opnsense.mail.rules
# opnsense.mail.rules -- Suricata signatures for webmail provider traffic.
#
# Every rule below is prefixed with "#" and therefore disabled; loading this file as-is
# enables nothing. Uncomment the lines for the providers you want to see alerts for.
#
# Layout: each provider domain gets a triplet of rules:
#   - dns:  any -> any 53, dns_query content match, nocase
#   - http: any -> $HTTP_PORTS, http_uri content match, flow:to_server,established
#   - tls:  any -> any (no port restriction), tls_sni content match, flow:to_server,established
# All rules use classtype:mail and sids in the range 54000000-54000086.
#
# Review notes (from reading the rules as written):
#   - The content matches are unanchored substrings. "gmx.de" also matches any longer
#     name that contains it, and "mail.google.com" matches e.g. a subdomain of it;
#     expect alerts on related names, not only the exact domain.
#   - nocase is only set on the dns rules. The http_uri and tls_sni matches are
#     case-sensitive as written, so a mixed-case URI or SNI will not trigger them.
#   - The dns rules carry no rev: keyword while the http/tls rules carry rev:1;
#     adding rev:1 to the dns rules keeps the set consistent when rules are revised.
#   - classtype:mail is not one of the stock Suricata classifications -- confirm it is
#     declared in classification.config before enabling these rules (TODO verify).
#   - Two triplets are duplicated under different family labels; see the inline
#     notes at sid 54000012 and sid 54000069.
#
#alert dns any any -> any 53 (msg:"OPN_Mail - Outlook.com - DNS request for outlook.com"; dns_query; content:"outlook.com"; nocase; classtype:mail; sid:54000000;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Outlook.com - Related URL (outlook.com)"; content:"outlook.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000001; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - Outlook.com - Related TLS SNI (outlook.com)"; tls_sni; content:"outlook.com";flow:to_server,established; classtype:mail; sid:54000002; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - Outlook.com - DNS request for outlook.office365.com"; dns_query; content:"outlook.office365.com"; nocase; classtype:mail; sid:54000003;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Outlook.com - Related URL (outlook.office365.com)"; content:"outlook.office365.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000004; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - Outlook.com - Related TLS SNI (outlook.office365.com)"; tls_sni; content:"outlook.office365.com";flow:to_server,established; classtype:mail; sid:54000005; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - Outlook.com - DNS request for outlook.office.com"; dns_query; content:"outlook.office.com"; nocase; classtype:mail; sid:54000006;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Outlook.com - Related URL (outlook.office.com)"; content:"outlook.office.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000007; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - Outlook.com - Related TLS SNI (outlook.office.com)"; tls_sni; content:"outlook.office.com";flow:to_server,established; classtype:mail; sid:54000008; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - Outlook.com - DNS request for outlook.live.com"; dns_query; content:"outlook.live.com"; nocase; classtype:mail; sid:54000009;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Outlook.com - Related URL (outlook.live.com)"; content:"outlook.live.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000010; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - Outlook.com - Related TLS SNI (outlook.live.com)"; tls_sni; content:"outlook.live.com";flow:to_server,established; classtype:mail; sid:54000011; rev:1;)
# NOTE(review): sid 54000012-54000014 repeat the outlook.live.com matches of sid 54000009-54000011
# under the "Hotmail" label. If both groups are enabled, one DNS lookup / request / handshake
# raises two alerts with different sids and messages.
#alert dns any any -> any 53 (msg:"OPN_Mail - Hotmail - DNS request for outlook.live.com"; dns_query; content:"outlook.live.com"; nocase; classtype:mail; sid:54000012;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Hotmail - Related URL (outlook.live.com)"; content:"outlook.live.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000013; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - Hotmail - Related TLS SNI (outlook.live.com)"; tls_sni; content:"outlook.live.com";flow:to_server,established; classtype:mail; sid:54000014; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - GMX - DNS request for gmx.de"; dns_query; content:"gmx.de"; nocase; classtype:mail; sid:54000015;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - GMX - Related URL (gmx.de)"; content:"gmx.de"; http_uri; flow:to_server,established; classtype:mail; sid:54000016; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - GMX - Related TLS SNI (gmx.de)"; tls_sni; content:"gmx.de";flow:to_server,established; classtype:mail; sid:54000017; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - GMX - DNS request for gmx.at"; dns_query; content:"gmx.at"; nocase; classtype:mail; sid:54000018;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - GMX - Related URL (gmx.at)"; content:"gmx.at"; http_uri; flow:to_server,established; classtype:mail; sid:54000019; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - GMX - Related TLS SNI (gmx.at)"; tls_sni; content:"gmx.at";flow:to_server,established; classtype:mail; sid:54000020; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - GMX - DNS request for gmx.ch"; dns_query; content:"gmx.ch"; nocase; classtype:mail; sid:54000021;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - GMX - Related URL (gmx.ch)"; content:"gmx.ch"; http_uri; flow:to_server,established; classtype:mail; sid:54000022; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - GMX - Related TLS SNI (gmx.ch)"; tls_sni; content:"gmx.ch";flow:to_server,established; classtype:mail; sid:54000023; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - GMX - DNS request for gmx.co"; dns_query; content:"gmx.co"; nocase; classtype:mail; sid:54000024;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - GMX - Related URL (gmx.co)"; content:"gmx.co"; http_uri; flow:to_server,established; classtype:mail; sid:54000025; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - GMX - Related TLS SNI (gmx.co)"; tls_sni; content:"gmx.co";flow:to_server,established; classtype:mail; sid:54000026; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - GMX - DNS request for gmx.net"; dns_query; content:"gmx.net"; nocase; classtype:mail; sid:54000027;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - GMX - Related URL (gmx.net)"; content:"gmx.net"; http_uri; flow:to_server,established; classtype:mail; sid:54000028; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - GMX - Related TLS SNI (gmx.net)"; tls_sni; content:"gmx.net";flow:to_server,established; classtype:mail; sid:54000029; rev:1;)
