*********************** suricata-2.0-enhanced etpro ***********************

[***] Results from Oinkmaster started Mon Jan 14 15:29:16 2019 [***]

[+++] Added rules: [+++]

    2026799 - ET TROJAN Observed Awad Bot CnC Domain (hawad .000webhostapp .com in TLS SNI) (trojan.rules)
    2026800 - ET TROJAN Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM) (trojan.rules)
    2026801 - ET TROJAN Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM) (trojan.rules)
    2026802 - ET TROJAN Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM) (trojan.rules)
    2026803 - ET TROJAN Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM) (trojan.rules)
    2026804 - ET TROJAN Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM) (trojan.rules)
    2834351 - ETPRO TROJAN Win32/Jilani Bot CnC Checkin (trojan.rules)
    2834352 - ETPRO CURRENT_EVENTS Observed MalDoc DL 2019-01-14 Domain (officeboxwork .blogspot .com in TLS SNI) (current_events.rules)
    2834353 - ETPRO TROJAN Win32/Scarsi Variant CnC Activity (trojan.rules)
    2834354 - ETPRO TROJAN Unknown Knopcode CnC Activity (trojan.rules)
    2834355 - ETPRO CURRENT_EVENTS Successful Fedex Phish 2019-01-14 (current_events.rules)
    2834356 - ETPRO CURRENT_EVENTS Successful Generic Phish 2019-01-14 (current_events.rules)
    2834357 - ETPRO CURRENT_EVENTS Successful Gmail Phish 2019-01-14 (current_events.rules)
    2834358 - ETPRO CURRENT_EVENTS Successful Whatsapp Group Phish 2019-01-14 (current_events.rules)
    2834359 - ETPRO CURRENT_EVENTS Successful Onedrive Phish 2019-01-14 (current_events.rules)
    2834360 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-01-14 (current_events.rules)
    2834361 - ETPRO CURRENT_EVENTS Successful TD Bank Phish 2019-01-14 (current_events.rules)
    2834362 - ETPRO CURRENT_EVENTS Successful Scotiabank Phish 2019-01-14 (current_events.rules)
    2834363 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-01-14 (current_events.rules)
    2834364 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2019-01-14 (current_events.rules)
    2834365 - ETPRO CURRENT_EVENTS Successful Onedrive Phish 2019-01-14 (current_events.rules)
    2834366 - ETPRO CURRENT_EVENTS SocEng Redirect Chain - Evil Keitaro Set-Cookie Inbound (da556) (current_events.rules)
    2834367 - ETPRO TROJAN Win32/PhpMyAdminBrute CnC Checkin (trojan.rules)
    2834368 - ETPRO TROJAN Win32/PhpMyAdminBrute Requesting Brute Force List (flowbit set) (trojan.rules)
    2834369 - ETPRO TROJAN Win32/PhpMyAdminBrute Brute Force List Inbound (trojan.rules)
    2834370 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
    2834371 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
    2834372 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
    2834373 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
    2834374 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
    2834375 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
    2834376 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
    2834377 - ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC) (trojan.rules)

[///] Modified active rules: [///]

    2026616 - ET CURRENT_EVENTS Observed Malicious SSL Cert (ServHelper CnC) (current_events.rules)
    2026767 - ET TROJAN Observed Malicious SSL Cert (ServHelper RAT CnC) (trojan.rules)
    2026768 - ET TROJAN ServHelper RAT CnC Domain Observed in SNI (trojan.rules)
    2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound group 1 (drop.rules)
    2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound group 2 (drop.rules)
    2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound group 3 (drop.rules)
    2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound group 4 (drop.rules)
    2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound group 5 (drop.rules)
    2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound group 6 (drop.rules)
