rcfontana / ThreatHuntingProcess

A transparent Threat Hunting Process that can be followed and adapted to your organization.

RF_SuspiciousTLDs_Proxy_0521 #1

Open rcfontana opened 3 years ago

rcfontana commented 3 years ago

I had this idea that we could monitor weirdness in our network by checking proxy connections to poor-reputation TLDs. Besides that, matching on some specific extensions would also be interesting.

Example: GET request to some .party with request_url: .bin

SpamHaus - Reference

rcfontana commented 2 years ago

There's a SIGMA rule on that same level for proxy logs! https://github.com/SigmaHQ/sigma/blob/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml
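The hunt sketched in both comments above (suspicious TLD, optionally combined with a download-style extension such as `.bin`), as an added example that is not part of the ThreatHuntingProcess repository and does not reproduce the linked Sigma rule. The log format, the log lines, and the TLD watchlist are constructed for the example; a real hunt would load the current Spamhaus abused-TLD table or the rule's own list instead of the hard-coded set.

```python
"""Hunt proxy logs for requests to poor-reputation TLDs (added example, not
code from the ThreatHuntingProcess repository or the SigmaHQ rule)."""
import re
from os.path import splitext
from urllib.parse import urlsplit

# Constructed watchlist for this example only. Replace with the current
# Spamhaus "most abused TLDs" table or the TLD list carried by the Sigma rule.
SUSPICIOUS_TLDS = {"party", "xyz", "top", "gq", "tk", "ml", "cf"}

# Extensions that usually mean a file download rather than a page view; the
# issue's own example is ".bin".
DOWNLOAD_EXTENSIONS = {".bin", ".exe", ".dll", ".ps1", ".hta", ".msi", ".scr"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed log format for the example: "timestamp src_ip method url status".
SAMPLE_LOG = """\
2021-05-03T10:01:12Z 10.0.0.15 GET http://updates.example.com/patch.bin 200
2021-05-03T10:02:40Z 10.0.0.15 GET http://cdn.freegift.party/loader.bin?id=7 200
2021-05-03T10:03:01Z 10.0.0.22 GET http://blog.someone.XYZ/index.html 200
2021-05-03T10:03:59Z 10.0.0.22 CONNECT mail.example.com:443 200
2021-05-03T10:04:10Z 10.0.0.31 GET http://203.0.113.7/x.exe 404
"""


def split_url(url):
    """Return (host, path) for both full URLs and the bare host:port that
    CONNECT requests carry (urlsplit would misread 'host:443' as a scheme)."""
    if "://" in url:
        parts = urlsplit(url)
        return (parts.hostname or "").lower(), parts.path
    host = url.split("/", 1)[0].rsplit(":", 1)[0]
    return host.lower(), ""


def tld_of(host):
    """Last DNS label of the host, or None for IP literals and single labels,
    which have no public TLD to score against the watchlist."""
    host = host.rstrip(".")
    if not host or IPV4_RE.match(host):
        return None
    labels = host.split(".")
    return labels[-1] if len(labels) > 1 else None


def parse_line(line):
    """Parse one constructed log line into a record; None if malformed."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, src, method, url, status = fields
    host, path = split_url(url)
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": status, "host": host, "tld": tld_of(host),
            "extension": splitext(path)[1].lower()}


def classify(record):
    """Return a finding for a request to a suspicious TLD, raised to 'high'
    when the request also looks like a file download; None otherwise."""
    if record is None or record["tld"] not in SUSPICIOUS_TLDS:
        return None
    download = record["extension"] in DOWNLOAD_EXTENSIONS
    reasons = ["suspicious_tld:" + record["tld"]]
    if download:
        reasons.append("download_extension:" + record["extension"])
    return {**record, "reasons": reasons,
            "priority": "high" if download else "medium"}


def hunt(log_text):
    """Run the classifier over every line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        finding = classify(parse_line(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["priority"], f["src"], f["host"], f["extension"], f["reasons"])
```

Run against the constructed lines, only the two `.party`/`.xyz` requests surface: the `.bin` download from `.party` is ranked high, the `.xyz` page view medium, while the `.bin` from a `.com` host, the CONNECT tunnel and the IP-literal download stay out of the result so the TLD match rather than the extension alone drives the hit list.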