This topic has been deleted. Only users with topic management privileges can see it.
-
Howdy, I have been working on learning Suricata and having a hard time understanding the implications of suppression lists.
I am currently blocking in legacy mode and have issues getting updates to go through to Ubuntu endpoints with the connections being flagged as the following:
02/23/2020-12:30:20.284064 [Block Dst] [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 93.93.130.39:80I have a couple of other ones that I have issue with but we’ll focus on just this one for now. I have added a handful of IP’s to my pass list(including the one above), yet I still run into issues updating, with the alert showing in my logs.
I read about suppression lists earlier this morning and started trying them out to see if that would resolve the issue. The one I started with adding is the following:
2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package managementAfter that I ran an update to see what would happen. It looks like the updates still had issues, but the logs didn’t show the request. I’m not entirely sure what’s wrong here or if there is something obvious I’m missing.
my knowledge base for supression lists so far:
- https://www.reddit.com/r/PFSENSE/comments/8yb25q/pfsense_suricata_suppress_list/
- https://docs.netgate.com/pfsense/en/latest/ids-ips/snort-suppress-list.html
pass list doc I reviewed:
- https://docs.netgate.com/pfsense/en/latest/ids-ips/snort-passlist.html?highlight=pass%20list
-
A rule on a Suppression List is still evaluated, but it will not log an alert and will not cause a block. However, CPU cycles are still expended evaluating packets against the suppressed rule.
A disabled rule is not even loaded into memory by the Suricata engine. Thus disabled rules do not consume CPU cycles and, since they are not even loaded, can’t produce either alerts or blocks.
A Pass List is a different animal entirely and is a pfSense-specific customization in Suricata. Legacy Mode blocking uses a custom output plugin compiled into the Suricata binary. That plugin receives a copy of every single alert generated by the Suricata traffic inspection engine. The custom plugin examines the IP addresses in the alerting packet and checks if they are on a configured Pass List for the interface. If they are, then no block is generated for that rule BUT the alert from the rule will still print to the log and show up on the ALERTS tab. It just does not result in blocked traffic. However, if an IP address in the alerting rule is not covered by a configured Pass List, then a block for that IP is inserted into the firewall’s
pfpacket filter table called snort2c.So how do suppressed rules fit into the block logic? A suppressed rule can’t generate an alert, and with no alert generated to be passed over to the custom blocking plugin, suppressed rules can’t generate blocks.
-
@bmeeks Thank you for the very informative response. I want to ask once more, however, only for clarification sake to me:
- When you say a
block, that is referring to the action of suricata blocking a connection. - When a rule is processed from the suppression list against a connection, that takes a cycle and, provided that the connection fits what’s in the suppression list, will allow it through.
Am I correct in my statements and understanding of how these functions and nomenclature work?
Thank you again for the help!
- When you say a
-
@bmeeks Can it generate drops though?
-
@strongthany said in Does supression in suricata mean blocking or hiding the alert?:
@bmeeks Thank you for the very informative response. I want to ask once more, however, only for clarification sake to me:
- When you say a
block, that is referring to the action of suricata blocking a connection. - When a rule is processed from the suppression list against a connection, that takes a cycle and, provided that the connection fits what’s in the suppression list, will allow it through.
Am I correct in my statements and understanding of how these functions and nomenclature work?
Thank you again for the help!
Yes, that is correct. Suricata on pfSense «blocks» by way of the custom output plugin I mentioned, That plugin implements a block by making a system
ioctl()call to the kernel to add an IP address to a pre-existingpftable called snort2c.Suppression Lists prevent alerts, and because of the way the custom blocking plugin works, when there is no alert there can be no block either. The plugin works only by looking at alerts.
- When you say a
-
@Bob-Dig said in Does supression in suricata mean blocking or hiding the alert?:
@bmeeks Can it generate drops though?
No, a suppressed rule cannot generate a drop. Suppressed rules don’t «fire», and thus they can’t produce the action contained in their «action» verb keyword (be it ALERT, REJECT, PASS or DROP).
