Commit

update
signalblur committed Feb 27, 2025
1 parent 5e94c34 commit f1c8f6a
Showing 1 changed file with 16 additions and 1 deletion.
17 changes: 16 additions & 1 deletion rules/network/zeek/zeek_http_sus_file_ext_from_sus_tld.yml
@@ -66,7 +66,21 @@ detection:
- '.dylib'
- '.lnk'
- '.wsf'
condition: suspicious_tld and malicious_ext
malicious_mime:
resp_mime_types:
- 'application/x-dosexec'
- 'application/x-msdownload'
- 'application/x-msdos-program'
- 'application/vnd.microsoft.portable-executable'
- 'application/x-sh'
- 'application/x-python-code'
- 'application/x-bat'
- 'application/x-ms-shortcut'
- 'application/x-iso9660-image'
- 'application/x-java-archive'
- 'application/x-elf'

condition: suspicious_tld and (malicious_ext or malicious_mime)
fields:
- ts
- uid
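Review bot: the new `malicious_mime` selection matches `resp_mime_types` against exact strings, but in Zeek's http.log that field holds a list of MIME types per response, so whether `'application/x-dosexec'` fires depends on the Sigma backend doing element-wise matching on a list-valued field; confirm that for the target backend or use a `|contains` modifier on `resp_mime_types`. Two smaller points in the same hunk: the blank line between `- 'application/x-elf'` and `condition:` sits inside the `detection` block and should be dropped, and because the condition is now `suspicious_tld and (malicious_ext or malicious_mime)` the rule fires on MIME type alone, so the file name `zeek_http_sus_file_ext_from_sus_tld.yml` (and the title and description it implies) no longer describes the full logic and should be updated along with the commit message, which currently reads only `update`.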
@@ -78,6 +92,7 @@ fields:
- method
- status_code
- user_agent
- resp_mime_types
falsepositives:
- Rare legitimate software downloads or newly registered domains under .xyz/.top/.ru etc
level: medium
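Review bot: `falsepositives` was not revised alongside the broadened condition; the `malicious_mime` branch now matches on `resp_mime_types` values such as `application/x-sh` or `application/x-java-archive` regardless of the URI extension, so legitimate script or JAR downloads from the listed TLDs are a new false-positive class that the single entry `Rare legitimate software downloads or newly registered domains under .xyz/.top/.ru etc` should name, and `level: medium` should be reconsidered in light of the wider match. Adding `resp_mime_types` to `fields` is the right call so an analyst can see which branch of the condition matched.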
