Security Research Team fox-srt
fox-srt
/ skorianial.com.pem
Created
June 7, 2016 12:15
x509 cert of skorianial.com:443 / 107.181.187.182:443
View skorianial.com.pem
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Certificate: | |
| Data: | |
| Version: 3 (0x2) | |
| Serial Number: | |
| b3:41:c8:fd:5c:fa:8f:a5 | |
| Signature Algorithm: sha1WithRSAEncryption | |
| Issuer: C=XX, ST=1, L=1, O=1, OU=1, CN=107.181.187.182/emailAddress=box@example.com | |
| Validity | |
| Not Before: Jun 4 10:15:01 2016 GMT | |
| Not After : Jun 4 10:15:01 2017 GMT |
fox-srt
/ juniper-cve-2015-7755.rules
Last active
August 23, 2016 15:52
Snort coverage for Juniper ScreenOS backdoor
View juniper-cve-2015-7755.rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Signatures to detect successful abuse of the Juniper backdoor password over telnet. | |
| # Additionally a signature for detecting world reachable ScreenOS devices over SSH. | |
| alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Flowbit - Juniper ScreenOS telnet (noalert)"; flow:established,to_client; content:"Remote Management Console|0d0a|"; offset:0; depth:27; flowbits:set,fox.juniper.screenos; flowbits:noalert; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; sid:21001729; rev:2;) | |
| alert tcp any any -> $HOME_NET 23 (msg:"FOX-SRT - Backdoor - Juniper ScreenOS telnet backdoor password attempt"; flow:established,to_server; flowbits:isset,fox.juniper.screenos; flowbits:set,fox.juniper.screenos.password; content:"|3c3c3c20257328756e3d2725732729203d202575|"; offset:0; fast_pattern; classtype:attempted-admin; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; sid:21001730; rev:2;) | |
| alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Backdoor - Juniper Scr |
View fox-ticketbleed.rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # IDS Signatures to detect Ticketbleed (CVE-2016-9244) | |
| # https://blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244/ | |
| alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"FOX-SRT - Flowbit - TLS session resumption < 32 byte session id (noalert)"; flow:established,to_server; content:"|1603|"; depth:2; content:"|01|"; distance:3; within:1; byte_test:3,<,3000,0,relative; content:"|03|"; distance:3; within:1; byte_test:1,<,32,33,relative; byte_test:1,>,0,33,relative; flowbits:set,fox.ticketbleed.session; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 600; classtype:attempted-recon; reference:cve,2016-9244; reference:url,https://ticketbleed.com; reference:url,blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244; sid:21002061; rev:6;) | |
| alert tcp $HOME_NET [$HTTP_PORTS,443] -> $EXTERNAL_NET any (msg:"FOX-SRT - Vulnerability - Possible Succesful F5 Big-IP TLS Ticketbleed"; flow:established,to_client; flowbits:isset,fox.ticketbleed.session; content:"|1603|"; dep |
fox-srt
/ fox-srt-mwi.rules
Last active
April 11, 2017 10:12
Snort coverage for Microsoft Word Intruder
View fox-srt-mwi.rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Signatures for detecting Microsoft Word Intruder | |
| # https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html | |
| alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FOX-SRT - Trojan - Microsoft Word Intruder payload request"; content:"GET"; depth:3; flowbits:set,mwi; content:!"Referer|3a| "; content:!"Cookie|3a| "; uricontent:"&act=1"; fast_pattern: only; pcre:"/\/webstat\/image\.php\?id=[0-9]{8}/"; threshold: type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; reference:url,https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; sid:21001609; rev:1;) | |
| alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FOX-SRT - Trojan - Microsoft Word Intruder payload response"; flowbits:isset,mwi; content:"Content-Type|3a| application/octet-stream"; content:"Content-Description|3a| File Transfer"; pcre:"/filename=[0-9]{8}\.exe/"; threshold: type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; reference:url,https://www.fir |
fox-srt
/ CVE-2018-0101.rules
Last active
April 10, 2018 09:42
Cisco ASA RCE / CVE-2018-0101 IDS Signatures
View CVE-2018-0101.rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1: | |
| alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"|84|"; offset:16; depth:1; content:"|02|"; distance:1; within:1; fast_pattern; byte_test:4,>,5000,5,relative; byte_test:2,>,5000,11,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,53,relative; byte_test:4,=,fragment_match,137,relative; byte_test:4,=,fragment_match,237,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:5;) | |
| alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;) |
View tr-069-soap-rce.rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert tcp $EXTERNAL_NET any -> $HOME_NET 7547 (msg:"FOX-SRT – Exploit – TR-069 SOAP RCE NewNTPServer exploit incoming"; flow:established,to_server; content:"POST"; depth:4; content:"/UD/act?1"; content:"urn:dslforum-org:service:Time:1#SetNTPServers"; threshold: type limit, track by_dst, count 1, seconds 60; classtype:attempted-admin; reference:url,blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot; sid:1; rev:1;) | |
| alert tcp $HOME_NET any -> $EXTERNAL_NET 7547 (msg:"FOX-SRT – Exploit – TR-069 SOAP RCE NewNTPServer exploit outgoing"; flow:established,to_server; content:"POST"; depth:4; content:"/UD/act?1"; content:"urn:dslforum-org:service:Time:1#SetNTPServers"; threshold: type limit, track by_src, count 1, seconds 60; classtype:attempted-admin; reference:url,blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot; sid:2; rev:1;) |
fox-srt
/ decode_shadowpad_dns.py
Last active
April 30, 2018 18:48
Netsarang backdoor DNS payload decrypter
View decode_shadowpad_dns.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """ | |
| Netsarang backdoor DNS payload decrypter | |
| file: decode_shadowpad_dns.py | |
| author: Fox-IT Security Research Team <srt@fox-it.com> | |
| Usage: | |
| $ cat dns.txt | |
| sajajlyoogrmkllmuoqiyaxlymwlvajdkouhkdyiyolamdjivho.cjpybuhwnjgkhllm.nylalobghyhirgh.com |
fox-srt
/ cobaltstrike-extraspace.rules
Created
February 26, 2019 12:26
IDS Signature to detect the extraneous space in Cobalt Strike < 3.13
View cobaltstrike-extraspace.rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert tcp any any -> any any (msg:"FOX-IT - Trojan - Possible CobaltStrike C2 Server"; \ | |
| flow:to_client; \ | |
| content:"HTTP/1.1 200 OK |0d0a|"; fast_pattern; depth:18; \ | |
| content:"Date: "; \ | |
| pcre:"/^HTTP/1.1 200 OK \r\nContent-Type: [^\r\n]{0,100}\r\nDate: [^\r\n]{0,100} GMT\r\n(Content-Length: \d+\r\n)\r\n/"; \ | |
| threshold:type limit, track by_dst, count 1, seconds 600; \ | |
| classtype:trojan-activity; priority:2; \ | |
| sid:21002217; rev:3;) |
fox-srt
/ log4shell-exploitation-attempts.rules
Last active
December 12, 2021 19:19
Suricata Coverage for Log4Shell Exploitation Attempts (CVE-2021-44228)
View log4shell-exploitation-attempts.rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Detects Log4j exploitation attempts | |
| alert http any any -> $HOME_NET any (msg:"FOX-SRT - Exploit - Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:ldap://"; fast_pattern:only; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:web-application-attack; priority:3; reference:url, www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003726; rev:1;) | |
| alert http any any -> $HOME_NET any (msg:"FOX-SRT - Exploit - Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:"; fast_pattern; pcre:"/\$\{jndi\:(rmi|ldaps|dns)\:/"; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:web-application-attack; priority:3; reference:url, www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata: |
fox-srt
/ log4shell-hunting.rules
Last active
December 12, 2021 19:19
Suricata Coverage for Log4Shell Hunting (CVE-2021-44228)
View log4shell-hunting.rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Outgoing connection after Log4j Exploit Attempt (uses xbit from sid: 21003734) - requires `stream.inline=yes` setting in suricata.yaml for this to work | |
| alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Suspicious - Possible outgoing connection after Log4j Exploit Attempt"; flow:established, to_server; xbits:isset, fox.log4shell.attempt, track ip_src; stream_size:client, =, 1; stream_size:server, =, 1; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:bad-unknown; metadata:ids suricata; metadata:created_at 2021-12-12; priority:3; sid:21003740; rev:1;) | |
| # Detects inbound Java class | |
| alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "FOX-SRT - Suspicious - Java class inbound"; flow:established, to_client; content: "|CA FE BA BE 00 00 00|"; depth:20; fast_pattern; threshold:type limit, track by_dst, count 1, seconds 43200; metadata:ids suricata; metadata:created_at 2021-12-12; classtype:bad-unknown; priority:3; sid:21003742; rev:2;) |
OlderNewer