Throwaway@lemm.ee to Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ@lemmy.dbzer0.comEnglish · 1 year agoBetter than Disney+: Jellyfin on my NASwww.youtube.comexternal-linkmessage-square264fedilinkarrow-up1736arrow-down156
arrow-up1680arrow-down1external-linkBetter than Disney+: Jellyfin on my NASwww.youtube.comThrowaway@lemm.ee to Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ@lemmy.dbzer0.comEnglish · 1 year agomessage-square264fedilink
minus-squarepcjones@feddit.delinkfedilinkEnglisharrow-up6·1 year agoMay I ask what I should look for in the log files to detect this (and so I can configure fail2ban correctly)?
minus-squareBaroqueInMind@kbin.sociallinkfedilinkarrow-up5·1 year agoFirst read this Then use the following: alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:“[CIS] Emotet C2 Traffic Using Form Data to Send Passwords”; content:“POST”; http_method; content:“Content-Type|3a 20|multipart/form-data|3b 20|boundary=”; http_header; fast_pattern; content:“Content-Disposition|3a 20|form-data|3b 20|name=|22|”; http_client_body; content:!“------WebKitFormBoundary”; http_client_body; content:!“Cookie|3a|”; pcre:“/:?(chrome|firefox|safari|opera|ie|edge) passwords/i”; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;) And the following: alert tcp any any -> any $HTTP_PORTS (msg:“EMOTET:HTTP URI GET contains ‘/wp-content/###/’”; sid:00000000; rev:1; flow:established,to_server; content:“/wp-content/”; http_uri; content:“/”; http_uri; distance:0; within:4; content:“GET”; nocase; http_method; urilen:<17; classtype:http-uri; content:“Connection|3a 20|Keep-Alive|0d 0a|”; http_header; metadata:service http;) And also this one: alert tcp any any -> any $HTTP_PORTS (msg:“EMOTET:HTTP URI GET contains ‘/wp-admin/###/’”; sid:00000000; rev:1; flow:established,to_server; content:“/wp-admin/”; http_uri; content:“/”; http_uri; distance:0; within:4; content:“GET”; nocase; http_method; urilen:<15; content:“Connection|3a 20|Keep-Alive|0d 0a|”; http_header; classtype:http-uri; metadata:service http;)
May I ask what I should look for in the log files to detect this (and so I can configure fail2ban correctly)?
First read this
Then use the following:
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:“[CIS] Emotet C2 Traffic Using Form Data to Send Passwords”; content:“POST”; http_method; content:“Content-Type|3a 20|multipart/form-data|3b 20|boundary=”; http_header; fast_pattern; content:“Content-Disposition|3a 20|form-data|3b 20|name=|22|”; http_client_body; content:!“------WebKitFormBoundary”; http_client_body; content:!“Cookie|3a|”; pcre:“/:?(chrome|firefox|safari|opera|ie|edge) passwords/i”; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)
And the following:
alert tcp any any -> any $HTTP_PORTS (msg:“EMOTET:HTTP URI GET contains ‘/wp-content/###/’”; sid:00000000; rev:1; flow:established,to_server; content:“/wp-content/”; http_uri; content:“/”; http_uri; distance:0; within:4; content:“GET”; nocase; http_method; urilen:<17; classtype:http-uri; content:“Connection|3a 20|Keep-Alive|0d 0a|”; http_header; metadata:service http;)
And also this one:
alert tcp any any -> any $HTTP_PORTS (msg:“EMOTET:HTTP URI GET contains ‘/wp-admin/###/’”; sid:00000000; rev:1; flow:established,to_server; content:“/wp-admin/”; http_uri; content:“/”; http_uri; distance:0; within:4; content:“GET”; nocase; http_method; urilen:<15; content:“Connection|3a 20|Keep-Alive|0d 0a|”; http_header; classtype:http-uri; metadata:service http;)