Greetings! It’s Monday and we’re here to talk about all the research, sharing, and collaboration that went into a few of the 44 new Emerging Threats IDS signatures that got added into our ET Open ruleset last week.
This ruleset thrives on collaboration. It is what lets us offer the rules for free download into your #Snort or #Suricata instances and keep them as comprehensive as they are, because they are powered by what people like you are seeing on the landscape.
An old friend of ET gave us feedback on SID 2047155 which allowed us to make the message more accurate last week. You can help too! How? Here on Twitter, through our Discourse site (http://community.emergingthreats.net), or via email to support[at]emergingthreats.net!
Here on #Discourse, this community is living and breathing! Last month @g0njxa provides some #RootTeam coverage intel and overlap data and Isaac with ET responds with new rules and tweaks. Then last week @g0njxa updates with a variant and coverage gap and @Jane0sint adds an anyrun detonation report which ET’s @jtaylor turns into SIDs 2047671 and 2047672!
And more: Here, @Jane0sint updates their post from June with a tweak request and ET’s @jtaylor delivers again! This is great collaboration!
From @James_inthe_box, a kind Twitter tag and an anyrun sandbox run with a coverage check, with multiple SIDs firing. Check it out:
https://twitter.com/James_inthe_box/status/1692195882433953991?s=20
A small note on ruleset metadata tags: we keep and maintain these fields to help you tailor the ruleset to fit your environment:
From industry partners and community shares: @EclecticIQ, with this writeup and IoCs, which allowed SIDs 2047638-2047645 to alert on DNS lookups as well as TLS SNI connectivity to the indicated domains:
And @zscaler's blog, which led to SID 2047646 alerting on the described outbound check-in for #JanelaRAT based on the modeled HTTP URI and hard-coded UA string!
From @uptycs, SID 2047647 came from the research they shared in this blog. Our #QwixxRAT #QwixxStealer sig now alerts on the outbound check-in:
And lastly, from @Rapid7, SIDs 2047674 & 2047675 (detects non-URL-encoded payloads) alert on exploit attempts against CVE-2022-39986. This vulnerability affects the Debian-based RaspAP application, specifically the ovpncfg.php URI endpoint and the cfg_id POST parameter.
On the homefront, a shout-out to our @ThreatInsight #Discarded podcast. In this episode, listen to Selena and Crista talk with Pim and Jacob about how their engineering skills help them do the great work they do for the Threat Research team!
Thanks all!