Last 50 Rule Changes

Results from Main web retrieved at 20:23 (GMT)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish Jan 14 2016"; flow:established,to_client; flowbits:isset,ET ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PTsecurity Possible Cobalt Strike payload"; flow:established,from_server; content:"200"; http_stat ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Unattributed CnC Domain in DNS Lookup (secured-mail .online)"; dns_query; content:"secured-mail.online"; nocase ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Unattributed CnC Domain in DNS Lookup (wipro365 .com)"; dns_query; content:"wipro365.com"; nocase; isdataat:1,relative ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Unattributed CnC Domain in DNS Lookup (xsecuremail .com)"; dns_query; content:"xsecuremail.com"; nocase; isdataat ...
alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Windows Phone PUA.Redpher (myservicessapps .com in DNS Lookup)"; dns_query; content:"myservicessapps.com ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Unattributed CnC Domain in DNS Lookup (microsoftonline-secure-login .com)"; dns_query; content:"microsoftonline ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Unattributed CnC Domain in DNS Lookup (internal-message .app)"; dns_query; content:"internal-message.app"; nocase ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Unattributed CnC Domain in DNS Lookup (encrypted-message .cloud)"; dns_query; content:"encrypted-message.cloud" ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Unattributed CnC Domain in DNS Lookup (encrypt-email .online)"; dns_query; content:"encrypt-email.online"; nocase ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Unattributed CnC Domain in DNS Lookup (secure-message .online)"; dns_query; content:"secure-message.online"; nocase ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN DonotGroup CnC Domain in DNS Lookup (drivethrough .top)"; dns_query; content:"drivethrough.top"; nocase; isdataat ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JS Obfuscation Possible Phishing 2016-03-01"; flow:from_server,established; content:"200"; ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN DonotGroup CnC Domain in DNS Lookup (drinkeatgood .space)"; dns_query; content:"drinkeatgood.space"; nocase; isdataat ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS ESET Installer"; flow:established,to_server; content:"ESET Installer"; http_user_agent; depth:14 ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (URL Shortener Service tiny .cc)"; flow:from_server,established; tls_cert_subject ...
alert dns $HOME_NET any -> any any (msg:"ET POLICY URL Shortener Service Domain in DNS Lookup (tiny .cc)"; dns_query; content:"tiny.cc"; nocase; isdataat:1,relative ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Outbound POST Request with Base64 ps PowerShell Command Output M1"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request with Double Cache Control"; flow:established,to_server; content:"Cache-Control|3a 20|no-cache ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound POST Request with ps PowerShell Command Output"; flow:established,to_server; content:"POST" ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (dji-msi .2waky .com)"; dns_query; content:"dji-msi.2waky ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Outbound POST Request with Base64 ps PowerShell Command Output M2"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Outbound POST Request with Base64 ps PowerShell Command Output M3"; flow:established,to_server; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (time-loss .dns05 .com)"; dns_query; content:"time-loss ...
alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content ...
alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00 ...
alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content ...
alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".ps1 ...
alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content ...
alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content ...
alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content ...
alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content ...
alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content ...
alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content ...
#alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ShellExecute Likely Lateral Movement"; flow:established,to_server; content:"|00|S|00|h|00|e|00|l ...
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Webmoney Advisor ActiveX Control DoS Function Call"; flow:to_client,established; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Scam Landing M1 2019-04-15"; flow:established,from_server; content:"200"; http_stat ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Explorer Shell CLSID COM Object Call Method Inbound via TCP"; flow:established,from_server; content:"explorer ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Scam Landing M2 2019-04-15"; flow:established,from_server; content:"200"; http_stat ...
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Yahoo CD Player ActiveX Open Stack Overflow Function Call"; flow:to_client,established ...
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Webmoney Advisor ActiveX Redirect Method Remote DoS Attempt"; flow:established,to ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) 2019-04-12"; flow:established,to_server; flowbits:noalert; flowbits ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (DonotGroup Android CnC)"; flow:from_server,established; tls_cert ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Check myexternalip.com"; flow:established,to_server; content:"GET"; http_method; content ...
Number of topics: 50
Topic revision: r7 - 2018-07-19 - PhilSchroeder
This site is powered by the TWiki collaboration platform (Powered by Perl). Copyright © Emerging Threats