From b92c032c2d9c61bbccf77b248f96df0f23f3e866 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 8 Nov 2018 23:21:21 +0100
Subject: [PATCH] Linux JexBoss back connect shell

---
 rules/linux/lnx_susp_jexboss.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 rules/linux/lnx_susp_jexboss.yml

diff --git a/rules/linux/lnx_susp_jexboss.yml b/rules/linux/lnx_susp_jexboss.yml
new file mode 100644
index 000000000..9b7a91e7a
--- /dev/null
+++ b/rules/linux/lnx_susp_jexboss.yml
@@ -0,0 +1,17 @@
+title: JexBoss Command Sequence
+description: Detects suspicious command sequence that JexBoss
+references:
+ - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+author: Florian Roth
+date: 2017/08/24
+logsource:
+ product: linux
+detection:
+ selection1:
+ - 'bash -c /bin/bash'
+ selection2:
+ - '&/dev/tcp/'
+ condition: selection1 and selection2
+falsepositives:
+ - Unknown
+level: high
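Review bot: The `description` line in the new rule is an unfinished sentence ("Detects suspicious command sequence that JexBoss") and should say what the sequence is, e.g. `description: Detects a suspicious command sequence used by the JexBoss exploitation tool (see AR18-312A)`. Both selections are bare keyword lists with no field name, so the condition `selection1 and selection2` only fires when `bash -c /bin/bash` and `&/dev/tcp/` land in the same event; if the log source splits a command line across events the rule never matches, which is worth stating in the description or a comment so users know the expected log format. The `logsource` gives only `product: linux` with no `service` or `category`, so a sentence naming the intended source (auditd, shell history, process creation) would help backend mapping. The `date: 2017/08/24` predates the commit date by over a year — presumably carried over from an earlier draft, but confirm it is intended.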