Last 50 Rule Changes

Results from Main web retrieved at 15:17 (GMT)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (KtulhuBrowser)"; flow:established,to_server; content:"KtulhuBrowser"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (explorersvc)"; flow:established,to_server; content:"explorersvc"; http_user ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (xPCAP)"; flow:established,to_server; content:"xPCAP"; http_user_agent; depth ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Meterpreter)"; flow:established,to_server; urilen:175; content:"/ucD"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MegalodonHTTP/LuciferHTTP Client Action"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Downloaded via ge.tt Filesharing Service"; content:"GET"; http_method; content:"/gett/"; http_uri ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Magnitude EK)"; flow:established,to_server; urilen: 235; content:"GET"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (OneDrive)"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Uploaded to ge.tt Filesharing Service"; flow:established,to_server; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Airbnb COVID-19 Phish 2020-03-26"; flow:established,to_client; flowbits:isset,ET.genericphish ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Havex APT)"; flow:established,to_server; content:" "; http_cookie; offset ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Adobe RTMP)"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Milum CnC"; flow:established,to_server; content:"|0d 0a 0d 0a|md "; fast_pattern; content:"POST ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Colleagues Quarantined with COVID-19 Phish 2020-03-25"; flow:established,to_server ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Airbnb COVID-19 Phish 2020-03-25"; flow:established,to_server; flowbits:isset,ET.genericphish ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed MSIL/n2019cov (COVID-19) Ransomware CnC Domain in TLS SNI"; flow:established,to_server; tls_sni ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/n2019cov (COVID-19) Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method ...
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2"; flow ...
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54G Version 3.1 Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam 2020-03-24"; flow:established,to_client; file_data; content:"Microsoft ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful World Health Organization COVID-19 Phish 2020-03-23"; flow:established,to_server; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Common Unhidebody Function Observed in Phishing Landing"; flow:established,to_client; file_data ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls_cert_subject; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000:9000 (msg:"ET TROJAN Win32/RaaLoader CnC Activity"; flow:established,to_server; dsize:12; content:"|12 10 00 00 00 00 ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Buer Loader CnC Domain (kkjjhhdff .site in TLS SNI)"; flow:established,to_server; tls_sni; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"0x4fc271.tk"; nocase; isdataat:1,relative; metadata ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN CoreDDRAT KeepAlive Message"; flow:established,to_server; content:"|74 69 6d 65 2f 44 44 48 63 6b 2f ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful NHS Webmail Phish 2020-03-23"; flow:established,to_server; content:"POST"; http_method ...
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN CoreDDRAT CnC Activity"; flow:established,to_client; dsize:18; content:"|69 6e 66 6f 2f 44 44 48 63 ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"change-password.ml"; nocase; isdataat:1,relative ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN CoreDDRAT Screenshot Exfil"; flow:established,to_server; content:"|40 2f 44 44 48 63 6b 2f 2e|"; depth ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"yahoo-change-password.com"; nocase; isdataat:1 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS UK GOV Identity Verification Phishing Landing"; flow:established,to_client; file_data; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"id451295.com"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"546874.tk"; nocase; isdataat:1,relative; metadata ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sekhmet Ransomware CnC Activity"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"0xf4a5.tk"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"id6589.com"; nocase; isdataat:1,relative; metadata ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN CoreDDRAT Initial Checkin"; flow:established,to_server; content:"|41 57 2f 44 44 48 63 6b 2f|"; depth ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"0xf4a54cf56.tk"; nocase; isdataat:1,relative; ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"id24556.tk"; nocase; isdataat:1,relative; metadata ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN HAWKBALL CnC Initial Request"; flow:established,to_server; content:"GET"; http_method; content:"/?t ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN HAWKBALL CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:"/?e "; depth ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MSIL/Modi RAT CnC Command Inbound (plugin)"; flow:established,from_server; content:"plugin|7c 7c|"; depth ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|APEP"; http ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MSIL/Modi RAT CnC Command Inbound (aw)"; flow:established,from_server; dsize: ... Added 2020-03-24 02:58 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful EDU Phish 2017-12-04"; flow:established,to_client; flowbits:isset,ET.eduphish; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Modi RAT CnC Checkin (DesktopPreview)"; flow:established,to_server; content:"DesktopPreview|7c 7c ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|APEP"; http_header ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Patchwork.Backdoor Communicating with CnC"; flow:established,to_server; content:"POST"; http_method ...
Number of topics: 50
Topic revision: r7 - 2018-07-19 - PhilSchroeder
This site is powered by the TWiki collaboration platform. Copyright © Emerging Threats