

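# TOR TLS chain A (flowbits FB447357_*), stage 0 of 4 -- per-flow state only, no alert.
# Chain: 11002430 -> 11002431 -> 11002432 -> 11002433 advance the state with
# "flowbits: noalert"; only the final sid 11002434 raises an alert. Stage 0 also needs
# FB0_01, which sid 10001844 sets when a TOR-style server certificate was seen earlier
# in the same flow.
# Match: client->server segment whose payload starts with a TLS record header
# 17 (application_data) 03 01 (record version TLS 1.0) 00 20 (32-byte record), while the
# bytes seen so far on each side are inside the stream_size windows
# (server 955..3862, client 167..2557).
# NOTE(review): only record version 0x0301 is matched; TLS 1.2/1.3 application-data
# records carry 0x0303, so the chain will not fire on them -- confirm this is intended.
# NOTE(review): every later stage requires the bit set by the previous one, so disabling
# any single stage sid silently prevents 11002434 from ever alerting.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB447357_0"; flow: established, to_server; content: "|1703 01 0020|"; depth: 5; fast_pattern; stream_size: server, >,954; stream_size: server, <,3863; stream_size: client, >,166; stream_size: client, <,2558; flowbits: noalert; flowbits: isset, FB0_01; flowbits: set, FB447357_0; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002430; rev: 6;)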
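# TOR TLS chain A, stage 1 of 4 -- per-flow state only, no alert (sids 11002430..11002434).
# Match: server->client payload starting with a 32-byte TLS 1.0 application-data record
# (17 03 01 00 20); the second content requires another record header (17 03) exactly
# 32 bytes after the first header ends, i.e. two back-to-back records in one segment.
# Advances FB447357_0 -> FB447357_1; windows server 2415..3862, client 167..2557.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB447357_1"; flow: established, to_client; content: "|1703 01 0020|"; depth: 5; fast_pattern; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,2414; stream_size: server, <,3863; stream_size: client, >,166; stream_size: client, <,2558; flowbits: noalert; flowbits: isset, FB447357_0; flowbits: unset, FB447357_0; flowbits: set, FB447357_1; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002431; rev: 6;)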
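# TOR TLS chain A, stage 2 of 4 -- per-flow state only, no alert.
# Match: client->server payload starting with a 544-byte (0x0220) TLS 1.0
# application-data record (17 03 01 02 20).
# Advances FB447357_1 -> FB447357_2; windows server 3045..3862, client 716..2557.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB447357_2"; flow: established, to_server; content: "|1703 01 0220|"; depth: 5; fast_pattern; stream_size: server, >,3044; stream_size: server, <,3863; stream_size: client, >,715; stream_size: client, <,2558; flowbits: noalert; flowbits: isset, FB447357_1; flowbits: unset, FB447357_1; flowbits: set, FB447357_2; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002432; rev: 6;)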
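# TOR TLS chain A, stage 3 of 4 -- per-flow state only, no alert.
# Match: server->client segment holding two back-to-back 32-byte TLS 1.0 application-data
# records (same shape as sid 11002431). Advances FB447357_2 -> FB447357_3.
# Windows: server 3631..3962, client 1265..2557 (the server upper bound is 3963 here,
# 3863 in stages 0-2).
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB447357_3"; flow: established, to_client; content: "|1703 01 0020|"; depth: 5; fast_pattern; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,3630; stream_size: server, <,3963; stream_size: client, >,1264; stream_size: client, <,2558; flowbits: noalert; flowbits: isset, FB447357_2; flowbits: unset, FB447357_2; flowbits: set, FB447357_3; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002433; rev: 6;)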
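# TOR TLS chain A, final stage -- the sid that actually alerts (no "noalert").
# Match: client->server payload starting with a 544-byte TLS 1.0 application-data record
# while FB447357_3 is set; windows server 3631..4406, client 1814..3101.
# FB447357_3 is cleared on match, so the flow has to walk the whole chain again from
# sid 11002430 (FB0_01 stays set) before this alerts a second time.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] SSL TOR unusual activity"; flow: established, to_server; content: "|1703 01 0220|"; depth: 5; fast_pattern; stream_size: server, >,3630; stream_size: server, <,4407; stream_size: client, >,1813; stream_size: client, <,3102; flowbits: isset, FB447357_3; flowbits: unset, FB447357_3; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002434; rev: 5;)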
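# TOR TLS chain B (flowbits FB167479_*), stage 0 of 4 -- per-flow state only, no alert.
# Chain: 11001533 -> 11001540 -> 11001541 -> 11001542; only sid 11001543 alerts.
# Needs FB0_01 (TOR-style server certificate, set by sid 10001844 in the same flow).
# Match: client->server payload holding two consecutive 32-byte TLS 1.0 application-data
# records: header 17 03 01 00 20 at offset 0 and the same header again 32 bytes after
# the first header ends (distance 32, within 5).
# Windows: server 1064..3155, client 430..2260.
# NOTE(review): as in chain A, only record version 0x0301 is matched (TLS 1.2/1.3
# records carry 0x0303) -- confirm this is intended.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB167479_0"; flow: established, to_server; content: "|1703 0100 20|"; fast_pattern; depth: 5; content: "|1703 0100 20|"; distance: 32; within: 5; stream_size: server, >,1063; stream_size: client, >,429; stream_size: server, <,3156; stream_size: client, <,2261; flowbits: noalert; flowbits: isset, FB0_01; flowbits: set, FB167479_0; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001533; rev: 10;)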
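# TOR TLS chain B, stage 1 of 4 -- per-flow state only, no alert.
# Match: server->client payload starting with a 32-byte TLS 1.0 application-data record
# followed immediately by another record header (17 03 at distance 32, within 2).
# Advances FB167479_0 -> FB167479_1; windows server 2524..3999, client 430..2260.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB167479_1"; flow: established, to_client; content: "|17 03 01 00 20|"; fast_pattern; depth: 5; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,2523; stream_size: client, >,429; stream_size: server, <,4000; stream_size: client, <,2261; flowbits: noalert; flowbits: isset, FB167479_0; flowbits: unset, FB167479_0; flowbits: set, FB167479_1; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001540; rev: 9;)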
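# TOR TLS chain B, stage 2 of 4 -- per-flow state only, no alert.
# Match: client->server payload with the same two-record shape as sid 11001540
# (32-byte record, then another record header 32 bytes after the first header).
# Advances FB167479_1 -> FB167479_2; windows server 3154..4099, client 1016..2260.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB167479_2"; flow: established, to_server; content: "|17 03 01 00 20|"; fast_pattern; depth: 5; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,3153; stream_size: client, >,1015; stream_size: server, <,4100; stream_size: client, <,2261; flowbits: noalert; flowbits: isset, FB167479_1; flowbits: unset, FB167479_1; flowbits: set, FB167479_2; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001541; rev: 10;)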
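# TOR TLS chain B, stage 3 of 4 -- per-flow state only, no alert.
# Match: server->client payload with the two-record shape (32-byte TLS 1.0
# application-data record, then another record header at distance 32).
# Advances FB167479_2 -> FB167479_3; windows server 3740..4855, client 1602..2260.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB167479_3"; flow: established, to_client; content: "|17 03 01 00 20|"; fast_pattern; depth: 5; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,3739; stream_size: client, >,1601; stream_size: server, <,4856; stream_size: client, <,2261; flowbits: noalert; flowbits: isset, FB167479_2; flowbits: unset, FB167479_2; flowbits: set, FB167479_3; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001542; rev: 9;)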
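# TOR TLS chain B, final stage -- the sid that actually alerts (no "noalert").
# Match: client->server payload with the two-record shape while FB167479_3 is set;
# windows server 3740..4999, client 2188..4999.
# FB167479_3 is cleared on match, so the flow must re-walk the chain from sid 11001533
# (FB0_01 stays set) before this alerts again.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity"; flow: established, to_server; content: "|17 03 01 00 20|"; fast_pattern; depth: 5; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,3739; stream_size: client, >,2187; stream_size: server, <,5000; stream_size: client, <,5000; flowbits: isset, FB167479_3; flowbits: unset, FB167479_3; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001543; rev: 7;)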
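# Marker rule: sets FB0_01 (no alert) when a server->client TLS payload looks like the
# small X.509 certificate the msg attributes to TOR. Both TOR chains above
# (FB447357_*, FB167479_*) require this bit in their stage-0 rule.
# Byte pattern (DER): 30 82 = SEQUENCE with 2-byte length (outer Certificate), within the
# first 300 bytes; 30 82 01 two bytes later = inner tbsCertificate SEQUENCE of 0x01xx
# (256-511) bytes; a0 03 02 01 02 02 = [0] version INTEGER 2 (v3) followed by the
# serialNumber INTEGER tag; "|7777|" (ASCII "ww") 38 bytes later -- presumably the "www."
# prefix of the issuer/subject name in generated TOR certificates, confirm against samples.
# NOTE(review): the Certificate message is plaintext only for TLS <= 1.2; on TLS 1.3
# sessions it is encrypted, so FB0_01 cannot be set there and neither chain can alert.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "POLICY [PTsecurity] TOR cert set FB set FB0_01"; flow: established, to_client; content: "|3082|"; depth: 300; content: "|308201|"; distance: 2; within: 3; content: "|a00302010202|"; distance: 1; within: 6; content: "|7777|"; distance: 38; within: 2; fast_pattern; flowbits: set, FB0_01; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 10001844; rev: 6;)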
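# Trinper (APT TaxOff) heuristic per the msg: a client HTTP request carrying the header
# "X-Whatever-Else: " (matched as "X-Whatever-Else|3a 20|" in the http.header buffer).
# Alerts at most once per source every 300 s (threshold type limit, track by_src).
# NOTE(review): the content is case-sensitive and not anchored to the start of a header
# line, so a differently-cased header name is missed while the same string inside a
# header value would match; add "nocase" if samples vary in case.
alert http any any -> any any (msg: "SUSPICIOUS [PTsecurity] Suspicious HTTP header Trinper (APT TaxOff)"; flow: established, to_server; http.header; content: "X-Whatever-Else|3a 20|"; threshold: type limit, track by_src, count 1, seconds 300; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 10012124; rev: 1;)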
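# Sibling of sid 10012124: the same Trinper (APT TaxOff) header heuristic for the request
# header "X-Logo: " (http.header buffer, "X-Logo|3a 20|"); one alert per source per 300 s.
# NOTE(review): as with 10012124 the match is case-sensitive and unanchored; a short
# name like "X-Logo" is also more likely to appear as a benign custom header, so review
# hits before escalating.
alert http any any -> any any (msg: "SUSPICIOUS [PTsecurity] Suspicious HTTP header Trinper (APT TaxOff)"; flow: established, to_server; http.header; content: "X-Logo|3a 20|"; threshold: type limit, track by_src, count 1, seconds 300; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 10012125; rev: 1;)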
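# DecoyDog DNS tunnelling heuristic (see the Infoblox reference), strict variant: a DNS
# query to port 53 larger than 80 bytes whose header has QDCOUNT=1 and
# ANCOUNT=NSCOUNT=ARCOUNT=0 (payload bytes 4-11) and whose QNAME labels are 8, 32 and 24
# alphanumerics long (length bytes 08, 20, 18). Offsets assume the UDP layout; TCP DNS
# carries a 2-byte length prefix. Fires only after 2 matches to the same destination
# within 125 s (threshold type threshold, track by_dst).
# NOTE(review): the content/offset/depth clauses place the first label-length byte 0x08
# at payload offset 12 (right after the 12-byte DNS header), but the pcre "^.{10}\x08"
# pins it at offset 10; both must match, so as written this rule looks unable to fire on
# a well-formed query. Verify against a sample pcap -- "^.{12}\x08" would agree with the
# content matches. The looser sibling sid 10010053 (rev 3) is not affected.
alert dns any any -> any 53 (msg: "SUSPICIOUS [PTsecurity] Possible DecoyDog DNS Tunneling"; flow: to_server; dsize: >80; content: "|00 01 00 00 00 00 00 00 08|"; offset: 4; depth: 9; content: "|20|"; distance: 8; within: 1; content: "|18|"; distance: 32; within: 1; pcre: "/^.{10}\x08[a-z0-9]{8}\x20[a-z0-9]{32}\x18[a-z0-9]{24}/"; threshold: type threshold, track by_dst, count 2, seconds 125; reference: url, https://insights.infoblox.com/resources-whitepaper/infoblox-whitepaper-decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 10010052; rev: 1;)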
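# DecoyDog DNS tunnelling heuristic, looser variant (rev 3) of sid 10010052: a DNS query
# to port 53 over 80 bytes with QDCOUNT=1 and ANCOUNT=NSCOUNT=ARCOUNT=0, containing a
# 32-char alphanumeric label (length byte 0x20) followed by a 24-, 16- or 40-char
# alphanumeric label (0x18 / 0x10 / 0x28) and then a further label of 3..63 bytes that
# starts with an alphanumeric. The label-length bytes are not tied to a fixed header
# offset here, so queries whose first label is not exactly 8 characters are covered too.
# Alerts after 2 matches to the same destination within 125 s. Port 53 only: the same
# names carried over DoT/DoH are not seen by this rule.
alert dns any any -> any 53 (msg: "SUSPICIOUS [PTsecurity] Possible DecoyDog DNS Tunneling"; flow: to_server; dsize: >80; content: "|00 01 00 00 00 00 00 00|"; offset: 4; depth: 8; content: "|20|"; distance: 0; pcre: "/\x20[a-z0-9]{32}(\x18[a-z0-9]{24}|\x10[a-z0-9]{16}|\x28[a-z0-9]{40})[\x03-\x3f][a-z0-9]/"; threshold: type threshold, track by_dst, count 2, seconds 125; reference: url, https://insights.infoblox.com/resources-whitepaper/infoblox-whitepaper-decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 10010053; rev: 3;)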
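# Flags any client HTTP request whose User-Agent contains
# "go-external-ip (github.com/glendc/go-external-ip)" -- the UA of an open-source Go
# library for discovering the host's public IP. Per the msg and the any.run reference it
# has been seen in suspicious samples, but any Go program using the library sends the
# same UA, so treat hits as a lead rather than a verdict.
# One alert per source every 600 s (threshold type limit, track by_src).
alert http any any -> any any (msg: "SUSPICIOUS [PTsecurity] Suspicious communication using UA go-external-ip"; flow: established, to_server; http.user_agent; content: "go-external-ip (github.com/glendc/go-external-ip)"; threshold: type limit, track by_src, count 1, seconds 600; reference: url, https://app.any.run/tasks/3a15dd52-5bb9-4e35-9b80-dcd29099b157; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 10011380; rev: 2;)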
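# SteganoAmor operation, probe stage: an Office "existence check" (HTTP HEAD) for a lure
# document whose path looks machine-generated. On the request URI (length > 100): it
# must end in ".doc" (any case) and contain "_" and "/"; the pcre (R = relative to the
# preceding "/" match, U = URI buffer) then requires >=40 lowercase letters, >=2
# underscores, >=10 letters, an optional second "__letters" group and ".doc" at the end.
# Method must be HEAD and the headers must contain "Connection: Keep-Alive" and
# "User-Agent: Microsoft Office Existence Discovery" (the UA Office sends when probing a
# document URL). No threshold: every such request alerts.
# NOTE(review): the User-Agent literal could be matched in the http.user_agent buffer
# instead of as a header line in http.header; same behaviour, more specific buffer.
alert http any any -> any any (msg: "SUSPICIOUS [PTsecurity] Possible SteganoAmor Operation"; flow: established, to_server; http.uri; urilen: >100; content: ".doc"; nocase; endswith; content: "_"; content: "/"; pcre: "/^[a-z]{40,}[_]{2,}[a-z]{10,}([_]{2,}[a-z]{10,})?\.[dD][oO][cC]$/RU"; http.method; content: "HEAD"; http.header; content: "Connection: Keep-Alive"; content: "User-Agent: Microsoft Office Existence Discovery"; reference: url, https://tria.ge/240517-b29pwsbd2w/behavioral1; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 10011372; rev: 2;)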
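# SteganoAmor operation, download stage: the HTTP GET for the same machine-generated
# ".doc" path as sid 10011372 (URI length > 100, ending in ".doc", pcre requires >=40
# lowercase letters, >=2 underscores, >=10 letters, optional second "__letters" group).
# Headers must contain "Accept: */*", "Accept-Encoding: gzip, deflate" and
# "Connection: Keep-Alive" and must not contain "Referer" anywhere (content: !"Referer").
# No threshold: every such request alerts.
# NOTE(review): the header literals are matched byte-for-byte (case and spacing), so a
# client emitting e.g. "Connection: keep-alive" would not match -- confirm against the
# any.run sample before relying on all three header constraints.
alert http any any -> any any (msg: "SUSPICIOUS [PTsecurity] Possible SteganoAmor Operation"; flow: established, to_server; http.uri; urilen: >100; content: ".doc"; nocase; endswith; content: "_"; content: "/"; pcre: "/^[a-z]{40,}[_]{2,}[a-z]{10,}([_]{2,}[a-z]{10,})?\.[dD][oO][cC]$/RU"; http.method; content: "GET"; http.header; content: "Accept: */*"; content: "Accept-Encoding: gzip, deflate"; content: "Connection: Keep-Alive"; content: !"Referer"; reference: url, https://app.any.run/tasks/aa5684e6-a51b-4667-9202-c128478db7a4; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 10011449; rev: 2;)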