    2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound group 7 (drop.rules)
    2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound group 8 (drop.rules)
    2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound group 9 (drop.rules)
    2400009 - ET DROP Spamhaus DROP Listed Traffic Inbound group 10 (drop.rules)
    2400010 - ET DROP Spamhaus DROP Listed Traffic Inbound group 11 (drop.rules)
    2400011 - ET DROP Spamhaus DROP Listed Traffic Inbound group 12 (drop.rules)
    2400012 - ET DROP Spamhaus DROP Listed Traffic Inbound group 13 (drop.rules)
    2400013 - ET DROP Spamhaus DROP Listed Traffic Inbound group 14 (drop.rules)
    2400014 - ET DROP Spamhaus DROP Listed Traffic Inbound group 15 (drop.rules)
    2400015 - ET DROP Spamhaus DROP Listed Traffic Inbound group 16 (drop.rules)
    2400016 - ET DROP Spamhaus DROP Listed Traffic Inbound group 17 (drop.rules)
    2400017 - ET DROP Spamhaus DROP Listed Traffic Inbound group 18 (drop.rules)
    2400018 - ET DROP Spamhaus DROP Listed Traffic Inbound group 19 (drop.rules)
    2400019 - ET DROP Spamhaus DROP Listed Traffic Inbound group 20 (drop.rules)
    2400020 - ET DROP Spamhaus DROP Listed Traffic Inbound group 21 (drop.rules)
    2400021 - ET DROP Spamhaus DROP Listed Traffic Inbound group 22 (drop.rules)
    2400022 - ET DROP Spamhaus DROP Listed Traffic Inbound group 23 (drop.rules)
    2400023 - ET DROP Spamhaus DROP Listed Traffic Inbound group 24 (drop.rules)
    2400024 - ET DROP Spamhaus DROP Listed Traffic Inbound group 25 (drop.rules)
    2400025 - ET DROP Spamhaus DROP Listed Traffic Inbound group 26 (drop.rules)
    2400026 - ET DROP Spamhaus DROP Listed Traffic Inbound group 27 (drop.rules)
    2400027 - ET DROP Spamhaus DROP Listed Traffic Inbound group 28 (drop.rules)
    2400028 - ET DROP Spamhaus DROP Listed Traffic Inbound group 29 (drop.rules)
    2400029 - ET DROP Spamhaus DROP Listed Traffic Inbound group 30 (drop.rules)
    2400030 - ET DROP Spamhaus DROP Listed Traffic Inbound group 31 (drop.rules)
    2402000 - ET DROP Dshield Block Listed Source group 1 (dshield.rules)
    2403300 - ET CINS Active Threat Intelligence Poor Reputation IP group 1 (ciarmy.rules)
    2403301 - ET CINS Active Threat Intelligence Poor Reputation IP group 2 (ciarmy.rules)
    2403302 - ET CINS Active Threat Intelligence Poor Reputation IP group 3 (ciarmy.rules)
    2403303 - ET CINS Active Threat Intelligence Poor Reputation IP group 4 (ciarmy.rules)
    2403304 - ET CINS Active Threat Intelligence Poor Reputation IP group 5 (ciarmy.rules)
    2403305 - ET CINS Active Threat Intelligence Poor Reputation IP group 6 (ciarmy.rules)
    2403306 - ET CINS Active Threat Intelligence Poor Reputation IP group 7 (ciarmy.rules)
    2403307 - ET CINS Active Threat Intelligence Poor Reputation IP group 8 (ciarmy.rules)
    2403308 - ET CINS Active Threat Intelligence Poor Reputation IP group 9 (ciarmy.rules)
    2403309 - ET CINS Active Threat Intelligence Poor Reputation IP group 10 (ciarmy.rules)
    2403310 - ET CINS Active Threat Intelligence Poor Reputation IP group 11 (ciarmy.rules)
    2403311 - ET CINS Active Threat Intelligence Poor Reputation IP group 12 (ciarmy.rules)
    2403312 - ET CINS Active Threat Intelligence Poor Reputation IP group 13 (ciarmy.rules)
    2403313 - ET CINS Active Threat Intelligence Poor Reputation IP group 14 (ciarmy.rules)
    2403314 - ET CINS Active Threat Intelligence Poor Reputation IP group 15 (ciarmy.rules)
    2403315 - ET CINS Active Threat Intelligence Poor Reputation IP group 16 (ciarmy.rules)
    2403316 - ET CINS Active Threat Intelligence Poor Reputation IP group 17 (ciarmy.rules)
    2403317 - ET CINS Active Threat Intelligence Poor Reputation IP group 18 (ciarmy.rules)
    2403318 - ET CINS Active Threat Intelligence Poor Reputation IP group 19 (ciarmy.rules)
    2403319 - ET CINS Active Threat Intelligence Poor Reputation IP group 20 (ciarmy.rules)
