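<!-- Rules for flagging web access to top-level domains that are frequently abused for
     malware, phishing and spam.  This is a heuristic: legitimate sites exist in every
     TLD listed here, so expect some false positives and treat hits as a signal for
     correlation rather than as proof of compromise. -->
<!-- Sources: https://www.symantec.com/blogs/feature-stories/top-20-shady-top-level-domains,
     https://twitter.com/someinfosecguy -->

<!-- Example event this rule fires on (a proxy CONNECT that was denied with 407; both
     denied and allowed attempts match, which is intended for detection):
     192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT kino.to:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE -->

<group name="web-access,">

  <!-- 31111: low-level (level 2) alert when the decoded URL field contains one of the
       listed TLDs immediately followed by ':'.  The trailing ':' anchors on the
       host:port form of CONNECT requests (see example above); a plain
       "GET http://host.xyz/" with no explicit port will NOT match, so HTTP (non-tunnelled)
       traffic to these TLDs is not covered by this rule.
       Parent 31100 is presumably the web access-log grouping rule from web_rules.xml;
       it is not defined in this file.
       Each TLD appears exactly once (the previous version listed .country, .work,
       .racing and .gdn twice); keep it that way when extending the list.
       NOTE(review): whether '.' is a literal dot or a single-character wildcard depends
       on the pattern dialect OSSEC applies to <url>; with wildcard semantics hosts such
       as "desktop:443" or "women:443" would also match.  Confirm against the rule
       syntax of the OSSEC version in use before tightening or widening the list. -->
  <rule id="31111" level="2">
    <if_sid>31100</if_sid>
    <url>.top:|.to:|.gq:|.cf:|.men:|.loan:|.ml:|.work:|.click:|.tk:|.country:|.pw:|.party:|.trade:|.review:|.club:|.bid:|.stream:|.download:|.xin:|.gdn:|.racing:|.jetzt:|.win:|.vip:|.ren:|.kim:|.mom:|.date:|.wang:|.accountants:|.science:|.ninja:|.xyz:|.faith:|.zip:|.cricket:|.space:|.realtor:|.christmas:|.pro:</url>
    <description>Maybe critical URL access attempt</description>
  </rule>

</group>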