Last 50 Rule Changes

Results from Main web retrieved at 14:48 (GMT)

alert dns $HOME_NET any any any (msg:"ET MALWARE MageCart CnC Domain Observed in DNS Query"; dns_query; content:"jqueryextplugin.com"; nocase; isdataat:1,relative ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Nemty Ransomware Payment Page ID File Upload"; flow:established,to_server; content:"POST"; http_method ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls_cert_subject; content:"CN ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Observed Nemty Ransomware Payment Page"; flow:established,to_client; content:"200"; http_stat_code; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Nemty Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls_cert_subject; content:"CN ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN CrownAdPro CnC Activity M3"; flow:established,to_server; urilen:13; content:"GET"; http_method; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN CrownAdPro CnC Activity M4"; flow:established,to_server; urilen:10; content:"GET"; http_method; content ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Group 21 CnC Domain Observed in DNS Query"; dns_query; content:"quwa paf.servehttp.com"; nocase; isdataat:1,relative ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN CrownAdPro CnC Activity M5"; flow:established,to_server; urilen: ... [Added 2020-01-16 19:12:06 UTC]
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/MillionLoader CnC Init Activity"; flow:established,to_server; dsize:16; content:"ggin|00 00 00 00 ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN CrownAdPro CnC Activity M2"; flow:established,to_server; urilen:11; content:"GET"; http_method; content ...
alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Win32/MillionLoader CnC Activity (Inbound)"; flow:established,from_server; content:"ggin|00 00 00 00 00 ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/MillionLoader CnC Activity (Outbound)"; flow:established,to_server; content:"ggin|0b 00 00 00|" ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Miarroba Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN SMS Bomber Activity"; flow:to_server,established; content:"POST"; http_method; content:" v "; http_client_body ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Observed Certificate Base64 Encoded Executable Inbound"; flow:established,to_client; file_data; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Observed Certificate Containing Possible Base64 Encoded Powershell Inbound"; flow:established,to_client ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Observed Certificate Containing Double Base64 Encoded Executable Inbound"; flow:established,to_client ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Observed Possible PowerSploit/PowerView .ps1 Inbound"; flow:established,to_client; content:"200"; http ...
alert smtp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerSploit/PowerView SMTP Data Exfil"; flow:established,to_server; content:"Subject|3a 20|DC|3a|"; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerTrick Known Key 2"; flow:established,to_server; content:"POST"; http_method; content:"p1=ybEsTxhqPuN4uVkemt6WjxaJN8jBdAGLxKeY9a4CnMTLSSq2 ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerTrick Known Key 1"; flow:established,to_server; content:"POST"; http_method; content:"p1=P4YCVQER8UWpfzxVFmVSDyBLzKL3yV6c ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerTrick download ver1 bot"; flow:established,to_server; content:"GET"; http_method; content:"?x=UDRZQ1ZRRVI4VVdwZnp4VkZtVlNEeUJMektMM3lWNmM ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerTrick download ver2 bot"; flow:established,to_server; content:"GET"; http_method; content:"?a=irs ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerTrick download bot known key"; flow:established,to_server; content:"GET"; http_method; content: ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Italian Spam Campaign ZIP with EXE Containing Many Underscores"; flow:from_server,established ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerTrick Task Checkin M1"; flow:established,to_server; content:"POST"; http_method; content:"p3=Qzpc ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Satan Ransomware CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:".php ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerTrick Task Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:"p3="; ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerTrick Task Request"; flow:established,to_server; content:"POST"; http_method; content:"p t p1 " ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN OilRig APT PowDesk Powershell Check"; flow:established,to_server; content:"GET"; http_method; content ...
alert dns $HOME_NET any any any (msg:"ET POLICY GG Url Shortener Observed in DNS Query"; dns_query; content:"gg.gg"; nocase; depth:5; isdataat:1,relative; metadata ...
alert dns $HOME_NET any any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns_query; content ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Observed Malicious SSL Cert (Office365 Phish Landing Page 2020-01-09)"; flow:established,to_client ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerTrick Task Answer"; flow:established,to_server; content:"POST"; http_method; content:"p3="; http ...
alert http any any $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2"; flow ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns_query; content:"cdn google eu.com"; nocase; depth:17 ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns_query; content:"securecloudbase.com"; nocase; depth ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns_query; content:"cdn digicert i31.com"; nocase; depth ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns_query; content:"mozilla yahoo.com"; nocase; depth:17 ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns_query; content:"google download.com"; nocase; depth ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN 401TRG PS/PowDesk Checkin (APT34)"; flow:to_server,established; content:".php?devicename="; http_uri ...
alert dns $HOME_NET any any any (msg:"ET TROJAN DonotGroup CnC Domain Observed in DNS Query"; dns_query; content:"mimestyle.xyz"; nocase; isdataat:1,relative; metadata ...
Number of topics: 50
Topic revision: r7 - 2018-07-19 - PhilSchroeder
This site is powered by the TWiki collaboration platform. Copyright © Emerging Threats