136; rev:1;) 138 | #alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"OPN_File_Transfer - 1fichier - Related TLS SNI (1fichier.com)"; tls_sni; content:"1fichier.com";flow:to_server,established; classtype:file-transfer; sid:53000137; rev:1;) 139 | #alert dns $HOME_NET any -> any 53 (msg:"OPN_File_Transfer - hugefiles - DNS 
request for hugefiles.cc"; dns_query; content:"hugefiles.cc"; nocase; classtype:file-transfer; sid:53000138;) 140 | #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OPN_File_Transfer - hugefiles - Related URL (hugefiles.cc)"; content:"hugefiles.cc"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000139; rev:1;) 141 | #alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"OPN_File_Transfer - hugefiles - Related TLS SNI (hugefiles.cc)"; tls_sni; content:"hugefiles.cc";flow:to_server,established; classtype:file-transfer; sid:53000140; rev:1;) 142 | #alert dns $HOME_NET any -> any 53 (msg:"OPN_File_Transfer - 2shared - DNS request for 2shared.com"; dns_query; content:"2shared.com"; nocase; classtype:file-transfer; sid:53000141;) 143 | #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OPN_File_Transfer - 2shared - Related URL (2shared.com)"; content:"2shared.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000142; rev:1;) 144 | #alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"OPN_File_Transfer - 2shared - Related TLS SNI (2shared.com)"; tls_sni; content:"2shared.com";flow:to_server,established; classtype:file-transfer; sid:53000143; rev:1;) 145 | #alert dns $HOME_NET any -> any 53 (msg:"surigen - free.fr - DNS request for dl.free.fr"; dns_query; content:"dl.free.fr"; nocase; classtype:file-transfer; sid:53000144;) 146 | #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"surigen - free.fr - Related URL (dl.free.fr)"; content:"dl.free.fr"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000145; rev:1;) 147 | #alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"surigen - free.fr - Related TLS SNI (dl.free.fr)"; tls_sni; content:"dl.free.fr";flow:to_server,established; classtype:file-transfer; sid:53000146; rev:1;) 148 | #alert dns $HOME_NET any -> any 53 (msg:"surigen - grosfichier - DNS request for grosfichiers.com"; dns_query; content:"grosfichiers.com"; nocase; 
classtype:file-transfer; sid:53000147;) 149 | #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"surigen - grosfichier - Related URL (grosfichiers.com)"; content:"grosfichiers.com"; http_uri; flow:to_server,established; classtype:file-transfer; sid:53000148; rev:1;) 150 | #alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"surigen - grosfichier - Related TLS SNI (grosfichiers.com)"; tls_sni; content:"grosfichiers.com";flow:to_server,established; classtype:file-transfer; sid:53000149; rev:1;) 151 | -------------------------------------------------------------------------------- /src/opnsense.mail.rules: -------------------------------------------------------------------------------- 1 | #alert dns any any -> any 53 (msg:"OPN_Mail - Outlook.com - DNS request for outlook.com"; dns_query; content:"outlook.com"; nocase; classtype:mail; sid:54000000;) 2 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Outlook.com - Related URL (outlook.com)"; content:"outlook.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000001; rev:1;) 3 | #alert tls any any -> any any (msg:"OPN_Mail - Outlook.com - Related TLS SNI (outlook.com)"; tls_sni; content:"outlook.com";flow:to_server,established; classtype:mail; sid:54000002; rev:1;) 4 | #alert dns any any -> any 53 (msg:"OPN_Mail - Outlook.com - DNS request for outlook.office365.com"; dns_query; content:"outlook.office365.com"; nocase; classtype:mail; sid:54000003;) 5 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Outlook.com - Related URL (outlook.office365.com)"; content:"outlook.office365.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000004; rev:1;) 6 | #alert tls any any -> any any (msg:"OPN_Mail - Outlook.com - Related TLS SNI (outlook.office365.com)"; tls_sni; content:"outlook.office365.com";flow:to_server,established; classtype:mail; sid:54000005; rev:1;) 7 | #alert dns any any -> any 53 (msg:"OPN_Mail - Outlook.com - DNS request for outlook.office.com"; dns_query; 
content:"outlook.office.com"; nocase; classtype:mail; sid:54000006;) 8 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Outlook.com - Related URL (outlook.office.com)"; content:"outlook.office.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000007; rev:1;) 9 | #alert tls any any -> any any (msg:"OPN_Mail - Outlook.com - Related TLS SNI (outlook.office.com)"; tls_sni; content:"outlook.office.com";flow:to_server,established; classtype:mail; sid:54000008; rev:1;) 10 | #alert dns any any -> any 53 (msg:"OPN_Mail - Outlook.com - DNS request for outlook.live.com"; dns_query; content:"outlook.live.com"; nocase; classtype:mail; sid:54000009;) 11 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Outlook.com - Related URL (outlook.live.com)"; content:"outlook.live.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000010; rev:1;) 12 | #alert tls any any -> any any (msg:"OPN_Mail - Outlook.com - Related TLS SNI (outlook.live.com)"; tls_sni; content:"outlook.live.com";flow:to_server,established; classtype:mail; sid:54000011; rev:1;) 13 | #alert dns any any -> any 53 (msg:"OPN_Mail - Hotmail - DNS request for outlook.live.com"; dns_query; content:"outlook.live.com"; nocase; classtype:mail; sid:54000012;) 14 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Hotmail - Related URL (outlook.live.com)"; content:"outlook.live.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000013; rev:1;) 15 | #alert tls any any -> any any (msg:"OPN_Mail - Hotmail - Related TLS SNI (outlook.live.com)"; tls_sni; content:"outlook.live.com";flow:to_server,established; classtype:mail; sid:54000014; rev:1;) 16 | #alert dns any any -> any 53 (msg:"OPN_Mail - GMX - DNS request for gmx.de"; dns_query; content:"gmx.de"; nocase; classtype:mail; sid:54000015;) 17 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - GMX - Related URL (gmx.de)"; content:"gmx.de"; http_uri; flow:to_server,established; classtype:mail; sid:54000016; 
rev:1;) 18 | #alert tls any any -> any any (msg:"OPN_Mail - GMX - Related TLS SNI (gmx.de)"; tls_sni; content:"gmx.de";flow:to_server,established; classtype:mail; sid:54000017; rev:1;) 19 | #alert dns any any -> any 53 (msg:"OPN_Mail - GMX - DNS request for gmx.at"; dns_query; content:"gmx.at"; nocase; classtype:mail; sid:54000018;) 20 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - GMX - Related URL (gmx.at)"; content:"gmx.at"; http_uri; flow:to_server,established; classtype:mail; sid:54000019; rev:1;) 21 | #alert tls any any -> any any (msg:"OPN_Mail - GMX - Related TLS SNI (gmx.at)"; tls_sni; content:"gmx.at";flow:to_server,established; classtype:mail; sid:54000020; rev:1;) 22 | #alert dns any any -> any 53 (msg:"OPN_Mail - GMX - DNS request for gmx.ch"; dns_query; content:"gmx.ch"; nocase; classtype:mail; sid:54000021;) 23 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - GMX - Related URL (gmx.ch)"; content:"gmx.ch"; http_uri; flow:to_server,established; classtype:mail; sid:54000022; rev:1;) 24 | #alert tls any any -> any any (msg:"OPN_Mail - GMX - Related TLS SNI (gmx.ch)"; tls_sni; content:"gmx.ch";flow:to_server,established; classtype:mail; sid:54000023; rev:1;) 25 | #alert dns any any -> any 53 (msg:"OPN_Mail - GMX - DNS request for gmx.co"; dns_query; content:"gmx.co"; nocase; classtype:mail; sid:54000024;) 26 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - GMX - Related URL (gmx.co)"; content:"gmx.co"; http_uri; flow:to_server,established; classtype:mail; sid:54000025; rev:1;) 27 | #alert tls any any -> any any (msg:"OPN_Mail - GMX - Related TLS SNI (gmx.co)"; tls_sni; content:"gmx.co";flow:to_server,established; classtype:mail; sid:54000026; rev:1;) 28 | #alert dns any any -> any 53 (msg:"OPN_Mail - GMX - DNS request for gmx.net"; dns_query; content:"gmx.net"; nocase; classtype:mail; sid:54000027;) 29 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - GMX - Related URL (gmx.net)"; content:"gmx.net"; http_uri; 
flow:to_server,established; classtype:mail; sid:54000028; rev:1;) 30 | #alert tls any any -> any any (msg:"OPN_Mail - GMX - Related TLS SNI (gmx.net)"; tls_sni; content:"gmx.net";flow:to_server,established; classtype:mail; sid:54000029; rev:1;) 31 | #alert dns any any -> any 53 (msg:"OPN_Mail - GMX - DNS request for gmx.co.uk"; dns_query; content:"gmx.co.uk"; nocase; classtype:mail; sid:54000030;) 32 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - GMX - Related URL (gmx.co.uk)"; content:"gmx.co.uk"; http_uri; flow:to_server,established; classtype:mail; sid:54000031; rev:1;) 33 | #alert tls any any -> any any (msg:"OPN_Mail - GMX - Related TLS SNI (gmx.co.uk)"; tls_sni; content:"gmx.co.uk";flow:to_server,established; classtype:mail; sid:54000032; rev:1;) 34 | #alert dns any any -> any 53 (msg:"OPN_Mail - mail.ru - DNS request for mail.ru"; dns_query; content:"mail.ru"; nocase; classtype:mail; sid:54000033;) 35 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - mail.ru - Related URL (mail.ru)"; content:"mail.ru"; http_uri; flow:to_server,established; classtype:mail; sid:54000034; rev:1;) 36 | #alert tls any any -> any any (msg:"OPN_Mail - mail.ru - Related TLS SNI (mail.ru)"; tls_sni; content:"mail.ru";flow:to_server,established; classtype:mail; sid:54000035; rev:1;) 37 | #alert dns any any -> any 53 (msg:"OPN_Mail - mail.ru - DNS request for attachmail.ru"; dns_query; content:"attachmail.ru"; nocase; classtype:mail; sid:54000036;) 38 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - mail.ru - Related URL (attachmail.ru)"; content:"attachmail.ru"; http_uri; flow:to_server,established; classtype:mail; sid:54000037; rev:1;) 39 | #alert tls any any -> any any (msg:"OPN_Mail - mail.ru - Related TLS SNI (attachmail.ru)"; tls_sni; content:"attachmail.ru";flow:to_server,established; classtype:mail; sid:54000038; rev:1;) 40 | #alert dns any any -> any 53 (msg:"OPN_Mail - mail.ru - DNS request for imgsmail.ru"; dns_query; content:"imgsmail.ru"; 
nocase; classtype:mail; sid:54000039;) 41 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - mail.ru - Related URL (imgsmail.ru)"; content:"imgsmail.ru"; http_uri; flow:to_server,established; classtype:mail; sid:54000040; rev:1;) 42 | #alert tls any any -> any any (msg:"OPN_Mail - mail.ru - Related TLS SNI (imgsmail.ru)"; tls_sni; content:"imgsmail.ru";flow:to_server,established; classtype:mail; sid:54000041; rev:1;) 43 | #alert dns any any -> any 53 (msg:"OPN_Mail - Gmail - DNS request for mail.google.com"; dns_query; content:"mail.google.com"; nocase; classtype:mail; sid:54000042;) 44 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Gmail - Related URL (mail.google.com)"; content:"mail.google.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000043; rev:1;) 45 | #alert tls any any -> any any (msg:"OPN_Mail - Gmail - Related TLS SNI (mail.google.com)"; tls_sni; content:"mail.google.com";flow:to_server,established; classtype:mail; sid:54000044; rev:1;) 46 | #alert dns any any -> any 53 (msg:"OPN_Mail - Gmail - DNS request for gmail.com"; dns_query; content:"gmail.com"; nocase; classtype:mail; sid:54000045;) 47 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Gmail - Related URL (gmail.com)"; content:"gmail.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000046; rev:1;) 48 | #alert tls any any -> any any (msg:"OPN_Mail - Gmail - Related TLS SNI (gmail.com)"; tls_sni; content:"gmail.com";flow:to_server,established; classtype:mail; sid:54000047; rev:1;) 49 | #alert dns any any -> any 53 (msg:"OPN_Mail - Yahoo_Mail - DNS request for mail.yahoo.com"; dns_query; content:"mail.yahoo.com"; nocase; classtype:mail; sid:54000048;) 50 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Yahoo_Mail - Related URL (mail.yahoo.com)"; content:"mail.yahoo.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000049; rev:1;) 51 | #alert tls any any -> any any (msg:"OPN_Mail - Yahoo_Mail - Related TLS SNI 
(mail.yahoo.com)"; tls_sni; content:"mail.yahoo.com";flow:to_server,established; classtype:mail; sid:54000050; rev:1;) 52 | #alert dns any any -> any 53 (msg:"OPN_Mail - Yahoo_Mail - DNS request for mail.yahoo.de"; dns_query; content:"mail.yahoo.de"; nocase; classtype:mail; sid:54000051;) 53 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Yahoo_Mail - Related URL (mail.yahoo.de)"; content:"mail.yahoo.de"; http_uri; flow:to_server,established; classtype:mail; sid:54000052; rev:1;) 54 | #alert tls any any -> any any (msg:"OPN_Mail - Yahoo_Mail - Related TLS SNI (mail.yahoo.de)"; tls_sni; content:"mail.yahoo.de";flow:to_server,established; classtype:mail; sid:54000053; rev:1;) 55 | #alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for login.aol.com"; dns_query; content:"login.aol.com"; nocase; classtype:mail; sid:54000054;) 56 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (login.aol.com)"; content:"login.aol.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000055; rev:1;) 57 | #alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (login.aol.com)"; tls_sni; content:"login.aol.com";flow:to_server,established; classtype:mail; sid:54000056; rev:1;) 58 | #alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.de"; dns_query; content:"mail.aol.de"; nocase; classtype:mail; sid:54000057;) 59 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.de)"; content:"mail.aol.de"; http_uri; flow:to_server,established; classtype:mail; sid:54000058; rev:1;) 60 | #alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.de)"; tls_sni; content:"mail.aol.de";flow:to_server,established; classtype:mail; sid:54000059; rev:1;) 61 | #alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.in"; dns_query; content:"mail.aol.in"; nocase; classtype:mail; sid:54000060;) 62 | #alert http 
any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.in)"; content:"mail.aol.in"; http_uri; flow:to_server,established; classtype:mail; sid:54000061; rev:1;) 63 | #alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.in)"; tls_sni; content:"mail.aol.in";flow:to_server,established; classtype:mail; sid:54000062; rev:1;) 64 | #alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.com"; dns_query; content:"mail.aol.com"; nocase; classtype:mail; sid:54000063;) 65 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.com)"; content:"mail.aol.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000064; rev:1;) 66 | #alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.com)"; tls_sni; content:"mail.aol.com";flow:to_server,established; classtype:mail; sid:54000065; rev:1;) 67 | #alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.ca"; dns_query; content:"mail.aol.ca"; nocase; classtype:mail; sid:54000066;) 68 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.ca)"; content:"mail.aol.ca"; http_uri; flow:to_server,established; classtype:mail; sid:54000067; rev:1;) 69 | #alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.ca)"; tls_sni; content:"mail.aol.ca";flow:to_server,established; classtype:mail; sid:54000068; rev:1;) 70 | #alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.in"; dns_query; content:"mail.aol.in"; nocase; classtype:mail; sid:54000069;) 71 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.in)"; content:"mail.aol.in"; http_uri; flow:to_server,established; classtype:mail; sid:54000070; rev:1;) 72 | #alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.in)"; tls_sni; 
content:"mail.aol.in";flow:to_server,established; classtype:mail; sid:54000071; rev:1;) 73 | #alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.fr"; dns_query; content:"mail.aol.fr"; nocase; classtype:mail; sid:54000072;) 74 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.fr)"; content:"mail.aol.fr"; http_uri; flow:to_server,established; classtype:mail; sid:54000073; rev:1;) 75 | #alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.fr)"; tls_sni; content:"mail.aol.fr";flow:to_server,established; classtype:mail; sid:54000074; rev:1;) 76 | #alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.jp"; dns_query; content:"mail.aol.jp"; nocase; classtype:mail; sid:54000075;) 77 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.jp)"; content:"mail.aol.jp"; http_uri; flow:to_server,established; classtype:mail; sid:54000076; rev:1;) 78 | #alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.jp)"; tls_sni; content:"mail.aol.jp";flow:to_server,established; classtype:mail; sid:54000077; rev:1;) 79 | #alert dns any any -> any 53 (msg:"OPN_Mail - Apple_Mail - DNS request for mail.me.com"; dns_query; content:"mail.me.com"; nocase; classtype:mail; sid:54000078;) 80 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Apple_Mail - Related URL (mail.me.com)"; content:"mail.me.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000079; rev:1;) 81 | #alert tls any any -> any any (msg:"OPN_Mail - Apple_Mail - Related TLS SNI (mail.me.com)"; tls_sni; content:"mail.me.com";flow:to_server,established; classtype:mail; sid:54000080; rev:1;) 82 | #alert dns any any -> any 53 (msg:"OPN_Mail - Hushmail - DNS request for hushmail.com"; dns_query; content:"hushmail.com"; nocase; classtype:mail; sid:54000081;) 83 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Hushmail 
- Related URL (hushmail.com)"; content:"hushmail.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000082; rev:1;) 84 | #alert tls any any -> any any (msg:"OPN_Mail - Hushmail - Related TLS SNI (hushmail.com)"; tls_sni; content:"hushmail.com";flow:to_server,established; classtype:mail; sid:54000083; rev:1;) 85 | #alert dns any any -> any 53 (msg:"OPN_Mail - T-Online_Mail - DNS request for e-mail.t-online.de"; dns_query; content:"e-mail.t-online.de"; nocase; classtype:mail; sid:54000084;) 86 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - T-Online_Mail - Related URL (e-mail.t-online.de)"; content:"e-mail.t-online.de"; http_uri; flow:to_server,established; classtype:mail; sid:54000085; rev:1;) 87 | #alert tls any any -> any any (msg:"OPN_Mail - T-Online_Mail - Related TLS SNI (e-mail.t-online.de)"; tls_sni; content:"e-mail.t-online.de";flow:to_server,established; classtype:mail; sid:54000086; rev:1;) 88 | -------------------------------------------------------------------------------- /src/opnsense.malware_ja3.rules: -------------------------------------------------------------------------------- 1 | # This file contains rules matching known malware JA3 signatures. 2 | # Most of them are not intensivly tested and might produce FPs! 3 | 4 | ############################################################ 5 | # Rule extraction from malware-traffic-analysis.net 01/2018: 6 | ############################################################ 7 | 8 | # Hits from: 9 | # 2018-01-02-fake-Flash-player-installs-coinminer-malware.pcap 10 | # 2018-01-02-whatsapp-malspam-traffic.pcap 11 | # 2018-01-06-fake-AV-page-after-viewing-mitchandgina.com.pcap 12 | # 2018-01-09-Emotet-and-Zeus-Panda-Banker-traffic.pcap 13 | # and many more ... 
14 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 1"; ja3_hash; content:"4d7a28d6f2263ed61de88ca66eb011e3"; classtype:ja3-malware; sid:49000001; rev:1;) 15 | 16 | # Hits from: 17 | # 2018-01-03-malspam-infection-traffic.pcap 18 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 2"; ja3_hash; content:"6734f37431670b3ab4292b8f60f29984"; classtype:ja3-malware; sid:49000002; rev:1;) 19 | 20 | # Hits from: 21 | # 2018-01-25-Dridex-malspam-infection-traffic-1-of-2.pcap 22 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 3"; ja3_hash; content:"74927e242d6c3febf8cb9cab10a7f889"; classtype:ja3-malware; sid:49000003; rev:1;) 23 | 24 | # Hits from: 25 | # 2018-01-25-Dridex-malspam-infection-traffic-2-of-2.pcap 26 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 4"; ja3_hash; content:"67f762b0ffe3aad00dfdb0e4b1acd8b5"; classtype:ja3-malware; sid:49000004; rev:1;) 27 | 28 | ############################################################ 29 | # Rule extraction from malware-traffic-analysis.net 02/2018: 30 | ############################################################ 31 | 32 | # Hits from: 33 | # 2018-02-08-malspam-pushing-Quant-Loader-2nd-run.pcap 34 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 5"; ja3_hash; content:"10ee8d30a5d01c042afd7b2b205facc4"; classtype:ja3-malware; sid:49000005; rev:1;) 35 | 36 | # Hits from: 37 | # 2018-02-28-Hancitor-infection-traffic-3rd-run.pcap 38 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 6"; ja3_hash; content:"ada70206e40642a3e4461f35503241d5"; classtype:ja3-malware; sid:49000006; rev:1;) 39 | 40 | ############################################################ 41 | # Rule extraction from malware-traffic-analysis.net 03/2018: 42 | ############################################################ 43 | 44 | # Hits from: 45 | # 
2018-03-05-CoinsLTD-campaign-Rig-EK-and-post-infection-traffic.pcap 46 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 7"; ja3_hash; content:"c201b92f8b483fa388be174d6689f534"; classtype:ja3-malware; sid:49000007; rev:1;) 47 | 48 | # Hits from: 49 | # 2018-03-08-Hookads-campaign-Rig-EK.pcap 50 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 8; ja3_hash; content:"d4693422c5ce1565377aca25940ad80c"; classtype:ja3-malware; sid:49000008; rev:1;) 51 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 9"; ja3_hash; content:"40fd0a5e81ebdcf0ec82a4710a12dec1"; classtype:ja3-malware; sid:49000009; rev:1;) 52 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 10"; ja3_hash; content:"1e67431b78a64adf42e0fee804fb15e5"; classtype:ja3-malware; sid:49000010; rev:1;) 53 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 11"; ja3_hash; content:"db6b2a19e5cd3b42abbc21f13c3fc750"; classtype:ja3-malware; sid:49000011; rev:1;) 54 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 12"; ja3_hash; content:"29085f03f8e8a03f0b399c5c7cf0b0b8"; classtype:ja3-malware; sid:49000012; rev:1;) 55 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 13"; ja3_hash; content:"d3b972883dfbd24fd20fc200ad8ab22a"; classtype:ja3-malware; sid:49000013; rev:1;) 56 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 14"; ja3_hash; content:"46efd49abcca8ea9baa932da68fdb529"; classtype:ja3-malware; sid:49000014; rev:1;) 57 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 15"; ja3_hash; content:"5d62f64398e43b0a4ea9d15167f3a01d"; classtype:ja3-malware; sid:49000015; rev:1;) 58 | 59 | # Hits from: 60 | # 2018-03-22-fake-firefox-update.pcap 61 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 16"; ja3_hash; content:"0ffee3ba8e615ad22535e7f771690a28"; 
classtype:ja3-malware; sid:49000016; rev:1;) 62 | 63 | # Hits from: 64 | # 2018-03-26-Sigma-ransomware-malspam-infection-traffic.pcap 65 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 17"; ja3_hash; content:"fed8d14fc5a67b40cd470ba239019785"; classtype:ja3-malware; sid:49000017; rev:1;) 66 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 18"; ja3_hash; content:"83d60721ecc423892660e275acc4dffd"; classtype:ja3-malware; sid:49000018; rev:1;) 67 | 68 | # Hits from: 69 | # 2018-03-27-fake-chrome-update.pcap 70 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 19"; ja3_hash; content:"14eff09463c9d6dc6e14e954eba239c2"; classtype:ja3-malware; sid:49000019; rev:1;) 71 | #alert tls any any -> any any (msg:"OPNsense: match JA3 malware hash, rule 20"; ja3_hash; content:"656854b0e07f676ae44f8d559744be60"; classtype:ja3-malware; sid:49000020; rev:1;) 72 | -------------------------------------------------------------------------------- /src/opnsense.media_streaming.rules: -------------------------------------------------------------------------------- 1 | #alert dns any any -> any 53 (msg:"OPN_Media_Streaming - 123movies - DNS request for 0123movies.com"; dns_query; content:"0123movies.com"; nocase; classtype:media-streaming; sid:55000000;) 2 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - 123movies - Related URL (0123movies.com)"; content:"0123movies.com"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000001; rev:1;) 3 | #alert tls any any -> any any (msg:"OPN_Media_Streaming - 123movies - Related TLS SNI (0123movies.com)"; tls_sni; content:"0123movies.com";flow:to_server,established; classtype:media-streaming; sid:55000002; rev:1;) 4 | #alert dns any any -> any 53 (msg:"OPN_Media_Streaming - 123movies - DNS request for 123movies.fun"; dns_query; content:"123movies.fun"; nocase; classtype:media-streaming; sid:55000003;) 5 | #alert http any any -> 
any $HTTP_PORTS (msg:"OPN_Media_Streaming - 123movies - Related URL (123movies.fun)"; content:"123movies.fun"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000004; rev:1;) 6 | #alert tls any any -> any any (msg:"OPN_Media_Streaming - 123movies - Related TLS SNI (123movies.fun)"; tls_sni; content:"123movies.fun";flow:to_server,established; classtype:media-streaming; sid:55000005; rev:1;) 7 | #alert dns any any -> any 53 (msg:"OPN_Media_Streaming - 123movies - DNS request for 123movies4u.co"; dns_query; content:"123movies4u.co"; nocase; classtype:media-streaming; sid:55000006;) 8 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - 123movies - Related URL (123movies4u.co)"; content:"123movies4u.co"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000007; rev:1;) 9 | #alert tls any any -> any any (msg:"OPN_Media_Streaming - 123movies - Related TLS SNI (123movies4u.co)"; tls_sni; content:"123movies4u.co";flow:to_server,established; classtype:media-streaming; sid:55000008; rev:1;) 10 | #alert dns any any -> any 53 (msg:"OPN_Media_Streaming - Afreeca - DNS request for afreeca.com"; dns_query; content:"afreeca.com"; nocase; classtype:media-streaming; sid:55000009;) 11 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - Afreeca - Related URL (afreeca.com)"; content:"afreeca.com"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000010; rev:1;) 12 | #alert tls any any -> any any (msg:"OPN_Media_Streaming - Afreeca - Related TLS SNI (afreeca.com)"; tls_sni; content:"afreeca.com";flow:to_server,established; classtype:media-streaming; sid:55000011; rev:1;) 13 | #alert dns any any -> any 53 (msg:"OPN_Media_Streaming - Afreeca - DNS request for bizafreeca.com"; dns_query; content:"bizafreeca.com"; nocase; classtype:media-streaming; sid:55000012;) 14 | #alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - Afreeca - Related URL (bizafreeca.com)"; 
content:"bizafreeca.com"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000013; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - Afreeca - Related TLS SNI (bizafreeca.com)"; tls_sni; content:"bizafreeca.com";flow:to_server,established; classtype:media-streaming; sid:55000014; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Media_Streaming - Afreeca - DNS request for afreecatv.com"; dns_query; content:"afreecatv.com"; nocase; classtype:media-streaming; sid:55000015;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - Afreeca - Related URL (afreecatv.com)"; content:"afreecatv.com"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000016; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - Afreeca - Related TLS SNI (afreecatv.com)"; tls_sni; content:"afreecatv.com";flow:to_server,established; classtype:media-streaming; sid:55000017; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Media_Streaming - AppleMusic - DNS request for streamingaudio.itunes.apple.com"; dns_query; content:"streamingaudio.itunes.apple.com"; nocase; classtype:media-streaming; sid:55000018;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - AppleMusic - Related URL (streamingaudio.itunes.apple.com)"; content:"streamingaudio.itunes.apple.com"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000019; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - AppleMusic - Related TLS SNI (streamingaudio.itunes.apple.com)"; tls_sni; content:"streamingaudio.itunes.apple.com";flow:to_server,established; classtype:media-streaming; sid:55000020; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Media_Streaming - AppleMusic - DNS request for gs.apple.com"; dns_query; content:"gs.apple.com"; nocase; classtype:media-streaming; sid:55000021;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - AppleMusic - Related URL (gs.apple.com)"; content:"gs.apple.com"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000022; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - AppleMusic - Related TLS SNI (gs.apple.com)"; tls_sni; content:"gs.apple.com";flow:to_server,established; classtype:media-streaming; sid:55000023; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Media_Streaming - AppleMusic - DNS request for albert.apple.com"; dns_query; content:"albert.apple.com"; nocase; classtype:media-streaming; sid:55000024;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - AppleMusic - Related URL (albert.apple.com)"; content:"albert.apple.com"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000025; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - AppleMusic - Related TLS SNI (albert.apple.com)"; tls_sni; content:"albert.apple.com";flow:to_server,established; classtype:media-streaming; sid:55000026; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Media_Streaming - BBC - DNS request for bbc.co.uk"; dns_query; content:"bbc.co.uk"; nocase; classtype:media-streaming; sid:55000027;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - BBC - Related URL (bbc.co.uk)"; content:"bbc.co.uk"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000028; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - BBC - Related TLS SNI (bbc.co.uk)"; tls_sni; content:"bbc.co.uk";flow:to_server,established; classtype:media-streaming; sid:55000029; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Media_Streaming - Grooveshark - DNS request for grooveshark.com"; dns_query; content:"grooveshark.com"; nocase; classtype:media-streaming; sid:55000030;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - Grooveshark - Related URL (grooveshark.com)"; content:"grooveshark.com"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000031; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - Grooveshark - Related TLS SNI (grooveshark.com)"; tls_sni; content:"grooveshark.com";flow:to_server,established; classtype:media-streaming; sid:55000032; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Media_Streaming - Grooveshark - DNS request for grooveshark.im"; dns_query; content:"grooveshark.im"; nocase; classtype:media-streaming; sid:55000033;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - Grooveshark - Related URL (grooveshark.im)"; content:"grooveshark.im"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000034; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - Grooveshark - Related TLS SNI (grooveshark.im)"; tls_sni; content:"grooveshark.im";flow:to_server,established; classtype:media-streaming; sid:55000035; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Media_Streaming - Hulu - DNS request for secure.hulu.com"; dns_query; content:"secure.hulu.com"; nocase; classtype:media-streaming; sid:55000036;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - Hulu - Related URL (secure.hulu.com)"; content:"secure.hulu.com"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000037; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - Hulu - Related TLS SNI (secure.hulu.com)"; tls_sni; content:"secure.hulu.com";flow:to_server,established; classtype:media-streaming; sid:55000038; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Media_Streaming - LastFM - DNS request for last.fm"; dns_query; content:"last.fm"; nocase; classtype:media-streaming; sid:55000039;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - LastFM - Related URL (last.fm)"; content:"last.fm"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000040; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - LastFM - Related TLS SNI (last.fm)"; tls_sni; content:"last.fm";flow:to_server,established; classtype:media-streaming; sid:55000041; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Media_Streaming - Netflix - DNS request for netflix.com"; dns_query; content:"netflix.com"; nocase; classtype:media-streaming; sid:55000042;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - Netflix - Related URL (netflix.com)"; content:"netflix.com"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000043; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - Netflix - Related TLS SNI (netflix.com)"; tls_sni; content:"netflix.com";flow:to_server,established; classtype:media-streaming; sid:55000044; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Media_Streaming - Periscope - DNS request for periscope.tv"; dns_query; content:"periscope.tv"; nocase; classtype:media-streaming; sid:55000045;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - Periscope - Related URL (periscope.tv)"; content:"periscope.tv"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000046; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - Periscope - Related TLS SNI (periscope.tv)"; tls_sni; content:"periscope.tv";flow:to_server,established; classtype:media-streaming; sid:55000047; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Media_Streaming - Shoutcast - DNS request for shoutcast.com"; dns_query; content:"shoutcast.com"; nocase; classtype:media-streaming; sid:55000048;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - Shoutcast - Related URL (shoutcast.com)"; content:"shoutcast.com"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000049; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - Shoutcast - Related TLS SNI (shoutcast.com)"; tls_sni; content:"shoutcast.com";flow:to_server,established; classtype:media-streaming; sid:55000050; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Media_Streaming - TuneIn - DNS request for tunein.com"; dns_query; content:"tunein.com"; nocase; classtype:media-streaming; sid:55000051;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Media_Streaming - TuneIn - Related URL (tunein.com)"; content:"tunein.com"; http_uri; flow:to_server,established; classtype:media-streaming; sid:55000052; rev:1;)
#alert tls any any -> any any (msg:"OPN_Media_Streaming - TuneIn - Related TLS SNI (tunein.com)"; tls_sni; content:"tunein.com";flow:to_server,established; classtype:media-streaming; sid:55000053; rev:1;)
--------------------------------------------------------------------------------
/src/opnsense.messaging.rules:
--------------------------------------------------------------------------------
#alert dns any any -> any 53 (msg:"OPN_Messaging - 050Plus - DNS request for 050plus.com"; dns_query; content:"050plus.com"; nocase; classtype:messaging; sid:52000000;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - 050Plus - Related URL (050plus.com)"; content:"050plus.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000001; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - 050Plus - Related TLS SNI (050plus.com)"; tls_sni; content:"050plus.com";flow:to_server,established; classtype:messaging; sid:52000002; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - CiscoJabberVideo - DNS request for ciscojabbervideo.com"; dns_query; content:"ciscojabbervideo.com"; nocase; classtype:messaging; sid:52000003;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - CiscoJabberVideo - Related URL (ciscojabbervideo.com)"; content:"ciscojabbervideo.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000004; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - CiscoJabberVideo - Related TLS SNI (ciscojabbervideo.com)"; tls_sni; content:"ciscojabbervideo.com";flow:to_server,established; classtype:messaging; sid:52000005; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - Citrix_Online - DNS request for citrixonline.com"; dns_query; content:"citrixonline.com"; nocase; classtype:messaging; sid:52000006;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - Citrix_Online - Related URL (citrixonline.com)"; content:"citrixonline.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000007; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - Citrix_Online - Related TLS SNI (citrixonline.com)"; tls_sni; content:"citrixonline.com";flow:to_server,established; classtype:messaging; sid:52000008; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - Citrix_Online - DNS request for citrixonlinecdn.com"; dns_query; content:"citrixonlinecdn.com"; nocase; classtype:messaging; sid:52000009;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - Citrix_Online - Related URL (citrixonlinecdn.com)"; content:"citrixonlinecdn.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000010; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - Citrix_Online - Related TLS SNI (citrixonlinecdn.com)"; tls_sni; content:"citrixonlinecdn.com";flow:to_server,established; classtype:messaging; sid:52000011; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - Dingtalk - DNS request for im.dingtalk.com"; dns_query; content:"im.dingtalk.com"; nocase; classtype:messaging; sid:52000012;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - Dingtalk - Related URL (im.dingtalk.com)"; content:"im.dingtalk.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000013; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - Dingtalk - Related TLS SNI (im.dingtalk.com)"; tls_sni; content:"im.dingtalk.com";flow:to_server,established; classtype:messaging; sid:52000014; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - Dingtalk - DNS request for dingtalkapps.com"; dns_query; content:"dingtalkapps.com"; nocase; classtype:messaging; sid:52000015;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - Dingtalk - Related URL (dingtalkapps.com)"; content:"dingtalkapps.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000016; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - Dingtalk - Related TLS SNI (dingtalkapps.com)"; tls_sni; content:"dingtalkapps.com";flow:to_server,established; classtype:messaging; sid:52000017; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - GaduGadu - DNS request for gg.pl"; dns_query; content:"gg.pl"; nocase; classtype:messaging; sid:52000018;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - GaduGadu - Related URL (gg.pl)"; content:"gg.pl"; http_uri; flow:to_server,established; classtype:messaging; sid:52000019; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - GaduGadu - Related TLS SNI (gg.pl)"; tls_sni; content:"gg.pl";flow:to_server,established; classtype:messaging; sid:52000020; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - GaduGadu - DNS request for gadu-gadu.pl"; dns_query; content:"gadu-gadu.pl"; nocase; classtype:messaging; sid:52000021;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - GaduGadu - Related URL (gadu-gadu.pl)"; content:"gadu-gadu.pl"; http_uri; flow:to_server,established; classtype:messaging; sid:52000022; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - GaduGadu - Related TLS SNI (gadu-gadu.pl)"; tls_sni; content:"gadu-gadu.pl";flow:to_server,established; classtype:messaging; sid:52000023; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - Google_Duo - DNS request for duo.google.com"; dns_query; content:"duo.google.com"; nocase; classtype:messaging; sid:52000024;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - Google_Duo - Related URL (duo.google.com)"; content:"duo.google.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000025; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - Google_Duo - Related TLS SNI (duo.google.com)"; tls_sni; content:"duo.google.com";flow:to_server,established; classtype:messaging; sid:52000026; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - Google_Hangouts - DNS request for hangouts.google.com"; dns_query; content:"hangouts.google.com"; nocase; classtype:messaging; sid:52000027;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - Google_Hangouts - Related URL (hangouts.google.com)"; content:"hangouts.google.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000028; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - Google_Hangouts - Related TLS SNI (hangouts.google.com)"; tls_sni; content:"hangouts.google.com";flow:to_server,established; classtype:messaging; sid:52000029; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - Google_Talk - DNS request for talk.google.com"; dns_query; content:"talk.google.com"; nocase; classtype:messaging; sid:52000030;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - Google_Talk - Related URL (talk.google.com)"; content:"talk.google.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000031; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - Google_Talk - Related TLS SNI (talk.google.com)"; tls_sni; content:"talk.google.com";flow:to_server,established; classtype:messaging; sid:52000032; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - ICQ_WebClient - DNS request for icq.com"; dns_query; content:"icq.com"; nocase; classtype:messaging; sid:52000033;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - ICQ_WebClient - Related URL (icq.com)"; content:"icq.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000034; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - ICQ_WebClient - Related TLS SNI (icq.com)"; tls_sni; content:"icq.com";flow:to_server,established; classtype:messaging; sid:52000035; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - IMO.IM - DNS request for imo.im"; dns_query; content:"imo.im"; nocase; classtype:messaging; sid:52000036;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - IMO.IM - Related URL (imo.im)"; content:"imo.im"; http_uri; flow:to_server,established; classtype:messaging; sid:52000037; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - IMO.IM - Related TLS SNI (imo.im)"; tls_sni; content:"imo.im";flow:to_server,established; classtype:messaging; sid:52000038; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - Kik_Messenger - DNS request for apikik.com"; dns_query; content:"apikik.com"; nocase; classtype:messaging; sid:52000039;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - Kik_Messenger - Related URL (apikik.com)"; content:"apikik.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000040; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - Kik_Messenger - Related TLS SNI (apikik.com)"; tls_sni; content:"apikik.com";flow:to_server,established; classtype:messaging; sid:52000041; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - Kik_Messenger - DNS request for kik.com"; dns_query; content:"kik.com"; nocase; classtype:messaging; sid:52000042;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - Kik_Messenger - Related URL (kik.com)"; content:"kik.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000043; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - Kik_Messenger - Related TLS SNI (kik.com)"; tls_sni; content:"kik.com";flow:to_server,established; classtype:messaging; sid:52000044; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - Livemeeting - DNS request for livemeeting.com"; dns_query; content:"livemeeting.com"; nocase; classtype:messaging; sid:52000045;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - Livemeeting - Related URL (livemeeting.com)"; content:"livemeeting.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000046; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - Livemeeting - Related TLS SNI (livemeeting.com)"; tls_sni; content:"livemeeting.com";flow:to_server,established; classtype:messaging; sid:52000047; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - Meebo - DNS request for meebo.com"; dns_query; content:"meebo.com"; nocase; classtype:messaging; sid:52000048;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - Meebo - Related URL (meebo.com)"; content:"meebo.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000049; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - Meebo - Related TLS SNI (meebo.com)"; tls_sni; content:"meebo.com";flow:to_server,established; classtype:messaging; sid:52000050; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - Net2Phone - DNS request for net2phone.com"; dns_query; content:"net2phone.com"; nocase; classtype:messaging; sid:52000051;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - Net2Phone - Related URL (net2phone.com)"; content:"net2phone.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000052; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - Net2Phone - Related TLS SNI (net2phone.com)"; tls_sni; content:"net2phone.com";flow:to_server,established; classtype:messaging; sid:52000053; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - WeChat - DNS request for wechat.com"; dns_query; content:"wechat.com"; nocase; classtype:messaging; sid:52000054;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - WeChat - Related URL (wechat.com)"; content:"wechat.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000055; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - WeChat - Related TLS SNI (wechat.com)"; tls_sni; content:"wechat.com";flow:to_server,established; classtype:messaging; sid:52000056; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - WeChat - DNS request for weixin.qq.com"; dns_query; content:"weixin.qq.com"; nocase; classtype:messaging; sid:52000057;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - WeChat - Related URL (weixin.qq.com)"; content:"weixin.qq.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000058; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - WeChat - Related TLS SNI (weixin.qq.com)"; tls_sni; content:"weixin.qq.com";flow:to_server,established; classtype:messaging; sid:52000059; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Messaging - YiXin - DNS request for yixin.im"; dns_query; content:"yixin.im"; nocase; classtype:messaging; sid:52000060;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Messaging - YiXin - Related URL (yixin.im)"; content:"yixin.im"; http_uri; flow:to_server,established; classtype:messaging; sid:52000061; rev:1;)
#alert tls any any -> any any (msg:"OPN_Messaging - YiXin - Related TLS SNI (yixin.im)"; tls_sni; content:"yixin.im";flow:to_server,established; classtype:messaging; sid:52000062; rev:1;)
#alert dns $HOME_NET any -> any 53 (msg:"OPN_Messaging - WhatsApp - DNS request for whatsapp.com"; dns_query; content:"whatsapp.com"; nocase; classtype:messaging; sid:52000063;)
#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OPN_Messaging - WhatsApp - Related URL (whatsapp.com)"; content:"whatsapp.com"; http_uri; flow:to_server,established; classtype:messaging; sid:52000064; rev:1;)
#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"OPN_Messaging - WhatsApp - Related TLS SNI (whatsapp.com)"; tls_sni; content:"whatsapp.com";flow:to_server,established; classtype:messaging; sid:52000065; rev:1;)
#alert dns $HOME_NET any -> any 53 (msg:"OPN_Messaging - WhatsApp - DNS request for whatsapp.net"; dns_query; content:"whatsapp.net"; nocase; classtype:messaging; sid:52000066;)
#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OPN_Messaging - WhatsApp - Related URL (whatsapp.net)"; content:"whatsapp.net"; http_uri; flow:to_server,established; classtype:messaging; sid:52000067; rev:1;)
#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"OPN_Messaging - WhatsApp - Related TLS SNI (whatsapp.net)"; tls_sni; content:"whatsapp.net";flow:to_server,established; classtype:messaging; sid:52000068; rev:1;)
--------------------------------------------------------------------------------
/src/opnsense.social_media.rules:
--------------------------------------------------------------------------------
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Classmates - DNS request for classmates.com"; dns_query; content:"classmates.com"; nocase; classtype:social-media; sid:51000000;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Classmates - Related URL (classmates.com)"; content:"classmates.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000001; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Classmates - Related TLS SNI (classmates.com)"; tls_sni; content:"classmates.com";flow:to_server,established; classtype:social-media; sid:51000002; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Facebook - DNS request for facebook.com"; dns_query; content:"facebook.com"; nocase; classtype:social-media; sid:51000003;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Facebook - Related URL (facebook.com)"; content:"facebook.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000004; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Facebook - Related TLS SNI (facebook.com)"; tls_sni; content:"facebook.com";flow:to_server,established; classtype:social-media; sid:51000005; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Facebook - DNS request for facebook.net"; dns_query; content:"facebook.net"; nocase; classtype:social-media; sid:51000006;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Facebook - Related URL (facebook.net)"; content:"facebook.net"; http_uri; flow:to_server,established; classtype:social-media; sid:51000007; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Facebook - Related TLS SNI (facebook.net)"; tls_sni; content:"facebook.net";flow:to_server,established; classtype:social-media; sid:51000008; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Facebook - DNS request for fbcdn.net"; dns_query; content:"fbcdn.net"; nocase; classtype:social-media; sid:51000009;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Facebook - Related URL (fbcdn.net)"; content:"fbcdn.net"; http_uri; flow:to_server,established; classtype:social-media; sid:51000010; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Facebook - Related TLS SNI (fbcdn.net)"; tls_sni; content:"fbcdn.net";flow:to_server,established; classtype:social-media; sid:51000011; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Foursquare - DNS request for foursquare.com"; dns_query; content:"foursquare.com"; nocase; classtype:social-media; sid:51000012;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Foursquare - Related URL (foursquare.com)"; content:"foursquare.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000013; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Foursquare - Related TLS SNI (foursquare.com)"; tls_sni; content:"foursquare.com";flow:to_server,established; classtype:social-media; sid:51000014; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Friendster - DNS request for friendster.com"; dns_query; content:"friendster.com"; nocase; classtype:social-media; sid:51000015;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Friendster - Related URL (friendster.com)"; content:"friendster.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000016; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Friendster - Related TLS SNI (friendster.com)"; tls_sni; content:"friendster.com";flow:to_server,established; classtype:social-media; sid:51000017; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Google_plus - DNS request for plus.google.com"; dns_query; content:"plus.google.com"; nocase; classtype:social-media; sid:51000018;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Google_plus - Related URL (plus.google.com)"; content:"plus.google.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000019; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Google_plus - Related TLS SNI (plus.google.com)"; tls_sni; content:"plus.google.com";flow:to_server,established; classtype:social-media; sid:51000020; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Instagram - DNS request for instagram.com"; dns_query; content:"instagram.com"; nocase; classtype:social-media; sid:51000021;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Instagram - Related URL (instagram.com)"; content:"instagram.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000022; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Instagram - Related TLS SNI (instagram.com)"; tls_sni; content:"instagram.com";flow:to_server,established; classtype:social-media; sid:51000023; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - LinkedIn - DNS request for linkedin.com"; dns_query; content:"linkedin.com"; nocase; classtype:social-media; sid:51000024;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - LinkedIn - Related URL (linkedin.com)"; content:"linkedin.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000025; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - LinkedIn - Related TLS SNI (linkedin.com)"; tls_sni; content:"linkedin.com";flow:to_server,established; classtype:social-media; sid:51000026; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - match_com - DNS request for match.com"; dns_query; content:"match.com"; nocase; classtype:social-media; sid:51000027;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - match_com - Related URL (match.com)"; content:"match.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000028; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - match_com - Related TLS SNI (match.com)"; tls_sni; content:"match.com";flow:to_server,established; classtype:social-media; sid:51000029; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - MySpace - DNS request for myspace.com"; dns_query; content:"myspace.com"; nocase; classtype:social-media; sid:51000030;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - MySpace - Related URL (myspace.com)"; content:"myspace.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000031; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - MySpace - Related TLS SNI (myspace.com)"; tls_sni; content:"myspace.com";flow:to_server,established; classtype:social-media; sid:51000032; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - MySpace - DNS request for myspacecdn.com"; dns_query; content:"myspacecdn.com"; nocase; classtype:social-media; sid:51000033;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - MySpace - Related URL (myspacecdn.com)"; content:"myspacecdn.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000034; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - MySpace - Related TLS SNI (myspacecdn.com)"; tls_sni; content:"myspacecdn.com";flow:to_server,established; classtype:social-media; sid:51000035; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Orkut - DNS request for orkut.com"; dns_query; content:"orkut.com"; nocase; classtype:social-media; sid:51000036;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Orkut - Related URL (orkut.com)"; content:"orkut.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000037; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Orkut - Related TLS SNI (orkut.com)"; tls_sni; content:"orkut.com";flow:to_server,established; classtype:social-media; sid:51000038; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Pinterest - DNS request for pinterest.com"; dns_query; content:"pinterest.com"; nocase; classtype:social-media; sid:51000039;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Pinterest - Related URL (pinterest.com)"; content:"pinterest.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000040; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Pinterest - Related TLS SNI (pinterest.com)"; tls_sni; content:"pinterest.com";flow:to_server,established; classtype:social-media; sid:51000041; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Reddit - DNS request for reddit.com"; dns_query; content:"reddit.com"; nocase; classtype:social-media; sid:51000042;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Reddit - Related URL (reddit.com)"; content:"reddit.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000043; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Reddit - Related TLS SNI (reddit.com)"; tls_sni; content:"reddit.com";flow:to_server,established; classtype:social-media; sid:51000044; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Renren - DNS request for renren.com"; dns_query; content:"renren.com"; nocase; classtype:social-media; sid:51000045;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Renren - Related URL (renren.com)"; content:"renren.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000046; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Renren - Related TLS SNI (renren.com)"; tls_sni; content:"renren.com";flow:to_server,established; classtype:social-media; sid:51000047; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - TwitPic - DNS request for twitpic.com"; dns_query; content:"twitpic.com"; nocase; classtype:social-media; sid:51000048;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - TwitPic - Related URL (twitpic.com)"; content:"twitpic.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000049; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - TwitPic - Related TLS SNI (twitpic.com)"; tls_sni; content:"twitpic.com";flow:to_server,established; classtype:social-media; sid:51000050; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Twitter - DNS request for twitter.com"; dns_query; content:"twitter.com"; nocase; classtype:social-media; sid:51000051;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Twitter - Related URL (twitter.com)"; content:"twitter.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000052; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Twitter - Related TLS SNI (twitter.com)"; tls_sni; content:"twitter.com";flow:to_server,established; classtype:social-media; sid:51000053; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - VKontakte - DNS request for vkontakte.ru"; dns_query; content:"vkontakte.ru"; nocase; classtype:social-media; sid:51000054;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - VKontakte - Related URL (vkontakte.ru)"; content:"vkontakte.ru"; http_uri; flow:to_server,established; classtype:social-media; sid:51000055; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - VKontakte - Related TLS SNI (vkontakte.ru)"; tls_sni; content:"vkontakte.ru";flow:to_server,established; classtype:social-media; sid:51000056; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Social_Media - Xing - DNS request for xing.com"; dns_query; content:"xing.com"; nocase; classtype:social-media; sid:51000057;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Social_Media - Xing - Related URL (xing.com)"; content:"xing.com"; http_uri; flow:to_server,established; classtype:social-media; sid:51000058; rev:1;)
#alert tls any any -> any any (msg:"OPN_Social_Media - Xing - Related TLS SNI (xing.com)"; tls_sni; content:"xing.com";flow:to_server,established; classtype:social-media; sid:51000059; rev:1;)
--------------------------------------------------------------------------------
/src/opnsense.test.rules:
--------------------------------------------------------------------------------
drop http any any -> any any (msg:"OPNsense test eicar virus"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; fast_pattern; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:7999999; rev:1;)
--------------------------------------------------------------------------------
/src/opnsense.uncategorized.rules:
--------------------------------------------------------------------------------
#alert dns any any -> any 53 (msg:"OPN_Uncategorized - Youporn - DNS request for youporn.com"; dns_query; content:"youporn.com"; nocase; classtype:uncategorized; sid:56000000;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Uncategorized - Youporn - Related URL (youporn.com)"; content:"youporn.com"; http_uri; flow:to_server,established; classtype:uncategorized; sid:56000001; rev:1;)
#alert tls any any -> any any (msg:"OPN_Uncategorized - Youporn - Related TLS SNI (youporn.com)"; tls_sni; content:"youporn.com";flow:to_server,established; classtype:uncategorized; sid:56000002; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Uncategorized - PornHub - DNS request for pornhub.com"; dns_query; content:"pornhub.com"; nocase; classtype:uncategorized; sid:56000003;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Uncategorized - PornHub - Related URL (pornhub.com)"; content:"pornhub.com"; http_uri; flow:to_server,established; classtype:uncategorized; sid:56000004; rev:1;)
#alert tls any any -> any any (msg:"OPN_Uncategorized - PornHub - Related TLS SNI (pornhub.com)"; tls_sni; content:"pornhub.com";flow:to_server,established; classtype:uncategorized; sid:56000005; rev:1;)
--------------------------------------------------------------------------------
/src/social-media.lst:
--------------------------------------------------------------------------------
Classmates social-media classmates.com
Facebook social-media facebook.com
Facebook social-media facebook.net
Facebook social-media fbcdn.net
Foursquare social-media foursquare.com
Friendster social-media friendster.com
Google_plus social-media plus.google.com
Instagram social-media instagram.com
LinkedIn social-media linkedin.com
match_com social-media match.com
MySpace social-media myspace.com
MySpace social-media myspacecdn.com
Orkut social-media orkut.com
Pinterest social-media pinterest.com
Reddit social-media reddit.com
Renren social-media renren.com
TwitPic social-media 
twitpic.com 18 | Twitter social-media twitter.com 19 | VKontakte social-media vkontakte.ru 20 | Xing social-media xing.com 21 | -------------------------------------------------------------------------------- /src/steaming-media.lst: -------------------------------------------------------------------------------- 1 | 123movies media-streaming 0123movies.com 2 | 123movies media-streaming 123movies.fun 3 | 123movies media-streaming 123movies4u.co 4 | Afreeca media-streaming afreeca.com 5 | Afreeca media-streaming bizafreeca.com 6 | Afreeca media-streaming afreecatv.com 7 | AppleMusic media-streaming streamingaudio.itunes.apple.com 8 | AppleMusic media-streaming gs.apple.com 9 | AppleMusic media-streaming albert.apple.com 10 | BBC media-streaming bbc.co.uk 11 | Grooveshark media-streaming grooveshark.com 12 | Grooveshark media-streaming grooveshark.im 13 | Hulu media-streaming secure.hulu.com 14 | LastFM media-streaming last.fm 15 | Netflix media-streaming netflix.com 16 | Periscope media-streaming periscope.tv 17 | Shoutcast media-streaming shoutcast.com 18 | TuneIn media-streaming tunein.com 19 | 7plus media-streaming 7plus.com.au 20 | AMC media-streaming AMC.com 21 | BBC media-streaming bbcmedia.co.uk 22 | Dailymotion media-streaming dailymotion.com 23 | DirectTV media-streaming directv.com 24 | Disneyplus media-streaming disneyplus.com 25 | NowTV media-streaming nowtv.com 26 | Pandora media-streaming pandora.com 27 | PeacockTV media-streaming peacocktv.com 28 | SoundCloud media-streaming soundcloud.com 29 | Starz media-streaming stars.com 30 | UWatchFree media-streaming uwatchfree.fo 31 | Vimeo media-streaming vimeo.com 32 | XFinity media-streaming Xfinity.com 33 | Yideo media-streaming yideo.com 34 | YouTube media-streaming youtube.com 35 | YuppTV media-streaming yupptv.com 36 | Zee5 media-streaming zee5.com 37 | -------------------------------------------------------------------------------- /src/uncategorized.lst: 
-------------------------------------------------------------------------------- 1 | Youporn uncategorized youporn.com 2 | PornHub uncategorized pornhub.com 3 | --------------------------------------------------------------------------------
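The *.rules files above follow one pattern per .lst line: a DNS-query rule, an HTTP-URI rule and a TLS-SNI rule with three consecutive sids, numbered from a per-category base in .lst line order (which is why the README insists on order: moving a line renumbers every sid after it). The script below regenerates that pattern from a .lst file and validates the entries first. It is an added example, not code from the OPNsense repository: the msg-prefix derivation, the sid base for any category other than social-media (51000000) and uncategorized (56000000), and the tolerance of blank lines are assumptions; the embedded .lst text is copied from the files above.

```python
"""Regenerate OPNsense application-detection rules from a .lst file.

Added example, not part of the OPNsense repository. Reproduces the three
rule shapes seen in opnsense.social_media.rules / opnsense.uncategorized.rules.
"""
import re

# sid bases observed in the dump; any other category's base is an assumption
# the caller must supply via generate(..., sid_base=...).
SID_BASE = {"social-media": 51000000, "uncategorized": 56000000}
RULES_PER_ENTRY = 3  # dns, http, tls share consecutive sids

DOMAIN_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$")

# .lst content copied from the files above (not constructed).
UNCATEGORIZED_LST = "Youporn uncategorized youporn.com\nPornHub uncategorized pornhub.com\n"
SOCIAL_MEDIA_LST = """\
Classmates social-media classmates.com
Facebook social-media facebook.com
Facebook social-media facebook.net
Facebook social-media fbcdn.net
Foursquare social-media foursquare.com
Friendster social-media friendster.com
Google_plus social-media plus.google.com
Instagram social-media instagram.com
LinkedIn social-media linkedin.com
match_com social-media match.com
MySpace social-media myspace.com
MySpace social-media myspacecdn.com
Orkut social-media orkut.com
Pinterest social-media pinterest.com
Reddit social-media reddit.com
Renren social-media renren.com
TwitPic social-media twitpic.com
Twitter social-media twitter.com
VKontakte social-media vkontakte.ru
Xing social-media xing.com
"""


def msg_prefix(category):
    """'social-media' -> 'OPN_Social_Media' (assumed rule; matches the msgs on the page)."""
    return "OPN_" + "_".join(part.capitalize() for part in category.split("-"))


def parse_lst(text, category):
    """Return [(name, domain), ...]; enforce one category per file; lower-case domains.

    Lower-casing matters: the http_uri/tls_sni rules carry no 'nocase', so an
    entry such as 'AMC.com' would silently never match an SNI of 'amc.com'.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue  # blank line: tolerated (assumption)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'Name category domain', got {raw!r}")
        name, cat, domain = fields
        if cat != category:
            raise ValueError(f"line {lineno}: category {cat!r} but file is {category!r}")
        domain = domain.lower()
        if not DOMAIN_RE.match(domain):
            raise ValueError(f"line {lineno}: {domain!r} is not a bare domain name")
        entries.append((name, domain))
    return entries


def rules_for(name, domain, category, sid):
    """The dns/http/tls triple for one entry with sids sid, sid+1, sid+2.

    content:"xing.com" is a substring match, so it also fires on boxing.com;
    the leading '#' leaves the rule disabled, exactly as in the shipped files.
    """
    p = msg_prefix(category)
    return [
        f'#alert dns any any -> any 53 (msg:"{p} - {name} - DNS request for {domain}"; '
        f'dns_query; content:"{domain}"; nocase; classtype:{category}; sid:{sid};)',
        f'#alert http any any -> any $HTTP_PORTS (msg:"{p} - {name} - Related URL ({domain})"; '
        f'content:"{domain}"; http_uri; flow:to_server,established; '
        f'classtype:{category}; sid:{sid + 1}; rev:1;)',
        f'#alert tls any any -> any any (msg:"{p} - {name} - Related TLS SNI ({domain})"; '
        f'tls_sni; content:"{domain}"; flow:to_server,established; '
        f'classtype:{category}; sid:{sid + 2}; rev:1;)',
    ]


def generate(lst_text, category, sid_base=None):
    """Whole .rules file for one .lst file; sid = base + 3 * line index."""
    base = SID_BASE[category] if sid_base is None else sid_base
    rules = []
    for index, (name, domain) in enumerate(parse_lst(lst_text, category)):
        rules.extend(rules_for(name, domain, category, base + RULES_PER_ENTRY * index))
    return rules


if __name__ == "__main__":
    print("\n".join(generate(UNCATEGORIZED_LST, "uncategorized")))
```

Running it on uncategorized.lst reproduces sids 56000000 through 56000005 as in opnsense.uncategorized.rules, and on social-media.lst it puts VKontakte at 51000054 and Xing at 51000057, matching the file above. Two practical caveats the generated rules inherit: the content match is a plain substring, so a short domain will also match longer domains that contain it, and only the DNS rule is case-insensitive, which is why the script lower-cases every domain before emitting it.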