alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host|3a| "; http_header; content:".ru|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*?[0-9]{2,30}\x2Eru\x0d\x0a/Hi"; classtype:misc-activity; sid:2012649; rev:3;)

Added 2012-08-01 20:16:42 UTC

This alerts on a Russian website - 101.ru - which is in Russia's Top 1000 sites on Alexa - http://www.alexa.com/siteinfo/101.ru

-- RyPeck - 2014-04-02

It seems that there are false positives for domains:

I) 101.ru - it's a Russian online radio station, Google knows about it, no malicious behaviour is noticed with VirusTotal.

II) 9366858.ru - it's an online shop of Chinese auto parts in Russia; the number 9366858 is part of their mobile phone number. One of their mobile phone contacts: (812) 936-68-58, and email box 9219366858@mail.ru (here is a link to the contact page on their web-site: http://9366858.ru/kontakty-nashih-magazinov). VirusTotal and other web-site trust checking sites don't show any malicious behaviour on this site.

-- VadymChakrian - 2017-06-26
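As an added illustration (not part of this ET page or the rule set), the following Python approximates the matching logic of sid 2012649 and runs it against constructed request headers, including the two false-positive hosts reported in the comments above. The request builder, the simplified `within:25` handling and the sample hosts are assumptions; both the rev:2 and rev:3 expressions are included so the match results can be compared.

```python
import re

# pcre from rev:2 (greedy [^a-z]*) and rev:3 (lazy [^a-z]*?) of sid 2012649.
# Snort's /i flag maps to re.I; the /H (normalized HTTP header) buffer is
# emulated by passing only the request header block to the matcher.
PCRE_REV2 = re.compile(rb"Host\x3A\x20[^a-z]*[0-9]{2,30}\x2Eru\x0d\x0a", re.I)
PCRE_REV3 = re.compile(rb"Host\x3A\x20[^a-z]*?[0-9]{2,30}\x2Eru\x0d\x0a", re.I)


def rule_matches(headers: bytes, pcre=PCRE_REV3) -> bool:
    """Return True if the header block would fire the rule (approximation).

    Mirrors the rule's checks in order:
      content:"Host|3a| "             -> literal "Host: " present
      content:".ru|0d 0a|"; within:25  -> ".ru\\r\\n" must end within 25 bytes
                                          after the end of the "Host: " match
      pcre:/Host\\x3A\\x20[^a-z]*?[0-9]{2,30}\\x2Eru\\x0d\\x0a/Hi
                                       -> no letters between "Host: " and the
                                          digit run that precedes ".ru"
    """
    anchor = headers.find(b"Host: ")
    if anchor == -1:
        return False
    cursor = anchor + len(b"Host: ")
    if b".ru\r\n" not in headers[cursor:cursor + 25]:   # within:25 window
        return False
    return pcre.search(headers) is not None


def build_request(host: bytes) -> bytes:
    """Constructed minimal HTTP/1.1 request header block for a Host value."""
    return (b"GET / HTTP/1.1\r\n"
            b"Host: " + host + b"\r\n"
            b"User-Agent: constructed-sample/1.0\r\n"
            b"Connection: close\r\n\r\n")


# Constructed sample hosts with the expected verdict of the rule.
SAMPLES = {
    b"101.ru": True,        # benign radio station reported above: false positive
    b"9366858.ru": True,    # benign auto-parts shop reported above: false positive
    b"www.101.ru": False,   # a letter before the digit run blocks the pcre
    b"mail.ru": False,      # no digit run immediately before .ru
    b"1.ru": False,         # [0-9]{2,30} needs at least two digits
    b"123.ru:8080": False,  # explicit port breaks the ".ru\r\n" adjacency
    b"123.com": False,      # wrong TLD, ".ru\r\n" content never matches
}


def evaluate(pcre=PCRE_REV3) -> dict:
    """Run the rule approximation over every sample host."""
    return {host: rule_matches(build_request(host), pcre) for host in SAMPLES}
```

Running `evaluate()` and `evaluate(PCRE_REV2)` against these samples gives the same verdicts, which is consistent with the rev:3 change being a quantifier tweak rather than a change in which hosts are flagged.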


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host|3a| "; http_header; content:".ru|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*[0-9]{2,30}\x2Eru\x0d\x0a/Hi"; classtype:misc-activity; sid:2012649; rev:2;)

Added 2011-10-12 19:34:52 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host|3a| "; http_header; content:".ru|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*[0-9]{2,30}\x2Eru\x0d\x0a/Hi"; classtype:misc-activity; sid:2012649; rev:2;)

Added 2011-07-07 22:33:28 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host|3a| "; http_header; content:".ru|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*[0-9]{2,30}\x2Eru\x0d\x0a/Hi"; classtype:misc-activity; sid:2012649; rev:2;)

Added 2011-07-07 21:26:59 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host|3a| "; http_header; content:".ru|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/[0-9]{2,30}\.cn\x0d\x0a/i"; classtype:misc-activity; sid:2012649; rev:1;)

Added 2011-04-08 18:04:15 UTC


Topic revision: r3 - 2017-06-26 - VadymChakrian
Copyright © Emerging Threats