SIG: CloudFlare Tunnel DNS Query For argotunnel.com

kevross33 · August 9, 2023, 4:57pm

alert udp $HOME_NET any → any 53 (msg:“ET POLICY CloudFlare Tunnel DNS Query For argotunnel.com”; content:“|0A|argotunnel|03|com”; fast_pattern:only; classtype:policy-violation; reference:url,Tunnel Vision: CloudflareD AbuseD in the WilD | GuidePoint Security; sid:123111; rev:1;)

Kind Regards,
Kevin Ross

ishaughnessy · August 9, 2023, 5:39pm

Thanks Kevin! We’ll get this in today’s release!

rgonzalez · August 14, 2023, 8:07pm

This is SID 2047122 (DNS query) and 2047123 (TLS SNI observed), thanks @kevross33 @ishaughnessy !

Topic		Replies	Views
SIG: TryCloudFlare in SNI Rule Signatures	1	66	December 10, 2024
ViperSoftX C2 domains Rule Signatures	4	385	January 10, 2023
Ruleset Update Summary - 2023/08/09 - v10390 Ruleset Updates	0	311	August 9, 2023
Weekly Community Review - September 21, 2023 Announcements	0	288	September 22, 2023
Daily Ruleset Update Summary 2022/09/22 Ruleset Updates	0	132	September 22, 2022