Weekly Community Review - October 4, 2023

Greetings! Last week our ET Open Suricata and #Snort ruleset grew by another 149(!) rules, and we can't stress enough how much we appreciate all of the help that made that possible. Every week we take the time to discuss a few of the tip-ups, submissions, and intel pieces that contributed, and here we are.

Starting off here on our community #Discourse: this is the place where we announce the daily rule releases, write how-to and other guidance for our users, and take false-positive (FP) reports and rule suggestions. As such, we get a lot of great information out of it!


From user @g0njxa, this post, with linked intel from @anyrun_app and Malware Bazaar, led to the creation of two sigs (2048229-2048230) covering the identified exfiltration method for #Nstealer v2.

From friend @Jane0sint, a post of their Twitter thread on #Eternity #Clipper: their two submissions, alerting on successful installation (SID 2048260) and on address change (SID 2048261), are now part of our Open ruleset!

Here on (longform) Twitter, this @lordx64 tweet on their comprehensive #ScamClub report helped us create SIDs 2048329-2048356, alerting on the identified DNS domains as well as on TLS SNI presentation of the same domains.

Friend @cosmicgumbo tipped us up to this @pratorian blog, giving us alert coverage on the payload request (2048365), directory path traversal (2048366) and request tunneling (2048367) for the CVE-2023-41265 #DoubleQlik #Qlik vulnerability!

From industry intel, hashes shared by @NSFOCUS_Intl led us to a sample from which detection logic could be created targeting the outbound URI patterns; the result is SID 2048319, alerting on the sending of registration information for #AtlasCross.

Shared #Lu0bot analysis from @anyrun_app led to DNS alerts on C2 domain lookups (2048320-2048323), as well as modeling of lu0bot-style lookups themselves (2048324-2048328).


That's it for the weekly wrap-up. Be well, all!
