Interfaces disabled after custom.rules.



  • UPDATE:
    Restarting the box has solved the problem  :o

    Hello.
    After the new ransomware campaign I have received a few rules for custom.rules to add to Snort (from Intel Security, see below)

    I add the rules (they look fine) and restart Snort.
    Every time Snort is restarted the interface is disabled (red cross) and I need to enable it by clicking on this red cross.

    Can somebody direct me with some tips to solve this issue?

    Thank you.

    Rules:

    
    # Snort rules exported from MISP event 4036 (every msg is prefixed "MISP e4036"). All rules
    # share classtype:trojan-activity, priority:1, rev:1 and a redacted reference (url,hidden/4036).
    # Four rule families are present: plain destination-IP rules, DNS query rules, HTTP Host
    # header rules and HTTP URI rules.
    # NOTE(review): the "alert ip" rules carry no flow or content match, so they fire on any IP
    # packet from $HOME_NET to the listed address; IP indicators of this kind tend to go stale,
    # so they are worth revisiting/expiring once the campaign is over.
    alert ip $HOME_NET any -> 23.53.181.163 any (msg: "MISP e4036 Outgoing To IP: 23.53.181.163";   classtype:trojan-activity; sid:9552867; rev:1; priority:1; reference:url,hidden/4036;) 
    # DNS query rules (udp/tcp to port 53): the first content, at offset 2 with depth 10, covers
    # the DNS header after the transaction ID (flags 0x0100 = standard query, QDCOUNT 1, no
    # answer/authority/additional records); the second is the length-prefixed label encoding of
    # the queried name (|04|ejup|08|karoling|03|org|00|, presumably preceded by the last header
    # byte) and is the fast_pattern. The tcp variant adds flow:established. The paired HTTP rule
    # looks for the name in the Host header (http_header) and confirms it with a pcre anchored on
    # non-hostname characters, so a longer name that merely contains the string does not match.
    # NOTE(review): the pcre has no /i flag while the content match is nocase, so a mixed-case
    # Host value passes the content check but fails the pcre. tag:session,600,seconds keeps
    # logging the session for 600 seconds after the alert.
    alert udp any any -> any 53 (msg: "MISP e4036 Hostname: ejup.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||04|ejup|08|karoling|03|org|00|"; fast_pattern; nocase;  classtype:trojan-activity; sid:9552877; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp any any -> any 53 (msg: "MISP e4036 Hostname: ejup.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||04|ejup|08|karoling|03|org|00|"; fast_pattern; nocase; flow:established;  classtype:trojan-activity; sid:9552878; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP Hostname: ejup.karoling.org"; flow:to_server,established; content: "Host|3a| ejup.karoling.org"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])ejup\.karoling\.org[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:9552879; rev:1; priority:1; reference:url,hidden/4036;) 
    alert udp any any -> any 53 (msg: "MISP e4036 Hostname: avotfdb.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||07|avotfdb|08|karoling|03|org|00|"; fast_pattern; nocase;  classtype:trojan-activity; sid:9552887; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp any any -> any 53 (msg: "MISP e4036 Hostname: avotfdb.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||07|avotfdb|08|karoling|03|org|00|"; fast_pattern; nocase; flow:established;  classtype:trojan-activity; sid:9552888; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP Hostname: avotfdb.karoling.org"; flow:to_server,established; content: "Host|3a| avotfdb.karoling.org"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])avotfdb\.karoling\.org[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:9552889; rev:1; priority:1; reference:url,hidden/4036;) 
    alert udp any any -> any 53 (msg: "MISP e4036 Hostname: obhci.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||05|obhci|08|karoling|03|org|00|"; fast_pattern; nocase;  classtype:trojan-activity; sid:9552897; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp any any -> any 53 (msg: "MISP e4036 Hostname: obhci.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||05|obhci|08|karoling|03|org|00|"; fast_pattern; nocase; flow:established;  classtype:trojan-activity; sid:9552898; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP Hostname: obhci.karoling.org"; flow:to_server,established; content: "Host|3a| obhci.karoling.org"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])obhci\.karoling\.org[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:9552899; rev:1; priority:1; reference:url,hidden/4036;) 
