Security Research Team fox-srt

## skorianial.com.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b3:41:c8:fd:5c:fa:8f:a5
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=XX, ST=1, L=1, O=1, OU=1, CN=107.181.187.182/emailAddress=box@example.com
        Validity
            Not Before: Jun  4 10:15:01 2016 GMT
            Not After : Jun  4 10:15:01 2017 GMT

## juniper-cve-2015-7755.rules
# Signatures to detect successful abuse of the Juniper backdoor password over telnet.
# Additionally a signature for detecting world reachable ScreenOS devices over SSH.

alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Flowbit - Juniper ScreenOS telnet (noalert)"; flow:established,to_client; content:"Remote Management Console|0d0a|"; offset:0; depth:27; flowbits:set,fox.juniper.screenos; flowbits:noalert; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; sid:21001729; rev:2;)
alert tcp any any -> $HOME_NET 23 (msg:"FOX-SRT - Backdoor - Juniper ScreenOS telnet backdoor password attempt"; flow:established,to_server; flowbits:isset,fox.juniper.screenos; flowbits:set,fox.juniper.screenos.password; content:"|3c3c3c20257328756e3d2725732729203d202575|"; offset:0; fast_pattern; classtype:attempted-admin; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; sid:21001730; rev:2;)
alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Backdoor - Juniper Scr

## fox-ticketbleed.rules
# IDS Signatures to detect Ticketbleed (CVE-2016-9244)
# https://blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244/

alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"FOX-SRT - Flowbit - TLS session resumption < 32 byte session id (noalert)"; flow:established,to_server; content:"|1603|"; depth:2; content:"|01|"; distance:3; within:1; byte_test:3,<,3000,0,relative; content:"|03|"; distance:3; within:1; byte_test:1,<,32,33,relative; byte_test:1,>,0,33,relative; flowbits:set,fox.ticketbleed.session; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 600; classtype:attempted-recon; reference:cve,2016-9244; reference:url,https://ticketbleed.com; reference:url,blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244; sid:21002061; rev:6;)
alert tcp $HOME_NET [$HTTP_PORTS,443] -> $EXTERNAL_NET any (msg:"FOX-SRT - Vulnerability - Possible Succesful F5 Big-IP TLS Ticketbleed"; flow:established,to_client; flowbits:isset,fox.ticketbleed.session; content:"|1603|"; dep

## fox-srt-mwi.rules
# Signatures for detecting Microsoft Word Intruder
# https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FOX-SRT - Trojan - Microsoft Word Intruder payload request"; content:"GET"; depth:3; flowbits:set,mwi; content:!"Referer|3a| "; content:!"Cookie|3a| "; uricontent:"&act=1"; fast_pattern: only; pcre:"/\/webstat\/image\.php\?id=[0-9]{8}/"; threshold: type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; reference:url,https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; sid:21001609; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FOX-SRT - Trojan - Microsoft Word Intruder payload response"; flowbits:isset,mwi; content:"Content-Type|3a| application/octet-stream"; content:"Content-Description|3a| File Transfer"; pcre:"/filename=[0-9]{8}\.exe/"; threshold: type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; reference:url,https://www.fir

## CVE-2018-0101.rules
# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:
alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"|84|"; offset:16; depth:1; content:"|02|"; distance:1; within:1; fast_pattern; byte_test:4,>,5000,5,relative; byte_test:2,>,5000,11,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,53,relative; byte_test:4,=,fragment_match,137,relative; byte_test:4,=,fragment_match,237,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:5;)
alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)

## tr-069-soap-rce.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 7547 (msg:"FOX-SRT – Exploit – TR-069 SOAP RCE NewNTPServer exploit incoming"; flow:established,to_server; content:"POST"; depth:4; content:"/UD/act?1"; content:"urn:dslforum-org:service:Time:1#SetNTPServers"; threshold: type limit, track by_dst, count 1, seconds 60; classtype:attempted-admin; reference:url,blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 7547 (msg:"FOX-SRT – Exploit – TR-069 SOAP RCE NewNTPServer exploit outgoing"; flow:established,to_server; content:"POST"; depth:4; content:"/UD/act?1"; content:"urn:dslforum-org:service:Time:1#SetNTPServers"; threshold: type limit, track by_src, count 1, seconds 60; classtype:attempted-admin; reference:url,blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot; sid:2; rev:1;)

## cobaltstrike-extraspace.rules
alert tcp any any -> any any (msg:"FOX-IT - Trojan - Possible CobaltStrike C2 Server"; \
    flow:to_client; \
    content:"HTTP/1.1 200 OK |0d0a|"; fast_pattern; depth:18; \
    content:"Date: "; \
    pcre:"/^HTTP/1.1 200 OK \r\nContent-Type: [^\r\n]{0,100}\r\nDate: [^\r\n]{0,100} GMT\r\n(Content-Length: \d+\r\n)\r\n/"; \
    threshold:type limit, track by_dst, count 1, seconds 600; \
    classtype:trojan-activity; priority:2; \
    sid:21002217; rev:3;)

