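## abused TLD rules
## Hunt rules: alert on DNS lookups, HTTP Host headers and TLS SNI values whose
## name ends in a TLD that is frequently abused for phishing/malware hosting.
## Hits are triage signals (classtype:bad-unknown), not blocking decisions --
## legitimate sites use these TLDs too. Sids are even numbers stepping by 2.
##
## DNS query name rules (dns_query):
##  - endswith anchors the match to the end of the query name, so ".tk" only
##    matches a name whose last label is "tk".
##  - nocase: DNS names are case-insensitive and some resolvers randomise label
##    case, so the match must not depend on the case seen on the wire (rev 2).
##  - threshold: at most one alert per source IP per 60 s per TLD, to bound
##    alert volume.
##  - NOTE(review): for UDP, flow:established requires traffic in both directions
##    to have been seen, so a query on a fresh UDP 5-tuple may not match; confirm
##    coverage on sample traffic before relying on these rules.
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .tk in DNS"; flow:established; dns_query; content:".tk"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610006; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .ml in DNS"; flow:established; dns_query; content:".ml"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610008; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .ga in DNS"; flow:established; dns_query; content:".ga"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610010; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .cf in DNS"; flow:established; dns_query; content:".cf"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610012; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .gq in DNS"; flow:established; dns_query; content:".gq"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610014; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .work in DNS"; flow:established; dns_query; content:".work"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610016; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .date in DNS"; flow:established; dns_query; content:".date"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610018; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .top in DNS"; flow:established; dns_query; content:".top"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610020; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .review in DNS"; flow:established; dns_query; content:".review"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610022; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .stream in DNS"; flow:established; dns_query; content:".stream"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610024; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .trade in DNS"; flow:established; dns_query; content:".trade"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610026; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .loan in DNS"; flow:established; dns_query; content:".loan"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610028; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .science in DNS"; flow:established; dns_query; content:".science"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610030; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .gdn in DNS"; flow:established; dns_query; content:".gdn"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610032; rev:2;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .click in DNS"; flow:established; dns_query; content:".click"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610034; rev:2;)
## sid 2610036 was an exact duplicate of sid 2610018 (.date) and raised a second
## alert for every hit; disabled rather than deleted so the sid stays reserved.
#alert dns any any -> any any (msg:"TGI HUNT Abused TLD .date in DNS"; flow:established; dns_query; content:".date"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610036; rev:1;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .racing in DNS"; flow:established; dns_query; content:".racing"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610038; rev:2;)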
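## HTTP Host header rules (http_host):
##  - http_host is Suricata's normalised (lowercased) host buffer, so the match is
##    already case-insensitive; nocase is neither needed nor accepted on it.
##  - Same endswith anchoring and per-source 60 s threshold as the DNS rules.
alert http any any -> any any (msg:"TGI HUNT Abused TLD .tk in HTTP Host"; flow:established; content:".tk"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610040; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .ml in HTTP Host"; flow:established; content:".ml"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610042; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .ga in HTTP Host"; flow:established; content:".ga"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610044; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .cf in HTTP Host"; flow:established; content:".cf"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610046; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .gq in HTTP Host"; flow:established; content:".gq"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610048; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .work in HTTP Host"; flow:established; content:".work"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610050; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .date in HTTP Host"; flow:established; content:".date"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610052; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .top in HTTP Host"; flow:established; content:".top"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610054; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .review in HTTP Host"; flow:established; content:".review"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610056; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .stream in HTTP Host"; flow:established; content:".stream"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610058; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .trade in HTTP Host"; flow:established; content:".trade"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610060; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .loan in HTTP Host"; flow:established; content:".loan"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610062; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .science in HTTP Host"; flow:established; content:".science"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610064; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .gdn in HTTP Host"; flow:established; content:".gdn"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610066; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .click in HTTP Host"; flow:established; content:".click"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610068; rev:1;)
## sid 2610070 was an exact duplicate of sid 2610052 (.date) and raised a second
## alert for every hit; disabled rather than deleted so the sid stays reserved.
#alert http any any -> any any (msg:"TGI HUNT Abused TLD .date in HTTP Host"; flow:established; content:".date"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610070; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .racing in HTTP Host"; flow:established; content:".racing"; http_host; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610072; rev:1;)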
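## TLS SNI rules (tls_sni), client hello direction only (flow:established,to_server):
##  - nocase added: SNI hostnames are case-insensitive like DNS names. The original
##    rules carried no rev (i.e. rev 0), so the revised rules are rev 1.
##  - Unlike the DNS/HTTP sets these carry no threshold and alert on every
##    matching handshake; add one if volume becomes a problem.
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .tk in SNI"; flow:established,to_server; tls_sni; content:".tk"; nocase; endswith; classtype:bad-unknown; sid:2610074; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .ml in SNI"; flow:established,to_server; tls_sni; content:".ml"; nocase; endswith; classtype:bad-unknown; sid:2610076; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .ga in SNI"; flow:established,to_server; tls_sni; content:".ga"; nocase; endswith; classtype:bad-unknown; sid:2610078; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .cf in SNI"; flow:established,to_server; tls_sni; content:".cf"; nocase; endswith; classtype:bad-unknown; sid:2610080; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .gq in SNI"; flow:established,to_server; tls_sni; content:".gq"; nocase; endswith; classtype:bad-unknown; sid:2610082; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .work in SNI"; flow:established,to_server; tls_sni; content:".work"; nocase; endswith; classtype:bad-unknown; sid:2610084; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .date in SNI"; flow:established,to_server; tls_sni; content:".date"; nocase; endswith; classtype:bad-unknown; sid:2610086; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .top in SNI"; flow:established,to_server; tls_sni; content:".top"; nocase; endswith; classtype:bad-unknown; sid:2610088; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .review in SNI"; flow:established,to_server; tls_sni; content:".review"; nocase; endswith; classtype:bad-unknown; sid:2610090; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .stream in SNI"; flow:established,to_server; tls_sni; content:".stream"; nocase; endswith; classtype:bad-unknown; sid:2610092; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .trade in SNI"; flow:established,to_server; tls_sni; content:".trade"; nocase; endswith; classtype:bad-unknown; sid:2610094; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .loan in SNI"; flow:established,to_server; tls_sni; content:".loan"; nocase; endswith; classtype:bad-unknown; sid:2610096; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .science in SNI"; flow:established,to_server; tls_sni; content:".science"; nocase; endswith; classtype:bad-unknown; sid:2610098; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .gdn in SNI"; flow:established,to_server; tls_sni; content:".gdn"; nocase; endswith; classtype:bad-unknown; sid:2610100; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .click in SNI"; flow:established,to_server; tls_sni; content:".click"; nocase; endswith; classtype:bad-unknown; sid:2610102; rev:1;)
## sid 2610104 was an exact duplicate of sid 2610086 (.date) and raised a second
## alert for every hit; disabled rather than deleted so the sid stays reserved.
#alert tls any any -> any any (msg:"TGI HUNT Abused TLD .date in SNI"; flow:established,to_server; tls_sni; content:".date"; endswith; classtype:bad-unknown; sid:2610104;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .racing in SNI"; flow:established,to_server; tls_sni; content:".racing"; nocase; endswith; classtype:bad-unknown; sid:2610106; rev:1;)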
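## Later additions, grouped per TLD (DNS / SNI / HTTP) rather than per buffer.
##  - dns_query and tls_sni matches get nocase as in the sets above (rev bumped);
##    http_host is already lowercase-normalised, so those rules only gain an
##    explicit rev:1 for consistency.
##  - Only the .ug and .pw DNS rules carry a threshold; every other rule in this
##    section alerts on each hit. Add a threshold if volume becomes a problem.
##  - .surf, .bid, .cam and .bar have HTTP and DNS rules only -- no SNI rule,
##    unlike the other TLDs in this file.
##  - The disabled .info and .life rules are left exactly as they were; if they are
##    re-enabled, apply the same nocase/rev treatment as the active rules.
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .ug in DNS"; flow:established; dns_query; content:".ug"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610108; rev:2;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .ug in SNI"; flow:established,to_server; tls_sni; content:".ug"; nocase; endswith; classtype:bad-unknown; sid:2610110; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .ug in HTTP Host"; flow:established,to_server; content:".ug"; http_host; endswith; classtype:bad-unknown; sid:2610112; rev:1;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .pw in DNS"; flow:established; dns_query; content:".pw"; nocase; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610114; rev:2;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .pw in SNI"; flow:established,to_server; tls_sni; content:".pw"; nocase; endswith; classtype:bad-unknown; sid:2610116; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .pw in HTTP Host"; flow:established,to_server; content:".pw"; http_host; endswith; classtype:bad-unknown; sid:2610118; rev:1;)
#alert dns any any -> any any (msg:"TGI HUNT Abused TLD .info in DNS"; flow:established; dns_query; content:".info"; endswith; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610120; rev:1;)
#alert tls any any -> any any (msg:"TGI HUNT Abused TLD .info in SNI"; flow:established,to_server; tls_sni; content:".info"; endswith; classtype:bad-unknown; sid:2610122;)
#alert http any any -> any any (msg:"TGI HUNT Abused TLD .info in HTTP Host"; flow:established,to_server; content:".info"; http_host; endswith; classtype:bad-unknown; sid:2610124;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .ooo in SNI"; flow:established,to_server; tls_sni; content:".ooo"; nocase; endswith; classtype:bad-unknown; sid:2610126; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .ooo in HTTP Host"; flow:established,to_server; content:".ooo"; http_host; endswith; classtype:bad-unknown; sid:2610128; rev:1;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .ooo in DNS Request"; flow:established,to_server; dns_query; content:".ooo"; nocase; endswith; classtype:bad-unknown; sid:2610130; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .world in SNI"; flow:established,to_server; tls_sni; content:".world"; nocase; endswith; classtype:bad-unknown; sid:2610132; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .world in HTTP Host"; flow:established,to_server; content:".world"; http_host; endswith; classtype:bad-unknown; sid:2610134; rev:1;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .world in DNS Request"; flow:established,to_server; dns_query; content:".world"; nocase; endswith; classtype:bad-unknown; sid:2610136; rev:1;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .desi in SNI"; flow:established,to_server; tls_sni; content:".desi"; nocase; endswith; classtype:bad-unknown; sid:2610138; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .desi in HTTP Host"; flow:established,to_server; content:".desi"; http_host; endswith; classtype:bad-unknown; sid:2610140; rev:1;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .desi in DNS Request"; flow:established,to_server; dns_query; content:".desi"; nocase; endswith; classtype:bad-unknown; sid:2610142; rev:1;)
#alert tls any any -> any any (msg:"TGI HUNT Abused TLD .life in SNI"; flow:established,to_server; tls_sni; content:".life"; endswith; classtype:bad-unknown; sid:2610144;)
#alert http any any -> any any (msg:"TGI HUNT Abused TLD .life in HTTP Host"; flow:established,to_server; content:".life"; http_host; endswith; classtype:bad-unknown; sid:2610146;)
#alert dns any any -> any any (msg:"TGI HUNT Abused TLD .life in DNS Request"; flow:established,to_server; dns_query; content:".life"; endswith; classtype:bad-unknown; sid:2610148;)
alert tls any any -> any any (msg:"TGI HUNT Abused TLD .ryukyu in SNI"; flow:established,to_server; tls_sni; content:".ryukyu"; nocase; endswith; classtype:bad-unknown; sid:2610150; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .ryukyu in HTTP Host"; flow:established,to_server; content:".ryukyu"; http_host; endswith; classtype:bad-unknown; sid:2610152; rev:1;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .ryukyu in DNS Request"; flow:established,to_server; dns_query; content:".ryukyu"; nocase; endswith; classtype:bad-unknown; sid:2610154; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .surf in HTTP Host"; flow:established,to_server; content:".surf"; http_host; endswith; classtype:bad-unknown; sid:2610156; rev:1;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .surf in DNS Request"; flow:established,to_server; dns_query; content:".surf"; nocase; endswith; classtype:bad-unknown; sid:2610158; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .bid in HTTP Host"; flow:established,to_server; content:".bid"; http_host; endswith; classtype:bad-unknown; sid:2610160; rev:1;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .bid in DNS Request"; flow:established,to_server; dns_query; content:".bid"; nocase; endswith; classtype:bad-unknown; sid:2610162; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .cam in HTTP Host"; flow:established,to_server; content:".cam"; http_host; endswith; classtype:bad-unknown; sid:2610164; rev:1;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .cam in DNS Request"; flow:established,to_server; dns_query; content:".cam"; nocase; endswith; classtype:bad-unknown; sid:2610166; rev:1;)
alert http any any -> any any (msg:"TGI HUNT Abused TLD .bar in HTTP Host"; flow:established,to_server; content:".bar"; http_host; endswith; classtype:bad-unknown; sid:2610168; rev:1;)
alert dns any any -> any any (msg:"TGI HUNT Abused TLD .bar in DNS Request"; flow:established,to_server; dns_query; content:".bar"; nocase; endswith; classtype:bad-unknown; sid:2610170; rev:1;)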