#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC?)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022480; rev:4; metadata:attack_target Client_and_Server, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)

Added 2022-05-19 19:06:40 UTC


#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC?)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022480; rev:3; metadata:attack_target Client_and_Server, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)

Added 2022-01-14 20:12:30 UTC


#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC?)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022480; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_10, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)

Added 2022-01-14 18:55:32 UTC


#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC?)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022480; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_10;)

Added 2020-08-05 19:12:01 UTC


#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC?)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; metadata: former_category MALWARE; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022480; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_01, updated_at 2019_10_10;)

Added 2019-10-10 19:42:46 UTC


alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC?)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; metadata: former_category MALWARE; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022480; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_01, updated_at 2016_07_01;)

Added 2019-09-19 19:26:35 UTC


alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC?)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022480; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_01, updated_at 2016_07_01;)

Added 2017-08-07 21:17:23 UTC


alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC?)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022480; rev:2;)

Added 2016-02-01 17:29:12 UTC


Topic revision: r1 - 2022-05-19 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats