Interfaces disabled after custom.rules.
-
UPDATE:
Restarting the box has solved the problem :o

Hello.
After the new ransomware campaign I received a few custom rules to add to Snort (from Intel Security, see below). I added the rules to custom.rules (they look fine) and restarted Snort.
Every time Snort is restarted, the interface shows as disabled (red cross) and I have to enable it again by clicking on that red cross. Can somebody give me some tips on how to solve this?
Thank you.
Rules:
# ---------------------------------------------------------------------------
# MISP event 4036 export (ransomware campaign IOCs) as received from Intel
# Security.  One rule per line; Snort treats lines starting with '#' as
# comments.
#
# Review notes before loading this into custom.rules:
#  * Every rule is classtype:trojan-activity / priority:1.  On a Snort install
#    that blocks on alert, a single hit blocks the source host, so the
#    false-positive notes below matter.
#  * reference:url,hidden/4036 is a redacted placeholder left by the export;
#    harmless, but it points nowhere.
#  * A single malformed line in custom.rules stops Snort from starting at all;
#    validate the file (snort -T -c <snort.conf>) after pasting it in.
# ---------------------------------------------------------------------------

# --- Destination-IP rule: 'alert ip ... any' matches every packet to the
# address, any protocol, with no content check.  Verify the address is not
# shared hosting or a CDN node before blocking on it.
alert ip $HOME_NET any -> 23.53.181.163 any (msg: "MISP e4036 Outgoing To IP: 23.53.181.163"; classtype:trojan-activity; sid:9552867; rev:1; priority:1; reference:url,hidden/4036;)

# --- C2 hostnames under karoling.org: DNS lookup (udp/tcp 53) plus HTTP Host
# header.  The DNS rules key on the query header at offset 2 (flags 0x0100,
# QDCOUNT 1, AN/NS/AR 0) followed by the length-prefixed name, so they fire on
# the lookup itself whether or not it resolves.
alert udp any any -> any 53 (msg: "MISP e4036 Hostname: ejup.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||04|ejup|08|karoling|03|org|00|"; fast_pattern; nocase; classtype:trojan-activity; sid:9552877; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp any any -> any 53 (msg: "MISP e4036 Hostname: ejup.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||04|ejup|08|karoling|03|org|00|"; fast_pattern; nocase; flow:established; classtype:trojan-activity; sid:9552878; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP Hostname: ejup.karoling.org"; flow:to_server,established; content: "Host|3a| ejup.karoling.org"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])ejup\.karoling\.org[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:9552879; rev:1; priority:1; reference:url,hidden/4036;)
alert udp any any -> any 53 (msg: "MISP e4036 Hostname: avotfdb.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||07|avotfdb|08|karoling|03|org|00|"; fast_pattern; nocase; classtype:trojan-activity; sid:9552887; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp any any -> any 53 (msg: "MISP e4036 Hostname: avotfdb.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||07|avotfdb|08|karoling|03|org|00|"; fast_pattern; nocase; flow:established; classtype:trojan-activity; sid:9552888; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP Hostname: avotfdb.karoling.org"; flow:to_server,established; content: "Host|3a| avotfdb.karoling.org"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])avotfdb\.karoling\.org[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:9552889; rev:1; priority:1; reference:url,hidden/4036;)
alert udp any any -> any 53 (msg: "MISP e4036 Hostname: obhci.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||05|obhci|08|karoling|03|org|00|"; fast_pattern; nocase; classtype:trojan-activity; sid:9552897; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp any any -> any 53 (msg: "MISP e4036 Hostname: obhci.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||05|obhci|08|karoling|03|org|00|"; fast_pattern; nocase; flow:established; classtype:trojan-activity; sid:9552898; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP Hostname: obhci.karoling.org"; flow:to_server,established; content: "Host|3a| obhci.karoling.org"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])obhci\.karoling\.org[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:9552899; rev:1; priority:1; reference:url,hidden/4036;)
alert udp any any -> any 53 (msg: "MISP e4036 Hostname: amozetav.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||08|amozetav|08|karoling|03|org|00|"; fast_pattern; nocase; classtype:trojan-activity; sid:9552907; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp any any -> any 53 (msg: "MISP e4036 Hostname: amozetav.karoling.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00||08|amozetav|08|karoling|03|org|00|"; fast_pattern; nocase; flow:established; classtype:trojan-activity; sid:9552908; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP Hostname: amozetav.karoling.org"; flow:to_server,established; content: "Host|3a| amozetav.karoling.org"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])amozetav\.karoling\.org[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:9552909; rev:1; priority:1; reference:url,hidden/4036;)

# --- Public "what is my IP" services (ipecho.net, myexternalip.com, and
# wtfismyip.com further down).  Presumably the sample uses these to learn its
# public address, but so does plenty of legitimate software, so expect false
# positives at priority:1.  Note the HTTP variants below only require the
# domain to appear somewhere in the headers (no distance/within after the
# "Host:" match), so a Referer mentioning the site is enough to trigger.
alert udp any any -> any 53 (msg: "MISP e4036 Domain: ipecho.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ipecho|03|net|00|"; fast_pattern; nocase; classtype:trojan-activity; sid:9552917; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp any any -> any 53 (msg: "MISP e4036 Domain: ipecho.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ipecho|03|net|00|"; fast_pattern; nocase; flow:established; classtype:trojan-activity; sid:9552918; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP Domain: ipecho.net"; flow:to_server,established; content: "Host|3a|"; nocase; http_header; content:"ipecho.net"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-])ipecho\.net[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:9552919; rev:1; priority:1; reference:url,hidden/4036;)
alert udp any any -> any 53 (msg: "MISP e4036 Domain: myexternalip.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|myexternalip|03|com|00|"; fast_pattern; nocase; classtype:trojan-activity; sid:9552927; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp any any -> any 53 (msg: "MISP e4036 Domain: myexternalip.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|myexternalip|03|com|00|"; fast_pattern; nocase; flow:established; classtype:trojan-activity; sid:9552928; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP Domain: myexternalip.com"; flow:to_server,established; content: "Host|3a|"; nocase; http_header; content:"myexternalip.com"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-])myexternalip\.com[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:9552929; rev:1; priority:1; reference:url,hidden/4036;)

# --- Destination-IP rules (any protocol, no content check, see note above).
# Several of these (128.31.0.39, 86.59.21.38, 194.109.206.212, 193.23.244.244,
# 171.25.193.9, 208.83.223.34) look like long-lived Tor directory-authority
# addresses; if so they fire on any Tor client bootstrapping, not only on this
# ransomware.  Confirm each one against the MISP event before blocking on it.
alert ip $HOME_NET any -> 208.83.223.34 any (msg: "MISP e4036 Outgoing To IP: 208.83.223.34"; classtype:trojan-activity; sid:9552937; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 146.255.36.1 any (msg: "MISP e4036 Outgoing To IP: 146.255.36.1"; classtype:trojan-activity; sid:9552947; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 78.47.139.102 any (msg: "MISP e4036 Outgoing To IP: 78.47.139.102"; classtype:trojan-activity; sid:9552957; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 67.92.173.228 any (msg: "MISP e4036 Outgoing To IP: 67.92.173.228"; classtype:trojan-activity; sid:9552967; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 37.221.171.236 any (msg: "MISP e4036 Outgoing To IP: 37.221.171.236"; classtype:trojan-activity; sid:9552977; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 188.165.145.157 any (msg: "MISP e4036 Outgoing To IP: 188.165.145.157"; classtype:trojan-activity; sid:9552987; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 154.35.32.5 any (msg: "MISP e4036 Outgoing To IP: 154.35.32.5"; classtype:trojan-activity; sid:9552997; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 173.254.216.69 any (msg: "MISP e4036 Outgoing To IP: 173.254.216.69"; classtype:trojan-activity; sid:9553007; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 168.235.65.136 any (msg: "MISP e4036 Outgoing To IP: 168.235.65.136"; classtype:trojan-activity; sid:9553017; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 195.154.150.203 any (msg: "MISP e4036 Outgoing To IP: 195.154.150.203"; classtype:trojan-activity; sid:9553027; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 99.231.225.222 any (msg: "MISP e4036 Outgoing To IP: 99.231.225.222"; classtype:trojan-activity; sid:9553037; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 193.23.244.244 any (msg: "MISP e4036 Outgoing To IP: 193.23.244.244"; classtype:trojan-activity; sid:9553047; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 87.106.55.134 any (msg: "MISP e4036 Outgoing To IP: 87.106.55.134"; classtype:trojan-activity; sid:9553057; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 185.31.230.69 any (msg: "MISP e4036 Outgoing To IP: 185.31.230.69"; classtype:trojan-activity; sid:9553067; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 194.109.206.212 any (msg: "MISP e4036 Outgoing To IP: 194.109.206.212"; classtype:trojan-activity; sid:9553077; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 171.25.193.9 any (msg: "MISP e4036 Outgoing To IP: 171.25.193.9"; classtype:trojan-activity; sid:9553087; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 67.183.173.246 any (msg: "MISP e4036 Outgoing To IP: 67.183.173.246"; classtype:trojan-activity; sid:9553097; rev:1; priority:1; reference:url,hidden/4036;)

# --- Full-URL rules.  The content starts with "http://" and is matched against
# http_uri.  For an ordinary client request the URI buffer holds only the path
# ("GET /x.php?id=... HTTP/1.1"); the scheme and host only land in it when the
# client sends an absolute URI, e.g. through an explicit proxy.  As written
# these are unlikely to fire on direct traffic -- if they are meant to, split
# each into a Host-header match plus the path in http_uri, as the karoling.org
# rules above do.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//kalinka-klin.ru/"; flow:to_server,established; content:"http|3a|//kalinka-klin.ru/"; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9553127; rev:1; priority:1; reference:url,hidden/4036;)
# NOTE(review): 54.35.32.5 (sid 9553137) looks like 154.35.32.5 (sid 9552997)
# with the leading digit dropped in transcription.  Confirm against the MISP
# event before deploying; otherwise this alerts on an unrelated host.
alert ip $HOME_NET any -> 54.35.32.5 any (msg: "MISP e4036 Outgoing To IP: 54.35.32.5"; classtype:trojan-activity; sid:9553137; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 86.59.21.38 any (msg: "MISP e4036 Outgoing To IP: 86.59.21.38"; classtype:trojan-activity; sid:9553147; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 128.31.0.39 any (msg: "MISP e4036 Outgoing To IP: 128.31.0.39"; classtype:trojan-activity; sid:9553157; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//myexternalip.com/raw"; flow:to_server,established; content:"http|3a|//myexternalip.com/raw"; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9553167; rev:1; priority:1; reference:url,hidden/4036;)
alert ip $HOME_NET any -> 69.30.217.90 any (msg: "MISP e4036 Outgoing To IP: 69.30.217.90"; classtype:trojan-activity; sid:9553177; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//wtfismyip.com/text"; flow:to_server,established; content:"http|3a|//wtfismyip.com/text"; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9553187; rev:1; priority:1; reference:url,hidden/4036;)
# NOTE(review): sid 9554117 is an https:// URL (the CORREOS.zip dropper link).
# The request is inside TLS, so Snort cannot see the URI without interception,
# and the "&|3b|" sequences decode to "&;", which looks like an HTML-entity
# (&amp;) export artefact rather than what is on the wire.  Expect this rule
# never to match as written; it is kept for reference.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: https|3a|//downloader.disk.yandex.com/disk/f4d7f7a34d6d44315da924c3d5e3d197af3f4834725319d6bbaf9499f58cb750/56e9d551/-4ilAZKdPZ28Q_raaBjIkt_7jDNUBB1KbqdlYBRuDws7TV4U5ubTzxHm6WT4BFe5HUqdoTNs_yuMWEazmx0WUA%3D%3D?uid=0&|3b|filename=CORREOS.zip&|3b|disposition=attachment&|3b|hash=tzXbLYJlZTMzkfRyPNXnPKLdjiG5NSHj03ktyR9C7YA%3D&|3b|limit=0&|3b|content_type=application%2Fx-zip-compressed&|3b|fsize=367345&|3b|hid=9a422e83e2e75011b4a1ea257734118a&|3b|media_type=compressed&|3b|tknv=v2"; flow:to_server,established; content:"https|3a|//downloader.disk.yandex.com/disk/f4d7f7a34d6d44315da924c3d5e3d197af3f4834725319d6bbaf9499f58cb750/56e9d551/-4ilAZKdPZ28Q_raaBjIkt_7jDNUBB1KbqdlYBRuDws7TV4U5ubTzxHm6WT4BFe5HUqdoTNs_yuMWEazmx0WUA%3D%3D?uid=0&|3b|filename=CORREOS.zip&|3b|disposition=attachment&|3b|hash=tzXbLYJlZTMzkfRyPNXnPKLdjiG5NSHj03ktyR9C7YA%3D&|3b|limit=0&|3b|content_type=application%2Fx-zip-compressed&|3b|fsize=367345&|3b|hid=9a422e83e2e75011b4a1ea257734118a&|3b|media_type=compressed&|3b|tknv=v2"; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9554117; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//bigeasylifeinsurance.com"; flow:to_server,established; content:"http|3a|//bigeasylifeinsurance.com"; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9554127; rev:1; priority:1; reference:url,hidden/4036;)
# --- Payload/landing URLs on (presumably compromised) sites, all of the form
# /<random>/<random>.php?id=.  Same http_uri caveat as above: the distinctive
# part is the path, which would match on its own without the scheme and host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//intererokna.ru/8ui40B6/eFD6v4.php?id="; flow:to_server,established; content:"http|3a|//intererokna.ru/8ui40B6/eFD6v4.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565667; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//stjohnspa.com/dEqfv4/ql4y7GCsZ36.php?id="; flow:to_server,established; content:"http|3a|//stjohnspa.com/dEqfv4/ql4y7GCsZ36.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565677; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//stroy-texnyka.ru/HDU0OtF/ktK8eJIyp70Wn1.php?id="; flow:to_server,established; content:"http|3a|//stroy-texnyka.ru/HDU0OtF/ktK8eJIyp70Wn1.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565687; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//xn--hondudiseos-9db.com/FQb9ZNEG3mT/8TXyx2.php?id="; flow:to_server,established; content:"http|3a|//xn--hondudiseos-9db.com/FQb9ZNEG3mT/8TXyx2.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565697; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//netway-corp.com/a3Nyp48vlZtT/h2P5FpacSg80.php?id="; flow:to_server,established; content:"http|3a|//netway-corp.com/a3Nyp48vlZtT/h2P5FpacSg80.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565707; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//wearme.ru/pFrXw/cwXrt5.php?id="; flow:to_server,established; content:"http|3a|//wearme.ru/pFrXw/cwXrt5.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565717; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//narcohelp-orenburg.ru/GDqWb/pKEMqr9.php?id="; flow:to_server,established; content:"http|3a|//narcohelp-orenburg.ru/GDqWb/pKEMqr9.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565727; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//yeninesilmatematikdefteri.com/JupC145fdZ/KBn0e82qPWC5.php?id="; flow:to_server,established; content:"http|3a|//yeninesilmatematikdefteri.com/JupC145fdZ/KBn0e82qPWC5.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565737; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//wilsonzurita.com/q84oO9FPycl/nYQNRBH6Oi7.php?id="; flow:to_server,established; content:"http|3a|//wilsonzurita.com/q84oO9FPycl/nYQNRBH6Oi7.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565747; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//ukrbudservice.kiev.ua/pUbACXdnuE/Cg8V7R1y5x9dcr3.php?id="; flow:to_server,established; content:"http|3a|//ukrbudservice.kiev.ua/pUbACXdnuE/Cg8V7R1y5x9dcr3.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565757; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//armnato.ru/iIKxLXjBrFQ/sYe9QpS1.php?id="; flow:to_server,established; content:"http|3a|//armnato.ru/iIKxLXjBrFQ/sYe9QpS1.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565767; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//otdelka-ptz.ru/r4FZpwl7oTQM/Ixt4G2gfjp3.php?id="; flow:to_server,established; content:"http|3a|//otdelka-ptz.ru/r4FZpwl7oTQM/Ixt4G2gfjp3.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565777; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//autointernetoglasi.com/iZf7TLFDuKnP/cypRN9sKU4.php?id="; flow:to_server,established; content:"http|3a|//autointernetoglasi.com/iZf7TLFDuKnP/cypRN9sKU4.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565787; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//irisgold.com/PquBmTdgWae/LWjtgaemo9DTdX24.php?id="; flow:to_server,established; content:"http|3a|//irisgold.com/PquBmTdgWae/LWjtgaemo9DTdX24.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565797; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//volgashar.ru/kByK7Vv/x5BgYaE2ozhXbk1.php?id="; flow:to_server,established; content:"http|3a|//volgashar.ru/kByK7Vv/x5BgYaE2ozhXbk1.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565807; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//oldbeansolutions.com/GZaC0sv/RH4GaU2.php?id="; flow:to_server,established; content:"http|3a|//oldbeansolutions.com/GZaC0sv/RH4GaU2.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565817; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//narcohelp-tolyatti.ru/BgGSIHL0/7KaLTRlWGtoY40.php?id="; flow:to_server,established; content:"http|3a|//narcohelp-tolyatti.ru/BgGSIHL0/7KaLTRlWGtoY40.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565827; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//mascmoto.com/2CkjViTNlOSn/w5jG8ezydH7.php?id="; flow:to_server,established; content:"http|3a|//mascmoto.com/2CkjViTNlOSn/w5jG8ezydH7.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565837; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//gmtcontrol.com/9ibNQLhv/QWAu6e5czymqCJ2.php?id="; flow:to_server,established; content:"http|3a|//gmtcontrol.com/9ibNQLhv/QWAu6e5czymqCJ2.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565847; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//galonomer1.ru/QIlJj/Ledl8xiD5.php?id="; flow:to_server,established; content:"http|3a|//galonomer1.ru/QIlJj/Ledl8xiD5.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565857; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//diliagentes.com/cHgbkuC9Oi/HrADGpleT8.php?id="; flow:to_server,established; content:"http|3a|//diliagentes.com/cHgbkuC9Oi/HrADGpleT8.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565867; rev:1; priority:1; reference:url,hidden/4036;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e4036 Outgoing HTTP URL: http|3a|//my-yorkie.com/e0SCghNry/LQBiTJU1.php?id="; flow:to_server,established; content:"http|3a|//my-yorkie.com/e0SCghNry/LQBiTJU1.php?id="; nocase; http_uri; tag:session,600,seconds; classtype:trojan-activity; sid:9565877; rev:1; priority:1; reference:url,hidden/4036;)
-
You might have had multiple Snort processes running; that can happen when a restart does not fully stop the old instance, and rebooting killed any leftover Snort processes. If it happens again, check the system log for a Snort FATAL ERROR before assuming a stale process: a single malformed line in custom.rules stops Snort from starting at all, and that also shows up as the interface being down.
Bill
-
Hello.
> After the new ransomware campaign I received a few custom rules to add to Snort (from Intel Security, see below)

Also, make sure you check the new ransomware tracker/blocklist from abuse.ch:
https://ransomwaretracker.abuse.ch/blocklist/
F.