Think of a suppressed rule as being the same as a disabled rule, but suppressed rules use CPU cycles while disabled rules do not. The purpose of Suppress Lists in an IDS/IPS is so you can create certain situations where problematic or false-positive prone rules in your environment can be, in effect, bypassed when certain conditions are met (the suppression criteria).
-
Thank you for the reply, that all made it very clear.
-
@bmeeks Thanks, that I didn’t understand till now, have to clear the suppression list.
-
@Bob-Dig I kinda wish we had a alert-hiding-function as well. For example my logs always shows
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent ET INFO Windows OS Submitting USB Metadata to Microsoftwhich I always want to be blocked or dropped but not show up anymore or maybe show up but very small or half hidden or something.
-
@Bob-Dig said in Does supression in suricata mean blocking or hiding the alert?:
@Bob-Dig I kinda wish we had a alert-hiding-function as well. For example my logs always shows
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent ET INFO Windows OS Submitting USB Metadata to Microsoftwhich I always want to be blocked or dropped but not show up anymore or maybe show up but very small or half hidden or something.
Unfortunately that’s just not how Suricata (or any IDS/IPS that I am familiar with) works. And think about the puzzling issues that would be caused by a rule whose action fired (drop or reject, for instance), but nothing was logged about the action.
-
@Bob-Dig said in Does supression in suricata mean blocking or hiding the alert?:
@Bob-Dig I kinda wish we had a alert-hiding-function as well. For example my logs always shows
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent ET INFO Windows OS Submitting USB Metadata to Microsoftwhich I always want to be blocked or dropped but not show up anymore or maybe show up but very small or half hidden or something.
One other point — if you are using Inline IPS Mode I suggest changing the action of these types of rules to REJECT instead of DROP. Since it is your clients initiating the transfer to Microsoft, they will attempt the connection. If it is dropped, the client gets nothing back and will probably sit and wait for a timeout. If the action is REJECT, the client is immediately sent back a notification by Suricata that the destination is not accepting connections and thus your LAN clients will not wait for a timeout.
Drops are good on the WAN or for external connections coming in where you want the attacker to think nothing is even there. Rejects work better when trying to block LAN-initiated traffic (or in many cases such as blocking routine telemetry). For malware type rules, a drop is perferred.
-
@bmeeks Thanks again. I have to use the Legacy Mode, because the virtual NICs in Hyper-V are not supported for inline mode.
-
On the note of that, how would one check if their interface supports netmap/inline?
-
@strongthany said in Does supression in suricata mean blocking or hiding the alert?:
On the note of that, how would one check if their interface supports netmap/inline?
These NIC drivers currently support the netmap device in FreeBSD: em(4), igb(4), ixbge(4), lem(4), re(4).
Features such as limiters and alternate queing algorithms do not work with netmap. So if your NIC is using one of the drivers listed above, and you are not doing using limiters, then inline mode with netmap should work for you.
Information on configuring the supported Intel NICs can be found in this forum sticky post: https://forum.netgate.com/topic/138613/configuring-pfsense-netmap-for-suricata-inline-ips-mode-on-em-igb-interfaces.
Управление компьютеромПланировщик заданийБиблиотека планировщика заданийMicrosoftWindows
все эти задачи — кандидаты на отключение:
«MicrosoftWindowsCustomer Experience Improvement ProgramKernelCeipTask»,
«MicrosoftWindowsCustomer Experience Improvement ProgramUsbCeip»,
«MicrosoftWindowsPower Efficiency DiagnosticsAnalyzeSystem»,
«MicrosoftWindowsShellFamilySafetyMonitor»,
«MicrosoftWindowsShellFamilySafetyRefresh»,
«MicrosoftOfficeOffice 15 Subscription Heartbeat»,
«MicrosoftOfficeOfficeTelemetryAgentFallBack»,
«MicrosoftOfficeOfficeTelemetryAgentLogOn»,
«MicrosoftWindowsApplication ExperienceAitAgent»,
«MicrosoftWindowsApplication ExperienceProgramDataUpdater»,
«MicrosoftWindowsApplication ExperienceStartupAppTask»,
«MicrosoftWindowsAutochkProxy»,
«MicrosoftWindowsCustomer Experience Improvement ProgramBthSQM»,
«MicrosoftWindowsCustomer Experience Improvement ProgramConsolidator»,
«Microsoft Office 15 Sync Maintenance for %COMPUTERNAME%-%USERNAME% %COMPUTERNAME%»,
«MicrosoftWindowsApplication ExperienceMicrosoft Compatibility Appraiser»,
«MicrosoftWindowsApplication ExperienceProgramDataUpdater»,
«MicrosoftWindowsDiskDiagnosticMicrosoft-Windows-DiskDiagnosticDataCollector»,
«MicrosoftWindowsNetTraceGatherNetworkInfo»,
«MicrosoftWindowsApplication ExperienceMicrosoft Compatibility Appraiser»,
«MicrosoftWindowsCustomer Experience Improvement ProgramHypervisorFlightingTask»,
«MicrosoftWindowsNetTraceGatherNetworkInfo»,
Если на странице вы заметили в посте отсутствие изображений, просьба сообщить , нажав на кнопку.
