Weekly Community Review - October 18, 2023

Greetings all! Last week here at ET was a good one - thanks to public sharing, intel disclosures, wonderful research, and rule submissions we all added 75 rules to our ET Open ruleset - including rules covering #CVE-2023-22515, the critical #Confluence zero-day!

The #community aspect of infosec is important to us. In fact, it’s what powers etopen and allows us to offer those rules up for free here: Proofpoint Emerging Threats Rules

So you can find those rules there! They are marked in your suricata.yaml upon install, and you can configure your instance to grab what you like. You can use suricata-update to keep current. They’re meant to protect your monitored networks. All we ask is you give us some feedback!

Digging into those 75 - from this @akami blog we’ve got a #MageCart detection - SID 2048531 alerts on the identified “COOKIE_ANNOT” text string appearing within the returned HTML!

This @ptsecurity #DarkRiver #Matador writeup helped us (with a lot of @greg genius too!) write SID 2048550 alerting on a consistent byte payload indicating C2 beacon activity!

Here on our #Discourse site, just a ton of great information sharing. In this #Darkgate #Stealer thread, our friend @Jane0sint tees up the research and analysis that ends in proposed detection logic - and this becomes SID 2048558! Read this thread. You Will Learn!

And speaking of learning - check out our Tutorials, Tips, & Tricks section. In this thread, ET’s @jtaylor talks about suricata’s prefilter keyword. You can potentially fast_pattern when you don’t think you can fast_pattern.
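To tie the COOKIE_ANNOT detection above and the prefilter tip together, here are two illustrative rules added for this post; they are not SID 2048531 or any other ET Open rule. The msg strings, the 1000000+ SIDs and the ttl value are placeholders of my own, chosen only to show the syntax.

```suricata
# Illustrative rules, not ET Open rules. SIDs in the local 1000000+ range and
# the msg text are placeholders.

# Look for the "COOKIE_ANNOT" marker inside the HTML a server returns to the
# client. http.response_body is the sticky buffer for the decoded response
# body, and fast_pattern makes this literal the multi-pattern (MPM) prefilter
# so only flows containing it reach full rule evaluation.
alert http any any -> any any (msg:"LOCAL MageCart skimmer marker COOKIE_ANNOT in HTTP response"; \
    flow:established,to_client; \
    http.response_body; content:"COOKIE_ANNOT"; fast_pattern; nocase; \
    classtype:trojan-activity; sid:1000001; rev:1;)

# When a rule has no content keyword to fast_pattern, the prefilter keyword
# lets another keyword's engine (ttl here, purely as a placeholder) act as the
# prefilter instead of the rule being evaluated against every packet.
alert ip any any -> $HOME_NET any (msg:"LOCAL prefilter keyword syntax example"; \
    ttl:123; prefilter; sid:1000002; rev:1;)
```

Drop these in a local.rules file referenced from suricata.yaml and run suricata -T to confirm they parse before enabling them.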

I mentioned earlier the #Atlassian #Confluence #CVE-2023-22515. Vulnerable versions of Confluence Data Center can be remotely exploited to create administrator accounts. This is full unauthenticated “zero to hero” capability exploited in the wild. Privileged access is granted when executed against a publicly available endpoint.

As documented in this #CISA #Cybersecurity advisory, our released signatures are recommended as a detection method of exploitation for #CVE-2023-22515. These are 2048469-2048470 to identify scanning reconnaissance against your potentially vulnerable instance, 2048543 and 2048546 firing on the detection of a vulnerable server, and 2048541-2048542 & 2048544-2048545 alerting on exploitation success.

Lastly, we’re very proud of our own @dumiller and his #FakeBrowser update lure blog featuring points on socgholish #TA569 #RogueRaticate #ZPHP #ClearFake - plenty to learn, and referenced etopen signatures as well!

Take care all!