Last 50 Rule Changes


alert tcp any ![21,25,110,143,443,465,587,636,989:995,5061,5222,8443] any any (msg:"ET POLICY TLS possible TOR SSL traffic"; flow:established,from_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 22 2017"; flow:to_server,established; content:"POST"; http_method ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED AAD CnC Communication"; flow:established,to_server; content:"filename=|22|C|3A 5C|WINDOWS|5C|system32 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ACUT CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows Settings Phishing Landing Jul 22"; flow:from_server,established; content:"200"; http ...
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M2 ...
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Length) M1"; flow ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (pcntl_exec() function used)"; flow:to_server,established; content ...
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sality Variant Downloader Activity (3)"; flow:established,to_server; content:"/?id"; nocase; ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DustySky Checkin"; flow:established,to_server; urilen:10; content:"GET"; http_method; content:"/index ...
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Length) M2"; flow ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (python eval() function used)"; flow:to_server,established; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M4"; flow:established,from_server; file_data ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spy/Infostealer.Win32.Embed.A Client Traffic"; flow:established,to_server; content:"/search?hl="; http ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017 M2"; flow:established,from_server; file_data; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017"; flow:established,from_server; file_data; content ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MagikPOS Downloader Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe"; flow:to_server,established; content:".exe ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/CryptFile2 / Revenge Ransomware Checkin M3"; flow:established,to_server; content:"POST"; http_method ...
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86_64 Reverse Shell Shellcode"; content:"|6a 02 6a 2a 6a 10 6a 29 6a 01 6a 02|"; content:"| ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WS/JS Downloader Mar 07 2017 M1"; flow:established,to_server; content:"/counter/"; http_uri; fast_pattern ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MagikPOS Downloader Retrieving Payload"; flow:established,to_server; content:"GET"; http_method; content ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Android Marcher C2)"; flow:established ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Common Phishing Redirect Dec 13 2016"; flow:from_server,established; content:"200"; http_stat ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL"; flow:established,to_server; urilen:1040; content ...
alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MagikPOS CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/api/?act=in ...
Topic revision: r5 - 2014-01-10 - MattJonkman