## log4shell-exploitation-attempts.rules
# Detects Log4j exploitation attempts
alert http any any -> $HOME_NET any (msg:"FOX-SRT - Exploit - Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:ldap://"; fast_pattern:only; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:web-application-attack; priority:3; reference:url, www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003726; rev:1;)

alert http any any -> $HOME_NET any (msg:"FOX-SRT - Exploit - Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:"; fast_pattern; pcre:"/\$\{jndi\:(rmi|ldaps|dns)\:/"; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:web-application-attack; priority:3; reference:url, www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:

## log4shell-hunting.rules
# Outgoing connection after Log4j Exploit Attempt (uses xbit from sid: 21003734) - requires `stream.inline=yes` setting in suricata.yaml for this to work
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Suspicious - Possible outgoing connection after Log4j Exploit Attempt"; flow:established, to_server; xbits:isset, fox.log4shell.attempt, track ip_src; stream_size:client, =, 1; stream_size:server, =, 1; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:bad-unknown; metadata:ids suricata; metadata:created_at 2021-12-12; priority:3; sid:21003740; rev:1;)

# Detects inbound Java class
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "FOX-SRT - Suspicious - Java class inbound"; flow:established, to_client; content: "|CA FE BA BE 00 00 00|"; depth:20; fast_pattern; threshold:type limit, track by_dst, count 1, seconds 43200; metadata:ids suricata; metadata:created_at 2021-12-12; classtype:bad-unknown; priority:3; sid:21003742; rev:2;)

## log4shell-probes.rules
# Possible successful interactsh probe
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"FOX-SRT - Webattack - Possible successful InteractSh probe observed"; flow:established, to_client; content:"200"; http_stat_code; content:"<html><head></head><body>"; http_server_body; fast_pattern; pcre:"/[a-z0-9]{30,36}<\/body><\/html>/QR"; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:misc-attack; reference:url, github.com/projectdiscovery/interactsh; metadata:created_at 2021-12-05; metadata:ids suricata; priority:2; sid:21003712; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"FOX-SRT - Suspicious - DNS query for interactsh.com server observed"; flow:stateless; dns_query; content:".interactsh.com"; fast_pattern; pcre:"/[a-z0-9]{30,36}\.interactsh\.com/"; threshold:type limit, track by_src, count 1, seconds 3600; reference:url, github.com/projectdiscovery/interactsh; classtype:bad-unknown; metadata:created_at 2021-12-05; metadata:ids suricata; priority:2; sid:21003713; rev:1;)

# Detecting
	Certificate:
	Data:
	Version: 3 (0x2)
	Serial Number:
	b3:41:c8:fd:5c:fa:8f:a5
	Signature Algorithm: sha1WithRSAEncryption
	Issuer: C=XX, ST=1, L=1, O=1, OU=1, CN=107.181.187.182/emailAddress=box@example.com
	Validity
	Not Before: Jun 4 10:15:01 2016 GMT
	Not After : Jun 4 10:15:01 2017 GMT
	# Signatures to detect successful abuse of the Juniper backdoor password over telnet.
	# Additionally a signature for detecting world reachable ScreenOS devices over SSH.

	alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Flowbit - Juniper ScreenOS telnet (noalert)"; flow:established,to_client; content:"Remote Management Console\|0d0a\|"; offset:0; depth:27; flowbits:set,fox.juniper.screenos; flowbits:noalert; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; sid:21001729; rev:2;)
	alert tcp any any -> $HOME_NET 23 (msg:"FOX-SRT - Backdoor - Juniper ScreenOS telnet backdoor password attempt"; flow:established,to_server; flowbits:isset,fox.juniper.screenos; flowbits:set,fox.juniper.screenos.password; content:"\|3c3c3c20257328756e3d2725732729203d202575\|"; offset:0; fast_pattern; classtype:attempted-admin; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; sid:21001730; rev:2;)
	alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Backdoor - Juniper Scr
	# IDS Signatures to detect Ticketbleed (CVE-2016-9244)
	# https://blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244/

	alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"FOX-SRT - Flowbit - TLS session resumption < 32 byte session id (noalert)"; flow:established,to_server; content:"\|1603\|"; depth:2; content:"\|01\|"; distance:3; within:1; byte_test:3,<,3000,0,relative; content:"\|03\|"; distance:3; within:1; byte_test:1,<,32,33,relative; byte_test:1,>,0,33,relative; flowbits:set,fox.ticketbleed.session; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 600; classtype:attempted-recon; reference:cve,2016-9244; reference:url,https://ticketbleed.com; reference:url,blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244; sid:21002061; rev:6;)
	alert tcp $HOME_NET [$HTTP_PORTS,443] -> $EXTERNAL_NET any (msg:"FOX-SRT - Vulnerability - Possible Succesful F5 Big-IP TLS Ticketbleed"; flow:established,to_client; flowbits:isset,fox.ticketbleed.session; content:"\|1603\|"; dep
	# Signatures for detecting Microsoft Word Intruder
	# https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html

	alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FOX-SRT - Trojan - Microsoft Word Intruder payload request"; content:"GET"; depth:3; flowbits:set,mwi; content:!"Referer\|3a\| "; content:!"Cookie\|3a\| "; uricontent:"&act=1"; fast_pattern: only; pcre:"/\/webstat\/image\.php\?id=[0-9]{8}/"; threshold: type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; reference:url,https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; sid:21001609; rev:1;)

	alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FOX-SRT - Trojan - Microsoft Word Intruder payload response"; flowbits:isset,mwi; content:"Content-Type\|3a\| application/octet-stream"; content:"Content-Description\|3a\| File Transfer"; pcre:"/filename=[0-9]{8}\.exe/"; threshold: type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; reference:url,https://www.fir
	# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:
	alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"\|84\|"; offset:16; depth:1; content:"\|02\|"; distance:1; within:1; fast_pattern; byte_test:4,>,5000,5,relative; byte_test:2,>,5000,11,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,53,relative; byte_test:4,=,fragment_match,137,relative; byte_test:4,=,fragment_match,237,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:5;)
	alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)
	alert tcp any any -> any any (msg:"FOX-IT - Trojan - Possible CobaltStrike C2 Server"; \
	flow:to_client; \
	content:"HTTP/1.1 200 OK \|0d0a\|"; fast_pattern; depth:18; \
	content:"Date: "; \
	pcre:"/^HTTP/1.1 200 OK \r\nContent-Type: [^\r\n]{0,100}\r\nDate: [^\r\n]{0,100} GMT\r\n(Content-Length: \d+\r\n)\r\n/"; \
	threshold:type limit, track by_dst, count 1, seconds 600; \
	classtype:trojan-activity; priority:2; \
	sid:21002217; rev:3;)
	# Detects Log4j exploitation attempts
	alert http any any -> $HOME_NET any (msg:"FOX-SRT - Exploit - Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:ldap://"; fast_pattern:only; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:web-application-attack; priority:3; reference:url, www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003726; rev:1;)

	alert http any any -> $HOME_NET any (msg:"FOX-SRT - Exploit - Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:"; fast_pattern; pcre:"/\$\{jndi\:(rmi\|ldaps\|dns)\:/"; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:web-application-attack; priority:3; reference:url, www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:
	# Outgoing connection after Log4j Exploit Attempt (uses xbit from sid: 21003734) - requires `stream.inline=yes` setting in suricata.yaml for this to work
	alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Suspicious - Possible outgoing connection after Log4j Exploit Attempt"; flow:established, to_server; xbits:isset, fox.log4shell.attempt, track ip_src; stream_size:client, =, 1; stream_size:server, =, 1; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:bad-unknown; metadata:ids suricata; metadata:created_at 2021-12-12; priority:3; sid:21003740; rev:1;)

	# Detects inbound Java class
	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "FOX-SRT - Suspicious - Java class inbound"; flow:established, to_client; content: "\|CA FE BA BE 00 00 00\|"; depth:20; fast_pattern; threshold:type limit, track by_dst, count 1, seconds 43200; metadata:ids suricata; metadata:created_at 2021-12-12; classtype:bad-unknown; priority:3; sid:21003742; rev:2;)
	# Possible successful interactsh probe
	alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"FOX-SRT - Webattack - Possible successful InteractSh probe observed"; flow:established, to_client; content:"200"; http_stat_code; content:"<html><head></head><body>"; http_server_body; fast_pattern; pcre:"/[a-z0-9]{30,36}<\/body><\/html>/QR"; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:misc-attack; reference:url, github.com/projectdiscovery/interactsh; metadata:created_at 2021-12-05; metadata:ids suricata; priority:2; sid:21003712; rev:1;)
	alert dns $HOME_NET any -> any 53 (msg:"FOX-SRT - Suspicious - DNS query for interactsh.com server observed"; flow:stateless; dns_query; content:".interactsh.com"; fast_pattern; pcre:"/[a-z0-9]{30,36}\.interactsh\.com/"; threshold:type limit, track by_src, count 1, seconds 3600; reference:url, github.com/projectdiscovery/interactsh; classtype:bad-unknown; metadata:created_at 2021-12-05; metadata:ids suricata; priority:2; sid:21003713; rev:1;)

	# Detecting