*********************** suricata-4.0-enhanced etpro ***********************

[***] Results from Oinkmaster started Mon Aug 17 17:58:11 2020 [***]

[+++]          Added rules:          [+++]

    2030688 - ET TROJAN Echelon/DarkStealer Variant CnC Exfil (trojan.rules)
    2030689 - ET TROJAN Suspected REDCURL CnC Activity M2 (trojan.rules)
    2030690 - ET TROJAN Possible KONNI URI Path Observed (trojan.rules)
    2030691 - ET TROJAN Possible KONNI CnC Activity (trojan.rules)
    2030692 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
    2030693 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
    2030694 - ET INFO BitNinja IO Security Check (info.rules)
    2030695 - ET CURRENT_EVENTS Successful Paxful Cryptocurrency Wallet Phish 2020-08-17 (current_events.rules)
    2030697 - ET TROJAN Suspected REDCURL CnC Activity M1 (trojan.rules)
    2844008 - ETPRO POLICY Observed Java Web Client/JNLP Requesting jar/jnlp (policy.rules)
    2844009 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-14 1) (trojan.rules)
    2844010 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-14 2) (trojan.rules)
    2844011 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-14 3) (trojan.rules)
    2844012 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-17 (current_events.rules)
    2844013 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-08-17 (current_events.rules)
    2844014 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-08-17 (current_events.rules)
    2844015 - ETPRO CURRENT_EVENTS Successful ABSA Phish 2020-08-17 (current_events.rules)
    2844016 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-17 (current_events.rules)
    2844017 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-17 (current_events.rules)
    2844018 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-08-17 (current_events.rules)
    2844019 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-08-17 (current_events.rules)
    2844020 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-17 (current_events.rules)
    2844021 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-08-17 (current_events.rules)
    2844022 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-08-17 (current_events.rules)
    2844023 - ETPRO TROJAN Banload Variant CnC Host Checkin (trojan.rules)
    2844024 - ETPRO INFO VBS extension in DNS TXT Response (info.rules)
    2844025 - ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (8d7a4) (web_client.rules)
    2844026 - ETPRO TROJAN MalDoc Retrieving powershell Commands via DNS TXT (trojan.rules)
    2844027 - ETPRO INFO Nslookup in DNS TXT Response (info.rules)
    2844028 - ETPRO TROJAN Wscript Object Creation in DNS TXT Response (trojan.rules)
    2844029 - ETPRO TROJAN Powershell Run Command Structure in DNS TXT Response (trojan.rules)
    2844030 - ETPRO TROJAN Schedule Tasks Create Command Structure in DNS TXT Response (trojan.rules)
    2844031 - ETPRO TROJAN Suspected OILRIG CnC Domain in DNS Lookup (trojan.rules)
    2844032 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
    2844033 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
    2844034 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
    2844035 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
    2844036 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
    2844037 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC) (trojan.rules)

[///]     Modified active rules:     [///]

    2010515 - ET WEB_SERVER Possible HTTP 403 XSS Attempt (Local Source) (web_server.rules)
    2023545 - ET TROJAN Win32/TrojanDownloader.Delf.BVP Win32/BioData CnC Beacon (trojan.rules)
    2024943 - ET CURRENT_EVENTS Raiffeisen Phishing Domain Nov 03 2017 (current_events.rules)
    2024944 - ET CURRENT_EVENTS Sparkasse Phishing Domain Nov 03 2017 (current_events.rules)
    2024947 - ET CURRENT_EVENTS Successful Raiffeisen Phish Nov 03 2017 (current_events.rules)
    2024948 - ET CURRENT_EVENTS Successful Sparkasse Phish Nov 03 2017 (current_events.rules)
    2024950 - ET MOBILE_MALWARE Android Marcher Trojan Download - Raiffeisen Bank Targeting (set) (mobile_malware.rules)
    2024951 - ET MOBILE_MALWARE Android Marcher Trojan Download - Sparkasse Bank Targeting (set) (mobile_malware.rules)
    2024952 - ET MOBILE_MALWARE Android Marcher Trojan Download - BankAustria Targeting (set) (mobile_malware.rules)
