################################################################
# abuse.ch Feodo Tracker Suricata / Snort Ruleset              #
# Last updated: 2025-03-07 08:40:05 UTC                        #
#                                                              #
# Terms Of Use: https://feodotracker.abuse.ch/blocklist/       #
# For questions please contact feodotracker [at] abuse.ch      #
################################################################
#
alert tcp $HOME_NET any -> [149.28.156.183] 443 (msg:"Feodo Tracker: potential Emotet CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/149.28.156.183/; sid:900508909; rev:1;)
alert tcp $HOME_NET any -> [162.243.103.246] 8080 (msg:"Feodo Tracker: potential Emotet CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/162.243.103.246/; sid:900509159; rev:1;)
alert tcp $HOME_NET any -> [91.230.49.1] 443 (msg:"Feodo Tracker: potential QakBot CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/91.230.49.1/; sid:900513682; rev:1;)
alert tcp $HOME_NET any -> [193.238.227.136] 443 (msg:"Feodo Tracker: potential QakBot CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/193.238.227.136/; sid:900513683; rev:1;)
alert tcp $HOME_NET any -> [172.232.58.237] 443 (msg:"Feodo Tracker: potential QakBot CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/172.232.58.237/; sid:900513684; rev:1;)
alert tcp $HOME_NET any -> [172.232.58.169] 443 (msg:"Feodo Tracker: potential QakBot CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/172.232.58.169/; sid:900513685; rev:1;)
# END 6 entries