US11811809B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11811809-B2 |
| Application number | US-202117383784-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 23, 2021 |
| Priority date | Dec 23, 2015 |
| Publication date | Nov 7, 2023 |
| Grant date | Nov 7, 2023 |
Abstract
A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.
Claims (preview)
What is claimed is:

1. A packet-filtering system comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: generate, based on a plurality of network-threat indicators, one or more packet-filtering rules, wherein the one or more packet-filtering rules comprise a first packet-filtering rule configured to identify packets comprising data corresponding to a first network-threat indicator of the plurality of network-threat indicators, and wherein the first network-threat indicator comprises domain name criteria that is associated with a potential network threat; receive a plurality of first packets comprising unencrypted data; determine, based on determining that a domain name in the unencrypted data matches the domain name criteria of the first packet-filtering rule, that the at least a portion of the plurality of first packets are associated with the potential network threat corresponding to the first packet-filtering rule; generate, based on the determining that the at least a portion of the plurality of first packets are associated with the potential network threat corresponding to the first packet-filtering rule, log data comprising: an indication of an action corresponding to the first packet-filtering rule; and an Internet Protocol (IP) address corresponding to the domain name; receive, after the receiving the plurality of first packets and as part of an encrypted communication session, one or more second packets comprising: encrypted data, and respective packet headers comprising second unencrypted data; determine, without decrypting the one or more second packets, whether the one or more second packets are associated with the potential network threat by correlating the one or more second packets and the plurality of first packets based on determining that the second unencrypted data of the respective packet headers of the one or more second packets comprises the logged IP address corresponding to the domain name; and filter, based on a determination that the one or more second packets are associated with the potential network threat, the one or more second packets comprising the encrypted data by applying the action corresponding to the first packet-filtering rule.

2. The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to: identify the IP address associated with the domain name using a Domain Name System (DNS) query.

3. The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more second packets and the plurality of first packets based on comparing one or more first timestamps corresponding to the plurality of first packets with one or more second timestamps corresponding to the one or more second packets.

4. The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more second packets and the plurality of first packets based on state information in the unencrypted data.

5. The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more second packets and the plurality of first packets based on comparing first application-layer information corresponding to the plurality of first packets with second application-layer information corresponding to the one or more second packets.

6. The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the one or more second packets by causing the packet-filtering system to: generate a new rule by correlating at least two log entries in the log data, wherein the new rule causes the one or more second packets to be dropped.

7. The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to: send at least a portion of the filtered one or more second packets to a proxy configured to apply the action corresponding to the first packet-filtering rule to the at least a portion of the filtered one or more second packets.

8. The packet-filtering system of claim 7, wherein the proxy is configured to prevent further transmission of the filtered one or more second packets.

9. The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to receive the plurality of network-threat indicators by causing the packet-filtering system to: receive, from a plurality of different third-party network threat-intelligence providers located external to a network comprising the packet-filtering system, the plurality of network-threat indicators, wherein each of the plurality of different third-party network threat-intelligence providers provides at least a portion of the plurality of network-threat indicators, and wherein the plurality of network-threat indicators comprises the domain name.

10. The packet-filtering system of claim 1, wherein the plurality of first packets comprise at least a portion of a Domain Name System (DNS) query.

11. The packet-filtering system of claim 1, wherein the plurality of first packets comprise at least a portion of a Transport Layer Security (TLS) handshake.

12. A method comprising: generating, based on a plurality of network-threat indicators, one or more packet-filtering rules, wherein the one or more packet-filtering rules comprise a first packet-filtering rule configured to identify packets comprising data corresponding to a first network-threat indicator of the plurality of network-threat indicators, and wherein the first network-threat indicator comprises domain name criteria that is associated with a potential network threat; receiving a plurality of first packets comprising unencrypted data; determining, based on determining that a domain name in the unencrypted data matches the domain name criteria of the first packet-filtering rule, that the at least a portion of the plurality of first packets are associated with the potential network threat corresponding to the first packet-filtering rule; generating, by a packet-filtering system and based on the determining that the at least a portion of the plurality of first packets are associated with the potential network threat corresponding to the first packet-filtering rule, log data comprising: an indication of an action corresponding to the first packet-filtering rule; and an Internet Protocol (IP) address corresponding to the domain name; receiving, by the packet-filtering system and after the receiving the plurality of first packets and as part of an encrypted communication session, one or more second packets comprising: encrypted data, and respective packet headers comprising second unencrypted data; determining, by the packet-filtering system and without decrypting the one or more second packets, whether the one or more second packets are associated with the potential network threat by correlating the one or more second packets and the plurality of first packets based on determining that the second unencrypted data of the respective packet headers of the one or more second packets comprises the logged IP address corresponding to the domain name; and filtering, by the packet-filtering system and based on a determination that the one or more second packets are ass
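The mechanism the abstract and claims 1 through 6, 10 and 11 describe can be shown as a small simulation: domain-name indicators become rules, cleartext first packets (a DNS response or a TLS ClientHello carrying an SNI) that match a rule are logged together with the action and the IP address associated with the domain, and later encrypted packets are correlated purely on their header IP and timestamp, so the filter never needs to decrypt anything. The code below is an added illustration written for this page; it is not code from the patent or from its assignee, and the packet model, indicator list, correlation window and the documentation-range IP addresses are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    """Minimal packet model (constructed for this example)."""
    ts: float                      # arrival time in seconds
    src_ip: str
    dst_ip: str
    kind: str                      # "dns_response" | "tls_client_hello" | "encrypted"
    domain: Optional[str] = None   # DNS answer name or TLS SNI (cleartext fields)
    resolved_ips: tuple = ()       # A records carried by a DNS response


@dataclass
class LogEntry:
    """Log data of claim 1: the matching indicator, the rule's action, the IP."""
    ts: float
    indicator: str
    action: str
    ip: str


class PacketFilter:
    """Two-stage filter: match cleartext packets on domain indicators, then
    correlate encrypted packets by logged IP within a time window (claim 3)."""

    def __init__(self, indicators, window=300.0):
        # indicators: dict domain -> action; a stand-in for threat-intel feeds
        self.rules = dict(indicators)
        self.window = window
        self.log = []

    def _matching_rule(self, domain):
        # exact match or any subdomain of the indicator
        if not domain:
            return None
        d = domain.lower().rstrip(".")
        for indicator, action in self.rules.items():
            if d == indicator or d.endswith("." + indicator):
                return indicator, action
        return None

    def _log_ips(self, pkt, indicator, action, ips):
        for ip in ips:
            self.log.append(LogEntry(pkt.ts, indicator, action, ip))

    def _correlate(self, pkt):
        # header-only correlation: logged IP appears as src or dst, and the
        # encrypted packet arrived no later than `window` seconds after the log entry
        for entry in self.log:
            if entry.ip in (pkt.src_ip, pkt.dst_ip) and 0 <= pkt.ts - entry.ts <= self.window:
                return entry
        return None

    def process(self, pkt):
        """Return (verdict, indicator). Verdict is the rule action or "allow"."""
        if pkt.kind == "dns_response":
            m = self._matching_rule(pkt.domain)
            if m:
                self._log_ips(pkt, m[0], m[1], pkt.resolved_ips)   # claims 2 and 10
                return m[1], m[0]
        elif pkt.kind == "tls_client_hello":
            m = self._matching_rule(pkt.domain)
            if m:
                self._log_ips(pkt, m[0], m[1], (pkt.dst_ip,))      # claim 11
                return m[1], m[0]
        elif pkt.kind == "encrypted":
            entry = self._correlate(pkt)                           # no decryption
            if entry:
                return entry.action, entry.indicator
        return "allow", None

    def derive_ip_rules(self):
        """Claim-6 style: collapse log entries into new IP-keyed rules."""
        return {e.ip: e.action for e in self.log}


# Constructed indicators and traffic; IPs are from documentation ranges.
INDICATORS = {"bad.example": "block", "evil.example": "monitor"}
SAMPLE_PACKETS = [
    Packet(10.0, "10.0.0.53", "10.0.0.5", "dns_response", "c2.bad.example", ("203.0.113.7",)),
    Packet(15.0, "10.0.0.5", "203.0.113.7", "encrypted"),          # correlated by dst IP
    Packet(16.0, "10.0.0.5", "198.51.100.9", "encrypted"),         # unrelated flow
    Packet(20.0, "10.0.0.6", "192.0.2.44", "tls_client_hello", "login.evil.example"),
    Packet(21.0, "192.0.2.44", "10.0.0.6", "encrypted"),           # correlated by src IP
    Packet(9000.0, "10.0.0.5", "203.0.113.7", "encrypted"),        # outside the window
]


def run_demo(packets=SAMPLE_PACKETS, indicators=INDICATORS):
    """Run the sample traffic through a fresh filter; return verdicts and the filter."""
    pf = PacketFilter(indicators)
    return [pf.process(p) for p in packets], pf


if __name__ == "__main__":
    verdicts, pf = run_demo()
    for p, v in zip(SAMPLE_PACKETS, verdicts):
        print(f"{p.ts:>7} {p.kind:<17} {p.src_ip:>13} -> {p.dst_ip:<13} {v}")
    print("derived IP rules:", pf.derive_ip_rules())
```

The window check is what keeps stale log entries from tainting later, unrelated sessions to a re-used address; the trade-off, as the last sample packet shows, is that a connection opened long after the DNS lookup is not caught by this correlation alone and would need a longer window, a cache-TTL-based bound, or one of the other correlation keys the claims mention (connection state, application-layer information).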
CPC classifications:
- Traffic logging, e.g. anomaly detection
- using domain name system [DNS]
- Filtering policies (mail message filtering H04L51/212)
- Rule management
- Proxies