Last 50 Rule Changes

Results from Main web retrieved at 22:20 (GMT)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"vosmas ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"pervas ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"tretas ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"vtoras ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"medsource ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"devata ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (PHPs Labyrinth Stage1 CnC)"; flow:established,to_client; tls_cert_subject ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"tdreg ...
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fake ProtonVPN/AZORult CnC Domain Query"; dns_query; content:"accounts.protonvpn.store"; nocase; depth:24; isdataat ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"tdreg ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"semasa ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"dolodos ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"piasuna ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"piastas ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Webhancer Data Post"; flow: to_server,established; content:"POST"; nocase; http_method; content:"http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SurfSidekick Download"; flow: established,to_server; content:"/requestimpression.aspx?ver "; nocase ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN VBScript Redirect Style Exe File Download"; flow:to_client,established; flowbits:isset,ET.Locky; file ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 180solutions Spyware Keywords Download"; flow: to_server,established; content:"GET"; http_method; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPNuke general SQL injection attempt"; flow: to_server,established; content:"/modules ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kimsuky Related CnC"; flow:established,to_server; content:"GET"; http_method; content:".php?WORD com ...
alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query for Suspicious TLD (.management)"; dns_query; content:".management"; nocase; isdataat:1,relative ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls_cert_subject; content: ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Charming Kitten Backdoor CnC Activity"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mermaid Ransomware Variant CnC Activity M4"; flow:established,to_server; content:"GET"; http_method; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PHPs Labyrinth Backdoor Stage2 CnC Activity M2"; flow:established,to_server; content:"GET"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PHPs Labyrinth Backdoor Stage1 CnC Activity"; flow:established,to_server; content:"GET"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspected Gamaredon Downloader Activity"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PHPs Labyrinth Backdoor Stage2 CnC Activity M1"; flow:established,to_server; content:"GET"; http_method ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Spark Backdoor CnC Domain Query"; dns_query; content:"nysura.com"; nocase; depth:10; isdataat:1,relative; metadata ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Onliner Mailer Module Communicating with CnC"; flow:established,to_server; content:"POST"; http ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LNKR Possible Response for LNKR js file"; flow:established,from_server; content:"200"; http_stat_code ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MICROPSIA CnC Domain)"; flow:from_server,established; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Nexus Stealer CnC Data Exfil"; flow:established,to_server; content:"POST"; http_method; content:".php ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Powershell Download Command Observed within Flash File Probable EK Activity"; flow:established ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BadPatch CnC Activity"; flow:established,to_server; content:"python-requests/"; http_user_agent; depth ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN GanDownloader CnC Checkin"; flow:established,to_server; content:"|2f 00 00 00|"; depth:4; http_client ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex AlphaNum DL Feb 10 2016"; flow:established,to_server; urilen:1550; content:"MSIE 7.0|3b 20|Windows ...
alert http $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173)"; flow:established,to_server; content:"GET"; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LNKR landing page (possible compromised site) M3"; flow:established,from_server; content:"200"; http ...
alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Possible Glitch.me Phishing Domain"; dns_query; content:".glitch.me"; nocase; isdataat:1,relative; pcre ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LNKR landing page (possible compromised site) M2"; flow:established,from_server; content:"200"; http ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LNKR landing page (possible compromised site) M5"; flow:established,from_server; content:"200"; http ...
Number of topics: 50
Topic revision: r7 - 2018-07-19 - PhilSchroeder
This site is powered by the TWiki collaboration platform. Copyright © Emerging Threats