
📄 virus.rules

📁 Intrusion detection system: example of use together with MySQL on Linux
# $Id: virus.rules,v 1.4 2001/06/11 15:29:30 cazz Exp $
#------------
# VIRUS RULES
#------------
#
# NOTE: These rules are NOT being actively maintained.  If you would like
# to update these rules, e-mail snort-sigs@lists.sourceforge.net
#
alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; content:"Suddlently"; sid:720; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible pif Worm"; content: ".pif"; nocase; sid:721; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; content: "NAVIDAD.EXE"; nocase; sid:722; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "myromeo.exe"; nocase; sid:723; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "myjuliet.chm"; nocase; sid:724; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "ble bla"; nocase; sid:725; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "I Love You"; sid:726; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "Sorry... Hey you !"; sid:727; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "my picture from shake-beer"; sid:728; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content: ".scr"; nocase; sid:729; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible shs Worm"; content: ".shs"; nocase; sid:730; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:731; rev:1;)
alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flags:A; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:732; rev:1;)
alert tcp any any -> any 25 (msg:"Virus - Possible QAZ Worm Calling Home"; content:"nongmin_cn"; reference:MCAFEE,98775; sid:733; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; content: "Software provide by [MATRiX]"; nocase;  sid:734; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "Matrix has you..."; sid:735; rev:1;)
alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; content: "funguscrack@hotmail.com"; nocase; sid:736; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; content: "filename="; content:"eurocalculator.exe"; nocase; sid:737; rev:1;)
alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; content:"Pikachu Pokemon"; reference:MCAFEE,98696; sid:738; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; content: "filename=\"666TEST.VBS\""; nocase; reference:MCAFEE,10389; sid:739; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; content: "filename=\"tune.vbs\""; nocase; reference:MCAFEE,10497; sid:740; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|"; reference:MCAFEE,10109; sid:741; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|"; reference:MCAFEE,10109; sid:742; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|"; reference:MCAFEE,10109; sid:743; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|"; reference:MCAFEE,10109; sid:744; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; content:"filename=\"XPASS.XLS\""; nocase; reference:MCAFEE,10145; sid:745; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; content:"|4C 49 4E 4B 53 2E 56 42 53|"; reference:MCAFEE,10225; sid:746; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; content: "filename=\"SETUP.EXE\""; nocase; sid:747; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; content: "|6E 61 6D 65 20 3D 22 42 41 44 41 53 53 2E 45 58 45 22|"; reference:MCAFEE,10388; sid:748; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; content: "|6E 61 6D 65 20 3D 22 46 69 6C 65 5F 7A 69 70 70 61 74 69 2E 65 78 65 22|"; reference:MCAFEE,10471; sid:749; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Video Worm"; content: "filename=\"VIDEO.EXE\""; nocase; sid:750; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; content: "filename=\"KAK.HTA\""; nocase; reference:MCAFEE,10509; sid:751; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Virus - Possible Suppl Worm"; content:"filename=\"Suppl.doc\""; nocase; reference:MCAFEE,10361; sid:752; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - theobbq.exe"; content: "filename=\"THEOBBQ.EXE\""; nocase; reference:MCAFEE,10540; sid:753; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; content: "filename=\"MONEY.DOC\""; nocase; reference:MCAFEE,10502; sid:754; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; content:"filename=\"irok.exe\""; nocase; reference:MCAFEE,98552; sid:755; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; content:"filename=\"Fix2001.exe\""; nocase; reference:MCAFEE,10355; sid:756; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; content: "filename=\"Y2K.EXE\""; nocase; reference:MCAFEE,10505; sid:757; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; content: "filename=\"THE_FLY.CHM\""; nocase; reference:MCAFEE,10478; sid:758; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; content: "filename=\"DINHEIRO.DOC\""; nocase; reference:MCAFEE,10502; sid:759; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; content: "filename=\"ICQ_GREETINGS.EXE\""; nocase; reference:MCAFEE,10467; sid:760; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; content: "filename=\"COOLER3.EXE\""; nocase; reference:MCAFEE,10540; sid:761; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; content: "filename=\"PARTY.EXE\""; nocase; reference:MCAFEE,10540; sid:762; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; content: "filename=\"HOG.EXE\""; nocase; reference:MCAFEE,10540; sid:763; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; content: "filename=\"GOAL1.EXE\""; nocase; reference:MCAFEE,10540; sid:764; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; content: "filename=\"PIRATE.EXE\""; nocase; reference:MCAFEE,10540; sid:765; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; content: "filename=\"VIDEO.EXE\""; nocase; reference:MCAFEE,10540; sid:766; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; content: "filename=\"BABY.EXE\""; nocase; reference:MCAFEE,10540; sid:767; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; content: "filename=\"COOLER1.EXE\""; nocase; reference:MCAFEE,10540; sid:768; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; content: "filename=\"BOSS.EXE\""; nocase; reference:MCAFEE,10540; sid:769; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; content: "filename=\"G-ZILLA.EXE\""; nocase; reference:MCAFEE,10540; sid:770; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; content:"filename=\"Toadie.exe\""; nocase; reference:MCAFEE,10540; sid:771; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; content:"\\CoolProgs\\";offset:300;depth:750; reference:MCAFEE,10175; sid:772; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; content:"X-Spanska\:Yes"; reference:MCAFEE,10144; sid:773; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; content:"|6E 61 6D 65 20 3D 22 6C 69 6E 6B 73 2E 76 62 73 22|"; sid:774; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; content:"BubbleBoy is back!"; reference:MCAFEE,10418; sid:775; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - copier.exe"; content: "filename=\"COPIER.EXE\""; nocase; reference:MCAFEE,10540; sid:776; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; content: "|6E 61 6D 65 20 3D 22 70 69 63 73 34 79 6F 75 2E 65 78 65 22|"; reference:MCAFEE,10467; sid:777; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; content: "|6E 61 6D 65 20 3D 22 58 2D 4D 41 53 2E 45 58 45 22|"; reference:MCAFEE,10461; sid:778; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; content: "filename=\"GADGET.EXE\""; nocase; reference:MCAFEE,10540; sid:779; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; content: "filename=\"IRNGLANT.EXE\""; nocase; reference:MCAFEE,10540; sid:780; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; content: "filename=\"CASPER.EXE\""; nocase; reference:MCAFEE,10540; sid:781; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; content: "filename=\"FBORFW.EXE\""; nocase; reference:MCAFEE,10540; sid:782; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; content: "filename=\"SADDAM.EXE\""; nocase; reference:MCAFEE,10540; sid:783; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; content: "filename=\"BBOY.EXE\""; nocase; reference:MCAFEE,10540; sid:784; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; content: "filename=\"MONICA.EXE\""; nocase; reference:MCAFEE,10540; sid:785; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; content: "filename=\"GOAL.EXE\""; nocase; reference:MCAFEE,10540; sid:786; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; content: "filename=\"PANTHER.EXE\""; nocase; reference:MCAFEE,10540; sid:787; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; content: "filename=\"CHESTBURST.EXE\""; nocase; reference:MCAFEE,10540; sid:788; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; content: "filename=\"FARTER.EXE\""; nocase; reference:MCAFEE,1054; sid:789; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; content: "|6E 61 6D 65 20 3D 22 54 48 45 5F 46 4C 59 2E 43 48 4D 22|"; sid:790; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; content: "filename=\"CUPID2.EXE\""; nocase; reference:MCAFEE,10540; sid:791; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"RESUME1.DOC\""; nocase; reference:MCAFEE,98661; sid:792; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Mail .VBS"; content:"multipart"; content:"name="; content:".vbs"; nocase; sid:793; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"Explorer.doc\""; nocase; reference:MCAFEE,98661; sid:794; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm -  txt.vbs file"; content: "filename="; content:".txt.vbs"; nocase; sid:795; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; content: "filename="; content:".xls.vbs"; nocase; sid:796; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; content: "filename="; content:".jpg.vbs"; nocase; sid:797; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm -  gif.vbs file"; content: "filename="; content:".gif.vbs"; nocase; sid:798; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; content: "filename=\"TIMOFONICA.TXT.vbs\""; nocase; reference:MCAFEE,98674; sid:799; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"NORMAL.DOT\""; nocase; reference:MCAFEE,98661; sid:800; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; content: "filename="; content:".doc.vbs"; nocase; sid:801; rev:1;)
alert tcp any 110 -> any any (msg:"Virus - Possbile Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|"; reference:MCAFEE,10450; sid:802; rev:1;)
