Snort mailing list archives

Re: 8 Nordea bank phishing rules.


From: Matt Mickel <mmickel () sourcefire com>
Date: Mon, 02 Nov 2015 11:57:17 -0500

Hi, Lenny-

Thanks for sharing these.  I'll run them through our usual testing 
process and get back to you when they're finished.  Do you have any 
relevant PCAPs that you can share?  Thanks in advance.  Best,

Matt Mickel
TALOS

On 11/02/2015 02:43 AM, Lenny Hansson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi All
These rules are mostly for the Scandinavian region.

They will trigger when a user visits a Nordea Bank phishing URL or a
validated known phishing site.

If $HOME_NET and $EXTERNAL_NET are reversed the rules can be used by
web-hosting providers.

Feel free to use them.

Rule 1:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - Possible Nordea
Bank Phishing - URL-Struct"; flow:to_server,established;
detection_filter:track by_dst, count 2, seconds 5; content:"GET";
depth:3; nocase; http_method; content:"nordea"; nocase; http_uri;
content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk";
nocase; http_header; content:!"www.nordea.com"; nocase; http_header;
content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase;
http_header; reference:url,http://networkforensic.dk; metadata:04102015;
priority:3; sid:5000000; rev:1;)

Rule 2:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank
Phishing web-site - Title - Log paa netbank";
flow:to_client,established; file_data; content:"<title>Log p|c3 a5|
Netbank"; content:!"www.nordea.fi"; nocase; http_header;
content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com";
nocase; http_header; content:!"nordea.se"; nocase; http_header;
content:!"nordea.no"; nocase; http_header;
reference:url,http://networkforensic.dk; metadata:NF,07022015;
priority:2; sid:50000001; rev:1;)

Rule 3:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank
Phishing Web-site - Title - Nordean verkkopankki";
flow:to_client,established; file_data; content:"<title>Nordean
verkkopankki"; content:!"www.nordea.fi"; nocase; http_header;
content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com";
nocase; http_header; content:!"nordea.se"; nocase; http_header;
content:!"nordea.no"; nocase; http_header;
reference:url,http://networkforensic.dk; metadata:NF,07022015;
priority:2; sid:50000002; rev:1;)

Rule 4:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank
Phishing Web-Site - Title - Nordeas Internetbank Privat";
flow:to_client,established; file_data; content:"<title>Nordeas
Internetbank Privat"; content:!"www.nordea.fi"; nocase; http_header;
content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com";
nocase; http_header; content:!"nordea.se"; nocase; http_header;
content:!"nordea.no"; nocase; http_header;
reference:url,http://networkforensic.dk; metadata:NF,07022015;
priority:2; sid:50000003; rev:1;)

Rule 5:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank
Phishing Web-Site - Title - Nordea MobilBank";
flow:to_client,established; file_data; content:"<title>Nordea
MobilBank"; content:!"www.nordea.fi"; nocase; http_header;
content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com";
nocase; http_header; content:!"nordea.se"; nocase; http_header;
content:!"nordea.no"; nocase; http_header;
reference:url,http://networkforensic.dk; metadata:NF,07022015;
priority:2; sid:50000004; rev:1;)

Rule 6:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank
Phishing Web-Site - Title - Responsible Investments Nordea";
flow:to_client,established; file_data; content:"<title>Responsible
Investments Nordea"; content:!"www.nordea.fi"; nocase; http_header;
content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com";
nocase; http_header; content:!"nordea.se"; nocase; http_header;
content:!"nordea.no"; nocase; http_header;
reference:url,http://networkforensic.dk; metadata:NF,07022015;
priority:2; sid:50000005; rev:1;)

Rule 7:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank
Phishing web-site - Title - Log paa netbank";
flow:to_client,established; file_data; content:"|3c 74 69 74 6c 65 3e 4c
6f 67 20 70 e5 20 4e 65 74 62 61 6e 6b|"; content:!"www.nordea.fi";
nocase; http_header; content:!"nordea.dk"; nocase; http_header;
content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se";
nocase; http_header; content:!"nordea.no"; nocase; http_header;
reference:url,http://networkforensic.dk; metadata:NF,07022015;
priority:2; sid:50000006; rev:1;)

Rule 8:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank
Phishing web-site - Title - Beliggenhed verifikation";
flow:to_client,established; file_data; content:"<title>Beliggenhed
verifikation"; content:!"www.nordea.fi"; nocase; http_header;
content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com";
nocase; http_header; content:!"nordea.se"; nocase; http_header;
content:!"nordea.no"; nocase; http_header;
reference:url,http://networkforensic.dk; metadata:NF,02112015;
priority:2; sid:50000007; rev:1;)

If any false positives are observed please let me know.
- -- 
Venlig hilsen / Best Regards
Lenny Hansson
***********************************
Mobile: +45 42 71 49 01
Web: networkforensic.dk
***********************************
E-mail: security () netcowboy dk
Key-ID: 1527E63D
***********************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWNxQRAAoJEAUh+LgVJ+Y9wtkIANBiPeJg/UUH20cKO34Kz3lA
x5X4wXNS4/bMcEmUMgBXYKXlTw+kcVD0sadt5gZTJp2KFZHBfoQ/aN4WZ4xcA3eg
VxGSa1+6ts9iEUOj1FooBJa/1jln4zpNJBiB0tz0MIzSK4bBLggMI4STTTSYY5q5
CFfpqOpiF3kpxwKOenilffMft1YN9cvrvn8E7ykoo2hm5aRUhXf44dTIofEWdRlR
Xt451FMUQsoa898QLtMcEFIniJH74QL7zzPqyGMM7ZDrinKRAri4sHUPeQRCliI+
g114NRSaQl0gt6OMj/CwqcZE2Fkgd2F4PItyC6xZQQXKeLNiAZNFcjd/LKY3Xdc=
=STCt
-----END PGP SIGNATURE-----


------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
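The following is an added example, not part of the original post or of the networkforensic.dk rule set: it re-implements the matching conditions of the eight rules above in Python so that they can be exercised offline against constructed HTTP messages without running Snort. Rule 1 is reduced to its content checks (GET, "nordea" in the URI, no legitimate Nordea hostname in the request headers) plus an emulation of detection_filter; rules 2 to 8 are reduced to a byte-level title match on the response body with the same negated hostname check on the response headers. Assumptions that are not on the page: messages are raw HTTP/1.x bytes with CRLF line endings, the raw header block stands in for Snort's http_header buffer and the raw body for file_data (no dechunking, gzip decoding or other http_inspect normalisation), and detection_filter is emulated as "count matches to one destination are allowed inside a window of seconds that starts at the first match; further matches inside that window alert". All sample messages and hostnames are constructed for this example.

```python
"""Offline emulation of the Nordea phishing rules above (added example;
not the original author's code, not Snort's engine).

Assumptions not taken from the page: raw HTTP/1.x bytes with CRLF line
endings; the header block stands in for http_header and the body for
file_data with no http_inspect normalisation; detection_filter allows
`count` matches per destination in a `seconds` window anchored at the
first match and alerts on every further match inside that window.
"""

# Hostnames negated (content:!"..."; nocase; http_header;) in every rule.
LEGIT_NORDEA_HOSTS = (b"www.nordea.fi", b"nordea.dk", b"www.nordea.com",
                      b"nordea.se", b"nordea.no")

# <title> patterns from rules 2-8 as raw bytes. Rule 2 carries "Log på
# Netbank" in UTF-8 (c3 a5) and rule 7 the same title in Latin-1 (e5),
# which is why the comparison is done on bytes rather than decoded text.
PHISHING_TITLES = (
    (50000001, b"<title>Log p\xc3\xa5 Netbank"),
    (50000002, b"<title>Nordean verkkopankki"),
    (50000003, b"<title>Nordeas Internetbank Privat"),
    (50000004, b"<title>Nordea MobilBank"),
    (50000005, b"<title>Responsible Investments Nordea"),
    (50000006, b"<title>Log p\xe5 Netbank"),
    (50000007, b"<title>Beliggenhed verifikation"),
)


def split_http(raw: bytes):
    """Split a raw HTTP message into (start line, header block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    start_line, _, headers = head.partition(b"\r\n")
    return start_line, headers, body


def headers_mention_real_nordea(headers: bytes) -> bool:
    """True if any negated hostname occurs anywhere in the header block.
    Note the substring semantics: 'nordea.dk.evil.example' also matches."""
    lowered = headers.lower()
    return any(host in lowered for host in LEGIT_NORDEA_HOSTS)


def request_matches_rule1(raw_request: bytes) -> bool:
    """Content checks of rule 1: GET method, 'nordea' in the URI (nocase),
    and no legitimate Nordea hostname in the request headers."""
    start_line, headers, _ = split_http(raw_request)
    parts = start_line.split(b" ")
    if len(parts) < 2 or parts[0][:3].lower() != b"get":
        return False
    if b"nordea" not in parts[1].lower():
        return False
    return not headers_mention_real_nordea(headers)


class Rule1Detector:
    """Rule 1 with its detection_filter: track by_dst, count 2, seconds 5."""

    def __init__(self, count: int = 2, seconds: float = 5):
        self.count, self.seconds = count, seconds
        self.windows = {}  # dst -> [window start time, matches in window]

    def observe(self, dst: str, ts: float, raw_request: bytes) -> bool:
        """Return True when an alert would be raised for this request."""
        if not request_matches_rule1(raw_request):
            return False
        win = self.windows.get(dst)
        if win is None or ts - win[0] >= self.seconds:
            self.windows[dst] = [ts, 1]  # new window anchored at this match
            return 1 > self.count
        win[1] += 1
        return win[1] > self.count  # ASSUMPTION: alert once count is exceeded


def response_matches(raw_response: bytes):
    """Rules 2-8: return the sid whose <title> occurs in the body, provided
    the response headers do not mention a legitimate Nordea hostname."""
    _, headers, body = split_http(raw_response)
    if headers_mention_real_nordea(headers):
        return None
    for sid, title in PHISHING_TITLES:
        if title in body:
            return sid
    return None


# Constructed sample traffic; hostnames are placeholders, not real sites.
PHISH_REQUEST = (b"GET /nordea/netbank/login.php HTTP/1.1\r\n"
                 b"Host: secure-login.example\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n")
LEGIT_REQUEST = (b"GET /nordea/privat HTTP/1.1\r\n"
                 b"Host: www.nordea.dk\r\n\r\n")  # excluded by !"nordea.dk"
EVASIVE_REQUEST = (b"GET /nordea/login HTTP/1.1\r\n"
                   b"Host: nordea.dk.verify-account.example\r\n\r\n")
PHISH_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
                  b"<html><head><title>Log p\xe5 Netbank</title></head>")


def run_demo():
    """Four phishing requests to one destination at t=0,1,2,9 seconds."""
    det = Rule1Detector()
    return [det.observe("203.0.113.10", t, PHISH_REQUEST)
            for t in (0.0, 1.0, 2.0, 9.0)]


if __name__ == "__main__":
    print("rule 1 alerts per request:", run_demo())
    print("response sid:", response_matches(PHISH_RESPONSE))
    print("lookalike host excluded:", not request_matches_rule1(EVASIVE_REQUEST))
```

Two things the emulation makes visible that the rule text alone does not: the negated http_header contents are substring matches, so a phishing host that embeds one of the legitimate names (the EVASIVE_REQUEST above) is never alerted on, and rule 2 and rule 7 are needed together because the same title can arrive in either UTF-8 or Latin-1. In a real deployment Snort's http_inspect normalises the buffers and handles chunked or compressed bodies; this script does not, so it is a check on the rule logic, not a replacement for testing against PCAPs.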