    alert udp any any -> any 53 (msg: "MISP e4036 Hostname: amozetav.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||08|amozetav|08|karoling|03|org|00|"; fast_pattern; nocase;  classtype:trojan-activity; sid:9552907; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp any any -> any 53 (msg: "MISP e4036 Hostname: amozetav.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||08|amozetav|08|karoling|03|org|00|"; fast_pattern; nocase; flow:established;  classtype:trojan-activity; sid:9552908; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP Hostname: amozetav.karoling.org"; flow:to_server,established; content: "Host|3a| amozetav.karoling.org"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])amozetav\.karoling\.org[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:9552909; rev:1; priority:1; reference:url,hidden/4036;) 
    # Domain rules for two public services that apparently return the caller's external IP
    # (ipecho.net, myexternalip.com). The HTTP variant matches "Host|3a|" and the domain as
    # separate http_header contents, and the pcre here allows a preceding ".", so subdomains of
    # these names match as well. Expect benign hits from legitimate software using these services.
    alert udp any any -> any 53 (msg: "MISP e4036 Domain: ipecho.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ipecho|03|net|00|"; fast_pattern; nocase;  classtype:trojan-activity; sid:9552917; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp any any -> any 53 (msg: "MISP e4036 Domain: ipecho.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ipecho|03|net|00|"; fast_pattern; nocase; flow:established;  classtype:trojan-activity; sid:9552918; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP Domain: ipecho.net"; flow:to_server,established; content: "Host|3a|"; nocase; http_header; content:"ipecho.net"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-])ipecho\.net[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:9552919; rev:1; priority:1; reference:url,hidden/4036;) 
    alert udp any any -> any 53 (msg: "MISP e4036 Domain: myexternalip.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|myexternalip|03|com|00|"; fast_pattern; nocase;  classtype:trojan-activity; sid:9552927; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp any any -> any 53 (msg: "MISP e4036 Domain: myexternalip.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|myexternalip|03|com|00|"; fast_pattern; nocase; flow:established;  classtype:trojan-activity; sid:9552928; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP Domain: myexternalip.com"; flow:to_server,established; content: "Host|3a|"; nocase; http_header; content:"myexternalip.com"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-])myexternalip\.com[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:9552929; rev:1; priority:1; reference:url,hidden/4036;) 
    # Destination-IP indicators (same shape as the first rule; see the note at the top).
    alert ip $HOME_NET any -> 208.83.223.34 any (msg: "MISP e4036 Outgoing To IP: 208.83.223.34";   classtype:trojan-activity; sid:9552937; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 146.255.36.1 any (msg: "MISP e4036 Outgoing To IP: 146.255.36.1";   classtype:trojan-activity; sid:9552947; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 78.47.139.102 any (msg: "MISP e4036 Outgoing To IP: 78.47.139.102";   classtype:trojan-activity; sid:9552957; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 67.92.173.228 any (msg: "MISP e4036 Outgoing To IP: 67.92.173.228";   classtype:trojan-activity; sid:9552967; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 37.221.171.236 any (msg: "MISP e4036 Outgoing To IP: 37.221.171.236";   classtype:trojan-activity; sid:9552977; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 188.165.145.157 any (msg: "MISP e4036 Outgoing To IP: 188.165.145.157";   classtype:trojan-activity; sid:9552987; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 154.35.32.5 any (msg: "MISP e4036 Outgoing To IP: 154.35.32.5";   classtype:trojan-activity; sid:9552997; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 173.254.216.69 any (msg: "MISP e4036 Outgoing To IP: 173.254.216.69";   classtype:trojan-activity; sid:9553007; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 168.235.65.136 any (msg: "MISP e4036 Outgoing To IP: 168.235.65.136";   classtype:trojan-activity; sid:9553017; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 195.154.150.203 any (msg: "MISP e4036 Outgoing To IP: 195.154.150.203";   classtype:trojan-activity; sid:9553027; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 99.231.225.222 any (msg: "MISP e4036 Outgoing To IP: 99.231.225.222";   classtype:trojan-activity; sid:9553037; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 193.23.244.244 any (msg: "MISP e4036 Outgoing To IP: 193.23.244.244";   classtype:trojan-activity; sid:9553047; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 87.106.55.134 any (msg: "MISP e4036 Outgoing To IP: 87.106.55.134";   classtype:trojan-activity; sid:9553057; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 185.31.230.69 any (msg: "MISP e4036 Outgoing To IP: 185.31.230.69";   classtype:trojan-activity; sid:9553067; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 194.109.206.212 any (msg: "MISP e4036 Outgoing To IP: 194.109.206.212";   classtype:trojan-activity; sid:9553077; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 171.25.193.9 any (msg: "MISP e4036 Outgoing To IP: 171.25.193.9";   classtype:trojan-activity; sid:9553087; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 67.183.173.246 any (msg: "MISP e4036 Outgoing To IP: 67.183.173.246";   classtype:trojan-activity; sid:9553097; rev:1; priority:1; reference:url,hidden/4036;) 