    2403320 - ET CINS Active Threat Intelligence Poor Reputation IP group 21 (ciarmy.rules)
    2403321 - ET CINS Active Threat Intelligence Poor Reputation IP group 22 (ciarmy.rules)
    2403322 - ET CINS Active Threat Intelligence Poor Reputation IP group 23 (ciarmy.rules)
    2403323 - ET CINS Active Threat Intelligence Poor Reputation IP group 24 (ciarmy.rules)
    2403324 - ET CINS Active Threat Intelligence Poor Reputation IP group 25 (ciarmy.rules)
    2403325 - ET CINS Active Threat Intelligence Poor Reputation IP group 26 (ciarmy.rules)
    2403326 - ET CINS Active Threat Intelligence Poor Reputation IP group 27 (ciarmy.rules)
    2403327 - ET CINS Active Threat Intelligence Poor Reputation IP group 28 (ciarmy.rules)
    2403328 - ET CINS Active Threat Intelligence Poor Reputation IP group 29 (ciarmy.rules)
    2403329 - ET CINS Active Threat Intelligence Poor Reputation IP group 30 (ciarmy.rules)
    2403330 - ET CINS Active Threat Intelligence Poor Reputation IP group 31 (ciarmy.rules)
    2403331 - ET CINS Active Threat Intelligence Poor Reputation IP group 32 (ciarmy.rules)
    2403332 - ET CINS Active Threat Intelligence Poor Reputation IP group 33 (ciarmy.rules)
    2403333 - ET CINS Active Threat Intelligence Poor Reputation IP group 34 (ciarmy.rules)
    2403334 - ET CINS Active Threat Intelligence Poor Reputation IP group 35 (ciarmy.rules)
    2403335 - ET CINS Active Threat Intelligence Poor Reputation IP group 36 (ciarmy.rules)
    2403336 - ET CINS Active Threat Intelligence Poor Reputation IP group 37 (ciarmy.rules)
    2403337 - ET CINS Active Threat Intelligence Poor Reputation IP group 38 (ciarmy.rules)
    2403338 - ET CINS Active Threat Intelligence Poor Reputation IP group 39 (ciarmy.rules)
    2403339 - ET CINS Active Threat Intelligence Poor Reputation IP group 40 (ciarmy.rules)
    2403340 - ET CINS Active Threat Intelligence Poor Reputation IP group 41 (ciarmy.rules)
    2403341 - ET CINS Active Threat Intelligence Poor Reputation IP group 42 (ciarmy.rules)
    2403342 - ET CINS Active Threat Intelligence Poor Reputation IP group 43 (ciarmy.rules)
    2403343 - ET CINS Active Threat Intelligence Poor Reputation IP group 44 (ciarmy.rules)
    2403344 - ET CINS Active Threat Intelligence Poor Reputation IP group 45 (ciarmy.rules)
    2403345 - ET CINS Active Threat Intelligence Poor Reputation IP group 46 (ciarmy.rules)
    2403346 - ET CINS Active Threat Intelligence Poor Reputation IP group 47 (ciarmy.rules)
    2403347 - ET CINS Active Threat Intelligence Poor Reputation IP group 48 (ciarmy.rules)
    2403348 - ET CINS Active Threat Intelligence Poor Reputation IP group 49 (ciarmy.rules)
    2403349 - ET CINS Active Threat Intelligence Poor Reputation IP group 50 (ciarmy.rules)
    2403350 - ET CINS Active Threat Intelligence Poor Reputation IP group 51 (ciarmy.rules)
    2403351 - ET CINS Active Threat Intelligence Poor Reputation IP group 52 (ciarmy.rules)
    2403352 - ET CINS Active Threat Intelligence Poor Reputation IP group 53 (ciarmy.rules)
    2403353 - ET CINS Active Threat Intelligence Poor Reputation IP group 54 (ciarmy.rules)
    2403354 - ET CINS Active Threat Intelligence Poor Reputation IP group 55 (ciarmy.rules)
    2403355 - ET CINS Active Threat Intelligence Poor Reputation IP group 56 (ciarmy.rules)
    2403356 - ET CINS Active Threat Intelligence Poor Reputation IP group 57 (ciarmy.rules)
    2403357 - ET CINS Active Threat Intelligence Poor Reputation IP group 58 (ciarmy.rules)
    2403358 - ET CINS Active Threat Intelligence Poor Reputation IP group 59 (ciarmy.rules)
    2403359 - ET CINS Active Threat Intelligence Poor Reputation IP group 60 (ciarmy.rules)
    2403360 - ET CINS Active Threat Intelligence Poor Reputation IP group 61 (ciarmy.rules)
    2403361 - ET CINS Active Threat Intelligence Poor Reputation IP group 62 (ciarmy.rules)
