Hey again, it’s been another great week of Suricata and IDS community collaboration. We’ve had 68 rules contributed to ET Open this week. Here’s the story on just a few of them, and the people and orgs that have helped us get there!
Following the Gamaredon SID from last week, @StopMalvertisin helps again with another tip on the same activity: SID 2044197, “ET MALWARE Gamaredon APT Related Activity (GET)”.
Two from our friend @jaydinbas, both DonotGroup domain SIDs, one on the DNS query (2044198) and one on the TLS handshake (2044199).
Here on our Discourse site, productive collaboration between ET’s own @bingohotdog and our friend @cosmicgumbo for CVE-2021-22205 coverage. Take a look and see how CyberChef and other analysis helped identify the meat for SID 2044201!
From @Cyber0verload, a tip on Gamaredon APT leading to an alert on a DNS lookup for an associated domain: SID 2044209.
A reminder from our FAQ: each of our rules is created with a Time-To-Review value. Our rule writers can set a rule to be reviewed in 30/60/90 day increments. At those points a rule can be set to be permanent, be deferred for review, or be disabled.
Next up, a tweet from @cyberwar_15 prompted SID 2033908, an outbound GET with a content pattern matching a malicious OneDrive download.
SID 2044206, alerting on a macOS updater…
Public postings by the industry help us out as well; here are a few we sig’d on this week…
from @ahnlab, SIDs 2044236-2044241, various inbound APT37 M2RAT C2 commands.
from @symantec, SIDs 2044231 and 2044232, both Win32/frebniis IIS Backdoor Trigger Attempts. The detection logic was identified from the byte patterns and POST content in their blog post.
CVE-2021-22205 coverage from SID 2044201, thanks to the HackerOne report at http://hackerone.com/reports/1154542 and the devcraft.io write-up “ExifTool CVE-2021-22204 - Arbitrary Code Execution”.
Another CVE: CVE-2022-48323 (a directory traversal attempt) is covered by SID 2044205, thanks to @tenable’s write-up of the crafted HTTP request here: CVE-2022-48323 | Tenable®.
Lastly, big thanks to @James_inthe_box for helping us update our existing Laplas Clipper rules (SIDs 2039775-2039777). After the threat actors started moving parameters around in their C2 traffic, a sample he provided allowed us to tune the rules properly. Great collab!