Networkforensic

Threat hunting

List of created SNORT and Suricata rules

NF IDS rules
Latest change date: 29-03-2024
File name: NF-local.zip
SHA1: 388ef81f4fd9e33da9fefb3278d34c13d9225b0d

SCADA IDS rules
Latest change date: 02-07-2023
File name: NF-SCADA.zip
SHA1: f0edd58a62e4e7be35272f6779b1192ca0188b4a

Known scanners IDS rules
Latest change date: 30-12-2023
File name: NF-Scanners.zip
SHA1: 15e481150be6e14d280fcd5e871ff87589c3ef2b

NF-Suricata rules
Latest change date: 13-12-2023
File name: NF-Suricata.zip
SHA1: 490cec6bb7878b8b4e1166bd08fd372f1411f149

Note: If a rule fails to load in Suricata, please send me a note with the error message and the rule ID (sid) number.
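Added example, not the ruleset author's script: a small POSIX shell helper that checks a downloaded archive against the SHA1 listed above and then runs Suricata in test mode (suricata -T) against just that rule file, so a rule that fails to parse is reported together with its sid before the ruleset goes into production. The hash check catches a truncated or corrupted download; SHA1 is not collision resistant, so a matching hash is not proof of who produced the archive. The demo at the bottom hashes a constructed three-byte file, not one of the archives; the config path /etc/suricata/suricata.yaml and the /tmp log directory are assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example (not part of the NF rulesets): verify a downloaded rule archive
# against the SHA1 published on the page, then test-load the rules in Suricata.

# verify_sha1 FILE EXPECTED_SHA1
# Returns 0 when the file's SHA1 matches EXPECTED_SHA1 (case-insensitive),
# 1 otherwise. Only detects corruption/truncation; it does not prove origin.
verify_sha1() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file expected $expected got $actual" >&2
    return 1
}

# test_rules RULEFILE [SURICATA_YAML]
# Runs Suricata in test mode (-T) with only this rule file loaded (-S), so any
# rule that fails to parse is reported with its sid and Suricata exits non-zero.
# Config path and log directory are assumptions; returns 0 with a warning when
# suricata is not installed so the hash check is still usable on its own.
test_rules() {
    rules="$1"
    cfg="${2:-/etc/suricata/suricata.yaml}"
    if ! command -v suricata >/dev/null 2>&1; then
        echo "suricata not installed; skipping rule test for $rules" >&2
        return 0
    fi
    suricata -T -c "$cfg" -S "$rules" -l /tmp
}

# Demo on a constructed file (not one of the page's archives): the SHA1 of the
# three bytes "abc" is the standard FIPS 180 test vector.
demo_file=$(mktemp)
printf 'abc' > "$demo_file"
verify_sha1 "$demo_file" a9993e364706816aba3e25717850c26c9cd0d89d
if verify_sha1 "$demo_file" 0000000000000000000000000000000000000000; then
    echo "unexpected match" >&2
fi
rm -f "$demo_file"
```

For a real download, call verify_sha1 with the archive and the SHA1 listed above (for example NF-local.zip and 388ef81f4fd9e33da9fefb3278d34c13d9225b0d), unzip it only if that succeeds, and pass the extracted .rules file to test_rules before adding it to your Suricata rule-files list.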

Changes from 2024
Kali - 29-03-2024
Synology QuickConnect - 29-02-2024
TightVNC - Failed Auth - 29-02-2024

Trojan Downloader:Linux/Morila!MTB - 01-01-2024

Changes from 2023
RDP Connection from outside - 21-12-2023
BIMP-BotNet - updates - 13-12-2023
DNS Tunneling - 06-12-2023
Bitcoin Miner c3pool - 03-12-2023
Bitcoin Miner xmrig - 03-12-2023

Win32/Znyonm - 28-11-2023
Remcos-RAT - 26-09-2023
BIMP-BotNet - 26-09-2023

MQTT bruteforce - 08-09-2023
MQTT Clear txt use - 08-09-2023
MQTT Mustang panda - 08-09-2023

Trojan Formbook - 28-06-2023
Zyxel ZyWALL RCE - 29-05-2023
PikaBot Trojan payload download - 27-05-2023
Reverse Shell Without TTY - 27-05-2023
ELF executable download - 27-05-2023
MIPS extn file - 27-05-2023
MooBOT / Mirai - 27-05-2023

CCleaner - Anti-Forensic - 24-04-2023
WPAD.DK - 24-04-2023

Firefox IE 11 Policy rule - 07-04-2023
ISL Remote tool - 11-03-2023
RedLine Stealer - 05-03-2023
net.tcp port sharing - 03-03-2023
NetSupport RAT - 26-02-2023
Webdav getting BAT, Config or Manifest files - 25-02-2023
Trojan Rhadamanthys Stealer - 07-01-2023
HTTP Traffic on Websocket - 07-01-2023

TOR Browser - 01-01-2023

Changes from 2022

Cloud Shovel - Linux Rootkit - Worm capabilities - 05-12-2022
Malware IcedID BackConnect (Update to new REV) - 04-12-2022
RemCos-RAT - 03-12-2022
Malware IcedID BackConnect - Start VNC command - 22-11-2022
Kali linux updating - 12-11-2022
Malware IcedID BackConnect - Start VNC command - 03-11-2022
Malware IcedID BackConnect - Start file manager command  - 03-11-2022
Malware IcedID BackConnect - ReverseShell active  - 03-11-2022

Malware IcedID BackConnect - Wait command -  02-11-2022
AeroAdmin remote tool - 28-10-2022
AnyViewer remote tool - 28-10-2022
GetScreen remote tool - 28-10-2022
IperiusRemote remote tool - 28-10-2022
RustDesk remote tool - 28-10-2022

PDFConverter - PUA/ADWARE - 11-10-2022
Flux distributed bitcoin mining - 27-09-2022
DarkVNC (Encrypted) - 21-08-2022
IcedID / Bumblebee - 21-08-2022

Realtek - CVE-2022-27255 - 16-08-2022
Blocked by Danish Law - 10-08-2022

TCP Window 0 attack or Network Congestion - 06-08-2022
Heimdal blocking page - 22-07-2022
Cobalt Strike - 30-06-2022
DarkVNC - 30-06-2022

Vidar Trojan - 27-06-2022
Matanbuchus - 19-06-2022
Matanbuchus - 18-06-2022
Bumblebee malware downloader - 14-06-2022

SCADA rule - Industroyer2 - On state - 21-02-2022
SCADA rule - Industroyer2 - Off state - 21-02-2022
AsyncRAT - 02-05-2022
Metastealer - 14-04-2022
Generic RTLO detection - 19-03-2022
Generic web-site defacement - 16-03-2022
Stretchoid scanning - 13-03-2022
Binaryedge.ninja scanning - 13-03-2022
DNSCat2 - 06-03-2022
Hola Proxy VPN - 05-03-2022
radmin remote - 03-03-2022

SYN packet with payload - 03-03-2022
FIN packet with payload - 03-03-2022

Atera - 01-03-2022
Splashtop - 01-03-2022

TOR 11.x - 28-02-2022
BVP47 - 24-02-2022
NetWire RC RAT - 19-02-2022
NetSupport RAT - 19-02-2022
QuasarRAT - 19-02-2022
CrimsonRAT - 19-02-2022
AsyncRAT - 19-02-2022
AgentTeslaRAT - 19-02-2022
CyberGateRAT - 19-02-2022
NanocoreRAT - 19-02-2022
NjRatRAT - 19-02-2022

Emotet SPAM - 23-01-2022
Emotet Trojan - 19-01-2022
ylmf-pc password attacks - 17-01-2022

Changes from 2021
Astaroth/Guildma Banking Trojan - 30-12-2021
Netsystemsresearch - 28-12-2021
Apache Log4J - 27-12-2021
IE 9/10/11 detection - 26-12-2021

Censys scanning - 22-12-2021
IOT BotNet password attacks - 21-12-2021
Apache Log4J obfuscation used - 20-12-2021
Apache Log4J - 18-12-2021 - R2
HTTP GET Request on SMTP mail port - 20-12-2021
tnscmd10g PJL Command on mail port - 20-12-2021

IOT BotNet password guessing attack - 16-12-2021
Open IDS rules - CrowdStrike log4J - 12-12-2021
Apache Log4J - 11-12-2021
MS sinkhole - Nickel - 11-12-2021
Internet Census Scanning - 11-12-2021

IOT BotNet password guessing attack - 10-12-2021
Internet Census Scanning - 27-10-2021

F-Secure Scanning - 27-10-2021
Censys Scanning - 27-10-2021

Danish CPR numbers - 21-10-2021
HPE-iLO 4 - 19-10-2021

QUIC test rules - 01-10-2021

Remcos-RAT - 26-09-2021
Shodan scanning - 25-09-2021
Trojan SQUIRRELWAFFLE LOADER - 25-09-2021
Filezilla Server - 15-07-2021

stretchoid - 14-06-2021
netsystemsresearch - 14-06-2021
criminalip - 14-06-2021
intrinsec - 14-06-2021

SHODAN - 01-06-2021
Recyber net scanning - 01-06-2021
SHODAN - 31-05-2021
Recon security ipip - 14-05-2021
Binaryedge Recon - 20-03-2021
Brave Browser - 22-02-2021
TOR-Browser 10.x - 13-03-2021
Rule housekeeping for Suricata - 11-02-2021
Shodan Scanning Rules - 10-02-2021
Smokeloader - 08-02-2021
Suspicious User agent - 08-02-2021

Nugget Phantom - 10-01-2021
PurpleFOX EK - 10-01-2021
Generic WP downloads - 10-01-2021
Policy VPN Rule - 10-01-2021

Changes from 2020
Sunburst Countermeasures - 17-12-2020
Circles attack platform - 12-12-2020
MS Test beacon on ICMP traffic - 11-12-2020
Fireeye Red team tool countermeasures - 09-12-2020
Mindspark browser add-on malware - 08-12-2020
ReportIP-hostslick-de Recon - 30-11-2020
Steam Data Theft - 29-11-2020
Valak / TA551 (Shathak) - 24-11-2020
Generic detection for HTTPS to known BAD TLD - 23-11-2020

Korea University - AI Spera - Recon - 14-10-2020
Binaryedge recon - 29-09-2020
Censys recon - 29-09-2020
Trojan LokiBot - 12-09-2020
Microsoft BITS 10.1 - 12-09-2020

MATA Proxy - Lazarus APT - 23-08-2020
Unsupported Win7 and 8 - 17-08-2020
Signal invalid cert - 27-07-2020
Signal Footprinting - 27-07-2020

SIGRed DOS Exploit - 24-07-2020
Modbus IDS rules in NF-SCADA ruleset - 28-06-2020
SMBleed - 16-06-2020
Trojan Raccoon Stealer - 26-05-2020
Crimson RAT - 22-03-2020
Calyx TOR anonymiser device - 19-03-2020

Generic IcedID - 17-03-2020
TTL below 30 - 14-03-2020
Generic IcedID (BokBot) update - 14-03-2020

TLD Domains - 14-03-2020
Generic IcedID (BokBot) - 11-03-2020
Generic Qbot - 20-02-2020
Malware sinkhole - 11-02-2020

PlugX - 09-02-2020
Microsoft CryptoAPI - 01-02-2020
NordVPN IP detection - 31-01-2020
LLMNR - Protocol detection - 26-01-2020
Citrix ADC exploit - 12-01-2020

Changes from 2019
Outbound Mail Commands - 31-10-2019
CSIS policy rules - information leaks - 27-10-2019

Seized by The Danish State - 15-10-2019
Hancitor - 15-10-2019
IPSec from outside to inside - 05-10-2019
Eternal Blue - 28-09-2019
Quasar-RAT - 25-09-2019
PowerShell over HTTP - 22-09-2019
Remcos-RAT - 11-09-2019
Team-Cymru-Malware-Hash-Lookup - 04-09-2019

Netsupport RAT - 01-09-2019
Netwire-RAT - 26-08-2019
Possible DNS Tunneling on TCP - 18-08-2019
Trojan MedusaHTTP - 15-08-2019
njRAT - 13-08-2019
Lord EK - Eris Ransomware - 12-08-2019
Supertuneup spyware / virus - 16-07-2019

Censys Scanning - 17-06-2019
WPAD Policy Rule - 11-06-2019
Windows USB metadata - 08-06-2019

AnyDesk - 25-05-2019
BlueKeep RDP attack - 24-05-2019
ShadowServer Scanning - 18-05-2019
Qbot FTP data xfil - 19-04-2019
IP-Address lookup - 19-04-2019
Outbound mail not from mailservers - 19-04-2019

ICMP Tunnel - 26-03-2019
DNS Tunnel - 26-03-2019

Spelevo EK - 24-03-2019
Domain TLDRules - 19-03-2019
Community rules - 19-03-2019
Cobalt Strike Pentest Tool - 03-03-2019
Trojan Vidar - 28-02-2019
Policy WinRar - 28-02-2019
F-Response - 24-02-2019

Community rules - 18-02-2019

PDFescape - 13-02-2019

Monerohash pirate coinminer - 05-02-2019
Community rules - 02-02-2019

Known Recon - 02-02-2019
RDP Handshake - 24-01-2019

Community rules - 17-01-2019

Policy Rules - 17-01-2019
NanoCore Trojan - 09-01-2019
China Hopper - 05-01-2019
Community rules - 05-01-2019

Changes from 2018
ISCSI device login - 14-12-2018
Honeypot top rules - 14-12-2018

Trojan Socks5systemz - 10-12-2018
Flawed Ammyy RAT - 02-12-2018
ISAKMP VPN Connection setup - 29-11-2018
3ve sinkhole - 29-11-2018

XmlRPC C2 Channel - 10-11-2018
Major rule change from 1346 to 847 - 03-11-2018
Outbound SMB connections and attempts - 26-10-2018

Empire Powershell - 17-10-2018
icanhazip IP lookups - 17-10-2018

WinHTTP Web Proxy Auto-Discovery Service - 02-10-2018
TOR V8 starting UP - 22-09-2018
11 generic rules based on a compromised infrastructure - 22-09-2018
Generic DNS Response - 25-08-2018

Apache Struts CVE-2018-11776 - 25-08-2018
Image file trick - 08-07-2018
Trickbot data-xfil - 01-07-2018

Emotet - 27-06-2018
Trickbot - 27-06-2018
IcedID - 27-06-2018

NetCut ARP attack tool - 23-06-2018
ZeroFont Attack - 21-06-2018
TLD domains - 18-06-2018

Sofacy - 10-06-2018
Microsoft Excel UserAgent - 26-05-2018
DNS TXT standard query - 22-05-2018
PowerShell rules - 05-05-2018
ngrok tunnel - 30-04-2018
QUIC Protocol - 27-04-2018

Cisco Smart Install - 19-04-2018
EITest sinkhole - 15-04-2018
Policy - 27-03-2018
WannaCry.A killswitch domain - 16-03-2018
APT - Finfisher - 11-03-2018
SHODAN - 05-03-2018

Memcached DDoS Amplification - 03-03-2018
GoPhish - 25-02-2018
TOR-Browser v7.5 detection - 19-02-2018
Bitmessage - 17-02-2018

Trojan Quant - 12-02-2018
TEST-Rules - 08-02-2018
X509 Covert channel - 07-02-2018
SSH not normal ports - 05-02-2018
NMAP scanning - 05-02-2018
SSLv3 - 05-02-2018

XMRig CPU Miner Trojan - 05-02-2018
Mail Spoofing with XSS - 03-02-2018
Certutil - 21-01-2018

vPro Intel - 15-01-2018


Changes from 2017
92 SCADA Rules - 30-12-2017
cpuMiNer Trojan - 17-12-2017
XmRig Trojan - 16-12-2017
Popcorntime rules - Deleted - 13-12-2017
Seized by The Danish State - 13-12-2017
TOR-Detection Rev 3 - 10-12-2017
SHODAN Rev 3 - 09-12-2017
Andromeda sinkhole - 05-12-2017
APT 3 - Buckeye - 29-11-2017
Scarab Ransomware - 27-11-2017
APT-OilRIG - 27-11-2017
7sign - 26-11-2017
Netflix Phishing - 23-11-2017
RDP on non-standard ports - 12-11-2017
Necurs Botnet - 22-10-2017
Office 365 phishing - 13-10-2017
CCleaner-APT - 23-09-2017
KHRAT DragonOK - 03-09-2017
APT 17 - 29-08-2017
APT 28 C2 - 20-08-2017
University Of Michigan - 09-08-2017
Stretchoid - 02-08-2017
Project25499 - 24-07-2017
Fancy Bear APT 28 - Sinkhole - 24-07-2017
SHODAN - 24-07-2017
DNSMessenger - 16-06-2017
DNS TXT Request - 16-06-2017
Hancitor URL Struct - 14-06-2017
Unencrypted traffic on port 443 - 03-06-2017
EternalBlue attacks - 03-06-2017
Fireball malware - 02-06-2017
TDC Phishing - 17-05-2017
Ping of Death - 11-05-2017
Lan-Turtle - 08-05-2017
Unsupported remote web-server - 22-04-2017
Unsupported local web-server - 22-04-2017
e-boks.dk and COM as punycode - 20-04-2017
Punycode DNS lookup - COM/DK domains - 19-04-2017
Turla’s second stage backdoor - 03-04-2017
Outcome of an Apache Struts 2 attack - 23-03-2017
Ransomware Cryptolocker - 08-03-2017
Gamaredon Group - 05-03-2017
Cerber Ransomware - 24-02-2017
Spora Ransomware - 23-02-2017
Spora Ransomware - 21-02-2017
APT - Magic Hound - 19-02-2017
Adposhel.A - 21-01-2017
Ransomware - 21-01-2017
Policy Rule added - 01-07-2017

Changes from 2016
GRIZZLY STEPPE - 31-12-2016
Trojan WisdomEyes - 21-12-2016
File Type Downloads - 21-12-2016
Ask toolbar - 27-11-2016
BLU R1 HD Android Spyware - 22-11-2016
Ragentek Android OTA update - 20-11-2016
Blacknurse attack - 20-11-2016
Blacknurse attack - 10-11-2016
CLDAP DDOS Attacks - 23-10-2016
Web search engine - 09-10-2016
APT - OilRig - 05-10-2016
Suspicious Behavior - 03-10-2016
Suspicious Behavior - 01-10-2016
Popcorn Time - 01-10-2016
MILE TEA Cyber Espionage C2 IPs - 19-09-2016
Backdoor.OSX.Mokes.a - 09-09-2016
Ransomware - 04-09-2016
Operation Ghoul - 21-08-2016
Error code 522 - 18-08-2016
Policy CSIS - 16-08-2016
Ransomware LockyCrypt - 13-08-2016
ProjectSauron APT - 13-08-2016
Kerio-Mailserver - 28-07-2016
POLICY - HMA VPN Service - 18-07-2016
Kerio mailserver password attack Rev 2 - 15-07-2016
APT - NFG - Furtims Derivative - 13-07-2016
TOR SSL NAT Check - 11-07-2016
KeyBase Keylogger - 07-07-2016
CCTV-Botnet using HULK DDOS attacks - 07-07-2016
APT - The Four Element Sword Engagement 07-07-2016
Cerber Ransomware - 28-06-2016
Locky Ransomware - 28-06-2016
THE XDEDIC MARKETPLACE - APT-as-a-service - 21-06-2016
NF - APT 28 - 14-06-2016
Unauthorized scanning - Internet Research Project - 10-06-2016
NF - POLICY - Teamviewer - 05-06-2016
The OilRig Campaign - 31-05-2016
Wekby and HttpBrowser RAT 2 - 30-05-2016
TidePOOL - Generic - 29-05-2016
Ransomware CryptXXX - 29-05-2016
Errata Security scanning - 25-05-2016
APT - Operation Groundbait - 21-05-2016
PUA - BITSadmin - Policy - malware domains - 21-05-2016
Ransomware CryptXXX - 14-05-2016
Bitsadmin Download Rev 2 - 09-05-2016
Bitsadmin Download - 08-05-2016
Cerber Ransomware - 05-05-2016
APT - PLATINUM - 29-04-2016
POLICY Rules - SHODAN - 24-04-2016
Ransomware C2 - 19-04-2016
Housekeeping in rules - 12-04-2016
DDOS on RUST Gaming servers - 09-04-2016
Ransomware - Lucky - 08-04-2016
TreasureHunt POS malware - 03-04-2016
Ransomware Lucky - 31-03-2016
Ransomware Lucky - 30-03-2016
Ransomware Lucky - 29-03-2016
Ransomware Lucky - 28-03-2016
APT - ProjectM - sid:5019701 - 26-03-2016
APT - C-Major - sid:5019801 - 26-03-2016
APT - Transparent Tribe -  26-03-2016
Trojan.Downloader js script executed - Teslacrypt - 23-03-2016
Trojan.Downloader js script - 15-03-2016
Trojan.Downloader js script - 14-03-2016
Unsupported browser for server 2008 - 12-03-2016
NTPD Kiss-o'-Death - 05-03-2016
Linux-Mint Backdoor - 27-02-2016
Lucky Ransomware - 21-02-2016
Hydracrypt ransomware - 06-02-2016
Nanolocker Ransomware - 01-02-2016
SKAT Phishing - 23-01-2016
Post-Danmark-Attacks - 21-01-2016
APT-PlugX - 17-01-2016
RDP Keyboard layouts - 16-01-2016
Ring Video Doorbell - 14-01-2016
Nordea Phishing - 12-01-2016
GovRAT signed malware - 10-01-2016

Changes from 2015
Mail related - CSIS - Ransomware - POLICY - Covert Channels - 31-12-2015

POLICY Rules - CSIS - 23-12-2015
POLICY Rules - CSIS - 21-12-2015
Juniper ScreenOS Authentication Backdoor - 21-12-2015
OLD RULES REMOVED - 08-12-2015
SHODAN - 08-12-2015
Nordea Phishing Rules - 08-12-2015
DSDTestProvider - 05-12-2015
Nordea Phishing Rules - 05-12-2015

eDellRoot - 29-11-2015
APT - W32/Wonknu.A - 26-11-2015
Nordea Phishing - 16-11-2015
HTTrack - 16-11-2015

China SPAM ATTACKS - 15-11-2015
Cryptowall 4.0 - 07-11-2015
Nordea Phishing Rules update - 02-11-2015