    2403362 - ET CINS Active Threat Intelligence Poor Reputation IP group 63 (ciarmy.rules)
    2403363 - ET CINS Active Threat Intelligence Poor Reputation IP group 64 (ciarmy.rules)
    2403364 - ET CINS Active Threat Intelligence Poor Reputation IP group 65 (ciarmy.rules)
    2403365 - ET CINS Active Threat Intelligence Poor Reputation IP group 66 (ciarmy.rules)
    2403366 - ET CINS Active Threat Intelligence Poor Reputation IP group 67 (ciarmy.rules)
    2403367 - ET CINS Active Threat Intelligence Poor Reputation IP group 68 (ciarmy.rules)
    2403368 - ET CINS Active Threat Intelligence Poor Reputation IP group 69 (ciarmy.rules)
    2403369 - ET CINS Active Threat Intelligence Poor Reputation IP group 70 (ciarmy.rules)
    2403370 - ET CINS Active Threat Intelligence Poor Reputation IP group 71 (ciarmy.rules)
    2403371 - ET CINS Active Threat Intelligence Poor Reputation IP group 72 (ciarmy.rules)
    2403372 - ET CINS Active Threat Intelligence Poor Reputation IP group 73 (ciarmy.rules)
    2403373 - ET CINS Active Threat Intelligence Poor Reputation IP group 74 (ciarmy.rules)
    2403374 - ET CINS Active Threat Intelligence Poor Reputation IP group 75 (ciarmy.rules)
    2403375 - ET CINS Active Threat Intelligence Poor Reputation IP group 76 (ciarmy.rules)
    2403376 - ET CINS Active Threat Intelligence Poor Reputation IP group 77 (ciarmy.rules)
    2403377 - ET CINS Active Threat Intelligence Poor Reputation IP group 78 (ciarmy.rules)
    2403378 - ET CINS Active Threat Intelligence Poor Reputation IP group 79 (ciarmy.rules)
    2403379 - ET CINS Active Threat Intelligence Poor Reputation IP group 80 (ciarmy.rules)
    2403380 - ET CINS Active Threat Intelligence Poor Reputation IP group 81 (ciarmy.rules)
    2403381 - ET CINS Active Threat Intelligence Poor Reputation IP group 82 (ciarmy.rules)
    2403382 - ET CINS Active Threat Intelligence Poor Reputation IP group 83 (ciarmy.rules)
    2403383 - ET CINS Active Threat Intelligence Poor Reputation IP group 84 (ciarmy.rules)
    2403384 - ET CINS Active Threat Intelligence Poor Reputation IP group 85 (ciarmy.rules)
    2403385 - ET CINS Active Threat Intelligence Poor Reputation IP group 86 (ciarmy.rules)
    2403386 - ET CINS Active Threat Intelligence Poor Reputation IP group 87 (ciarmy.rules)
    2403387 - ET CINS Active Threat Intelligence Poor Reputation IP group 88 (ciarmy.rules)
    2403388 - ET CINS Active Threat Intelligence Poor Reputation IP group 89 (ciarmy.rules)
    2403389 - ET CINS Active Threat Intelligence Poor Reputation IP group 90 (ciarmy.rules)
    2403390 - ET CINS Active Threat Intelligence Poor Reputation IP group 91 (ciarmy.rules)
    2403391 - ET CINS Active Threat Intelligence Poor Reputation IP group 92 (ciarmy.rules)
    2403392 - ET CINS Active Threat Intelligence Poor Reputation IP group 93 (ciarmy.rules)
    2403393 - ET CINS Active Threat Intelligence Poor Reputation IP group 94 (ciarmy.rules)
    2403394 - ET CINS Active Threat Intelligence Poor Reputation IP group 95 (ciarmy.rules)
    2403395 - ET CINS Active Threat Intelligence Poor Reputation IP group 96 (ciarmy.rules)
    2403396 - ET CINS Active Threat Intelligence Poor Reputation IP group 97 (ciarmy.rules)
    2403397 - ET CINS Active Threat Intelligence Poor Reputation IP group 98 (ciarmy.rules)
    2403398 - ET CINS Active Threat Intelligence Poor Reputation IP group 99 (ciarmy.rules)
    2403399 - ET CINS Active Threat Intelligence Poor Reputation IP group 100 (ciarmy.rules)
    2405000 - ET CNC Shadowserver Reported CnC Server Port 80 Group 1 (botcc.portgrouped.rules)
    2405001 - ET CNC Shadowserver Reported CnC Server Port 81 Group 1 (botcc.portgrouped.rules)
    2405002 - ET CNC Shadowserver Reported CnC Server Port 443 Group 1 (botcc.portgrouped.rules)
    2405003 - ET CNC Shadowserver Reported CnC Server Port 1337 Group 1 (botcc.portgrouped.rules)
    2405004 - ET CNC Shadowserver Reported CnC Server Port 2319 Group 1 (botcc.portgrouped.rules)
