🐾 - 🚨 Suspicious JA3 👿 + SSL/TLS trafic on unusual SSL/TLS port - Likely C2 connection / Emotet / Trickbot / Meterpreter
Source: pawpatrules
Created: November 14, 2022
Updated: November 14, 2022
Classification: trojan-activity
alert tls any any -> any ![443,465,563,587,636,695,853,898,989,990,992,993,994,995,2376,2484,3269,4116,3424,4843,5061,5085,5228,5349,5671,5986,6513,6514,6619,6697,8243,8883] (msg:"🐾 - 🚨 Suspicious JA3 👿 + SSL/TLS trafic on unusual SSL/TLS port - Likely C2 connection / Emotet / Trickbot / Meterpreter"; flow:to_server, stateless; ja3.hash; content:"8916410db85077a5460817142dcbc8de"; metadata:former_category JA3; threshold:type limit, track by_src, seconds 60, count 1; reference:url,https://sslbl.abuse.ch/ja3-fingerprints/8916410db85077a5460817142dcbc8de/; reference:url,https://securitynews.sonicwall.com/xmlpost/emotet-is-back/; reference:url,https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers; metadata:created_at 2022_11_14, updated_at 2022_11_14; sid:3300711; rev:2; classtype:trojan-activity;)
References
Metadata
former category: JA3