# MIT License
# 
# Copyright (c) 2017 Open Information Security Foundation
# 
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# 
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
# 
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: bing"; tls_sni; content:"bing.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/bing; flowbits:set,traffic/label/search; noalert; sid:300000000; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: facebook"; tls_sni; content:"facebook.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/facebook; flowbits:set,traffic/label/social-network; noalert; sid:300000001; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: facebook"; tls_sni; content:"facebook.net"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/facebook; flowbits:set,traffic/label/social-network; noalert; sid:300000002; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: facebook"; tls_sni; content:"fbcdn.net"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/facebook; flowbits:set,traffic/label/social-network; noalert; sid:300000003; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: facebook"; tls_sni; content:"fbcdn.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/facebook; flowbits:set,traffic/label/social-network; noalert; sid:300000004; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: facebook"; tls_sni; content:"fbsbx.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/facebook; flowbits:set,traffic/label/social-network; noalert; sid:300000005; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: facebook-messenger"; tls_sni; content:"edge-chat.facebook.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/facebook-messenger; flowbits:set,traffic/label/im; noalert; sid:300000006; rev:1;)
alert tls any any -> any [993] (msg:"SURICATA TRAFFIC-ID: gmail"; tls_sni; content:"pop.gmail.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/gmail; flowbits:set,traffic/label/mail; flowbits:set,traffic/label/pop3; noalert; sid:300000007; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: google"; tls_sni; content:"google.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/google; flowbits:set,traffic/label/search; noalert; sid:300000008; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: google"; tls_sni; content:"googleapis.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/google; flowbits:set,traffic/label/search; noalert; sid:300000009; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: google"; tls_sni; content:"googlevideo.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/google; flowbits:set,traffic/label/search; noalert; sid:300000010; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: google"; tls_sni; content:"googleusercontent.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/google; flowbits:set,traffic/label/search; noalert; sid:300000011; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: google"; tls_sni; content:"google.cz"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/google; flowbits:set,traffic/label/search; noalert; sid:300000012; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: google"; tls_sni; content:"gstatic.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/google; flowbits:set,traffic/label/search; noalert; sid:300000013; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: google-video"; tls_sni; content:"googlevideo.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/google-video; flowbits:set,traffic/label/video; noalert; sid:300000014; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: irccloud"; tls_sni; content:"irccloud.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/irccloud; noalert; sid:300000015; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: lastpass"; tls_sni; content:"lastpass.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/lastpass; flowbits:set,traffic/label/password-management; noalert; sid:300000016; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: whisper"; tls_sni; content:"whispersystems.org"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/whisper; flowbits:set,traffic/label/im; noalert; sid:300000017; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: netflix"; tls_sni; content:"netflix.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/netflix; flowbits:set,traffic/label/video; noalert; sid:300000018; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: netflix"; tls_sni; content:"nflxso.net"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/netflix; flowbits:set,traffic/label/video; noalert; sid:300000019; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: netflix"; tls_sni; content:"nflxext.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/netflix; flowbits:set,traffic/label/video; noalert; sid:300000020; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: netflix"; tls_sni; content:"nflxvideo.net"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/netflix; flowbits:set,traffic/label/video; noalert; sid:300000021; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: skype"; tls_sni; content:"skype.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/skype; flowbits:set,traffic/label/im; noalert; sid:300000022; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: skype"; tls_sni; content:"skypeassets.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/skype; flowbits:set,traffic/label/im; noalert; sid:300000023; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: snapchat"; tls_sni; content:"feelinsonice.appspot.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/snapchat; flowbits:set,traffic/label/im; noalert; sid:300000024; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: snapchat"; tls_sni; content:"feelinsonice-hrd.appspot.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/snapchat; flowbits:set,traffic/label/im; noalert; sid:300000025; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: snapchat"; tls_sni; content:"snapchat.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/snapchat; flowbits:set,traffic/label/im; noalert; sid:300000026; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: twitter"; tls_sni; content:"twitter.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/twitter; flowbits:set,traffic/label/social-network; noalert; sid:300000027; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: twitter"; tls_sni; content:"twimg.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/twitter; flowbits:set,traffic/label/social-network; noalert; sid:300000028; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: whatsapp"; tls_sni; content:"whatsapp.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/whatsapp; flowbits:set,traffic/label/im; flowbits:set,traffic/label/file-transfer; noalert; sid:300000029; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: instagram"; tls_sni; content:"instagram.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/instagram; flowbits:set,traffic/label/social-network; noalert; sid:300000030; rev:1;)
alert tls any any -> any any (msg:"SURICATA TRAFFIC-ID: instagram"; tls_sni; content:"cdninstagram.com"; isdataat:!1,relative; flow:to_server,established; flowbits: set,traffic/id/instagram; flowbits:set,traffic/label/social-network; noalert; sid:300000031; rev:1;)
alert http any any -> any any (msg:"SURICATA TRAFFIC-ID: Debian APT-GET"; content:"debian.org"; http_host; content:"Debian APT"; http_user_agent; flow:to_server,established; flowbits:set,traffic/id/debian-apt; flowbits:set,traffic/label/software-update; noalert; sid:300000032;)
alert http any any -> any any (msg:"SURICATA TRAFFIC-ID: Ubuntu APT-GET"; content:"ubuntu.com"; http_host; content:"Debian APT"; http_user_agent; flow:to_server,established; flowbits:set,traffic/id/ubuntu-apt; flowbits:set,traffic/label/software-update; noalert; sid:300000033;)