Rule: Suspicious executable downloads

rules/proxy/proxy_exe_download_susp_tlds.yml

@@ -0,0 +1,33 @@
+title: Executable Download from Suspicious Host
+status: experimental
+description: Detects executable downloads from suspicious remote systems. The whitelist should be extended as needed. 
+author: Florian Roth
+logsource:
+    type: proxy
+detection:
+    selection:
+        c-uri-extension: 'exe'
+    filter:
+        r-dns: 
+            - '*.com'
+            - '*.org'
+            - '*.net'
+            - '*.edu'
+            - '*.gov'
+            - '*.uk'
+            - '*.ca'
+            - '*.de'
+            - '*.jp'
+            - '*.fr'
+            - '*.au'
+            - '*.us'
+            - '*.ch'
+            - '*.it'
+            - '*.nl'
+            - '*.se'
+            - '*.no'
+            - '*.es'    
+    condition: selection
+falsepositives:
+    - All kind of software downloads
+level: low