From 1d21449edb166df0d8097556ef297add6fca4e7a Mon Sep 17 00:00:00 2001
From: Travis Green
Date: Wed, 31 Jul 2019 19:19:12 -0600
Subject: [PATCH] Correction to 3222.org

Corrected 3222.org to 3322.org per issue #5
---
dyndns-dns.rules | 22 ++++++++--------
dyndns-drop.rules | 22 ++++++++--------
dyndns-http-alert-and-drop.rules | 22 ++++++++--------
dyndns-http-alert.rules | 22 ++++++++--------
dyndns-tls.rules | 44 ++++++++++++++++----------------
dyndns.rules | 22 ++++++++--------
6 files changed, 77 insertions(+), 77 deletions(-)

diff --git a/dyndns-dns.rules b/dyndns-dns.rules
index 45f9e39..c902a38 100644
--- a/dyndns-dns.rules
+++ b/dyndns-dns.rules
@@ -1067,17 +1067,17 @@ alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query ChangeIP.com d
 alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query ChangeIP.com domain ygto.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|ygto|03|com|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111066; rev:1;)
 alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to DYNU.com domain dynu.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|dynu|03|com|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111067; rev:1;)
 alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to DYNU.com domain dynu.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|dynu|03|net|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111068; rev:1;)
-alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3222.org domain 6600.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|6600|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111069; rev:1;)
-alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3222.org domain 7766.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|7766|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111070; rev:1;)
-alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3222.org domain 8800.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|8800|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111071; rev:1;)
-alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3222.org domain webok.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|webok|03|net|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111072; rev:1;)
-alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3222.org domain 2288.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|2288|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111073; rev:1;)
-alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3222.org domain 9966.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|9966|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111074; rev:1;)
-alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3222.org domain 8866.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|8866|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111075; rev:1;)
-alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3222.org domain 3322.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|3322|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111076; rev:1;)
-alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3222.org domain f3322.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|f3322|03|net|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111077; rev:1;)
-alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3222.org domain eatuo.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|eatuo|03|com|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111078; rev:1;)
-alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3222.org domain x3322.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|x3322|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111079; rev:1;)
+alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org domain 6600.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|6600|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111069; rev:1;)
+alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org domain 7766.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|7766|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111070; rev:1;)
+alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org domain 8800.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|8800|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111071; rev:1;)
+alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org domain webok.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|webok|03|net|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111072; rev:1;)
+alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org domain 2288.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|2288|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111073; rev:1;)
+alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org domain 9966.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|9966|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111074; rev:1;)
+alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org domain 8866.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|8866|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111075; rev:1;)
+alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org domain 3322.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|3322|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111076; rev:1;)
+alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org domain f3322.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|f3322|03|net|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111077; rev:1;)
+alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org domain eatuo.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|eatuo|03|com|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111078; rev:1;)
+alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org domain x3322.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|x3322|03|org|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111079; rev:1;)
 alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to Freenom domain co.vu"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|vu|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111080; rev:1;)
 alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to Freenom domain gq"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|gq|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111081; rev:1;)
 alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to Freenom domain ml"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ml|00|"; nocase; fast_pattern:only; classtype:misc-activity; sid:10111082; rev:1;)
diff --git a/dyndns-drop.rules b/dyndns-drop.rules
index 0411fb0..394cbe6 100644
--- a/dyndns-drop.rules
+++ b/dyndns-drop.rules
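Review bot: The eleven added rules in this hunk (sid 10111069 through 10111079) change the msg text but keep `rev:1;`, so rule-management tooling and anyone comparing rulesets by sid/rev cannot tell that these rules were modified; each edited rule should bump its revision, e.g. `sid:10111069; rev:2;`. The same applies to the added lines in the dyndns-drop.rules, dyndns-http-alert-and-drop.rules, dyndns-http-alert.rules and dyndns-tls.rules hunks of this patch. The content matches and the other options are untouched here, so detection behaviour is unchanged and only the alert text is affected. If the repository deliberately keeps rev fixed across cosmetic edits, a short note in the file header stating that convention would help the next reviewer.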
@@ -1067,17 +1067,17 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Req
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to ChangeIP.com domain ygto.com"; flow:established,to_server; content:".ygto.com"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011066; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to DYNU.com domain dynu.com"; flow:established,to_server; content:".dynu.com"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011067; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to DYNU.com domain dynu.net"; flow:established,to_server; content:".dynu.net"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011068; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 6600.org"; flow:established,to_server; content:".6600.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011069; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 7766.org"; flow:established,to_server; content:".7766.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011070; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 8800.org"; flow:established,to_server; content:".8800.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011071; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain webok.net"; flow:established,to_server; content:".webok.net"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011072; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 2288.org"; flow:established,to_server; content:".2288.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011073; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 9966.org"; flow:established,to_server; content:".9966.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011074; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 8866.org"; flow:established,to_server; content:".8866.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011075; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 3322.org"; flow:established,to_server; content:".3322.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011076; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain f3322.net"; flow:established,to_server; content:".f3322.net"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011077; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain eatuo.com"; flow:established,to_server; content:".eatuo.com"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011078; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain x3322.org"; flow:established,to_server; content:".x3322.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011079; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 6600.org"; flow:established,to_server; content:".6600.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011069; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 7766.org"; flow:established,to_server; content:".7766.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011070; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 8800.org"; flow:established,to_server; content:".8800.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011071; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain webok.net"; flow:established,to_server; content:".webok.net"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011072; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 2288.org"; flow:established,to_server; content:".2288.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011073; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 9966.org"; flow:established,to_server; content:".9966.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011074; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 8866.org"; flow:established,to_server; content:".8866.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011075; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 3322.org"; flow:established,to_server; content:".3322.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011076; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain f3322.net"; flow:established,to_server; content:".f3322.net"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011077; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain eatuo.com"; flow:established,to_server; content:".eatuo.com"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011078; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain x3322.org"; flow:established,to_server; content:".x3322.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011079; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Freenom domain co.vu"; flow:established,to_server; content:".co.vu"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011080; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Freenom domain gq"; flow:established,to_server; content:".gq"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011081; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Freenom domain ml"; flow:established,to_server; content:".ml"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011082; rev:1; classtype:misc-activity;)
diff --git a/dyndns-http-alert-and-drop.rules b/dyndns-http-alert-and-drop.rules
index f609bf5..c828f12 100644
--- a/dyndns-http-alert-and-drop.rules
+++ b/dyndns-http-alert-and-drop.rules
@@ -1067,17 +1067,17 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Req
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to ChangeIP.com domain ygto.com"; flow:established,to_server; content:".ygto.com"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011066; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to DYNU.com domain dynu.com"; flow:established,to_server; content:".dynu.com"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011067; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to DYNU.com domain dynu.net"; flow:established,to_server; content:".dynu.net"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011068; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 6600.org"; flow:established,to_server; content:".6600.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011069; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 7766.org"; flow:established,to_server; content:".7766.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011070; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 8800.org"; flow:established,to_server; content:".8800.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011071; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain webok.net"; flow:established,to_server; content:".webok.net"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011072; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 2288.org"; flow:established,to_server; content:".2288.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011073; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 9966.org"; flow:established,to_server; content:".9966.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011074; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 8866.org"; flow:established,to_server; content:".8866.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011075; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 3322.org"; flow:established,to_server; content:".3322.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011076; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain f3322.net"; flow:established,to_server; content:".f3322.net"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011077; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain eatuo.com"; flow:established,to_server; content:".eatuo.com"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011078; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain x3322.org"; flow:established,to_server; content:".x3322.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011079; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 6600.org"; flow:established,to_server; content:".6600.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011069; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 7766.org"; flow:established,to_server; content:".7766.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011070; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 8800.org"; flow:established,to_server; content:".8800.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011071; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain webok.net"; flow:established,to_server; content:".webok.net"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011072; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 2288.org"; flow:established,to_server; content:".2288.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011073; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 9966.org"; flow:established,to_server; content:".9966.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011074; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 8866.org"; flow:established,to_server; content:".8866.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011075; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 3322.org"; flow:established,to_server; content:".3322.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011076; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain f3322.net"; flow:established,to_server; content:".f3322.net"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011077; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain eatuo.com"; flow:established,to_server; content:".eatuo.com"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011078; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain x3322.org"; flow:established,to_server; content:".x3322.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011079; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Freenom domain co.vu"; flow:established,to_server; content:".co.vu"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011080; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Freenom domain gq"; flow:established,to_server; content:".gq"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011081; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Freenom domain ml"; flow:established,to_server; content:".ml"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011082; rev:1; classtype:misc-activity;)
diff --git a/dyndns-http-alert.rules b/dyndns-http-alert.rules
index c225de2..4cd9b4c 100644
--- a/dyndns-http-alert.rules
+++ b/dyndns-http-alert.rules
@@ -1067,17 +1067,17 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Req
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to ChangeIP.com domain ygto.com"; flow:established,to_server; content:".ygto.com"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011066; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to DYNU.com domain dynu.com"; flow:established,to_server; content:".dynu.com"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011067; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to DYNU.com domain dynu.net"; flow:established,to_server; content:".dynu.net"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011068; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 6600.org"; flow:established,to_server; content:".6600.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011069; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 7766.org"; flow:established,to_server; content:".7766.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011070; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 8800.org"; flow:established,to_server; content:".8800.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011071; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain webok.net"; flow:established,to_server; content:".webok.net"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011072; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 2288.org"; flow:established,to_server; content:".2288.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011073; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 9966.org"; flow:established,to_server; content:".9966.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011074; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 8866.org"; flow:established,to_server; content:".8866.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011075; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 3322.org"; flow:established,to_server; content:".3322.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011076; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain f3322.net"; flow:established,to_server; content:".f3322.net"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011077; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain eatuo.com"; flow:established,to_server; content:".eatuo.com"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011078; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain x3322.org"; flow:established,to_server; content:".x3322.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011079; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 6600.org"; flow:established,to_server; content:".6600.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011069; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 7766.org"; flow:established,to_server; content:".7766.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011070; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 8800.org"; flow:established,to_server; content:".8800.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011071; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain webok.net"; flow:established,to_server; content:".webok.net"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011072; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 2288.org"; flow:established,to_server; content:".2288.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011073; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 9966.org"; flow:established,to_server; content:".9966.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011074; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 8866.org"; flow:established,to_server; content:".8866.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011075; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 3322.org"; flow:established,to_server; content:".3322.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011076; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain f3322.net"; flow:established,to_server; content:".f3322.net"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011077; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain eatuo.com"; flow:established,to_server; content:".eatuo.com"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011078; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain x3322.org"; flow:established,to_server; content:".x3322.org"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011079; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Freenom domain co.vu"; flow:established,to_server; content:".co.vu"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011080; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Freenom domain gq"; flow:established,to_server; content:".gq"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011081; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Freenom domain ml"; flow:established,to_server; content:".ml"; http_host; isdataat:!1,relative; flowbits:set,ET.DynDNS.HTTP; sid:10011082; rev:1; classtype:misc-activity;)
diff --git a/dyndns-tls.rules b/dyndns-tls.rules
index fed4856..84a8357 100644
--- a/dyndns-tls.rules
+++ b/dyndns-tls.rules
@@ -2136,28 +2136,28 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert f
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for DYNU.com domain dynu.com in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".dynu.com"; fast_pattern; distance:-9; within:9; sid:10122135; rev:1; classtype:misc-activity;)
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for DYNU.com domain dynu.net"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".dynu.net"; distance:-9; within:9; sid:10122136; rev:1; classtype:misc-activity;)
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for DYNU.com domain dynu.net in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".dynu.net"; fast_pattern; distance:-9; within:9; sid:10122137; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 6600.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".6600.org"; distance:-9; within:9; sid:10122138; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 6600.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".6600.org"; fast_pattern; distance:-9; within:9; sid:10122139; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 7766.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".7766.org"; distance:-9; within:9; sid:10122140; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 7766.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".7766.org"; fast_pattern; distance:-9; within:9; sid:10122141; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 8800.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".8800.org"; distance:-9; within:9; sid:10122142; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 8800.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".8800.org"; fast_pattern; distance:-9; within:9; sid:10122143; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain webok.net"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".webok.net"; distance:-10; within:10; sid:10122144; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain webok.net in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".webok.net"; fast_pattern; distance:-10; within:10; sid:10122145; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 2288.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".2288.org"; distance:-9; within:9; sid:10122146; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 2288.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".2288.org"; fast_pattern; distance:-9; within:9; sid:10122147; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 9966.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".9966.org"; distance:-9; within:9; sid:10122148; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 9966.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".9966.org"; fast_pattern; distance:-9; within:9; sid:10122149; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 8866.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".8866.org"; distance:-9; within:9; sid:10122150; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 8866.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".8866.org"; fast_pattern; distance:-9; within:9; sid:10122151; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 3322.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".3322.org"; distance:-9; within:9; sid:10122152; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain 3322.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".3322.org"; fast_pattern; distance:-9; within:9; sid:10122153; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain f3322.net"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".f3322.net"; distance:-10; within:10; sid:10122154; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain f3322.net in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".f3322.net"; fast_pattern; distance:-10; within:10; sid:10122155; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain eatuo.com"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".eatuo.com"; distance:-10; within:10; sid:10122156; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain eatuo.com in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".eatuo.com"; fast_pattern; distance:-10; within:10; sid:10122157; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain x3322.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".x3322.org"; distance:-10; within:10; sid:10122158; rev:1; classtype:misc-activity;)
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3222.org domain x3322.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".x3322.org"; fast_pattern; distance:-10; within:10; sid:10122159; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 6600.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".6600.org"; distance:-9; within:9; sid:10122138; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 6600.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".6600.org"; fast_pattern; distance:-9; within:9; sid:10122139; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 7766.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".7766.org"; distance:-9; within:9; sid:10122140; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 7766.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".7766.org"; fast_pattern; distance:-9; within:9; sid:10122141; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 8800.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".8800.org"; distance:-9; within:9; sid:10122142; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 8800.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".8800.org"; fast_pattern; distance:-9; within:9; sid:10122143; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain webok.net"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".webok.net"; distance:-10; within:10; sid:10122144; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain webok.net in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".webok.net"; fast_pattern; distance:-10; within:10; sid:10122145; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 2288.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".2288.org"; distance:-9; within:9; sid:10122146; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 2288.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".2288.org"; fast_pattern; distance:-9; within:9; sid:10122147; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 9966.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".9966.org"; distance:-9; within:9; sid:10122148; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 9966.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".9966.org"; fast_pattern; distance:-9; within:9; sid:10122149; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 8866.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".8866.org"; distance:-9; within:9; sid:10122150; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 8866.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".8866.org"; fast_pattern; distance:-9; within:9; sid:10122151; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 3322.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".3322.org"; distance:-9; within:9; sid:10122152; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain 3322.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".3322.org"; fast_pattern; distance:-9; within:9; sid:10122153; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain f3322.net"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".f3322.net"; distance:-10; within:10; sid:10122154; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain f3322.net in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".f3322.net"; fast_pattern; distance:-10; within:10; sid:10122155; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain eatuo.com"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".eatuo.com"; distance:-10; within:10; sid:10122156; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain eatuo.com in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".eatuo.com"; fast_pattern; distance:-10; within:10; sid:10122157; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain x3322.org"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".x3322.org"; distance:-10; within:10; sid:10122158; rev:1; classtype:misc-activity;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for 3322.org domain x3322.org in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".x3322.org"; fast_pattern; distance:-10; within:10; sid:10122159; rev:1; classtype:misc-activity;)
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for Freenom domain co.vu"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".co.vu"; distance:-6; within:6; sid:10122160; rev:1; classtype:misc-activity;)
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for Freenom domain co.vu in (SAN)"; flow:established,from_server; content:"|55 1d 11|"; content:"|82|"; distance:0; byte_jump:1,0,relative; content:".co.vu"; fast_pattern; distance:-6; within:6; sid:10122161; rev:1; classtype:misc-activity;)
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for Freenom domain gq"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".gq"; distance:-3; within:3; sid:10122162; rev:1; classtype:misc-activity;)
diff --git a/dyndns.rules b/dyndns.rules
index 64f52e5..8344087 100644
--- a/dyndns.rules
+++ b/dyndns.rules
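Review bot: Every rewritten rule in this hunk keeps `rev:1` even though its msg text changed, e.g. `sid:10122138; rev:1;` on the new 6600.org line, so rule-management tooling that keys on sid/rev will treat the corrected rules as identical to the ones they replace and may not reload them. Bump each touched rule to `rev:2`; the same applies to the dyndns.rules hunk that follows. Only the msg string differs between the removed and added lines, so detection content is unaffected and this is a maintenance point rather than a detection gap.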
@@ -1067,17 +1067,17 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Req
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to ChangeIP.com domain ygto.com"; flow:established,to_server; content:".ygto.com"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011066; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to DYNU.com domain dynu.com"; flow:established,to_server; content:".dynu.com"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011067; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to DYNU.com domain dynu.net"; flow:established,to_server; content:".dynu.net"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011068; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 6600.org"; flow:established,to_server; content:".6600.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011069; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 7766.org"; flow:established,to_server; content:".7766.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011070; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 8800.org"; flow:established,to_server; content:".8800.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011071; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain webok.net"; flow:established,to_server; content:".webok.net"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011072; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 2288.org"; flow:established,to_server; content:".2288.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011073; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 9966.org"; flow:established,to_server; content:".9966.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011074; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 8866.org"; flow:established,to_server; content:".8866.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011075; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain 3322.org"; flow:established,to_server; content:".3322.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011076; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain f3322.net"; flow:established,to_server; content:".f3322.net"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011077; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain eatuo.com"; flow:established,to_server; content:".eatuo.com"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011078; rev:1; classtype:misc-activity;)
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3222.org domain x3322.org"; flow:established,to_server; content:".x3322.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011079; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 6600.org"; flow:established,to_server; content:".6600.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011069; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 7766.org"; flow:established,to_server; content:".7766.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011070; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 8800.org"; flow:established,to_server; content:".8800.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011071; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain webok.net"; flow:established,to_server; content:".webok.net"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011072; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 2288.org"; flow:established,to_server; content:".2288.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011073; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 9966.org"; flow:established,to_server; content:".9966.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011074; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 8866.org"; flow:established,to_server; content:".8866.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011075; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain 3322.org"; flow:established,to_server; content:".3322.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011076; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain f3322.net"; flow:established,to_server; content:".f3322.net"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011077; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain eatuo.com"; flow:established,to_server; content:".eatuo.com"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011078; rev:1; classtype:misc-activity;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to 3322.org domain x3322.org"; flow:established,to_server; content:".x3322.org"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011079; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Freenom domain co.vu"; flow:established,to_server; content:".co.vu"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011080; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Freenom domain gq"; flow:established,to_server; content:".gq"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011081; rev:1; classtype:misc-activity;)
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Freenom domain ml"; flow:established,to_server; content:".ml"; http_host; isdataat:!1,relative; flowbits:noalert; flowbits:set,ET.DynDNS.HTTP; sid:10011082; rev:1; classtype:misc-activity;)