alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .tk in DNS"; flow:established; dns_query; content:".tk"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610020; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ml in DNS"; flow:established; dns_query; content:".ml"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610021; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ga in DNS"; flow:established; dns_query; content:".ga"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610022; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .cf in DNS"; flow:established; dns_query; content:".cf"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610023; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .gq in DNS"; flow:established; dns_query; content:".gq"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610024; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .work in DNS"; flow:established; dns_query; content:".work"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610025; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .date in DNS"; flow:established; dns_query; content:".date"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610026; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .top in DNS"; flow:established; dns_query; content:".top"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610027; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .review in DNS"; flow:established; dns_query; content:".review"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610028; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .stream in DNS"; flow:established; dns_query; content:".stream"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610029; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .trade in DNS"; flow:established; dns_query; content:".trade"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610030; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .loan in DNS"; flow:established; dns_query; content:".loan"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610031; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .science in DNS"; flow:established; dns_query; content:".science"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610032; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .gdn in DNS"; flow:established; dns_query; content:".gdn"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610033; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .click in DNS"; flow:established; dns_query; content:".click"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610034; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .date in DNS"; flow:established; dns_query; content:".date"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610035; rev:1;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .racing in DNS"; flow:established; dns_query; content:".racing"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610036; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .tk in HTTP Host"; flow:established; content:".tk"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610037; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ml in HTTP Host"; flow:established; content:".ml"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610038; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ga in HTTP Host"; flow:established; content:".ga"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610039; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .cf in HTTP Host"; flow:established; content:".cf"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610040; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .gq in HTTP Host"; flow:established; content:".gq"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610041; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .work in HTTP Host"; flow:established; content:".work"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610042; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .date in HTTP Host"; flow:established; content:".date"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610043; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .top in HTTP Host"; flow:established; content:".top"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610044; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .review in HTTP Host"; flow:established; content:".review"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610045; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .stream in HTTP Host"; flow:established; content:".stream"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610046; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .trade in HTTP Host"; flow:established; content:".trade"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610047; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .loan in HTTP Host"; flow:established; content:".loan"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610048; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .science in HTTP Host"; flow:established; content:".science"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610049; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .gdn in HTTP Host"; flow:established; content:".gdn"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610050; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .click in HTTP Host"; flow:established; content:".click"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610051; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .date in HTTP Host"; flow:established; content:".date"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610052; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .racing in HTTP Host"; flow:established; content:".racing"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610053; rev:1;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .tk in SNI"; flow:established,to_server; tls_sni; content:".tk"; endswith; classtype:bad-unknown; sid:2610054;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ml in SNI"; flow:established,to_server; tls_sni; content:".ml"; endswith; classtype:bad-unknown; sid:2610055;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ga in SNI"; flow:established,to_server; tls_sni; content:".ga"; endswith; classtype:bad-unknown; sid:2610056;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .cf in SNI"; flow:established,to_server; tls_sni; content:".cf"; endswith; classtype:bad-unknown; sid:2610057;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .gq in SNI"; flow:established,to_server; tls_sni; content:".gq"; endswith; classtype:bad-unknown; sid:2610058;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .work in SNI"; flow:established,to_server; tls_sni; content:".work"; endswith; classtype:bad-unknown; sid:2610059;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .date in SNI"; flow:established,to_server; tls_sni; content:".date"; endswith; classtype:bad-unknown; sid:2610060;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .top in SNI"; flow:established,to_server; tls_sni; content:".top"; endswith; classtype:bad-unknown; sid:2610061;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .review in SNI"; flow:established,to_server; tls_sni; content:".review"; endswith; classtype:bad-unknown; sid:2610062;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .stream in SNI"; flow:established,to_server; tls_sni; content:".stream"; endswith; classtype:bad-unknown; sid:2610063;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .trade in SNI"; flow:established,to_server; tls_sni; content:".trade"; endswith; classtype:bad-unknown; sid:2610064;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .loan in SNI"; flow:established,to_server; tls_sni; content:".loan"; endswith; classtype:bad-unknown; sid:2610065;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .science in SNI"; flow:established,to_server; tls_sni; content:".science"; endswith; classtype:bad-unknown; sid:2610066;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .gdn in SNI"; flow:established,to_server; tls_sni; content:".gdn"; endswith; classtype:bad-unknown; sid:2610067;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .click in SNI"; flow:established,to_server; tls_sni; content:".click"; endswith; classtype:bad-unknown; sid:2610068;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .date in SNI"; flow:established,to_server; tls_sni; content:".date"; endswith; classtype:bad-unknown; sid:2610069;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .racing in SNI"; flow:established,to_server; tls_sni; content:".racing"; endswith; classtype:bad-unknown; sid:2610070;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ug in DNS"; flow:established; dns_query; content:".ug"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610071; rev:1;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ug in SNI"; flow:established,to_server; tls_sni; content:".ug"; endswith; classtype:bad-unknown; sid:2610072;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ug in HTTP Host"; flow:established,to_server; content:".ug"; http_host; endswith; classtype:bad-unknown; sid:2610073;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .pw in DNS"; flow:established; dns_query; content:".pw"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610074; rev:1;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .pw in SNI"; flow:established,to_server; tls_sni; content:".pw"; endswith; classtype:bad-unknown; sid:2610075;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .pw in HTTP Host"; flow:established,to_server; content:".pw"; http_host; endswith; classtype:bad-unknown; sid:2610076;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .info in DNS"; flow:established; dns_query; content:".info"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610077; rev:1;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .info in SNI"; flow:established,to_server; tls_sni; content:".info"; endswith; classtype:bad-unknown; sid:2610078;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .info in HTTP Host"; flow:established,to_server; content:".info"; http_host; endswith; classtype:bad-unknown; sid:2610079;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ooo in SNI"; flow:established,to_server; tls_sni; content:".ooo"; endswith; classtype:bad-unknown; sid:2610080;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ooo in HTTP Host"; flow:established,to_server; content:".ooo"; http_host; endswith; classtype:bad-unknown; sid:2610081;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ooo in DNS Request"; flow:established,to_server; dns_query; content:".ooo"; endswith; classtype:bad-unknown; sid:2610082;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .world in SNI"; flow:established,to_server; tls_sni; content:".world"; endswith; classtype:bad-unknown; sid:2610083;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .world in HTTP Host"; flow:established,to_server; content:".world"; http_host; endswith; classtype:bad-unknown; sid:2610084;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .world in DNS Request"; flow:established,to_server; dns_query; content:".world"; endswith; classtype:bad-unknown; sid:2610085;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .desi in SNI"; flow:established,to_server; tls_sni; content:".desi"; endswith; classtype:bad-unknown; sid:2610086;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .desi in HTTP Host"; flow:established,to_server; content:".desi"; http_host; endswith; classtype:bad-unknown; sid:2610087;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .desi in DNS Request"; flow:established,to_server; dns_query; content:".desi"; endswith; classtype:bad-unknown; sid:2610088;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .life in SNI"; flow:established,to_server; tls_sni; content:".life"; endswith; classtype:bad-unknown; sid:2610089;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .life in HTTP Host"; flow:established,to_server; content:".life"; http_host; endswith; classtype:bad-unknown; sid:2610090;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .life in DNS Request"; flow:established,to_server; dns_query; content:".life"; endswith; classtype:bad-unknown; sid:2610091;)
alert tls any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ryukyu in SNI"; flow:established,to_server; tls_sni; content:".ryukyu"; endswith; classtype:bad-unknown; sid:2610092;)
alert http any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ryukyu in HTTP Host"; flow:established,to_server; content:".ryukyu"; http_host; endswith; classtype:bad-unknown; sid:2610093;)
alert dns any any -> any any (msg:"TThreatHunter Rule - Abused TLD .ryukyu in DNS Request"; flow:established,to_server; dns_query; content:".ryukyu"; endswith; classtype:bad-unknown; sid:2610094;)
alert http any any -> any any (msg:"TThreatHunter Rule - unknown command 610cker"; flow:to_server,established; content:"POST"; http_method; content:"/command.php"; http_uri; content:"cmd="; http_client_body; depth:4; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610098; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - unknown etherium server probe"; flow:to_server,established; content:"POST"; http_method; urilen:1; content:"method|22 3a 22|eth_accounts"; http_client_body; http_content_type; content:"application/json"; reference:url,github.com/ethereum/wiki/wiki/JSON-RPC; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610099; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Graves Accent (backtick) in HTTP Header"; flow:established,to_server; content:"`"; http_header; content:!"`"; http_client_body; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610100; rev:2;)
alert http any any -> any any (msg:"TThreatHunter Rule - Content-Type jpeg serving PE likely hostile"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|image/jpeg"; http_header; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610101; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - directory traversal in Zip"; flow:established; content:"PK"; content:"|2e 2e 5c|"; distance:28; within:3; fast_pattern; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610102; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - unsafe PHP function in HTTP POST"; flow:established; content:"shell_exec("; http_client_body; fast_pattern; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610104; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - unsafe PHP function in HTTP"; flow:established; content:"eval("; http_client_body; fast_pattern; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610105; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - two %25 in HTTP URI"; flow:to_server,established; content:"%25"; http_raw_uri; content:"%25"; http_raw_uri; distance:0; within:4; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610106; rev:1;)
#alert http any any -> any any (msg:"TThreatHunter Rule - Double Encoded Characters in HTTP POST"; flow:to_server,established; content:"%2525"; nocase; http_client_body; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610107; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Serialized PHP inbound"; flow:established,to_server; content:"O|3a|"; pcre:"/\bO\x3a\d+\x3a[^\r\n]*?\{/i"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610108; rev:1;)
#alert http any any -> any any (msg:"TThreatHunter Rule - Double Encoded Characters in URI <>"; flow:to_server,established; content:"%253C"; nocase; http_raw_uri; content:"%253E"; nocase; http_raw_uri; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610109; rev:1;)
#alert http any any -> any any (msg:"TThreatHunter Rule - Double Encoded Characters in URI x28 x29"; flow:to_server,established; content:"%2528"; nocase; http_raw_uri; content:"%2529"; nocase; http_raw_uri;threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610110; rev:1;)
#alert http any any -> any any (msg:"TThreatHunter Rule - Double Encoded Characters in URI x3a"; flow:to_server,established; content:"%253A"; nocase; http_raw_uri; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610111; rev:1;)
#alert http any any -> any any (msg:"TThreatHunter Rule - Double Encoded Characters in URI x3b"; flow:to_server,established; content:"%253B"; nocase; http_raw_uri; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610112; rev:1;)
#alert http any any -> any any (msg:"TThreatHunter Rule - Suspicous HTTP URI and Referer are the same"; flow:established,to_server; content:"GET "; depth:4; pcre:"/^\/(.+) HTTP.*Referer[^\r\n]+\1\r\n/Rs"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610113; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - Double Transfer-Encoding Header (possible evasion)"; flow:established,to_server; content:"Transfer-Encoding|3a 20|"; http_header; fast_pattern; content:"Transfer-Encoding|3a 20|"; http_header; distance:0; reference:url,noxxi.de/research/http-evader-explained-3-chunked.html; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610114; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - HTTP/1.0 and Transfer-Encoding Header (possible evasion)"; flow:established,to_server; content:"Transfer-Encoding|3a 20|"; http_header; fast_pattern; content:"HTTP/1.0"; depth:8; reference:url,noxxi.de/research/http-evader-explained-3-chunked.html; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610115; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - HTTP POST to wp-.* without referer"; flow:established,to_server; content:"POST"; http_method; content:"/wp-"; http_uri; http_header_names; content:!"Referer"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown;sid:2610116; rev:1;)
#alert tcp $EXTERNAL_NET any -> any any (msg:"TThreatHunter Rule - Oracle Server Probe"; flow:to_server,established; content:"(DESCRIPTION=(CONNECT_DATA=(SID=";threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610117; rev:1;)
alert tls any any -> any any (msg:"TThreatHunter Rule - BurpSuite string in TLS"; flow:established; content:"|0b|PortSwigger"; distance:1; within:12; reference:url,portswigger.net/burp/proxy.html; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610118; rev:1;)
alert tcp any any -> any [25,587] (msg:"TThreatHunter Rule - suspicious x-library Indy"; flow:established,to_server; content:"|0d 0a|X-Library|3a| Indy|20|"; nocase; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610119; rev:6;)
alert tcp any any -> any [25,587] (msg:"TThreatHunter Rule - suspicious x-mailer MS CDO"; flow:established; content:"X-Mailer|3a 20|Microsoft CDO for Windows"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610120; rev:6;)
alert tcp any any -> any [25,587] (msg:"TThreatHunter Rule - suspicious x-mailer Blat"; flow:established; content:"X-Mailer|3a 20|Blat v"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610121; rev:6;)
#alert tcp-pkt any any -> any any (msg:"TThreatHunter Rule - Too many \x41"; flow:established; content:"|41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610122; rev:1;)
#alert tcp-pkt any any -> any any (msg:"TThreatHunter Rule - Too many \x90"; flow:established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610123; rev:1;)
#alert dns any any -> any any (msg:"TThreatHunter Rule - WPAD Request"; dns_query; content:"wpad"; nocase; startswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610124; rev:1;)
alert tcp any any -> any any (msg:"TThreatHunter Rule - netsh firewall"; flow:established; content:"netsh firewall"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610125; rev:1;)
alert tcp any any -> any any (msg:"TThreatHunter Rule - netsh advfirewall"; flow:established; content:"netsh advfirewall"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610126; rev:1;)
alert tcp any any -> any any (msg:"TThreatHunter Rule - MS Copyright Banner"; flow:established; content:"Copyright |28|C|29|"; content:"Microsoft Corp"; distance:0; content:!"ASP.NET SignalR JavaScript Library"; content:!"// MicrosoftMvcAjax.js"; content:!"MicrosoftAjaxWebForms.js"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610127; rev:1;)
alert tcp any any -> any any (msg:"TThreatHunter Rule - WMIC Prompt"; flow:established; content:"wmic|3a|root|5c|cli>"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610128; rev:1;)
alert tcp any any -> any any (msg:"TThreatHunter Rule - sc output"; flow:established; content:"SERVICE_NAME|3a|"; content:"TYPE"; distance:0; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610129; rev:1;)
alert tcp any any -> any any (msg:"TThreatHunter Rule - Unknown Login Attempt"; flow:established; content:"Action|3a 20|Login"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610130; rev:1;)
#alert http any any -> any any (msg:"TThreatHunter Rule - non printable char in HTTP Header"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/H"; http_content_type; content:!"application/ocsp-response"; threshold:type limit, track by_src, seconds 180, count 1; classtype:bad-unknown; sid:2610131; rev:1;)
#alert http any any -> any any (msg:"TThreatHunter Rule - fromcharcode in HTTP"; flow:established; content:!"jQuery Foundation, Inc"; content:"fromcharcode"; nocase; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610132; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - PHP magic bytes in HTTP response"; flow:established,to_client; content:"<?php"; nocase; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610133; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - SQL verb in HTTP"; flow:established,to_server; content:"DELETE"; http_header; content:"FROM"; http_header; distance:0; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610134; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - SQL verb in HTTP"; flow:established,to_server; content:"EXEC"; http_header; content:"FROM"; http_header; distance:0; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610135; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - SQL verb in HTTP"; flow:established,to_server; content:"INSERT"; http_header; content:"INTO"; http_header; distance:0; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610136; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - SQL verb in HTTP"; flow:established,to_server; content:"SELECT"; http_header; pcre:"/\b(?:INTO|FROM|USER|UPPER|LOWER|CONCAT)\b/RH";threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610137; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - SQL verb in HTTP"; flow:established,to_server; content:"SHOW"; http_header; pcre:"/\b(?:CHAR|CUR|TABLE|VAR)/RH";threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610138; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - SQL verb in HTTP"; flow:established,to_server; content:"UNION"; http_header; content:"SELECT"; http_header; distance:0; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610139; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - SQL verb in HTTP"; flow:established,to_server; content:"UPDATE"; http_header; content:"SET"; http_header; distance:0; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610140; rev:1;)
#alert http any any -> !$HOME_NET any (msg:"TThreatHunter Rule - HTTP uncommon version Request"; flow:established,to_server; content:"|20|HTTP/"; content:!"1.1"; within:3; content:!"1.0"; within:3; flowbits:isnotset,hunt.entrust_entelligence; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610141; rev:1;)
#alert http any any -> any any (msg:"TThreatHunter Rule - HTTP suspicious UA"; flow:established; content:"bot"; nocase; http_user_agent; content:!"YandexBot/"; http_user_agent; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610142; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - HTTP uncommon version Response"; flow:established,to_client; content:"HTTP/"; depth:5; content:!"1.1"; within:3; content:!"1.0"; within:3; flowbits:isnotset,hunt.entrust_entelligence; content:!"BigIP"; http_header; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610143; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - WScript.Shell Inbound"; flow:established,to_client; file_data; content:"WScript.Shell"; nocase; classtype:bad-unknown; sid:2610145; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - .bin HTTP download missing headers"; flow:established,to_server; content:".bin"; http_uri; endswith; http_header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; classtype:bad-unknown; sid:2610146; rev:1;)
alert tcp any any -> any any (msg:"TThreatHunter Rule - wmic process call create"; flow:established; content:"wmic process call create"; classtype:bad-unknown; sid:2610147; rev:1;)
alert tcp any any -> any any (msg:"IBM WebSphere Application Server probe"; flow:established; content:"SOAPAction: urn:AdminService|0d 0a|"; http_header; reference:url,github.com/breenmachine/JavaUnserializeExploits/blob/master/websphere-soap-exploit.request; classtype:bad-unknown; sid:2610148; rev:1;)
# Disabled: plain "STOR " would alert on every FTP upload.
#alert ftp any any -> any any (msg:"TThreatHunter Rule - FTP STOR Command"; flow:established; content:"STOR|20|"; classtype:bad-unknown; sid:2610149; rev:1;)
# "<?php" (case-insensitive) anywhere in the raw request payload. No HTTP buffer is selected, so URI,
# headers and body are all in scope - and a legitimate code paste or file upload fires it too.
alert http any any -> any any (msg:"TThreatHunter Rule - PHP Magic Bytes in HTTP Request"; flow:established,to_server; content:"<?php"; nocase; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610150; rev:1;)
# Disabled: POST without Referer is routine for API and XHR clients.
#alert http any any -> any any (msg:"TThreatHunter Rule - POST Without Referer Header"; flow:established,to_server; content:"POST"; http_method; http_header_names; content:!"Referer"; threshold:type limit, track by_src, seconds 180, count 1; http_content_type; content:!"application/ocsp-response"; classtype:bad-unknown; sid:2610151; rev:1;)
# Test rule for the sameip keyword: source and destination address identical on an established flow.
alert ip any any -> any any (msg:"TThreatHunter Rule - sameip Keyword Test Rule"; flow:established,to_server; sameip; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610152; rev:1;)
# Disabled: facebook.com in a certificate subject whose fingerprint differs from the pinned value;
# the pin goes stale every time the real certificate rotates.
#alert tls any any -> any any (msg:"TThreatHunter Rule - TLS Suspicious facebook.com"; tls_cert_subject; content:"facebook.com"; tls_cert_fingerprint; content:!"98:e4:dd:9d:21:83:d5:29:9e:80:43:73:ff:f2:a7:e1:c4:87:9f:5e"; classtype:bad-unknown; sid:2610153; rev:1;)
# 200 response declared as image/jpeg whose decoded body starts with "PK" - the zip-family
# container signature shared by .zip, OOXML documents, .jar and .apk.
alert http any any -> any any (msg:"TThreatHunter Rule - Content-Type jpeg Serving Zip"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|image/jpeg"; http_header; file_data; content:"PK"; depth:2; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610154; rev:1;)
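# 200 response whose decoded body carries "new-object -com " - a PowerShell COM-object
# instantiation (New-Object -Com[Object] ...), not VBScript as the old msg said. PowerShell
# keywords and parameters are case-insensitive, so the match is now nocase; the original only
# caught the all-lower-case spelling.
alert http any any -> any any (msg:"TThreatHunter Rule - Suspicious PowerShell Function Inbound (New-Object -Com)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"new-object -com|20|"; nocase; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610155; rev:2;)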
# Outbound UDP DNS query with more than 512 bytes of payload. The 10 bytes at offset 2 pin the header
# to flags 0x0100 (standard query, RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0. ARCOUNT=0 means
# no EDNS0 OPT record, which is the only standards-based reason for a UDP DNS message to exceed 512
# bytes, so a hit is a non-conforming (or tunnelling) client. sid 2610187 matches the same bytes, so
# both rules fire on the same packet.
alert udp $HOME_NET any -> any 53 (msg:"TThreatHunter Rule - Large DNS Query not TCP"; content:"|01 00 00 01 00 00 00 00 00 00|"; fast_pattern; depth:10; offset:2; dsize:>512; classtype:bad-unknown; sid:2610156; rev:8;)
# turns out double encoded characters are quite common in redirect urls
#alert http any any -> any any (msg:"TThreatHunter Rule - Double Encoded Characters in HTTP URI"; flow:to_server,established; content:"%2525"; http_uri; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610157; rev:1;)
# "/Panel/" in the normalized request URI, case-sensitive. Generic: any site with a path component
# spelled that way will hit it.
alert http any any -> any any (msg:"TThreatHunter Rule - Suspicious HTTP Path"; flow:to_server,established; content:"/Panel/"; http_uri; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610158; rev:1;)
# Response whose Server header value is exactly "localhost".
alert http any any -> any any (msg:"TThreatHunter Rule - Suspicious HTTP Server Response (localhost)"; flow:to_client,established; content:"Server|3a 20|localhost|0d 0a|"; http_header; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610159; rev:1;)
# Disabled: IP TOS not a multiple of 8 - noisy wherever DSCP/ECN bits are in use.
#alert ip any any -> any any (msg:"TThreatHunter Rule - non-DiffServ aware TOS setting"; flow:established,to_server; tos:!0; tos:!8; tos:!16; tos:!24; tos:!32; tos:!40; tos:!48; tos:!56; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610160; rev:1;)
# Mimikatz's startup banner text inside a decoded HTTP response body.
alert http any any -> any any (msg:"TThreatHunter Rule - MimiKatz String in HTTP Response"; flow:to_client,established; file_data; content:"There's been an awakening... have you felt it?"; threshold:type limit,track by_src,seconds 60,count 1; classtype:bad-unknown; sid:2610161; rev:1;)
# Short opcode runs at fixed distances, two rules each for the x86 and x64 builds in the referenced
# release. A rebuilt, packed or obfuscated binary will not carry these exact byte sequences.
alert http any any -> any any (msg:"TThreatHunter Rule - MimiKatz String in HTTP Response x86 1"; flow:to_client,established; file_data; content:"|89 71 04 89|"; content:"|30 8d 04 bd|"; within:8; threshold:type limit,track by_src,seconds 60,count 1; reference:url,github.com/gentilkiwi/mimikatz/releases; classtype:bad-unknown; sid:2610162; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - MimiKatz String in HTTP Response x86 2"; flow:to_client,established; file_data; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; within:6; content:"|89 01 85 ff 74|"; within:6; threshold:type limit,track by_src,seconds 60,count 1; reference:url,github.com/gentilkiwi/mimikatz/releases; classtype:bad-unknown; sid:2610163; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - MimiKatz String in HTTP Response x64 1"; flow:to_client,established; file_data; content:"|33 ff|"; content:"|89 37|"; within:3; content:"|8b f3 45 85|"; within:5; content:"|74|"; within:2; threshold:type limit,track by_src,seconds 60,count 1; reference:url,github.com/gentilkiwi/mimikatz/releases; classtype:bad-unknown; sid:2610164; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - MimiKatz String in HTTP Response x64 2"; flow:to_client,established; file_data; content:"|4c 8b df 49|"; content:"|c1 e3 04 48|"; within:8; content:"|8b cb 4c 03|"; within:8; content:"|d8|"; within:2; threshold:type limit,track by_src,seconds 60,count 1; reference:url,github.com/gentilkiwi/mimikatz/releases; classtype:bad-unknown; sid:2610165; rev:1;)
# LaZagne output artifacts in an HTTP POST body: the tool's project banner and its
# "<module> passwords -----------------" section header.
alert http any any -> any any (msg:"TThreatHunter Rule - LaZagne Artifact in HTTP POST"; flow:to_server,established; content:"LaZagne Project"; http_client_body; classtype:bad-unknown; sid:2610166; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - LaZagne Artifact in HTTP POST 2"; flow:to_server,established; content:"|20|passwords -----------------"; http_client_body; classtype:bad-unknown; sid:2610167; rev:1;)
# Disabled JA3 client-fingerprint matches (Stubby, Emotet/AutoIt/Ursnif, Trickbot). A JA3 hash
# identifies a TLS stack, not a program, so benign clients sharing the stack would alert too.
#alert tls any any -> any any (msg:"TThreatHunter Rule - DNS over TLS JA3 SSL-Client Fingerprint Detected (Stubby)"; ja3_hash; content:"c369db2c355ad05c76f5660af3179b01"; reference:url,www.linuxbabe.com/ubuntu/ubuntu-stubby-dns-over-tls; sid:2610168; rev:1;)
#alert tls any any -> any any (msg:"TThreatHunter Rule - JA3 SSL-Client Fingerprint Detected (Emotet/AutoIt/Ursnif)"; ja3_hash; content:"4d7a28d6f2263ed61de88ca66eb011e3"; reference:url,engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967; sid:2610170; rev:1;)
#alert tls any any -> any any (msg:"TThreatHunter Rule - JA3 SSL-Client Fingerprint Detected (Trickbot)"; ja3_hash; content:"6734f37431670b3ab4292b8f60f29984"; reference:url,engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967; sid:2610171; rev:1;)
#alert tls any any -> any any (msg:"TThreatHunter Rule - JA3 SSL-Client Fingerprint Detected (Trickbot)"; ja3_hash; content:"e7d705a3286e19ea42f587b344ee6865"; reference:url,engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967; sid:2610172; rev:1;)
# Credential-dump field names (an S-1-5-21- SID prefix plus Username, Domain, NTLM and SHA1) all
# present, case-insensitively, in a single POST body - mimikatz-style output being exfiltrated.
alert http any any -> any any (msg:"TThreatHunter Rule - mimikatz Artifacts in HTTP POST"; flow:to_server,established; content:"S-1-5-21-"; nocase; http_client_body; content:"Username"; nocase; http_client_body; content:"Domain"; nocase; http_client_body; content:"NTLM"; nocase; http_client_body; content:"SHA1"; nocase; http_client_body; classtype:bad-unknown; sid:2610173; rev:1;)
# Invoke-ReflectivePEInjection helper and Win32 API names in a server response. Raw payload,
# case-sensitive, so only uncompressed, unencoded script text is seen.
alert http any any -> any any (msg:"TThreatHunter Rule - Invoke-ReflectivePEInjection Likely Malicious PS Inbound"; flow:from_server,established; content:"Write-BytesToMemory"; content:"Invoke-CreateRemoteThread"; content:"VirtualAllocEx"; content:"WriteProcessMemory"; classtype:bad-unknown; sid:2610174; rev:1;)
# Request to pastebin.com from a User-Agent that does not contain "Mozilla". NOTE(review): whether a
# request with no User-Agent header at all satisfies a negated content on that buffer depends on the
# engine version - confirm before relying on this for UA-less clients.
alert http any any -> any any (msg:"TThreatHunter Rule - Non Browser HTTP to Pastebin"; flow:to_server,established; content:"pastebin.com"; http_host; content:!"Mozilla"; nocase; http_user_agent; classtype:bad-unknown; sid:2610175; rev:1;)
# Disabled JA3 matches for IcedID/Orcus/.NET WebClient and GoldenAxe (same caveat as above).
#alert tls any any -> any any (msg:"TThreatHunter Rule - JA3 SSL-Client Fingerprint Detected (IcedID/Orcus/.net WebClient().DownloadString()/js.griffon/WinHttpConnect)"; ja3_hash; content:"1d095e68489d3c535297cd8dffb06cb9"; reference:md5,de3ea56487dd2ebfcc5cb4d430aa51a9; sid:2610177; rev:1;)
#alert tls any any -> any any (msg:"TThreatHunter Rule - JA3 SSL-Client Fingerprint Detected (GoldenAxe Ransomware)"; ja3_hash; content:"5001b4c2a48c94b76ca1f0199345fe60"; reference:md5,87c1b3e2b788dd54d196fb67ba0da6dc; sid:2610178; rev:1;)
# "..\" / "../" anywhere in the normalized request headers. http_header does not include the
# request line, so traversal sequences in the URI itself are out of scope for these two.
alert http any any -> any any (msg:"TThreatHunter Rule - directory traversal chars in HTTP Request Header"; flow:established,to_server; content:"|2e 2e 5c|"; http_header; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610179; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - directory traversal chars in HTTP Request Header"; flow:established,to_server; content:"|2e 2e 2f|"; http_header; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610180; rev:1;)
# Whole-word "Password" in outbound FTP data (LaZagne dump format per the reference).
# NOTE(review): flow:to_server assumes the data connection was opened by the client (passive mode).
# In active mode the server opens it, so client->server file data is to_client from the flow's point
# of view and such uploads would be missed - confirm which mode matters in this environment.
alert ftp-data $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - Password Artifact Outbound in FTP"; flow:established,to_server; content:"Password"; fast_pattern; pcre:"/\bPassword\b/"; reference:url,github.com/AlessandroZ/LaZagne; classtype:trojan-activity; sid:2610181; rev:1;)
# STOR of a filename containing the whole word "cookies" / "log", case-insensitive. "log" is very
# broad (access.log, error.log, ...).
alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - Cookie STOR Outbound in FTP"; flow:established,to_server; content:"STOR|20|"; depth:5; content:"cookies"; nocase; distance:0; fast_pattern; pcre:"/\bcookies\b/i"; classtype:trojan-activity; sid:2610182; rev:1;)
alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - log STOR Outbound in FTP"; flow:established,to_server; content:"STOR|20|"; depth:5; content:"log"; nocase; distance:0; fast_pattern; pcre:"/\blog\b/i"; classtype:trojan-activity; sid:2610183; rev:1;)
# DNS beacon subdomain labels from the stock Cobalt Strike DNS profile (".stage.", ".resources.",
# ".feeds." with the default 123456 component, per the reference). A customised profile changes them.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - CobaltStrike Artifact in DNS"; flow:established,to_server; dns_query; content:".stage.123456."; reference:url,threatexpress.com/blogs/2018/a-deep-dive-into-cobalt-strike-malleable-c2/; classtype:trojan-activity; sid:2610184; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - CobaltStrike Artifact in DNS"; flow:established,to_server; dns_query; content:".resources.123456."; reference:url,threatexpress.com/blogs/2018/a-deep-dive-into-cobalt-strike-malleable-c2/; classtype:trojan-activity; sid:2610185; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - CobaltStrike Artifact in DNS"; flow:established,to_server; dns_query; content:".feeds.123456."; reference:url,threatexpress.com/blogs/2018/a-deep-dive-into-cobalt-strike-malleable-c2/; classtype:trojan-activity; sid:2610186; rev:1;)
# UDP DNS query over 512 bytes with a plain header (flags 0x0100, QD=1, AN=NS=AR=0, i.e. no EDNS0
# OPT record). Same match as sid 2610156 with the dsize test promoted to a prefilter; both fire on
# the same packet.
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - Anomalous DNS >512 bytes over UDP"; dsize:>512; prefilter; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; reference:url,tools.ietf.org/html/rfc5966; classtype:trojan-activity; sid:2610187; rev:1;)
# STOR / SIZE command followed by at least 256 further bytes of argument.
alert ftp any any -> any any (msg:"TThreatHunter Rule - abnormally long STOR in FTP"; flow:established,to_server; content:"STOR"; depth:4; isdataat:256,relative; classtype:bad-unknown; sid:2610188; rev:1;)
alert ftp any any -> any any (msg:"TThreatHunter Rule - abnormally long SIZE in FTP"; flow:established,to_server; content:"SIZE"; depth:4; isdataat:256,relative; classtype:bad-unknown; sid:2610189; rev:1;)
# "java.lang.ProcessBuilder" in the raw request payload. The msg says POST body, but no method or
# http_client_body restriction is applied, so URI and headers are in scope as well.
alert http any any -> any any (msg:"TThreatHunter Rule - Frequently Abused Java Invocation in HTTP POST Body"; flow:established,to_server; content:"java.lang.ProcessBuilder"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; reference:url,blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html; sid:2610190; rev:1;)
# GET for a .ps1 whose filename contains keylogger/rat/stealer/remote (case-insensitive) with no
# Referer header. "rat" and "remote" are substrings of ordinary words (migrate, integrate, Remote*),
# so expect some noise.
alert http any any -> any any (msg:"TThreatHunter Rule - Suspicious Filename Powershell Download"; flow:established,to_server; content:"GET"; http_method; content:".ps1"; http_uri; endswith; fast_pattern; pcre:"/(?:keylogger|rat|stealer|remote)[^/]*\.ps1$/Ui"; http_header_names; content:!"Referer"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610191; rev:1;)
# Referer header value ending in ".hta".
alert http any any -> any any (msg:"TThreatHunter Rule - .hta File in Referer"; flow:established,to_server; http_referer; content:".hta"; endswith; fast_pattern; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610192; rev:1;)
# DNSlivery-style delivery of PowerShell one-liners: base64 fragments of "Invoke-Command" and
# "Invoke-WmiMethod". A string's base64 form depends on its byte offset mod 3, so each cmdlet is
# covered by fragments for all three alignments. Matched in any established IP payload toward
# $HOME_NET - no protocol or buffer restriction.
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1hbm)"; flow:established; content:"52b2tlLUNvbW1hbm"; reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610193; rev:2;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1)"; flow:established; content:"52b2tlLUNvbW1"; reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610194; rev:2;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21)"; flow:established; content:"dm9rZS1Db21";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610195; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21tYW)"; flow:established; content:"dm9rZS1Db21tYW";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610196; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Invoke-Command (nZva2UtQ29tbW)"; flow:established; content:"nZva2UtQ29tbW";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610197; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Invoke-Command (Zva2UtQ29)"; flow:established; content:"Zva2UtQ29";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610198; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1)"; flow:established; content:"52b2tlLVdtaU1";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610199; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1ldG)"; flow:established; content:"52b2tlLVdtaU1ldG";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610200; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXR)"; flow:established; content:"dm9rZS1XbWlNZXR";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610201; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXRob2)"; flow:established; content:"dm9rZS1XbWlNZXRob2";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610202; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Invoke-WmiMethod (nZva2UtV21pTWV0aG)"; flow:established; content:"nZva2UtV21pTWV0aG";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610203; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Invoke-WmiMethod (Zva2UtV21pTWV)"; flow:established; content:"Zva2UtV21pTWV";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610204; rev:1;)
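# Base64 fragments of "New-Object" in all three byte alignments, matched in any established IP
# payload toward $HOME_NET. Five of the six originally carried "distance:0" on their only content -
# a relative modifier with no preceding match to be relative to (Snort rejects such a rule outright;
# Suricata has nothing to anchor it against, so it constrained nothing). The stray modifier is
# removed; the pattern, buffer and threshold are unchanged.
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded New-Object (ctT2J)"; flow:established; content:"ctT2J"; reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610205; rev:2;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded New-Object (dy1PYmp)"; flow:established; content:"dy1PYmp"; reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610206; rev:2;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded New-Object (dy1PYmplY3)"; flow:established; content:"dy1PYmplY3"; reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610207; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded New-Object (V3LU9iam)"; flow:established; content:"V3LU9iam"; reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610208; rev:2;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded New-Object (V3LU9)"; flow:established; content:"V3LU9"; reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610209; rev:2;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded New-Object (XctT2JqZW)"; flow:established; content:"XctT2JqZW"; reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610210; rev:2;)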
# Base64 fragments of "Start-Process" in all three byte alignments (same scheme as the
# Invoke-Command rules above). sid 2610213 carries an ET-style metadata block; its siblings do not.
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Start-Process (FydC1Qcm9)"; flow:established; content:"FydC1Qcm9";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610211; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Start-Process (GFydC1Qcm9jZX)"; flow:established; content:"GFydC1Qcm9jZX";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610212; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJ)"; flow:established; content:"RhcnQtUHJ";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610213; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_02_19, malware_family DNSlivery, updated_at 2019_02_19;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJvY2)"; flow:established; content:"RhcnQtUHJvY2";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610214; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2N)"; flow:established; content:"YXJ0LVByb2N";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610215; rev:1;)
alert ip any any -> $HOME_NET any (msg:"TThreatHunter Rule - PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2Nlc3)"; flow:established; content:"YXJ0LVByb2Nlc3";reference:url,github.com/no0be/DNSlivery; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610216; rev:1;)
# Inbound RDP connection requests (TPKT header 03 00 00) carrying a "Cookie=" routing token, with a
# CRLF at a fixed distance after it (5 bytes for the first rule, 8 for the second) and the packet
# ending in 00 00 00 00 / 01 00 00 00 five bytes after the CRLF - the byte layouts the referenced
# write-up attributes to the Metasploit BlueKeep scanner and to rdpscan respectively.
alert tcp any any -> $HOME_NET 3389 (msg:"TThreatHunter Rule - Likely MSF BlueKeep Auxilliary Scan Inbound"; flow:established; content:"|03 00 00|"; depth:3; content:"Cookie="; distance:0; content:"|0d 0a|"; distance:5; within:2; content:"|00 00 00 00|"; distance:5; endswith; reference:url,medium.com/@bromiley/what-happens-before-hello-ce9f29fa0cef; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610217; rev:1;)
alert tcp any any -> $HOME_NET 3389 (msg:"TThreatHunter Rule - Likely RDPScan Scan Inbound"; flow:established; content:"|03 00 00|"; depth:3; content:"Cookie="; distance:0; content:"|0d 0a|"; distance:8; within:2; content:"|01 00 00 00|"; distance:5; endswith; reference:url,medium.com/@bromiley/what-happens-before-hello-ce9f29fa0cef; threshold:type limit, track by_src, seconds 60, count 1; classtype:attempted-admin; sid:2610218; rev:1;)
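# First half of a flowbit pair completed by sid 2610223: outbound request that carries a Cookie
# header but no Referer, to a Host that is not microsoft.com. The original wrote
# content:"!microsoft.com" - with the "!" inside the quotes that is a match for the literal string
# "!microsoft.com", not a negation - so the flowbit was never set and sid 2610223 could never fire.
# The exclusion is now a real negated content. endswith is not used with the negation; any Host
# containing "microsoft.com" is excluded, which is the broad Microsoft-telemetry allow-list the
# rule intends anyway.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - Possible Cobalt Strike Malleable C2 Null Response (Flowbit Set)"; flow:established,to_server; content:!"microsoft.com"; http_host; http_header_names; content:!"Referer"; content:"Cookie"; flowbits:set,hunt.cs_null_response; flowbits:noalert; threshold:type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2610221; rev:2;)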
# Second half of the pair started by sid 2610221: a 200 reply whose raw payload carries
# "Content-Length: 0" (empty body) on a flow where that flowbit is set.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TThreatHunter Rule - Possible Cobalt Strike Malleable C2 Null Response"; flow:established,to_client; content:"200"; http_stat_code; depth:3; content:"Content-Length:|20|0|0d 0a|"; fast_pattern; flowbits:isset,hunt.cs_null_response; threshold:type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2610223; rev:1;)
# Tags flows from the Entrust Entelligence client so sids 2610143 and 2610227 can ignore its
# non-standard responses. Sets the flowbit only and never alerts itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - Entrust Entelligence Security Provider (Flowbits Set)"; flow:established,to_server; content:"Entrust Entelligence Security Provider"; http_user_agent; flowbits:set,hunt.entrust_entelligence; flowbits:noalert; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.entrustdatacard.com/products/pki/entrust-entelligence-security-provider; classtype:trojan-activity; sid:2610225; rev:1;)
# Status line "HTTP/1.1 200 OK " with an extra space before CRLF, immediately followed by
# Content-Type (the team-server quirk from the fox-it reference). WEBrick servers and
# Entrust-tagged flows are excluded. Raw payload match.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TThreatHunter Rule - Possible Cobalt Strike Extra Whitespace HTTP Response"; flow:established,to_client; content:"HTTP/1.1|20|200|20|OK|20 0d 0a|Content-Type|3a|"; flowbits:isnotset,hunt.entrust_entelligence; content:!"WEBrick"; http_header; reference:url,github.com/fox-it/cobaltstrike-extraneous-space; threshold:type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2610227; rev:3;)
# The fixed token from the public "meterpreter" Malleable C2 profile, raw payload match on
# outbound requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - Cobalt Strike C2 Meterpreter Profile Artifact"; flow:established,to_server; content:"UMJjAiNUUtvNww0lBj9tzWegwphuIn6hNP9eeIDfOrcHJ3nozYFPT-Jl7WsmbmjZnQXUesoJkcJkpdYEdqgQFE6QZgjWVsLSSDonL28DYDVJ"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/meterpreter.profile; classtype:trojan-activity; sid:2610229; rev:1;)
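# NUL byte inside the TLS SNI of a ClientHello toward SMTP/submission ports (25, 465, 587) - a
# malformed or crafted server name.
alert tls any any -> any [465,25,587] (msg:"TThreatHunter Rule - Suspicious Null in TLS SNI"; tls_sni; content:"|00|"; flow:established,to_server; ssl_state:client_hello; classtype:attempted-admin; sid:2610231; rev:1;)
# Honeytoken canary domain seen in a DNS query, an HTTP Host or a TLS SNI (name ends in
# honeytokens.org). The SNI rule previously had no rev keyword; every other rule in the file
# carries one, so rev:1 is added to keep sid/rev tracking consistent.
alert dns any any -> any any (msg:"TThreatHunter Rule - honeytokens.org in DNS"; flow:established; dns_query; content:"honeytokens.org"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610232; rev:1;)
alert http any any -> any any (msg:"TThreatHunter Rule - honeytokens.org in HTTP Host"; flow:established; content:"honeytokens.org"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610233; rev:1;)
alert tls any any -> any any (msg:"TThreatHunter Rule - honeytokens.org in SNI"; flow:established,to_server; tls_sni; content:"honeytokens.org"; endswith; classtype:bad-unknown; sid:2610234; rev:1;)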
# Base64 of "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\" in all three byte
# alignments, in any TCP payload toward $HOME_NET. No flow state and no threshold, so unestablished
# traffic is inspected too and every hit alerts.
alert tcp any any -> $HOME_NET any (msg:"TThreatHunter Rule - PS Execution Policy Registry Key Name in B64"; content:"SEtFWV9MT0NBTF9NQUNISU5FXFNvZnR3YXJlXFBvbGljaWVzXE1pY3Jvc29mdFxXaW5kb3dzXFBvd2VyU2hlbGxc"; classtype:attempted-user; sid:2610235; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"TThreatHunter Rule - PS Execution Policy Registry Key Name in B64"; content:"hLRVlfTE9DQUxfTUFDSElORVxTb2Z0d2FyZVxQb2xpY2llc1xNaWNyb3NvZnRcV2luZG93c1xQb3dlclNoZWxsX"; classtype:attempted-user; sid:2610236; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"TThreatHunter Rule - PS Execution Policy Registry Key Name in B64"; content:"IS0VZX0xPQ0FMX01BQ0hJTkVcU29mdHdhcmVcUG9saWNpZXNcTWljcm9zb2Z0XFdpbmRvd3NcUG93ZXJTaGVsbF"; classtype:attempted-user; sid:2610237; rev:1;)
# Inbound request for a URI ending in /.git/HEAD - a probe for an exposed repository directory.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TThreatHunter Rule - gitrepo HTTP Probe"; flow:established,to_server; content:"/.git/HEAD"; http_uri; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610238; rev:1;)
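# Meterpreter reverse_http(s) check-in (Didier Stevens): a POST whose body is exactly "RECV"
# (depth:4 plus isdataat:!0,relative) to a URI of the form /<4-5 alnum>_<16 alnum>/, which is
# 23 or 24 bytes long. Suricata's urilen a<>b range is exclusive at both ends, so the original
# "23<>24" admitted no length at all and the rule could never match; 22<>25 covers 23 and 24.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - DS Metasploit Meterpreter HTTP Checkin"; flow:to_server,established; content:"RECV"; http_client_body; depth:4; fast_pattern; isdataat:!0,relative; urilen:22<>25,norm; content:"POST"; http_method; pcre:"/^\/[a-z0-9]{4,5}_[a-z0-9]{16}\/$/Ui"; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module/; sid:2610239; rev:2;)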
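# Metasploit's default User-Agent strings (Didier Stevens). The originals terminated each pattern
# with |0d 0a|, but the http_user_agent buffer holds only the header value - the CRLF is not part of
# it - so none of the four could ever match. The CRLF is replaced with endswith to keep the
# "exact value" intent; the truncated "; .N" ending of sid 2610241 is kept as written in the
# reference. Semicolons inside content stay escaped as \;.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - DS Metasploit User Agent String"; flow:to_server,established; content:"Mozilla/4.0 (compatible\; MSIE 6.1\; Windows NT)"; http_user_agent; endswith; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:2610240; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - DS Metasploit User Agent String"; flow:to_server,established; content:"Mozilla/4.0 (compatible\; MSIE 7.0\; Windows NT 6.0\; Trident/4.0\; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}\; SLCC1\; .N"; http_user_agent; endswith; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:2610241; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - DS Metasploit User Agent String"; flow:to_server,established; content:"Mozilla/4.0 (compatible\; Metasploit RSPEC)"; http_user_agent; endswith; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:2610242; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - DS Metasploit User Agent String"; flow:to_server,established; content:"Mozilla/5.0 (compatible\; Googlebot/2.1\; +http://www.google.com/bot.html)"; http_user_agent; endswith; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:2610243; rev:2;)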
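# duckdns.org dynamic-DNS names: in an outbound TLS SNI, and in the subject of a certificate served
# to $HOME_NET. The SNI rule had no rev and the certificate rule had no classtype, unlike the rest of
# the file; rev:1 and classtype:bad-unknown are added so both are tracked and prioritised like their
# siblings. Match logic is unchanged.
alert tls any any -> any any (msg:"TThreatHunter Rule - Dynamic DNS Domain in SNI"; flow:established,to_server; tls_sni; content:"duckdns.org"; endswith; classtype:bad-unknown; sid:2610244; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"TThreatHunter Rule - Dynamic DNS Domain in Cert Subject"; flow:established,to_client; tls_cert_subject; content:"duckdns.org"; nocase; endswith; classtype:bad-unknown; sid:2610245; rev:2;)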
# "smb://" (case-sensitive, raw SMTP stream) in inbound mail - a link that can trigger outbound SMB
# authentication when followed.
alert smtp any any -> $HOME_NET any (msg:"TThreatHunter Rule - SMB URI in Inbound SMTP"; flow:established; content:"smb://"; sid:2610246; rev:1;)
# Disabled: "0M8R4KGxGuE" is the base64 form of the OLE2 compound-file signature, i.e. every legacy
# Office attachment, macro or not.
#alert smtp any any -> $HOME_NET any (msg:"TThreatHunter Rule - Office Doc Inbound"; flow:established; content:"0M8R4KGxGuE"; sid:2610247; rev:1;)
# VBA macro storage markers (VBAProject, ActiveMime, _VBA_PROJECT_CUR, "Attribute VB_") inside
# MIME-decoded SMTP attachments, case-insensitive. No threshold: each attachment alerts once per
# rule that matches it.
alert smtp any any -> $HOME_NET any (msg:"TThreatHunter Rule - Office Doc With Macro Inbound (VBAProject)"; flow:established; file_data; content:"VBAProject"; nocase; sid:2610248; rev:1;)
alert smtp any any -> $HOME_NET any (msg:"TThreatHunter Rule - Office Doc With Macro Inbound (ActiveMime)"; flow:established; file_data; content:"ActiveMime"; nocase; sid:2610249; rev:1;)
alert smtp any any -> $HOME_NET any (msg:"TThreatHunter Rule - Office Doc With Macro Inbound (_VBA_PROJECT_CUR)"; flow:established; file_data; content:"_VBA_PROJECT_CUR"; nocase; sid:2610250; rev:1;)
alert smtp any any -> $HOME_NET any (msg:"TThreatHunter Rule - Office Doc With Macro Inbound (Attribute VB_)"; flow:established; file_data; content:"Attribute VB_"; nocase; sid:2610251; rev:1;)
# NTLMSSP authentication naming the account "Administrator" (UTF-16LE), five or more from one
# source within 60 seconds. The UTF-16 pattern is case-sensitive, so "administrator" in lower case
# is not matched.
alert smb any any -> $HOME_NET any (msg:"TThreatHunter Rule - SMB Administrator Brute Force"; flow:to_server,established; content:"NTLMSSP|00|"; content:"A|00|d|00|m|00|i|00|n|00|i|00|s|00|t|00|r|00|a|00|t|00|o|00|r"; distance:0; threshold:type both, track by_src, seconds 60, count 5; classtype:bad-unknown; sid:2610252; rev:1;)
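# "sp_dropextendedproc" in any TCP payload toward $HOME_NET (no flow state, protocol or buffer).
# NOTE(review): a real MSSQL session carries SQL batches inside TDS as UTF-16LE, so this ASCII
# match only sees the name in plaintext form (scripts, web pages, tool output) - confirm intent.
# msg typo "Possiblly" fixed.
alert tcp any any -> $HOME_NET any (msg:"TThreatHunter Rule - Possibly Malicious SP Name"; content:"sp_dropextendedproc"; classtype:attempted-user; sid:2610253; rev:2;)
# Disabled: byte-for-byte the same header and content as sid 2610253 under a second sid, so one
# packet raised two alerts. Re-enable with a different stored-procedure name if that was the intent.
#alert tcp any any -> $HOME_NET any (msg:"TThreatHunter Rule - Possiblly Malicious SP Name"; content:"sp_dropextendedproc"; classtype:attempted-user; sid:2610254; rev:1;)
# Literal "impacket(" in any TCP payload toward $HOME_NET; same no-flow/no-threshold scope as above.
alert tcp any any -> $HOME_NET any (msg:"TThreatHunter Rule - Possibly Malicious PyExe Import Name"; content:"impacket("; classtype:attempted-user; sid:2610255; rev:2;)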
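# Rules contributed by al0ne. Every msg in this group carried a stray unescaped quote after
# "Rule - " (msg: "TThreatHunter Rule - "Behinder3 ..."), which terminates the msg string early and
# leaves trailing garbage, so the parser rejects the rule and none of the six ever loaded. The
# stray quote is removed and the option spacing normalised to the rest of the file.
#
# Behinder v3 PHP webshell: request to a .php URI whose raw payload holds 1000+ chars of base64
# ending in "=". Sets a flowbit only; the response rule alerts. The pcre is not bound to an HTTP
# buffer, so long base64 in headers (e.g. a fat cookie) satisfies it as well.
alert http any any -> any any (msg:"TThreatHunter Rule - Behinder3 PHP HTTP Request"; flow:established,to_server; content:".php"; http_uri; pcre:"/[a-zA-Z0-9+\/]{1000,}=/i"; flowbits:set,behinder3; flowbits:noalert; classtype:shellcode-detect; sid:3016017; rev:2; metadata:created_at 2020_08_17,by al0ne;)
# 200 response with 100+ chars of base64 ending in "=" on a flow tagged by sid 3016017.
alert http any any -> any any (msg:"TThreatHunter Rule - Behinder3 PHP HTTP Response"; flow:established,to_client; content:"200"; http_stat_code; flowbits:isset,behinder3; pcre:"/[a-zA-Z0-9+\/]{100,}=/i"; classtype:shellcode-detect; sid:3016018; rev:2; metadata:created_at 2020_08_17,by al0ne;)
# Strings from the well-known default Cobalt Strike team-server certificate subject, in order,
# in an inbound established TCP stream. A team server with a custom certificate will not match.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TThreatHunter Rule - CobaltStrike login server"; flow:established; content:"Cyberspace"; depth:200; content:"Somewhere"; distance:0; content:"cobaltstrike"; distance:0; content:"AdvancedPenTesting"; distance:0; classtype:exploit-kit; sid:3016001; rev:2; metadata:by al0ne;)
# URI shape of the referenced "microsoftupdate_getonly" Malleable C2 profile. Two further fixes:
# the pcre was flagged R (relative to the end of the "msdownload" content match), but the pattern
# itself begins with /c/msdownload/ - text that lies *before* that cursor - so it could only match a
# URI containing "msdownload" twice; the R flag is dropped. The class [\d\w-_] places a hyphen
# between a class escape and a literal, which PCRE2 rejects as an invalid range; [\w-] is the
# equivalent class (\w already covers digits and underscore). Unescaped "/" inside the pattern
# are escaped for consistency.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - CobaltStrike download.windowsupdate.com C2 Profile"; flow:established; content:"msdownload"; http_uri; pcre:"/\/c\/msdownload\/update\/others\/\d{4}\/\d{2}\/\d{7,8}_[\w-]{50,}\.cab/U"; reference:url,github.com/bluscreenofjeff/MalleableC2Profiles/blob/master/microsoftupdate_getonly.profile; classtype:exploit-kit; sid:3016002; rev:2; metadata:created_at 2018_09_25,by al0ne;)
# 200 reply with no Server header, Content-Type application/octet-stream immediately followed by
# Date, then Content-Length: 0, five or more times per source in 60 s. NOTE(review): the distance:0
# after a negated content has no match position to be relative to - confirm the engine treats it
# as "from buffer start" rather than dropping the rule.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TThreatHunter Rule - CobaltStrike HTTP beacon response"; flow:to_client,established; content:"200"; http_stat_code; content:!"Server: "; http_header; content:"application/octet-stream"; http_header; distance:0; content:"Date: "; http_header; within:10; content:"Content-Length: 0"; http_header; distance:0; threshold:type both, track by_src, count 5, seconds 60; sid:3016003; rev:2;)
# Output of the Cobalt Strike ARP scanner module POSTed to /submit.php?id=...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - CobaltStrike ARP Scan module"; flow:established; content:"POST"; http_method; content:"/submit.php?id="; http_uri; content:"(ARP)"; http_client_body; content:"Scanner module is complete"; http_client_body; distance:0; classtype:exploit-kit; sid:3016004; rev:2; metadata:created_at 2018_11_15,by al0ne;)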
#alert http any any -> any any (msg: "TThreatHunter Rule - CobatlStrikt team servers 200 OK Space"; flow:from_server,established; content:"200"; http_stat_code; content:"HTTP/1.1 200 OK|20|"; threshold: type both, track by_src, count 3, seconds 60; reference:url,blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/; sid:3016011; rev:1; metadata:created_at 2019_02_27,by al0ne;)
alert tcp any any -> any any (msg: "TThreatHunter Rule - CobaltStrike C2 Server"; flow:to_client; content:"HTTP/1.1 200 OK |0d0a|"; fast_pattern; depth:18; content:"Date: "; pcre:"/^HTTP/1.1 200 OK \r\nContent-Type: [^\r\n]{0,100}\r\nDate: [^\r\n]{0,100} GMT\r\n(Content-Length: \d+\r\n)\r\n/"; threshold:type limit, track by_dst, count 1, seconds 600; classtype:exploit-kit; priority:2; sid:3016012; metadata:created_at 2019_08_05; rev:3;)
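# DNS queries to public cryptocurrency mining pools. Each pool has two rules: a dns_query rule
# (isdataat:!1,relative = the query name ends with the pool domain) and a raw UDP/53 fallback
# that checks the DNS header (flags byte 0x01 = standard query with RD, one question, zero
# answer/authority records) followed by the wire-encoded label sequence of the pool domain.
# Fix: sid 301703 was a typo that broke the 30170xx sequence; renumbered to 3017003
# (assumes 3017003 is unused elsewhere in the ruleset — check before loading).
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (pool.minergate.com)"; dns_query; content:"pool.minergate.com"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017000; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (pool.minergate.com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|pool|09|minergate|03|com|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017001; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (pool.minexmr.com)"; dns_query; content:"pool.minexmr.com"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (pool.minexmr.com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|pool|07|minexmr|03|com|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017003; rev:1;)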
# Remaining mining-pool pairs, same structure as the minergate/minexmr pairs above:
# a dns_query rule (name ends with the pool domain) plus a raw UDP/53 rule matching the
# DNS query header and the wire-encoded labels of the domain.
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (opmoner.com)"; dns_query; content:"opmoner.com"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017004; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (opmoner.com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|opmoner|03|com|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017005; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (crypto-pool.fr)"; dns_query; content:"crypto-pool.fr"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017006; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (crypto-pool.fr)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0b|crypto-pool|02|fr|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017007; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (backup-pool.com)"; dns_query; content:"backup-pool.com"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017008; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (backup-pool.com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0b|backup-pool|03|com|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017009; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (monerohash.com)"; dns_query; content:"monerohash.com"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017010; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (monerohash.com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0a|monerohash|03|com|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017011; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (poolto.be)"; dns_query; content:"poolto.be"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017012; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (poolto.be)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|poolto|02|be|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017013; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (xminingpool.com)"; dns_query; content:"xminingpool.com"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017014; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (xminingpool.com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0b|xminingpool|03|com|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017015; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (prohash.net)"; dns_query; content:"prohash.net"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017016; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (prohash.net)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|prohash|03|net|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017017; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (dwarfpool.com)"; dns_query; content:"dwarfpool.com"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017018; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (dwarfpool.com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|dwarfpool|03|com|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017019; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (crypto-pools.org)"; dns_query; content:"crypto-pools.org"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017020; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (crypto-pools.org)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|crypto-pools|03|org|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017021; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (monero.net)"; dns_query; content:"monero.net"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017022; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (monero.net)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|monero|03|net|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017023; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (hashinvest.net)"; dns_query; content:"hashinvest.net"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017024; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (hashinvest.net)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0a|hashinvest|03|net|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017025; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (moneropool.com)"; dns_query; content:"moneropool.com"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017026; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (moneropool.com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0a|moneropool|03|com|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017027; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (xmrpool.eu)"; dns_query; content:"xmrpool.eu"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017028; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (xmrpool.eu)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|xmrpool|02|eu|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017029; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (ppxxmr.com)"; dns_query; content:"ppxxmr.com"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017030; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (ppxxmr.com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|ppxxmr|03|com|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017031; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (alimabi.cn)"; dns_query; content:"alimabi.cn"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017032; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (alimabi.cn)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|alimabi|02|cn|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017033; rev:1;)
alert dns $HOME_NET any -> any any (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (aeon-pool.com)"; dns_query; content:"aeon-pool.com"; nocase; isdataat:!1,relative; classtype:coin-mining; sid:3017034; rev:1;)
alert udp $HOME_NET any -> any 53 (msg: "TThreatHunter Rule - Observed DNS Query to public CryptoMining pool Domain (aeon-pool.com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|aeon-pool|03|com|00|"; nocase; distance:0; fast_pattern; classtype:coin-mining; sid:3017035; rev:1;)
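# Oversized (>200 byte) DNS query for a TXT (0x0010), MX (0x000f) or CNAME (0x0005) record of
# class IN — a rough DNS-tunnelling heuristic. "|01 00|" within the first 4 bytes is the
# standard-query flags word (RD set, QR=0).
# Fix: the original flow:established,to_server could never match the first query on a 5-tuple,
# because Suricata marks a UDP flow established only after it has seen packets in both
# directions; to_server alone keeps the direction check.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"TThreatHunter Rule - Suspicious dns request"; flow:to_server; content:"|01 00|"; depth:4; pcre:"/\x00\x10\x00\x01|\x00\x0f\x00\x01|\x00\x05\x00\x01/"; dsize:>200; classtype:trojan-activity; sid:3011001; rev:2; metadata:created_at 2018_11_09,by al0ne;)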
# ICMP echo volume heuristic for ICMP tunnelling (type 8 = echo request, type 0 = echo reply,
# code 0): alert when one source sends 100 such packets in 30 s whose payload does NOT contain
# either of the two stock ping fillers. The first negated content is the ascending byte ramp
# 0x10..0x37 (the filler used by the common Linux ping); the second decodes to
# "abcdefghijklmnopqrstuvwabcdefghi" (the Windows ping filler).
alert icmp any any -> any any (msg: "TThreatHunter Rule - ICMP Tunnel Detection Of Type Eight"; icode:0; itype:8; content:!"|101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637|"; content:!"|6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869|"; threshold: type both, track by_src, count 100, seconds 30; sid:3017037; rev:1;)
# Same check for echo replies.
alert icmp any any -> any any (msg: "TThreatHunter Rule - ICMP Tunnel Detection Of Type Zero"; icode:0; itype:0; content:!"|101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637|"; content:!"|6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869|"; threshold: type both, track by_src, count 100, seconds 30; sid:3017038; rev:1;)
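# Reverse-shell / backdoor banner heuristics. Fix: both msg strings contained an unbalanced
# inner quote that broke the rule syntax.
# sid 3003001: client->server data whose first 200 bytes contain " Microsoft Corporation"
# (the hex content) and, anywhere, "WHOIS database" (case-insensitive).
# NOTE(review): the positive "WHOIS database" match looks like it may have been meant as a
# negation to exclude WHOIS lookups that mention Microsoft — confirm with the author.
alert tcp any any -> any any (msg:"TThreatHunter Rule - Hacker backdoor or shell Microsoft Corporation"; flow:to_server,established; content:"|20 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e|"; depth:200; content:"WHOIS database"; nocase; classtype:trojan-activity; sid:3003001; rev:3; metadata:created_at 2018_09_26,updated_at 2019_08_06,by al0ne;)
# sid 3003002: "Microsoft Windows [" (the hex content; the cmd.exe version banner prefix) in
# the first 200 bytes of either direction of an established TCP stream.
alert tcp any any -> any any (msg:"TThreatHunter Rule - Hacker backdoor or shell Microsoft Windows"; flow:established; content:"|4D 69 63 72 6F 73 6F 66 74 20 57 69 6E 64 6F 77 73 20 5B|"; depth:200; classtype:trojan-activity; sid:3003002; rev:2; metadata:by al0ne;)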
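# PowerShell user agent on an established HTTP flow. The unbound pcre the original carried
# (/PowerShell|WindowsPowerShell/i over the raw payload) was implied by the http_user_agent
# content match and only cost a regex evaluation per packet, so it is dropped.
alert http any any -> any any (msg:"TThreatHunter Rule - ***Windows Powershell Request UserAgent***"; flow:established; content:"PowerShell"; http_user_agent; classtype:trojan-activity; sid:3013001; rev:2; metadata:by al0ne;)
# Request whose URI contains ".sh" anywhere (so "/x.shtml" matches too; use endswith if that
# is too broad) from a curl / Wget / linux-gnu user agent (pcre V = http_user_agent).
alert http any any -> any any (msg:"TThreatHunter Rule - ***Linux wget/curl download .sh script***"; flow:established,to_server; content:".sh"; http_uri; pcre:"/curl|Wget|linux-gnu/Vi"; classtype:trojan-activity; sid:3013002; rev:1; metadata:by al0ne;)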
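# Command-output heuristics. Fix: both msg strings contained an unbalanced inner quote that
# broke the rule syntax.
# netstat output in an HTTP response body (e.g. command output echoed by a webshell): the body
# starts with "Active Internet connections" and later contains "tcp".
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TThreatHunter Rule - Suspicious netstat command traffic"; flow:established,to_client; content:"Active Internet connections"; http_server_body; depth:28; content:"tcp"; http_server_body; distance:0; classtype:trojan-activity; sid:3013003; rev:2; metadata:created_at 2018_09_26,by al0ne;)
# "GET" (hex) in the first 10 bytes and a CRLFCRLF header terminator within the first 500,
# followed by 100-200 bytes of data that does not start with one of the class characters:
# a heuristic for data carried behind a GET. Note the pcre class is a set of letters plus
# "{", "<" and "-", not the literal words GET/POST/PUT/HEAD.
alert tcp $HOME_NET any -> any any (msg:"TThreatHunter Rule - http GET data"; flow:established; content:"|47 45 54|"; depth:10; content:"|0d 0a 0d 0a|"; depth:500; pcre:"/\x0d\x0a\x0d\x0a[^GETPOSTPUTHEAD\{\<\-][\x00-\xff]{100,200}/"; classtype:trojan-activity; sid:3013004; rev:2; metadata:created_at 2018_10_17,by al0ne;)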
# Host-profile beacon: a GET whose URI carries mac=, version=, bit=, domain= and user=
# parameters (each case-insensitive, any order). The HTTP buffers on a tcp rule are honoured
# by Suricata's app-layer inspection. No classtype is set, so the alert falls back to the
# default priority.
alert tcp any any -> any any (msg: "TThreatHunter Rule - System Information Collection By Trojan"; flow:to_server; content:"GET"; http_method; content:"mac="; nocase; http_uri; content:"version="; nocase; http_uri; content:"bit="; nocase; http_uri; content:"domain="; nocase; http_uri; content:"user="; nocase; http_uri; sid:3017036; rev:1;)
# Stratum-style mining JSON over plain TCP. The hex pieces decode to JSON tokens:
# |22|method|22 3a| = "method":  |22|submit|22 2c| = "submit",  |22|params|22 3a 7b| = "params":{
# Client share submission: "method":"submit", followed closely by "params":{ and a "result":
# field (the hash result the miner reports).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "TThreatHunter Rule - Cryptocurrency Miner Check By Submit"; flow:to_server,established; content:"|22|method|22 3a|"; fast_pattern; content:"|22|submit|22 2c|"; distance:0; within:10; content:"|22|params|22 3a 7b|"; distance:0; within:15; content:"result|22 3a|"; nocase; distance:0; classtype:trojan-activity; sid:3013015; rev:1; metadata:Detecting Mining Rules by Charmly;)
# Pool-side job notification: "method":, "params":, "blob": and "job_id": anywhere in the
# server->client payload (no ordering constraints).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "TThreatHunter Rule - Pools Response Cryptocurrency Miner"; flow:to_client,established; content:"|22|method|22 3a|"; nocase; content:"|22|params|22 3a|"; nocase; content:"|22|blob|22 3a|"; nocase; content:"|22|job_id|22 3a|"; nocase; classtype:trojan-activity; sid:3013016; rev:1; metadata:Detecting Mining Rules by Charmly;)
# PowerShell stager served in a response body: the hex contents decode to "powershell.exe"
# and "FromBase64String", both matched in http_server_body. The two negations ("<html>",
# "<script>") carry no buffer modifier, so they apply to the raw payload, not the body.
alert http any any -> any any (msg: "TThreatHunter Rule - msfconsole powershell response"; flow:established; content:!"<html>"; content:!"<script>"; content:"|70 6f 77 65 72 73 68 65 6c 6c 2e 65 78 65|"; http_server_body; content:"|46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67|"; http_server_body; classtype:exploit-kit; sid:3016005; rev:1;)
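# MySQL COM_QUERY (command byte 0x03 sits at offset 4, after the 3-byte length and the sequence
# byte; depth:5 covers it) whose text contains "general_log_file" (hex content): a client
# changing the general-log path, which is how the general log gets abused to write files.
# Fix: the msg string contained an unbalanced inner quote that broke the rule syntax.
alert tcp $HOME_NET any -> any 3306 (msg:"TThreatHunter Rule - mysql general_log write file"; flow:established; content:"|03|"; depth:5; content:"|67 65 6e 65 72 61 6c 5f 6c 6f 67 5f 66 69 6c 65|"; distance:0; classtype:trojan-activity; sid:3013005; rev:2; metadata:created_at 2018_11_20,by al0ne;)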
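# Weevely PHP agent response: 200 status, no "<html>" in the raw payload, and a base64-looking
# blob of 20+ characters wrapped in a simple tag pair in the response body (pcre Q = http_server_body).
# Fixes: the msg string contained an unbalanced inner quote that broke the rule syntax, and an
# exact duplicate of this rule (same sid and rev) followed it — Suricata reports a duplicate
# signature as an error and ignores one copy — so the duplicate is removed.
# NOTE(review): the opening tag is captured as group 1 but the closing tag is not tied to it;
# `<\/\1>` would be stricter if weevely always uses a matching closing tag — confirm.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TThreatHunter Rule - Weevely PHP Backdoor Response"; flow:established,to_client; content:"200"; http_stat_code; content:!"<html>"; pcre:"/<(\w+)>[a-zA-Z0-9+\/]{20,}(?:[a-zA-Z0-9+\/]{1}[a-zA-Z0-9+\/=]{1}|==)<\/\w+>/Q"; classtype:shellcode-detect; sid:3016006; rev:2; metadata:created_at 2018_09_03,by al0ne;)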
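# PowerShell Empire HTTP listener traffic (default listener profile). Fix: both msg strings
# contained an unbalanced inner quote that broke the rule syntax.
# Request: URI contains ".php" and the Cookie buffer starts with session=<base64>
# (pcre flags: A = anchored at buffer start, C = http_cookie, i = case-insensitive);
# sets the "empire" flowbit for the response rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TThreatHunter Rule - Powershell Empire HTTP Request "; flow:established,to_server; content:".php"; http_uri; pcre:"/session=[a-zA-Z0-9+\/]{20,300}([a-zA-Z0-9+\/]{1}[a-zA-Z0-9+\/=]{1}|==)/ACi"; flowbits:set,empire; classtype:shellcode-detect; sid:3016007; rev:2; metadata:created_at 2018_09_03,by al0ne;)
# Response: 200 on a flow carrying the flowbit, plus the profile's fixed Cache-Control header
# followed (distance:0) by "Server: Microsoft-IIS/7.5".
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TThreatHunter Rule - Powershell Empire HTTP Response "; flow:established,to_client; content:"200"; http_stat_code; flowbits:isset,empire; content:"Cache-Control: no-cache, no-store, must-revalidate"; http_header; content:"Server: Microsoft-IIS/7.5"; http_header; distance:0; classtype:shellcode-detect; sid:3016008; rev:2; metadata:created_at 2018_09_03,by al0ne;)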
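# "caidao" (China Chopper) PHP webshell traffic.
# Request: POST to a URI containing ".php" whose body contains "base64_decode" (the client
# presumably ships its PHP payload base64-encoded).
alert http any any -> any any (msg:"TThreatHunter Rule - webshell_caidao_php"; flow:established; content:"POST"; http_method; content:".php"; http_uri; content:"base64_decode"; http_client_body; classtype:shellcode-detect; sid:3016009; rev:1; metadata:by al0ne;)
# Response to the directory-listing command: 200 status, body without "<html>", body starting
# with "->" (hex 2d 3e, depth:2), then "<name>.<ext> YYYY-MM-DD HH:MM:SS" listing lines
# (pcre R = relative to the "->" match, Q = http_server_body).
# Fix: the msg string contained an unbalanced inner quote that broke the rule syntax.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TThreatHunter Rule - China hacker tools caidao response - column directory"; flow:established,to_client; content:"200"; http_stat_code; content:!"<html>"; http_server_body; content:"|2d 3e|"; http_server_body; depth:2; pcre:"/[\w\d]+\.\w{2,3}\s+\d{4}-\d{2}-\d{2}\s[\d:]{8}/RQ"; classtype:shellcode-detect; sid:3016010; rev:2; metadata:created_at 2018_09_13,by al0ne;)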