Weekly Community Review - February 17, 2023

Hey again, it’s been another great week of Suricata and IDS community collaboration. We’ve had 68 rules contributed to ET Open this week. Here’s the story on just a few of them, and the people and orgs that’ve helped us get there!

Following the Gamaredon SID from last week, @StopMalvertisin aids again with another tip on the same campaign - SID 2044197, “ET MALWARE Gamaredon APT Related Activity (GET)”.

Two from our friend @jaydinbas, both DonotGroup domain SIDs around the DNS query (2044198) and the TLS handshake (2044199).

Here on our Discourse site, productive collaboration between ET’s own @bingohotdog and our friend @cosmicgumbo for CVE-2021-22205 coverage - take a look and see how CyberChef and other analysis helped identify the meat for SID 2044201!

From @Cyber0verload, a tip on Gamaredon APT leading to an alert on a DNS lookup against an involved domain: SID 2044209.

A reminder from our FAQ: each of our rules is created with a Time-To-Review value. Our rule writers can set a rule to be reviewed in 30/60/90 day increments. At those points a rule can be made permanent, deferred for further review, or disabled.

Next up, a tweet from @cyberwar_15 keyed us up to write SID 2033908, an outbound GET with a content pattern matching a malicious OneDrive download.

SID 2044206, alerting on a macOS updater

Public postings by the industry help us out as well; here are a few we sig’d on this week…

From @ahnlab, SIDs 2044236-2044241, various inbound APT37 M2RAT C2 commands.

From @symantec, SIDs 2044231 and 2044232, both Win32/Frebniis IIS Backdoor Trigger Attempts. The detection logic was identified from the byte patterns and POST content described in their blog post.

CVE-2021-22205 coverage from SID 2044201, thanks to http://hackerone.com/reports/1154542 and the devcraft.io write-up “ExifTool CVE-2021-22204 - Arbitrary Code Execution”.

Another CVE, CVE-2022-48323 (an identified directory traversal attempt), is covered by SID 2044205, thanks to @tenable’s reporting of the crafted HTTP request here: CVE-2022-48323 | Tenable®

Lastly, big thanks to @James_inthe_box for his aid in helping us make changes to our existing Laplas Clipper rules (SIDs 2039775-2039777). After threat actors started moving parameters around in their C2 traffic, a sample he provided allowed us to tune the rules properly. Great collab!
