Weekly Community Review - June 30, 2023

Hello all - thanks to sharing and collaboration throughout the suricata and #snort #IDS community we were able to add 79 rules to etopen this week. Great work! We’ll talk about a few of those contributions now and see how some of those rules happened…

A kind tag from @Cyber0verload led to SIDs 2046645-2046651 - these are alerts on #Gamaredon domains showing in the DNS lookup requests from hosts within your network(s). Potentially indicative of compromise, they should be treated in context as an indication that those hosts should be examined for further suspicious traffic or artifacts.

Still more #Gamaredon #APT coverage with @StopMalvertisin allowing us to craft detection logic on C2 outbound activity from their hashes and content shares:

Check out our own @bingohotdog on the @threatinsight #DISCARDED podcast - lots of great information throughout each episode giving you a great view into the threat landscape and the great team we have working hard every day to protect and defend your information assets!


And speaking of, read downthread on this #Discourse post to our sit as @bingohotdog assisted by @trobinson667 responds to user @dspruell and @Jane0sint - there’s detailed thinking within on our own #QA processes and why we make some of the choices we make in putting our initial rule logic through the ringer to ensure the rules are performant for you and the community. Check it out!

Shared community content from @AuCyble led to SIDs 2046643-2046644 - two SIDs covering #SupremeBot C2 checkin methods with the malware initially spread via game installer! Thanks for making your research visible to all!

From friend @Jane0sint , two SIDs today on Repl it and Duino-Pooh Coin Miners - thanks as always!

Kudos to @SANGFOR on this post - SID 2046669 alerts on #SparkRat C2 checkins thanks to their research and linked github code which allowed us to model the associated http header and user-agent information used by the RAT at work!

And to @sekoia_io as well. This #DDoSia blog detailed the toolkit being used against countries critical of #Russia on #Ukraine built SIDs 2046697 (client checkin) and 2046698 (target list retrieval by client) for alerting on affected hosts within your views!

Thanks all for the collaboration and community - take care!