From a87d513efa20e255a621ea71a09a67b88f0085b4 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 13 Mar 2017 16:11:43 +0100
Subject: [PATCH] Rule: Suspicious executable downloads
---
rules/proxy/proxy_exe_download_susp_tlds.yml | 33 ++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 rules/proxy/proxy_exe_download_susp_tlds.yml
diff --git a/rules/proxy/proxy_exe_download_susp_tlds.yml b/rules/proxy/proxy_exe_download_susp_tlds.yml
new file mode 100644
index 000000000..f61b4bf96
--- /dev/null
+++ b/rules/proxy/proxy_exe_download_susp_tlds.yml
@@ -0,0 +1,33 @@
+title: Executable Download from Suspicious Host
+status: experimental
+description: Detects executable downloads from suspicious remote systems. The whitelist should be extended as needed.
+author: Florian Roth
+logsource:
+ type: proxy
+detection:
+ selection:
+ c-uri-extension: 'exe'
+ filter:
+ r-dns:
+ - '*.com'
+ - '*.org'
+ - '*.net'
+ - '*.edu'
+ - '*.gov'
+ - '*.uk'
+ - '*.ca'
+ - '*.de'
+ - '*.jp'
+ - '*.fr'
+ - '*.au'
+ - '*.us'
+ - '*.ch'
+ - '*.it'
+ - '*.nl'
+ - '*.se'
+ - '*.no'
+ - '*.es'
+ condition: selection
+falsepositives:
+ - All kind of software downloads
+level: low
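Review bot: The `filter` block is defined but never applied — `condition: selection` fires on every `.exe` download regardless of `r-dns`, so the TLD whitelist the description promises has no effect and the rule alerts on all executable downloads. The condition should read `condition: selection and not filter`. Even once wired in, the allowlist only suppresses hosts under common TLDs, so a payload served from an attacker-registered `.com` or `.net` domain still passes silently; a `description` sentence making clear that this is a coarse "unusual TLD" heuristic rather than a reputation check would set the right expectation. The single-quoted `'*.com'` entries are correct and should stay quoted, since a bare `*` would be read by a YAML parser as an alias, not a wildcard. The indentation of the nested keys appears flattened in this rendering of the patch, so verify the `selection`/`c-uri-extension` nesting against the committed file.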