Snort mailing list archives

Offer a new sig for detecting possible Typo Squatting on .om TLD


From: rmkml <rmkml () ligfy org>
Date: Sun, 3 Apr 2016 15:29:57 +0200 (CEST)

Hi,

First, thanks to EndGame and Splunk for sharing,

The http://etplc.org project offers a new sig for detecting possible DNS typosquatting on a few domains in the .om TLD:

# Header match: DNS bytes 2-11 (right after the transaction ID) = flags 0x0100
# (standard query, recursion desired), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0.
# A query carrying an EDNS0 OPT record has ARCOUNT=1 and will not match this content.
# sid:1 is a placeholder; give the rule a local SID (>= 1000000) before loading it.
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Suspicious Typo Squatting Query to .om (TLD) access"; \
    content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; \
    content:"|02|om|00|"; fast_pattern; distance:0; nocase; \
    pcre:"/(?:netflix|yahoo|htc|huffingtonpost|nbc|bankofamerica|youtube|reddit|linkedin|facebook|live|google|baidu|gmail|xbox|adidas|hilton|ctrip|dangdang|directv|douban|drugstore|dubizzle|eastmoney|enterprise|etao|fiverr|one|qq|qv|si|sogou|tuniu|usaa|weather|weibo|y8|yatra)c?\x02om\x00/si"; \
    classtype:policy-violation; \
    reference:url,www.endgame.com/blog/what-does-oman-house-cards-and-typosquatting-have-common-om-domain-and-dangers-typosquatting; \
    reference:url,blogs.splunk.com/2016/04/01/hunting-that-evil-typosquatter/; \
    sid:1; rev:1;)

Don't forget to check the variables.

Please send any comments.

Regards
@Rmkml
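
Added example (not part of the original post or the etplc.org rule): a small Python emulation of the rule's three payload checks (the fixed header bytes at offset 2, the `|02|om|00|` content, and the pcre), run against constructed DNS queries. It shows what the signature fires on (dropped "c" as in netflix.om, extra "c" as in netflixc.om, mixed case) and what it misses (the legitimate .com, a brand not in the list, and a query with an EDNS0 OPT record, whose ARCOUNT=1 breaks the header match). The function names build_query and rule_matches are this example's own; the packets are constructed, not captures, and this emulates the rule's logic rather than running Snort.

```python
import re
import struct

# Bytes 2..11 of the DNS header that the rule's first content match
# (depth:10; offset:2) requires: flags 0x0100 (standard query, RD),
# QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0.
HEADER_MATCH = bytes.fromhex("01000001000000000000")

# Label list copied from the rule's pcre; /i maps to re.IGNORECASE and
# /s to re.DOTALL (irrelevant here, kept for fidelity).
BRANDS = ("netflix|yahoo|htc|huffingtonpost|nbc|bankofamerica|youtube|reddit|"
          "linkedin|facebook|live|google|baidu|gmail|xbox|adidas|hilton|ctrip|"
          "dangdang|directv|douban|drugstore|dubizzle|eastmoney|enterprise|etao|"
          "fiverr|one|qq|qv|si|sogou|tuniu|usaa|weather|weibo|y8|yatra")
TYPO_RE = re.compile(rb"(?:" + BRANDS.encode() + rb")c?\x02om\x00",
                     re.IGNORECASE | re.DOTALL)


def build_query(name: str, edns: bool = False, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query for `name` (constructed sample packet).

    With edns=True an empty EDNS0 OPT record is appended and ARCOUNT is set
    to 1, as many modern resolvers do.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    opt_rr = b""
    if edns:
        # NAME=root, TYPE=41 (OPT), CLASS=UDP payload size, TTL=0, RDLENGTH=0
        opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return header + question + opt_rr


def rule_matches(payload: bytes) -> bool:
    """Emulate the rule's payload checks in order and return True if all fire."""
    # content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2
    if payload[2:12] != HEADER_MATCH:
        return False
    # content:"|02|om|00|"; distance:0; nocase  (search after the header match)
    if b"\x02om\x00" not in payload[12:].lower():
        return False
    # pcre:"/(?:brand...)c?\x02om\x00/si"
    return TYPO_RE.search(payload) is not None


def classify(names_and_flags):
    """Return {label: fired?} for a list of (qname, edns) pairs."""
    return {f"{n}{' +EDNS0' if e else ''}": rule_matches(build_query(n, e))
            for n, e in names_and_flags}


if __name__ == "__main__":
    samples = [("netflix.om", False), ("netflixc.om", False),
               ("GOOGLE.om", False), ("netflix.com", False),
               ("example.om", False), ("google.om", True)]
    for label, fired in classify(samples).items():
        print(f"{'ALERT ' if fired else 'quiet '} {label}")
```

The EDNS0 case is the practical caveat: the rule's header content pins ARCOUNT to zero, so a stub resolver that attaches an OPT record will query netflix.om without tripping it, even though the pcre alone would match. Relaxing that is a tuning decision (the `|00 00|` at the end of the first content is what binds ARCOUNT), not something this example changes.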

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org