# Sagan cisco-umbrella.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# rules by "Bryant Smith" <[email protected]>
# 03/27/2023
# reference: https://docs.umbrella.com/deployment-umbrella/docs/new-content-category-definitions
# ---------------------------------------------------------------------------
# Cisco Umbrella content-category rules (sids 5011441-5011537, all rev:1,
# all classtype:suspicious-traffic).
#
# One rule per Umbrella content category. A rule fires on a log line whose
# syslog program matches "umbrella*" and which contains BOTH the literal
# string "Allowed" and the literal category name given in its second
# content: clause - i.e. a request that Umbrella categorised as <category>
# but did NOT block. Lines for requests the policy blocked therefore never
# match any rule in this file.
#
# parse_src_ip:1 presumably makes Sagan take the first IP address found in
# the message as the alert's source address; the $HOME_NET -> $HOME_NET
# header is nominal and does not restrict matching on its own - confirm
# against the Sagan parse_src_ip documentation for the deployed version.
#
# Only six categories ship enabled (no leading "#"): Cryptomining (5011458),
# Hacking (5011478), Illegal Activities (5011483), Illegal Downloads
# (5011484), Peer File Transfer (5011508) and Terrorism and Violent
# Extremism (5011537). Every other rule is commented out. Before deploying,
# review in particular the disabled categories that usually matter for
# evasion / exfiltration monitoring: DNS-Tuneling (5011463), DoH and DoT
# (5011464), Dynamic DNS Provider (5011466), Filter Avoidance (5011472),
# Parked Domains (5011507) and Personal VPN (5011510).
#
# NOTE(review): no rule uses nocase or any field anchoring, so each
# content: clause appears to be a plain case-sensitive substring search over
# the whole message, in any order. A category name that is a substring of
# another category name also matches that category's lines - e.g.
# "Education" (5011467) would also fire on "Sex Education" (5011528) lines -
# and a category word appearing in the domain or identity fields could match
# as well. Verify the exact category strings against the Umbrella
# log-format reference linked from each rule before enabling a rule.
# ---------------------------------------------------------------------------
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Adult domain category detected"; program:umbrella*; content:"Allowed"; content:"Adult"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011441; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Advertisements domain category detected"; program:umbrella*; content:"Allowed"; content:"Advertisements"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011442; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Alcohol domain category detected"; program:umbrella*; content:"Allowed"; content:"Alcohol"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011443; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Animals and Pets domain category detected"; program:umbrella*; content:"Allowed"; content:"Animals and Pets"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011444; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Arts domain category detected"; program:umbrella*; content:"Allowed"; content:"Arts"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011445; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Astrology domain category detected"; program:umbrella*; content:"Allowed"; content:"Astrology"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011446; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Auctions domain category detected"; program:umbrella*; content:"Allowed"; content:"Auctions"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011447; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Business and Industry domain category detected"; program:umbrella*; content:"Allowed"; content:"Business and Industry"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011448; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Cannabis domain category detected"; program:umbrella*; content:"Allowed"; content:"Cannabis"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011449; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Chat and Instant Messaging domain category detected"; program:umbrella*; content:"Allowed"; content:"Chat and Instant Messaging"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011450; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Cheating and Plagiarism domain category detected"; program:umbrella*; content:"Allowed"; content:"Cheating and Plagiarism"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011451; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Child Abuse Content domain category detected"; program:umbrella*; content:"Allowed"; content:"Child Abuse Content"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011452; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Cloud and Data Centers domain category detected"; program:umbrella*; content:"Allowed"; content:"Cloud and Data Centers"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011453; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Computer Security domain category detected"; program:umbrella*; content:"Allowed"; content:"Computer Security"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011454; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Computers and Internet domain category detected"; program:umbrella*; content:"Allowed"; content:"Computers and Internet"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011455; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Conventions, Conferences and Trade Shows domain category detected"; program:umbrella*; content:"Allowed"; content:"Conventions, Conferences and Trade Shows"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011456; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Cryptocurrency domain category detected"; program:umbrella*; content:"Allowed"; content:"Cryptocurrency"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011457; rev:1;)
# Enabled by default: an allowed request to a Cryptomining-categorised domain.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Cryptomining domain category detected"; program:umbrella*; content:"Allowed"; content:"Cryptomining"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011458; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Dating domain category detected"; program:umbrella*; content:"Allowed"; content:"Dating"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011459; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Digital Postcards domain category detected"; program:umbrella*; content:"Allowed"; content:"Digital Postcards"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011460; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Dining and Drinking domain category detected"; program:umbrella*; content:"Allowed"; content:"Dining and Drinking"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011461; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DIY Projects domain category detected"; program:umbrella*; content:"Allowed"; content:"DIY Projects"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011462; rev:1;)
# NOTE(review): the content string "DNS-Tuneling" must be the exact category
# text Umbrella emits; if it is a misspelling this rule can never match, so
# verify it against the Umbrella category list before enabling.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DNS-Tuneling domain category detected"; program:umbrella*; content:"Allowed"; content:"DNS-Tuneling"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011463; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DoH and DoT domain category detected"; program:umbrella*; content:"Allowed"; content:"DoH and DoT"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011464; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Dynamic and Residential domain category detected"; program:umbrella*; content:"Allowed"; content:"Dynamic and Residential"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011465; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Dynamic DNS Provider domain category detected"; program:umbrella*; content:"Allowed"; content:"Dynamic DNS Provider"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011466; rev:1;)
# NOTE(review): "Education" is a substring of "Sex Education" (sid 5011528);
# enabling this rule also alerts on that category's lines.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Education domain category detected"; program:umbrella*; content:"Allowed"; content:"Education"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011467; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Entertainment domain category detected"; program:umbrella*; content:"Allowed"; content:"Entertainment"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011468; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Extreme domain category detected"; program:umbrella*; content:"Allowed"; content:"Extreme"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011469; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Fashion domain category detected"; program:umbrella*; content:"Allowed"; content:"Fashion"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011470; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] File Transfer Services domain category detected"; program:umbrella*; content:"Allowed"; content:"File Transfer Services"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011471; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Filter Avoidance domain category detected"; program:umbrella*; content:"Allowed"; content:"Filter Avoidance"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011472; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Finance domain category detected"; program:umbrella*; content:"Allowed"; content:"Finance"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011473; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Freeware and Shareware domain category detected"; program:umbrella*; content:"Allowed"; content:"Freeware and Shareware"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011474; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Gambling domain category detected"; program:umbrella*; content:"Allowed"; content:"Gambling"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011475; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Games domain category detected"; program:umbrella*; content:"Allowed"; content:"Games"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011476; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Government and Law domain category detected"; program:umbrella*; content:"Allowed"; content:"Government and Law"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011477; rev:1;)
# Enabled by default: an allowed request to a Hacking-categorised domain.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Hacking domain category detected"; program:umbrella*; content:"Allowed"; content:"Hacking"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011478; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Hate Speech domain category detected"; program:umbrella*; content:"Allowed"; content:"Hate Speech"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011479; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Health and Medicine domain category detected"; program:umbrella*; content:"Allowed"; content:"Health and Medicine"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011480; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Humor domain category detected"; program:umbrella*; content:"Allowed"; content:"Humor"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011481; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Hunting domain category detected"; program:umbrella*; content:"Allowed"; content:"Hunting"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011482; rev:1;)
# Enabled by default: the two "Illegal ..." categories below (Illegal Drugs,
# sid 5011485, stays disabled).
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Illegal Activities domain category detected"; program:umbrella*; content:"Allowed"; content:"Illegal Activities"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011483; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Illegal Downloads domain category detected"; program:umbrella*; content:"Allowed"; content:"Illegal Downloads"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011484; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Illegal Drugs domain category detected"; program:umbrella*; content:"Allowed"; content:"Illegal Drugs"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011485; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Infrastructure and Content Delivery Networks domain category detected"; program:umbrella*; content:"Allowed"; content:"Infrastructure and Content Delivery Networks"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011486; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Internet of Things domain category detected"; program:umbrella*; content:"Allowed"; content:"Internet of Things"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011487; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Internet Telephony domain category detected"; program:umbrella*; content:"Allowed"; content:"Internet Telephony"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011488; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Job Search domain category detected"; program:umbrella*; content:"Allowed"; content:"Job Search"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011489; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Lingerie and Swimsuits domain category detected"; program:umbrella*; content:"Allowed"; content:"Lingerie and Swimsuits"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011490; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Lotteries domain category detected"; program:umbrella*; content:"Allowed"; content:"Lotteries"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011491; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Military domain category detected"; program:umbrella*; content:"Allowed"; content:"Military"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011492; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Mobile Phones domain category detected"; program:umbrella*; content:"Allowed"; content:"Mobile Phones"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011493; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Museums domain category detected"; program:umbrella*; content:"Allowed"; content:"Museums"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011494; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Nature and Conservation domain category detected"; program:umbrella*; content:"Allowed"; content:"Nature and Conservation"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011495; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] News domain category detected"; program:umbrella*; content:"Allowed"; content:"News"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011496; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Non-governmental Organizations domain category detected"; program:umbrella*; content:"Allowed"; content:"Non-governmental Organizations"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011497; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Non-sexual Nudity domain category detected"; program:umbrella*; content:"Allowed"; content:"Non-sexual Nudity"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011498; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Not Actionable domain category detected"; program:umbrella*; content:"Allowed"; content:"Not Actionable"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011499; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Online Communities domain category detected"; program:umbrella*; content:"Allowed"; content:"Online Communities"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011500; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Online Document Sharing and Collaboration domain category detected"; program:umbrella*; content:"Allowed"; content:"Online Document Sharing and Collaboration"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011501; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Online Meetings domain category detected"; program:umbrella*; content:"Allowed"; content:"Online Meetings"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011502; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Online Storage and Backup domain category detected"; program:umbrella*; content:"Allowed"; content:"Online Storage and Backup"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011503; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Online Trading domain category detected"; program:umbrella*; content:"Allowed"; content:"Online Trading"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011504; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Organizational Email domain category detected"; program:umbrella*; content:"Allowed"; content:"Organizational Email"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011505; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Paranormal domain category detected"; program:umbrella*; content:"Allowed"; content:"Paranormal"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011506; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Parked Domains domain category detected"; program:umbrella*; content:"Allowed"; content:"Parked Domains"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011507; rev:1;)
# Enabled by default: an allowed request to a Peer File Transfer domain.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Peer File Transfer domain category detected"; program:umbrella*; content:"Allowed"; content:"Peer File Transfer"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011508; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Personal Sites domain category detected"; program:umbrella*; content:"Allowed"; content:"Personal Sites"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011509; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Personal VPN domain category detected"; program:umbrella*; content:"Allowed"; content:"Personal VPN"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011510; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Photo Search and Images domain category detected"; program:umbrella*; content:"Allowed"; content:"Photo Search and Images"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011511; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Politics domain category detected"; program:umbrella*; content:"Allowed"; content:"Politics"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011512; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Pornography domain category detected"; program:umbrella*; content:"Allowed"; content:"Pornography"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011513; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Private IP Addresses as Host domain category detected"; program:umbrella*; content:"Allowed"; content:"Private IP Addresses as Host"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011514; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Professional Networking domain category detected"; program:umbrella*; content:"Allowed"; content:"Professional Networking"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011515; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Real Estate domain category detected"; program:umbrella*; content:"Allowed"; content:"Real Estate"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011516; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Recipes and Food domain category detected"; program:umbrella*; content:"Allowed"; content:"Recipes and Food"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011517; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Reference domain category detected"; program:umbrella*; content:"Allowed"; content:"Reference"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011518; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Regional Restricted Sites (Germany) domain category detected"; program:umbrella*; content:"Allowed"; content:"Regional Restricted Sites (Germany)"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011519; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Regional Restricted Sites (Great Britain) domain category detected"; program:umbrella*; content:"Allowed"; content:"Regional Restricted Sites (Great Britain)"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011520; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Regional Restricted Sites (Italy) domain category detected"; program:umbrella*; content:"Allowed"; content:"Regional Restricted Sites (Italy)"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011521; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Regional Restricted Sites (Poland) domain category detected"; program:umbrella*; content:"Allowed"; content:"Regional Restricted Sites (Poland)"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011522; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Religion domain category detected"; program:umbrella*; content:"Allowed"; content:"Religion"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011523; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] SaaS and B2B domain category detected"; program:umbrella*; content:"Allowed"; content:"SaaS and B2B"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011524; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Safe for Kids domain category detected"; program:umbrella*; content:"Allowed"; content:"Safe for Kids"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011525; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Science and Technology domain category detected"; program:umbrella*; content:"Allowed"; content:"Science and Technology"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011526; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Search Engines and Portals domain category detected"; program:umbrella*; content:"Allowed"; content:"Search Engines and Portals"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011527; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Sex Education domain category detected"; program:umbrella*; content:"Allowed"; content:"Sex Education"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011528; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Shopping domain category detected"; program:umbrella*; content:"Allowed"; content:"Shopping"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011529; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Social Networking domain category detected"; program:umbrella*; content:"Allowed"; content:"Social Networking"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011530; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Social Science domain category detected"; program:umbrella*; content:"Allowed"; content:"Social Science"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011531; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Society and Culture domain category detected"; program:umbrella*; content:"Allowed"; content:"Society and Culture"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011532; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Software Updates domain category detected"; program:umbrella*; content:"Allowed"; content:"Software Updates"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011533; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Sports and Recreation domain category detected"; program:umbrella*; content:"Allowed"; content:"Sports and Recreation"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011534; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Streaming Audio domain category detected"; program:umbrella*; content:"Allowed"; content:"Streaming Audio"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011535; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Streaming Video domain category detected"; program:umbrella*; content:"Allowed"; content:"Streaming Video"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011536; rev:1;)
# Enabled by default: an allowed request to a Terrorism and Violent Extremism
# categorised domain.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Terrorism and Violent Extremism domain category detected"; program:umbrella*; content:"Allowed"; content:"Terrorism and Violent Extremism"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011537; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Tobacco domain category detected"; program:umbrella*; content:"Allowed"; content:"Tobacco"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011538; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Transportation domain category detected"; program:umbrella*; content:"Allowed"; content:"Transportation"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011539; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Travel domain category detected"; program:umbrella*; content:"Allowed"; content:"Travel"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011540; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] URL Shorteners domain category detected"; program:umbrella*; content:"Allowed"; content:"URL Shorteners"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011541; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Weapons domain category detected"; program:umbrella*; content:"Allowed"; content:"Weapons"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011542; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Web Cache and Archives domain category detected"; program:umbrella*; content:"Allowed"; content:"Web Cache and Archives"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011543; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Web Hosting domain category detected"; program:umbrella*; content:"Allowed"; content:"Web Hosting"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011544; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Web Page Translation domain category detected"; program:umbrella*; content:"Allowed"; content:"Web Page Translation"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011545; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Web-based Email domain category detected"; program:umbrella*; content:"Allowed"; content:"Web-based Email"; parse_src_ip:1; classtype:suspicious-traffic; reference:url,docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning; sid:5011546; rev:1;)
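# --- Umbrella DNS security-category rules ---
# Each rule fires on a DNS log line that contains the action string
# "Allowed" AND one of Umbrella's security categories (Malware, Command
# Control Callbacks, Phishing Attacks, ...). A security category that was
# allowed rather than blocked presumably means a policy gap (an allow-list
# entry, a monitor-only policy, or a category the policy does not enforce)
# -- worth triage either way. Reference: dns-security-categories doc below.
# Both content matches are substring matches over the whole line, not
# field-anchored; if false positives appear (e.g. a queried domain that
# contains the category word), anchor the match to the category field per
# the log format.
# parse_src_ip:1 pulls the first IP address found in the line as the source.
# NOTE(review): these use classtype:system-event while the content-category
# rules above use suspicious-traffic; an allowed resolution to a Malware or
# Command Control Callbacks domain may deserve a higher classtype. Left
# unchanged here so the classification priorities stay as shipped.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Malware Security Category Detected and Allowed"; program:umbrella*; content:"Allowed"; content:"Malware"; parse_src_ip:1; classtype:system-event; reference:url,https://docs.umbrella.com/deployment-umbrella/docs/dns-security-categories; sid:5014314; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Newly Seen Domains Security Category Detected and Allowed"; program:umbrella*; content:"Allowed"; content:"Newly Seen Domains"; parse_src_ip:1; classtype:system-event; reference:url,https://docs.umbrella.com/deployment-umbrella/docs/dns-security-categories; sid:5014315; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Command Control Callbacks Security Category Detected and Allowed"; program:umbrella*; content:"Allowed"; content:"Command Control Callbacks"; parse_src_ip:1; classtype:system-event; reference:url,https://docs.umbrella.com/deployment-umbrella/docs/dns-security-categories; sid:5014316; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Phishing Attacks Security Category Detected and Allowed"; program:umbrella*; content:"Allowed"; content:"Phishing Attacks"; parse_src_ip:1; classtype:system-event; reference:url,https://docs.umbrella.com/deployment-umbrella/docs/dns-security-categories; sid:5014317; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Dynamic DNS Security Category Detected and Allowed"; program:umbrella*; content:"Allowed"; content:"Dynamic DNS"; parse_src_ip:1; classtype:system-event; reference:url,https://docs.umbrella.com/deployment-umbrella/docs/dns-security-categories; sid:5014318; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Potentially Harmful Domains Security Category Detected and Allowed"; program:umbrella*; content:"Allowed"; content:"Potentially Harmful Domains"; parse_src_ip:1; classtype:system-event; reference:url,https://docs.umbrella.com/deployment-umbrella/docs/dns-security-categories; sid:5014319; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DNS Tunneling VPN Domains Security Category Detected and Allowed"; program:umbrella*; content:"Allowed"; content:"DNS Tunneling VPN"; parse_src_ip:1; classtype:system-event; reference:url,https://docs.umbrella.com/deployment-umbrella/docs/dns-security-categories; sid:5014320; rev:1;)
# rev:2 - the msg previously read "Cryptomining VPN Domains", copied from the
# DNS Tunneling rule above; the content match is "Cryptomining", so the alert
# text now names the category that was actually matched.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] Cryptomining Security Category Detected and Allowed"; program:umbrella*; content:"Allowed"; content:"Cryptomining"; parse_src_ip:1; classtype:system-event; reference:url,https://docs.umbrella.com/deployment-umbrella/docs/dns-security-categories; sid:5014321; rev:2;)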
# --- Umbrella DLP (data loss prevention) rules ---
#References:
#https://docs.umbrella.com/umbrella-user-guide/docs/built-in-data-classifications
#https://cisco.app.box.com/s/j11d2p6yopluazi9xf3ix4msb9tzx0bd
#https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats
# DLP log lines are quoted CSV. |22| is the hex escape for the double-quote
# character, so ",|22|INFO|22|," matches a field whose entire value is INFO
# rather than any line that merely contains the word -- deliberately tighter
# than the substring matches used by the DNS rules above. Each rule requires
# two such fields: the severity and the DLP action (MONITOR here, BLOCK in
# the next section). One rule per severity value listed in the log-format
# reference: INFO, LOW, WARNING, MEDIUM, HIGH, CRITICAL, ALERT.
# parse_src_ip:1 pulls the first IP address in the line as the source;
# normalize runs the line through Sagan's log normalization.
# NOTE(review): program:UMBRELLA* (upper case) here vs program:umbrella* in
# the DNS rules above -- confirm Sagan's program matching is case-insensitive,
# otherwise only one of the two spellings will match a given log source.
#MONITOR - presumably the DLP policy action was monitor-only (logged, not
# blocked); see the dlp-log-formats reference.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity INFO"; program:UMBRELLA*; content:",|22|INFO|22|,"; content:",|22|MONITOR|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015162; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity LOW"; program:UMBRELLA*; content:",|22|LOW|22|,"; content:",|22|MONITOR|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015163; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity WARNING"; program:UMBRELLA*; content:",|22|WARNING|22|,"; content:",|22|MONITOR|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015164; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity MEDIUM"; program:UMBRELLA*; content:",|22|MEDIUM|22|,"; content:",|22|MONITOR|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015165; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity HIGH"; program:UMBRELLA*; content:",|22|HIGH|22|,"; content:",|22|MONITOR|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015166; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity CRITICAL"; program:UMBRELLA*; content:",|22|CRITICAL|22|,"; content:",|22|MONITOR|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015167; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity ALERT"; program:UMBRELLA*; content:",|22|ALERT|22|,"; content:",|22|MONITOR|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015168; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)
#BLOCKED - same severity ladder as the MONITOR rules above, but the DLP
# action field must be BLOCK (",|22|BLOCK|22|,"); the msg carries a
# "(Blocked)" suffix so the two sets are distinguishable in alert output.
# Identical sid-per-severity layout: 5015169..5015175 map to INFO, LOW,
# WARNING, MEDIUM, HIGH, CRITICAL, ALERT in that order.
# These share classtype:system-event with the MONITOR rules; a blocked
# transfer is presumably lower urgency than a monitored (i.e. allowed) one
# of the same severity -- tune classtype locally if that matters for triage.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity INFO (Blocked)"; program:UMBRELLA*; content:",|22|INFO|22|,"; content:",|22|BLOCK|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015169; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity LOW (Blocked)"; program:UMBRELLA*; content:",|22|LOW|22|,"; content:",|22|BLOCK|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015170; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity WARNING (Blocked)"; program:UMBRELLA*; content:",|22|WARNING|22|,"; content:",|22|BLOCK|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015171; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity MEDIUM (Blocked)"; program:UMBRELLA*; content:",|22|MEDIUM|22|,"; content:",|22|BLOCK|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015172; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity HIGH (Blocked)"; program:UMBRELLA*; content:",|22|HIGH|22|,"; content:",|22|BLOCK|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015173; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity CRITICAL (Blocked)"; program:UMBRELLA*; content:",|22|CRITICAL|22|,"; content:",|22|BLOCK|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015174; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-UMBRELLA] DLP Log Detected - Severity ALERT (Blocked)"; program:UMBRELLA*; content:",|22|ALERT|22|,"; content:",|22|BLOCK|22|,"; parse_src_ip:1; normalize; reference:url,https://docs.umbrella.com/umbrella-user-guide/docs/dlp-log-formats; classtype:system-event; sid:5015175; rev:1; metadata:created_at 2024_01_20, updated_at 2024_01_20;)