Networkforensic

Threat hunting

List of created SNORT and Suricata rules

Password protection on all zip files
All rule archives below are password protected: to run and test the SNORT and Suricata IDS rules you first need the password to unzip the files.
You can request the password by e-mail; the address is on my contact page.

NF IDS rules
Latest change date: 09-08-2024
File name: NF-local.zip
SHA1: 3b4927296220aa789480979c0152c9a11c5dc035

SCADA IDS rules
Latest change date: 02-07-2023
File name: NF-SCADA.zip
SHA1: bca0fa064cdddf9bb60b8ba95edd9b286aa3e02e

Known scanners IDS rules
Latest change date: 30-12-2023
File name: NF-Scanners.zip
SHA1: bd0579f3feff4711cdb0ad4383a90e4f9ee25668

NF-Suricata rules
Latest change date: 13-12-2023
File name: NF-Suricata.zip
SHA1: 59cc8c39e2b8ab63b84bca1ff0a12df1c4e24af9

Note: If a rule fails to load in Suricata, please send me a note with the error message Suricata prints and the rule's SID (sid:) number, so the rule can be fixed in the next revision.
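Before deploying one of the archives above, a practitioner will want to confirm its SHA1 against the value listed here, check the extracted rule set for duplicate SIDs, and test-load it; Suricata's `-T` mode prints the failing rule together with its sid, which is exactly what the note above asks you to report. The script below is an added example and is not part of this page or its rule sets. It assumes GNU coreutils (sha1sum), unzip and an optional Suricata install with its config at /etc/suricata/suricata.yaml; the rule lines used to exercise it are constructed test data, not rules from the NF sets. Keep in mind that a matching SHA1 only proves the file is the one this page describes: it is a checksum, not a signature, so it is only as trustworthy as the page you read it from.

```shell
#!/bin/sh
# Added example, not part of the rule sets on this page.
# Checks a downloaded rule archive against the SHA1 listed above, extracts it,
# reports duplicate SIDs, and test-loads the rules with Suricata.
# Assumptions: GNU coreutils (sha1sum), unzip, and an optional Suricata install
# whose config is at /etc/suricata/suricata.yaml (override with SURICATA_CONF).

# Return 0 if the file's SHA1 matches the expected digest (case-insensitive).
verify_sha1() {
    _file="$1"
    _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    _actual=$(sha1sum "$_file" | cut -d ' ' -f 1)
    [ "$_actual" = "$_expected" ]
}

# Print every sid:NNN found in the given rule files, one number per line, sorted.
list_sids() {
    grep -hoE 'sid:[[:space:]]*[0-9]+' "$@" | grep -oE '[0-9]+' | sort -n
}

# Print SIDs that occur more than once; Suricata refuses to load duplicates.
duplicate_sids() {
    list_sids "$@" | uniq -d
}

# Dry-run load of one rule file with Suricata (-T validates and exits, no capture).
test_load() {
    _conf="${SURICATA_CONF:-/etc/suricata/suricata.yaml}"
    if ! command -v suricata >/dev/null 2>&1; then
        echo "suricata not installed; skipping load test for $1" >&2
        return 0
    fi
    suricata -T -c "$_conf" -S "$1" -l "$(mktemp -d)"
}

# Usage: NF_ZIP=NF-Suricata.zip NF_SHA1=59cc8c39e2b8ab63b84bca1ff0a12df1c4e24af9 sh check-rules.sh
# unzip prompts for the archive password; it is deliberately not passed via -P,
# which would expose it in the process list and shell history.
if [ -n "${NF_ZIP:-}" ] && [ -n "${NF_SHA1:-}" ]; then
    verify_sha1 "$NF_ZIP" "$NF_SHA1" || { echo "SHA1 mismatch for $NF_ZIP: do not use it" >&2; exit 1; }
    _out=$(mktemp -d)
    unzip -q "$NF_ZIP" -d "$_out"
    # mktemp paths contain no spaces, so unquoted word splitting is safe here
    set -- $(find "$_out" -name '*.rules')
    [ "$#" -gt 0 ] || { echo "no .rules files found in $NF_ZIP" >&2; exit 1; }
    _dups=$(duplicate_sids "$@")
    [ -z "$_dups" ] || { echo "duplicate SIDs:" "$_dups" >&2; exit 1; }
    for _f in "$@"; do test_load "$_f"; done
fi
```

Run it with NF_ZIP and NF_SHA1 set to the file name and digest listed above for the archive you downloaded. If the hash does not match, stop there: the download is either corrupted or not the file this page describes. If Suricata rejects a rule, its output names the rule and its sid, which is what to include in the note requested above.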


Changes from 2024
Test rules updated - 09-08-2024
Radius Server - 20-07-2024
Kerio crash FTP - 05-06-2024
Kerio crash domain - 05-06-2024
Zendesk Crypto mining - 14-05-2024
Russian RMS Agent - 01-04-2024

Kali - 29-03-2024
Synology Quickconnect - 29-02-2024
TightVNC - Failed Auth - 29-02-2024

Trojan Downloader:Linux/Morila!MTB - 01-01-2024

Changes from 2023
RDP Connection from outside - 21-12-2023
BIMP-BotNet - updates - 13-12-2023
DNS Tunneling - 06-12-2023
BitCoin Miner c3pool - 03-12-2023
BitCoin Miner xmrig - 03-12-2023

Win32/Znyonm - 28-11-2023
Remcos-RAT - 26-09-2023
BIMP-BotNet - 26-09-2023

MQTT bruteforce - 08-09-2023
MQTT Clear txt use - 08-09-2023
MQTT Mustang panda - 08-09-2023

Trojan Formbook - 28-06-2023
Zyxel ZyWALL RCE - 29-05-2023
PikaBot Trojan payload download - 27-05-2023
Reverse Shell Without TTY - 27-05-2023
ELF executable download - 27-05-2023
MIPS extn file - 27-05-2023
MooBOT / Mirai - 27-05-2023

CCleaner - Anti-Forensic - 24-04-2023
WPAD.DK - 24-04-2023

Firefox IE 11 Policy rule - 07-04-2023
ISL Remote tool - 11-03-2023
RedLine Stealer - 05-03-2023
net.tcp port sharing - 03-03-2023
NetSupport RAT - 26-02-2023
Webdav getting BAT, Config or Manifest files - 25-02-2023
Trojan Rhadamanthys Stealer - 07-01-2023
HTTP Traffic on Websocket - 07-01-2023

TOR Browser - 01-01-2023

Changes from 2022

Cloud Shovel - Linux Rootkit - Worm capabilities - 05-12-2022
Malware IcedID BackConnect (Update to new REV) - 04-12-2022
RemCos-RAT - 03-12-2022
Malware IcedID BackConnect - Start VNC command - 22-11-2022
Kali linux updating - 12-11-2022
Malware IcedID BackConnect - Start VNC command - 03-11-2022
Malware IcedID BackConnect - Start file manager command  - 03-11-2022
Malware IcedID BackConnect - ReverseShell active  - 03-11-2022

Malware IcedID BackConnect - Wait command -  02-11-2022
AeroAdmin remote tool - 28-10-2022
AnyViewer remote tool - 28-10-2022
GetScreen remote tool - 28-10-2022
IperiusRemote remote tool - 28-10-2022
RustDesk remote tool - 28-10-2022

PDFConverter - PUA/ADWARE - 11-10-2022
Flux distributed bitcoin mining - 27-09-2022
DarkVNC (Encrypted) - 21-08-2022
IceID / BumbleBee - 21-08-2022

Realtek - CVE-2022-27255 - 16-08-2022
Blocked by Danish Law - 10-08-2022

TCP Window 0 attack or Network Congestion - 06-08-2022
Heimdal blocking page - 22-07-2022
Cobalt Strike - 30-06-2022
DarkVNC - 30-06-2022

Vidar Trojan - 27-06-2022
Matanbuchus - 19-06-2022
Matanbuchus - 18-06-2022
Bumblebee malware downloader - 14-06-2022

SCADA rule - Industroyer2 - On state - 21-02-2022
SCADA rule - Industroyer2 - Off state - 21-02-2022
AsyncRAT - 02-05-2022
Metastealer - 14-04-2022
Generic RTLO detection - 19-03-2022
Generic web-site defacement - 16-03-2022
Stretchoid scanning - 13-03-2022
Binaryedge.ninja scanning - 13-03-2022
DNSCat2 - 06-03-2022
Hola Proxy VPN - 05-03-2022
radmin remote - 03-03-2022

SYN packet with payload - 03-03-2022
FIN packet with payload - 03-03-2022

Atera - 01-03-2022
Splashtop - 01-03-2022

TOR 11.x - 28-02-2022
BVP47 - 24-02-2022
NetWiredRC RAT - 19-02-2022
NetSupport RAT - 19-02-2022
QuasarRAT - 19-02-2022
CrimsonRAT - 19-02-2022
AsyncRAT - 19-02-2022
AgentTeslaRAT - 19-02-2022
CyberGateRAT - 19-02-2022
NanocoreRAT - 19-02-2022
NjRatRAT - 19-02-2022

Emotet SPAM - 23-01-2022
Emotet Trojan - 19-01-2022
ylmf-pc password attacks - 17-01-2022

Changes from 2021
Astaroth/Guildma Banking Trojan - 30-12-2021
Netsystemsresearch - 28-12-2021
Apache Log4J - 27-12-2021
IE 9 / 10 / 11 detection - 26-12-2021

Censys scanning - 22-12-2021
IOT BotNet password attacks - 21-12-2021
Apache Log4J obfuscation used - 20-12-2021
Apache Log4J - 18-12-2021 - R2
HTTP GET Request on SMTP mail port - 20-12-2021
tnscmd10g PJL Command on mail port - 20-12-2021

IOT BotNet password guessing attack - 16-12-2021
Open IDS rules - CrowdStrike log4J - 12-12-2021
Apache Log4J - 11-12-2021
MS sinkhole - Nickel - 11-12-2021
Internet Census Scanning - 11-12-2021

IOT BotNet password guessing attack - 10-12-2021
Internet Census Scanning - 27-10-2021

F-Secure Scanning - 27-10-2021
Censys Scanning - 27-10-2021

Danish CPR numbers - 21-10-2021
HPE-iLO 4 - 19-10-2021

QUIC test rules - 01-10-2021

Remcos-RAT - 26-09-2021
Shodan scanning - 25-09-2021
Trojan SQUIRRELWAFFLE LOADER - 25-09-2021
Filezilla Server - 15-07-2021

stretchoid - 14-06-2021
netsystemsresearch - 14-06-2021
criminalip - 14-06-2021
intrinsec - 14-06-2021

SHODAN - 01-06-2021
Recyber net scanning - 01-06-2021
SHODAN - 31-05-2021
Recon security ipip - 14-05-2021
Binaryedge Recon - 20-03-2021
Brave Browser - 22-02-2021
TOR-Browser 10.x - 13-03-2021
Rule house keeping for Suricata - 11-02-2021
Shodan Scanning Rules - 10-02-2021
Smokeloader - 08-02-2021
Suspicious User agent - 08-02-2021

Nugget Phantom - 10-01-2021
PurpleFOX EK - 10-01-2021
Generic WP downloads - 10-01-2021
Policy VPN Rule - 10-01-2021

Changes from 2020
Sunburst Countermeasures - 17-12-2020
Circles attack platform - 12-12-2020
MS Test beacon on ICMP traffic - 11-12-2020
Fireeye Red team tool countermeasures - 09-12-2020
Mindspark browser add-on malware - 08-12-2020
ReportIP-hostslick-de Recon - 30-11-2020
Steam Data Theft - 29-11-2020
Valak / TA551 (Shathak) - 24-11-2020
Generic detection for HTTPS to known BAD TLD - 23-11-2020

Korea University - AI Spera - Recon - 14-10-2020
Binaryedge recon - 29-09-2020
Censys recon - 29-09-2020
Trojan LokiBot - 12-09-2020
Microsoft BITS 10.1 - 12-09-2020

MATA Proxy - Lazarus APT - 23-08-2020
Unsupported Win7 and 8 - 17-08-2020
Signal invalid cert - 27-07-2020
Signal Footprinting - 27-07-2020

SIGRed DOS Exploit - 24-07-2020
Modbus IDS rules in NF-SCADA ruleset - 28-06-2020
SMBleed - 16-06-2020
Trojan Raccoon Stealer - 26-05-2020
Crimson RAT - 22-03-2020
Calyx TOR anonymiser device - 19-03-2020

Generic IcedID - 17-03-2020
TTL below 30 - 14-03-2020
Generic IcedID (BokBot) update - 14-03-2020

TLD Domains - 14-03-2020
Generic IcedID (BokBot) - 11-03-2020
Generic Qbot - 20-02-2020
Malware sinkhole - 11-02-2020

PlugX - 09-02-2020
Microsoft CryptoAPI - 01-02-2020
NordVPN IP detection - 31-01-2020
LLMNR - Protocol detection - 26-01-2020
Citrix ADC exploit - 12-01-2020

Changes from 2019
Outbound Mail Commands - 31-10-2019
CSIS policy rules - information leaks - 27-10-2019

Seized by The Danish State - 15-10-2019
Hancitor - 15-10-2019
IPSec from outside to inside - 05-10-2019
Eternal Blue - 28-09-2019
Quasar-RAT - 25-09-2019
PowerShell over HTTP - 22-09-2019
Remcos-RAT - 11-09-2019
Team-Cymru-Malware-Hash-Lookup - 04-09-2019

Netsupport RAT - 01-09-2019
Netwire-RAT - 26-08-2019
Possible DNS Tunneling on TCP - 18-08-2019
Trojan MedusaHTTP - 15-08-2019
njRAT - 13-08-2019
Lord EK - Eris Ransomware - 12-08-2019
Supertuneup spyware / virus - 16-07-2019

Censys Scanning - 17-06-2019
WPAD Policy Rule - 11-06-2019
Windows USB metadata - 08-06-2019

AnyDesk - 25-05-2019
BlueKeep RDP attack - 24-05-2019
ShadowServer Scanning - 18-05-2019
Qbot FTP data xfil - 19-04-2019
IP-Address lookup - 19-04-2019
Outbound mail not from mailservers - 19-04-2019

ICMP Tunnel - 26-03-2019
DNS Tunnel - 26-03-2019

Spelevo EK - 24-03-2019
Domain TLDRules - 19-03-2019
Community rules - 19-03-2019
Cobalt Strike Pentest Tool - 03-03-2019
Trojan Vidar - 28-02-2019
Policy WinRar - 28-02-2019
F-Response - 24-02-2019

Community rules - 18-02-2019

PDFescape - 13-02-2019

Monerohash pirate coinminer - 05-02-2019
Community rules - 02-02-2019

Known Recon - 02-02-2019
RDP Handshake - 24-01-2019

Community rules - 17-01-2019

Policy Rules - 17-01-2019
NanoCore Trojan - 09-01-2019
China Hopper - 05-01-2019
Community rules - 05-01-2019

Changes from 2018
ISCSI device login - 14-12-2018
Honeypot top rules - 14-12-2018

Trojan Socks5systemz - 10-12-2018
Flawed Ammyy RAT - 02-12-2018
ISAKMP VPN Connection setup - 29-11-2018
3ve sinkhole - 29-11-2018

XmlRPC C2 Channel - 10-11-2018
Major rule change from 1346 to 847 - 03-11-2018
Outbound SMB connections and attempts - 26-10-2018

Empire Powershell - 17-10-2018
icanhazip IP lookups - 17-10-2018

WinHTTP Web Proxy Auto-Discovery Service - 02-10-2018
TOR V8 starting UP - 22-09-2018
11 generic rules based on a compromised infrastructure - 22-09-2018
Generic DNS Response - 25-08-2018

Apache Struts CVE-2018-11776 - 25-08-2018
Image file trick - 08-07-2018
Trickbot data-xfil - 01-07-2018

Emotet - 27-06-2018
Trickbot - 27-06-2018
IcedID - 27-06-2018

NetCut ARP attack tool - 23-06-2018
ZeroFont Attack - 21-06-2018
TLD domains - 18-06-2018

Sofacy - 10-06-2018
Microsoft Excel UserAgent - 26-05-2018
DNS TXT standard query - 22-05-2018
PowerShell rules - 05-05-2018
ngrok tunnel - 30-04-2018
QUIC Protocol - 27-04-2018

Cisco Smart Install - 19-04-2018
EITest sinkhole - 15-04-2018
Policy - 27-03-2018
WannaCry.A killswitch domain - 16-03-2018
APT - Finfisher - 11-03-2018
SHODAN - 05-03-2018

Memcached DDoS Amplification - 03-03-2018
GoPhish - 25-02-2018
TOR-Browser v7.5 detection - 19-02-2018
Bitmessage - 17-02-2018

Trojan Quant - 12-02-2018
TEST-Rules - 08-02-2018
X509 Covert channel - 07-02-2018
SSH not normal ports - 05-02-2018
NMAP scanning - 05-02-2018
SSLv3 - 05-02-2018

XMRig CPU Miner Trojan - 05-02-2018
Mail Spoofing with XSS - 03-02-2018
Certutil - 21-01-2018

vPro Intel - 15-01-2018


Changes from 2017
92 SCADA Rules - 30-12-2017
cpuMiNer Trojan - 17-12-2017
XmRig Trojan - 16-12-2017
Popcorntime rules deleted - 13-12-2017
Seized by The Danish State - 13-12-2017
TOR-Detection Rev 3 - 10-12-2017
SHODAN Rev 3 - 09-12-2017
Andromeda sinkhole - 05-12-2017
APT 3 - Buckeye - 29-11-2017
Scarab Ransomware - 27-11-2017
APT-OilRIG - 27-11-2017
7sign - 26-11-2017
Netflix Phishing - 23-11-2017
RDP on non-standard ports - 12-11-2017
Necurs Botnet - 22-10-2017
Office 365 phishing - 13-10-2017
CCleaner-APT - 23-09-2017
KHRAT DragonOK - 03-09-2017
APT 17 - 29-08-2017
APT 28 C2 - 20-08-2017
University Of Michigan - 09-08-2017
Stretchoid - 02-08-2017
Project25499 - 24-07-2017
Fancy Bear APT 28 - Sinkhole - 24-07-2017
SHODAN - 24-07-2017
DNSMessenger - 16-06-2017
DNS TXT Request - 16-06-2017
Hancitor URL Struct - 14-06-2017
Unencrypted traffic on port 443 - 03-06-2017
EternalBlue attacks - 03-06-2017
Fireball malware - 02-06-2017
TDC Phishing - 17-05-2017
Ping of Death - 11-05-2017
Lan-Turtle - 08-05-2017
Unsupported remote web-server - 22-04-2017
Unsupported local web-server - 22-04-2017
e-boks.dk and COM as punycode - 20-04-2017
Punycode DNS lookup - COM and DK domains - 19-04-2017
Turla’s second stage backdoor - 03-04-2017
Outcome of an Apache Struts 2 attack - 23-03-2017
Ransomware Cryptolocker - 08-03-2017
Gamaredon Group - 05-03-2017
Cerber Ransomware - 24-02-2017
Spora Ransomware - 23-02-2017
Spora Ransomware - 21-02-2017
APT - Magic Hound - 19-02-2017
Adposhel.A - 21-01-2017
Ransomware - 21-01-2017
Policy Rule added - 01-07-2017

Changes from 2016
GRIZZLY STEPPE - 31-12-2016
Trojan WisdomEyes - 21-12-2016
File Type Downloads - 21-12-2016
Ask toolbar - 27-11-2016
BLU R1 HD Android Spyware - 22-11-2016
Ragentek Android OTA update - 20-11-2016
Blacknurse attack - 20-11-2016
Blacknurse attack - 10-11-2016
CLDAP DDOS Attacks - 23-10-2016
Web search engine - 09-10-2016
APT - OilRig - 05-10-2016
Suspicious Behavior - 03-10-2016
Suspicious Behavior - 01-10-2016
Popcorn Time - 01-10-2016
MILE TEA Cyber Espionage C2 IPs - 19-09-2016
Backdoor.OSX.Mokes.a - 09-09-2016
Ransomware - 04-09-2016
Operation Ghoul - 21-08-2016
Error code 522 - 18-08-2016
Policy CSIS - 16-08-2016
Ransomware LockyCrypt - 13-08-2016
ProjectSauron APT - 13-08-2016
Kerio-Mailserver - 28-07-2016
POLICY - HMA VPN Service - 18-07-2016
Kerio mailserver password attack Rev 2 - 15-07-2016
APT - NFG - Furtims Derivative - 13-07-2016
TOR SSL NAT Check - 11-07-2016
KeyBase Keylogger - 07-07-2016
CCTV-Botnet using HULK DDOS attacks - 07-07-2016
APT - The Four Element Sword Engagement - 07-07-2016
Cerber Ransomware - 28-06-2016
Locky Ransomware - 28-06-2016
THE XDEDIC MARKETPLACE - APT-as-a-service - 21-06-2016
NF - APT 28 - 14-06-2016
Unauthorized scanning - Internet Research Project - 10-06-2016
NF - POLICY - Teamviewer - 05-06-2016
The OilRig Campaign - 31-05-2016
Wekby and HttpBrowser RAT 2 - 30-05-2016
TidePOOL - Generic - 29-05-2016
Ransomware CryptXXX - 29-05-2016
Errata Security scanning - 25-05-2016
APT - Operation Groundbait - 21-05-2016
PUA - BITSadmin - Policy - malware domains - 21-05-2016
Ransomware CryptXXX - 14-05-2016
Bitsadmin Download Rev 2 - 09-05-2016
Bitsadmin Download - 08-05-2016
Cerber Ransomware - 05-05-2016
APT - PLATINUM - 29-04-2016
POLICY Rules - SHODAN - 24-04-2016
Ransomware C2 - 19-04-2016
Housekeeping in rules - 12-04-2016
DDOS on RUST Gaming servers - 09-04-2016
Ransomware - Lucky - 08-04-2016
TreasureHunt POS malware - 03-04-2016
Ransomware Lucky - 31-03-2016
Ransomware Lucky - 30-03-2016
Ransomware Lucky - 29-03-2016
Ransomware Lucky - 28-03-2016
APT - ProjectM - sid:5019701 - 26-03-2016
APT - C-Major - sid:5019801 - 26-03-2016
APT - Transparent Tribe - 26-03-2016
Trojan.Downloader js script executed - Teslacrypt - 23-03-2016
Trojan.Downloader js script - 15-03-2016
Trojan.Downloader js script - 14-03-2016
Unsupported browser for server 2008 - 12-03-2016
NTPD Kiss-o'-Death - 05-03-2016
Linux-Mint Backdoor - 27-02-2016
Lucky Ransomware - 21-02-2016
Hydracrypt ransomware - 06-02-2016
Nanolocker Ransomware - 01-02-2016
SKAT Phishing - 23-01-2016
Post-Danmark-Attacks - 21-01-2016
APT-PlugX - 17-01-2016
RDP Keyboard layouts - 16-01-2016
Ring Video Doorbell - 14-01-2016
Nordea Phishing - 12-01-2016
GovRAT signed malware - 10-01-2016

Changes from 2015
Mail related - CSIS - Ransomware - POLICY - Covert Channels - 31-12-2015

POLICY Rules - CSIS - 23-12-2015
POLICY Rules - CSIS - 21-12-2015
Juniper ScreenOS Authentication Backdoor - 21-12-2015
OLD RULES REMOVED - 08-12-2015
SHODAN - 08-12-2015
Nordea Phishing Rules - 08-12-2015
DSDTestProvider - 05-12-2015
Nordea Phishing Rules - 05-12-2015

eDellRoot - 29-11-2015
APT - W32/Wonknu.A - 26-11-2015
Nordea Phishing - 16-11-2015
HTtrack - 16-11-2015

China SPAM ATTACKS - 15-11-2015
Cryptowall 4.0 - 07-11-2015
Nordea Phishing Rules update - 02-11-2015

NF IDS Rules - Download

NF-SCADA - Download

NF-Scanners - Download

NF-Suricata Rules - Download