    2405005 - ET CNC Shadowserver Reported CnC Server Port 4042 Group 1 (botcc.portgrouped.rules)
    2405006 - ET CNC Shadowserver Reported CnC Server Port 4244 Group 1 (botcc.portgrouped.rules)
    2405007 - ET CNC Shadowserver Reported CnC Server Port 6556 Group 1 (botcc.portgrouped.rules)
    2405008 - ET CNC Shadowserver Reported CnC Server Port 6667 Group 1 (botcc.portgrouped.rules)
    2405009 - ET CNC Shadowserver Reported CnC Server Port 6668 Group 1 (botcc.portgrouped.rules)
    2405010 - ET CNC Shadowserver Reported CnC Server Port 6768 Group 1 (botcc.portgrouped.rules)
    2405011 - ET CNC Shadowserver Reported CnC Server Port 7000 Group 1 (botcc.portgrouped.rules)
    2405012 - ET CNC Shadowserver Reported CnC Server Port 8585 Group 1 (botcc.portgrouped.rules)
    2405013 - ET CNC Shadowserver Reported CnC Server Port 9000 Group 1 (botcc.portgrouped.rules)
    2405014 - ET CNC Shadowserver Reported CnC Server Port 10324 Group 1 (botcc.portgrouped.rules)
    2405015 - ET CNC Shadowserver Reported CnC Server Port 11830 Group 1 (botcc.portgrouped.rules)
    2405016 - ET CNC Shadowserver Reported CnC Server Port 13001 Group 1 (botcc.portgrouped.rules)
    2405017 - ET CNC Shadowserver Reported CnC Server Port 33333 Group 1 (botcc.portgrouped.rules)
    2832058 - ETPRO CURRENT_EVENTS SocEng Redirect Chain - Evil Keitaro Set-Cookie Inbound (20b13) (current_events.rules)
    2833553 - ETPRO TROJAN ServHelper RAT CnC Domain Observed in SNI (trojan.rules)
    2834171 - ETPRO TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
    2834223 - ETPRO TROJAN Trojan.MSIL.Gupsip Checkin 2 (trojan.rules)

[+++] Added non-rule lines: [+++]

    -> Added to drop.rules (2):
        # VERSION 2689
        # Generated 2019-01-13 00:05:01 EDT

    -> Added to sid-msg.map (76):
        2026616 || ET CURRENT_EVENTS Observed Malicious SSL Cert (ServHelper CnC)
        2026767 || ET TROJAN Observed Malicious SSL Cert (ServHelper RAT CnC) || md5,43e7274b6d42aef8ceae298b67927aec
        2026768 || ET TROJAN ServHelper RAT CnC Domain Observed in SNI || md5,43e7274b6d42aef8ceae298b67927aec
        2026799 || ET TROJAN Observed Awad Bot CnC Domain (hawad .000webhostapp .com in TLS SNI) || md5,5872fde3bf4b5a30a64837a35d1ec5fd
        2026800 || ET TROJAN Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM) || url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/
        2026801 || ET TROJAN Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM) || url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/
        2026802 || ET TROJAN Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM) || url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/
        2026803 || ET TROJAN Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM) || url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/
        2026804 || ET TROJAN Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM) || url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/
        2523396 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 699 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523398 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 700 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523400 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 701 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523402 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 702 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523404 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 703 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523406 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 704 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523408 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 705 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523410 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 706 