[Emerging-Sigs] COVID-19

Jason Williams jwilliams at emergingthreats.net
Mon Mar 30 13:50:42 HDT 2020


Orion,

These rules are in the INFO category (HUNTING category for Suricata 5) so
they are not solely indicative of malicious activity.

With the rise in malicious activity tied to the pandemic, we have observed
these to be useful in hunting on the network for new threats.

If there are noisy uninteresting things that are cluttering up your logs,
please let us know and we will always be happy to look at making some
modifications to the rules.

Thanks,

Jason

On Mon, Mar 30, 2020 at 3:21 PM Orion Poplawski <orion at nwra.com> wrote:

> Why are we alerting on DNS queries for "coronavirus.jhu.edu"?  That seems
> pretty reputable.  Also alerting on "covid19info.live" - not so sure about
> that but I believe it's legit.
>
> Packet:
>
>
> CGBuaRgFrB9rEGH+CABFAABBVSgAAH8Rz0gKDAIOCgABIsaRADUALShY994BAAABAAAAAAAAC2Nvcm9uYXZpcnVzA2podQNlZHUAAAEAAQ==
>
>
> ACToTYJXAAiiCaQnCABFAABD8r4AAH8RKKAKCwI2CgoKAeoiADUALzNgpPoBAAABAAAAAAAABGRhdGELY292aWQxOWluZm8EbGl2ZQAAHAAB
>
>
> --
> Orion Poplawski
> Manager of NWRA Technical Systems          720-772-5637
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                       orion at nwra.com
> Boulder, CO 80301                 https://www.nwra.com/
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
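The base64 blobs in the quoted message are raw Ethernet/IPv4/UDP/DNS frames as Suricata logs them in the packet payload field, and the quickest way to confirm what an INFO/HUNTING rule actually fired on is to decode them rather than trust the rule name. The following decoder is an added example for this thread, not code from the list post or from Emerging Threats; it uses only the Python standard library and assumes the frames are IPv4 over Ethernet carrying UDP DNS (which the posted bytes are). The two posted frames are embedded as-is; the `POSTED_FRAMES`, `read_name`, `decode_dns_query` and `summarize` names are this example's own.

```python
import base64
import struct

# The two base64 frames exactly as posted on the list (Ethernet / IPv4 / UDP / DNS).
POSTED_FRAMES = [
    "CGBuaRgFrB9rEGH+CABFAABBVSgAAH8Rz0gKDAIOCgABIsaRADUALShY994BAAABAAAAAAAAC2Nvcm9uYXZpcnVzA2podQNlZHUAAAEAAQ==",
    "ACToTYJXAAiiCaQnCABFAABD8r4AAH8RKKAKCwI2CgoKAeoiADUALzNgpPoBAAABAAAAAAAABGRhdGELY292aWQxOWluZm8EbGl2ZQAAHAAB",
]

# Record types a DNS hunting triage usually cares about; anything else is shown numerically.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def read_name(data, offset):
    """Parse a DNS name starting at `offset`, following compression pointers (RFC 1035 4.1.4).

    Returns (dotted_name, offset just after the name in the original byte stream).
    """
    labels = []
    end = None                 # where the caller continues once a pointer has been followed
    hops = 0
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                               # refuse pointer loops in hostile packets
                raise ValueError("DNS name pointer loop")
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def decode_dns_query(b64_frame):
    """Walk Ethernet -> IPv4 -> UDP -> DNS and return the first question section as a dict."""
    frame = base64.b64decode(b64_frame)
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                            # IP header length in bytes, options included
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    dns = udp[8:ulen]                                   # UDP length counts its own 8-byte header
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, offset = read_name(dns, 12)                  # question starts after the 12-byte header
    qtype, qclass = struct.unpack("!HH", dns[offset:offset + 4])
    return {
        "src": "%d.%d.%d.%d" % tuple(ip[12:16]),
        "dst": "%d.%d.%d.%d" % tuple(ip[16:20]),
        "sport": sport,
        "dport": dport,
        "txid": txid,
        "is_response": bool(flags & 0x8000),            # QR bit
        "qname": qname,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": qclass,
    }


def summarize(b64_frame):
    """One-line triage summary of the kind you would paste into a ticket or a list reply."""
    q = decode_dns_query(b64_frame)
    kind = "response" if q["is_response"] else "query"
    return "%s:%d -> %s:%d DNS %s %s %s" % (
        q["src"], q["sport"], q["dst"], q["dport"], kind, q["qtype"], q["qname"])


if __name__ == "__main__":
    for posted in POSTED_FRAMES:
        print(summarize(posted))
```

Run as a script it prints one line per frame: the first is an A query for coronavirus.jhu.edu from 10.12.2.14 to the resolver 10.0.1.34, the second an AAAA query for data.covid19info.live from 10.11.2.54 to 10.10.10.1. That is exactly the level of detail needed to decide, per the reply above, whether an INFO/HUNTING hit is worth a tuning request: the rule matched a name, not a behaviour, so the decoded qname plus the querying host is the whole finding.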