# KXK00OOkxxkO00KX0
# ,NXKxo:,'... ...';cdOXN:
# l;. ..,:ldxkOOOOOOkkxol:,.. .o
# dk lOOOOOOkkkkkkkkkkkOOOOOOx dk
# KNXOc. :0OkkkkkkkkkkkkkkkkkkkkkO0l. :kXNX
# x. .'ckOOkkkkkkkkkkkookkkkkkkkkkOOOl,. .k
# d. o0Okkkkkkkkkkkkk. okkkkkkkkkkOO0k x
# l. c0kkkkkkko. .ckk .kd..'xkkkkkk0x .o
# ;, ;0kkkkkkkc ;ko. .dk. :kkkkkk0l ':
# .l .OOkkkkkkkl. .lkocldkkl. 'xkkkkkOO, c.
# l o0kkkk:..'dkkk. .;okkkkkkkkk0x l
# .: .OOkkk; xk, .:kkkkkO0; ;.
# ;. :0kkkko;,cko :kkkk0d .:
# : oOkkkkkkkk .dkkk0k. :
# : dOkkkkkkk .:odxkkkkkOk. ;
# ; oOkkkkkkx:,,ckkkkkkkkkkOx. ,
# '. ;OOkkkkkkkkkkkkkkkkkOOc '
# ' .lOOkkkkkkkkkkkkkOOd. .
# . .lOOkkkkkkkkkOOo' ..
# ' .;dOOOkOOOx:. .
# .. .,lxo;. ..
# .. ..
#
# ____ ___ __ ____ _ _
#| _ \ / \ \ / / | _ \ __ _| |_ _ __ _ _| | ___ ___
#| |_) / _ \ \ /\ / / | |_) / _` | __| '__| | | | |/ _ \/ __|
#| __/ ___ \ V V / | __/ (_| | |_| | | |_| | | __/\__ \
#|_| /_/ \_\_/\_/ |_| \__,_|\__|_| \__,_|_|\___||___/
#
# IDS Rules for Suricata
# π Charles BLANC-ROLIN β ΅ - https://pawpatrules.fr - https://www.apssis.com - https://github.com/woundride
# Licence CC BY-NC-SA 4.0 : https://creativecommons.org/licenses/by-nc-sa/4.0/
# Campagnes de phishing π£
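###DNS###
# DNS query-name rules. The three "brand" rules below match the brand string
# anywhere in the query name (a plain "content" is a substring match), and then
# whitelist the brand's own domains with negated "endswith" patterns. Two
# consequences a tuner should know about:
#   - substring matching on a short string such as "dhl" will also fire on
#     unrelated names that merely contain it; extend the exclusions locally.
#   - "endswith" has no label boundary, so an exclusion such as !"facebook.com"
#     also suppresses a look-alike that merely ends in that string
#     (e.g. "<brand>-login-facebook.com" style names). Treat these as hunting
#     rules, not high-confidence alerts.
# Known phishing domain (exact suffix match).
alert dns any any -> any any (msg:"πΎ - β DNS Request π to π£ phishing domain"; flow: to_server, stateless; dns_query; content:"kundeunivers.dk"; nocase; endswith; metadata:created_at 2021_10_30, updated_at 2022_08_03; sid:3312665; rev:2; classtype:trojan-activity;)
# Possible Facebook look-alike; excludes facebook.com, facebook.net and facebookmail.com.
alert dns any any -> any any (msg:"πΎ - β DNS Request π to suspicious domain - possible Facebook phishing π£"; flow: to_server, stateless; dns_query; content:"facebook"; nocase; content:!"facebook.com"; endswith; nocase; content:!"facebook.net"; endswith; nocase; content:!"facebookmail.com"; endswith; nocase; metadata:created_at 2021_11_03, updated_at 2024_05_20; sid:3312666; rev:5; classtype:trojan-activity;)
# Possible DHL look-alike; excludes dhl.com and the ".dhl" brand TLD.
alert dns any any -> any any (msg:"πΎ - β DNS Request π to suspicious domain - possible DHL phishing π£"; flow: to_server, stateless; dns_query; content:"dhl"; nocase; content:!"dhl.com"; endswith; nocase; content:!".dhl"; endswith; nocase; metadata:created_at 2021_11_03, updated_at 2022_08_03; sid:3312667; rev:3; classtype:trojan-activity;)
# Possible LinkedIn look-alike. The exclusion list covers the brand's own TLDs
# plus licdn.com and linkedin-ei.com. A Suricata rule must be a single physical
# line, so the rule is kept unbroken here (it was wrapped over two lines).
alert dns any any -> any any (msg:"πΎ - β DNS Request π to suspicious domain - possible Linkedin phishing π£"; flow: to_server, stateless; dns_query; content:"linkedin"; nocase; content:!"LINKEDIN.BLOG"; endswith; nocase; content:!"linkedin.blue"; endswith; nocase; content:!"linkedin.cloud"; endswith; nocase; content:!"linkedin.co"; endswith; nocase; content:!"LINKEDIN.COM"; endswith; nocase; content:!"linkedin.do"; endswith; nocase; content:!"linkedin.fr"; endswith; nocase; content:!"linkedin.global"; endswith; nocase; content:!"linkedin.in"; endswith; nocase; content:!"linkedin.info"; endswith; nocase; content:!"linkedin.link"; endswith; nocase; content:!"LINKEDIN.NET"; endswith; nocase; content:!"linkedin.one"; endswith; nocase; content:!"LINKEDIN.ONL"; endswith; nocase; content:!"LINKEDIN.ONLINE"; endswith; nocase; content:!"LINKEDIN.ORG"; endswith; nocase; content:!"linkedin.photo"; endswith; nocase; content:!"linkedin.sex"; endswith; nocase; content:!"LINKEDIN.SITE"; endswith; nocase; content:!"linkedin.ski"; endswith; nocase; content:!"LINKEDIN.SPACE"; endswith; nocase; content:!"LINKEDIN.STORE"; endswith; nocase; content:!"LINKEDIN.TECH"; endswith; nocase; content:!"linkedin.top"; endswith; nocase; content:!"linkedin.voyage"; endswith; nocase; content:!"LINKEDIN.WEBSITE"; endswith; nocase; content:!"linkedin.work"; endswith; nocase; content:!"LINKEDIN.XYZ"; endswith; nocase; content:!"linkedin.audio"; endswith; nocase; content:!"LINKEDIN.BEST"; endswith; nocase; content:!"linkedin.biz"; endswith; nocase; content:!"linkedin.club"; endswith; nocase; content:!"linkedin.gay"; endswith; nocase; content:!"linkedin.alsace"; endswith; nocase; content:!"linkedin.app"; endswith; nocase; content:!"LINKEDIN.ASIA"; endswith; nocase; content:!"linkedin.dev"; endswith; nocase; content:!"linkedin.page"; endswith; nocase; content:!"linkedin.us"; endswith; nocase; content:!"linkedin.ca"; endswith; nocase; content:!"licdn.com"; endswith; nocase; content:!"linkedin-ei.com"; endswith; nocase; classtype:trojan-activity; metadata:created_at 2022_04_23, updated_at 2022_08_03; sid:3312668; rev:3;)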
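###HTTP###
# Plain-HTTP counterparts of the DNS rules, matched on the raw Host header
# (http.host.raw) from $HOME_NET towards $EXTERNAL_NET. Same substring /
# "endswith" caveats as the DNS section apply.
# Housekeeping in this revision: "supicious" was misspelled in four alert
# messages; the msg text is corrected and the rev of each affected rule is
# bumped so rule managers pick up the change. updated_at is intentionally left
# for the maintainer to set when the change is released.
# Known phishing domain (exact suffix match on Host).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to π£ phishing domain observed"; flow: to_server, stateless; http.host.raw; content:"kundeunivers.dk"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2021_11_03, updated_at 2021_11_03; sid:3312669; rev:2;)
# Possible Facebook look-alike. NOTE(review): unlike the DNS and TLS variants
# (sids 3312666 / 3312676), this rule does not exclude facebookmail.com; confirm
# whether that is intended or an omission when those rules were last updated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to suspicious domain - possible Facebook phishing π£"; flow: to_server, stateless; http.host.raw; content:"facebook"; nocase; content:!"facebook.com"; endswith; nocase; content:!"facebook.net"; endswith; nocase; classtype:trojan-activity; metadata:created_at 2021_11_03, updated_at 2022_08_03; sid:3312670; rev:7;)
# Possible DHL look-alike; excludes dhl.com and the ".dhl" brand TLD.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to suspicious domain - possible DHL phishing π£"; flow: to_server, stateless; http.host.raw; content:"dhl"; nocase; content:!"dhl.com"; endswith; nocase; content:!".dhl"; endswith; nocase; classtype:trojan-activity; metadata:created_at 2021_11_03, updated_at 2022_08_03; sid:3312671; rev:5;)
# Possible LinkedIn look-alike on the Host header; same exclusion list as the
# DNS and TLS rules. Kept on one physical line as Suricata requires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to suspicious domain - possible Linkedin phishing π£"; flow: to_server, stateless; http.host.raw; content:"linkedin"; nocase; content:!"LINKEDIN.BLOG"; endswith; nocase; content:!"linkedin.blue"; endswith; nocase; content:!"linkedin.cloud"; endswith; nocase; content:!"linkedin.co"; endswith; nocase; content:!"LINKEDIN.COM"; endswith; nocase; content:!"linkedin.do"; endswith; nocase; content:!"linkedin.fr"; endswith; nocase; content:!"linkedin.global"; endswith; nocase; content:!"linkedin.in"; endswith; nocase; content:!"linkedin.info"; endswith; nocase; content:!"linkedin.link"; endswith; nocase; content:!"LINKEDIN.NET"; endswith; nocase; content:!"linkedin.one"; endswith; nocase; content:!"LINKEDIN.ONL"; endswith; nocase; content:!"LINKEDIN.ONLINE"; endswith; nocase; content:!"LINKEDIN.ORG"; endswith; nocase; content:!"linkedin.photo"; endswith; nocase; content:!"linkedin.sex"; endswith; nocase; content:!"LINKEDIN.SITE"; endswith; nocase; content:!"linkedin.ski"; endswith; nocase; content:!"LINKEDIN.SPACE"; endswith; nocase; content:!"LINKEDIN.STORE"; endswith; nocase; content:!"LINKEDIN.TECH"; endswith; nocase; content:!"linkedin.top"; endswith; nocase; content:!"linkedin.voyage"; endswith; nocase; content:!"LINKEDIN.WEBSITE"; endswith; nocase; content:!"linkedin.work"; endswith; nocase; content:!"LINKEDIN.XYZ"; endswith; nocase; content:!"linkedin.audio"; endswith; nocase; content:!"LINKEDIN.BEST"; endswith; nocase; content:!"linkedin.biz"; endswith; nocase; content:!"linkedin.club"; endswith; nocase; content:!"linkedin.gay"; endswith; nocase; content:!"linkedin.alsace"; endswith; nocase; content:!"linkedin.app"; endswith; nocase; content:!"LINKEDIN.ASIA"; endswith; nocase; content:!"linkedin.dev"; endswith; nocase; content:!"linkedin.page"; endswith; nocase; content:!"linkedin.us"; endswith; nocase; content:!"linkedin.ca"; endswith; nocase; content:!"licdn.com"; endswith; nocase; content:!"linkedin-ei.com"; endswith; nocase; classtype:trojan-activity; metadata:created_at 2022_04_23, updated_at 2022_08_03; sid:3312672; rev:4;)
# "/linkedin." anywhere in the request URI (e.g. a page named linkedin.<ext>
# hosted on an arbitrary domain). Substring match, no Host check.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to suspicious URL - possible Linkedin phishing π£"; flow: to_server, stateless; http.uri; content:"/linkedin."; nocase; classtype:trojan-activity; metadata:created_at 2022_04_23, updated_at 2022_08_03; sid:3312673; rev:3;)
# Hosting domain seen in phishing and malware delivery.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"πΎ - π HTTP connection to free hosting service observed in π£ phishing and malware π campaign"; flow: to_server, stateless; http.host.raw; content:"serversmtptrack.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_05_31, updated_at 2022_08_03; sid:3312674; rev:3;)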
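###TLS###
###SNI suspect###
# TLS counterparts matched on the Server Name Indication (tls_sni) of the
# ClientHello, on established flows towards the server. SNI is sent in clear
# even when the rest of the session is encrypted, so these work without TLS
# interception. Same substring / "endswith" caveats as the DNS section.
# Known phishing domain (exact suffix match on SNI).
alert tls any any -> any any (msg:"πΎ - π TLS connexion to π£ phishing domain observed"; flow:established,to_server; tls_sni; content:"kundeunivers.dk"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2021_10_30, updated_at 2021_10_30; sid:3312675; rev:1;)
# Possible Facebook look-alike; excludes facebook.com, facebook.net and facebookmail.com.
alert tls any any -> any any (msg:"πΎ - π TLS connexion to suspicious domain - possible Facebook phishing π£"; flow:established,to_server; tls_sni; content:"facebook"; nocase; content:!"facebook.com"; endswith; nocase; content:!"facebook.net"; endswith; nocase; content:!"facebookmail.com"; endswith; nocase; classtype:trojan-activity; metadata:created_at 2021_11_03, updated_at 2024_05_12; sid:3312676; rev:5;)
# Possible DHL look-alike; excludes dhl.com and the ".dhl" brand TLD.
alert tls any any -> any any (msg:"πΎ - π TLS connexion to suspicious domain - possible DHL phishing π£"; flow:established,to_server; tls_sni; content:"dhl"; nocase; content:!"dhl.com"; endswith; nocase; content:!".dhl"; endswith; nocase; classtype:trojan-activity; metadata:created_at 2021_11_03, updated_at 2021_11_03; sid:3312677; rev:2;)
# Possible LinkedIn look-alike on SNI; same exclusion list as the DNS and HTTP
# rules. Kept on one physical line as Suricata requires (it was wrapped).
alert tls any any -> any any (msg:"πΎ - π TLS connexion to suspicious domain - possible Linkedin phishing π£"; flow:established,to_server; tls_sni; content:"linkedin"; nocase; content:!"LINKEDIN.BLOG"; endswith; nocase; content:!"linkedin.blue"; endswith; nocase; content:!"linkedin.cloud"; endswith; nocase; content:!"linkedin.co"; endswith; nocase; content:!"LINKEDIN.COM"; endswith; nocase; content:!"linkedin.do"; endswith; nocase; content:!"linkedin.fr"; endswith; nocase; content:!"linkedin.global"; endswith; nocase; content:!"linkedin.in"; endswith; nocase; content:!"linkedin.info"; endswith; nocase; content:!"linkedin.link"; endswith; nocase; content:!"LINKEDIN.NET"; endswith; nocase; content:!"linkedin.one"; endswith; nocase; content:!"LINKEDIN.ONL"; endswith; nocase; content:!"LINKEDIN.ONLINE"; endswith; nocase; content:!"LINKEDIN.ORG"; endswith; nocase; content:!"linkedin.photo"; endswith; nocase; content:!"linkedin.sex"; endswith; nocase; content:!"LINKEDIN.SITE"; endswith; nocase; content:!"linkedin.ski"; endswith; nocase; content:!"LINKEDIN.SPACE"; endswith; nocase; content:!"LINKEDIN.STORE"; endswith; nocase; content:!"LINKEDIN.TECH"; endswith; nocase; content:!"linkedin.top"; endswith; nocase; content:!"linkedin.voyage"; endswith; nocase; content:!"LINKEDIN.WEBSITE"; endswith; nocase; content:!"linkedin.work"; endswith; nocase; content:!"LINKEDIN.XYZ"; endswith; nocase; content:!"linkedin.audio"; endswith; nocase; content:!"LINKEDIN.BEST"; endswith; nocase; content:!"linkedin.biz"; endswith; nocase; content:!"linkedin.club"; endswith; nocase; content:!"linkedin.gay"; endswith; nocase; content:!"linkedin.alsace"; endswith; nocase; content:!"linkedin.app"; endswith; nocase; content:!"LINKEDIN.ASIA"; endswith; nocase; content:!"linkedin.dev"; endswith; nocase; content:!"linkedin.page"; endswith; nocase; content:!"linkedin.us"; endswith; nocase; content:!"linkedin.ca"; endswith; nocase; content:!"licdn.com"; endswith; nocase; content:!"linkedin-ei.com"; endswith; nocase; classtype:trojan-activity; metadata:created_at 2022_04_23, updated_at 2022_05_08; sid:3312678; rev:2;)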
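###SNI connu###  (known SNI)
# Free hosting / form / site-builder platforms whose subdomains have been
# abused for phishing pages. Each rule is a suffix match on the SNI, so it
# fires on *every* visit to the platform, legitimate ones included (the
# vendor's own "www" site for wix.com, weebly.com, odoo.com, ...). These are
# low-confidence hunting signals; sid 3312706 shows the pattern for excluding
# the vendor's main site (negated "www" with startswith) if that noise matters.
# Housekeeping in this revision:
#   - sids 3312686, 3312689 and 3312691 had created_at / updated_at swapped
#     (created 2022_02_14 but updated 2022_01_31); restored to the same dates
#     as the neighbouring rules of that batch. Metadata only, rev unchanged.
#   - sid 3312703 (bitrix24) carried "endswith" on a pattern that ends in a
#     dot, so it could never match a host name; see the note on that rule.
#   - sid 3312704 duplicated sid 3312679 exactly; disabled below.
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"app.pipefy.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312679; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"form.jotform.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312680; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"godaddysites.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312681; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"weebly.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312682; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"weblium.site"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312683; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"caspio.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312684; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"tripod.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312685; rev:2;)
# created_at / updated_at were swapped; corrected.
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"creatorlink.net"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312686; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"moonfruit.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312687; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"yolasite.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312688; rev:2;)
# created_at / updated_at were swapped; corrected.
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"formbucket.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312689; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"ucoz.net"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312690; rev:2;)
# created_at / updated_at were swapped; corrected.
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"000webhost.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312691; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"wixsite.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312692; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"ucoz.ru"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312693; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"clan.su"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312694; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"wix.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312695; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"usite.pro"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312696; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"ucoz.org"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_01_31, updated_at 2022_02_14; sid:3312697; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"odoo.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_02_10, updated_at 2022_02_14; sid:3312698; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"formspree.io"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_02_10, updated_at 2022_02_14; sid:3312699; rev:2;)
# workers.dev covers every Cloudflare Workers deployment, not only abusive ones.
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"workers.dev"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_02_10, updated_at 2022_02_14; sid:3312700; rev:2;)
# Default Azure static-website host names.
alert tls any any -> any any (msg:"πΎ - π TLS connexion to default Azure domain > observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:".web.core.windows.net"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2022_04_16, updated_at 2022_04_16; sid:3312701; rev:1;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to sabfree.org π¨ observed in π£ phishing campaign to steal credentials"; flow:established,to_server; tls_sni; content:"sabfree.org"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2022_04_16, updated_at 2022_04_16; sid:3312702; rev:1;)
# Bitrix24 tenants live under ".bitrix24.<tld>" for several TLDs, hence the
# pattern with a trailing dot. The previous revision combined it with
# "endswith", which requires the SNI to *end* in ".bitrix24." - a host name
# never does - so the rule could not fire. "endswith" is dropped (substring
# match on ".bitrix24."), rev bumped; set updated_at on release.
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free CRM service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:".bitrix24."; nocase; classtype:trojan-activity; metadata:created_at 2022_04_17, updated_at 2022_04_17; sid:3312703; rev:2;)
# sid 3312704 disabled: it duplicated sid 3312679 above (same tls_sni match on
# "app.pipefy.com"), so every hit produced two alerts. The sid stays reserved.
#alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"app.pipefy.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_05_23, updated_at 2022_05_23; sid:3312704; rev:3;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"coffeecup.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_05_31, updated_at 2022_05_31; sid:3312705; rev:1;)
# Customer subdomains only: an SNI starting with "www" (the vendor's own site) is excluded.
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:!"www"; nocase; startswith; content:".clickfunnels.com"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_08_03, updated_at 2022_08_03; sid:3312706; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:".fleek.co"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_08_08, updated_at 2022_08_08; sid:3312707; rev:2;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to cheque.ma π¨ observed in π£ phishing campaign to steal credentials"; flow:established,to_server; tls_sni; content:"cheque.ma"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2022_08_24, updated_at 2022_08_24; sid:3312708; rev:1;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:".boxmode.io"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_10_12, updated_at 2022_10_12; sid:3312709; rev:2;)
# ".page.dev" covers every Cloudflare Pages deployment.
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:".page.dev"; nocase; endswith; classtype:trojan-activity; metadata:created_at 2022_11_04, updated_at 2022_11_04; sid:3312710; rev:2;)
# Individual credential-harvesting domains (exact suffix match).
alert tls any any -> any any (msg:"πΎ - π TLS connexion to refinemines.co π¨ observed in π£ phishing campaign to steal credentials"; flow:established,to_server; tls_sni; content:"refinemines.co"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2022_12_13, updated_at 2022_12_13; sid:3312711; rev:1;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to qu-n.com π¨ observed in π£ phishing campaign to steal credentials"; flow:established,to_server; tls_sni; content:"qu-n.com"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2023_02_13, updated_at 2023_02_13; sid:3312712; rev:1;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to oua-z.com π¨ observed in π£ phishing campaign to steal credentials"; flow:established,to_server; tls_sni; content:"oua-z.com"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2023_02_13, updated_at 2023_02_13; sid:3312713; rev:1;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to xi-uc.de π¨ observed in π£ phishing campaign to steal credentials"; flow:established,to_server; tls_sni; content:"xi-uc.de"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2023_02_13, updated_at 2023_02_13; sid:3312714; rev:1;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to nb-p.eu π¨ observed in π£ phishing campaign to steal credentials"; flow:established,to_server; tls_sni; content:"nb-p.eu"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2023_02_13, updated_at 2023_02_13; sid:3312715; rev:1;)
alert tls any any -> any any (msg:"πΎ - π TLS connexion to free hosting service observed in π£ phishing campaign"; flow:established,to_server; tls_sni; content:"builder-preview.com"; nocase; endswith; classtype:bad-unknown; metadata:created_at 2024_05_21, updated_at 2024_06_23; sid:3321266; rev:2;)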
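### Dataset ###
# Threat-list lookups. "dataset:isset" compares the whole inspected buffer
# (DNS query name, SNI, raw Host header) against the named set, so a list
# entry only matches a host name that is exactly equal to it - "example.fr"
# in the list does not cover "www.example.fr". Keep the .lst files in the
# form the buffers carry. Suricata "type string" datasets expect the entries
# in the .lst file to be base64-encoded, and the relative "load" paths are
# resolved by Suricata's dataset configuration, so the three .lst files must
# be deployed alongside the rules and refreshed on the lists' own schedule.
# NOTE(review): the HTTP rules here use "any any -> any any", whereas the
# ###HTTP### section restricts to $HOME_NET -> $EXTERNAL_NET; confirm that
# the wider scope is intended.
# Housekeeping in this revision: sids 3321283 and 3321286 were missing the
# word "domain" in their msg; corrected and rev bumped (set updated_at on
# release).
# Red Flag Domains - recently registered .fr (and other French TLD) names
# flagged as suspicious.
alert dns any any -> any any (msg:"πΎ -β DNS request to suspicious domain in french TLD π«π· - Listed by Red Flag Domains π©"; dns_query; dataset:isset,red_flag_domains,type string,load red_flag_domains.lst; reference: url,https://red.flag.domains/; metadata:created_at 2023_08_21, updated_at 2024_02_13; sid:3300731; rev:6; classtype:bad-unknown;)
alert tls any any -> any any (msg:"πΎ -β TLS connection to suspicious domain in french TLD π«π· - Listed by Red Flag Domains π©"; flow:to_server, stateless; tls_sni; dataset:isset,red_flag_domains,type string,load red_flag_domains.lst; reference: url,https://red.flag.domains/; metadata:created_at 2024_02_13, updated_at 2024_02_13; sid:3301126; rev:4; classtype:bad-unknown;)
alert http any any -> any any (msg:"πΎ -β HTTP connection to suspicious domain in french TLD π«π· - Listed by Red Flag Domains π©"; flow:to_server, stateless; http.host.raw; dataset:isset,red_flag_domains,type string,load red_flag_domains.lst; reference: url,https://red.flag.domains/; metadata:created_at 2024_02_22, updated_at 2024_02_22; sid:3301144; rev:1; classtype:bad-unknown;)
# OpenPhish feed.
alert dns any any -> any any (msg:"πΎ -β DNS request to suspicious domain - Listed by OpenPhish π£"; dns_query; dataset:isset,openphish,type string,load openphish.lst; reference: url,https://openphish.com/; metadata:created_at 2024_06_23, updated_at 2024_06_23; sid:3321281; rev:1; classtype:bad-unknown;)
alert tls any any -> any any (msg:"πΎ -β TLS connection to suspicious domain - Listed by OpenPhish π£"; flow:to_server, stateless; tls_sni; dataset:isset,openphish,type string,load openphish.lst; reference: url,https://openphish.com/; metadata:created_at 2024_06_23, updated_at 2024_06_23; sid:3321282; rev:1; classtype:bad-unknown;)
alert http any any -> any any (msg:"πΎ -β HTTP connection to suspicious domain - Listed by OpenPhish π£"; flow:to_server, stateless; http.host.raw; dataset:isset,openphish,type string,load openphish.lst; reference: url,https://openphish.com/; metadata:created_at 2024_06_23, updated_at 2024_06_23; sid:3321283; rev:2; classtype:bad-unknown;)
# PhishStats feed.
alert dns any any -> any any (msg:"πΎ -β DNS request to suspicious domain - Listed by PhishStats π£"; dns_query; dataset:isset,phishstats,type string,load phishstats.lst; reference: url,https://phishstats.info/; metadata:created_at 2024_06_23, updated_at 2024_06_23; sid:3321284; rev:1; classtype:bad-unknown;)
alert tls any any -> any any (msg:"πΎ -β TLS connection to suspicious domain - Listed by PhishStats π£"; flow:to_server, stateless; tls_sni; dataset:isset,phishstats,type string,load phishstats.lst; reference: url,https://phishstats.info/; metadata:created_at 2024_06_23, updated_at 2024_06_23; sid:3321285; rev:1; classtype:bad-unknown;)
alert http any any -> any any (msg:"πΎ -β HTTP connection to suspicious domain - Listed by PhishStats π£"; flow:to_server, stateless; http.host.raw; dataset:isset,phishstats,type string,load phishstats.lst; reference: url,https://phishstats.info/; metadata:created_at 2024_06_23, updated_at 2024_06_23; sid:3321286; rev:2; classtype:bad-unknown;)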