SIG: CloudFlare Tunnel DNS Query For

alert udp $HOME_NET any → any 53 (msg:“ET POLICY CloudFlare Tunnel DNS Query For”; content:“|0A|argotunnel|03|com”; fast_pattern:only; classtype:policy-violation; reference:url,Tunnel Vision: CloudflareD AbuseD in the WilD | GuidePoint Security; sid:123111; rev:1;)

Kind Regards,
Kevin Ross

1 Like

Thanks Kevin! We’ll get this in today’s release!

This is SID 2047122 (DNS query) and 2047123 (TLS SNI observed), thanks @kevross33 @ishaughnessy !