RuleChanges (revision 2)

Last 50 Site Changes

Results from Main web retrieved at 12:05 (GMT)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1"; flow:established ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|XTC BOTNET ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|XTC|0d ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Malicious VBE Script (COVID-19 Phish 04-03-2020)"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT29 Implant8 MAL REFERER"; flow:established,to_server; content:"GET"; http_method; content:" bvm ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Dridex Download URI Struct with no referer"; flow:established,to_server; content:"GET"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FTCode Stealer Init Activity"; flow:established,to_server; content:"POST"; http_method; content:"guid ...
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2"; flow:established,to_server ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2"; flow:established ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|XTC BOTNET|0d ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE EQO Variant CnC Activity"; flow:established,to_server; content:"POST"; http_method; content: ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|XTC|0d 0a|"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FTCode Stealer CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"l dj0 ...
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1"; flow:established,to_server ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (persistence_enable)"; flow:established,to_client; dsize:25; content:"cGVyc2lzdGVuY2VfZW5hYmxl ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (getos)"; flow:established,to_client; dsize:9; content:"Z2V0b3M=|0a|"; metadata ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (screenshot command)"; flow:established,to_client; dsize:17; content:"c2NyZWVuc2hvdA== ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (keylogger_start)"; flow:established,to_client; dsize:21; content:"a2V5bG9nZ2VyX3N0YXJ0 ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (upload command)"; flow:established,to_client; dsize:9; content:"dXBsb2Fk ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (download command)"; flow:established,to_client; dsize:13; content:"ZG93bmxvYWQ= ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (openurl)"; flow:established,to_client; dsize:13; content:"b3BlbnVybA==|0a| ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Canada Revenue Agency COVID-19 Assistance Eligability Phishing Landing 2020-04-01"; flow:established ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|Hello ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Canada Revenue Agency COVID-19 Assistance Eligability Phishing Landing 2020-04-01"; flow:established ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious GET Request with Possible COVID-19 URI M2"; content:"GET"; http_method; content:"corona"; http ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Hello/"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious POST Request with Possible COVID-19 URI M1"; content:"POST"; http_method; content:"covid"; nocase ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious GET Request with Possible COVID-19 URI M1"; content:"GET"; http_method; content:"covid"; http ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspected Stitch Variant Backdoor CnC"; flow:established,to_server; content:"|00 00 00 0f|stitch626hctits ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious POST Request with Possible COVID-19 URI M2"; content:"POST"; http_method; content:"corona"; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET GAMES Growtopia Hack WrongGrow CnC Activity"; flow:established,to_client; content:"200"; http_stat_code; file ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Canada Revenue Agency COVID-19 Assistance Eligability Phish 2020-04-01"; flow:established ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Canada Revenue Agency COVID-19 Assistance Eligability (FR) Phish 2020-04-01"; flow ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Linux/Agent.HX CnC Activity M1"; flow:established,to_server; flowbits:isset,ET.LinuxAgent.HX; flowbits ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Linux/Agent.HX CnC Activity (set)"; flow:established,to_server; flowbits:set,ET.LinuxAgent.HX; content ...
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Linux/Agent.HX CnC Activity M2"; flow:established,to_client; flowbits:isset,ET.LinuxAgent.HX; flowbits ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M3"; flow:to_server,established; content:"covid19 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|NoIr x.86 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Buer Loader Update Request"; flow:established,to_server; urilen: 200; content:"GET"; http_method; content ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M5"; flow:to_server,established; content:"covid-19 ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M4"; flow:to_server,established; content:"corona ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Shadowcoin Cryptocurrency UA Observed"; flow:established,to_server; content:"User-Agent|3a 20|ShadowCoin ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Observed DNS Query to Stitch C2 Domain"; content:"system0-update04driver-roots.dynamic-dns.net"; nocase; depth:44 ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M6"; flow:to_server,established; content:"sars-cov ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|NoIr x.86/"; http ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M2"; flow:to_server,established; content:"coronavirus ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Tofsee Malformed Spam Template String"; flow:to_server,established; content:"receive|20|further ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Tofsee Unique Email Body Byte Sequence Observed"; flow:to_server,established; content:"|0d 0a 0d ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Tofsee Covid19 Spam Template 1 Active Outbound Email Spam"; flow:to_server,established; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Willowcoin Cryptocurrency UA Observed"; flow:established,to_server; content:"User-Agent|3a 20|WillowCoin ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Observed DNS Query to Stitch C2 Domain"; dns_query; content:"sys-andriod20-designer.dynamic-dns.net"; nocase; depth ...
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M1"; flow:to_server,established; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|DVRBOT ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|iamdelta"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|iamdelta ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful COVID-19 Related Phish M1"; flowbits:isset,ET.genericphish; content:"POST ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful COVID-19 Related Phish M2"; flowbits:isset,ET.genericphish; content:"POST ...
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M2"; content:"GET"; http_method; content:"/Telerik ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Lightspy Implant CnC"; flow:established,to_server; content:"|0d 0a 0d 0a|udid "; fast_pattern ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|DVRBOT"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Http connect)"; flow:established,to_server; content:"Http connect"; http ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Glupteba CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"myinfoart.xyz ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (KtulhuBrowser)"; flow:established,to_server; content:"KtulhuBrowser"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (explorersvc)"; flow:established,to_server; content:"explorersvc"; http_user ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (xPCAP)"; flow:established,to_server; content:"xPCAP"; http_user_agent; depth ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Airbnb COVID-19 Phish 2020-03-26"; flow:established,to_client; flowbits:isset,ET.genericphish ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Meterpreter)"; flow:established,to_server; urilen:175; content:"/ucD"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Downloaded via ge.tt Filesharing Service"; content:"GET"; http_method; content:"/gett/"; http_uri ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MegalodonHTTP/LuciferHTTP Client Action"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Uploaded to ge.tt Filesharing Service"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Adobe RTMP)"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Magnitude EK)"; flow:established,to_server; urilen: 235; content:"GET"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (OneDrive)"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Havex APT)"; flow:established,to_server; content:" "; http_cookie; offset ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Milum CnC"; flow:established,to_server; content:"|0d 0a 0d 0a|md "; fast_pattern; content:"POST ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Colleagues Quarantined with COVID-19 Phish 2020-03-25"; flow:established,to_server ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Airbnb COVID-19 Phish 2020-03-25"; flow:established,to_server; flowbits:isset,ET.genericphish ...
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2"; flow ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed MSIL/n2019cov (COVID-19) Ransomware CnC Domain in TLS SNI"; flow:established,to_server; tls_sni ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/n2019cov (COVID-19) Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam 2020-03-24"; flow:established,to_client; file_data; content:"Microsoft ...
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54G Version 3.1 Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000:9000 (msg:"ET TROJAN Win32/RaaLoader CnC Activity"; flow:established,to_server; dsize:12; content:"|12 10 00 00 00 00 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Common Unhidebody Function Observed in Phishing Landing"; flow:established,to_client; file_data ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful World Health Organization COVID-19 Phish 2020-03-23"; flow:established,to_server; ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls_cert_subject; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"change-password.ml"; nocase; isdataat:1,relative ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"0xf4a54cf56.tk"; nocase; isdataat:1,relative; ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Buer Loader CnC Domain (kkjjhhdff .site in TLS SNI)"; flow:established,to_server; tls_sni; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sekhmet Ransomware CnC Activity"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS UK GOV Identity Verification Phishing Landing"; flow:established,to_client; file_data; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN CoreDDRAT Screenshot Exfil"; flow:established,to_server; content:"|40 2f 44 44 48 63 6b 2f 2e|"; depth ...
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN CoreDDRAT CnC Activity"; flow:established,to_client; dsize:18; content:"|69 6e 66 6f 2f 44 44 48 63 ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"id451295.com"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"id24556.tk"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"yahoo-change-password.com"; nocase; isdataat:1 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful NHS Webmail Phish 2020-03-23"; flow:established,to_server; content:"POST"; http_method ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"0x4fc271.tk"; nocase; isdataat:1,relative; metadata ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN CoreDDRAT Initial Checkin"; flow:established,to_server; content:"|41 57 2f 44 44 48 63 6b 2f|"; depth ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"546874.tk"; nocase; isdataat:1,relative; metadata ...
Number of topics: 100
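The seven "ET TROJAN Suspected CHAOS CnC Inbound" rules in the list above each pin the TCP payload length with dsize and match a base64-encoded command word followed by a |0a|. That makes the two fields checkable against each other: base64 of the command named in the msg, plus one byte for the newline, must equal dsize. The following Python is an added example, not code from Emerging Threats or from this page: it recomputes the base64 for each command word, verifies the rule's dsize against it, and emulates one rule against constructed payloads. The command-to-dsize table is transcribed from the rules; the sample payloads are constructed, not captured traffic.

```python
import base64

# Command words named in the rule msgs and the dsize each rule pins.
# (Transcribed from the rules above; everything else here is added example code.)
CHAOS_RULES = {
    "persistence_enable": 25,
    "getos": 9,
    "screenshot": 17,
    "keylogger_start": 21,
    "upload": 9,
    "download": 13,
    "openurl": 13,
}


def expected_content(command: str) -> bytes:
    """Bytes the rule's content: field has to match: base64(command) + LF."""
    return base64.b64encode(command.encode("ascii")) + b"\n"


def check_dsize(command: str, dsize: int) -> bool:
    """True when base64(command) plus the trailing |0a| is exactly dsize bytes.

    Because dsize pins the whole payload, a typo in the base64 string or a
    changed command word shows up here as a length mismatch."""
    return len(expected_content(command)) == dsize


def matches_rule(payload: bytes, command: str, dsize: int) -> bool:
    """Emulate one rule: payload length must equal dsize and the encoded
    command must appear in it. Suricata's content: is not anchored by default,
    but with dsize fixing the length the string can only sit at offset 0."""
    return len(payload) == dsize and expected_content(command) in payload


def audit() -> dict:
    """Map each command to whether its rule's dsize agrees with the base64 length."""
    return {cmd: check_dsize(cmd, ds) for cmd, ds in CHAOS_RULES.items()}


if __name__ == "__main__":
    for cmd, ok in audit().items():
        print(f"{cmd:20s} {expected_content(cmd)!r:30s} dsize_ok={ok}")
    # Constructed payloads: the exact string the 'getos' rule should fire on,
    # and a CRLF-terminated variant it must not fire on (10 bytes, not 9).
    print(matches_rule(b"Z2V0b3M=\n", "getos", 9))
    print(matches_rule(b"Z2V0b3M=\r\n", "getos", 9))
```

Run it as a pre-deploy check whenever a dsize-pinned rule is edited; the length relation only holds for the exact terminator the rule uses, which is why the CRLF payload is rejected.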

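The three Linux/Agent.HX rules in the list above are tied together by the ET.LinuxAgent.HX flowbit: the "(set)" rule raises it on a flow, and M1 (to_server) and M2 (to_client) carry flowbits:isset, so they can only fire on a flow where the set rule has already matched. The following Python is an added example, not Emerging Threats code: it emulates that flowbit logic over four constructed packets to show the ordering and per-flow scope of the bit. The content strings HX-HELLO, HX-TASK and HX-RESP are invented stand-ins, because the real content: matches are truncated on the page, and the emulation ignores flowbits:noalert, which set rules commonly carry so that only the isset rules raise alerts.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    to_server: bool
    payload: bytes

    def flow_key(self) -> Tuple:
        # Both directions of one TCP session share flowbit state, so the key
        # is the unordered pair of endpoints.
        return tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))


@dataclass
class Rule:
    msg: str
    to_server: bool                    # flow:to_server (True) / to_client (False)
    content: bytes                     # stand-in for the rule's real content: match
    set_bit: Optional[str] = None      # flowbits:set,NAME
    isset_bit: Optional[str] = None    # flowbits:isset,NAME


# Direction and flowbit name are taken from the three rules on the page;
# the content values are invented placeholders.
AGENT_HX_RULES = [
    Rule("ET TROJAN Linux/Agent.HX CnC Activity (set)", True, b"HX-HELLO",
         set_bit="ET.LinuxAgent.HX"),
    Rule("ET TROJAN Linux/Agent.HX CnC Activity M1", True, b"HX-TASK",
         isset_bit="ET.LinuxAgent.HX"),
    Rule("ET TROJAN Linux/Agent.HX CnC Activity M2", False, b"HX-RESP",
         isset_bit="ET.LinuxAgent.HX"),
]


@dataclass
class FlowbitEngine:
    rules: List[Rule]
    bits: Dict[Tuple, Set[str]] = field(default_factory=dict)  # flow -> bits

    def process(self, pkt: Packet) -> List[str]:
        """Return msgs of the rules that fire on this packet, updating flow state."""
        flow_bits = self.bits.setdefault(pkt.flow_key(), set())
        fired = []
        for r in self.rules:
            if r.to_server != pkt.to_server or r.content not in pkt.payload:
                continue
            if r.isset_bit is not None and r.isset_bit not in flow_bits:
                continue  # bit never set on this flow: the isset rule stays silent
            if r.set_bit is not None:
                flow_bits.add(r.set_bit)
            fired.append(r.msg)
        return fired


def run_scenario() -> List[List[str]]:
    """Four constructed packets; returns the alerts raised by each in order."""
    eng = FlowbitEngine(AGENT_HX_RULES)
    client, server = ("10.0.0.5", 40000), ("203.0.113.7", 4444)
    return [
        # 1. M1 content arrives before the (set) rule has matched: no alert.
        eng.process(Packet(*client, *server, True, b"HX-TASK")),
        # 2. The (set) rule matches and raises ET.LinuxAgent.HX on this flow.
        eng.process(Packet(*client, *server, True, b"HX-HELLO")),
        # 3. Server reply on the same flow: M2 now fires.
        eng.process(Packet(*server, *client, False, b"HX-RESP")),
        # 4. Identical bytes on a different flow: bit not set there, nothing fires.
        eng.process(Packet("10.0.0.9", 40001, *server, False, b"HX-RESP")),
    ]


if __name__ == "__main__":
    for step, alerts in enumerate(run_scenario(), 1):
        print(step, alerts)
```

The fourth packet is the point a practitioner most often trips over: flowbits are per flow, not per host, so a response seen on a connection whose request the sensor missed (asymmetric routing, sensor restart) will not alert through M2 no matter how exact its content match is.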
-- MattJonkman - 28 Feb 2007

Topic revision: r2 - 2007-09-28 - RajendraPalnaty