# NOTE(review): the "gmx.co" matches above (sid 54000024-54000026) are substrings of
# "gmx.co.uk" below, so gmx.co.uk traffic fires both groups when both are enabled.
#alert dns any any -> any 53 (msg:"OPN_Mail - GMX - DNS request for gmx.co.uk"; dns_query; content:"gmx.co.uk"; nocase; classtype:mail; sid:54000030;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - GMX - Related URL (gmx.co.uk)"; content:"gmx.co.uk"; http_uri; flow:to_server,established; classtype:mail; sid:54000031; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - GMX - Related TLS SNI (gmx.co.uk)"; tls_sni; content:"gmx.co.uk";flow:to_server,established; classtype:mail; sid:54000032; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - mail.ru - DNS request for mail.ru"; dns_query; content:"mail.ru"; nocase; classtype:mail; sid:54000033;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - mail.ru - Related URL (mail.ru)"; content:"mail.ru"; http_uri; flow:to_server,established; classtype:mail; sid:54000034; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - mail.ru - Related TLS SNI (mail.ru)"; tls_sni; content:"mail.ru";flow:to_server,established; classtype:mail; sid:54000035; rev:1;)
# NOTE(review): "mail.ru" (sid 54000033-54000035) is also a substring of "attachmail.ru" and
# "imgsmail.ru" below, so those hosts trigger the generic mail.ru rules as well.
#alert dns any any -> any 53 (msg:"OPN_Mail - mail.ru - DNS request for attachmail.ru"; dns_query; content:"attachmail.ru"; nocase; classtype:mail; sid:54000036;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - mail.ru - Related URL (attachmail.ru)"; content:"attachmail.ru"; http_uri; flow:to_server,established; classtype:mail; sid:54000037; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - mail.ru - Related TLS SNI (attachmail.ru)"; tls_sni; content:"attachmail.ru";flow:to_server,established; classtype:mail; sid:54000038; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - mail.ru - DNS request for imgsmail.ru"; dns_query; content:"imgsmail.ru"; nocase; classtype:mail; sid:54000039;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - mail.ru - Related URL (imgsmail.ru)"; content:"imgsmail.ru"; http_uri; flow:to_server,established; classtype:mail; sid:54000040; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - mail.ru - Related TLS SNI (imgsmail.ru)"; tls_sni; content:"imgsmail.ru";flow:to_server,established; classtype:mail; sid:54000041; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - Gmail - DNS request for mail.google.com"; dns_query; content:"mail.google.com"; nocase; classtype:mail; sid:54000042;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Gmail - Related URL (mail.google.com)"; content:"mail.google.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000043; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - Gmail - Related TLS SNI (mail.google.com)"; tls_sni; content:"mail.google.com";flow:to_server,established; classtype:mail; sid:54000044; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - Gmail - DNS request for gmail.com"; dns_query; content:"gmail.com"; nocase; classtype:mail; sid:54000045;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Gmail - Related URL (gmail.com)"; content:"gmail.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000046; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - Gmail - Related TLS SNI (gmail.com)"; tls_sni; content:"gmail.com";flow:to_server,established; classtype:mail; sid:54000047; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - Yahoo_Mail - DNS request for mail.yahoo.com"; dns_query; content:"mail.yahoo.com"; nocase; classtype:mail; sid:54000048;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Yahoo_Mail - Related URL (mail.yahoo.com)"; content:"mail.yahoo.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000049; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - Yahoo_Mail - Related TLS SNI (mail.yahoo.com)"; tls_sni; content:"mail.yahoo.com";flow:to_server,established; classtype:mail; sid:54000050; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - Yahoo_Mail - DNS request for mail.yahoo.de"; dns_query; content:"mail.yahoo.de"; nocase; classtype:mail; sid:54000051;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Yahoo_Mail - Related URL (mail.yahoo.de)"; content:"mail.yahoo.de"; http_uri; flow:to_server,established; classtype:mail; sid:54000052; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - Yahoo_Mail - Related TLS SNI (mail.yahoo.de)"; tls_sni; content:"mail.yahoo.de";flow:to_server,established; classtype:mail; sid:54000053; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for login.aol.com"; dns_query; content:"login.aol.com"; nocase; classtype:mail; sid:54000054;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (login.aol.com)"; content:"login.aol.