From be5360b8be1a2a7b481c68f8b3a4efea65737f0a Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 23:22:17 -0300
Subject: [PATCH] Update proxy_download_susp_tlds_blacklist.yml

---
 .../proxy_download_susp_tlds_blacklist.yml | 126 +++++++++---------
 1 file changed, 63 insertions(+), 63 deletions(-)

diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
index 26fb1c0eb..76081c8d8 100644
--- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
@@ -33,73 +33,73 @@ detection:
 - 'sct'
 - 'zip'
 # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
- r-dns:
+ r-dns|endswith:
 # Symantec / Chris Larsen analysis
- - '*.country'
- - '*.stream'
- - '*.gdn'
- - '*.mom'
- - '*.xin'
- - '*.kim'
- - '*.men'
- - '*.loan'
- - '*.download'
- - '*.racing'
- - '*.online'
- - '*.science'
- - '*.ren'
- - '*.gb'
- - '*.win'
- - '*.top'
- - '*.review'
- - '*.vip'
- - '*.party'
- - '*.tech'
- - '*.xyz'
- - '*.date'
- - '*.faith'
- - '*.zip'
- - '*.cricket'
- - '*.space'
+ - '.country'
+ - '.stream'
+ - '.gdn'
+ - '.mom'
+ - '.xin'
+ - '.kim'
+ - '.men'
+ - '.loan'
+ - '.download'
+ - '.racing'
+ - '.online'
+ - '.science'
+ - '.ren'
+ - '.gb'
+ - '.win'
+ - '.top'
+ - '.review'
+ - '.vip'
+ - '.party'
+ - '.tech'
+ - '.xyz'
+ - '.date'
+ - '.faith'
+ - '.zip'
+ - '.cricket'
+ - '.space'
 # McAfee report
- - '*.info'
- - '*.vn'
- - '*.cm'
- - '*.am'
- - '*.cc'
- - '*.asia'
- - '*.ws'
- - '*.tk'
- - '*.biz'
- - '*.su'
- - '*.st'
- - '*.ro'
- - '*.ge'
- - '*.ms'
- - '*.pk'
- - '*.nu'
- - '*.me'
- - '*.ph'
- - '*.to'
- - '*.tt'
- - '*.name'
- - '*.tv'
- - '*.kz'
- - '*.tc'
- - '*.mobi'
+ - '.info'
+ - '.vn'
+ - '.cm'
+ - '.am'
+ - '.cc'
+ - '.asia'
+ - '.ws'
+ - '.tk'
+ - '.biz'
+ - '.su'
+ - '.st'
+ - '.ro'
+ - '.ge'
+ - '.ms'
+ - '.pk'
+ - '.nu'
+ - '.me'
+ - '.ph'
+ - '.to'
+ - '.tt'
+ - '.name'
+ - '.tv'
+ - '.kz'
+ - '.tc'
+ - '.mobi'
 # Spamhaus
- - '*.study'
- - '*.click'
- - '*.link'
- - '*.trade'
- - '*.accountant'
+ - '.study'
+ - '.click'
+ - '.link'
+ - '.trade'
+ - '.accountant'
 # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
- - '*.cf'
- - '*.gq'
- - '*.ml'
- - '*.ga'
+ - '.cf'
+ - '.gq'
+ - '.ml'
+ - '.ga'
 # Custom
- - '*.pw'
+ - '.pw'
 condition: selection
 fields:
 - ClientIP
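Review bot: The new `r-dns|endswith:` key carries no comment stating that its entries are bare suffixes (leading dot, no `*`), so the next TLD added in the style the removed lines show (`'*.tld'`) would land under a modifier that treats the value differently from a plain wildcard, depending on how the backend handles an explicit `*` inside an endswith value. A one-line comment under the key would keep future additions consistent, e.g. `# plain suffixes matched with |endswith - keep the leading dot, no '*' wildcard`. The match semantics otherwise appear equivalent to the previous wildcard list, but if the proxy log source records r-dns as a fully qualified name with a trailing dot, neither the old nor the new form fires; worth confirming against a sample event. The `detection:`/selection block these lines belong to begins above the hunk.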
@@ -113,4 +113,4 @@ tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.t1204 # an old one
\ No newline at end of file
+ - attack.t1204 # an old one