Update proxy_download_susp_tlds_blacklist.yml

2020-10-15 23:22:17 -03:00
parent 5615173540
commit be5360b8be
1 changed files with 63 additions and 63 deletions
@@ -33,73 +33,73 @@ detection:
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
-        r-dns:
+        r-dns|endswith:
            # Symantec / Chris Larsen analysis
-            - '*.country'
-            - '*.stream'
-            - '*.gdn'
-            - '*.mom'
-            - '*.xin'
-            - '*.kim'
-            - '*.men'
-            - '*.loan'
-            - '*.download'
-            - '*.racing'
-            - '*.online'
-            - '*.science'
-            - '*.ren'
-            - '*.gb'
-            - '*.win'
-            - '*.top'
-            - '*.review'
-            - '*.vip'
-            - '*.party'
-            - '*.tech'
-            - '*.xyz'
-            - '*.date'
-            - '*.faith'
-            - '*.zip'
-            - '*.cricket'
-            - '*.space'
+            - '.country'
+            - '.stream'
+            - '.gdn'
+            - '.mom'
+            - '.xin'
+            - '.kim'
+            - '.men'
+            - '.loan'
+            - '.download'
+            - '.racing'
+            - '.online'
+            - '.science'
+            - '.ren'
+            - '.gb'
+            - '.win'
+            - '.top'
+            - '.review'
+            - '.vip'
+            - '.party'
+            - '.tech'
+            - '.xyz'
+            - '.date'
+            - '.faith'
+            - '.zip'
+            - '.cricket'
+            - '.space'
            # McAfee report
-            - '*.info'
-            - '*.vn'
-            - '*.cm'
-            - '*.am'
-            - '*.cc'
-            - '*.asia'
-            - '*.ws'
-            - '*.tk'
-            - '*.biz'
-            - '*.su'
-            - '*.st'
-            - '*.ro'
-            - '*.ge'
-            - '*.ms'
-            - '*.pk'
-            - '*.nu'
-            - '*.me'
-            - '*.ph'
-            - '*.to'
-            - '*.tt'
-            - '*.name'
-            - '*.tv'
-            - '*.kz'
-            - '*.tc'
-            - '*.mobi'
+            - '.info'
+            - '.vn'
+            - '.cm'
+            - '.am'
+            - '.cc'
+            - '.asia'
+            - '.ws'
+            - '.tk'
+            - '.biz'
+            - '.su'
+            - '.st'
+            - '.ro'
+            - '.ge'
+            - '.ms'
+            - '.pk'
+            - '.nu'
+            - '.me'
+            - '.ph'
+            - '.to'
+            - '.tt'
+            - '.name'
+            - '.tv'
+            - '.kz'
+            - '.tc'
+            - '.mobi'
            # Spamhaus
-            - '*.study'
-            - '*.click'
-            - '*.link'
-            - '*.trade'
-            - '*.accountant'
+            - '.study'
+            - '.click'
+            - '.link'
+            - '.trade'
+            - '.accountant'
            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
-            - '*.cf'
-            - '*.gq'
-            - '*.ml'
-            - '*.ga'
+            - '.cf'
+            - '.gq'
+            - '.ml'
+            - '.ga'
            # Custom
-            - '*.pw'
+            - '.pw'
    condition: selection
 fields:
    - ClientIP
@@ -113,4 +113,4 @@ tags:
    - attack.execution
    - attack.t1203
    - attack.t1204.002
-    - attack.t1204  # an old one
+    - attack.t1204  # an old one