    2024953 - ET MOBILE_MALWARE Android Marcher Trojan Download - Austrian Bank Targeting (mobile_malware.rules)
    2024954 - ET TROJAN SAD Ransomware CnC Activity (trojan.rules)
    2024955 - ET TROJAN [PTsecurity] Win32/Randrew!rfn CnC Activity (trojan.rules)
    2024966 - ET TROJAN Volex - OceanLotus JavaScript Load (connect.js) (trojan.rules)
    2024978 - ET INFO Browser Plugin Detect - Observed in Apple Phishing (info.rules)
    2025006 - ET WEB_CLIENT Possible Phishing Redirect Feb 09 2016 (web_client.rules)
    2029672 - ET CURRENT_EVENTS Successful Facebook Phish 2019-04-12 (current_events.rules)
    2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound group 1 (drop.rules)
    2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound group 2 (drop.rules)
    2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound group 3 (drop.rules)
    2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound group 4 (drop.rules)
    2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound group 5 (drop.rules)
    2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound group 6 (drop.rules)
    2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound group 7 (drop.rules)
    2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound group 8 (drop.rules)
    2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound group 9 (drop.rules)
    2400009 - ET DROP Spamhaus DROP Listed Traffic Inbound group 10 (drop.rules)
    2400010 - ET DROP Spamhaus DROP Listed Traffic Inbound group 11 (drop.rules)
    2400011 - ET DROP Spamhaus DROP Listed Traffic Inbound group 12 (drop.rules)
    2400012 - ET DROP Spamhaus DROP Listed Traffic Inbound group 13 (drop.rules)
    2400013 - ET DROP Spamhaus DROP Listed Traffic Inbound group 14 (drop.rules)
    2400014 - ET DROP Spamhaus DROP Listed Traffic Inbound group 15 (drop.rules)
    2400015 - ET DROP Spamhaus DROP Listed Traffic Inbound group 16 (drop.rules)
    2400016 - ET DROP Spamhaus DROP Listed Traffic Inbound group 17 (drop.rules)
    2400017 - ET DROP Spamhaus DROP Listed Traffic Inbound group 18 (drop.rules)
    2400018 - ET DROP Spamhaus DROP Listed Traffic Inbound group 19 (drop.rules)
    2400019 - ET DROP Spamhaus DROP Listed Traffic Inbound group 20 (drop.rules)
    2400020 - ET DROP Spamhaus DROP Listed Traffic Inbound group 21 (drop.rules)
    2400021 - ET DROP Spamhaus DROP Listed Traffic Inbound group 22 (drop.rules)
    2400022 - ET DROP Spamhaus DROP Listed Traffic Inbound group 23 (drop.rules)
    2400023 - ET DROP Spamhaus DROP Listed Traffic Inbound group 24 (drop.rules)
    2400024 - ET DROP Spamhaus DROP Listed Traffic Inbound group 25 (drop.rules)
    2400025 - ET DROP Spamhaus DROP Listed Traffic Inbound group 26 (drop.rules)
    2400026 - ET DROP Spamhaus DROP Listed Traffic Inbound group 27 (drop.rules)
    2400027 - ET DROP Spamhaus DROP Listed Traffic Inbound group 28 (drop.rules)
    2400028 - ET DROP Spamhaus DROP Listed Traffic Inbound group 29 (drop.rules)
    2400029 - ET DROP Spamhaus DROP Listed Traffic Inbound group 30 (drop.rules)
    2400030 - ET DROP Spamhaus DROP Listed Traffic Inbound group 31 (drop.rules)
    2402000 - ET DROP Dshield Block Listed Source group 1 (dshield.rules)
    2403300 - ET CINS Active Threat Intelligence Poor Reputation IP group 1 (ciarmy.rules)
    2403301 - ET CINS Active Threat Intelligence Poor Reputation IP group 2 (ciarmy.rules)
    2403302 - ET CINS Active Threat Intelligence Poor Reputation IP group 3 (ciarmy.rules)
    2403303 - ET CINS Active Threat Intelligence Poor Reputation IP group 4 (ciarmy.rules)
    2403304 - ET CINS Active Threat Intelligence Poor Reputation IP group 5 (ciarmy.rules)
    2403305 - ET CINS Active Threat Intelligence Poor Reputation IP group 6 (ciarmy.rules)
    2403306 - ET CINS Active Threat Intelligence Poor Reputation IP group 7 (ciarmy.rules)
    2403307 - ET CINS Active Threat Intelligence Poor Reputation IP group 8 (ciarmy.rules)
    2403308 - ET CINS Active Threat Intelligence Poor Reputation IP group 9 (ciarmy.rules)
    2403309 - ET CINS Active Threat Intelligence Poor Reputation IP group 10 (ciarmy.rules)
    2403310 - ET CINS Active Threat Intelligence Poor Reputation IP group 11 (ciarmy.rules)
    2403311 - ET CINS Active Threat Intelligence Poor Reputation IP group 12 (ciarmy.rules)
