[Snort-sigs] Offer a new sig for detecting possible Typo Squatting on .om TLD

rmkml rmkml at ...4129...
Sun Apr 3 09:29:57 EDT 2016


Hi,

First, thanks to Endgame and Splunk for sharing.

The http://etplc.org project offers a new sig for detecting possible DNS typosquatting on a few domains in the .om TLD:

alert udp $HOME_NET any -> any 53 (msg:"ET DNS Suspicious Typo Squatting Query to .om (TLD) access"; \
    content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; \
    content:"|02|om|00|"; fast_pattern; distance:0; nocase; \
    pcre:"/(?:netflix|yahoo|htc|huffingtonpost|nbc|bankofamerica|youtube|reddit|linkedin|facebook|live|google|baidu|gmail|xbox|adidas|hilton|ctrip|dangdang|directv|douban|drugstore|dubizzle|eastmoney|enterprise|etao|fiverr|one|qq|qv|si|sogou|tuniu|usaa|weather|weibo|y8|yatra)c?\x02om\x00/si"; \
    classtype:policy-violation; \
    reference:url,www.endgame.com/blog/what-does-oman-house-cards-and-typosquatting-have-common-om-domain-and-dangers-typosquatting; \
    reference:url,blogs.splunk.com/2016/04/01/hunting-that-evil-typosquatter/; \
    sid:1; rev:1;)

Don't forget to check variables.

Please send any comments.

Regards
@Rmkml
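To see what the posted signature does and does not fire on, here is an added Python re-implementation of its three checks (header bytes at offset 2, the `|02|om|00|` label, then the PCRE) applied to a raw DNS UDP payload. This is example code written for this edit, not part of the posted rule or the etplc.org project; the brand alternation is copied from the rule, and the DNS packets are constructed inline as test input.

```python
import re
import struct

# Brand alternation copied verbatim from the posted rule's pcre.
BRANDS = (
    b"netflix|yahoo|htc|huffingtonpost|nbc|bankofamerica|youtube|reddit|"
    b"linkedin|facebook|live|google|baidu|gmail|xbox|adidas|hilton|ctrip|"
    b"dangdang|directv|douban|drugstore|dubizzle|eastmoney|enterprise|etao|"
    b"fiverr|one|qq|qv|si|sogou|tuniu|usaa|weather|weibo|y8|yatra"
)
# Same expression as the rule's pcre, /si -> re.S | re.I.
TYPO_RE = re.compile(rb"(?:" + BRANDS + rb")c?\x02om\x00", re.S | re.I)

# content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
# = flags 0x0100 (standard query, RD), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
HEADER_MAGIC = bytes.fromhex("01000001000000000000")
QUESTION_OFFSET = 12  # DNS header length


def build_query(qname: str, txid: int = 0x1234, edns: bool = False) -> bytes:
    """Build a minimal A/IN query in DNS wire format (constructed test input).
    With edns=True an OPT pseudo-RR is appended and ARCOUNT becomes 1, as most
    modern stub resolvers send."""
    labels = b"".join(
        struct.pack("B", len(l)) + l.encode("ascii")
        for l in qname.rstrip(".").split(".")
    )
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    pkt = header + question
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return pkt


def extract_qname(payload: bytes) -> str:
    """Read the QNAME labels out of the question section (no compression
    pointers are expected in a query)."""
    labels, pos = [], QUESTION_OFFSET
    while payload[pos] != 0:
        n = payload[pos]
        pos += 1
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return ".".join(labels)


def rule_matches(payload: bytes) -> bool:
    """Mirror the rule's match logic on one UDP payload."""
    # content ... depth:10; offset:2  -> bytes [2,12) must equal the magic
    if payload[2:2 + len(HEADER_MAGIC)] != HEADER_MAGIC:
        return False
    # content:"|02|om|00|"; distance:0; nocase  -> anywhere after the header match
    if payload.lower().find(b"\x02om\x00", 2 + len(HEADER_MAGIC)) < 0:
        return False
    # pcre without the R modifier searches the whole payload
    return TYPO_RE.search(payload) is not None


def scan(payloads):
    """Return the QNAMEs of the payloads the rule would alert on."""
    return [extract_qname(p) for p in payloads if rule_matches(p)]


if __name__ == "__main__":
    samples = [
        build_query("netflix.om"),
        build_query("netflixc.om"),
        build_query("netflix.com"),
        build_query("example.om"),
        build_query("netflix.om", edns=True),
    ]
    for q in samples:
        print(f"{extract_qname(q):<14} edns={len(q) > 40!s:<5} alert={rule_matches(q)}")
```

Two things the run makes visible. First, the rule's pinned header requires ARCOUNT to be zero, so a query that carries an EDNS0 OPT record (ARCOUNT=1) never matches even when the QNAME is `netflix.om`; if the resolvers on $HOME_NET send EDNS, consider loosening the last two header bytes. Second, `sid:1` is only a placeholder; give the rule a local sid (1000000 or above) before loading it.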
