APT28.rules

Oct 28th, 2014
  1. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CORESHELL POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/check/"; http_uri; content:"User-Agent|3A| MSIE 8.0"; http_header; fast_pattern:only; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf metadata:security-ips drop, service http; sid:1000000; rev:1;)
  2. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CHOPSTICK v1 POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/webhp?rel="; nocase; http_uri; content:"hl="; nocase; http_uri; distance:0; content:"ai="; nocase; http_uri; distance:0; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B| rv|3A|20.0) Gecko/20100101 Firefox/20.0"; fast_pattern:only; http_header; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)
  3. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CHOPSTICK v2 POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/search?btnG="; nocase; http_uri; content:"utm="; nocase; http_uri; distance:0; content:"ai="; nocase; http_uri; distance:0; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B| rv|3A|20.0) Gecko/20100101 Firefox/20.0"; fast_pattern:only; http_header; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000002; rev:1;)
  4. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OLDBAIT POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/index.php"; fast_pattern:only; http_uri; content:"prefs="; nocase; http_client_body; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000003; rev:1;)
  5. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS kavkazcentr.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|kavkazcentr|04|info"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000004; rev:1;)
  6. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS rnil.am"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rnil|02|am"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000005; rev:1;)
  7. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS standartnevvs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|standartnevvs|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000006; rev:1;)
  8. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS novinitie.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|novinitie|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000007; rev:1;)
  9. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS n0vinite.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|n0vinite|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000008; rev:1;)
  10. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS qov.hu.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|qov|02|hu|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000009; rev:1;)
  11. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS mail.g0v.pl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|03|g0v|02|pl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000010; rev:1;)
  12. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS baltichost.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|baltichost|03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000011; rev:1;)
  13. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS nato.nshq.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|nato|04|nshq|02|in"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000012; rev:1;)
  14. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS natoexhibitionff14.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|natoexhibitionff14|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000013; rev:1;)
  15. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS login-osce.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|login-osce|03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000014; rev:1;)
  16. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS smigroup-online.co.uk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|smigroup-online|02|co|02|uk"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000015; rev:1;)
  17. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS q0v.pl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|q0v|02|pl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:urlgithub.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000016; rev:1;)