Last 50 Rule Changes

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SSL/TLS Certificate Observed (Quasar Related)"; flow:established,to_client; tls_cert_subject; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Shade Ransomware Payment Domain in DNS Lookup"; dns_query; content:"cryptsen7f043rr6.onion"; nocase; isdataat:1 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Router EK Landing Page Inbound 2019-05-24"; flow:established,from_server; content:"200 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JS ShellWindows/AddInProcess Win10 DeviceGuardBypass Inbound"; flow:established,from_server; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BabyShark HTTP Exfil"; flow:established,to_server; content:"POST"; http_method; content:"/upload.php ...
#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Executable Transfer in SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Eir D1000 Remote Command Injection Attempt Outbound"; flow:established,to_server; content:"POST"; http ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Eir D1000 Remote Command Injection Attempt Inbound"; flow:established,to_server; content:"POST"; http ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown VBScript Loader with Encoded PowerShell Execution Inbound"; flow:established,from_server ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic Check-in"; flow:to_server,established; content:"POST"; http_method; content:" MSIE "; fast_pattern ...
alert tcp any any -> $HOME_NET 139,445 (msg:"ET TROJAN Suspected ExtraPulsar Backdoor"; flow:established,to_server; content:"ExPu"; depth:11; offset:4; content: ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:17; content:"|20|MSIE|20 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M3"; flow:established,to_server; urilen:6; content:"MSIE ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FAKEIE Minimal Headers (flowbit set)"; flow:to_server,established; content:"GET"; http_method ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Apr 08 2015"; flow:established,from_server; content:"Server|3a 20|nginx" ...
alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to External IP Lookup Domain (iplocation .truevue .org)"; dns_query; content:"iplocation.truevue ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup iplocation .truevue .org"; flow:established,to_server; content:"iplocation.truevue ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Panda Banker CnC"; flow:established,to_server; content:"POST"; http_method; content:!".php"; http_uri ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Slideshow Gallery 1.4.6 Shell Upload"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Geodo Checkin"; flow:established,to_server; urilen:1620; content:"POST"; http_method; content: ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; content:"GET"; http_method; urilen ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.Win32.Vobfus Checkin 3"; flow:established,to_server; content:"GET"; http_method; content:"|3f|" ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1"; flow:established,to_server; content:"POST ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall Check-in"; flow:established,to_server; urilen: ... (Added 2019-05-22 20:30:36 UTC)
alert tcp any any -> any 3389 (msg:"ET EXPLOIT NCC GROUP Possible Inbound RDP Exploitation Attempt (CVE-2019-0708)"; flow:to_server,established; content:"|03 00 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GET Minimal HTTP Headers Flowbit Set"; flow:established,to_server; content:"GET"; http_method; http_header ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) 2019-05-21"; flow:established,to_server; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BabyShark Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/expres.php?op ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Mirai Variant Checkin Response"; flow:established,to_client; content:"|21 2a 20|LOLNOBYE"; isdataat ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Prime Infrastruture RCE CVE-2019-1821"; content:"POST"; http_method; content:"/servlet ...
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious shell .now .sh Domain"; dns_query; content:"shell.now.sh"; nocase; isdataat:1,relative; metadata ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Donot Group/APT-C-35 CnC)"; flow:from_server,established; tls_cert_subject ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS AppControls.com User-Agent"; flow:established,to_server; content:"acHTTP component (AppControls ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN BlackTech Plead CnC in DNS Lookup"; dns_query; content:"dns-report.com"; nocase; isdataat:1,relative; pcre:"/^[a ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Winnti Payload XORed Check-in to Infected System (0xd4413890)"; flow:established,to_server; dsize: ... (Added ...)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN BlackTech Plead CnC in DNS Lookup"; dns_query; content:"ssmailer.com"; nocase; isdataat:1,relative; pcre:"/^[a-z0 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN BlackTech Plead Fake Favicon"; flow:established,from_server; content:"200"; http_stat_code; http content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO AutoIt User-Agent Downloading ZIP"; flow:established,to_server; content:"GET"; http_method; content:".zip ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CyberArk Enterprise Password Vault XXE Injection Attempt"; flow:established,to_server; content:"POST ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys Smart WiFi Information Disclosure Attempt Inbound"; flow:established,to_server; content:"POST ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN MirrorThief CnC in DNS Lookup"; dns_query; content:"jqueryextd.at"; nocase; isdataat:1,relative; metadata: former ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MirrorThief CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Almashreq Executing New Processes"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Almashreq CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"MS|20 ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN SystemdMiner C2 Domain in DNS Lookup"; dns_query; content:"aptgetgxqs3secda"; depth:16; metadata: former category ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN SystemdMiner C2 Domain in DNS Lookup"; dns_query; content:"rapid7cpfqnwxodo"; depth:16; metadata: former category ...
Number of topics: 50
Topic revision: r7 - 2018-07-19 - PhilSchroeder