    2403312 - ET CINS Active Threat Intelligence Poor Reputation IP group 13 (ciarmy.rules)
    2403313 - ET CINS Active Threat Intelligence Poor Reputation IP group 14 (ciarmy.rules)
    2403314 - ET CINS Active Threat Intelligence Poor Reputation IP group 15 (ciarmy.rules)
    2403315 - ET CINS Active Threat Intelligence Poor Reputation IP group 16 (ciarmy.rules)
    2403316 - ET CINS Active Threat Intelligence Poor Reputation IP group 17 (ciarmy.rules)
    2403317 - ET CINS Active Threat Intelligence Poor Reputation IP group 18 (ciarmy.rules)
    2403318 - ET CINS Active Threat Intelligence Poor Reputation IP group 19 (ciarmy.rules)
    2403319 - ET CINS Active Threat Intelligence Poor Reputation IP group 20 (ciarmy.rules)
    2403320 - ET CINS Active Threat Intelligence Poor Reputation IP group 21 (ciarmy.rules)
    2403321 - ET CINS Active Threat Intelligence Poor Reputation IP group 22 (ciarmy.rules)
    2403322 - ET CINS Active Threat Intelligence Poor Reputation IP group 23 (ciarmy.rules)
    2403323 - ET CINS Active Threat Intelligence Poor Reputation IP group 24 (ciarmy.rules)
    2403324 - ET CINS Active Threat Intelligence Poor Reputation IP group 25 (ciarmy.rules)
    2403325 - ET CINS Active Threat Intelligence Poor Reputation IP group 26 (ciarmy.rules)
    2403326 - ET CINS Active Threat Intelligence Poor Reputation IP group 27 (ciarmy.rules)
    2403327 - ET CINS Active Threat Intelligence Poor Reputation IP group 28 (ciarmy.rules)
    2403328 - ET CINS Active Threat Intelligence Poor Reputation IP group 29 (ciarmy.rules)
    2403329 - ET CINS Active Threat Intelligence Poor Reputation IP group 30 (ciarmy.rules)
    2403330 - ET CINS Active Threat Intelligence Poor Reputation IP group 31 (ciarmy.rules)
    2403331 - ET CINS Active Threat Intelligence Poor Reputation IP group 32 (ciarmy.rules)
    2403332 - ET CINS Active Threat Intelligence Poor Reputation IP group 33 (ciarmy.rules)
    2403333 - ET CINS Active Threat Intelligence Poor Reputation IP group 34 (ciarmy.rules)
    2403334 - ET CINS Active Threat Intelligence Poor Reputation IP group 35 (ciarmy.rules)
    2403335 - ET CINS Active Threat Intelligence Poor Reputation IP group 36 (ciarmy.rules)
    2403336 - ET CINS Active Threat Intelligence Poor Reputation IP group 37 (ciarmy.rules)
    2403337 - ET CINS Active Threat Intelligence Poor Reputation IP group 38 (ciarmy.rules)
    2403338 - ET CINS Active Threat Intelligence Poor Reputation IP group 39 (ciarmy.rules)
    2403339 - ET CINS Active Threat Intelligence Poor Reputation IP group 40 (ciarmy.rules)
    2403340 - ET CINS Active Threat Intelligence Poor Reputation IP group 41 (ciarmy.rules)
    2403341 - ET CINS Active Threat Intelligence Poor Reputation IP group 42 (ciarmy.rules)
    2403342 - ET CINS Active Threat Intelligence Poor Reputation IP group 43 (ciarmy.rules)
    2403343 - ET CINS Active Threat Intelligence Poor Reputation IP group 44 (ciarmy.rules)
    2403344 - ET CINS Active Threat Intelligence Poor Reputation IP group 45 (ciarmy.rules)
    2403345 - ET CINS Active Threat Intelligence Poor Reputation IP group 46 (ciarmy.rules)
    2403346 - ET CINS Active Threat Intelligence Poor Reputation IP group 47 (ciarmy.rules)
    2403347 - ET CINS Active Threat Intelligence Poor Reputation IP group 48 (ciarmy.rules)
    2403348 - ET CINS Active Threat Intelligence Poor Reputation IP group 49 (ciarmy.rules)
    2403349 - ET CINS Active Threat Intelligence Poor Reputation IP group 50 (ciarmy.rules)
    2403350 - ET CINS Active Threat Intelligence Poor Reputation IP group 51 (ciarmy.rules)
    2403351 - ET CINS Active Threat Intelligence Poor Reputation IP group 52 (ciarmy.rules)
    2403352 - ET CINS Active Threat Intelligence Poor Reputation IP group 53 (ciarmy.rules)
    2403353 - ET CINS Active Threat Intelligence Poor Reputation IP group 54 (ciarmy.rules)
    2403354 - ET CINS Active Threat Intelligence Poor Reputation IP group 55 (ciarmy.rules)
    2403355 - ET CINS Active Threat Intelligence Poor Reputation IP group 56 (ciarmy.rules)
    2403356 - ET CINS Active Threat Intelligence Poor Reputation IP group 57 (ciarmy.rules)
    2403357 - ET CINS Active Threat Intelligence Poor Reputation IP group 58 (ciarmy.rules)
    2403358 - ET CINS Active Threat Intelligence Poor Reputation IP group 59 (ciarmy.rules)
    2403359 - ET CINS Active Threat Intelligence Poor Reputation IP group 60 (ciarmy.rules)
