LoFP / rare legitimate software downloads from low quality TLDs

Techniques

Sample rules

HTTP Request to Low Reputation TLD or Suspicious File Extension

Description

Detects HTTP requests to hosts under low reputation TLDs (e.g. .xyz, .top, .ru) whose URI ends in a suspicious file extension (.exe, .dll, .hta) or whose response carries an executable MIME type, which may indicate malware delivery. Note that the condition requires both a suspicious TLD and one of the file indicators; a suspicious TLD alone does not fire.

Detection logic

condition: selection_suspicious_tld and 1 of selection_malicious_*
selection_malicious_ext:
  uri|endswith:
  - .bat
  - .bin
  - .cmd
  - .cpl
  - .dll
  - .dylib
  - .elf
  - .exe
  - .hta
  - .iso
  - .jar
  - .js
  - .lnk
  - .msi
  - .pif
  - .ps1
  - .py
  - .reg
  - .scr
  - .sh
  - .so
  - .vbs
  - .wsf
selection_malicious_mime:
  resp_mime_types:
  - application/vnd.microsoft.portable-executable
  - application/x-bat
  - application/x-dosexec
  - application/x-elf
  - application/x-iso9660-image
  - application/x-java-archive
  - application/x-ms-shortcut
  - application/x-msdos-program
  - application/x-msdownload
  - application/x-python-code
  - application/x-sh
selection_suspicious_tld:
  host|endswith:
  - .bid
  - .by
  - .cf
  - .click
  - .cm
  - .ga
  - .gq
  - .ir
  - .kp
  - .loan
  - .ml
  - .mm
  - .party
  - .pw
  - .ru
  - .su
  - .sy
  - .tk
  - .top
  - .tv
  - .ve
  - .work
  - .xyz
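The condition above, applied to a handful of Zeek http.log records so the two branches of `1 of selection_malicious_*` and the false positive the page is about can be seen side by side. This is an added example, not code from the LoFP page or the rule's own project: the field lists are copied from the rule, the JSON records and hostnames are constructed, and the function names are my own.

```python
import json

# Field lists copied from the rule above. Sigma string matching is case-insensitive
# by default, so the log fields are lowercased before comparison.
SUSPICIOUS_TLDS = (
    ".bid", ".by", ".cf", ".click", ".cm", ".ga", ".gq", ".ir", ".kp", ".loan",
    ".ml", ".mm", ".party", ".pw", ".ru", ".su", ".sy", ".tk", ".top", ".tv",
    ".ve", ".work", ".xyz",
)
MALICIOUS_EXTS = (
    ".bat", ".bin", ".cmd", ".cpl", ".dll", ".dylib", ".elf", ".exe", ".hta",
    ".iso", ".jar", ".js", ".lnk", ".msi", ".pif", ".ps1", ".py", ".reg", ".scr",
    ".sh", ".so", ".vbs", ".wsf",
)
MALICIOUS_MIMES = frozenset({
    "application/vnd.microsoft.portable-executable", "application/x-bat",
    "application/x-dosexec", "application/x-elf", "application/x-iso9660-image",
    "application/x-java-archive", "application/x-ms-shortcut",
    "application/x-msdos-program", "application/x-msdownload",
    "application/x-python-code", "application/x-sh",
})


def selection_suspicious_tld(rec):
    """host|endswith: one of the low reputation TLDs."""
    return (rec.get("host") or "").lower().endswith(SUSPICIOUS_TLDS)


def selection_malicious_ext(rec):
    """uri|endswith: one of the suspicious extensions. A trailing query string
    (/file.exe?token=...) defeats this branch, which is why the MIME branch exists."""
    return (rec.get("uri") or "").lower().endswith(MALICIOUS_EXTS)


def selection_malicious_mime(rec):
    """resp_mime_types contains one of the executable MIME types. Zeek's JSON
    output emits resp_mime_types as a list; a bare string is tolerated as well."""
    mimes = rec.get("resp_mime_types") or []
    if isinstance(mimes, str):
        mimes = [mimes]
    return any(m.lower() in MALICIOUS_MIMES for m in mimes)


def matches(rec):
    """condition: selection_suspicious_tld and 1 of selection_malicious_*"""
    return selection_suspicious_tld(rec) and (
        selection_malicious_ext(rec) or selection_malicious_mime(rec)
    )


# Constructed Zeek http.log records in JSON form (not real traffic; hostnames are
# placeholders). Only the fields the rule consults, plus uid and addresses, are kept.
SAMPLE_HTTP_LOG = """
{"ts":1700000001.0,"uid":"CHit1","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","method":"GET","host":"cdn.example.top","uri":"/update.exe","status_code":200,"resp_mime_types":["application/x-dosexec"]}
{"ts":1700000002.0,"uid":"CNoTld","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.11","method":"GET","host":"download.example.com","uri":"/setup.exe","status_code":200,"resp_mime_types":["application/x-dosexec"]}
{"ts":1700000003.0,"uid":"CMime","id.orig_h":"10.0.0.6","id.resp_h":"203.0.113.12","method":"GET","host":"mirror.example.ru","uri":"/get?id=42","status_code":200,"resp_mime_types":["application/x-dosexec"]}
{"ts":1700000004.0,"uid":"CQuery","id.orig_h":"10.0.0.6","id.resp_h":"203.0.113.13","method":"GET","host":"files.example.xyz","uri":"/installer.exe?token=abc","status_code":200,"resp_mime_types":["application/octet-stream"]}
{"ts":1700000005.0,"uid":"CHtml","id.orig_h":"10.0.0.7","id.resp_h":"203.0.113.14","method":"GET","host":"www.example.tv","uri":"/index.html","status_code":200,"resp_mime_types":["text/html"]}
{"ts":1700000006.0,"uid":"CExt","id.orig_h":"10.0.0.7","id.resp_h":"203.0.113.15","method":"GET","host":"pkg.example.su","uri":"/tool.sh","status_code":200,"resp_mime_types":[]}
"""


def run_rule(log_text=SAMPLE_HTTP_LOG):
    """Apply the rule to newline-delimited JSON http.log records; return the hits."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if matches(rec):
            hits.append((rec["uid"], rec["host"], rec["uri"]))
    return hits


if __name__ == "__main__":
    for uid, host, uri in run_rule():
        print(f"{uid}: {host}{uri}")
```

Three records fire: CHit1 (TLD plus extension), CMime (TLD plus sniffed executable body, even though the URI has no extension) and CExt (TLD plus `.sh`). The `.com` download does not fire despite being an identical `.exe`, which is the rule's whole premise; CQuery shows the extension branch missing a URI with a query string, so it only fires if Zeek's file-type sniffing tags the body. The CMime record is also the shape of the false positive this page is about: a legitimate installer fetched from a mirror under `.ru`, `.su` or `.tv` looks exactly like the hit. Tuning is by host allowlist for known distribution mirrors, not by removing the TLD, since `host|endswith` is the only thing keeping ordinary `.com` downloads out of the alert.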