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000055; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (login.aol.com)"; tls_sni; content:"login.aol.com";flow:to_server,established; classtype:mail; sid:54000056; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.de"; dns_query; content:"mail.aol.de"; nocase; classtype:mail; sid:54000057;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.de)"; content:"mail.aol.de"; http_uri; flow:to_server,established; classtype:mail; sid:54000058; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.de)"; tls_sni; content:"mail.aol.de";flow:to_server,established; classtype:mail; sid:54000059; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.in"; dns_query; content:"mail.aol.in"; nocase; classtype:mail; sid:54000060;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.in)"; content:"mail.aol.in"; http_uri; flow:to_server,established; classtype:mail; sid:54000061; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.in)"; tls_sni; content:"mail.aol.in";flow:to_server,established; classtype:mail; sid:54000062; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.com"; dns_query; content:"mail.aol.com"; nocase; classtype:mail; sid:54000063;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.com)"; content:"mail.aol.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000064; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.com)"; tls_sni; content:"mail.aol.com";flow:to_server,established; classtype:mail; sid:54000065; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.ca"; dns_query; content:"mail.aol.ca"; nocase; classtype:mail; sid:54000066;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.ca)"; content:"mail.aol.ca"; http_uri; flow:to_server,established; classtype:mail; sid:54000067; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.ca)"; tls_sni; content:"mail.aol.ca";flow:to_server,established; classtype:mail; sid:54000068; rev:1;)
# NOTE(review): sid 54000069-54000071 are an exact repeat of the mail.aol.in triplet at
# sid 54000060-54000062 (same msg, same content, same label). Enabling both yields duplicate
# alerts per event; one of the two groups can be dropped.
#alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.in"; dns_query; content:"mail.aol.in"; nocase; classtype:mail; sid:54000069;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.in)"; content:"mail.aol.in"; http_uri; flow:to_server,established; classtype:mail; sid:54000070; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.in)"; tls_sni; content:"mail.aol.in";flow:to_server,established; classtype:mail; sid:54000071; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.fr"; dns_query; content:"mail.aol.fr"; nocase; classtype:mail; sid:54000072;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.fr)"; content:"mail.aol.fr"; http_uri; flow:to_server,established; classtype:mail; sid:54000073; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.fr)"; tls_sni; content:"mail.aol.fr";flow:to_server,established; classtype:mail; sid:54000074; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - AOL_Mail - DNS request for mail.aol.jp"; dns_query; content:"mail.aol.jp"; nocase; classtype:mail; sid:54000075;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - AOL_Mail - Related URL (mail.aol.jp)"; content:"mail.aol.jp"; http_uri; flow:to_server,established; classtype:mail; sid:54000076; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - AOL_Mail - Related TLS SNI (mail.aol.jp)"; tls_sni; content:"mail.aol.jp";flow:to_server,established; classtype:mail; sid:54000077; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - Apple_Mail - DNS request for mail.me.com"; dns_query; content:"mail.me.com"; nocase; classtype:mail; sid:54000078;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Apple_Mail - Related URL (mail.me.com)"; content:"mail.me.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000079; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - Apple_Mail - Related TLS SNI (mail.me.com)"; tls_sni; content:"mail.me.com";flow:to_server,established; classtype:mail; sid:54000080; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - Hushmail - DNS request for hushmail.com"; dns_query; content:"hushmail.com"; nocase; classtype:mail; sid:54000081;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - Hushmail - Related URL (hushmail.com)"; content:"hushmail.com"; http_uri; flow:to_server,established; classtype:mail; sid:54000082; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - Hushmail - Related TLS SNI (hushmail.com)"; tls_sni; content:"hushmail.com";flow:to_server,established; classtype:mail; sid:54000083; rev:1;)
#alert dns any any -> any 53 (msg:"OPN_Mail - T-Online_Mail - DNS request for e-mail.t-online.de"; dns_query; content:"e-mail.t-online.de"; nocase; classtype:mail; sid:54000084;)
#alert http any any -> any $HTTP_PORTS (msg:"OPN_Mail - T-Online_Mail - Related URL (e-mail.t-online.de)"; content:"e-mail.t-online.de"; http_uri; flow:to_server,established; classtype:mail; sid:54000085; rev:1;)
#alert tls any any -> any any (msg:"OPN_Mail - T-Online_Mail - Related TLS SNI (e-mail.t-online.de)"; tls_sni; content:"e-mail.t-online.de";flow:to_server,established; classtype:mail; sid:54000086; rev:1;)