Snort mailing list archives
Offer a new sig for detecting possible Typo Squatting on .om TLD
From: rmkml <rmkml () ligfy org>
Date: Sun, 3 Apr 2016 15:29:57 +0200 (CEST)
Hi,

First, thanks to EndGame and Splunk for sharing.

The http://etplc.org project offers a new sig for detecting possible DNS Typo Squatting on a few domains in the .om TLD:

alert udp $HOME_NET any -> any 53 (msg:"ET DNS Suspicious Typo Squatting Query to .om (TLD) access"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|om|00|"; fast_pattern; distance:0; nocase; pcre:"/(?:netflix|yahoo|htc|huffingtonpost|nbc|bankofamerica|youtube|reddit|linkedin|facebook|live|google|baidu|gmail|xbox|adidas|hilton|ctrip|dangdang|directv|douban|drugstore|dubizzle|eastmoney|enterprise|etao|fiverr|one|qq|qv|si|sogou|tuniu|usaa|weather|weibo|y8|yatra)c?\x02om\x00/si"; classtype:policy-violation; reference:url,www.endgame.com/blog/what-does-oman-house-cards-and-typosquatting-have-common-om-domain-and-dangers-typosquatting; reference:url,blogs.splunk.com/2016/04/01/hunting-that-evil-typosquatter/; sid:1; rev:1;)

Don't forget to check variables.

Please send any comments.

Regards
@Rmkml
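To show what the three checks in the posted rule actually match on the wire, here is an added Python example (not part of the original post or the etplc.org project) that builds a constructed DNS query and applies the same header check, the ".om" label check and the brand regex to it. The build_dns_query and rule_matches helpers are assumptions for this example; the byte offsets and regex come straight from the rule.

```python
import re
import struct

# Same alternation as the rule's pcre, applied to the raw DNS question bytes:
# <brand>, optional "c" (e.g. "facebookc.om"), then the 2-byte label "om" and the root.
TYPO_RE = re.compile(
    rb"(?:netflix|yahoo|htc|huffingtonpost|nbc|bankofamerica|youtube|reddit|"
    rb"linkedin|facebook|live|google|baidu|gmail|xbox|adidas|hilton|ctrip|"
    rb"dangdang|directv|douban|drugstore|dubizzle|eastmoney|enterprise|etao|"
    rb"fiverr|one|qq|qv|si|sogou|tuniu|usaa|weather|weibo|y8|yatra)"
    rb"c?\x02om\x00",
    re.IGNORECASE | re.DOTALL,  # matches the /si modifiers
)


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal standard A query (RD set), as a stub resolver sends it."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags, QD, AN, NS, AR
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def rule_matches(payload: bytes) -> bool:
    """Apply the posted rule's three checks to one UDP/53 payload."""
    # content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2
    # -> bytes 2..11: flags 0x0100 (query, RD), QDCOUNT 1, AN/NS/AR counts 0
    if payload[2:12] != b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00":
        return False
    # content:"|02|om|00|"; nocase -> the name ends in a ".om" label
    if b"\x02om\x00" not in payload.lower():
        return False
    # pcre -> the label just before ".om" is one of the listed brands (optionally + "c")
    return TYPO_RE.search(payload) is not None


if __name__ == "__main__":
    for q in ("www.facebook.om", "facebookc.om", "www.google.com", "example.om"):
        print(f"{q:20s} -> {'ALERT' if rule_matches(build_dns_query(q)) else 'no match'}")
```

Because the header check pins the flags to 0x0100, a response carrying the same name (QR bit set) does not trigger the rule; only the outbound query does.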