Emerging Threats BRO RBN Rules
# Emerging Threats BRO RBN rules.
#
# Rules to detect known Russian Business Network (RBN) hosts. These lists are updated daily or better from many sources
#
# We do not necessarily declare that these hosts are all bad, or that RBN is inherently an evil organization. Use this
# information as you see fit.
#
# More information available at doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2008, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
#general hosts
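# Raises "ET RBN Known Russian Business Network Traffic" for any IP traffic from
# local_nets to the listed prefixes. local_nets is not defined in this file and
# must be provided by the Bro configuration that loads it.
# The dst-ip list is kept on one line: the posted copy was wrapped in the middle
# of two prefixes ("81.94.16.0" / "/20" and "194.146.204.0" / "/22"), which split
# the CIDR entries.
# NOTE(review): these are address-reputation matches from a list the header dates
# to 2008; confirm current ownership of each range before treating a hit as malicious.
signature sid-2406000 {
ip-proto == ip
src-ip == local_nets
dst-ip == 58.65.233.0/24,58.65.239.66/31,65.99.192.0/20,65.254.48.0/20,66.232.96.0/19,66.252.0.0/19,69.50.160.0/19,81.94.16.0/20,81.95.128.0/19,85.249.23.0/24,85.255.112.0/24,85.255.116.0/24,85.255.121.0/24,88.201.208.0/20,194.146.204.0/22,194.226.64.0/20,194.226.96.0/24,195.114.16.0/23,195.64.140.0/23,195.64.162.0/23,208.72.160.0/20
event "ET RBN Known Russian Business Network Traffic"
}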
#individual general hosts
# Raises "ET RBN Known Russian Business Network Traffic" for any IP traffic from
# local_nets to one of the individual hosts listed below.
# NOTE(review): some hosts here (e.g. 65.254.54.178, 66.252.1.255) also fall inside
# prefixes matched by sid-2406000, so a single connection may match both signatures.
signature sid-2406001 {
ip-proto == ip
src-ip == local_nets
dst-ip == 62.140.208.131,62.140.208.197,62.154.15.154,65.254.54.178,66.252.1.255,67.18.179.15,67.19.24.168,67.19.24.169,67.19.24.170,67.19.24.171,67.19.24.172,67.19.24.173,67.19.24.174,67.19.24.175,67.19.72.205,67.19.72.206,67.137.217.219,72.10.164.69,72.20.14.3,72.20.25.134,74.54.31.196,80.70.239.253,84.45.24.53,84.45.47.130,84.45.90.141,85.133.4.138,89.149.186.77,89.149.186.81,89.149.186.89,193.93.232.6,195.66.226.151,213.200.78.66,213.200.79.194,213.200.80.46,216.180.244.179,217.118.119.26
event "ET RBN Known Russian Business Network Traffic"
}
#chinese
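# Raises "ET RBN Known Russian Business Network Traffic - Chinese Nets" for any IP
# traffic from local_nets to the listed prefixes.
# The condition keyword is "dst-ip", as in the other signatures in this file; the
# posted copy read "dst ip", which is not the keyword used elsewhere and would
# presumably fail to parse.
signature sid-2406002 {
ip-proto == ip
src-ip == local_nets
dst-ip == 91.196.232.0/22,91.194.140.0/23,91.198.71.0/24,91.193.40.0/22,91.193.56.0/22,193.33.128.0/23,194.110.69.0/24,91.195.116.0/23
event "ET RBN Known Russian Business Network Traffic - Chinese Nets"
}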
#Panamanian/Central America
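# Raises "ET RBN Known Russian Business Network Traffic - Central American Nets"
# for any IP traffic from local_nets to 200.115.160.0/20.
# The condition keyword is "dst-ip", as in the other signatures in this file; the
# posted copy read "dst ip", which is not the keyword used elsewhere and would
# presumably fail to parse.
signature sid-2406003 {
ip-proto == ip
src-ip == local_nets
dst-ip == 200.115.160.0/20
event "ET RBN Known Russian Business Network Traffic - Central American Nets"
}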
# Updated 2008-07-01 12:14:45
# Raises "ET RBN Known Russian Business Network Monitored Domains" for IP traffic
# from local_nets to the listed addresses. The match is on destination IP only;
# no domain name is inspected despite the event text.
# NOTE(review): the signature ID is the bare "sid-", shared with every signature
# that follows; the numeric part appears to have been lost. Assign a unique ID
# before loading — duplicate IDs are likely to be rejected or to shadow each other.
# NOTE(review): 190.15.73.221-223 and .251-.252 are already covered by
# 190.15.72.0/21 in the same list.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 159.25.97.69,190.15.72.0/21,190.15.73.221,190.15.73.222,190.15.73.223,190.15.73.251,190.15.73.252,193.33.128.0/23,193.39.113.199,193.39.113.2
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
# NOTE(review): 194.67.27.115 and 194.67.27.125 fall inside 194.67.0.0/18 in the
# same list.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 193.93.232.6,193.93.235.5,194.110.69.0/24,194.126.174.124,194.146.204.0/22,194.226.64.0/20,194.226.96.0/24,194.67.0.0/18,194.67.27.115,194.67.27.125
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 194.67.28.250,194.67.28.62,194.67.35.133,194.67.35.250,195.114.16.0/23,195.225.176.68,195.225.177.54,195.225.177.7,195.3.144.30,195.3.144.77
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
# NOTE(review): 203.117.0.0/16 and 203.121.0.0/17 are very wide ranges for a
# reputation match; expect hits on unrelated hosts and verify before acting on them.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 195.5.116.233/32,195.5.117.233/32,195.5.117.234/32,195.64.140.0/23,195.64.162.0/23,195.66.226.151,200.115.160.0/20,202.124.241.0/24,203.117.0.0/16,203.121.0.0/17
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# individual hosts listed below.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 204.251.15.190,206.161.200.34,206.161.200.36,207.226.173.114,207.226.173.67,207.44.185.10,207.44.185.100,208.109.78.58,208.48.15.11,208.48.15.13
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
# NOTE(review): 208.72.168.0/21, 208.72.170.187 and 208.72.170.189 are already
# inside 208.72.160.0/20 in the same list.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 208.48.15.62,208.72.160.0/20,208.72.168.0/21,208.72.170.187,208.72.170.189,208.79.82.50,208.79.82.66,209.8.30.2,209.85.84.199,212.24.53.0/24
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 213.132.196.200,213.132.196.211,213.189.27.133/32,213.200.78.66,213.200.79.194,213.200.80.46,213.99.178.180,216.118.117.68,216.180.244.179,216.195.44.0/24
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 216.195.49.100,216.195.49.159,216.195.49.88,216.195.50.159,216.195.50.162,216.195.50.238,216.195.50.51,216.195.50.56,216.195.50.81,216.255.176.0/20
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# individual hosts listed below.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 216.255.179.243/32,216.255.185.237,216.255.190.74,216.69.177.200,216.7.89.11,216.7.89.12,216.7.89.13,216.7.89.14,216.7.89.15,216.7.89.16
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 216.7.89.17,216.7.89.18,216.8.177.26,217.118.119.26,58.65.232.0/21,62.140.208.131,62.140.208.197,62.154.15.154,63.243.188.0/24,64.111.192.0/20
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
# NOTE(review): 64.28.177.74, 64.28.180.0/24, 64.28.181.0/24 and 64.28.182.106
# are already inside 64.28.176.0/20 in the same list.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 64.111.208.0/24,64.111.209.0/24,64.111.210.0/24,64.111.211.0/24,64.111.216.0/21,64.28.176.0/20,64.28.177.74,64.28.180.0/24,64.28.181.0/24,64.28.182.106
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# individual hosts listed below.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 64.28.182.107,64.28.182.122,64.28.182.146,64.28.182.151,64.28.182.163,64.28.182.195,64.28.182.196,64.28.182.66,64.28.182.68,64.28.182.8
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 64.28.183.162,64.28.183.44,64.28.183.45,64.28.183.99,64.28.184.0/24,64.69.68.141,64.71.133.0/24,65.254.48.0/20,65.254.54.178,65.99.192.0/20
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 66.152.85.101,66.152.85.110,66.152.85.116,66.152.85.123,66.232.96.0/19,66.244.254.0/24,66.252.0.0/19,66.252.1.255,66.29.15.141,66.45.254.244
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
# NOTE(review): 67.19.24.168 through 67.19.24.173 are already inside
# 67.19.24.0/24 in the same list.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 66.45.254.245,67.137.217.219,67.18.179.0/24,67.19.24.0/24,67.19.24.168,67.19.24.169,67.19.24.170,67.19.24.171,67.19.24.172,67.19.24.173
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 67.19.24.174,67.19.24.175,67.19.51.0/24,67.19.72.202,67.19.72.205,67.19.72.206,67.43.236.0/24,67.55.64.0/19,67.55.81.0/24,68.178.232.100
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 69.20.117.228,69.20.68.36,69.22.162.0/23,69.22.168.0/21,69.22.184.0/22,69.31.128.2,69.31.40.0/21,69.31.64.0/20,69.39.224.27,69.42.216.122
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
# NOTE(review): every 69.50.166.x, 69.50.168.x and 69.50.170.x entry here is
# already inside 69.50.160.0/19 in the same list.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 69.46.224.0/20,69.50.160.0/19,69.50.166.130/32,69.50.166.139/32,69.50.166.196,69.50.168.102,69.50.168.98,69.50.168.99,69.50.170.174,69.50.170.82
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# individual hosts listed below.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 69.50.176.227,69.50.176.228,69.50.176.229,69.50.188.3,69.50.188.4,69.50.190.14/32,69.50.190.3/32,69.50.190.6/32,69.64.155.110,69.64.155.132
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
# NOTE(review): the 77.91.225.x hosts are already inside 77.91.224.0/21 in the
# same list.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 72.10.164.69,72.20.0.0/19,72.232.194.194/32,72.232.197.83,74.54.31.196,77.91.224.0/21,77.91.225.14,77.91.225.18,77.91.225.2,77.91.225.20
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# individual hosts listed below.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 77.91.225.3,77.91.225.30,77.91.225.4,77.91.225.5,77.91.225.6,77.91.225.7,77.91.225.8,77.91.225.9,77.91.226.5,77.91.226.6
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# individual hosts listed below.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 77.91.226.7,77.91.227.178,77.91.227.202,77.91.227.203,77.91.227.208,77.91.227.209,77.91.227.211,77.91.227.246,77.91.227.247,77.91.227.253
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# individual hosts listed below.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 77.91.228.106,77.91.228.110,77.91.228.111,77.91.228.121,77.91.228.122,77.91.228.125,77.91.228.126,77.91.228.130,77.91.228.131,77.91.228.139
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# individual hosts listed below.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 77.91.228.140,77.91.228.141,77.91.228.142,77.91.228.155,77.91.228.156,77.91.228.180,77.91.228.44,77.91.228.51,77.91.228.53,77.91.228.7
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 77.91.229.103,77.91.229.106,77.91.229.107,78.159.96.135/32,8.15.231.110,80.70.224.0/20,80.70.239.253,80.77.80.67/32,80.77.85.135/32,80.77.87.243/32
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
# NOTE(review): 81.95.144.0/20 and every 81.95.14x.x host here are already
# inside 81.95.128.0/19 in the same list.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 81.29.241.9,81.29.249.38,81.94.16.0/20,81.95.128.0/19,81.95.144.0/20,81.95.144.182,81.95.144.3,81.95.145.186,81.95.146.250,81.95.147.182
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed hosts and /31 pairs.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 81.95.147.202/31,81.95.148.130/31,81.95.148.132/31,81.95.148.18,81.95.149.110/31,81.95.149.171,81.95.149.178,81.95.149.181,81.95.149.27,81.95.153.243
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 81.95.154.41,81.95.156.0/22,82.114.64.251,82.146.56.140,82.98.86.170,83.222.0.0/19,84.16.252.148/32,84.45.24.53,84.45.47.130,84.45.90.141
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
# NOTE(review): the 85.255.114.x and 85.255.115.x hosts and 85.255.116.0/24 are
# already inside 85.255.112.0/20 in the same list.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 85.12.60.22,85.133.4.138,85.17.173.219,85.249.23.0/24,85.255.112.0/20,85.255.114.202,85.255.114.206,85.255.115.178,85.255.115.180,85.255.116.0/24
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 85.255.116.211/32,85.255.117.202,85.255.117.205,85.255.117.60,85.255.117.62,85.255.118.0/24,85.255.118.212/32,85.255.118.214/32,85.255.118.245/32,85.255.118.34/32
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# individual hosts listed below.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 85.255.119.125,85.255.119.126,85.255.119.251,85.255.119.254,85.255.119.66,85.255.119.67,85.255.120.106,85.255.120.107,85.255.120.110/32,85.255.120.50
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 85.255.121.0/24,85.255.121.146/32,87.117.252.0/24,88.201.208.0/20,88.214.192.192/32,88.255.90.0/24,88.255.94.0/24,88.255.94.210,89.149.186.77,89.149.186.81
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed addresses and prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the neighbouring
# signatures; assign a unique ID before loading.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 89.149.186.89,89.149.209.160/32,89.149.220.21/32,89.149.220.22/32,89.149.226.22/32,89.149.227.195/32,89.18.181.0/24,89.208.19.194,91.192.106.0/23,91.193.40.0/22
event "ET RBN Known Russian Business Network Monitored Domains"
}
# Raises the "Monitored Domains" event for IP traffic from local_nets to the
# listed prefixes.
# NOTE(review): the ID is the bare "sid-", identical to the preceding
# signatures; assign a unique ID before loading.
# NOTE(review): several of these prefixes (e.g. 91.193.56.0/22, 91.194.140.0/23,
# 91.196.232.0/22) also appear in sid-2406002, so a connection may match both.
signature sid- {
ip-proto == ip
src-ip == local_nets
dst-ip == 91.193.56.0/22,91.194.140.0/23,91.195.116.0/23,91.196.232.0/22,91.198.71.0/24,91.202.60.0/24,91.202.61.0/24,91.202.62.0/24,91.202.63.0/24
event "ET RBN Known Russian Business Network Monitored Domains"
}
http://www.emergingthreats.net/bro/e...-bro-rbn.rules