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523412 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 707 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523414 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 708 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523416 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 709 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523418 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 710 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523420 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 711 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523422 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 712 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523424 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 713 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523426 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 714 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523428 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 715 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523430 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 716 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523432 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 717 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523434 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 718 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523436 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 719 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523438 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 720 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523440 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 721 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523442 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 722 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523444 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 723 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523446 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 724 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523448 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 725 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523450 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 726 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523452 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 727 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523454 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 728 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523456 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 729 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523458 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 730 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523460 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 731 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523462 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 732 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523464 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 733 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2523466 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 734 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2833522 || ETPRO DELETED Observed Malicious SSL Cert (ServHelper RAT CnC) || md5,43e7274b6d42aef8ceae298b67927aec
        2833552 || ETPRO DELETED ServHelper RAT CnC Domain Observed in SNI || md5,43e7274b6d42aef8ceae298b67927aec
        2833553 || ETPRO TROJAN ServHelper RAT CnC Domain Observed in SNI || md5,43e7274b6d42aef8ceae298b67927aec
        2834171 || ETPRO TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) || md5,876e555fb509911e310b557015c5509a
        2834351 || ETPRO TROJAN Win32/Jilani Bot CnC Checkin || md5,fe3831a85759e2ed4beb6ef2ece46c31
        2834352 || ETPRO CURRENT_EVENTS Observed MalDoc DL 2019-01-14 Domain (officeboxwork .blogspot .com in TLS SNI) || md5,eeb74a76e3cba962c6870e15f32a7908
        2834353 || ETPRO TROJAN Win32/Scarsi Variant CnC Activity || md5,0b14f44aa4597e233139fe7c2299666f
        2834354 || ETPRO TROJAN Unknown Knopcode CnC Activity || md5,2d3926b253711ee99488aaf63d1319e1
        2834355 || ETPRO CURRENT_EVENTS Successful Fedex Phish 2019-01-14
        2834356 || ETPRO CURRENT_EVENTS Successful Generic Phish 2019-01-14
        2834357 || ETPRO CURRENT_EVENTS Successful Gmail Phish 2019-01-14
        2834358 || ETPRO CURRENT_EVENTS Successful Whatsapp Group Phish 2019-01-14
        2834359 || ETPRO CURRENT_EVENTS Successful Onedrive Phish 2019-01-14
        2834360 || ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-01-14
        2834361 || ETPRO CURRENT_EVENTS Successful TD Bank Phish 2019-01-14
        2834362 || ETPRO CURRENT_EVENTS Successful Scotiabank Phish 2019-01-14
        2834363 || ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-01-14
        2834364 || ETPRO CURRENT_EVENTS Successful Linkedin Phish 2019-01-14
        2834365 || ETPRO CURRENT_EVENTS Successful Onedrive Phish 2019-01-14
        2834366 || ETPRO CURRENT_EVENTS SocEng Redirect Chain - Evil Keitaro Set-Cookie Inbound (da556)
        2834367 || ETPRO TROJAN Win32/PhpMyAdminBrute CnC Checkin || md5,1c315f9487ad20c3ac72747f13968507
        2834368 || ETPRO TROJAN Win32/PhpMyAdminBrute Requesting Brute Force List (flowbit set) || md5,1c315f9487ad20c3ac72747f13968507
        2834369 || ETPRO TROJAN Win32/PhpMyAdminBrute Brute Force List Inbound || md5,1c315f9487ad20c3ac72747f13968507
        2834370 || ETPRO TROJAN Cobalt Strike Domain in SNI
        2834371 || ETPRO TROJAN Cobalt Strike Domain in SNI
        2834372 || ETPRO TROJAN Cobalt Strike Domain in SNI
        2834373 || ETPRO TROJAN Cobalt Strike Domain in SNI
        2834374 || ETPRO TROJAN Cobalt Strike Domain in SNI
        2834375 || ETPRO TROJAN Cobalt Strike Domain in SNI
        2834376 || ETPRO TROJAN Cobalt Strike Domain in SNI
        2834377 || ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC) || md5,1f3c2d14c6024f08e5eec8852dce2db0

[---] Removed non-rule lines: [---]

    -> Removed from drop.rules (2):
        # VERSION 2688
        # Generated 2019-01-06 00:05:01 EDT

    -> Removed from sid-msg.map (13):
        2026616 || ET CURRENT_EVENTS Observed Malicious SSL Cert (HuadhServHelper CnC)
        2026767 || ET TROJAN Observed Malicious SSL Cert (HuadhServHelper RAT CnC) || md5,43e7274b6d42aef8ceae298b67927aec
        2026768 || ET TROJAN HuadhServHelper RAT CnC Domain Observed in SNI || md5,43e7274b6d42aef8ceae298b67927aec
        2500206 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 104 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500208 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 105 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500210 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 106 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500212 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 107 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500214 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 108 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500216 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 109 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2833522 || ETPRO DELETED Observed Malicious SSL Cert (HuadhServHelper RAT CnC) || md5,43e7274b6d42aef8ceae298b67927aec
        2833552 || ETPRO DELETED HuadhServHelper RAT CnC Domain Observed in SNI || md5,43e7274b6d42aef8ceae298b67927aec
        2833553 || ETPRO TROJAN HuadhServHelper RAT CnC Domain Observed in SNI || md5,43e7274b6d42aef8ceae298b67927aec
        2834171 || ETPRO TROJAN Observed Malicious SSL Cert (BrushLoader CnC) || md5,876e555fb509911e310b557015c5509a