BaroqueInMind

@BaroqueInMind@kbin.social

Cyber security analyst, software and hardware exploitation geek.

BaroqueInMind,

There is none. It's all conjecture or circumstantial.

BaroqueInMind,

Send us all a maps pin on where y'all are getting hitched.

BaroqueInMind,

I do this already and also am inside an encrypted Cloudflare tunnel... Still getting EMOTET warnings from my IDS.

BaroqueInMind,

My Jellyfin server keeps getting pinged by EMOTET malware lately. Everyone here should be aware if you expose the Jellyfin port to the internet it will get data exfiltration attempts. Use strong passwords.

BaroqueInMind, (edited )

I have nginx set up and am accessing through a Cloudflare tunnel but am still getting EMOTET issues detected by my IDS.

BaroqueInMind,

I will simply copy/paste here then:

I have a refurbished server rack system that is running Zeek and also Suricata. I have a managed switch that will duplicate all network traffic to the system that is running those applications and a JBOD setup to store the countless logs. I have scoured through nearly all the CISA documents and alert reports to copy the various Snort rules they mention in each report and also purchased a specific modem to connect with my ISP that provides a service to monitor my traffic that has Minim.

I am a cybersecurity expert and still don't know what I'm doing most of the time, so this is literally scratching the surface, as well as only detecting threats not really stopping them which requires more knowledge.

BaroqueInMind,

I have a refurbished server rack system that is running Zeek and also Suricata. I have a managed switch that will duplicate all network traffic to the system that is running those applications and a JBOD setup to store the countless logs. I have scoured through nearly all the CISA documents and alert reports to copy the various Snort rules they mention in each report and also purchased a specific modem to connect with my ISP that provides a service to monitor my traffic that has Minim.

I am a cybersecurity expert and still don't know what I'm doing most of the time, so this is literally scratching the surface, as well as only detecting threats not really stopping them which requires more knowledge.

BaroqueInMind,

First read this

Then use the following:

# sid moved into the local range (1000000+); the posted rule used sid:1, which is reserved for vendor rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords"; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary="; http_header; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; content:!"------WebKitFormBoundary"; http_client_body; content:!"Cookie|3a|"; http_client_body; pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i"; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; classtype:trojan-activity; sid:1000001; rev:2;)

And the following:

# sid:00000000 is rejected by Snort/Suricata (sid must be non-zero); classtype changed from the non-standard "http-uri" to "trojan-activity", which exists in the default classification.config
alert tcp any any -> any $HTTP_PORTS (msg:"EMOTET:HTTP URI GET contains '/wp-content/###/'"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/wp-content/"; http_uri; content:"/"; http_uri; distance:0; within:4; urilen:<17; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; classtype:trojan-activity; metadata:service http; sid:1000002; rev:1;)

And also this one:

# same fixes as the previous rule: non-zero local sid and a classtype that exists in the default classification.config
alert tcp any any -> any $HTTP_PORTS (msg:"EMOTET:HTTP URI GET contains '/wp-admin/###/'"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/wp-admin/"; http_uri; content:"/"; http_uri; distance:0; within:4; urilen:<15; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; classtype:trojan-activity; metadata:service http; sid:1000003; rev:1;)
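
The three rules above only fire on HTTP that the sensor can read in the clear; traffic inside a TLS session or a Cloudflare tunnel reaches a mirror-port sensor as ciphertext, so a span port in front of the TLS terminator sees nothing these rules match. The following is an added example, not part of the post: a small Python matcher that reproduces the content checks of the three rules (POST multipart form with a browser-password blob and no WebKit boundary; short GET requests for `/wp-content/###/` and `/wp-admin/###/` with a `Connection: Keep-Alive` header) over constructed HTTP requests, so the logic can be tried against sample traffic before the rules go into Suricata. It is a simplification: it ignores flow state, ports and URI normalisation, and the host `203.0.113.10` and all request bodies are constructed test data.

```python
import re
from dataclasses import dataclass


@dataclass
class HttpRequest:
    raw: bytes      # whole request; stands in for the unmodified packet payload
    method: str
    uri: str
    headers: bytes  # header block after the request line (stands in for http_header)
    body: bytes     # stands in for http_client_body


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into the buffers the rules inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _version = request_line.decode("latin-1").split(" ", 2)
    headers = b"\r\n".join(header_lines) + b"\r\n"
    return HttpRequest(raw, method, uri, headers, body)


# pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i", no buffer modifier -> whole payload
PASSWORDS_RE = re.compile(rb":?(chrome|firefox|safari|opera|ie|edge) passwords", re.IGNORECASE)


def rule_emotet_form_data(req: HttpRequest) -> bool:
    """First rule: a multipart POST carrying a named form field with a browser-password blob."""
    return (
        req.method == "POST"
        and b"Content-Type: multipart/form-data; boundary=" in req.headers
        and b'Content-Disposition: form-data; name="' in req.body
        and b"------WebKitFormBoundary" not in req.body  # negated content: real browser uploads use this
        and b"Cookie:" not in req.body                  # negated content
        and PASSWORDS_RE.search(req.raw) is not None
    )


def _wp_path_rule(req: HttpRequest, prefix: str, max_urilen: int) -> bool:
    """Shared logic of the two GET rules: short URI, prefix, second slash within 4 bytes, Keep-Alive."""
    if req.method.upper() != "GET":        # content:"GET"; nocase; http_method
        return False
    if len(req.uri) >= max_urilen:         # urilen:<N
        return False
    start = req.uri.find(prefix)           # content:"/wp-content/" or "/wp-admin/"; http_uri
    if start < 0:
        return False
    end = start + len(prefix)
    # content:"/"; distance:0; within:4 -> a second "/" must begin within the 4 bytes after the prefix
    if "/" not in req.uri[end:end + 4]:
        return False
    return b"Connection: Keep-Alive\r\n" in req.headers   # content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header


def rule_emotet_wp_content(req: HttpRequest) -> bool:
    return _wp_path_rule(req, "/wp-content/", 17)


def rule_emotet_wp_admin(req: HttpRequest) -> bool:
    return _wp_path_rule(req, "/wp-admin/", 15)


RULES = {
    "emotet_form_data_passwords": rule_emotet_form_data,
    "emotet_wp_content_uri": rule_emotet_wp_content,
    "emotet_wp_admin_uri": rule_emotet_wp_admin,
}


def evaluate(raw: bytes) -> list[str]:
    """Return the names of the rules that would alert on this request."""
    req = parse_request(raw)
    return [name for name, check in RULES.items() if check(req)]


# Constructed sample requests (not captured traffic); 203.0.113.10 is a documentation address.
EXFIL_POST = (
    b"POST /upload.php HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    b"Content-Type: multipart/form-data; boundary=----e1f2\r\n\r\n"
    b"------e1f2\r\nContent-Disposition: form-data; name=\"file\"\r\n\r\n"
    b"Chrome Passwords\r\n------e1f2--\r\n"
)
BROWSER_UPLOAD = (
    b"POST /upload.php HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAbC\r\n\r\n"
    b"------WebKitFormBoundaryAbC\r\nContent-Disposition: form-data; name=\"file\"\r\n\r\n"
    b"Firefox passwords\r\n------WebKitFormBoundaryAbC--\r\n"
)
WP_CONTENT_GET = b"GET /wp-content/x7q/ HTTP/1.1\r\nHost: example.test\r\nConnection: Keep-Alive\r\n\r\n"
WP_THEME_GET = b"GET /wp-content/themes/site/style.css HTTP/1.1\r\nHost: example.test\r\nConnection: Keep-Alive\r\n\r\n"
WP_ADMIN_GET = b"GET /wp-admin/q/ HTTP/1.1\r\nHost: example.test\r\nConnection: Keep-Alive\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("exfil post", EXFIL_POST), ("browser upload", BROWSER_UPLOAD),
                       ("wp-content", WP_CONTENT_GET), ("theme css", WP_THEME_GET),
                       ("wp-admin", WP_ADMIN_GET)]:
        print(f"{label:15s} -> {evaluate(raw)}")
```

The negated `------WebKitFormBoundary` check is what keeps the first rule from firing on an ordinary Chrome or Safari file upload, and the `urilen` and `within:4` constraints are what keep the GET rules from matching normal WordPress asset requests such as a theme stylesheet; both behaviours are visible in the sample runs.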

BaroqueInMind, (edited )

Mine's behind an NGINX reverse proxy as well. EMOTET is a very advanced malware and can get around those now. My IDS detected data exfiltration to an unknown Brazilian IP, and I have a VPN with an IP tunnel on top of my reverse proxy, as well as everything on port 443. It still found a way.

BaroqueInMind, (edited )

To anyone wondering why, it is because it is Arch Linux with pre-configured drivers, and also it is one of the few distros that are on the bleeding edge of updates and features. Bleeding edge because one update might cut you and break everything for no reason. That being said, I've used Arch for almost a decade for my gaming PC and never had huge issues that reverting to the previous kernel at reboot did not fix.
