Last 50 Rule Changes


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Punto Loader Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/klog.php"; ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (LazarusGroup CnC)"; flow:from_server,established; tls_cert_serial; content ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Start Process (RhcnQtUHJvQ2) in DNS TXT Reponse"; content:"|00 ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke WmiMethod (nZva2UtV21pTWV0aG) in DNS TXT Reponse"; content ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke WmiMethod (Zva2UtV21pTWV) in DNS TXT Reponse"; content ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke WmiMethod (dm9rZS1XbWlNZXRob2) in DNS TXT Reponse"; content ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke Command (dm9rZS1Db21tYW) in DNS TXT Reponse"; content ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Start Process (YXJ0LVByb2Nlc3) in DNS TXT Reponse"; content: ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke Command (nZva2UtQ29tbW) in DNS TXT Reponse"; content: ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke Command (Zva2UtQ29) in DNS TXT Reponse"; content:"|00 ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke WmiMethod (dm9rZS1XbWlNZXR) in DNS TXT Reponse"; content ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke Command (dm9rZS1Db21) in DNS TXT Reponse"; content:"|00 ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke WmiMethod (52b2tlLVdtaU1ldG) in DNS TXT Reponse"; content ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Start Process (GFydC1Qcm9jZX) in DNS TXT Reponse"; content:"| ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke WmiMethod (52b2tlLVdtaU1) in DNS TXT Reponse"; content ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke Command (52b2tlLUNvbW1hbm) in DNS TXT Reponse"; content ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke Command (52b2tlLUNvbW1) in DNS TXT Reponse"; content: ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded New Object (V3LU9) in DNS TXT Reponse"; content:"|00 00 10 00 ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Start Process (YXJ0LVByb2N) in DNS TXT Reponse"; content:"|00 ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded New Object (ctT2J) in DNS TXT Reponse"; content:"|00 00 10 00 ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Start Process (FydC1Qcm9) in DNS TXT Reponse"; content:"|00 00 ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Start Process (RhcnQtUHJ) in DNS TXT Reponse"; content:"|00 00 ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded New Object (dy1PYmplY3) in DNS TXT Reponse"; content:"|00 00 ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded New Object (dy1PYmp) in DNS TXT Reponse"; content:"|00 00 10 ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded New Object (XctT2JqZW) in DNS TXT Reponse"; content:"|00 00 10 ...
alert dns any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded New Object (V3LU9iam) in DNS TXT Reponse"; content:"|00 00 10 ...
alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"ET EXPLOIT Possible MicroLogix 1100 PCCC DoS Condition (CVE-2017-7924)"; flow:to_server,established; content: ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DirectsX Checkin Response"; flow:established,from_server; dsize:25; content:"|19 00 00 00|"; offset:17 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible SharpShooter Framework Generated VBS Script"; flow:established,to_client; file_data; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible SharpShooter Framework Generated Script"; flow:established,to_client; file_data; content:"rc4 ...
alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB Likely Lateral Movement"; flow:established,to_server; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Cayosin/Mirai CnC Domain in DNS Lookup"; dns_query; content:"hostnamepxssy.club"; nocase; isdataat:1,relative; metadata ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DirectsX CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"AAAAAAAAAAAAAA ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Shlayer CnC Activity M4"; flow:established,to_server; content:"GET"; http_method; content:"/sd/?c ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Shlayer CnC Activity M2"; flow:established,to_server; content:"GET"; http_method; content:"/hyllkjit ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious SSN Parameter in HTTP POST Possible Phishing"; flow:established,to_server; content:"POST ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Shlayer CnC Activity M3"; flow:established,to_server; content:"GET"; http_method; content:"/?campid ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious CVV Parameter in HTTP POST Possible Phishing"; flow:established,to_server; content:"POST ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Shlayer CnC Activity M1"; flow:established,to_server; content:"GET"; http_method; content:"/?b9zd1 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS SFML User Agent (libsfml-network)"; flow:established,to_server; content:"libsfml-network/"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; content:"POST ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Astaroth User Agent Observed"; flow:established,to_server; content:"Mozilla/4.0 (compatible ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Xnore Fake Facebook Login Credentials Collected"; flow:established,to_server; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 84"; flow:established,to_server; dsize: ... Added 2019-02-13 16:58:14 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; content:"POST ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; content:"POST ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; content:"POST ...
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN BrushaLoader CnC Domain in SNI"; flow:to_server,established; tls_sni; content:"traderserviceinfo.info ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M2"; flow:established,to_server; content:"X-Requested-With|3a 20|ShockwaveFlash ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:established,from_server; content:"traderserviceinfo ...
Topic revision: r7 - 2018-07-19 - PhilSchroeder