# sid 2016581 rev 4, current listing (2019-10-09): outbound HTTP request whose User-Agent
# buffer contains "Java/1." and whose Host header (pcre /H = header buffer, /m multiline,
# /i case-insensitive) ends in one of the listed dynamic-DNS domains, optionally ":port",
# followed by CR. classtype:bad-unknown plus the former_category HUNTING metadata mark this
# as a low-confidence indicator: any Java client (updaters, build tools, RATs alike) that
# talks to a DDNS host will fire it, so use hits as a pivot for host-side triage (which JVM
# process made the request, destination reputation) rather than as a verdict on their own.
# NOTE(review): the ".net" alternation carries the literal "undefineddynamic-dns", whereas
# rev 1 of this rule matched "dynamic-dns.net"; this looks like a regex-generation artifact
# that silently drops dynamic-dns.net from coverage — confirm against the intended list.
# NOTE(review): rev stays 4 although the former_category metadata differs from the earlier
# rev 4 listings on this page; consumers that key on sid/rev will not see the change.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP? Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(\x3a\d{1,5})?\r$/Hmi"; metadata: former_category HUNTING; classtype:bad-unknown; sid:2016581; rev:4; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

Added 2019-10-09 19:08:49 UTC


# sid 2016581 rev 4 as listed 2018-09-13: same header, User-Agent content match and Host
# pcre as the 2019-10-09 listing above, without the former_category HUNTING metadata.
# Detection logic: "Java/1." in the http_user_agent buffer, and a Host header ending in one
# of the listed dynamic-DNS domains, optional ":port", then CR (/Hmi: header buffer,
# multiline, case-insensitive). classtype:bad-unknown — a hunting-grade indicator that
# benign Java software using DDNS will also trigger; correlate before acting.
# NOTE(review): the ".net" group contains "undefineddynamic-dns" where rev 1 matched
# "dynamic-dns.net"; likely a generation artifact, so dynamic-dns.net is probably uncovered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP? Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016581; rev:4; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

Added 2018-09-13 19:46:34 UTC


Added 2018-09-13 17:57:26 UTC


# sid 2016581 rev 4 as listed 2018-09-13 (earlier entry of the same day); byte-identical to
# the 2018-09-13 listing above: "Java/1." in the http_user_agent buffer plus a Host header
# ending in a listed dynamic-DNS domain, optional ":port", then CR (/Hmi). Hunting-grade
# indicator (classtype:bad-unknown); expect benign Java clients using DDNS to match.
# NOTE(review): ".net" group still carries the "undefineddynamic-dns" token (rev 1 matched
# "dynamic-dns.net"), so that domain appears to be uncovered in this revision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP? Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016581; rev:4; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

Added 2017-08-07 21:10:20 UTC


# sid 2016581 rev 4 as listed 2017-08-07: same header, User-Agent match and Host pcre as
# the later rev 4 listings, but without the created_at/updated_at metadata keyword.
# Matches "Java/1." in the http_user_agent buffer and a Host header ending in one of the
# listed dynamic-DNS domains, optional ":port", then CR (/Hmi). classtype:bad-unknown —
# an indicator to correlate with host telemetry, not a standalone verdict.
# NOTE(review): ".net" group contains "undefineddynamic-dns"; rev 1 matched "dynamic-dns.net".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP? Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016581; rev:4;)

Added 2014-07-22 18:37:22 UTC


# sid 2016581 rev 1 (2013-03-14): original Snort-style form of the rule. Differences from
# rev 4 that matter for tuning: the header is "alert tcp ... $HTTP_PORTS" (port-bound,
# rather than app-layer "alert http"); the content match is " Java/1." (leading space) in
# the whole http_header buffer rather than the http_user_agent buffer, so any header line
# containing that token satisfies it; and the domain list differs — this revision matches
# dynamic-dns.net and portrelay.com, which rev 4 no longer lists, and lacks mymom.info,
# which rev 4 added. Host pcre shape is the same: listed domain, optional ":port", CR (/Hmi).
# classtype:bad-unknown — treat hits as a correlation pivot, not a verdict.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP? Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|www\.biz|z\.info)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amic(?:dns\.(?:(?:org|co|me)\.uk|biz)|-dns\.net)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|p(?:ort(?:relay\.com|25\.biz)|canywhere\.net|roxydns\.com)|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|(?:rebatesrule|3-a)\.net|https443\.(?:net|org)|bigmoney\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016581; rev:1;)

Added 2013-03-14 23:58:22 UTC

