[Emerging-Sigs] Bot CNC Rule update

Bill Lariviere Bill.LaRiviere at regions.com
Mon Aug 19 09:46:39 HDT 2019


Hello all,

Current rule firing when the IP is blocked:

emerging-botcc.rules:alert tcp $HOME_NET any -> [207.244.97.230,212.109.192.235] any (msg:"ET CNC Ransomware Tracker Reported CnC Server TCP group 61"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404520; rev:5185; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_11_16;)


Getting false positives on Bot CNC rules firing when the IP is blocked. Thoughts on using flags:SA from the IP identified?

Sample technique:

emerging-botcc.rules:alert tcp [207.244.97.230,212.109.192.235] any -> $HOME_NET any (msg:"ET CNC Ransomware Tracker Reported CnC Server TCP group 61"; flags:SA; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_dst, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404520; rev:5185; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_11_16;)

Regards,


Bill LaRiviere  GCIA LCHP
Regions Bank IDS/IPS/NAC
205.261.4079
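Added example (not part of the post above, nor ET's own code): a toy evaluator for the two rule variants, showing why the `flags:S` rule alerts on a SYN the perimeter already dropped while the reversed `flags:SA` rule only alerts once the reported CnC IP actually answers. The CnC IPs and the threshold values are taken from the rules in the post; the `$HOME_NET` prefix, the packet sample and the simplified threshold logic are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List
# IPs and threshold values are those quoted in the post; $HOME_NET is an assumption.
CNC_IPS = {"207.244.97.230", "212.109.192.235"}
HOME_NET_PREFIX = "10."  # hypothetical $HOME_NET = 10.0.0.0/8
THRESHOLD_SECONDS, THRESHOLD_COUNT = 3600, 1  # threshold: type limit, seconds 3600, count 1

@dataclass(frozen=True)
class Pkt:
    ts: int      # seconds into the constructed capture
    src: str
    dst: str
    flags: str   # flags exactly as set, Suricata style: "S" = SYN only, "SA" = SYN+ACK only

def is_home(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIX)

def original_rule(p: Pkt) -> bool:
    # alert tcp $HOME_NET any -> [CnC list] any (flags:S; ...): fires on the client's SYN,
    # whether or not the perimeter lets that SYN through.
    return is_home(p.src) and p.dst in CNC_IPS and p.flags == "S"

def proposed_rule(p: Pkt) -> bool:
    # alert tcp [CnC list] any -> $HOME_NET any (flags:SA; ...): fires only on the
    # SYN-ACK, i.e. only when the reported CnC IP actually answered.
    return p.src in CNC_IPS and is_home(p.dst) and p.flags == "SA"

def apply_threshold(hits: List[Pkt], track: str) -> List[Pkt]:
    # type limit: at most THRESHOLD_COUNT alerts per tracked address per window (simplified)
    window_start: Dict[str, int] = {}
    counts: Dict[str, int] = {}
    out: List[Pkt] = []
    for p in hits:
        key = p.src if track == "by_src" else p.dst
        if key not in window_start or p.ts - window_start[key] >= THRESHOLD_SECONDS:
            window_start[key], counts[key] = p.ts, 0
        if counts[key] < THRESHOLD_COUNT:
            out.append(p)
        counts[key] += 1
    return out

def run(rule, track: str, pkts: List[Pkt]) -> List[Pkt]:
    return apply_threshold([p for p in pkts if rule(p)], track)

# Constructed sensor view: 10.1.2.3's SYNs are dropped at the perimeter (the client
# retransmits, nothing comes back); 10.1.2.4 reaches the CnC and completes a handshake.
SAMPLE = [
    Pkt(0, "10.1.2.3", "207.244.97.230", "S"), Pkt(1, "10.1.2.3", "207.244.97.230", "S"),
    Pkt(3, "10.1.2.3", "207.244.97.230", "S"),
    Pkt(10, "10.1.2.4", "212.109.192.235", "S"),
    Pkt(10, "212.109.192.235", "10.1.2.4", "SA"),  # the reply that proves the CnC is reachable
    Pkt(10, "10.1.2.4", "212.109.192.235", "A"),
]
```

Against this sample, `run(original_rule, "by_src", SAMPLE)` yields two alerts (one per client, including the blocked one) while `run(proposed_rule, "by_dst", SAMPLE)` yields one, for the host that really got an answer. Note that the sample rule in the post keeps the original's `sid:2404520`, so it would need its own sid (or replace the original) if both were loaded.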