После прочтения материала » Задачи в планировщике, выполняющие сбор информации для отправки в Microsoft «, можно просмотреть форум и поискать темы по данной игре.
Если вам понравился материал «Задачи в планировщике, выполняющие сбор информации для отправки в Microsoft», — поделитесь ним с другими.
—>Категория : Статьи: Windows 10 | —>Добавил : Фокусник (27.08.2015) —>Просмотров : 8764 | —> Теги : Windows 10
Внимание: Все ссылки и не относящиеся к теме комментарии будут удаляться. Для ссылок есть форум.
To submit a bulk metadata package:
Sign the bulk metadata package with the SignTool tool.
Sign in to the Dashboard from either the Hardware Dev Center or the Windows Dev Center by using a Microsoft account.
Under Device metadata, click Create bulk submission.
Browse for and select your new bulk metadata package, and then click Submit.
Creating a Bulk Submission Package
A bulk metadata submission package is the package format in which multiple device metadata packages can be submitted to the Dashboard.
Bulk metadata submission packages should be uploaded to the Dashboard by using the bulk submission feature. This feature removes the user interface for creating experiences to ease the uploading of multiple metadata packages simultaneously. The information to create experiences and modify package attributes is contained in the BulkMetadataSubmission XML document.
A maximum of 50 devicemetadata-ms or devicemanifest-ms files can be included in a bulk package.
For info about using the Device Metadata Submission Wizard to create a bulk metadata package, see Creating a device metadata submission package in Visual Studio.
Bulk Metadata Submission Package Contents
Each bulk metadata submission package consists of the following components:
Device metadata package(s)
Device metadata packages contain information and graphics to display device icons, set actions, and utilize device experience features.
Device manifest package(s)
Device manifest packages contain information to validate device metadata packages.
BulkMetadataSubmission XML document
This document contains data used to properly submit packages without a user interface. The Dashboard uses information in this document to create experiences with friendly names, organize packages into experiences, update experiences, and mark individual packages as preview.
The XML documents must be saved by using UTF-8 encoding.
You must include at least one device metadata or device manifest package in your bulk metadata submission package.
Structure of a Bulk Metadata Submission Package
The components of a bulk metadata submission package are stored in a compressed cabinet file. The file name must have a suffix of “.bulkmetadata-ms.”
Each bulk metadata submission package must have the following structure:
Filename1, Filename2, Filename3, Filename4, and so on, must be GUIDs.
To create the BulkMetadataSubmission.xml, see Creating BulkMetadataSubmission.xml below.
To develop the device metadata package, *.devicemetadata-ms, see Device Metadata Package Schema Reference for Windows 8.
To develop the device manifest package, *.devicemanifest-ms, see Submit a PC device manifest package.
You can use the Cabarc tool to create these CAB packages. To learn more about this tool, see Cabarc Overview.
When you create a *.bulkmetadata-ms file by using the Cabarc tool, you must create a local directory in which the device metadata packages (*.devicemetadata-ms), the device manifest packages (*.devicemanifest-ms), and the BulkMetadataSubmission XML document are at the root of the directory.
