US11824879B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11824879-B2 |
| Application number | US-202117482894-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 23, 2021 |
| Priority date | Dec 23, 2015 |
| Publication date | Nov 21, 2023 |
| Grant date | Nov 21, 2023 |
Official abstract text for this publication.
A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.
Opening claim text (preview).
What is claimed is:

1. A packet-filtering system comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: receive, from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, a plurality of network-threat indicators previously determined, by at least one of the plurality of third-party network threat intelligence providers, to be associated with one or more network threats, wherein each third-party network intelligence provider of the plurality of third-party threat intelligence providers provides one or more of the plurality of network-threat indicators; receive one or more unencrypted packets; analyze first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Domain Name System (DNS) query, and wherein the at least a portion of the DNS query comprises a domain name; determine that at least a portion of the one or more unencrypted packets corresponds to a first network-threat indicator of the plurality of network-threat indicators by comparing the domain name of the first unencrypted data to the first network-threat indicator, wherein the first network-threat indicator comprises domain name matching criteria associated with a potential network threat; generate, in response to the determination that the at least a portion of the one or more unencrypted packets corresponds to the first network-threat indicator, log data indicating: an indication of the first network-threat indicator; and a second Internet Protocol (IP) address corresponding to the domain name; receive, after receiving the one or more unencrypted packets, one or more encrypted packets; determine, without decrypting the one or more encrypted packets, that the one or more encrypted packets correspond to the potential network threat associated with the first network-threat indicator based on: correlating, based on the log data, at least one of the one or more encrypted packets with the one or more unencrypted packets based on determining that an IP address, in a header of the at least one of the one or more encrypted packets, matches the second IP address in the log data; and the determining that at least the portion of the one or more unencrypted packets corresponds to the first network-threat indicator; filter the one or more encrypted packets based on: the determining that the one or more encrypted packets correspond to the potential network threat; determine, based on the logged indication of the first network-threat indicator, an action corresponding to the first network-threat indicator; and send at least a portion of the filtered one or more encrypted packets to a proxy configured to apply the determined action corresponding to the first network-threat indicator to the at least a portion of the filtered one or more encrypted packets.

2. The packet-filtering system of claim 1, wherein the DNS query comprises one or more of: a DNS query request, or a DNS query reply.

3. The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to: determine, based on the domain name in the DNS query, the IP address.

4. The packet-filtering system of claim 1, wherein correlating the at least one of the one or more encrypted packets with the one or more unencrypted packets is further based on a time stamp entry associated with the first unencrypted data.

5. The packet-filtering system of claim 1, wherein correlating the at least one of the one or more encrypted packets with the one or more unencrypted packets is further based on: a first time stamp associated with the one or more encrypted packets, and a second time stamp associated with the first unencrypted data.

6. The packet-filtering system of claim 1, wherein correlating the at least one of the one or more encrypted packets with the one or more unencrypted packets is further based on a port number associated with the first unencrypted data.

7. The packet-filtering system of claim 1, wherein the proxy is configured to prevent further transmission of the one or more encrypted packets based on a rule associated with the first network-threat indicator.

8. The packet-filtering system of claim 1, wherein the at least a portion of the DNS query comprises the IP address.

9. The packet-filtering system of claim 1, wherein the action comprises decrypting, by the proxy, the at least the portion of the filtered one or more encrypted packets.

10. The packet-filtering system of claim 1, wherein the action comprises dropping, by the proxy, the at least the portion of the filtered one or more encrypted packets.

11. A packet-filtering system comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: receive, from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, a plurality of network-threat indicators previously determined, by at least one of the plurality of third-party network threat intelligence providers, to be associated with one or more network threats, wherein each third-party network intelligence provider of the plurality of third-party threat intelligence providers provides one or more of the plurality of network-threat indicators; receive one or more unencrypted packets; analyze first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data comprises a domain name; identify an Internet Protocol (IP) address corresponding to the domain name; determine that at least a portion of the one or more unencrypted packets corresponds to a first network-threat indicator of the plurality of network-threat indicators by comparing the domain name of the first unencrypted data to the first network-threat indicator, wherein the first network-threat indicator comprises domain name matching criteria associated with a potential network threat; generate, in response to the determination that the at least a portion of the one or more unencrypted packets corresponds to the first network-threat indicator, log data indicating: an indication of the first network-threat indicator; and the IP address corresponding to the domain name; receive, after receiving the one or more unencrypted packets, one or more encrypted packets; determine, without decrypting the one or more encrypted packets, that the one or more encrypted packets correspond to the potential network threat associated with the first network-threat indicator based on: correlating, based on the log data, at least one of the one or more encrypted packets with the one or more unencrypted packets based on comparing a second IP address, in a header of the at least one of the one or more encrypted packets, with the logged IP address corresponding to the domain name; and the determining that at least the portion of the one or more unencrypted packets corresponds to the first network-threat indicator; filter the one or more encrypted packets based on: the determining that the one or more encrypted packets correspond to the potential network threat; determine, based on the logged indication of the first network-threat indicator, an action corresponding to the first network-threat indicator; and send at least a portion of the filtered one or more encrypted packets to a proxy configured to apply the determined action corresponding to the first network-threat in
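The mechanism the claims describe, modelled as an added Python example (not code from the patent or its assignee): unencrypted DNS replies are compared against domain matching criteria, a hit logs the indicator and the resolved IP, and later encrypted packets are attributed to the threat by header IP within a time window (claims 1, 4 and 5) without decryption, yielding the action a proxy would apply. The `Indicator`, `LogEntry` and `Correlator` names, the 300-second window and all packets are constructed for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Added illustration, not the patent's own code: DNS hits against threat
# indicators are logged, then encrypted packets are correlated by IP alone.

@dataclass
class Indicator:
    pattern: str   # domain matching criterion, e.g. "*.evil-cdn.example"
    action: str    # action the proxy applies, e.g. "drop" or "decrypt"

@dataclass
class LogEntry:
    indicator: Indicator
    ip: str        # resolved address taken from the unencrypted DNS reply
    ts: float      # time of the DNS hit, bounds the correlation window

@dataclass
class Correlator:
    indicators: list
    window: float = 300.0             # seconds a DNS hit stays correlatable
    log: list = field(default_factory=list)

    def on_dns_reply(self, domain, ip, ts):
        """Unencrypted path: compare the resolved name to each indicator."""
        name = domain.rstrip(".").lower()
        for ind in self.indicators:
            # wildcard match, plus the apex itself for "*.zone" patterns
            if fnmatch(name, ind.pattern) or name == ind.pattern.lstrip("*."):
                self.log.append(LogEntry(ind, ip, ts))
                return ind
        return None

    def on_encrypted_packet(self, dst_ip, ts):
        """Encrypted path: correlate on header IP and time, never payload.
        The window limits false positives from shared or reused addresses."""
        for entry in reversed(self.log):
            if entry.ip == dst_ip and 0.0 <= ts - entry.ts <= self.window:
                return entry.indicator.action   # handed to the proxy
        return None

def demo():
    c = Correlator([Indicator("*.evil-cdn.example", "drop"),
                    Indicator("tracker.example", "decrypt")])
    # constructed traffic: DNS replies first, TLS connections afterwards
    c.on_dns_reply("cdn7.evil-cdn.example.", "198.51.100.7", ts=100.0)
    c.on_dns_reply("www.example.org", "203.0.113.5", ts=101.0)
    return {"tls_to_flagged": c.on_encrypted_packet("198.51.100.7", 130.0),
            "tls_to_clean": c.on_encrypted_packet("203.0.113.5", 131.0),
            "tls_stale": c.on_encrypted_packet("198.51.100.7", 9999.0)}
```

The stale case shows why the claims' time-stamp refinement matters in practice: an address resolved for a flagged name minutes earlier may belong to many tenants, so a bare IP match without a window over-attributes traffic.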
CPC titles:

- Traffic logging, e.g. anomaly detection
- using domain name system [DNS]
- Filtering policies (mail message filtering H04L51/212)
- Rule management
- Proxies