    # HTTP URL rules: the indicator is matched as a full "http://host/path" string in the
    # http_uri buffer (|3a| encodes the ":" that cannot appear raw inside content).
    # NOTE(review): for an ordinary request line (GET /raw HTTP/1.1) http_uri holds only the
    # path; a full URL appears there only in absolute-form requests such as those sent through a
    # proxy. Confirm these rules actually fire in this deployment, or match host (http_header)
    # and path (http_uri) separately.
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//kalinka-klin.ru/"; flow:to_server,established; content:"http|3a|//kalinka-klin.ru/"; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9553127; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 54.35.32.5 any (msg: "MISP e4036 Outgoing To IP: 54.35.32.5";   classtype:trojan-activity; sid:9553137; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 86.59.21.38 any (msg: "MISP e4036 Outgoing To IP: 86.59.21.38";   classtype:trojan-activity; sid:9553147; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 128.31.0.39 any (msg: "MISP e4036 Outgoing To IP: 128.31.0.39";   classtype:trojan-activity; sid:9553157; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//myexternalip.com/raw"; flow:to_server,established; content:"http|3a|//myexternalip.com/raw"; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9553167; rev:1; priority:1; reference:url,hidden/4036;) 
    alert ip $HOME_NET any -> 69.30.217.90 any (msg: "MISP e4036 Outgoing To IP: 69.30.217.90";   classtype:trojan-activity; sid:9553177; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//wtfismyip.com/text"; flow:to_server,established; content:"http|3a|//wtfismyip.com/text"; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9553187; rev:1; priority:1; reference:url,hidden/4036;) 
    # NOTE(review): the "&|3b|" sequences in the next rule decode to "&;" -- this looks like an
    # export artefact rather than a literal part of the URL, and the content would not match a
    # query string written as "&filename=...". Confirm against the original indicator before
    # relying on this rule.
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: https|3a|//downloader.disk.yandex.com/disk/f4d7f7a34d6d44315da924c3d5e3d197af3f4834725319d6bbaf9499f58cb750/56e9d551/-4ilAZKdPZ28Q_raaBjIkt_7jDNUBB1KbqdlYBRuDws7TV4U5ubTzxHm6WT4BFe5HUqdoTNs_yuMWEazmx0WUA%3D%3D?uid=0&|3b|filename=CORREOS.zip&|3b|disposition=attachment&|3b|hash=tzXbLYJlZTMzkfRyPNXnPKLdjiG5NSHj03ktyR9C7YA%3D&|3b|limit=0&|3b|content_type=application%2Fx-zip-compressed&|3b|fsize=367345&|3b|hid=9a422e83e2e75011b4a1ea257734118a&|3b|media_type=compressed&|3b|tknv=v2"; flow:to_server,established; content:"https|3a|//downloader.disk.yandex.com/disk/f4d7f7a34d6d44315da924c3d5e3d197af3f4834725319d6bbaf9499f58cb750/56e9d551/-4ilAZKdPZ28Q_raaBjIkt_7jDNUBB1KbqdlYBRuDws7TV4U5ubTzxHm6WT4BFe5HUqdoTNs_yuMWEazmx0WUA%3D%3D?uid=0&|3b|filename=CORREOS.zip&|3b|disposition=attachment&|3b|hash=tzXbLYJlZTMzkfRyPNXnPKLdjiG5NSHj03ktyR9C7YA%3D&|3b|limit=0&|3b|content_type=application%2Fx-zip-compressed&|3b|fsize=367345&|3b|hid=9a422e83e2e75011b4a1ea257734118a&|3b|media_type=compressed&|3b|tknv=v2"; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9554117; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//bigeasylifeinsurance.com"; flow:to_server,established; content:"http|3a|//bigeasylifeinsurance.com"; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9554127; rev:1; priority:1; reference:url,hidden/4036;) 
    # URL rules for a set of "<dir>/<name>.php?id=" paths on unrelated hosts; the same http_uri
    # caveat as above applies to all of them.
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//intererokna.ru/8ui40B6/eFD6v4.php?id="; flow:to_server,established; content:"http|3a|//intererokna.ru/8ui40B6/eFD6v4.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565667; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//stjohnspa.com/dEqfv4/ql4y7GCsZ36.php?id="; flow:to_server,established; content:"http|3a|//stjohnspa.com/dEqfv4/ql4y7GCsZ36.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565677; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//stroy-texnyka.ru/HDU0OtF/ktK8eJIyp70Wn1.php?id="; flow:to_server,established; content:"http|3a|//stroy-texnyka.ru/HDU0OtF/ktK8eJIyp70Wn1.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565687; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//xn--hondudiseos-9db.com/FQb9ZNEG3mT/8TXyx2.php?id="; flow:to_server,established; content:"http|3a|//xn--hondudiseos-9db.com/FQb9ZNEG3mT/8TXyx2.