Remarks
The .devicemetadata-ms and .devicemanifest-ms filenames must specify the GUID without the curly brace (<>) delimiters.
The GUID for each device metadata package and device manifest package must be unique. When you create a new or revised package, you must create a new GUID.
For more details about how to create cabinet files, see Microsoft Cabinet SDK.
Example
The following is an example of how to use the Cabarc tool to create a .bulkmetadata-ms file. In this example, the components of the bulk metadata file are located in a local directory that is named BulkPackages:
The GUID.pcmetadata-ms file was created in a local directory that is named PCFiles:
You can find more information about this tool in Cabarc Overview.
BulkMetadataSubmission XML Schema
A bulk metadata submission package contains one BulkMetadataSubmission.xml document, which has information that the Dashboard uses to create experiences with friendly names, organize packages into experiences, update experiences, and mark individual packages as preview.
The data in the BulkMetadataSubmission.xml document is formatted based on the BulkMetadataSubmission XML schema, which is described below.
The XML document must be saved by using UTF-8 encoding.
BulkMetadataSubmission XML Schema NameSpace
The following is the namespace of the PcMetadataSubmission XML schema: http://schemas.microsoft.com/Windows/2010/08/MetadataSubmission/BulkMetadataSubmission
Overview of BulkMetadataSubmission XML Elements/Attributes
The following table describes the metadata elements and attributes of the BulkMetadataSubmission XML schema.
| Element/Attributes | Element/Attribute type | Required/ optional |
|---|---|---|
| Experience | ExperienceType | Required |
| ExperienceName | xs:string | Required |
| ExperienceId | tns:GUIDType | Optional |
| PackageList | tns:PackageListType | Required |
| PackageFileName | PackageFileNameType | Required |
| preview | xs:Boolean | Required |
| locale | xs:string | Required |
| Qualification | tns:QualificationType | Required |
| LogoSubmissionIDList | tns:LogoSubmissionIDListType | Optional |
| LogoSubmissionID | xs:integer | Required |
| update | xs:Boolean | Required |
BulkMetadataSubmission XML Schema Metadata
The following is the BulkMetadataSubmission XML schema metadata:
BulkMetadataSubmission XML Schema Reference
The BulkMetadataSubmission XML schema defines the following elements and attributes:
Experience Element
The Experience element specifies information for a single experience. For more information about experiences, see Device Metadata Package Schema Reference for Windows 8.
Based on this information, the Dashboard either creates an experience with the correct information and submits packages to this experience, or updates an existing experience with new packages.
More than one Experience element can be used to specify multiple experiences. This allows for a single submission of many packages for different devices.
For example, see the following.
ExperienceName Element
The ExperienceName element specifies the name of an experience. The Dashboard will create an experience with this name if this is a new experience. Or, it ignores this value when this is an update to an existing experience.
ExperienceId Element
The ExperienceId element specifies the GUID that is the Experience ID. This value is required when updating an existing experience. The Dashboard uses this value to identify the experience to update.
PackageList Element
The PackageList element specifies the list of device metadata or device manifest packages to be included in an experience. The Dashboard uses this information to add packages to a new or existing experience.
PackageFileName Element
The PackageFileName element specifies the filename and information of a single device metadata or device manifest package. The Dashboard uses this information to add a package to a new or existing experience, and correctly mark the package as preview if indicated. Based on the preview and locale values, the Dashboard also deletes existing packages if required
The preview and locale attributes of the PackageFileName element allow the Dashboard to update your existing live package with a newly submitted package.
For example, if an en-US preview package already exists in the experience, and an en-US preview package was submitted in a bulk metadata submission package for the same experience, the existing package would be automatically deleted and the new package would be submitted.
For this reason, it is also important to be careful when updating packages to avoid accidental deletions.
preview Attribute
The preview attribute specifies whether a device metadata or device manifest package should be marked preview. See PackageFileName Element for more information about how the Dashboard uses this value.
locale Attribute
The locale attribute specifies the declared locale (from PackageInfo.xml) of a device metadata or device manifest package should be marked preview. See PackageFileName Element for more information about how the Dashboard uses this value.
