alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - checkip.dyndns.org"; flow:established,to_server; content:"checkip.dyndns.org"; fast_pattern; http_host; depth:18; isdataat:!1,relative; classtype:policy-violation; sid:2021378; rev:3; metadata:created_at 2015_07_02, updated_at 2015_07_02;)

Added 2018-09-13 19:51:25 UTC

We are finding that traffic from NVIDIA Network Service will do a lookup to checkip.dyndns.org. Can this rule look for Nvidia domains within a 30-second window? services.gfe.nvidia.com, www.nvidia.com

-- GaryBlackwell - 2018-11-29
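One way to do the correlation asked about in the comment above without changing the rule: an added Python example (not part of the ET ruleset or of the original page) that post-processes Suricata EVE JSON and labels sid 2021378 alerts by whether the same source IP contacted one of the two NVIDIA names within 30 seconds. The sample records are constructed, and the labels `nvidia-correlated` and `review` are hypothetical names.

```python
import json
from datetime import datetime, timedelta

SID = 2021378  # sid of the checkip.dyndns.org rule on this page
NVIDIA_HOSTS = {"services.gfe.nvidia.com", "www.nvidia.com"}  # names from the comment
WINDOW = timedelta(seconds=30)

# Constructed EVE-style records (not real traffic); field names follow eve.json.
SAMPLE_EVE = """\
{"timestamp":"2018-09-13T19:50:01.000000+0000","event_type":"tls","src_ip":"10.0.0.5","tls":{"sni":"services.gfe.nvidia.com"}}
{"timestamp":"2018-09-13T19:50:12.000000+0000","event_type":"alert","src_ip":"10.0.0.5","alert":{"signature_id":2021378}}
{"timestamp":"2018-09-13T19:55:00.000000+0000","event_type":"alert","src_ip":"10.0.0.9","alert":{"signature_id":2021378}}
{"timestamp":"2018-09-13T19:56:10.000000+0000","event_type":"http","src_ip":"10.0.0.9","http":{"hostname":"www.nvidia.com"}}
{"timestamp":"2018-09-13T19:58:00.000000+0000","event_type":"alert","src_ip":"10.0.0.7","alert":{"signature_id":2021378}}
{"timestamp":"2018-09-13T19:58:05.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dns":{"rrname":"WWW.NVIDIA.COM."}}
"""

def _ts(rec):
    """Parse the EVE timestamp, including its +0000 style offset."""
    return datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")

def _host(rec):
    """Return the normalized name carried by an http, tls or dns record, else ''."""
    name = (rec.get("http", {}).get("hostname")
            or rec.get("tls", {}).get("sni")
            or rec.get("dns", {}).get("rrname") or "")
    return name.rstrip(".").lower()

def triage(lines, window=WINDOW):
    """Label each SID alert by whether its source IP touched an NVIDIA name nearby."""
    recs = [json.loads(l) for l in lines.splitlines() if l.strip()]
    nvidia = {}  # src_ip -> timestamps at which an NVIDIA name was seen
    for r in recs:
        if _host(r) in NVIDIA_HOSTS:
            nvidia.setdefault(r["src_ip"], []).append(_ts(r))
    out = []
    for r in recs:
        if r.get("event_type") == "alert" and r["alert"]["signature_id"] == SID:
            # Look both before and after the alert: lookup order is not guaranteed.
            near = any(abs(_ts(r) - t) <= window for t in nvidia.get(r["src_ip"], []))
            out.append((r["src_ip"], "nvidia-correlated" if near else "review"))
    return out

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_EVE):
        print(src, verdict)
```

A correlated alert is better lowered in priority than dropped, since a host running NVIDIA software can still make the same lookup for other reasons.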


Added 2018-09-13 18:00:12 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - checkip.dyndns.org"; flow:established,to_server; content:"Host|3A 20|checkip.dyndns.org|0d 0a|"; fast_pattern:only; http_header; classtype:policy-violation; sid:2021378; rev:2; metadata:created_at 2015_07_02, updated_at 2015_07_02;)

Added 2017-08-07 21:16:05 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - checkip.dyndns.org"; flow:established,to_server; content:"Host|3A 20|checkip.dyndns.org|0d 0a|"; fast_pattern:only; http_header; classtype:policy-violation; sid:2021378; rev:2;)

Added 2015-07-02 17:52:37 UTC


Topic revision: r2 - 2018-11-29 - GaryBlackwell
 