Snort mailing list archives

8 Nordea bank phishing rules.


From: Lenny Hansson <security () netcowboy dk>
Date: Mon, 2 Nov 2015 08:43:13 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi All
These rules are mostly for the Scandinavian region.

They will trigger when a user visits a Nordea Bank phishing URL or a
validated known phishing site.

If $HOME_NET and $EXTERNAL_NET are reversed, the rules can be used by
web-hosting providers.

Feel free to use them.

Rule 1:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - Possible Nordea Bank Phishing - URL-Struct"; flow:to_server,established; detection_filter:track by_dst, count 2, seconds 5; content:"GET"; depth:3; nocase; http_method; content:"nordea"; nocase; http_uri; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:04102015; priority:3; sid:5000000; rev:1;)

Rule 2:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing web-site - Title - Log paa netbank"; flow:to_client,established; file_data; content:"<title>Log p|c3 a5| Netbank"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000001; rev:1;)

Rule 3:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing Web-site - Title - Nordean verkkopankki"; flow:to_client,established; file_data; content:"<title>Nordean verkkopankki"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000002; rev:1;)

Rule 4:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing Web-Site - Title - Nordeas Internetbank Privat"; flow:to_client,established; file_data; content:"<title>Nordeas Internetbank Privat"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000003; rev:1;)

Rule 5:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing Web-Site - Title - Nordea MobilBank"; flow:to_client,established; file_data; content:"<title>Nordea MobilBank"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000004; rev:1;)

Rule 6:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing Web-Site - Title - Responsible Investments Nordea"; flow:to_client,established; file_data; content:"<title>Responsible Investments Nordea"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000005; rev:1;)

Rule 7:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing web-site - Title - Log paa netbank"; flow:to_client,established; file_data; content:"|3c 74 69 74 6c 65 3e 4c 6f 67 20 70 e5 20 4e 65 74 62 61 6e 6b|"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000006; rev:1;)

Rule 8:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing web-site - Title - Beliggenhed verifikation"; flow:to_client,established; file_data; content:"<title>Beliggenhed verifikation"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,http://networkforensic.dk; metadata:NF,02112015; priority:2; sid:50000007; rev:1;)

If any false positives are observed, please let me know.
- -- 
Venlig hilsen / Best Regards
Lenny Hansson
***********************************
Mobile: +45 42 71 49 01
Web: networkforensic.dk
***********************************
E-mail: security () netcowboy dk
Key-ID: 1527E63D
***********************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWNxQRAAoJEAUh+LgVJ+Y9wtkIANBiPeJg/UUH20cKO34Kz3lA
x5X4wXNS4/bMcEmUMgBXYKXlTw+kcVD0sadt5gZTJp2KFZHBfoQ/aN4WZ4xcA3eg
VxGSa1+6ts9iEUOj1FooBJa/1jln4zpNJBiB0tz0MIzSK4bBLggMI4STTTSYY5q5
CFfpqOpiF3kpxwKOenilffMft1YN9cvrvn8E7ykoo2hm5aRUhXf44dTIofEWdRlR
Xt451FMUQsoa898QLtMcEFIniJH74QL7zzPqyGMM7ZDrinKRAri4sHUPeQRCliI+
g114NRSaQl0gt6OMj/CwqcZE2Fkgd2F4PItyC6xZQQXKeLNiAZNFcjd/LKY3Xdc=
=STCt
-----END PGP SIGNATURE-----
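The matching logic of the eight rules in the message above, re-implemented in plain Python as an added example (this is not code from the original post or from the rule author) so the rules' behaviour can be checked offline. The HTTP requests and responses, hostnames and IP addresses are constructed for the example; the detection_filter behaviour follows the Snort manual's description (the rule fires once more than `count` matches have been seen for a destination inside the `seconds` window), which is an assumption of this example rather than something the post states.

```python
"""Added example (not the original post's code): the matching logic of the
eight Snort rules above in plain Python, checked offline against constructed
HTTP messages. Title patterns are raw bytes without nocase, so the UTF-8
(c3 a5) and Latin-1 (e5) spellings of "Log paa Netbank" are distinct
patterns, exactly as rules 2 and 7 treat them."""

LEGIT_DOMAINS = (b"www.nordea.fi", b"nordea.dk", b"www.nordea.com",
                 b"nordea.se", b"nordea.no")

# sid -> title pattern from rules 2-8
TITLE_PATTERNS = {
    50000001: b"<title>Log p\xc3\xa5 Netbank",        # rule 2, UTF-8
    50000002: b"<title>Nordean verkkopankki",
    50000003: b"<title>Nordeas Internetbank Privat",
    50000004: b"<title>Nordea MobilBank",
    50000005: b"<title>Responsible Investments Nordea",
    50000006: b"<title>Log p\xe5 Netbank",            # rule 7, Latin-1
    50000007: b"<title>Beliggenhed verifikation",
}

def split_http(msg):
    """Return (start line, header block, body) of a raw HTTP message."""
    head, _, body = msg.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], b"\r\n".join(lines[1:]), body

def headers_mention_legit_domain(headers):
    """The rules' negated http_header matches: a nocase substring search, so
    a header like 'Host: nordea.dk.example' also counts as legitimate."""
    h = headers.lower()
    return any(d in h for d in LEGIT_DOMAINS)

class Rule1Matcher:
    """Rule 1 plus detection_filter: track by_dst, count N, seconds S. Per
    the Snort manual (assumption of this example) the first N matches per
    destination pass silently and each later match inside the S-second
    window, which starts at the first match, generates an event."""

    def __init__(self, count=2, seconds=5):
        self.count, self.seconds = count, seconds
        self.state = {}  # dst_ip -> (window_start, matches_in_window)

    def content_matches(self, request):
        start, headers, _ = split_http(request)
        parts = start.split(b" ")
        if len(parts) < 2 or parts[0].upper() != b"GET":  # http_method "GET"
            return False
        if b"nordea" not in parts[1].lower():             # http_uri "nordea"
            return False
        return not headers_mention_legit_domain(headers)  # negated http_header

    def alert(self, request, dst_ip, ts):
        """True when rule 1 would generate an event for this request."""
        if not self.content_matches(request):
            return False
        start, n = self.state.get(dst_ip, (ts, 0))
        if ts - start >= self.seconds:      # window expired: start a new one
            start, n = ts, 0
        n += 1
        self.state[dst_ip] = (start, n)
        return n > self.count

def match_response(response):
    """Sid of the first rule 2-8 whose title is in the body (file_data) while
    the headers name no legitimate domain, else None."""
    _, headers, body = split_http(response)
    if headers_mention_legit_domain(headers):
        return None
    for sid, pattern in TITLE_PATTERNS.items():
        if pattern in body:
            return sid
    return None

# Constructed samples; hostnames and addresses are made up for this example.
PHISH_REQ = (b"GET /Nordea/netbank/login.php HTTP/1.1\r\n"
             b"Host: secure-verify.example\r\n\r\n")
LEGIT_REQ = (b"GET /nordea/netbank/ HTTP/1.1\r\n"
             b"Host: www.nordea.dk\r\n\r\n")
LOOKALIKE_REQ = (b"GET /nordea/login HTTP/1.1\r\n"
                 b"Host: nordea.dk.secure-verify.example\r\n\r\n")
PHISH_RESP_UTF8 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
                   b"<html><head><title>Log p\xc3\xa5 Netbank</title></head>")
PHISH_RESP_LATIN1 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"
                     b"<html><head><title>Log p\xe5 Netbank</title></head>")
LEGIT_RESP = (b"HTTP/1.1 200 OK\r\nSet-Cookie: s=1; Domain=nordea.dk\r\n\r\n"
              b"<html><head><title>Log p\xc3\xa5 Netbank</title></head>")

def run_demo():
    """Run every sample through the matchers and return the results."""
    r1 = Rule1Matcher()
    hits = [r1.alert(PHISH_REQ, "203.0.113.10", t) for t in (0.0, 1.0, 2.0, 9.0)]
    return {
        "rule1_hits": hits,                                    # 3rd request fires
        "rule1_legit": r1.alert(LEGIT_REQ, "203.0.113.11", 0.0),
        "rule1_lookalike": r1.content_matches(LOOKALIKE_REQ),  # suppressed
        "utf8": match_response(PHISH_RESP_UTF8),
        "latin1": match_response(PHISH_RESP_LATIN1),
        "legit_resp": match_response(LEGIT_RESP),
    }
```

Two things the run makes visible that are worth keeping in mind when deploying the rules: the UTF-8 and Latin-1 title patterns really are separate rules (a page served in one encoding only trips the matching one of rules 2 and 7), and the negated `http_header` contents are substring matches, so a request whose Host header merely contains a legitimate domain as a prefix (the `LOOKALIKE_REQ` sample) is excluded from rule 1 in the same way a genuine Nordea request is.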


------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

