Networkforensic

Cyber threat hunting

List of created SNORT rules

Latest change date: 08-07-2018
Number of rules: 1325

Changes from 2018
Image file trick - 08-07-2018
Trickbot data-xfil - 01-07-2018
Emotet - 27-06-2018
Trickbot - 27-06-2018
IcedID - 27-06-2018
NetCut ARP attack tool - 23-06-2018
ZeroFont Attack - 21-06-2018
TLD domains - 18-06-2018
Sofacy - 10-06-2018
Microsoft Excel User-Agent - 26-05-2018
DNS TXT standard query - 22-05-2018
PowerShell rules - 05-05-2018
ngrok tunnel - 30-04-2018
QUIC Protocol - 27-04-2018
Cisco Smart Install - 19-04-2018
EITest sinkhole - 15-04-2018
Policy - 27-03-2018
WannaCry.A killswitch domain - 16-03-2018
APT - Finfisher - 11-03-2018
SHODAN - 05-03-2018
Memcached DDoS Amplification - 03-03-2018
GoPhish - 25-02-2018
TOR-Browser v7.5 detection - 19-02-2018
Bitmessage - 17-02-2018
Trojan Quant - 12-02-2018
TEST-Rules - 08-02-2018
X509 Covert channel - 07-02-2018
SSH not normal ports - 05-02-2018
NMAP scanning - 05-02-2018
SSLv3 - 05-02-2018
XMRig CPU Miner Trojan - 05-02-2018
Mail Spoofing with XSS - 03-02-2018
Certutil - 21-01-2018
vPro Intel - 15-01-2018


Changes from 2017
92 SCADA Rules - 30-12-2017
cpuMiNer Trojan - 17-12-2017
XmRig Trojan - 16-12-2017
Popcorntime rules deleted - 13-12-2017
Seized by The Danish State - 13-12-2017
TOR-Detection Rev 3 - 10-12-2017
SHODAN Rev 3 - 09-12-2017
Andromeda sinkhole - 05-12-2017
APT 3 - Buckeye - 29-11-2017
Scarab Ransomware - 27-11-2017
APT-OilRIG - 27-11-2017
7sign - 26-11-2017
Netflix Phishing - 23-11-2017
RDP on non-standard ports - 12-11-2017
Necurs Botnet - 22-10-2017
Office 365 phishing - 13-10-2017
CCleaner-APT - 23-09-2017
KHRAT DragonOK - 03-09-2017
APT 17 - 29-08-2017
APT 28 C2 - 20-08-2017
University Of Michigan - 09-08-2017
Stretchoid - 02-08-2017
Project25499 - 24-07-2017
Fancy Bear APT 28 - Sinkhole - 24-07-2017
SHODAN - 24-07-2017
DNSMessenger - 16-06-2017
DNS TXT Request - 16-06-2017
Hancitor URL Struct - 14-06-2017
Unencrypted traffic on port 443 - 03-06-2017
EternalBlue attacks - 03-06-2017
Fireball malware - 02-06-2017
TDC Phishing - 17-05-2017
Ping of Death - 11-05-2017
Lan-Turtle - 08-05-2017
Unsupported remote web-server - 22-04-2017
Unsupported local web-server - 22-04-2017
e-boks.dk and COM as punycode - 20-04-2017
Punycode DNS lookup - COM/DK domains - 19-04-2017
Turla’s second stage backdoor - 03-04-2017
Outcome of an Apache Struts 2 attack - 23-03-2017
Ransomware Cryptolocker - 08-03-2017
Gamaredon Group - 05-03-2017
Cerber Ransomware - 24-02-2017
Spora Ransomware - 23-02-2017
Spora Ransomware - 21-02-2017
APT - Magic Hound - 19-02-2017
Adposhel.A 21-01-2017
Ransomware 21-01-2017
Policy Rule added - 01-07-2017

