Greetings all! We had another great week here at Emerging Threats - the #IDSsuricata and #Snort community gave tips, intel, and straight-up rule submission to power our etopen ruleset to 123 new rules last week. Thank you all for that! We’ll dive in and discuss a few here…
SIDs 2048374-2048376 come from this @naumovax tweet and the included hatching_io run - they’ll alert on #Agniane #Stealer outbound #C2 activity.
SIDs 2048484 (DNS query alert), 2048485 (Payload Downloader Inbound), 2048486 (DNS Query), and 2048487 (TLS SNI alert) came from this @reecdeep tweet on #Ursnif - if a host queries these #Ursnif domains, look for 2048485 to fire as well, which indicates infection!
Now these are all etopen signatures - meaning they’re BSD licensed and free for your use! But what about ETPRO sigs? Those are created as a result of Proofpoint internal research and are available via paid license. We do move Open sigs to Pro in some situations - but why? And what happens then?
That’s our #Discourse site. And check this out: here, friend @Jane0sint submits a couple new #Gh0stRat sigs - investigate the rule logic and the any.run link!
The site is a great tool not only for the community and our customers to post up support questions and rule queries - but it’s our shared documentation site as well. Here, ET’s JT focuses on how @OISFoundation has updated keywords between suricata 5 → 6 and 6 → 7. Look for our full Suricata 7 release in Q4 this year!
From industry contributors, this @IBMSecurity #NetScaler #CVE_2023_3519 blog included reference IOCs that fed DNS lookup alerting SIDs 2048471-2048475.
Those are IOC sigs based on disclosed intelligence. As such, they might not be viable for very long - for ET, each rule is created with a TTR (Time-To-Review) value. In that process a rule writer, when creating their rule, has the ability to set the rule to be up for review in 30/60/90 day increments. We do this to make sure the ruleset is performant and up-to-date!
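One way a defender could apply the same review cadence to a locally maintained IOC rule file, as an added example (not ET's own tooling): the sample rules are constructed, and the `ttr_days` metadata key is an assumption rather than a documented ET field.

```python
"""Apply a Time-To-Review (TTR) cadence to a local Suricata IOC rule file.

Constructed example. The metadata key ``ttr_days`` is an assumption, not a
documented ET field; ``created_at`` follows ET's ``YYYY_MM_DD`` convention.
"""
import re
from datetime import date, timedelta

# Constructed sample rules (domains use the reserved .invalid TLD).
RULES = """\
alert dns $HOME_NET any -> any any (msg:"LOCAL IOC DNS lookup example-c2.invalid"; dns.query; content:"example-c2.invalid"; nocase; endswith; classtype:trojan-activity; sid:9000001; rev:1; metadata:created_at 2023_08_01, ttr_days 30;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL IOC TLS SNI example-c2.invalid"; tls.sni; content:"example-c2.invalid"; nocase; endswith; classtype:trojan-activity; sid:9000002; rev:1; metadata:created_at 2023_08_20, ttr_days 90;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL downloader URI"; http.uri; content:"/dl.php"; classtype:trojan-activity; sid:9000003; rev:1; metadata:created_at 2023_07_01;)
"""

SID_RE = re.compile(r"\bsid:(\d+);")
META_RE = re.compile(r"\bmetadata:([^;]*);")

def parse_metadata(rule):
    """Turn 'metadata:k1 v1, k2 v2;' into a dict; missing metadata -> {}."""
    m = META_RE.search(rule)
    if not m:
        return {}
    pairs = (item.strip().split(None, 1) for item in m.group(1).split(","))
    return {k: v for k, v in (p for p in pairs if len(p) == 2)}

def review_due(rule, today_iso):
    """Return (sid, due_date_iso, overdue) or None if the rule carries no TTR."""
    sid = SID_RE.search(rule)
    meta = parse_metadata(rule)
    if not sid or "created_at" not in meta or "ttr_days" not in meta:
        return None
    created = date(*map(int, meta["created_at"].split("_")))
    due = created + timedelta(days=int(meta["ttr_days"]))
    return int(sid.group(1)), due.isoformat(), due <= date.fromisoformat(today_iso)

def overdue_sids(ruleset, today_iso):
    """SIDs whose review date has passed, in file order; comments/blank lines skipped."""
    overdue = []
    for line in ruleset.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            r = review_due(line, today_iso)
            if r and r[2]:
                overdue.append(r[0])
    return overdue

if __name__ == "__main__":
    print(overdue_sids(RULES, "2023-09-15"))  # [9000001]
```

Rules without a `ttr_days` value (the third sample) are left alone, so the check only nags about IOC rules that were explicitly given a review window.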