Qualification Element
The Qualification element specifies whether the device has a Logo certification, is included in the Inbox Driver Distribution Agreement (IDDA) list, or uses a Microsoft inbox driver. The Dashboard uses this information to ensure correct device certification for the type of device metadata you are submitting.
Features such as Device Stage are not available for devices that have not passed Logo certification and are not on the IDDA list.
You can select one of two options for each experience. These options and their definitions are indicated in the table below:
| Enumeration value | Description |
|---|---|
| Logo/IDDA | Your device has a Logo certification or is on the IDDA list. If you have a Logo certification, you will need to specify the specific Logo Submission IDs in the LogoSubmissionIDList element. |
| MicrosoftInboxDrive | Your device uses a Microsoft inbox driver. Some features of device metadata might not be available when using this qualification level (such as Device Stage) |
LogoSubmissionIDList Element
The LogoSubmissionIDList element specifies the list of logo certification(s) for a device. See Qualification Element for more information about how the Dashboard uses this value.
LogoSubmissionID Element
The LogoSubmissionID element specifies an individual logo certification for a device. See Qualification Element for more information about how the Dashboard uses this value.
Multiple LogoSubmissionID elements can be used to indicate multiple Logo certifications for a single device. Users should list all logo certifications for their device in the list. The following is an example where multiple logo certifications are listed:
update Attribute
The update attribute designates whether or not an experience is being updated. The Dashboard uses this value to update an experience by deleting conflicting packages and uploading new packages when the update attribute is set to true. When the update attribute is set to false, the Dashboard will create a new experience and upload new packages to it.
BulkMetadataSubmission XML Example
The following XML document uses the BulkMetadataSubmission XML schema to specify the components of the BulkMetadataSubmission XML document.
Adblock
detector
-
2018-06-09, 16:32
#1
Junior Member
Anti-Beacon is missing a Windows 10 telemetry behavior
I have SB-AB 1.2 installed with full protection enabled.
However while looking at my f/w, which is running snort to detect suspect and known threats, in the logs I see the following:
Code:
Date Pri Proto Class Src Port Dest Port SID Desc 2018-06-09 03:00:20 3 TCP Misc activity 192.168.0.101 63707 40.80.145.27 80 1:2025275 ET INFO Windows OS Submitting USB Metadata to Microsoft 2018-06-09 03:00:20 3 TCP Misc activity 192.168.0.101 63707 40.80.145.27 80 1:2025275 ET INFO Windows OS Submitting USB Metadata to Microsoft 2018-06-09 03:00:20 3 TCP Misc activity 192.168.0.101 63707 40.80.145.27 80 1:2025275 ET INFO Windows OS Submitting USB Metadata to Microsoft 2018-06-09 03:00:20 3 TCP Misc activity 192.168.0.101 63707 40.80.145.27 80 1:2025275 ET INFO Windows OS Submitting USB Metadata to Microsoft
Looks like the latest Windows update major release added something.