    2403360 - ET CINS Active Threat Intelligence Poor Reputation IP group 61 (ciarmy.rules)
    2403361 - ET CINS Active Threat Intelligence Poor Reputation IP group 62 (ciarmy.rules)
    2403362 - ET CINS Active Threat Intelligence Poor Reputation IP group 63 (ciarmy.rules)
    2403363 - ET CINS Active Threat Intelligence Poor Reputation IP group 64 (ciarmy.rules)
    2403364 - ET CINS Active Threat Intelligence Poor Reputation IP group 65 (ciarmy.rules)
    2403365 - ET CINS Active Threat Intelligence Poor Reputation IP group 66 (ciarmy.rules)
    2403366 - ET CINS Active Threat Intelligence Poor Reputation IP group 67 (ciarmy.rules)
    2403367 - ET CINS Active Threat Intelligence Poor Reputation IP group 68 (ciarmy.rules)
    2403368 - ET CINS Active Threat Intelligence Poor Reputation IP group 69 (ciarmy.rules)
    2403369 - ET CINS Active Threat Intelligence Poor Reputation IP group 70 (ciarmy.rules)
    2403370 - ET CINS Active Threat Intelligence Poor Reputation IP group 71 (ciarmy.rules)
    2403371 - ET CINS Active Threat Intelligence Poor Reputation IP group 72 (ciarmy.rules)
    2403372 - ET CINS Active Threat Intelligence Poor Reputation IP group 73 (ciarmy.rules)
    2403373 - ET CINS Active Threat Intelligence Poor Reputation IP group 74 (ciarmy.rules)
    2403374 - ET CINS Active Threat Intelligence Poor Reputation IP group 75 (ciarmy.rules)
    2403375 - ET CINS Active Threat Intelligence Poor Reputation IP group 76 (ciarmy.rules)
    2403376 - ET CINS Active Threat Intelligence Poor Reputation IP group 77 (ciarmy.rules)
    2403377 - ET CINS Active Threat Intelligence Poor Reputation IP group 78 (ciarmy.rules)
    2403378 - ET CINS Active Threat Intelligence Poor Reputation IP group 79 (ciarmy.rules)
    2403379 - ET CINS Active Threat Intelligence Poor Reputation IP group 80 (ciarmy.rules)
    2403380 - ET CINS Active Threat Intelligence Poor Reputation IP group 81 (ciarmy.rules)
    2403381 - ET CINS Active Threat Intelligence Poor Reputation IP group 82 (ciarmy.rules)
    2403382 - ET CINS Active Threat Intelligence Poor Reputation IP group 83 (ciarmy.rules)
    2403383 - ET CINS Active Threat Intelligence Poor Reputation IP group 84 (ciarmy.rules)
    2403384 - ET CINS Active Threat Intelligence Poor Reputation IP group 85 (ciarmy.rules)
    2403385 - ET CINS Active Threat Intelligence Poor Reputation IP group 86 (ciarmy.rules)
    2403386 - ET CINS Active Threat Intelligence Poor Reputation IP group 87 (ciarmy.rules)
    2403387 - ET CINS Active Threat Intelligence Poor Reputation IP group 88 (ciarmy.rules)
    2403388 - ET CINS Active Threat Intelligence Poor Reputation IP group 89 (ciarmy.rules)
    2403389 - ET CINS Active Threat Intelligence Poor Reputation IP group 90 (ciarmy.rules)
    2403390 - ET CINS Active Threat Intelligence Poor Reputation IP group 91 (ciarmy.rules)
    2403391 - ET CINS Active Threat Intelligence Poor Reputation IP group 92 (ciarmy.rules)
    2403392 - ET CINS Active Threat Intelligence Poor Reputation IP group 93 (ciarmy.rules)
    2403393 - ET CINS Active Threat Intelligence Poor Reputation IP group 94 (ciarmy.rules)
    2403394 - ET CINS Active Threat Intelligence Poor Reputation IP group 95 (ciarmy.rules)
    2403395 - ET CINS Active Threat Intelligence Poor Reputation IP group 96 (ciarmy.rules)
    2403396 - ET CINS Active Threat Intelligence Poor Reputation IP group 97 (ciarmy.rules)
    2403397 - ET CINS Active Threat Intelligence Poor Reputation IP group 98 (ciarmy.rules)
    2403398 - ET CINS Active Threat Intelligence Poor Reputation IP group 99 (ciarmy.rules)
    2403399 - ET CINS Active Threat Intelligence Poor Reputation IP group 100 (ciarmy.rules)
    2525000 - ET 3CORESec Poor Reputation IP group 1 (3coresec.rules)
    2525001 - ET 3CORESec Poor Reputation IP group 2 (3coresec.rules)
    2525002 - ET 3CORESec Poor Reputation IP group 3 (3coresec.rules)
    2525003 - ET 3CORESec Poor Reputation IP group 4 (3coresec.rules)
    2525004 - ET 3CORESec Poor Reputation IP group 5 (3coresec.rules)
    2525005 - ET 3CORESec Poor Reputation IP group 6 (3coresec.rules)
    2525006 - ET 3CORESec Poor Reputation IP group 7 (3coresec.rules)
    2525007 - ET 3CORESec Poor Reputation IP group 8 (3coresec.rules)
    2525008 - ET 3CORESec Poor Reputation IP group 9 (3coresec.rules)
    2525009 - ET 3CORESec Poor Reputation IP group 10 (3coresec.rules)
