|
1 |
| -alert icmp any any -> any any (msg:"CORELIGHT An ICMP message contains 'Pingback' C2 command - upload"; icode:0; content:"upload"; nocase; depth:6; content:"|00 00 00|"; within:5; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:url,corelight.blog/category/corelight-labs/ ;classtype:trojan-activity; sid:3000000; rev:1; metadata:created_at 2021_05_05, updated_at 2021_05_05;) |
2 |
| -alert icmp any any -> any any (msg:"CORELIGHT An ICMP message contains 'Pingback' C2 command - download"; icode:0; content:"download"; nocase; depth:8; content:"|00 00 00|"; within:5; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:url,corelight.blog/category/corelight-labs/ ;classtype:trojan-activity; sid:3000001; rev:1; metadata:created_at 2021_05_05, updated_at 2021_05_05;) |
3 |
| -alert icmp any any -> any any (msg:"CORELIGHT An ICMP message contains 'Pingback' C2 command - exep/exec"; icode:0; content:"exe"; nocase; depth:3; pcre:"/^exe[pc]/i"; content:"|00 00 00|"; within:5; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:url,corelight.blog/category/corelight-labs/ ;classtype:trojan-activity; sid:3000002; rev:1; metadata:created_at 2021_05_05, updated_at 2021_05_05;) |
4 |
| -alert icmp any any -> any any (msg:"CORELIGHT An ICMP message contains 'Pingback' C2 command - shell"; icode:0; content:"shell"; nocase; depth:5; content:"|00 00 00|"; within:5; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:url,corelight.blog/category/corelight-labs/ ;classtype:trojan-activity; sid:3000003; rev:1; metadata:created_at 2021_05_05, updated_at 2021_05_05;) |
5 |
| -alert icmp any any -> any any (msg:"CORELIGHT An ICMP message contains 'Pingback' C2 command - rexec"; icode:0; content:"rexec"; nocase; depth:5; content:"|00 00 00|"; within:5; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:url,corelight.blog/category/corelight-labs/ ;classtype:trojan-activity; sid:3000004; rev:1; metadata:created_at 2021_05_05, updated_at 2021_05_05;) |
| 1 | +alert icmp any any -> any any (msg:"CORELIGHT An ICMP message contains 'Pingback' C2 command - upload"; icode:0; content:"upload"; nocase; depth:6; content:"|00 00 00|"; within:5; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:url,corelight.blog/2021/05/07/pingback-icmp-tunneling-malware/ ;classtype:trojan-activity; sid:3000000; rev:1; metadata:created_at 2021_05_05, updated_at 2021_05_05;) |
| 2 | +alert icmp any any -> any any (msg:"CORELIGHT An ICMP message contains 'Pingback' C2 command - download"; icode:0; content:"download"; nocase; depth:8; content:"|00 00 00|"; within:5; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:url,corelight.blog/2021/05/07/pingback-icmp-tunneling-malware/ ;classtype:trojan-activity; sid:3000001; rev:1; metadata:created_at 2021_05_05, updated_at 2021_05_05;) |
| 3 | +alert icmp any any -> any any (msg:"CORELIGHT An ICMP message contains 'Pingback' C2 command - exep/exec"; icode:0; content:"exe"; nocase; depth:3; pcre:"/^exe[pc]/i"; content:"|00 00 00|"; within:5; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:url,corelight.blog/2021/05/07/pingback-icmp-tunneling-malware/ ;classtype:trojan-activity; sid:3000002; rev:1; metadata:created_at 2021_05_05, updated_at 2021_05_05;) |
| 4 | +alert icmp any any -> any any (msg:"CORELIGHT An ICMP message contains 'Pingback' C2 command - shell"; icode:0; content:"shell"; nocase; depth:5; content:"|00 00 00|"; within:5; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:url,corelight.blog/2021/05/07/pingback-icmp-tunneling-malware/ ;classtype:trojan-activity; sid:3000003; rev:1; metadata:created_at 2021_05_05, updated_at 2021_05_05;) |
| 5 | +alert icmp any any -> any any (msg:"CORELIGHT An ICMP message contains 'Pingback' C2 command - rexec"; icode:0; content:"rexec"; nocase; depth:5; content:"|00 00 00|"; within:5; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:url,corelight.blog/2021/05/07/pingback-icmp-tunneling-malware/ ;classtype:trojan-activity; sid:3000004; rev:1; metadata:created_at 2021_05_05, updated_at 2021_05_05;) |
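Review bot: All five rules on the new side keep `rev:1` and `updated_at 2021_05_05` even though their second `reference:url` changed, so rule-management tooling that tracks changes by sid and rev may not register the edit. Bumping each to `rev:2` and refreshing `updated_at` would make the change visible downstream. The new reference also keeps the stray space before the terminator (`pingback-icmp-tunneling-malware/ ;classtype`); writing it as `pingback-icmp-tunneling-malware/; classtype:trojan-activity;` avoids a parser or link renderer treating the trailing space as part of the URL. Separately, each rule sets `icode:0` with no `itype`, so it is evaluated against every ICMP message type carrying code 0. If the referenced write-ups tie these command strings to a single message type, adding the matching `itype` would narrow the signatures and cut false positives.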