[Emerging-Sigs] Daily Ruleset Update Summary 2018/02/09

rmkml rmkml at yahoo.fr
Mon Feb 12 11:12:27 HST 2018


Thx for sharing the update,

Could you check for a possible FN, because /r/n -> \r\n ?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic .EDU Phish (Legit Set)"; 
flow:to_server,established; content:".edu|0d 0a|"; http_header; pcre:"/^Host\x3a\x20[^/r/n]+\.edu/r/n/Hmi"; 
flowbits:set,ET.realEDUrequest; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:not-suspicious; sid:2025333; 
rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_02_09, updated_at 2018_02_09;)

Discovered during http://etplc.org open source project update.

Best Regards
@Rmkml


On Fri, 9 Feb 2018, Travis Green wrote:

> 
> [***]            Summary:            [***]
> 
> 9 new Open, 19 new Pro (9 + 10). Shurl0ckr Ransomware, OilRig RGDoor, Various Phishing.
> 
> 
> [+++]          Added rules:          [+++]
> 
> Open:
> 
>  2025332 - ET TROJAN Shurl0ckr Ransomware CnC (kdvm5fd6tn6jsbwh .onion .to in DNS Lookup) (trojan.rules)
>  2025333 - ET CURRENT_EVENTS Successful Generic .EDU Phish (Legit Set) (current_events.rules)
>  2025334 - ET CURRENT_EVENTS ASB Bank Phishing Landing 2018-02-09 M1 (current_events.rules)
>  2025335 - ET CURRENT_EVENTS LinkedIn Phishing Landing 2018-02-09 M1 (current_events.rules)
>  2025336 - ET CURRENT_EVENTS ASB Bank Phishing Landing 2018-02-09 M2 (current_events.rules)
>  2025337 - ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-09 (current_events.rules)
>  2025338 - ET CURRENT_EVENTS LinkedIn Phishing Landing 2018-02-09 M2 (current_events.rules)
>  2025339 - ET CURRENT_EVENTS Facebook Phishing Landing 2018-02-09 (current_events.rules)
>  2025340 - ET CURRENT_EVENTS Mailbox Revalidation Phishing Landing 2018-02-09 (current_events.rules)
> 
> Pro:
> 
>  2829617 - ETPRO EXPLOIT Adobe Flash Use After Free (CVE-2017-4877) (exploit.rules)
>  2829618 - ETPRO TROJAN Chthonic CnC Beacon 13 (trojan.rules)
>  2829619 - ETPRO TROJAN OilRig RGDoor Implant Communicating with CnC (trojan.rules)
>  2829620 - ETPRO TROJAN Chthonic CnC Beacon Generic M1 (trojan.rules)
>  2829621 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-09 1) (trojan.rules)
>  2829622 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-09 2) (trojan.rules)
>  2829623 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-09 3) (trojan.rules)
>  2829624 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-09 4) (trojan.rules)
>  2829625 - ETPRO TROJAN Chthonic CnC Beacon 14 (trojan.rules)
>  2829626 - ETPRO TROJAN NameCoin .bit DNS Sinkhole Response (trojan.rules)
> 
> 
> [///]     Modified active rules:     [///]
> 
>  2827572 - ETPRO CURRENT_EVENTS Successful Generic .EDU Phish Aug 17 2017 (current_events.rules)
>  2828734 - ETPRO TROJAN Powerstats C2 (trojan.rules)
>  2829308 - ETPRO TROJAN MSIL/Remcos Variant CnC Checkin (trojan.rules)
>  2829459 - ETPRO TROJAN Win32/Agent.ZGL Variant W32/UDPOS Checkin (trojan.rules)
> 
> 
> --
> PGP: 0xBED7B297
> 
>
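The false negative rmkml points to, worked through as an added example (this is not rule content from the list or from Emerging Threats). Inside a PCRE character class, `[^/r/n]` excludes the literal characters `/`, `r` and `n` rather than CR and LF, and the trailing `/r/n` demands a literal slash-r-slash-n that never follows a real Host header, so the intended escapes are `[^\r\n]+` and `\r\n`. The script uses Python's `re` in place of the engine's PCRE (the `H` flag is simulated by feeding the header buffer directly) and runs both patterns over constructed HTTP header buffers, which are assumptions of the example, not captured traffic:

```python
import re

# Flags from the rule are /Hmi: H picks the http_header buffer (a Snort/Suricata
# buffer selector, not a PCRE flag), m = multiline so ^ anchors each header line,
# i = case-insensitive. H is simulated here by matching on the header buffer itself.
FLAGS = re.MULTILINE | re.IGNORECASE

# Pattern exactly as quoted from sid:2025333 rev:2 in the mail above.
BUGGY = re.compile(r"^Host\x3a\x20[^/r/n]+\.edu/r/n", FLAGS)
# The intended pattern: CR and LF written as backslash escapes.
FIXED = re.compile(r"^Host\x3a\x20[^\r\n]+\.edu\r\n", FLAGS)


def make_headers(host: str) -> str:
    """Build a constructed request header buffer with CRLF line endings (sample data, not captured)."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: example\r\n\r\n"


def matches(pattern: re.Pattern, host: str) -> bool:
    """True if the pattern fires on a request whose Host header carries the given value."""
    return pattern.search(make_headers(host)) is not None


def compare(hosts):
    """Return {host: (buggy_fires, fixed_fires)} so the FN is visible side by side."""
    return {h: (matches(BUGGY, h), matches(FIXED, h)) for h in hosts}


def excluded_by_buggy_class() -> set:
    """Characters the class [^/r/n] actually refuses, found by probing printable ASCII."""
    cls = re.compile(r"[^/r/n]")
    return {c for c in map(chr, range(32, 127)) if not cls.fullmatch(c)}


if __name__ == "__main__":
    # Constructed hostnames: one contains 'r' and 'n', one contains neither.
    for host, (buggy, fixed) in compare(["mail.university.edu", "www.example.edu"]).items():
        print(f"{host:24s} buggy={buggy!s:5s} fixed={fixed!s:5s}")
    print("chars refused by [^/r/n]:", sorted(excluded_by_buggy_class()))
```

Both constructed hosts show `buggy=False fixed=True`: the broken class would already reject any hostname containing `r` or `n`, and even a hostname without them fails on the required literal `/r/n` after `.edu`, so the flowbit is never set and everything that depends on `ET.realEDUrequest` stays silent.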

