alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING TryCloudFlare Domain in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".trycloudflare.com"; endswith; reference:url,Quick Tunnels · Cloudflare Zero Trust docs; reference:url,Threat Actor Abuses Cloudflare Tunnels to Deliver RATs | Proofpoint UK; classtype:misc-activity; sid:156711; rev:1;)
Kind Regards,
Kevin Ross
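
An added example, not part of the original post: the rule's `tls.sni; dotprefix; content:".trycloudflare.com"; endswith;` match logic replayed over Suricata EVE JSON `tls` events, for retro-hunting in logs written before the rule was deployed. The function names and the sample records (documentation IP ranges, made-up hostnames) are constructed for illustration.

```python
import json

SUFFIX = ".trycloudflare.com"  # content string taken from the rule above

def sni_matches(sni: str) -> bool:
    """Mirror dotprefix + endswith: a "." is prepended to the buffer first,
    so the bare apex matches but look-alikes such as "nottrycloudflare.com"
    do not. The rule has no nocase, so the comparison is case-sensitive."""
    return ("." + sni).endswith(SUFFIX)

def hunt(eve_lines):
    """Yield (timestamp, src_ip, sni) for EVE tls events whose SNI matches."""
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or partially written log lines
        if not isinstance(event, dict) or event.get("event_type") != "tls":
            continue
        sni = (event.get("tls") or {}).get("sni")
        if isinstance(sni, str) and sni_matches(sni):
            yield event.get("timestamp"), event.get("src_ip"), sni

# Constructed sample EVE records (not real traffic).
SAMPLE_EVE = [
    '{"timestamp":"2024-01-01T10:00:00+0000","event_type":"tls",'
    '"src_ip":"192.0.2.10","tls":{"sni":"sample-quick-tunnel.trycloudflare.com"}}',
    '{"timestamp":"2024-01-01T10:00:05+0000","event_type":"tls",'
    '"src_ip":"192.0.2.11","tls":{"sni":"trycloudflare.com"}}',
    '{"timestamp":"2024-01-01T10:00:09+0000","event_type":"tls",'
    '"src_ip":"192.0.2.12","tls":{"sni":"nottrycloudflare.com"}}',
    '{"timestamp":"2024-01-01T10:00:12+0000","event_type":"tls",'
    '"src_ip":"192.0.2.13","tls":{"sni":"trycloudflare.com.example.net"}}',
    '{"timestamp":"2024-01-01T10:00:15+0000","event_type":"dns",'
    '"src_ip":"192.0.2.14","dns":{"rrname":"x.trycloudflare.com"}}',
    '{"timestamp":"2024-01-01T10:00:18+0000","event_type":"tls",'
    '"src_ip":"192.0.2.15","tls":{"version":"TLS 1.3"}}',
    '{"timestamp":"2024-01-01T10:00:20+0000","event_type":"tl',
]

if __name__ == "__main__":
    for ts, src, sni in hunt(SAMPLE_EVE):
        print(ts, src, sni)
```
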