ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M2
for the records, this IPS’ rule ID is 2029708, and its raw content can be accessed here.
It seems to trigger in case the SNI field of a TLS connection contains “corona” and is not related to those FQDNs, which seem to be legitimate sites containing COVID-19 information:
*.jhu.edu
*.ncsc.gov.ie
*.nhs.wales
*.govt.nz
*.nhp.gov.in
*.oracle.com (interesting to see)
*.cdc.gov
In case your user does not use IPFire’s web proxy (and you turned on logging requests), you probably need to sniff for DNS lookups (IPFire does not log DNS requests for privacy reasons) or TLS traffic containing this pattern by yourself.
If those IPS alerts appear at distinct times, you could also check which clients were active at that time, and in case it was only one, it’s user probably caused that alert.