    2525010 - ET 3CORESec Poor Reputation IP group 11 (3coresec.rules)
    2525011 - ET 3CORESec Poor Reputation IP group 12 (3coresec.rules)
    2525012 - ET 3CORESec Poor Reputation IP group 13 (3coresec.rules)
    2525013 - ET 3CORESec Poor Reputation IP group 14 (3coresec.rules)
    2525014 - ET 3CORESec Poor Reputation IP group 15 (3coresec.rules)
    2525015 - ET 3CORESec Poor Reputation IP group 16 (3coresec.rules)
    2525016 - ET 3CORESec Poor Reputation IP group 17 (3coresec.rules)
    2812100 - ETPRO TROJAN Win32/TrojanDownloader.Banload.TXV Receiving compressed PE set (ZIP) (trojan.rules)
    2822136 - ETPRO TROJAN Win32/Philadelphia Ransomware CnC Checkin (trojan.rules)
    2822596 - ETPRO TROJAN Win32/Philadelphia Ransomware Encryption Activity (trojan.rules)
    2824150 - ETPRO CURRENT_EVENTS Successful Generic Hamza Banking Phish Dec 30 2016 (current_events.rules)
    2824864 - ETPRO TROJAN Ratankba Recon Backdoor/Module CnC Beacon 1 (trojan.rules)
    2824865 - ETPRO TROJAN Ratankba Recon Backdoor/Module CnC Beacon 2 (trojan.rules)
    2827049 - ETPRO CURRENT_EVENTS Successful Generic Hamza Banking Phish M2 Jul 07 2017 (current_events.rules)
    2827893 - ETPRO TROJAN Win32/Vagger!rfn CnC Checkin (trojan.rules)
    2828058 - ETPRO TROJAN Win32/Delf.BVP Win32/BioData CnC Keep-Alive Beacon (trojan.rules)
    2828536 - ETPRO TROJAN Lena/BKDR_ANEL HTTP GET CnC Beacon 1 (trojan.rules)
    2828537 - ETPRO TROJAN Lena/BKDR_ANEL HTTP GET CnC Beacon 2 (trojan.rules)
    2828541 - ETPRO TROJAN Win32/Leviwa CnC Checkin (trojan.rules)
    2828542 - ETPRO CURRENT_EVENTS Successful Apple Phish Nov 06 2017 (current_events.rules)
    2828545 - ETPRO CURRENT_EVENTS Successful Netflix Phish Nov 06 2017 (current_events.rules)
    2828547 - ETPRO CURRENT_EVENTS Successful Blockchain Phish Nov 06 2017 (current_events.rules)
    2828549 - ETPRO CURRENT_EVENTS Successful Generic Chalbhai Phish M1 Nov 06 2017 (current_events.rules)
    2828550 - ETPRO CURRENT_EVENTS Successful Generic Chalbhai Phish M2 Nov 06 2017 (current_events.rules)
    2828554 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 242 (mobile_malware.rules)
    2828556 - ETPRO TROJAN Win32/Scar CnC Checkin (trojan.rules)
    2828558 - ETPRO CURRENT_EVENTS Successful Paypal Phish Nov 07 2017 (current_events.rules)
    2828560 - ETPRO CURRENT_EVENTS Successful Hello Bank (FR) Phish Nov 07 2017 (current_events.rules)
    2828561 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish Nov 07 2017 (current_events.rules)
    2828566 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 243 (mobile_malware.rules)
    2828579 - ETPRO CURRENT_EVENTS Successful WhatsApp Phish M1 Nov 08 2017 (current_events.rules)
    2828580 - ETPRO CURRENT_EVENTS Successful WhatsApp Phish M2 Nov 08 2017 (current_events.rules)
    2828581 - ETPRO CURRENT_EVENTS Successful Santander Phish Nov 08 2017 (current_events.rules)
    2843908 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish to XYZ TLD 2020-08-07 (current_events.rules)

[---]         Removed rules:         [---]

    2405000 - ET CNC Shadowserver Reported CnC Server Port 80 Group 1 (botcc.portgrouped.rules)
    2405001 - ET CNC Shadowserver Reported CnC Server Port 81 Group 1 (botcc.portgrouped.rules)
    2405002 - ET CNC Shadowserver Reported CnC Server Port 443 Group 1 (botcc.portgrouped.rules)
    2405003 - ET CNC Shadowserver Reported CnC Server Port 1337 Group 1 (botcc.portgrouped.rules)
    2405004 - ET CNC Shadowserver Reported CnC Server Port 2319 Group 1 (botcc.portgrouped.rules)
    2405005 - ET CNC Shadowserver Reported CnC Server Port 4042 Group 1 (botcc.portgrouped.rules)
    2405006 - ET CNC Shadowserver Reported CnC Server Port 4244 Group 1 (botcc.portgrouped.rules)
    2405007 - ET CNC Shadowserver Reported CnC Server Port 6556 Group 1 (botcc.portgrouped.rules)
    2405008 - ET CNC Shadowserver Reported CnC Server Port 6667 Group 1 (botcc.portgrouped.rules)
    2405009 - ET CNC Shadowserver Reported CnC Server Port 6668 Group 1 (botcc.portgrouped.rules)
    2405010 - ET CNC Shadowserver Reported CnC Server Port 6768 Group 1 (botcc.portgrouped.rules)
    2405011 - ET CNC Shadowserver Reported CnC Server Port 7000 Group 1 (botcc.portgrouped.rules)
    2405012 - ET CNC Shadowserver Reported CnC Server Port 8585 Group 1 (botcc.portgrouped.rules)
