Last 50 Rule Changes

Results from Main web retrieved at 07:36 (GMT)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M1"; flow:established,to_server; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Zipped Filename in Outbound POST Request (screenshot.) M1"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Zipped Filename in Outbound POST Request (cookies.txt) M1"; flow:established,to_server; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Inbound JS Downloader Using Array Push Obfuscation"; flow:established,from_server; content:"200 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Zipped Filename in Outbound POST Request (cookies.txt) M2"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Dorv Stealer Exfiltrating Data to CnC"; flow:established,to_server; content:"POST"; http_method ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Gootkit CnC)"; flow:from_server,established; content:"|82 1c|ws.diminishedvalueoregon ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unk/JS.Downloader CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?b ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys E1500/E2500 apply.cgi RCE Attempt"; flow:established,to_server; content:"POST"; http ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WRT100/110 RCE Attempt (CVE-2013-3568)"; flow:established,to_server; content:"POST ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZTE ZXV10 H108L Router Root RCE Attempt"; flow:established,to_server; content:"GET"; http_method ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt"; flow:established,to_server; http_accept; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 OS Command Injection"; flow:established,to_server; content:"GET"; http_method ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077)"; flow:established,to_server; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173)"; flow:established,to_server; content:"GET"; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WAP54Gv3 Remote Debug Root Shell Exploitation Attempt"; flow:established,to_server ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 File Inclusion"; flow:established,to_server; content:"GET"; http_method ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Dorv InfoStealer CnC DNS Query"; dns_query; content:"googleservice-info.ru"; nocase; isdataat:1,relative; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE"; flow:established,to_server; content:"POST"; http_method; content:" ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)"; flow:established,to_server; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat Web Application Manager scanning"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Inbound PowerShell via Invoke-PSImage Stego"; flow:established,to_client; file_data; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Gozi CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=poladidlei ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u001 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u0020javascript ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u000 ...
alert tcp $HOME_NET any -> any any (msg:"ET TROJAN Win32/Termite Agent Implant CnC Checkin"; flow:established,to_server; dsize: ... Added 2019-03-14 20:19:57 UTC
alert tcp $HOME_NET any -> any any (msg:"ET TROJAN Win32/Termite Agent Implant Keep Alive"; flow:established,to_server; dsize: ... Added 2019-03-14 20:19:57 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Retadup CnC Checkin M1"; flow:established,to_server; content:"GET"; http_method; content:"|2f|1 ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Retadup CnC Checkin M2"; flow:established,to_server; content:"GET"; http_method; content:"4D53473A213A ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PirateBay Phish Possibly PirateMatryoshka Related"; flow:established,from_server; content: ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Retadup Success Response from CnC"; flow:established,from_server; content:"200"; http_stat_code ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate"; flow:from_server,established; content:"|A3 ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/PirateMatryoshka CnC DNS Query"; dns_query; content:"mobilekey.pw"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 13"; dns_query; content:"32player.com"; depth:12; nocase; isdataat:1,relative; metadata ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Wget Request for Executable"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M2"; flow:established,to_server; content:"X-Requested-With|3a 20|ShockwaveFlash ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spelevo EK Landing M3"; flow:from_server,established; file_data; content:"|427364576470626b526c6447566a64 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spelevo EK Landing M1"; flow:from_server,established; file_data; content:"|554778315a326c75524756305a574e30 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M3"; flow:from_server,established; file_data; content:"|6f5532686c6247786a6232526c5157526b636c4268636d4674 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M2"; flow:from_server,established; file_data; content:"|68546147567362474e765a4756425a475279554746795957 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Spelevo EK Post Compromise Data Dump"; flow:to_server,established; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spelevo EK Landing M2"; flow:from_server,established; file_data; content:"|516248566e615735455a58526c5933 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO eSentire Possible Kali Linux Updates"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M1"; flow:from_server,established; file_data; content:"|4b464e6f5a5778735932396b5a55466b5a484a5159584a6862 ...
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Libtorrent User Agent"; flow:to_server,established; content:"libtorrent"; nocase; http_user_agent ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related"; flow:established,to_server; content:" ...
Number of topics: 50
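The listing above is raw Suricata rule text, cut off by the changelog display after a fixed width. To triage a batch like this (which categories changed, which rules watch traffic leaving $HOME_NET, which entries are too truncated to carry a sid) it helps to parse the header and the option list rather than eyeball it. The following is an added example written for this page, not Emerging Threats code: a small parser that splits the header (action, protocol, addresses, direction) from the option body, tokenises options on semicolons while respecting quoted content (a `;` inside `content:"..."` must not split the option), and flags lines that end in "..." so their missing tail options are not mistaken for a malformed rule. The sample rules are constructed from entries on this page and carry placeholder sids from the local range (1000000+), not real ET sids.

```python
# Added example (not Emerging Threats code): parse Suricata-style rule lines into
# header fields and options, tolerate the "..." truncation this changelog applies,
# and summarise the batch. Sample rules are constructed; sids are placeholders.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# action proto src sport -> dst dport ( options...
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|reject|pass|log)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)$",
    re.DOTALL,
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    truncated: bool = False  # line ended in "..." so trailing options are missing

    def option(self, keyword: str) -> Optional[str]:
        """First value for keyword (quotes stripped); "" for flag options; None if absent."""
        for kw, val in self.options:
            if kw == keyword:
                return "" if val is None else val.strip('"')
        return None

    @property
    def msg(self) -> str:
        return self.option("msg") or ""

    @property
    def category(self) -> str:
        """ET msgs read 'ET <CATEGORY> <text>', so 'ET TROJAN ...' -> 'TROJAN'."""
        parts = self.msg.split(" ", 2)
        return parts[1] if parts[0] == "ET" and len(parts) > 1 else ""

    @property
    def outbound(self) -> bool:
        """Traffic leaving the monitored network: source is $HOME_NET, destination is not."""
        return self.src == "$HOME_NET" and self.dst != "$HOME_NET"


def split_options(body: str) -> Tuple[List[str], str]:
    """Split on ';' outside double quotes (backslash escapes honoured).
    Returns the complete options plus whatever followed the last ';':
    the closing ')' on a whole rule, a cut-off fragment on a truncated one."""
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    return opts, "".join(buf).strip()


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a rule header: {line[:60]!r}")
    body = m["body"]
    truncated = body.rstrip().endswith("...")
    opts, tail = split_options(body)
    if not truncated and tail != ")":  # a whole rule must close its option list
        raise ValueError(f"malformed option body, trailing {tail!r}")
    rule = Rule(m["action"], m["proto"], m["src"], m["sport"],
                m["direction"], m["dst"], m["dport"], truncated=truncated)
    for opt in filter(None, opts):  # the cut-off fragment in `tail` is deliberately dropped
        kw, sep, val = opt.partition(":")
        rule.options.append((kw.strip(), val.strip() if sep else None))
    return rule


def summarize(rules: List[Rule]) -> Dict[str, object]:
    """Batch view: categories touched, rules watching egress, CVE-tagged rules, truncated lines."""
    return {
        "by_category": Counter(r.category for r in rules),
        "outbound": [r.msg for r in rules if r.outbound],
        "with_cve": [r.msg for r in rules if re.search(r"CVE-\d{4}-\d{4,}", r.msg)],
        "truncated": sum(r.truncated for r in rules),
    }


# Constructed sample input modelled on entries above (placeholder sids, not real ET sids).
SAMPLE_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Zipped Filename '
    'in Outbound POST Request (passwords.txt) M1"; flow:established,to_server; content:"POST"; '
    'http_method; content:"passwords.txt"; http_client_body; classtype:trojan-activity; sid:1000001; rev:1;)',
    # a ';' inside quoted content must not split the option
    'alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert '
    '(Gootkit CnC)"; flow:from_server,established; content:"|82 1c|ws.example;invalid"; '
    'classtype:trojan-activity; sid:1000002; rev:1;)',
    # cut off exactly as the changelog displays it
    'alert dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/PirateMatryoshka CnC DNS Query"; '
    'dns_query; content:"mobilekey.pw"; nocase; isdataat:1,relative; metadata ...',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE '
    '(CVE-2017-6077)"; flow:established,to_server; content:"POST"; http_method; '
    'classtype:attempted-admin; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    parsed = [parse_rule(r) for r in SAMPLE_RULES]
    for r in parsed:
        cut = " [truncated]" if r.truncated else ""
        print(f"{r.proto:4} {r.src:>13} {r.direction} {r.dst:<13} {r.category:8} {r.msg}{cut}")
    print(summarize(parsed))
```

Run it against the page's own entries after restoring the syntax the wiki stripped (underscores in `$HOME_NET`, `http_method`, `to_server`, the `->` direction operator, and the `|..|` hex delimiters); a line that fails `parse_rule` with "malformed option body" is one where the display cut fell without leaving the trailing "..." marker, and it should be fetched from the full ruleset rather than trusted as shown.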
Topic revision: r7 - 2018-07-19 - PhilSchroeder
 
Copyright © Emerging Threats