Florian Roth
34 lines
797 B
YAML
34 lines
797 B
YAML
title: Executable Download from Suspicious Host
|
|
status: experimental
|
|
description: Detects executable downloads from suspicious remote systems. The whitelist should be extended as needed.
|
|
author: Florian Roth
|
|
logsource:
|
|
type: proxy
|
|
detection:
|
|
selection:
|
|
c-uri-extension: 'exe'
|
|
filter:
|
|
r-dns:
|
|
- '*.com'
|
|
- '*.org'
|
|
- '*.net'
|
|
- '*.edu'
|
|
- '*.gov'
|
|
- '*.uk'
|
|
- '*.ca'
|
|
- '*.de'
|
|
- '*.jp'
|
|
- '*.fr'
|
|
- '*.au'
|
|
- '*.us'
|
|
- '*.ch'
|
|
- '*.it'
|
|
- '*.nl'
|
|
- '*.se'
|
|
- '*.no'
|
|
- '*.es'
|
|
condition: selection
|
|
falsepositives:
|
|
- All kind of software downloads
|
|
level: low
|