    2405013 - ET CNC Shadowserver Reported CnC Server Port 9000 Group 1 (botcc.portgrouped.rules)
    2405014 - ET CNC Shadowserver Reported CnC Server Port 10324 Group 1 (botcc.portgrouped.rules)
    2405015 - ET CNC Shadowserver Reported CnC Server Port 11830 Group 1 (botcc.portgrouped.rules)
    2405016 - ET CNC Shadowserver Reported CnC Server Port 13001 Group 1 (botcc.portgrouped.rules)
    2405017 - ET CNC Shadowserver Reported CnC Server Port 33333 Group 1 (botcc.portgrouped.rules)

[+++]       Added non-rule lines:    [+++]

    -> Added to 3coresec.rules (1):
        # Version 22
    -> Added to drop.rules (2):
        # VERSION 2772
        # Generated 2020-08-16 00:05:01 EDT
    -> Added to sid-msg.map (56):
        2030688 || ET TROJAN Echelon/DarkStealer Variant CnC Exfil || md5,fed2a8736c84eda9dcc8533b5019f7d8
        2030689 || ET TROJAN Suspected REDCURL CnC Activity M2 || md5,12ec7e6876dc86f158f448ebfba9e0eb || url,www.group-ib.com/resources/threat-research/red-curl.html
        2030690 || ET TROJAN Possible KONNI URI Path Observed || url,us-cert.cisa.gov/ncas/alerts/aa20-227a
        2030691 || ET TROJAN Possible KONNI CnC Activity || url,us-cert.cisa.gov/ncas/alerts/aa20-227a
        2030692 || ET SCAN ELF/Mirai Variant User-Agent (Inbound)
        2030693 || ET TROJAN ELF/Mirai Variant User-Agent (Outbound)
        2030694 || ET INFO BitNinja IO Security Check
        2030695 || ET CURRENT_EVENTS Successful Paxful Cryptocurrency Wallet Phish 2020-08-17
        2030697 || ET TROJAN Suspected REDCURL CnC Activity M1 || md5,9691daebab79c6ab48adac73bda0a84a || url,www.group-ib.com/resources/threat-research/red-curl.html
        2520118 || ET TOR Known Tor Exit Node Traffic group 119 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2520119 || ET TOR Known Tor Exit Node Traffic group 120 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2520120 || ET TOR Known Tor Exit Node Traffic group 121 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2520121 || ET TOR Known Tor Exit Node Traffic group 122 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2520122 || ET TOR Known Tor Exit Node Traffic group 123 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2520123 || ET TOR Known Tor Exit Node Traffic group 124 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2520124 || ET TOR Known Tor Exit Node Traffic group 125 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2520125 || ET TOR Known Tor Exit Node Traffic group 126 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2522791 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 792 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2522792 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 793 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2522793 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 794 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2522794 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 795 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2522795 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 796 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2522796 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 797 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2522797 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 798 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2522798 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 799 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2827893 || ETPRO TROJAN Win32/Vagger!rfn CnC Checkin || md5,dbb5bd334555c8528ff1816df9f597cd
        2844008 || ETPRO POLICY Observed Java Web Client/JNLP Requesting jar/jnlp
        2844009 || ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-14 1) || md5,372185b460d702d889ea3b8909c119d9 || url,mining.bitcoin.cz/stratum-mining || url,www.btcguild.com/new_protocol.php || url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html
        2844010 || ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-14 2) || md5,06599d57a700d273ec005e7475a77621 || url,mining.bitcoin.cz/stratum-mining || url,www.btcguild.com/new_protocol.php || url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html
        2844011 || ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-14 3) || md5,61a180fecee940ffda99b19f427655ed || url,mining.bitcoin.cz/stratum-mining || url,www.btcguild.com/new_protocol.php || url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html
