[Emerging-updates] [Etpro-sigs] Daily Ruleset Update Summary 2020/02/17

James Emery-Callcott jcallcott at emergingthreats.net
Tue Feb 18 00:13:01 HST 2020


Hey,

This definitely seems like a mistake to me.  I'll have the classtype on
this changed today.

Thanks.

On Tue, Feb 18, 2020 at 7:23 AM Pin-Ren Chiou 邱品仁 <prchiou at chtsecurity.com>
wrote:

> Hi there,
>
> May I know the reason for putting the Cloudflare DNS domain in the
> trojan-activity category? Since Mozilla is going to enable DNS over HTTPS
> by default in their browser, this might cause certain false alarms...
>
> The related rule is as follows:
>
> alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"cloudflare-dns.com"; isdataat:!1,relative; threshold: type both, track by_src, count 1, seconds 600; metadata: former_category POLICY; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/json-format; classtype:trojan-activity; sid:2027695; rev:2; metadata:chts_severity 4, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_07_09, performance_impact Low, updated_at 2019_09_28;)
>
> Thank you!!
>
> Best Regards,
>
> Pin-Ren Chiou
>
> CISM, ECSA, ISO 27001:2013 LA
>
> CHT Security Co., Ltd.
> R&D Dept.
>
> *From:* Etpro-sigs <etpro-sigs-bounces at lists.emergingthreats.net> on behalf of
> James Emery-Callcott <jcallcott at emergingthreats.net>
> *Date:* Tuesday, February 18, 2020, 8:56 AM
> *To:* ETPro-sigs List <etpro-sigs at emergingthreatspro.com>,
> Emerging-updates redirect <emerging-updates at emergingthreats.net>,
> Emerging Sigs <emerging-sigs at emergingthreats.net>
> *Subject:* [Etpro-sigs] Daily Ruleset Update Summary 2020/02/17
>
> [***]            Summary:            [***]
>
>   5 new Open, 18 new Pro (5 + 13).  AZORult, Parallax, Kimsuky, Various
> SSL/TLS, Various Phish, Others.
>
>   Thanks @james_inthe_box.
>
>   Please share issues, feedback, and requests at
> https://feedback.emergingthreats.net/feedback
>
> [+++]          Added rules:          [+++]
>
> Open:
>
>   2029471 - ET TROJAN Win32/Sarwent Variant CnC Activity (trojan.rules)
>   2029472 - ET TROJAN ELF/Mirai User-Agent Observed (Outbound)
> (trojan.rules)
>   2029473 - ET SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
>   2029474 - ET TROJAN Win32/Sarwent Initial Checkin (trojan.rules)
>   2029475 - ET TROJAN Win32/Sarwent Initial Checkin CnC Response
> (trojan.rules)
>
> Pro:
>
>   2841060 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2020-02-15 1) (trojan.rules)
>   2841061 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
> 2020-02-17 (current_events.rules)
>   2841062 - ETPRO CURRENT_EVENTS Successful Zimbra Phish 2020-02-17
> (current_events.rules)
>   2841063 - ETPRO CURRENT_EVENTS Successful Google Drive Phish 2020-02-17
> (current_events.rules)
>   2841064 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2020-02-17
> (current_events.rules)
>   2841065 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound)
> (trojan.rules)
>   2841066 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
>   2841067 - ETPRO CURRENT_EVENTS Successful Generic Credit Card
> Information Phish 2020-02-17 (current_events.rules)
>   2841068 - ETPRO CURRENT_EVENTS Successful Generic Credit Card
> Information Phish 2020-02-17 (current_events.rules)
>   2841069 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-02-17
> (current_events.rules)
>   2841070 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M5
> (trojan.rules)
>   2841071 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M6
> (trojan.rules)
>   2841072 - ETPRO TROJAN Win32/Remcos RAT Checkin 347 (trojan.rules)
>
> [///]     Modified active rules:     [///]
>
>   2029236 - ET TROJAN Vidar/Arkei/Megumin/Oski Stealer Data Exfil
> (trojan.rules)
>
> [---]         Disabled rules:        [---]
>
>   2014471 - ET POLICY DRIVEBY Generic - EXE Download by Java (policy.rules)
>
> ---------------------------------------
>
> James Emery-Callcott
>
> *Security Researcher* | ProofPoint Inc | Emerging Threats Team
>


-- 
---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
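Added example, not from this thread or the Emerging Threats ruleset: a small Python checker that parses the quoted rule, flags the mismatch between its "ET POLICY" msg category and its trojan-activity classtype, and builds a suricata-update modify.conf line that overrides the classtype locally until the upstream change ships. The category-to-classtype map is an assumption, and the sample rule is the quoted one joined onto a single line.

```python
# Added example (not from this thread or the ET ruleset): flag an ET rule whose msg
# category and classtype disagree, and build a suricata-update modify.conf line that
# overrides the classtype locally. EXPECTED_CLASSTYPE is an assumption.
import re

# Constructed sample: the rule quoted above, joined onto one line (chts metadata dropped).
SAMPLE_RULE = (
    'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed '
    'Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)"; '
    'flow:established,to_server; tls_sni; content:"cloudflare-dns.com"; '
    'isdataat:!1,relative; threshold: type both, track by_src, count 1, seconds 600; '
    'metadata: former_category POLICY; '
    'reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/json-format; '
    'classtype:trojan-activity; sid:2027695; rev:2;)'
)

# Assumed mapping from the ET msg prefix to the classtype a defender expects.
EXPECTED_CLASSTYPE = {"POLICY": "policy-violation", "TROJAN": "trojan-activity",
                      "SCAN": "attempted-recon", "INFO": "misc-activity"}

def parse_rule(rule):
    """Extract sid, ET msg category and classtype from a one-line Suricata rule."""
    msg = re.search(r'msg:"([^"]*)"', rule)
    classtype = re.search(r'classtype:\s*([\w-]+)\s*;', rule)
    sid = re.search(r'\bsid:\s*(\d+)\s*;', rule)
    if not (msg and classtype and sid):
        raise ValueError("rule is missing msg, classtype or sid")
    words = msg.group(1).split()  # "ET POLICY ..." or "ETPRO POLICY ..."
    category = words[1] if len(words) > 1 and words[0] in ("ET", "ETPRO") else None
    return {"sid": int(sid.group(1)), "category": category, "classtype": classtype.group(1)}

def classtype_mismatch(rule):
    """Return (sid, expected, actual) if msg category and classtype disagree, else None."""
    r = parse_rule(rule)
    expected = EXPECTED_CLASSTYPE.get(r["category"])
    if expected and expected != r["classtype"]:
        return (r["sid"], expected, r["classtype"])
    return None

def modify_conf_line(rule):
    """Emit a suricata-update modify.conf entry of the form: <sid> "<from regex>" "<to>"."""
    mismatch = classtype_mismatch(rule)
    if mismatch is None:
        return None
    sid, expected, actual = mismatch
    return f'{sid} "classtype:{actual};" "classtype:{expected};"'

if __name__ == "__main__":
    print(classtype_mismatch(SAMPLE_RULE))  # (2027695, 'policy-violation', 'trojan-activity')
    print(modify_conf_line(SAMPLE_RULE))
```

The emitted line goes into suricata-update's modify.conf; rerunning suricata-update then rewrites the classtype of sid 2027695 in the local copy, so alerts from it stop being graded as trojan activity on the sensor.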