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565697; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//netway-corp.com/a3Nyp48vlZtT/h2P5FpacSg80.php?id="; flow:to_server,established; content:"http|3a|//netway-corp.com/a3Nyp48vlZtT/h2P5FpacSg80.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565707; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//wearme.ru/pFrXw/cwXrt5.php?id="; flow:to_server,established; content:"http|3a|//wearme.ru/pFrXw/cwXrt5.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565717; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//narcohelp-orenburg.ru/GDqWb/pKEMqr9.php?id="; flow:to_server,established; content:"http|3a|//narcohelp-orenburg.ru/GDqWb/pKEMqr9.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565727; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//yeninesilmatematikdefteri.com/JupC145fdZ/KBn0e82qPWC5.php?id="; flow:to_server,established; content:"http|3a|//yeninesilmatematikdefteri.com/JupC145fdZ/KBn0e82qPWC5.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565737; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//wilsonzurita.com/q84oO9FPycl/nYQNRBH6Oi7.php?id="; flow:to_server,established; content:"http|3a|//wilsonzurita.com/q84oO9FPycl/nYQNRBH6Oi7.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565747; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//ukrbudservice.kiev.ua/pUbACXdnuE/Cg8V7R1y5x9dcr3.php?id="; flow:to_server,established; content:"http|3a|//ukrbudservice.kiev.ua/pUbACXdnuE/Cg8V7R1y5x9dcr3.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565757; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//armnato.ru/iIKxLXjBrFQ/sYe9QpS1.php?id="; flow:to_server,established; content:"http|3a|//armnato.ru/iIKxLXjBrFQ/sYe9QpS1.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565767; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//otdelka-ptz.ru/r4FZpwl7oTQM/Ixt4G2gfjp3.php?id="; flow:to_server,established; content:"http|3a|//otdelka-ptz.ru/r4FZpwl7oTQM/Ixt4G2gfjp3.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565777; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//autointernetoglasi.com/iZf7TLFDuKnP/cypRN9sKU4.php?id="; flow:to_server,established; content:"http|3a|//autointernetoglasi.com/iZf7TLFDuKnP/cypRN9sKU4.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565787; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//irisgold.com/PquBmTdgWae/LWjtgaemo9DTdX24.php?id="; flow:to_server,established; content:"http|3a|//irisgold.com/PquBmTdgWae/LWjtgaemo9DTdX24.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565797; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//volgashar.ru/kByK7Vv/x5BgYaE2ozhXbk1.php?id="; flow:to_server,established; content:"http|3a|//volgashar.ru/kByK7Vv/x5BgYaE2ozhXbk1.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565807; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//oldbeansolutions.com/GZaC0sv/RH4GaU2.php?id="; flow:to_server,established; content:"http|3a|//oldbeansolutions.com/GZaC0sv/RH4GaU2.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565817; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//narcohelp-tolyatti.ru/BgGSIHL0/7KaLTRlWGtoY40.php?id="; flow:to_server,established; content:"http|3a|//narcohelp-tolyatti.ru/BgGSIHL0/7KaLTRlWGtoY40.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565827; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//mascmoto.com/2CkjViTNlOSn/w5jG8ezydH7.php?id="; flow:to_server,established; content:"http|3a|//mascmoto.com/2CkjViTNlOSn/w5jG8ezydH7.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565837; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//gmtcontrol.com/9ibNQLhv/QWAu6e5czymqCJ2.php?id="; flow:to_server,established; content:"http|3a|//gmtcontrol.com/9ibNQLhv/QWAu6e5czymqCJ2.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565847; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//galonomer1.ru/QIlJj/Ledl8xiD5.php?id="; flow:to_server,established; content:"http|3a|//galonomer1.ru/QIlJj/Ledl8xiD5.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565857; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//diliagentes.com/cHgbkuC9Oi/HrADGpleT8.php?id="; flow:to_server,established; content:"http|3a|//diliagentes.com/cHgbkuC9Oi/HrADGpleT8.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565867; rev:1; priority:1; reference:url,hidden/4036;) 
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//my-yorkie.com/e0SCghNry/LQBiTJU1.php?id="; flow:to_server,established; content:"http|3a|//my-yorkie.com/e0SCghNry/LQBiTJU1.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565877; rev:1; priority:1; reference:url,hidden/4036;) 
    
    


  • You might have had multiple Snort processes running.  That can sometimes happen.  Restarting would have killed any zombie Snort processes.

    Bill



  • @crester:

    Hello.
    After the new ransomware campaign I have received a few rules for custom.rules to add to Snort (from Intel Security, see below)

    Also, make sure you check the new tracker/blocklist from abuse.ch

    https://ransomwaretracker.abuse.ch/blocklist/

    F.