        2844012 || ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-17
        2844013 || ETPRO CURRENT_EVENTS Successful Generic Phish 2020-08-17
        2844014 || ETPRO CURRENT_EVENTS Successful Generic Phish 2020-08-17
        2844015 || ETPRO CURRENT_EVENTS Successful ABSA Phish 2020-08-17
        2844016 || ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-17
        2844017 || ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-17
        2844018 || ETPRO CURRENT_EVENTS Successful Chase Phish 2020-08-17
        2844019 || ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-08-17
        2844020 || ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-17
        2844021 || ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-08-17
        2844022 || ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-08-17
        2844023 || ETPRO TROJAN Banload Variant CnC Host Checkin || md5,2bcac8db6b456d25843dbd2518d2ff5a
        2844024 || ETPRO INFO VBS extension in DNS TXT Response
        2844025 || ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (8d7a4)
        2844026 || ETPRO TROJAN MalDoc Retrieving powershell Commands via DNS TXT || md5,c60da9e17cc1b956d2a0a0ee8b24538c
        2844027 || ETPRO INFO Nslookup in DNS TXT Response
        2844028 || ETPRO TROJAN Wscript Object Creation in DNS TXT Response
        2844029 || ETPRO TROJAN Powershell Run Command Structure in DNS TXT Response
        2844030 || ETPRO TROJAN Schedule Tasks Create Command Structure in DNS TXT Response
        2844031 || ETPRO TROJAN Suspected OILRIG CnC Domain in DNS Lookup || md5,52b6e1ef0d079f4c2572705156365c06
        2844032 || ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
        2844033 || ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
        2844034 || ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
        2844035 || ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
        2844036 || ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
        2844037 || ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC)

[---]      Removed non-rule lines:   [---]

    -> Removed from 3coresec.rules (1):
        # Version 20
    -> Removed from drop.rules (2):
        # VERSION 2771
        # Generated 2020-08-09 00:05:01 EDT
    -> Removed from sid-msg.map (59):
        2404000 || ET CNC Shadowserver Reported CnC Server IP group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404001 || ET CNC Shadowserver Reported CnC Server IP group 2 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404002 || ET CNC Shadowserver Reported CnC Server IP group 3 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404003 || ET CNC Shadowserver Reported CnC Server IP group 4 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404004 || ET CNC Shadowserver Reported CnC Server IP group 5 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404005 || ET CNC Shadowserver Reported CnC Server IP group 6 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404006 || ET CNC Shadowserver Reported CnC Server IP group 7 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404007 || ET CNC Shadowserver Reported CnC Server IP group 8 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404008 || ET CNC Shadowserver Reported CnC Server IP group 9 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404009 || ET CNC Shadowserver Reported CnC Server IP group 10 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404010 || ET CNC Shadowserver Reported CnC Server IP group 11 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404011 || ET CNC Shadowserver Reported CnC Server IP group 12 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404012 || ET CNC Shadowserver Reported CnC Server IP group 13 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404013 || ET CNC Shadowserver Reported CnC Server IP group 14 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404014 || ET CNC Shadowserver Reported CnC Server IP group 15 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404015 || ET CNC Shadowserver Reported CnC Server IP group 16 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404016 || ET CNC Shadowserver Reported CnC Server IP group 17 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404017 || ET CNC Shadowserver