A long time ago, on my personal blog, I used to post the updates that the Emerging Threats and VRT (Sourcefire) projects made to their rule sets, with some comments and tips, and in some cases even with payloads when that was possible. Since we are restructuring the idea, along with the honeypots and labs, in this first edition we will basically post an overview of the updates, based on the sid_changes.log written by PulledPork on a demo sensor that is being updated today.
To explain what PulledPork is: in short, it is a rule update and management tool for Suricata / Snort IDS. Its code can be examined and studied at https://github.com/shirkdog/pulledpork.
New Rules
APP-DETECT HTTPTunnel proxy outbound connection detected (1:43565)
BROWSER-FIREFOX Mozilla Firefox Javascript contentWindow in an iframe exploit attempt (1:43706)
BROWSER-FIREFOX Mozilla Firefox design mode deleted style memory corruption attempt (1:43643)
BROWSER-FIREFOX Mozilla Firefox display moz-deck style memory corruption attempt (1:43644)
BROWSER-FIREFOX Mozilla Firefox large window null pointer dereference attempt (1:43651)
BROWSER-FIREFOX Mozilla Firefox large window null pointer dereference attempt (1:43652)
BROWSER-FIREFOX Mozilla Firefox multiple vulnerabilities memory corruption attempt (1:43642)
BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (1:43672)
BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (1:43673)
BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (1:43656)
BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (1:43657)
BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (1:43658)
BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (1:43659)
BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt (1:43664)
BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt (1:43665)
BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt (1:43648)
BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (1:43635)
BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (1:43636)
BROWSER-IE Microsoft Internet Explorer GDI VML gradient size heap overflow attempt (1:43622)
BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (1:43598)
BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (1:43599)
BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (1:43550)
BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (1:43551)
BROWSER-IE Microsoft Internet Explorer type confusion attempt (1:43579)
BROWSER-IE Microsoft Internet Explorer type confusion attempt (1:43580)
BROWSER-PLUGINS HP Photo Creative ActiveX clsid access attempt (1:43607)
BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (1:43537)
BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (1:43538)
BROWSER-PLUGINS McAfee FreeScan information disclosure ActiveX clsid access attempt (1:43701)
BROWSER-PLUGINS McAfee FreeScan information disclosure ActiveX clsid access attempt (1:43702)
BROWSER-PLUGINS McAfee FreeScan information disclosure ActiveX clsid access attempt (1:43703)
BROWSER-PLUGINS McAfee FreeScan information disclosure ActiveX clsid access attempt (1:43704)
BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (1:43605)
BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (1:43606)
BROWSER-PLUGINS Ultra Crypto Component ActiveX clsid access attempt (1:43649)
BROWSER-PLUGINS Ultra Crypto Component ActiveX clsid access attempt (1:43650)
ET CNC Ransomware Tracker Reported CnC Server TCP group 159 (1:2404716)
ET CNC Ransomware Tracker Reported CnC Server UDP group 159 (1:2404717)
ET CNC Shadowserver Reported CnC Server Port 33333 Group 1 (1:2405067)
ET CNC Shadowserver Reported CnC Server Port 40669 Group 1 (1:2405068)
ET CNC Shadowserver Reported CnC Server TCP group 49 (1:2404096)
ET CNC Shadowserver Reported CnC Server UDP group 49 (1:2404097)
ET CURRENT_EVENTS Disdain EK Flash Exploit M1 Aug 23 2017 (1:2024609)
ET CURRENT_EVENTS Disdain EK Flash Exploit M2 Aug 23 2017 (1:2024610)
ET CURRENT_EVENTS Disdain EK Flash Exploit M3 Aug 23 2017 (1:2024611)
ET CURRENT_EVENTS Disdain EK Landing Aug 23 2017 (1:2024612)
ET CURRENT_EVENTS Disdain EK Payload Aug 23 2017 (1:2024608)
ET CURRENT_EVENTS Disdain EK URI Struct Aug 23 2017 M1 (1:2024606)
ET CURRENT_EVENTS Disdain EK URI Struct Aug 23 2017 M2 (1:2024607)
ET CURRENT_EVENTS Hancitor/Tordal Document Inbound (1:2024605)
ET CURRENT_EVENTS Hancitor/Tordal Document Request (1:2024604)
ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP AX (1:2024553)
ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP AX M2 (1:2024602)
ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP M1 (1:2024550)
ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP M2 (1:2024551)
ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP M3 (1:2024552)
ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt (1:2024537)
ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B641 (1:2024534)
ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B642 (1:2024535)
ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B643 (1:2024536)
ET CURRENT_EVENTS Possible Maldoc Downloader Aug 18 2017 (1:2024600)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 19 2016 (1:2024560)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 07 2016 (1:2024568)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 13 2016 (1:2024569)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 20 2016 (1:2024570)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 27 2016 (1:2024571)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 (1:2024554)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 (1:2024555)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 (1:2024556)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 03 2017 (1:2024572)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 12 2017 (1:2024573)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 17 2017 (1:2024574)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 17 2017 (1:2024575)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 06 2017 (1:2024580)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 10 2017 (1:2024581)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 11 2017 (1:2024582)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 13 (1:2024558)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jun 08 2017 (1:2024579)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jun 8 (1:2024557)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 24 2017 (1:2024576)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 25 2017 (1:2024577)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 31 2017 (1:2024578)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 15 2016 (1:2024565)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 16 2016 (1:2024566)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 22 2016 (1:2024567)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 13 (1:2024562)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 25 (1:2024563)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 26 (1:2024564)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Sept 2 (1:2024561)
ET CURRENT_EVENTS Possible Successful Phish - Verify Email Error Message M1 Aug 14 2017 (1:2024541)
ET CURRENT_EVENTS Possible Successful Phish - Verify Email Error Message M2 Aug 14 2017 (1:2024542)
ET CURRENT_EVENTS Possible Veil Powershell Encoder B641 (1:2024538)
ET CURRENT_EVENTS Possible Veil Powershell Encoder B642 (1:2024539)
ET CURRENT_EVENTS Possible Veil Powershell Encoder B643 (1:2024540)
ET CURRENT_EVENTS Possible YapiKredi Bank (TR) Phish - Landing Page - Title over non SSL (1:2024583)
ET CURRENT_EVENTS Successful Adobe Online Phish Aug 16 2016 (1:2024559)
ET CURRENT_EVENTS Successful Interac Phish Aug 18 2017 (1:2024599)
ET CURRENT_EVENTS Successful Mail.ru Phish Aug 10 2017 (1:2024532)
ET CURRENT_EVENTS Successful Paypal Phish M1 Aug 14 2017 (1:2024544)
ET CURRENT_EVENTS Successful Paypal Phish M2 Aug 14 2017 (1:2024545)
ET CURRENT_EVENTS Successful Paypal Phish M3 Aug 14 2017 (1:2024546)
ET CURRENT_EVENTS Successful RBC Royal Bank Phish M1 Aug 17 2017 (1:2024586)
ET CURRENT_EVENTS Successful RBC Royal Bank Phish M2 Aug 17 2017 (1:2024587)
ET CURRENT_EVENTS Successful Square Phish Nov 16 2015 (1:2024547)
ET CURRENT_EVENTS Windows Scriptlet Invoking Powershell Likely Malicious (1:2024549)
ET DOS CLDAP Amplification Reflection (PoC based) (1:2024584)
ET DOS Potential CLDAP Amplification Reflection (1:2024585)
ET EXPLOIT Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt (1:2024548)
ET TROJAN DNS Query for known ShadowPad CnC 1 (1:2024588)
ET TROJAN DNS Query for known ShadowPad CnC 10 (1:2024597)
ET TROJAN DNS Query for known ShadowPad CnC 11 (1:2024598)
ET TROJAN DNS Query for known ShadowPad CnC 2 (1:2024589)
ET TROJAN DNS Query for known ShadowPad CnC 3 (1:2024590)
ET TROJAN DNS Query for known ShadowPad CnC 4 (1:2024591)
ET TROJAN DNS Query for known ShadowPad CnC 5 (1:2024592)
ET TROJAN DNS Query for known ShadowPad CnC 6 (1:2024593)
ET TROJAN DNS Query for known ShadowPad CnC 7 (1:2024594)
ET TROJAN DNS Query for known ShadowPad CnC 8 (1:2024595)
ET TROJAN DNS Query for known ShadowPad CnC 9 (1:2024596)
ET TROJAN MSIL/CoalaBot CnC Activity (1:2024531)
ET TROJAN OSX.Pwnet.A Certificate Observed (1:2024613)
ET TROJAN Observed DNS Query to Gryphon CnC Domain / GlobeImposter Payment Domain (1:2024543)
ET TROJAN Spora Ransomware DNS Query (1:2024603)
ET TROJAN Win32/Datper CnC Activity (1:2024601)
ET TROJAN [PTsecurity] Gozi/Ursnif Payload v12 (1:2024533)
FILE-EXECUTABLE SandboxEscaper WER download attempt (1:43632)
FILE-EXECUTABLE SandboxEscaper WER download attempt (1:43633)
FILE-OFFICE Microsoft Excel null pointer dereference attempt (1:43638)
FILE-OFFICE Microsoft Excel null pointer dereference attempt (1:43639)
FILE-OFFICE Microsoft Excel null pointer dereference attempt (1:43640)
FILE-OFFICE Microsoft Excel null pointer dereference attempt (1:43641)
FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt (1:43698)
FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt (1:43699)
FILE-OFFICE Microsoft Office RTF parsing remote code execution attempt (1:43678)
FILE-OFFICE Microsoft Office RTF parsing remote code execution attempt (1:43679)
FILE-OFFICE Microsoft Office Word SmartTag record code execution attempt (1:43674)
FILE-OFFICE Microsoft Office Word SmartTag record code execution attempt (1:43675)
FILE-OTHER Aktiv Player wma file buffer overflow attempt (1:43540)
FILE-OTHER Aktiv Player wma file buffer overflow attempt (1:43541)
FILE-OTHER IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt (1:43623)
FILE-OTHER IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt (1:43624)
FILE-OTHER ImageMagick SGI ZSIZE header information overflow attempt (1:43608)
FILE-OTHER ImageMagick SGI ZSIZE header information overflow attempt (1:43609)
FILE-OTHER Node.js JS-YAML js function tag code execution attempt (1:43669)
FILE-OTHER Node.js JS-YAML js function tag code execution attempt (1:43670)
FILE-OTHER Oracle Outside-In JPEG2000 QCD segment processing heap buffer overflow attempt (1:43560)
FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt (1:43615)
FILE-OTHER Schneider Electric ClearSCADA malicious OPF file (1:43603)
FILE-OTHER Schneider Electric ClearSCADA malicious OPF file (1:43604)
FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt (1:43626)
FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt (1:43627)
FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (1:43600)
FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (1:43601)
FILE-OTHER Xion Media Player AIFF denial of service attempt (1:43682)
FILE-OTHER Xion Media Player AIFF denial of service attempt (1:43683)
FILE-OTHER multiple vulnerabilities malformed .m3u file buffer overflow attempt (1:43543)
FILE-OTHER multiple vulnerabilities malformed .wav file buffer overflow attempt (1:43582)
FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt (1:43676)
FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt (1:43677)
INDICATOR-COMPROMISE Juniper vSRX Application Firewall IPv6 REJECT buffer overflow attempt (1:43546)
INDICATOR-COMPROMISE Suspicious .top dns query (1:43687)
INDICATOR-COMPROMISE possible Samsung DVR authentication bypass attempt (1:43576)
INDICATOR-OBFUSCATION obfuscated vbscript detected (1:43707)
INDICATOR-OBFUSCATION obfuscated vbscript detected (1:43708)
MALWARE-CNC Andr.Trojan.Femas variant outbound connection (1:43981)
MALWARE-CNC Andr.Trojan.Femas variant outbound connection (1:43982)
MALWARE-CNC Android.Trojan.DroidKungFu outbound connection (1:43578)
MALWARE-CNC Win.Trojan.BlackEnergy outbound communication (1:43597)
MALWARE-CNC Win.Trojan.Fareit variant outbound connection (1:43972)
MALWARE-CNC Win32.Trojan.NeutrinoPOS connection attempt (1:43575)
MALWARE-OTHER Win.Trojan.Nemucod variant file download (1:43684)
MALWARE-OTHER Win.Trojan.Nemucod variant outbound connection (1:43685)
MALWARE-OTHER Win.Trojan.NemucodAES variant outbound connection (1:43686)
OS-LINUX Linux kernel SCTP invalid chunk length denial of service attempt (1:43692)
POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (1:44004)
SERVER-APACHE httpd ap_find_token buffer overread attempt (1:43587)
SERVER-APACHE httpd mod_mime content-type buffer overflow attempt (1:43547)
SERVER-ORACLE Oracle Reports Server information disclosure attempt (1:43660)
SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (1:43661)
SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (1:43662)
SERVER-OTHER Aerospike Database Server si_prop stack buffer overflow attempt (1:43561)
SERVER-OTHER CCProxy telnet ping buffer overflow attempt (1:43542)
SERVER-OTHER Cisco IOS DHCP denial of service attempt (1:43573)
SERVER-OTHER HPE LoadRunner buffer overflow exploitation attempt (1:43705)
SERVER-OTHER LAN Messenger initiation request buffer overflow attempt (1:43566)
SERVER-OTHER Monkey HTTPD null request denial of service attempt (1:43700)
SERVER-OTHER Oracle Database Server authentication bypass attempt (1:43581)
SERVER-OTHER Oracle Demantra information disclosure attempt (1:43596)
SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt (1:43610)
SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt (1:43611)
SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt (1:43620)
SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt (1:43621)
SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (1:43602)
SERVER-WEBAPP AlienVault OSSIM nfsen.php command injection attempt (1:43534)
SERVER-WEBAPP AlienVault OSSIM nfsen.php command injection attempt (1:43535)
SERVER-WEBAPP AlienVault OSSIM nfsen.php command injection attempt (1:43536)
SERVER-WEBAPP AlienVault Unified Security Manager authentication bypass attempt (1:43549)
SERVER-WEBAPP Axis M3004 remote code execution attempt (1:43625)
SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (1:43588)
SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (1:43589)
SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (1:43590)
SERVER-WEBAPP Brocade Network Advisor remote code execution attempt (1:43548)
SERVER-WEBAPP CA ArcServe information disclosure attempt (1:43544)
SERVER-WEBAPP CA eHealth command injection attempt (1:43583)
SERVER-WEBAPP CA eHealth command injection attempt (1:43584)
SERVER-WEBAPP CA eHealth command injection attempt (1:43585)
SERVER-WEBAPP CA eHealth command injection attempt (1:43586)
SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (1:44005)
SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (1:44006)
SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (1:44007)
SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (1:44008)
SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (1:43616)
SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (1:43617)
SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (1:43618)
SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (1:43619)
SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (1:43545)
SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (1:43591)
SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (1:43592)
SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (1:43593)
SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (1:43594)
SERVER-WEBAPP Koha directory traversal attempt (1:43539)
SERVER-WEBAPP Mantis Bug Tracker password reset attempt (1:43693)
SERVER-WEBAPP Mantis Bug Tracker password reset attempt (1:43694)
SERVER-WEBAPP Netgear Prosafe filesystem denial of service attempt (1:43595)
SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt (1:43567)
SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt (1:43568)
SERVER-WEBAPP Oracle BPEL Process Manager directory traversal attempt (1:43577)
SERVER-WEBAPP PHP core unserialize use after free attempt (1:43668)
SERVER-WEBAPP Pheap edit.php directory traversal attempt (1:43653)
SERVER-WEBAPP Pheap edit.php directory traversal attempt (1:43654)
SERVER-WEBAPP Pheap edit.php directory traversal attempt (1:43655)
SERVER-WEBAPP ReadyDesk upload remote code execution attempt (1:43552)
SERVER-WEBAPP ReadyDesk upload remote code execution attempt (1:43553)
SERVER-WEBAPP ReadyDesk upload remote code execution attempt (1:43554)
SERVER-WEBAPP SAP Internet Transaction Server cross site scripting attempt (1:43637)
SERVER-WEBAPP SonicWall Secure Remote Access diagnostics command injection attempt (1:43645)
SERVER-WEBAPP SonicWall Secure Remote Access diagnostics command injection attempt (1:43646)
SERVER-WEBAPP SonicWall Secure Remote Access diagnostics command injection attempt (1:43647)
SERVER-WEBAPP SonicWall Secure Remote Access viewcert command injection attempt (1:43688)
SERVER-WEBAPP SonicWall Secure Remote Access viewcert command injection attempt (1:43689)
SERVER-WEBAPP SonicWall Secure Remote Access viewcert command injection attempt (1:43690)
SERVER-WEBAPP Trend Micro InterScan WSA DeployWizard command injection attempt (1:43695)
SERVER-WEBAPP Trend Micro InterScan WSA DeployWizard command injection attempt (1:43696)
SERVER-WEBAPP Trend Micro InterScan WSA DeployWizard command injection attempt (1:43697)
SERVER-WEBAPP Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt
SERVER-WEBAPP VirtualSystem VS-News-System remote file include attempt (1:43667)
SERVER-WEBAPP Wing FTP Server command injection attempt (1:43574)
SERVER-WEBAPP Zavio Cam command injection attempt (1:43569)
SERVER-WEBAPP Zavio Cam command injection attempt (1:43570)
SERVER-WEBAPP Zavio Cam command injection attempt (1:43571)
SERVER-WEBAPP Zavio Cam command injection attempt (1:43572)
SERVER-WEBAPP Zenoss call home remote code execution attempt (1:43634)
SERVER-WEBAPP phpSecurePages secure.php remote file include attempt (1:43680)
SERVER-WEBAPP phpSecurePages secure.php remote file include attempt (1:43681)
SQL Oracle MySQL Pluggable Auth denial of service attempt (1:43671)
Deleted Rules
BLACKLIST DNS request for known malware domain cinebergen.nl - Win.Trojan.Larosden (1:32032)
BLACKLIST DNS request for known malware domain somee.com - Win.Trojan.Soaphrish (1:32200)
ET TOR Known Tor Exit Node TCP Traffic group 73 (1:2520144)
ET TOR Known Tor Exit Node UDP Traffic group 73 (1:2520145)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 661 (1:2523320)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 662 (1:2523322)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 663 (1:2523324)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 664 (1:2523326)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 665 (1:2523328)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 666 (1:2523330)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 667 (1:2523332)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 668 (1:2523334)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 669 (1:2523336)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 670 (1:2523338)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 671 (1:2523340)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 672 (1:2523342)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 673 (1:2523344)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 674 (1:2523346)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 675 (1:2523348)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 676 (1:2523350)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 677 (1:2523352)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 661 (1:2523321)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 662 (1:2523323)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 663 (1:2523325)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 664 (1:2523327)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 665 (1:2523329)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 666 (1:2523331)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 667 (1:2523333)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 668 (1:2523335)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 669 (1:2523337)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 670 (1:2523339)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 671 (1:2523341)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 672 (1:2523343)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 673 (1:2523345)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 674 (1:2523347)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 675 (1:2523349)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 676 (1:2523351)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 677 (1:2523353)
SERVER-WEBAPP Invalid HTTP Version String (1:43762)
Rule Totals
New:-------257
Deleted:---39
Enabled:---29379
Dropped:---0
Disabled:--26706
Total:-----56085
IP Blacklist Stats
Total IPs:-----8908
Generating a manual tally of the categories added, we have:
Added:
63 ET CURRENT_EVENTS
63 SERVER-WEBAPP
20 FILE-OTHER
17 ET TROJAN
16 BROWSER-IE
13 SERVER-OTHER
11 BROWSER-PLUGINS
10 FILE-OFFICE
8 BROWSER-FIREFOX
6 MALWARE-CNC
6 ET CNC
3 SERVER-ORACLE
3 MALWARE-OTHER
3 INDICATOR-COMPROMISE
2 SERVER-APACHE
2 INDICATOR-OBFUSCATION
2 FILE-PDF
2 FILE-EXECUTABLE
2 ET DOS
1 SQL
1 POLICY-OTHER
1 OS-LINUX
1 ET EXPLOIT
1 APP-DETECT HTTPTunnel
The file basically shows every rule that was added, which is quite interesting to monitor in order to spot trends, such as which categories are being updated or deleted the most. Beyond that, it is essential to always keep the IDS up to date, because, as you can see, rules do get deleted, either because they no longer make sense or because of poor detection quality, which will certainly flood your SOC with false positives.
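As an added example (not code from the post or from PulledPork), here is a small Python parser for the sid_changes.log sections quoted above that reproduces the manual category tally and also computes the net change per category (added minus deleted) for trend watching across updates; the log text is a constructed sample in the same format.

```python
import re
from collections import Counter

# Constructed sample in the shape of pulledpork's sid_changes.log, using the
# same section headers the post quotes (New Rules / Deleted Rules / Rule Totals).
SAMPLE_LOG = """\
New Rules
APP-DETECT HTTPTunnel proxy outbound connection detected (1:43565)
ET CURRENT_EVENTS Hancitor/Tordal Document Inbound (1:2024605)
ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 19 2016 (1:2024560)
ET TROJAN Spora Ransomware DNS Query (1:2024603)
SERVER-WEBAPP Koha directory traversal attempt (1:43539)
SERVER-WEBAPP Zenoss call home remote code execution attempt (1:43634)
Deleted Rules
ET TOR Known Tor Exit Node TCP Traffic group 73 (1:2520144)
SERVER-WEBAPP Invalid HTTP Version String (1:43762)
Rule Totals
New:-------6
Deleted:---2
"""

SECTIONS = ("New Rules", "Deleted Rules")
# A rule line is "<msg> (<gid>:<sid>)". The non-greedy msg keeps text such as
# "(set)" inside the message; only the final "(digits:digits)" is consumed.
RULE_RE = re.compile(r"^(?P<msg>.+?)\s+\((?P<gid>\d+):(?P<sid>\d+)\)$")


def category_of(msg):
    """Category prefix of a rule message: Emerging Threats rules use two tokens
    ('ET CURRENT_EVENTS'), VRT/Talos rules one hyphenated token ('SERVER-WEBAPP')."""
    tokens = msg.split()
    if tokens[0] == "ET" and len(tokens) > 1:
        return f"ET {tokens[1]}"
    return tokens[0]


def parse_sid_changes(text):
    """Return (section, category, gid, sid, msg) tuples for every rule line.
    'Rule Totals' and everything after it (counters, IP blacklist stats) is skipped."""
    section = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if line == "Rule Totals":
            section = None
            continue
        m = RULE_RE.match(line)
        if section is None or m is None:
            continue
        rules.append((section, category_of(m["msg"]),
                      int(m["gid"]), int(m["sid"]), m["msg"]))
    return rules


def category_counts(rules, section):
    """Counter of categories within one section, like the post's manual tally."""
    return Counter(cat for sec, cat, *_ in rules if sec == section)


def category_trend(rules):
    """Net change per category (added minus deleted) for trend watching."""
    added = category_counts(rules, "New Rules")
    deleted = category_counts(rules, "Deleted Rules")
    return {cat: added[cat] - deleted[cat] for cat in set(added) | set(deleted)}


if __name__ == "__main__":
    parsed = parse_sid_changes(SAMPLE_LOG)
    for section in SECTIONS:
        print(f"{section}:")
        for cat, n in category_counts(parsed, section).most_common():
            print(f"{n:>4} {cat}")
    print("Net change:", category_trend(parsed))
```

Run it against a real sid_changes.log by reading the file into `parse_sid_changes` instead of `SAMPLE_LOG`; a category whose net change is consistently negative is the one to review for retired or noisy signatures.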
Remember that the list of IPs used by the IP Reputation preprocessor is also updated; the preprocessor must be configured in your snort.conf to benefit from this list, which is even more dynamic than the rules themselves.
As mentioned earlier, we hope that future editions of the SRW will carry more content derived from analyses and honeypots.
Happy Detection!
Threat Hunter Brasil Team