suricata/rules: better CINI flag rules
aiooss-anssi committed Sep 6, 2024
1 parent 82a4f64 commit 0a547c7
Showing 1 changed file with 5 additions and 5 deletions.
10 changes: 5 additions & 5 deletions suricata/rules/suricata.rules
Expand Up @@ -9,12 +9,12 @@
# As PCRE is slow, please use a content filter before.
# Please test your regex at https://regex101.com/ using "PCRE2" mode.
# Some rules match also in 'file.data' in case of compressed payload.
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client"; flow:to_client; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; content:!"AAAAA="; distance: -6; metadata: tag FLAG OUT, color danger; sid: 1;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client"; flow:to_client; file.data; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; content:!"AAAAA="; distance: -6; metadata: tag FLAG OUT, color danger; sid: 2;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (hex)"; flow:to_client; content: "3d"; pcre: "/((?:[345][0-9a-f]){31}3d)/, flow:match"; distance: -64; metadata: tag FLAG OUT HEX, color danger; sid: 3;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (hex)"; flow:to_client; content: "3D"; pcre: "/((?:[345][0-9a-f]){31}3d)/, flow:match"; distance: -64; metadata: tag FLAG OUT HEX, color danger; sid: 4;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client"; flow:to_client; content: "="; pcre: "/(\d[A-Z0-9][0-2][A-Z0-9]{28}=)/, flow:match"; distance: -32; content:!"AAAAA="; distance: -6; metadata: tag FLAG OUT, color danger; sid: 1;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client"; flow:to_client; file.data; content: "="; pcre: "/(\d[A-Z0-9][0-2][A-Z0-9]{28}=)/, flow:match"; distance: -32; content:!"AAAAA="; distance: -6; metadata: tag FLAG OUT, color danger; sid: 2;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (hex)"; flow:to_client; content: "3d"; pcre: "/(3[0-9][345][0-9a-f]3[0-2](?:[345][0-9a-f]){28}3d)/, flow:match"; distance: -64; metadata: tag FLAG OUT HEX, color danger; sid: 3;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (hex)"; flow:to_client; content: "3D"; pcre: "/(3[0-9][345][0-9A-F]3[0-2](?:[345][0-9A-F]){28}3D)/, flow:match"; distance: -64; metadata: tag FLAG OUT HEX, color danger; sid: 4;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (base64)"; flow:to_client; content: "0="; pcre: "/((?:[MNOQ-W][DEFjkl01TUVz][014589ABEFIJMNQRUVYZcdghklopstwx][0-5B-Zawxyz]){10}[MNOQ-W][jDzT]0=)/, flow:match"; distance: -44; metadata: tag FLAG OUT B64, color danger; sid: 5;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was placed in our services (probably by checkers)"; flow:to_server; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; content:!"AAAAA="; distance: -6; metadata: tag FLAG IN, color success; sid: 6;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was placed in our services (probably by checkers)"; flow:to_server; content: "="; pcre: "/(\d[A-Z0-9][0-2][A-Z0-9]{28}=)/, flow:match"; distance: -32; content:!"AAAAA="; distance: -6; metadata: tag FLAG IN, color success; sid: 6;)
alert ip any any -> any any (msg: "A ECSC flag was sent to client"; flow:to_client; content: "ECSC_"; pcre: "/(ECSC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -5; metadata: tag FLAG OUT, color danger; sid: 11;)
alert ip any any -> any any (msg: "A ECSC flag was sent to client"; flow:to_client; file.data; content: "ECSC_"; pcre: "/(ECSC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -5; metadata: tag FLAG OUT, color danger; sid: 12;)
alert ip any any -> any any (msg: "A ECSC flag was sent to client (base64)"; flow:to_client; content: "RUNTQ1"; pcre: "/(RUNTQ1[A-Za-z0-9\/+]{44}==)/, flow:match"; distance: -6; metadata: tag FLAG OUT B64, color danger; sid: 13;)
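Review bot: The hex variants (sid 3 and sid 4) are looser than the plaintext rule they mirror: `[345][0-9a-f]` accepts bytes 0x3A–0x40 and 0x5B–0x5F (`:;<=>?@[\]^_`), which `[A-Z0-9]` in sid 1 does not, so a hex-dumped payload containing those characters at flag-shaped offsets still raises the alert. Restricting the class to exactly 0x30–0x39 and 0x41–0x5A keeps the two rule families consistent and trims false positives: in sid 3 replace each `[345][0-9a-f]` with `(?:3[0-9]|4[1-9a-f]|5[0-9a])`, and in sid 4 with `(?:3[0-9]|4[1-9A-F]|5[0-9A])`. The base64 rule (sid 5) still encodes the old `[A-Z0-9]{31}=` shape and was not tightened to the new `\d[A-Z0-9][0-2]` prefix; if that is deliberate, a one-line comment next to sid 5 saying so would save the next reader from re-deriving it. Every rule also still relies on a single-byte `content` prefilter (`=`, `3d`, `3D`), so per the header comment on PCRE cost the regex runs on almost every packet; the tighter pattern does not change that, and there is no fixed substring in the new format that could replace it.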