Reported CnC Server IP group 18 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404018 || ET CNC Shadowserver Reported CnC Server IP group 19 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404019 || ET CNC Shadowserver Reported CnC Server IP group 20 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404020 || ET CNC Shadowserver Reported CnC Server IP group 21 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404021 || ET CNC Shadowserver Reported CnC Server IP group 22 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404022 || ET CNC Shadowserver Reported CnC Server IP group 23 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404023 || ET CNC Shadowserver Reported CnC Server IP group 24 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404024 || ET CNC Shadowserver Reported CnC Server IP group 25 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404025 || ET CNC Shadowserver Reported CnC Server IP group 26 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2404026 || ET CNC Shadowserver Reported CnC Server group 27 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405000 || ET CNC Shadowserver Reported CnC Server Port 80 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405001 || ET CNC Shadowserver Reported CnC Server Port 81 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405002 || ET CNC Shadowserver Reported CnC Server Port 443 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405003 || ET CNC Shadowserver Reported CnC Server Port 1337 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405004 || ET CNC Shadowserver Reported CnC Server Port 2319 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405005 || ET CNC Shadowserver Reported CnC Server Port 4042 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405006 || ET CNC Shadowserver Reported CnC Server Port 4244 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405007 || ET CNC Shadowserver Reported CnC Server Port 6556 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405008 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405009 || ET CNC Shadowserver Reported CnC Server Port 6668 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405010 || ET CNC Shadowserver Reported CnC Server Port 6768 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405011 || ET CNC Shadowserver Reported CnC Server Port 7000 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405012 || ET CNC Shadowserver Reported CnC Server Port 8585 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405013 || ET CNC Shadowserver Reported CnC Server Port 9000 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405014 || ET CNC Shadowserver Reported CnC Server Port 10324 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405015 || ET CNC Shadowserver Reported CnC Server Port 11830 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405016 || ET CNC Shadowserver Reported CnC Server Port 13001 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2405017 || ET CNC Shadowserver Reported CnC Server Port 33333 Group 1 || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/BotCC
        2500054 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 28 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500056 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 29 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500058 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 30 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500060 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 31 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 32 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 33 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 34 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500068 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 35 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 36 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 37 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500074 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 38 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 39 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500078 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 40 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2827893 || ETPRO TROJAN Win32/Unknown.2 CnC Checkin || md5,dbb5bd334555c8528ff1816df9f597cd