Anti-Beacon is missing a Windows 10 telemetry behavioralert http $HOME_NET any -> $EXTERNAL_NET any (msg:»ET INFO Windows OS Submitting USB Metadata to Microsoft»; flow:established,to_server; content:»POST»; http_method; content:»metadata.svc»; http_uri; isdataat:!1,relative; content:»/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|»; http_header; content:»MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT»; http_user_agent; depth:42; isdataat:!1,relative; fast_pattern; threshold:type limit, seconds 300, count 1, track by_src; classtype:misc-activity; sid:2025275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
Added 2020-09-17 18:29:31 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:»ET INFO Windows OS Submitting USB Metadata to Microsoft»; flow:established,to_server; content:»POST»; http_method; content:»metadata.svc»; http_uri; isdataat:!1,relative; content:»/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|»; http_header; content:»MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT»; http_user_agent; depth:42; isdataat:!1,relative; fast_pattern; threshold:type limit, seconds 300, count 1, track by_src; classtype:misc-activity; sid:2025275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2019_09_30;)
Added 2020-08-05 19:14:24 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:»ET INFO Windows OS Submitting USB Metadata to Microsoft»; flow:established,to_server; content:»POST»; http_method; content:»metadata.svc»; http_uri; isdataat:!1,relative; content:»/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|»; http_header; content:»MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT»; http_user_agent; depth:42; isdataat:!1,relative; fast_pattern; threshold:type limit, seconds 300, count 1, track by_src; metadata: former_category INFO; classtype:misc-activity; sid:2025275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_01_31, performance_impact Low, updated_at 2019_09_30;)
Added 2019-10-01 08:28:57 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:»ET INFO Windows OS Submitting USB Metadata to Microsoft»; flow:established,to_server; content:»POST»; http_method; content:»metadata.svc»; http_uri; isdataat:!1,relative; content:»/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|»; http_header; content:»MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT»; http_user_agent; depth:42; isdataat:!1,relative; fast_pattern; threshold:type limit, seconds 300, count 1, track by_src; metadata: former_category INFO; classtype:misc-activity; sid:2025275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_01_31, performance_impact Low, updated_at 2019_09_30;)
Added 2019-10-01 04:23:22 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:»ET INFO Windows OS Submitting USB Metadata to Microsoft»; flow:established,to_server; content:»POST»; http_method; content:»metadata.svc»; http_uri; isdataat:!1,relative; content:»/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|»; http_header; content:»MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT»; http_user_agent; depth:42; isdataat:!1,relative; fast_pattern; metadata: former_category INFO; classtype:misc-activity; sid:2025275; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_01_31, performance_impact Low, updated_at 2018_01_31;)
Added 2018-09-13 19:54:31 UTC
Added 2018-09-13 18:02:02 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:»ET INFO Windows OS Submitting USB Metadata to Microsoft»; flow:established,to_server; content:»POST»; http_method; content:»metadata.svc»; http_uri; isdataat:!1,relative; content:»/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|»; http_header; content:»MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT»; http_user_agent; depth:42; isdataat:!1,relative; fast_pattern; metadata: former_category INFO; classtype:misc-activity; sid:2025275; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_01_31, performance_impact Low, updated_at 2018_01_31;)
Added 2018-01-31 17:08:34 UTC
[***] Summary: [***]
7 new Open, 24 new Pro (7 + 17). GandCrab, MSIL/Derkziel, MSIL/Vermin RAT, Various Mobile, Various Phishing.
[+++] Added rules: [+++]
Open:
2025275 — ET INFO Windows OS Submitting USB Metadata to Microsoft (info.rules)
2025276 — ET CURRENT_EVENTS Paypal Phishing Landing 2018-01-31 (current_events.rules)
2025277 — ET CURRENT_EVENTS Apple iTunes Phishing Landing (DE) 2018-01-31 (current_events.rules)
2025278 — ET CURRENT_EVENTS Mailbox Verification Phishing Landing 2018-01-31 (current_events.rules)
2025279 — ET CURRENT_EVENTS Hellion Postmaster Phishing Landing 2018-01-31 (current_events.rules)
2025280 — ET CURRENT_EVENTS Generic Roundcube Multi-Brand Phishing Landing 2018-01-31 (current_events.rules)
2025281 — ET CURRENT_EVENTS Cloned Website Phishing Landing — Saved Website Comment Observed (current_events.rules)
Pro:
2829498 — ETPRO TROJAN GandCrab DNS Lookup 1 (trojan.rules)
2829499 — ETPRO TROJAN GandCrab DNS Lookup 2 (trojan.rules)
2829500 — ETPRO TROJAN GandCrab DNS Lookup 3 (trojan.rules)
2829501 — ETPRO TROJAN GandCrab DNS Lookup 4 (trojan.rules)
2829502 — ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 268 (mobile_malware.rules)
2829503 — ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 269 (mobile_malware.rules)
2829504 — ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 270 (mobile_malware.rules)
2829505 — ETPRO TROJAN MSIL/Derkziel CnC Activity (trojan.rules)
2829506 — ETPRO TROJAN Possible POWERSTATS Related Badness M1 (trojan.rules)
2829507 — ETPRO TROJAN MSIL/Vermin RAT Checkin via SOAP (trojan.rules)
2829508 — ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-31 1) (trojan.rules)
2829509 — ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-31 2) (trojan.rules)
2829510 — ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-31 3) (trojan.rules)
2829511 — ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-31 4) (trojan.rules)
2829512 — ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-31 5) (trojan.rules)
2829513 — ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-31 6) (trojan.rules)
2829514 — ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-31 7) (trojan.rules)
[///] Modified active rules: [///]
2025120 — ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check (trojan.rules)
2826094 — ETPRO TROJAN Lazarus FoggyBrass Variant CnC Callback (trojan.rules)
2828913 — ETPRO TROJAN WIN32/KOVTER.B Checkin 2 M3 (trojan.rules)
Summary title:
7 new Open, 24 new Pro (7 + 17). GandCrab, MSIL/Derkziel, MSIL/Vermin RAT, Various Mobile, Various Phishing.
