Last 50 Rule Changes

Results from Main web retrieved at 22:00 (GMT)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zebrocy Backdoor CnC Activity"; flow:to_server,established; content:"POST"; http_method; content:".php ...
alert tcp $EXTERNAL_NET $SSH_PORTS -> any any (msg:"ET POLICY Potentially Vulnerable LibSSH Server Observed Possible Authentication Bypass (CVE-2018-10933)"; flow ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS Stage 2 CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"LuaSocket ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Windows XP)"; flow:to_server,established; content:"Windows XP"; depth:10 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Windows 7)"; flow:to_server,established; content:"Windows 7"; depth:9; http ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/BlackCarat Response from CnC"; flow:established,from_server; dsize:13; content:"|72 50 bf 9e|"; ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin"; flow:established,to_server; dsize: 800; content:"|77 77|" ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Windows 8)"; flow:to_server,established; content:"Windows 8"; depth:9; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Windows 10)"; flow:to_server,established; content:"Windows 10"; depth:10 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) 2018-10-18"; flow:established,to_server; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Attempt (.live)"; flow:established,to_server; content:"GET"; http_method; urilen ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Redirect to Download EXE from Bitbucket"; flow:established,to_client; content:"302"; http_stat ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish Generic Credential POST to Ngrok.io"; flow:established,to_server ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Observed GandCrab Payment Domain (gandcrab in DNS Lookup)"; dns_query; content:"gandcrab"; depth:8; nocase; pcre ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Locky CnC Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/imageload ...
#alert tcp any any -> any any (msg:"ET TROJAN NCSC APT28 CompuTrace Beacon UserAgent"; flow:established; content:"|0d0a|TagId|3a|"; fast_pattern; content:"POST / ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PTsecurity Remcos RAT Checkin 73"; flow:established,to_server; content:"|2e 11 6e fe 1c 00 92 21 3c ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PTsecurity Remcos RAT Checkin 72"; flow:established,to_server; content:"|eb e7 a2 ec 6e 3e cc a8 34 ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 68"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:21 UTC)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PTsecurity Remcos RAT Checkin 70"; flow:established,to_server; content:"|35 cd 13 07 49 3a 45 81 02 ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 58"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:21 UTC)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 67"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:21 UTC)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 60"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:21 UTC)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PTsecurity Remcos RAT Checkin 71"; flow:established,to_server; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 66"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:21 UTC)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PTsecurity Remcos RAT Checkin 69"; flow:established,to_server; content:"|e3 34 a1 ef b4 32 58 d0 f0 ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 59"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:21 UTC)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 62"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:21 UTC)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 61"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:21 UTC)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 65"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:21 UTC)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 64"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:21 UTC)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 63"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:21 UTC)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 54"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:20 UTC)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 56"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:20 UTC)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) 2018-10-16"; flow:established,to_server; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) 2018-10-16"; flow:established,to_server; content:"POST"; http ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 57"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:20 UTC)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 55"; flow:established,to_server; dsize: ... (Added 2018-10-16 18:06:20 UTC)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Fake 404 Response"; flow:established,to_client; content:"200"; http_stat_code; flowbits ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Attempt (.online)"; flow:established,to_server; content:"GET"; http_method; urilen ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Attempt (.club)"; flow:established,to_server; content:"GET"; http_method; urilen ...
alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in DNS Lookup)"; dns_query; content:"christopher.fun"; isdataat:1,relative ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in TLS SNI)"; flow:established,to_server; tls_sni; content ...
alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in DNS Lookup)"; dns_query; content:"pml-help.site"; isdataat:1,relative ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in TLS SNI)"; flow:established,to_server; tls_sni; content:"pml ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Edge Remote Command Execution PoC (CVE-2018-8495)"; flow:established,to_client ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in TLS SNI)"; flow:established,to_server; tls_sni; content ...
alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in DNS Lookup)"; dns_query; content:"mail-goog1e.com"; isdataat:1,relative ...
alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (chat-often .com in DNS Lookup)"; dns_query; content:"chat-often.com"; isdataat:1,relative ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harvey-ross .info in TLS SNI)"; flow:established,to_server; tls_sni; content ...
Number of topics: 50
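The entries above are Suricata rules: an action/protocol/address header followed by a parenthesised option list, cut off here after the first few options. As an added example that is not part of the Emerging Threats ruleset or of this page, the Python below parses a rule line into its header and ordered options and then applies the payload keywords the listed rules lean on (dsize, isdataat, and content with offset/depth/nocase) to a buffer. The three rules and the buffers are constructed for the example and only modelled on shapes in the list; their sids and msg strings are invented. Buffer selectors such as dns_query, tls_sni and http_method, and flow, are parsed but not enforced, so the caller must pass the buffer the rule is meant to inspect (a DNS query name, a TLS SNI, a raw TCP payload). Disabled (#-prefixed) rules are still parsed and evaluated; the flag is reported on the parsed rule.

```python
"""Parse Suricata-style rule lines and evaluate their payload keywords.
Added example, not Emerging Threats code; the caller passes the buffer the rule inspects."""
import re
from collections import namedtuple

HEADER_RE = re.compile(
    r'^\s*(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)'
    r'\s*\((?P<opts>.*)\)\s*$')
# one option token: runs of non-';' chars, escaped chars, or whole double-quoted strings
OPT_RE = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')
CONTENT_MODS = {'offset', 'depth', 'nocase', 'fast_pattern'}  # bind to the preceding content
Rule = namedtuple('Rule', 'disabled action proto src sport direction dst dport options')


def split_options(body):
    """'k:v; k; ...' -> [(k, v or None), ...], splitting only on ';' outside quotes."""
    pairs = []
    for tok in (t.strip() for t in OPT_RE.findall(body)):
        if tok:
            key, sep, val = tok.partition(':')
            pairs.append((key.strip(), val.strip() if sep else None))
    return pairs


def parse_rule(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a rule line: %r' % line)
    return Rule(bool(m['disabled']), m['action'], m['proto'], m['src'], m['sport'],
                m['dir'], m['dst'], m['dport'], split_options(m['opts']))


def decode_content(value):
    """'"ab|0d 0a|c"' -> b'ab\\r\\nc': |..| holds hex bytes; \\" \\; \\: \\\\ are unescaped."""
    out = bytearray()
    for i, part in enumerate(value.strip()[1:-1].split('|')):
        out += bytes.fromhex(part) if i % 2 else re.sub(r'\\(.)', r'\1', part).encode('latin-1')
    return bytes(out)


def dsize_ok(spec, n):
    spec = spec.replace(' ', '')   # forms handled here: N, >N, <N
    if spec[0] in '<>':
        return n > int(spec[1:]) if spec[0] == '>' else n < int(spec[1:])
    return n == int(spec)


def payload_matches(rule, payload):
    """Apply dsize, isdataat and content (+offset/depth/nocase) in rule order to one buffer."""
    opts, i, last_end = rule.options, 0, 0
    while i < len(opts):
        key, val = opts[i]
        i += 1
        if key == 'dsize' and not dsize_ok(val, len(payload)):
            return False
        elif key == 'isdataat':
            spec = val.replace(' ', '')
            negate, parts = spec.startswith('!'), spec.lstrip('!').split(',')
            base = last_end if 'relative' in parts[1:] else 0   # count from last match end?
            if (len(payload) - base >= int(parts[0])) == negate:
                return False
        elif key == 'content':
            mods = {}
            while i < len(opts) and opts[i][0] in CONTENT_MODS:
                mods[opts[i][0]] = opts[i][1]
                i += 1
            negate, needle, hay = val.startswith('!'), decode_content(val.lstrip('!')), payload
            if 'nocase' in mods:
                hay, needle = hay.lower(), needle.lower()
            start = int(mods.get('offset', 0))
            end = min(len(hay), start + int(mods['depth'])) if 'depth' in mods else len(hay)
            idx = hay.find(needle, start, end)   # whole needle must lie inside [start, end)
            if (idx != -1) == negate:
                return False
            if idx != -1:
                last_end = idx + len(needle)
    return True


# Constructed sample rules modelled on the shapes in the list above (not ET signatures),
# and constructed buffers for them: a DNS query name, raw TCP payloads, HTTP requests.
SAMPLE_RULES = [
    'alert dns $HOME_NET any -> any any (msg:"TEST payment domain in DNS lookup"; dns_query; '
    'content:"gandcrab"; depth:8; nocase; isdataat:1,relative; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST 13-byte CnC response"; flow:established,from_server; '
    'dsize:13; content:"|72 50 bf 9e|"; offset:0; depth:4; sid:9000002; rev:1;)',
    '#alert tcp any any -> any any (msg:"TEST disabled beacon header"; flow:established; '
    'content:"|0d0a|TagId|3a|"; fast_pattern; content:"POST /"; sid:9000003; rev:1;)',
]
SAMPLE_BUFFERS = {
    9000001: [b'GandCrab.bit', b'www.gandcrab.bit', b'gandcrab'],
    9000002: [bytes.fromhex('7250bf9e') + b'\x00' * 9, bytes.fromhex('7250bf9e') + b'\x00' * 10],
    9000003: [b'POST / HTTP/1.1\r\nTagId: 1\r\n\r\n', b'GET / HTTP/1.1\r\n\r\n'],
}


def run_samples():
    results = {}   # {sid: [match flag per buffer]}; disabled rules are evaluated too
    for rule in map(parse_rule, SAMPLE_RULES):
        sid = int(dict(rule.options)['sid'])
        results[sid] = [payload_matches(rule, buf) for buf in SAMPLE_BUFFERS[sid]]
    return results
```

Two details worth noticing when reading the results: depth:8 on an 8-byte content pins it to the very start of the buffer, which is why www.gandcrab.bit does not match, and isdataat:1,relative rejects a name that ends exactly at the match, so a bare "gandcrab" label is not enough. The dsize check fails on a 14-byte payload even though the leading bytes match, which is the whole point of combining size with content for fixed-length beacons.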
Topic revision: r7 - 2018-07-19 - PhilSchroeder
 
This site is powered by the TWiki collaboration platform. Copyright © Emerging Threats