
hunting-rules's Issues

DuckDNS

I use this ruleset successfully within my IPfire installation, but it prevents access to the duckdns.org domain.
I tried to identify the rule that is activated to exclude it but I can't find a match.


Disabling this rule doesn't change anything.
I don't understand which rule to disable; there is only one rule with "dynamic DNS".
Obviously, by deactivating the ruleset completely, duckdns starts working again.

Thank you

Rights to create branch and pull request

Hi,

I would like to modify some rules to improve them (because of the number of FPs).
Is it possible to get the rights to create new branch and pull requests please?

Thank you in advance,
Regards,
Juquod

Seems like a false positive on Linode resolver IPs. Can anyone confirm this?

May I know if this is a false positive triggered by your rule (IP: 139.162.11.5):

|TIME: 11/13/2020-11:53:46.852405 |ALERT_LEVEL: High Risk (2/5) |RBL_BLACKLISTED_COUNT: 0 |SUSP_LOG_COUNT: 2 |ABUSE_CATEGORY: 18 |CRITICAL_REPORT: y |IN(0) + OUT(13)=13 times |CURRENT_STREAM_RECORD: LOCAL_IP:35666 => 139.162.11.5:53 [class]: Potentially Bad Traffic [activity]: TGI HUNT Abused TLD .info in DNS

I can confirm that IP belongs to a Linode DNS resolver.

Here is another example of a Linode resolver IP that is triggered by the TGI HUNT rule:

https://www.abuseipdb.com/check/139.162.11.5

The report was triggered because PRIORITY in this rule is set to 2.

Possible incorrect cert for facebook rule

It looks like the facebook rule may need to be updated, as the fingerprint doesn't match the current production FB cert, though they have a 3-month window for certs according to the 'notbefore' and 'notafter', so perhaps there's a better item to key off of?

alert tls any any -> any any (msg:"TGI HUNT TLS Suspicious facebook.com"; tls_cert_subject; content:"facebook.com"; tls_cert_fingerprint; content:!"d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8"; classtype:bad-unknown; sid:2600117; rev:1;)
Fingerprint: 98:e4:dd:9d:21:83:d5:29:9e:80:43:73:ff:f2:a7:e1:c4:87:9f:5e
Issuerdn: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
Ja3.Hash: a69708a64f853c3bcc214c2c5faf84f3
Ja3.String: 771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47,65281-0-23-13-5-13172-18-16-11-10,29-23-24-25,0
Notafter: 2019-06-06T12:00:00
Notbefore: 2019-03-08T00:00:00
Serial: 0B:96:DD:18:0A:0A:F4:67:0D:21:13:62:23:94:A4:32
Sni: graph.facebook.com
Subject: C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com
Version: TLS 1.2
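An added example of the approach the report hints at (my code, not the hunting-rules project's and not the issue author's). It takes Suricata EVE tls records with the field names shown in the post above, keeps the fingerprint pin from sid 2600117, but separates "new fingerprint from the expected issuer" (a rotation the pin should pick up) from "facebook.com subject signed by an unexpected issuer" (the case the rule actually wants to catch), and regenerates the rule with old and new fingerprints both negated so the pin survives the overlap period. The first sample record copies the values in the post; the other three records and the expected-issuer set are my assumptions.

```python
"""Triage EVE tls records for a pinned subject and regenerate the pin rule.

Added example, not hunting-rules code. A single tls_cert_fingerprint pin goes
stale every time facebook.com rotates its leaf certificate, so the verdicts
below keep the pin but split the non-pin case into "expected issuer, new
certificate" (refresh the pin) and "unexpected issuer" (worth the alert).
"""
from datetime import datetime

# Fingerprint pinned by sid 2600117 rev 1, taken from the rule in the issue.
PINNED_FINGERPRINTS = {"d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8"}

# Assumption: the issuer seen in the issue's record is the one expected for facebook.com.
DIGICERT_HA = "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"
EXPECTED_ISSUERS = {DIGICERT_HA}

FB_SUBJECT = "C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com"

# Constructed EVE tls records (field names as in the issue). The first copies the
# values posted there; the remaining three are hypothetical.
SAMPLE_RECORDS = [
    {"sni": "graph.facebook.com", "subject": FB_SUBJECT, "issuerdn": DIGICERT_HA,
     "fingerprint": "98:e4:dd:9d:21:83:d5:29:9e:80:43:73:ff:f2:a7:e1:c4:87:9f:5e",
     "notbefore": "2019-03-08T00:00:00", "notafter": "2019-06-06T12:00:00"},
    {"sni": "www.facebook.com", "subject": FB_SUBJECT, "issuerdn": DIGICERT_HA,
     "fingerprint": "d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8",
     "notbefore": "2018-12-07T00:00:00", "notafter": "2019-03-08T12:00:00"},
    {"sni": "www.facebook.com", "subject": "CN=*.facebook.com, O=Example Corp",
     "issuerdn": "CN=Example Corp Proxy CA, O=Example Corp",  # TLS interception
     "fingerprint": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33",
     "notbefore": "2019-05-01T00:00:00", "notafter": "2019-08-01T00:00:00"},
    {"sni": "example.org", "subject": "CN=example.org", "issuerdn": DIGICERT_HA,
     "fingerprint": "ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc",
     "notbefore": "2019-01-01T00:00:00", "notafter": "2020-01-01T00:00:00"},
]


def classify(rec, pinned=PINNED_FINGERPRINTS, issuers=EXPECTED_ISSUERS, subject="facebook.com"):
    """Same selection as the rule (subject contains 'facebook.com'), but three
    verdicts instead of a bare fingerprint mismatch."""
    if subject not in rec.get("subject", ""):
        return "unrelated"
    if rec.get("fingerprint", "").lower() in pinned:
        return "pinned"
    if rec.get("issuerdn") in issuers:
        return "rotated"     # new leaf from the expected CA: refresh the pin
    return "suspicious"      # facebook.com subject signed by someone else


def days_until_expiry(rec, now_iso):
    """Days the observed certificate has left at `now_iso`; negative once expired."""
    return (datetime.fromisoformat(rec["notafter"]) - datetime.fromisoformat(now_iso)).days


def render_pin_rule(fingerprints, sid=2600117, rev=2):
    """Emit the issue's rule with each fingerprint negated. Contents on one buffer
    are ANDed, so the alert fires only when the observed fingerprint matches
    none of them, which lets old and new pins overlap during a rotation."""
    negated = " ".join(f'content:!"{fp}";' for fp in sorted(fingerprints))
    return ('alert tls any any -> any any (msg:"TGI HUNT TLS Suspicious facebook.com"; '
            'tls_cert_subject; content:"facebook.com"; tls_cert_fingerprint; '
            f'{negated} classtype:bad-unknown; sid:{sid}; rev:{rev};)')


def triage(records, now_iso, pinned=PINNED_FINGERPRINTS, issuers=EXPECTED_ISSUERS):
    """Group SNIs by verdict and collect still-valid rotated fingerprints to pin."""
    verdicts, new_pins = {}, set()
    for rec in records:
        verdict = classify(rec, pinned, issuers)
        verdicts.setdefault(verdict, []).append(rec["sni"])
        if verdict == "rotated" and days_until_expiry(rec, now_iso) > 0:
            new_pins.add(rec["fingerprint"].lower())
    return verdicts, new_pins


if __name__ == "__main__":
    verdicts, new_pins = triage(SAMPLE_RECORDS, "2019-05-01T00:00:00")
    print(verdicts)
    print(render_pin_rule(PINNED_FINGERPRINTS | new_pins))
```

Run against real EVE output by loading each line of eve.json, keeping events with `event_type == "tls"` and passing the `tls` object to `triage`. The issuer check is only as good as the expected-issuer set, so treat a "rotated" verdict as a review item, not as an automatic pin update.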

SC_ERR_RULE_KEYWORD_UNKNOWN unknown rule keyword 'http.header'.

23/4/2019 -- 10:33:19 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http.header'.
23/4/2019 -- 10:33:19 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"TGI HUNT directory traversal chars in HTTP Request Header"; flow:established,to_server; http.header; content:"|2e 2e 5c|"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2600141; rev:1;)"

Should replace http.header --> http_header

Failing Rule Line 206

I think the latest row update has a "." instead of an "_".

I think it should be http_stat_code

https://suricata.readthedocs.io/en/suricata-4.1.4/rules/http-keywords.html

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TGI HUNT Possible Cobalt Strike Malleable C2 Null Response"; flow:established,to_client; http.stat_code; content:"200"; bsize:3; pkt_data; content:"Content-Length:|20|0|0d 0a|"; fast_pattern; flowbits:isset,hunt.cs_null_response; threshold:type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2610203; rev:1;)

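Both parse errors reported above (http.header in sid 2600141, http.stat_code in sid 2610203) come from loading Suricata 5.x rule syntax into a 4.1 engine: 5.0 renamed the HTTP content modifiers (content:"x"; http_header;) to sticky buffers (http.header; content:"x";), and the modifier form sits after the content keyword rather than before it, so the fix is a move as well as a rename. The script below is an added example, not part of the hunting-rules project: it lints a rule for 5.x-only keywords and rewrites it into 4.x form. The two sample rules are the ones quoted in the two issues; the keyword table is the 5.0 rename list as I know it.

```python
"""Lint and downgrade Suricata 5.x HTTP sticky-buffer keywords to 4.x syntax.

Added example, not hunting-rules code. A 4.1 engine rejects the 5.0 sticky
buffer names with SC_ERR_RULE_KEYWORD_UNKNOWN, as both issues above show.
"""
import re

# 5.x sticky buffer -> 4.x content modifier (the 5.0 rename table as I know it;
# http.header and http.stat_code are the two from the issues).
STICKY_TO_MODIFIER = {
    "http.uri": "http_uri",
    "http.uri.raw": "http_raw_uri",
    "http.method": "http_method",
    "http.request_line": "http_request_line",
    "http.header": "http_header",
    "http.header.raw": "http_raw_header",
    "http.header_names": "http_header_names",
    "http.cookie": "http_cookie",
    "http.user_agent": "http_user_agent",
    "http.host": "http_host",
    "http.host.raw": "http_raw_host",
    "http.request_body": "http_client_body",
    "http.stat_code": "http_stat_code",
    "http.stat_msg": "http_stat_msg",
    "http.response_line": "http_response_line",
    "http.response_body": "http_server_body",
}
# Buffer switches that exist unchanged in 4.x; they end a sticky buffer's scope.
BUFFER_RESETS = {"pkt_data", "file_data"}

RULE_RE = re.compile(r"^(?P<head>[^(]*)\((?P<opts>.*)\)\s*$", re.S)


def split_options(opts):
    """Split rule options on ';' outside double quotes (backslash escapes honoured),
    so content:"a|3b|b"; or msg:"x; y"; stay whole."""
    tokens, cur, in_quote, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if in_quote and ch == "\\" and i + 1 < len(opts):
            cur.append(ch + opts[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if "".join(cur).strip():
                tokens.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if in_quote:
        raise ValueError("unterminated quote in rule options")
    if "".join(cur).strip():
        tokens.append("".join(cur).strip())
    return tokens


def option_name(tok):
    return tok.split(":", 1)[0].strip()


def find_sticky_keywords(rule):
    """Return the 5.x-only keywords in `rule` (an empty list means 4.x can load it)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return []
    return [option_name(t) for t in split_options(m.group("opts"))
            if option_name(t) in STICKY_TO_MODIFIER]


def downgrade_rule(rule):
    """Rewrite one rule into 4.x form; non-rule lines are returned untouched.

    A 5.x sticky buffer applies to every following content until the next
    buffer keyword, so the 4.x modifier is appended after each such content.
    A buffer no content uses (e.g. only a pcre follows) is rejected rather than
    silently dropped, because pcre needs a different 4.x spelling.
    """
    m = RULE_RE.match(rule.strip())
    if not m:
        return rule
    out, current, used = [], None, True
    for tok in split_options(m.group("opts")):
        name = option_name(tok)
        if name in STICKY_TO_MODIFIER or name in BUFFER_RESETS:
            if not used:
                raise ValueError(f"{current}: no content keyword uses this buffer")
            current = STICKY_TO_MODIFIER.get(name)
            used = current is None
            if current is None:
                out.append(tok)
            continue
        out.append(tok)
        if name == "content" and current is not None:
            out.append(current)
            used = True
    if not used:
        raise ValueError(f"{current}: no content keyword uses this buffer")
    body = "; ".join(out) + ";"
    return f"{m.group('head')}({body})"


def downgrade_ruleset(text):
    """Downgrade a whole .rules file; comments and blank lines pass through."""
    return "\n".join(
        line if not line.strip() or line.lstrip().startswith("#") else downgrade_rule(line)
        for line in text.splitlines())


# The two rules quoted in the issues above (sids 2600141 and 2610203).
SAMPLE_RULES = [
    'alert http any any -> any any (msg:"TGI HUNT directory traversal chars in HTTP Request Header"; flow:established,to_server; http.header; content:"|2e 2e 5c|"; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2600141; rev:1;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TGI HUNT Possible Cobalt Strike Malleable C2 Null Response"; flow:established,to_client; http.stat_code; content:"200"; bsize:3; pkt_data; content:"Content-Length:|20|0|0d 0a|"; fast_pattern; flowbits:isset,hunt.cs_null_response; threshold:type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2610203; rev:1;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print("5.x-only keywords:", find_sticky_keywords(rule))
        print(downgrade_rule(rule))
```

Run `find_sticky_keywords` over a ruleset before deploying it to 4.1 and you get the failing sids up front instead of one SC_ERR_INVALID_SIGNATURE at a time; verify the downgraded file with `suricata -T -S file.rules` before putting it in production, since the table only covers the HTTP buffers and not every 5.0 keyword change.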

Use "TGI HUNT" instead of "SURICATA" on some rules.

Hi Travis,

I got really confused as to where some "SURICATA TLS on unusual port" alerts were coming from and traced them back to this rule set. Any chance you could prefix these with "TGI HUNT" as well?

Thanks.
