Let me know if you need anything of me from this. Most of my thoughts are in the link.
Hello @cosmicgumbo!
Thanks for this signature submission, I’m a fan of this format.
I’ll get your telegram rule in with today’s release. I have tweaked the name a bit to indicate it’s a Telegram Checkin and modified the fast_pattern to one of the content matches.
I’ll provide a sid once the rule has been published!
This is in the ruleset now!
2043288 - ET MALWARE DCRAT Checkin via Telegram
This triage run for DCRat fired an older rule of 2034194.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRAT Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content: "&"; pcre: "/^(?:[a-f0-9]{2}){16}=(?:[a-f0-9]{2}){16}&(?:[a-f0-9]{2}){16}=(?=[a-z0-9A-Z]{0,32}[A-Z][a-z][A-Z][a-z][A-Z])/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:56; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1448751827046985746; reference:md5,60cf8c1093d596a44dc997d00caae463; classtype:trojan-activity; sid:2034194; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_15;)
This newer triage instance I found and re-ran did not trip anything but some informational alerts.
Do you have an idea why 2034194 FNs on the newer Triage run?
Got this tweaked up and a fix going to for today’s release! Thanks for pointing out this FN!