Last 50 Rule Changes

Results from Main web retrieved at 19:14 (GMT)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Update Phishing Landing M2 2016-05-16"; flow:from_server,established; content:"200"; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible SQLi Attempt in User Agent (Outbound)"; flow:established,from_client; content:"User-Agent|3a| ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Update Phishing Landing M1 2016-05-16"; flow:from_server,established; content:"200"; ...
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN CobaltStrike DNS Beacon Response"; content:"|81 80 00 01 00 01|"; depth:6; offset:2; content:"|c0 0c 00 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DCRat CnC Activity"; flow:established,to_server; urilen: 100; content:"GET"; http_method; content:" ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Magento Shoplift Exploit Inbound"; flow:to_server,established; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DCRat Initial CnC Activity"; flow:established,to_server; urilen: 100; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku Initial C2 Checkin"; flow:to_server,established; urilen:10; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT.Fwits CnC Beacon M1"; flow:established,to_server; content:"GET"; http_method; content:"/al?"; depth ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT.Fwits CnC Beacon M2"; flow:established,to_server; content:"GET"; http_method; content:"? "; http ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS BLEXBot User Agent"; flow:established,to_server; content:"Mozilla/5.0 (compatible|3b 20|BLEXBot ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Linux/Tsunami DOS User Agent (x00_gawa.sa.pilipinas.2015) INBOUND"; flow:to_server,established; content ...
alert http any any -> $HOME_NET 8080 (msg:"ET WORM TheMoon.linksys.router 3"; flow:to_server,established; content:"POST"; http_method; content:"/hndUnblock.cgi"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Gaudox Checkin"; flow:to_server,established; content:".php"; http_uri; content:"Mozilla/5.0 (X11 ...
alert http any any -> $HOME_NET 8080 (msg:"ET WORM TheMoon.linksys.router 2"; flow:to_server,established; content:"POST"; http_method; content:"/tmUnblock.cgi"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Blackmoon/Banbra Configuration Request"; flow:to_server,established; content:"GET"; http_method; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router Information Disclosure Exploit Attempt"; flow:to_server,established; content:"GET ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows Quicktime User Agent EOL With Known Bugs"; flow:established,to_server; content:"QuickTime"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Virus Encoder Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 1 (ping)"; flow:to_server,established; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XST/UP007 Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a| ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Ponmocup.A Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:10; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 28 2016"; flow:established,to_server; content:"HEAD"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG Exploit URI Struct March 20 2015"; flow:established,to_server; urilen: 220; content:"/index ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Set"; flow:established,from_server; content:"Cookie|3a| visited ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PhishMe.com Phishing Exercise Client Plugins"; flow:to_server,established; urilen:15; content:"POST" ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 2 (traceroute)"; flow:to_server,established; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Genome User Agent (Http Down)"; flow:established,to_server; content:"User-Agent|3a 20|Http Down"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Locky CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:11; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:!"Accept ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IrcBot Fantasy Name Gen"; flow:established,to_server; content:"Host|3a 20|www.fantasynamegen.com"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely PadCrypt Locker PKG DL"; flow:established,to_server; content:".pdcr"; http_uri; nocase; pcre: ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dridex Base64 Executable"; flow:from_server,established; content:"200"; http_stat_code; content:"|47 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Operation Blockbuster User Agent (Mozillar)"; flow:to_server,established; content:"Mozillar"; depth:8 ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Custom Content Type Manager WP Backdoor Access"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible OceanLotus C2 Checkin"; flow:to_server,established; content:"GET"; http_method; content:".db ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Banload Downloading Executable"; flow:established,from_server; flowbits:isset,ET.autoit.ua; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DCS-930L Remote Command Execution attempt"; flow:to_server,established; urilen:17; content:"POST ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Syndicasec.Backdoor CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/GCman.Backdoor CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/cgi ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mokes CnC Keep Alive"; flow:established,to_server; urilen:3; content:"GET"; http_method; content:"/v1 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Download Request Containing Suspicious Filename Crypted"; flow:to_server,established; content:"GET ...
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Compromised Webserver Retriving Inject"; flow:established,to_server; content:"/blog ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Fluxer CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/gate.php ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex POST Retrieving Second Stage M2"; flow:established,to_server; content:"POST / HTTP/1.1|0d 0a| ...
Number of topics: 50
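The CobaltStrike DNS Beacon Response rule in the listing is the one entry here whose visible options can be followed end to end: the header selects UDP traffic from port 53 on $EXTERNAL_NET, so it is evaluated on DNS responses, not queries; the first content match is pinned with offset:2 and depth:6 onto the flags (81 80: standard response, recursion desired and available, no error), QDCOUNT (1) and ANCOUNT (1) fields; the second matches the c0 0c compressed-name pointer an answer uses to refer back to the question name at offset 12. The Python below is an added example, not Emerging Threats code. It is a toy parser for a rule header plus its msg, content, offset and depth options, a matcher that applies them with Snort 2 semantics (depth counted from the offset), and constructed DNS responses to run them on. Only the options visible in the listing are evaluated: the listing truncates the second content after c0 0c 00, so only those three bytes are matched, and flow and other keywords are ignored.

```python
import re
import struct

# Header and first two content matches of the CobaltStrike DNS Beacon Response
# rule as shown in the listing. The listing truncates the rule after "c0 0c 00",
# so only the options visible there are evaluated; nothing past that is assumed.
DNS_BEACON_RULE = (
    'alert udp $EXTERNAL_NET 53 -> $HOME_NET any '
    '(msg:"ET TROJAN CobaltStrike DNS Beacon Response"; '
    'content:"|81 80 00 01 00 01|"; depth:6; offset:2; content:"|c0 0c 00|";)'
)

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<options>.*)\)\s*$"
)


def split_options(text):
    """Split the option body on ';' while respecting quoted strings."""
    parts, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def decode_content(value):
    """Turn a Snort content string into bytes: text outside |..| is literal,
    text inside |..| is hex."""
    out = bytearray()
    for i, segment in enumerate(value.split("|")):
        out += bytes.fromhex(segment) if i % 2 else segment.encode("latin-1")
    return bytes(out)


def parse_rule(rule_text):
    """Parse the header and the msg/content/offset/depth options of one rule.
    Other options (flow, http_*, pcre, ...) are ignored by this toy parser."""
    m = HEADER_RE.match(rule_text.strip())
    if m is None:
        raise ValueError("not a Snort/Suricata rule header")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["msg"], rule["contents"] = None, []
    for opt in split_options(m.group("options")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule["msg"] = val.strip('"')
        elif key == "content":
            rule["contents"].append({
                "bytes": decode_content(val.lstrip("!").strip('"')),
                "negated": val.startswith("!"), "offset": 0, "depth": None,
            })
        elif key in ("offset", "depth") and rule["contents"]:
            rule["contents"][-1][key] = int(val)  # modifies the preceding content
    return rule


def rule_matches(rule, payload):
    """Evaluate the content matches. offset starts the search at that payload
    byte; depth limits how many bytes from that start are searched (Snort 2
    semantics). A content with no modifiers is searched over the whole payload."""
    for c in rule["contents"]:
        start = c["offset"]
        end = len(payload) if c["depth"] is None else start + c["depth"]
        found = payload.find(c["bytes"], start, end) != -1
        if found == c["negated"]:
            return False
    return True


def dns_response(txid, flags, qname, answer_ip=None):
    """Build a constructed DNS response: header, one A/IN question and, if
    answer_ip is given, one A record whose name is a c0 0c pointer back to
    the question name at offset 12."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    name = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in qname.split(".")) + b"\x00"
    pkt = header + name + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        pkt += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, len(rdata)) + rdata
    return pkt


# Constructed sample traffic (not captured data).
BEACON_REPLY = dns_response(0x1234, 0x8180, "a1b2c3.beacon.example", "10.0.0.1")
NXDOMAIN_REPLY = dns_response(0x1234, 0x8183, "a1b2c3.beacon.example")
# The same bytes the rule wants, but not where offset/depth anchor them.
MISPLACED_BYTES = b"\x00" * 10 + b"\x81\x80\x00\x01\x00\x01\xc0\x0c\x00"

if __name__ == "__main__":
    rule = parse_rule(DNS_BEACON_RULE)
    for label, pkt in [("beacon reply", BEACON_REPLY), ("NXDOMAIN reply", NXDOMAIN_REPLY),
                       ("misplaced bytes", MISPLACED_BYTES)]:
        print(f"{rule['msg']!r} on {label}: {rule_matches(rule, pkt)}")
```

The third sample is the reason the offset and depth modifiers matter: a plain substring search over the payload would fire on it, while the anchored match only fires when the flag and count fields themselves hold the expected values. The NXDOMAIN reply fails on ANCOUNT alone, which is also why a rule like this is silent on ordinary lookup failures for the same name.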
Topic revision: r7 - 2018-07-19 - PhilSchroeder
 
This site is powered by the TWiki collaboration platform. Copyright © Emerging Threats