2017-11-08 10:32:30 +00:00
|
|
|
title: Download from Suspicious Dyndns Hosts
|
|
|
|
status: experimental
|
|
|
|
description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
|
2018-01-27 23:24:16 +00:00
|
|
|
references:
|
|
|
|
- https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
|
2017-11-08 10:32:30 +00:00
|
|
|
author: Florian Roth
|
|
|
|
date: 2017/11/08
|
|
|
|
logsource:
|
|
|
|
category: proxy
|
|
|
|
detection:
|
|
|
|
selection:
|
|
|
|
c-uri-extension:
|
|
|
|
- 'exe'
|
|
|
|
- 'vbs'
|
|
|
|
- 'bat'
|
|
|
|
- 'rar'
|
|
|
|
- 'ps1'
|
|
|
|
- 'doc'
|
|
|
|
- 'docm'
|
|
|
|
- 'xls'
|
|
|
|
- 'xlsm'
|
|
|
|
- 'pptm'
|
|
|
|
- 'rtf'
|
|
|
|
- 'hta'
|
|
|
|
- 'dll'
|
|
|
|
- 'ws'
|
|
|
|
- 'wsf'
|
|
|
|
- 'sct'
|
|
|
|
- 'zip'
|
|
|
|
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
|
|
|
|
r-dns:
|
|
|
|
- '*.hopto.org'
|
|
|
|
- '*.no-ip.org'
|
|
|
|
- '*.no-ip.info'
|
|
|
|
- '*.no-ip.biz'
|
|
|
|
- '*.no-ip.com'
|
|
|
|
- '*.noip.com'
|
|
|
|
- '*.ddns.name'
|
|
|
|
- '*.myftp.org'
|
|
|
|
- '*.myftp.biz'
|
|
|
|
- '*.serveblog.net'
|
|
|
|
- '*.servebeer.com'
|
|
|
|
- '*.servemp3.com'
|
|
|
|
- '*.serveftp.com'
|
|
|
|
- '*.servequake.com'
|
|
|
|
- '*.servehalflife.com'
|
|
|
|
- '*.servehttp.com'
|
|
|
|
- '*.servegame.com'
|
|
|
|
- '*.servepics.com'
|
|
|
|
- '*.myvnc.com'
|
|
|
|
- '*.ignorelist.com'
|
|
|
|
- '*.jkub.com'
|
|
|
|
- '*.dlinkddns.com'
|
|
|
|
- '*.jumpingcrab.com'
|
|
|
|
- '*.ddns.info'
|
|
|
|
- '*.mooo.com'
|
|
|
|
- '*.dns-dns.com'
|
|
|
|
- '*.strangled.net'
|
|
|
|
- '*.adultdns.net'
|
|
|
|
- '*.craftx.biz'
|
|
|
|
- '*.ddns01.com'
|
|
|
|
- '*.dns53.biz'
|
|
|
|
- '*.dnsapi.info'
|
|
|
|
- '*.dnsd.info'
|
|
|
|
- '*.dnsdynamic.com'
|
|
|
|
- '*.dnsdynamic.net'
|
|
|
|
- '*.dnsget.org'
|
|
|
|
- '*.fe100.net'
|
|
|
|
- '*.flashserv.net'
|
|
|
|
- '*.ftp21.net'
|
|
|
|
- '*.http01.com'
|
|
|
|
- '*.http80.info'
|
|
|
|
- '*.https443.com'
|
|
|
|
- '*.imap01.com'
|
|
|
|
- '*.kadm5.com'
|
|
|
|
- '*.mysq1.net'
|
|
|
|
- '*.ns360.info'
|
|
|
|
- '*.ntdll.net'
|
|
|
|
- '*.ole32.com'
|
|
|
|
- '*.proxy8080.com'
|
|
|
|
- '*.sql01.com'
|
|
|
|
- '*.ssh01.com'
|
|
|
|
- '*.ssh22.net'
|
|
|
|
- '*.tempors.com'
|
|
|
|
- '*.tftpd.net'
|
|
|
|
- '*.ttl60.com'
|
|
|
|
- '*.ttl60.org'
|
|
|
|
- '*.user32.com'
|
|
|
|
- '*.voip01.com'
|
|
|
|
- '*.wow64.net'
|
|
|
|
- '*.x64.me'
|
|
|
|
- '*.xns01.com'
|
|
|
|
- '*.dyndns.org'
|
|
|
|
- '*.dyndns.info'
|
|
|
|
- '*.dyndns.tv'
|
|
|
|
- '*.dyndns-at-home.com'
|
|
|
|
- '*.dnsomatic.com'
|
|
|
|
- '*.zapto.org'
|
|
|
|
- '*.webhop.net'
|
|
|
|
- '*.25u.com'
|
|
|
|
- '*.slyip.net'
|
|
|
|
condition: selection
|
|
|
|
fields:
|
|
|
|
- cs-ip
|
|
|
|
- c-uri
|
|
|
|
falsepositives:
|
|
|
|
- Software downloads
|
|
|
|
level: medium
|