Changes from 2016

GRIZZLY STEPPE - 31-12-2016
Trojan WisdomEyes - 21-12-2016
File Type Downloads - 21-12-2016
Ask toolbar - 27-11-2016
BLU R1 HD Android Spyware - 22-11-2016
Ragentek Android OTA update - 20-11-2016
Blacknurse attack - 20-11-2016
Blacknurse attack - 10-11-2016
CLDAP DDOS Attacks - 23-10-2016
Web search engine - 09-10-2016
APT - OilRig - 05-10-2016
Suspicious Behavior - 03-10-2016
Suspicious Behavior - 01-10-2016
Popcorn Time - 01-10-2016
MILE TEA Cyber Espionage C2 IPs - 19-09-2016
Backdoor.OSX.Mokes.a - 09-09-2016
Ransomware - 04-09-2016
Operation Ghoul - 21-08-2016
Error code 522 - 18-08-2016
Policy CSIS - 16-08-2016
Ransomware LockyCrypt - 13-08-2016
ProjectSauron APT - 13-08-2016
Kerio-Mailserver - 28-07-2016
POLICY - HMA VPN Service - 18-07-2016
Kerio mailserver password attack Rev 2 - 15-07-2016
APT - NFG - Furtims Derivative - 13-07-2016
TOR SSL NAT Check - 11-07-2016
KeyBase Keylogger - 07-07-2016
CCTV-Botnet using HULK DDOS attacks - 07-07-2016
APT - The Four Element Sword Engagement 07-07-2016
Cerber Ransomware - 28-06-2016
Locky Ransomware - 28-06-2016
THE XDEDIC MARKETPLACE - APT-as-a-service - 21-06-2016
NF - APT 28 - 14-06-2016
Unauthorized scanning - Internet Research Project - 10-06-2016
NF - POLICY - Teamviewer - 05-06-2016
The OilRig Campaign - 31-05-2016
Wekby and HttpBrowser RAT 2 - 30-05-2016
TidePOOL - Generic - 29-05-2016
Ransomware CryptXXX - 29-05-2016
Errata Security scanning - 25-05-2016
APT - Operation Groundbait - 21-05-2016
PUA - BITSadmin - Policy - malware domains - 21-05-2016
Ransomware CryptXXX - 14-05-2016
Bitsadmin Download Rev 2 - 09-05-2016
Bitsadmin Download - 08-05-2016
Cerber Ransomware - 05-05-2016
APT - PLATINUM - 29-04-2016
POLICY Rules - SHODAN - 24-04-2016
Ransomware C2 - 19-04-2016
Housekeeping in rules 12-04-2016
DDOS on RUST Gaming servers - 09-04-2016
Ransomware - Lucky 08-04-2016
TreasureHunt POS malware - 03-04-2016
Ransomware Lucky - 31-03-2016
Ransomware Lucky - 30-03-2016
Ransomware Lucky - 29-03-2016
Ransomware Lucky - 28-03-2016
APT - ProjectM - sid:5019701 - 26-03-2016
APT - C-Major - sid:5019801 - 26-03-2016
APT - Transparent Tribe - 26-03-2016
Trojan.Downloader js script executed - Teslacrypt - 23-03-2016
Trojan.Downloader js script 15-03-2016
Trojan.Downloader js script 14-03-2016
Unsupported browser for server 2008 - 12-03-2016
NTPD Kiss-o'-Death - 05-03-2016
Linux-Mint Backdoor 27-02-2016
Lucky Ransomware 21-02-2016
Hydracrypt ransomware 06-02-2016
Nanolocker Ransomware 01-02-2016
SKAT Phishing 23-01-2016
Post-Danmark-Attacks - 21-01-2016
APT-PlugX - 17-01-2016
RDP Keyboard layouts - 16-01-2016
Ring Video Doorbell 14-01-2016
Nordea Phishing 12-01-2016
GovRAT signed malware - 10-01-2016

Changes from 2015

Mail related - CSIS - Ransomware - POLICY - Covert Channels - 31-12-2015

POLICY Rules - CSIS - 23-12-2015
POLICY Rules - CSIS - 21-12-2015
Juniper ScreenOS Authentication Backdoor - 21-12-2015
OLD RULES REMOVED - 08-12-2015
SHODAN - 08-12-2015
Nordea Phishing Rules 08-12-2015
DSDTestProvider - 05-12-2015
Nordea Phishing Rules - 05-12-2015

eDellRoot - 29-11-2015
APT - W32/Wonknu.A - 26-11-2015
Nordea Phishing - 16-11-2015
HTTrack - 16-11-2015

China SPAM ATTACKS - 15-11-2015
Cryptowall 4.0 - 07-11-2015
Nordea Phishing Rules update - 02-11-2015