Snort mailing list archives
Re: 8 Norda bank phishing rules.
From: Matt Mickel <mmickel () sourcefire com>
Date: Mon, 02 Nov 2015 11:57:17 -0500
Hi, Lenny-

Thanks for sharing these. I'll run them through our usual testing process and get back to you when they're finished. Do you have any relevant PCAPs that you can share?

Thanks in advance.

Best,
Matt Mickel
TALOS

On 11/02/2015 02:43 AM, Lenny Hansson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi All

These rules are mostly for the Scandinavian region. They will trigger when a user visits a Nordea Bank phishing URL or a validated known phishing site. If $HOME_NET and $EXTERNAL_NET are reversed the rules can be used by web-hosting providers. Feel free to use them.

Rule 1:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - Possible Nordea Bank Phishing - URL-Struct"; flow:to_server,established; detection_filter:track by_dst, count 2, seconds 5; content:"GET"; depth:3; nocase; http_method; content:"nordea"; nocase; http_uri; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,networkforensic.dk; metadata:04102015; priority:3; sid:5000000; rev:1;)

Rule 2:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing web-site - Title - Log paa netbank"; flow:to_client,established; file_data; content:"<title>Log p|c3 a5| Netbank"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000001; rev:1;)

Rule 3:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing Web-site - Title - Nordean verkkopankki"; flow:to_client,established; file_data; content:"<title>Nordean verkkopankki"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000002; rev:1;)

Rule 4:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing Web-Site - Title - Nordeas Internetbank Privat"; flow:to_client,established; file_data; content:"<title>Nordeas Internetbank Privat"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000003; rev:1;)

Rule 5:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing Web-Site - Title - Nordea MobilBank"; flow:to_client,established; file_data; content:"<title>Nordea MobilBank"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000004; rev:1;)

Rule 6:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing Web-Site - Title - Responsible Investments Nordea"; flow:to_client,established; file_data; content:"<title>Responsible Investments Nordea"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000005; rev:1;)

Rule 7:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing web-site - Title - Log paa netbank"; flow:to_client,established; file_data; content:"|3c 74 69 74 6c 65 3e 4c 6f 67 20 70 e5 20 4e 65 74 62 61 6e 6b|"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,networkforensic.dk; metadata:NF,07022015; priority:2; sid:50000006; rev:1;)

Rule 8:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Nordea Bank Phishing web-site - Title - Beliggenhed verifikation"; flow:to_client,established; file_data; content:"<title>Beliggenhed verifikation"; content:!"www.nordea.fi"; nocase; http_header; content:!"nordea.dk"; nocase; http_header; content:!"www.nordea.com"; nocase; http_header; content:!"nordea.se"; nocase; http_header; content:!"nordea.no"; nocase; http_header; reference:url,networkforensic.dk; metadata:NF,02112015; priority:2; sid:50000007; rev:1;)

If any false positives are observed please let me know.

- --
Venlig hilsen / Best Regards
Lenny Hansson
***********************************
Mobile: +45 42 71 49 01
Web: networkforensic.dk
***********************************
E-mail: security () netcowboy dk
Key-ID: 1527E63D
***********************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWNxQRAAoJEAUh+LgVJ+Y9wtkIANBiPeJg/UUH20cKO34Kz3lA
x5X4wXNS4/bMcEmUMgBXYKXlTw+kcVD0sadt5gZTJp2KFZHBfoQ/aN4WZ4xcA3eg
VxGSa1+6ts9iEUOj1FooBJa/1jln4zpNJBiB0tz0MIzSK4bBLggMI4STTTSYY5q5
CFfpqOpiF3kpxwKOenilffMft1YN9cvrvn8E7ykoo2hm5aRUhXf44dTIofEWdRlR
Xt451FMUQsoa898QLtMcEFIniJH74QL7zzPqyGMM7ZDrinKRAri4sHUPeQRCliI+
g114NRSaQl0gt6OMj/CwqcZE2Fkgd2F4PItyC6xZQQXKeLNiAZNFcjd/LKY3Xdc=
=STCt
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
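The following is an added example and is not part of the thread, Lenny's rule set, or Snort itself: a small Python emulation of how the eight rules match, run over constructed HTTP messages so the two properties worth knowing about before deploying them can be checked offline. First, every exclusion is a negated, case-insensitive substring match over the whole header block (content:!"nordea.dk"; nocase; http_header;), so any header containing one of the five tokens, whether Host, Referer or an attacker-chosen header on a phishing page, suppresses the alert; it is an allow-list by substring, not by Host. Second, rule 2 and rule 7 carry the same Danish title in UTF-8 (|c3 a5|) and ISO-8859-1 (|e5|) respectively, so a page fires one sid or the other depending on its encoding. The detection_filter emulation follows the manual's wording of a rate that must be exceeded (fires from the (count+1)-th match within a window that starts at the first match); flow:established is assumed rather than checked, and the response-side exclusions assume http_inspect is inspecting response headers (extended_response_inspection in Snort 2.9). Host names, IPs and page bodies are constructed for the demo.

```python
# Added example, not code from the thread: emulation of the matching logic of the
# eight Nordea phishing rules over constructed HTTP messages.

# Substrings that, if present anywhere in the header block, suppress every rule
# (content:!"..."; nocase; http_header;).
LEGIT_HOST_TOKENS = (b"www.nordea.fi", b"nordea.dk", b"www.nordea.com",
                     b"nordea.se", b"nordea.no")

# <title> prefixes from rules 2-8, keyed by sid. Rule 2 carries "Log på Netbank"
# in UTF-8 (|c3 a5|); rule 7 carries the same title in ISO-8859-1 (|e5|).
TITLE_SIGNATURES = {
    50000001: "<title>Log p\u00e5 Netbank".encode("utf-8"),
    50000002: b"<title>Nordean verkkopankki",
    50000003: b"<title>Nordeas Internetbank Privat",
    50000004: b"<title>Nordea MobilBank",
    50000005: b"<title>Responsible Investments Nordea",
    50000006: "<title>Log p\u00e5 Netbank".encode("latin-1"),
    50000007: b"<title>Beliggenhed verifikation",
}


def split_http(message: bytes):
    """Split a raw HTTP message into (start line, header block, body)."""
    head, _, body = message.partition(b"\r\n\r\n")
    start, _, headers = head.partition(b"\r\n")
    return start, headers, body


def header_block_names_nordea(headers: bytes) -> bool:
    """Negated, case-insensitive substring match over the whole header block,
    which is what the stacked content:!...; nocase; http_header; options do.
    Any header (Host, Referer, or an attacker-chosen one) containing a token
    suppresses the alert, so this is an allow-list by substring, not by Host."""
    lowered = headers.lower()
    return any(token in lowered for token in LEGIT_HOST_TOKENS)


class Rule1:
    """Rule 1 (sid 5000000): GET with "nordea" in the URI and no Nordea host in
    the request headers, rate-limited by detection_filter: track by_dst,
    count 2, seconds 5. Assumption: the filter fires from the (count+1)-th
    match within a window that starts at the first match, following the
    manual's description of a rate that must be exceeded. flow:established
    is assumed, not checked."""

    def __init__(self, count: int = 2, seconds: int = 5):
        self.count, self.seconds = count, seconds
        self.state = {}  # dst_ip -> (window_start, matches)

    def matches(self, request: bytes) -> bool:
        start, headers, _ = split_http(request)
        parts = start.split(b" ")
        if len(parts) < 2 or parts[0].upper() != b"GET":  # http_method, nocase
            return False
        if b"nordea" not in parts[1].lower():             # http_uri, nocase
            return False
        return not header_block_names_nordea(headers)

    def check(self, dst_ip: str, request: bytes, now: float) -> bool:
        """Return True when this request should raise the alert."""
        if not self.matches(request):
            return False
        window_start, matches = self.state.get(dst_ip, (now, 0))
        if now - window_start > self.seconds:
            window_start, matches = now, 0
        matches += 1
        self.state[dst_ip] = (window_start, matches)
        return matches > self.count


def response_sids(response: bytes) -> list:
    """Rules 2-8: sids whose <title> signature occurs in the response body
    (file_data; case-sensitive content), unless a response header names Nordea."""
    _, headers, body = split_http(response)
    if header_block_names_nordea(headers):
        return []
    return sorted(sid for sid, sig in TITLE_SIGNATURES.items() if sig in body)


# Constructed sample traffic (not captured; 203.0.113.0/24 is a documentation range).
PHISH_GET = (b"GET /nordea/netbank/index.php HTTP/1.1\r\n"
             b"Host: login-netbank.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
LEGIT_GET = b"GET /privat/nordea HTTP/1.1\r\nHost: www.nordea.dk\r\n\r\n"
PAGE_UTF8 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
             b"<html><head><title>Log p\xc3\xa5 Netbank</title></head></html>")
PAGE_LATIN1 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"
               b"<html><head><title>Log p\xe5 Netbank</title></head></html>")
# A phishing page that evades rules 2-8 by planting a token in any response header.
PAGE_EVASIVE = (b"HTTP/1.1 200 OK\r\nX-Brand: nordea.dk\r\n\r\n"
                b"<html><head><title>Nordea MobilBank</title></head></html>")


def demo() -> dict:
    """Run the samples through the emulation and return what each one triggers."""
    rule1 = Rule1()
    dst = "203.0.113.10"
    return {
        "rule1_hits": [rule1.check(dst, PHISH_GET, t) for t in (100.0, 101.0, 102.0, 110.0)],
        "rule1_legit": rule1.check(dst, LEGIT_GET, 103.0),
        "utf8": response_sids(PAGE_UTF8),
        "latin1": response_sids(PAGE_LATIN1),
        "evasive": response_sids(PAGE_EVASIVE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The evasive sample is the one to keep in mind when reviewing the rules: the negated http_header contents were clearly meant to exclude Nordea's own sites, but because the match is a substring anywhere in the header block, a phishing host such as nordea.dk.example or any response carrying "nordea.dk" in an arbitrary header is excluded as well. Anchoring the exclusion to the Host header value (or, for responses, dropping it in favour of a server-side allow-list by address) closes that gap.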
Current thread:
- 8 Norda bank phishing rules. Lenny Hansson (Nov 02)
- Re: 8 Norda bank phishing rules. Matt Mickel (Nov 02)