alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY request to .xxx TLD"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"|2E|xxx|0D 0A|"; fast_pattern; http_header; within:100; reference:url,en.wikipedia.org/wiki/.xxx; classtype:policy-violation; sid:2012694; rev:4;)

Added 2012-01-16 19:46:57 UTC

False Positive: This also triggers on other links which have ".xxx" but may not be sexually explicit content. E.g., the following URL triggered the rule for me: http://count.xxxssk.com/s?isentrance=true&guid=e18d9627-87b7-5360-e87c-c24f7004ecc5&resolution

-- RaviSankar - 2017-01-03


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY request to .xxx TLD"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"|2E|xxx|0D 0A|"; http_header; distance:0; reference:url,en.wikipedia.org/wiki/.xxx; classtype:policy-violation; sid:2012694; rev:2;)

Added 2011-10-12 19:34:59 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY request to .xxx TLD"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"|2E|xxx|0D 0A|"; http_header; distance:0; classtype:policy-violation; reference:url,en.wikipedia.org/wiki/.xxx; sid:2012694; rev:2;)

Added 2011-04-20 16:13:11 UTC
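
An added example (not part of the ET rule set or of this page's original content): a Python emulation of the two content matches in rev 2 (distance:0) and rev 4 (within:100) of sid 2012694, run over constructed header blocks, next to a hypothetical stricter check, host_is_xxx, that parses the Host value. It assumes raw header bytes and does not reproduce Snort's http_header normalization.

```python
# Added example: emulates only the two content matches of sid 2012694 on a raw
# header block. Snort's http_header normalization is not reproduced.
HOST = b"Host: "       # content:"Host|3a 20|"
TLD = b".xxx\r\n"      # content:"|2E|xxx|0D 0A|"


def rule_matches(headers, within=None):
    """within=None models rev 2 (distance:0); within=100 models rev 4."""
    start = 0
    while (i := headers.find(HOST, start)) != -1:
        cursor = i + len(HOST)              # end of the first content match
        j = headers.find(TLD, cursor)       # first later occurrence
        if j != -1 and (within is None or j + len(TLD) <= cursor + within):
            return True
        start = i + 1                       # retry from a later "Host: "
    return False


def host_is_xxx(headers):
    """Stricter check (assumption, not an ET rule): parse the Host value."""
    for line in headers.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().lower().split(b":")[0]   # drop any :port
            return host.rstrip(b".").endswith(b".xxx")
    return False


# Constructed header blocks, not captured traffic.
SAMPLES = {
    "xxx_host": b"Host: example.xxx\r\nAccept: */*\r\n\r\n",
    "near_header": b"Host: www.example.com\r\nX-Tag: build.xxx\r\n\r\n",
    "far_header": b"Host: www.example.com\r\nCookie: " + b"a" * 120
                  + b"\r\nX-Tag: build.xxx\r\n\r\n",
    "xxx_with_port": b"Host: example.xxx:8080\r\nAccept: */*\r\n\r\n",
}


def evaluate():
    """Return {name: (rev2, rev4, parsed_host_check)} for every sample."""
    return {n: (rule_matches(h), rule_matches(h, 100), host_is_xxx(h))
            for n, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14} rev2={result[0]} rev4={result[1]} host={result[2]}")
```

Neither content match is tied to the end of the Host line itself, so a later header ending in ".xxx" satisfies the emulated rule, while a Host value carrying an explicit port does not.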


Topic revision: r2 - 2017-01-03 - RaviSankar
 
Copyright © Emerging Threats