Snort mailing list archives
8 Nordea bank phishing rules.
From: Lenny Hansson <security () netcowboy dk>
Date: Mon, 2 Nov 2015 08:43:13 +0100
Hi All

These rules are mostly for the Scandinavian region. They will trigger when a user visits a Nordea Bank phishing URL or a validated known phishing site. If $HOME_NET and $EXTERNAL_NET are reversed the rules can be used by web-hosting providers. Feel free to use them.

Rule 1:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - Possible Nordea Bank Phishing - URL-Struct"; flow:to_server,established; detection_filter:track by_dst, count 2, seconds 5; content:"GET"; depth:3; nocase; http_method; content:"nordea"; nocase; http_uri; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:04102015; priority:3; sid:5000000; rev:1;)

Rule 2:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing web-site - Title - Log paa netbank"; flow:to_client,established; file_data; content:"<title>Log p|c3 a5| Netbank"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000001; rev:1;)

Rule 3:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing Web-site - Title - Nordean verkkopankki"; flow:to_client,established; file_data; content:"<title>Nordean verkkopankki"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000002; rev:1;)

Rule 4:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing Web-Site - Title - Nordeas Internetbank Privat"; flow:to_client,established; file_data; content:"<title>Nordeas Internetbank Privat"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000003; rev:1;)

Rule 5:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing Web-Site - Title - Nordea MobilBank"; flow:to_client,established; file_data; content:"<title>Nordea MobilBank"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000004; rev:1;)

Rule 6:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing Web-Site - Title - Responsible Investments Nordea"; flow:to_client,established; file_data; content:"<title>Responsible Investments Nordea"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000005; rev:1;)

Rule 7:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing web-site - Title - Log paa netbank"; flow:to_client,established; file_data; content:"|3c 74 69 74 6c 65 3e 4c 6f 67 20 70 e5 20 4e 65 74 62 61 6e 6b|"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000006; rev:1;)

Rule 8:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing web-site - Title - Beliggenhed verifikation"; flow:to_client,established; file_data; content:"<title>Beliggenhed verifikation"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,02112015; priority:2; sid:50000007; rev:1;)

If any false positives are observed please let me know.

--
Venlig hilsen / Best Regards
Lenny Hansson
***********************************
Mobile: +45 42 71 49 01
Web: networkforensic.dk
***********************************
E-mail: security () netcowboy dk
Key-ID: 1527E63D
***********************************
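As an added illustration (example code, not part of the post), the following Python mirrors the match logic of the eight rules so each can be checked against constructed traffic. It assumes the http_header negations apply to the headers of the message being inspected: the request headers, Host included, for rule 1 and the response headers for rules 2 to 8.

```python
# Added example (not code from the original post): the match logic of the rules above
# re-implemented in Python. Title needles are the exact bytes of each rule's content: option.
TITLE_RULES = {
    50000001: b"<title>Log p\xc3\xa5 Netbank",          # rule 2, UTF-8 "aa"
    50000002: b"<title>Nordean verkkopankki",            # rule 3
    50000003: b"<title>Nordeas Internetbank Privat",     # rule 4
    50000004: b"<title>Nordea MobilBank",                # rule 5
    50000005: b"<title>Responsible Investments Nordea",  # rule 6
    50000006: b"<title>Log p\xe5 Netbank",               # rule 7, Latin-1 byte e5
    50000007: b"<title>Beliggenhed verifikation",        # rule 8
}
# Negated, case-insensitive http_header matches shared by all eight rules.
LEGIT_DOMAINS = [b"www.nordea.fi", b"nordea.dk", b"www.nordea.com", b"nordea.se", b"nordea.no"]


def split_http(raw: bytes) -> tuple[bytes, bytes]:
    """Split a raw HTTP message into (headers, body) at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return (head, body) if sep else (raw, b"")


def headers_name_legit_site(headers: bytes) -> bool:
    """Any real Nordea domain in the headers suppresses the rule (content:! ... nocase)."""
    lowered = headers.lower()
    return any(d in lowered for d in LEGIT_DOMAINS)


def response_sids(raw_response: bytes) -> list[int]:
    """sids of rules 2-8 firing on a server response; the title match is case-sensitive."""
    headers, body = split_http(raw_response)
    if headers_name_legit_site(headers):
        return []
    return [sid for sid, needle in TITLE_RULES.items() if needle in body]


def rule1_fires(raw_request: bytes) -> bool:
    """Rule 1 (sid 5000000): GET, 'nordea' in the URI, no real Nordea domain in the
    request headers (Host included). Its detection_filter (2 hits per destination
    in 5 s) is a rate condition on top of this and is not modelled here."""
    headers, _ = split_http(raw_request)
    request_line, _, rest = headers.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2 or parts[0].upper() != b"GET":
        return False
    return b"nordea" in parts[1].lower() and not headers_name_legit_site(rest)


# Constructed sample traffic, not real captures.
PHISH_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"
              b"<html><head><title>Log p\xe5 Netbank</title></head></html>")
PHISH_GET = b"GET /nordea/login.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
```

Because rules 2 to 8 inspect the server response, their negations only exclude responses whose own headers (a Location or Set-Cookie, say) name a Nordea domain; they never see the Host header of the request that produced the page.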