Check an IP Address, Domain Name, or Subnet
e.g. 176.194.84.241, microsoft.com, or 5.188.10.0/24
52.247.37.26 was found in our database!
This IP was reported 7 times. Confidence of Abuse is 0%: ?
| ISP | Microsoft Corporation |
|---|---|
| Usage Type | Data Center/Web Hosting/Transit |
| Domain Name | microsoft.com |
| Country |
 United States of America |
| City | Boydton, Virginia |
IP info including ISP, Usage Type, and Location provided by IP2Location. Updated monthly.
IP Abuse Reports for 52.247.37.26:
This IP address has been reported a total of 7 times from 4 distinct sources.
52.247.37.26 was first reported on March 3rd 2021, and the most recent report was 1 year ago.
Old Reports:
The most recent abuse report for this IP address is from 1 year ago. It is possible that this IP is no longer involved in abusive activities.
| Reporter | Date | Comment | Categories | |
|---|---|---|---|---|
|
Joe-Mark |
11 Jun 2021 |
Blocked by Sophos UTM Network Protection / proto=6 . srcport=80 . dstport=55216 . (2235) |
Hacking Brute-Force |
|
|
xm4rcell0x |
01 Jun 2021 |
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
Hacking | |
|
Tecnica |
18 May 2021 |
ET INFO Windows OS Submitting USB Metadata to Microsoft |
Hacking Bad Web Bot |
|
|
|
16 Apr 2021 |
US_Microsoft_<177>1618592463 [1:2027390:2] ET USER_AGENTS Microsoft Device Metadata Retrieval Client … show moreUS_Microsoft_<177>1618592463 [1:2027390:2] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [Classification: Unknown Traffic] [Priority: 3]: <seconione-ens192-1> {TCP} 203.176.121.26:55568 show less |
Hacking | |
|
|
02 Apr 2021 |
US_Microsoft_<177>1617363151 [1:2027390:2] ET USER_AGENTS Microsoft Device Metadata Retrieval Client … show moreUS_Microsoft_<177>1617363151 [1:2027390:2] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [Classification: Unknown Traffic] [Priority: 3]: <seconione-ens192-1> {TCP} 203.176.121.26:62037 show less |
Hacking | |
|
|
19 Mar 2021 |
US_Microsoft_<177>1616149581 [1:2027390:2] ET USER_AGENTS Microsoft Device Metadata Retrieval Client … show moreUS_Microsoft_<177>1616149581 [1:2027390:2] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [Classification: Unknown Traffic] [Priority: 3]: <seconione-ens192-1> {TCP} 203.176.121.26:58055 show less |
Hacking | |
|
|
03 Mar 2021 |
US_Microsoft_<177>1614764708 [1:2027390:2] ET USER_AGENTS Microsoft Device Metadata Retrieval Client … show moreUS_Microsoft_<177>1614764708 [1:2027390:2] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [Classification: Unknown Traffic] [Priority: 3]: <seconione-ens192-1> {TCP} 203.176.121.26:60655 show less |
Hacking |
Showing 1 to
7
of 7 reports
Is this your IP? You may request to takedown any associated reports. We will attempt to verify your ownership. Request Takedown 🚩