rule.xml

A lightweight intrusion detection system, with some ability to defend against shellcode in web pages

XML
Page 1 of 5
<proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>23</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>rewt</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BACKDOOR MISC rewt attempt</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>23</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>rewt</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BACKDOOR MISC rewt attempt</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>any</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>|F6 13 00 00|</payload><offset></offset><depth>4</depth><distance></distance><nocase></nocase></content><msg>BACKDOOR poison ivy 2.1.2 runtime detection</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>any</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>|55 8B EC 50 B8 02 00 00 00 81 C4 04 F0 FF FF|</payload><offset></offset><depth>15</depth><distance></distance><nocase></nocase></content><msg>BACKDOOR poison ivy 2.1.2 runtime detection - init connection</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>any</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>|55 8B EC 50 B8 02 00 00 00 81 C4 04 F0 FF FF|</payload><offset></offset><depth>15</depth><distance></distance><nocase></nocase></content><msg>BACKDOOR poison ivy 2.1.2 runtime detection - init connection</msg></rule>
<!-- virus rules-->
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>User-Agent: PE-</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE VIRUS Generic Downloader Outbound HTTP connection - Downloading Code</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>25</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE VIRUS - Bugbear@MM virus in SMTP</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>139</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65|</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE VIRUS - BugBear@MM virus in Network share</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>139</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>|77 00 69 00 6B 00 2E 00 65 00 78 00 65 00 00 00|</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE VIRUS - BugBear@MM Worm Copied to Startup Folder</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>25</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>UEsDBAoA</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><content><payload>ojRrPyGt</payload><offset></offset><depth></depth><distance>8</distance><nocase></nocase></content><msg>BLEEDING-EDGE VIRUS Mytob.X [clam] SMTP InOutbound</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>25</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>RE9TIG1v</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><content><payload>GUuDQ0KJ</payload><offset></offset><depth></depth><distance>1</distance><nocase></nocase></content><msg>BLEEDING-EDGE VIRUS W32.Nugache SMTP InOutbound</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>any</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE VIRUS WinUpack Modified PE Header InOutbound</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>/new_array2.php?speed=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE VIRUS Sality Trojan Web Update</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>User-Agent\: KUKU</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE Sality Virus User Agent Detected (KUKU v3.09)</msg></rule>
<rule><proto>udp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>8998</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize>8</dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>|5c bf 01 29 ca 62 eb f1|</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE VIRUS Sobig.E-F Trojan Site Download Request</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>80</srcport><dstport>any</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>[AspackDie!]</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><content><payload>|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE VIRUS Trojan-Spy.Win32.Bancos Download</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>25</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>Subject\: \: ZOMBIE</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>X-Library\: Indy 9.00.10</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE VIRUS Win32.SMTP-Mailer SMTP Outbound</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>any</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>&amp;first&amp; # </payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>any</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize>8</dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>|99 9b 86 8a 85 80 9a 9d|</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>any</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>kill3d</payload><offset>0</offset><depth>6</depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>any</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize>10</dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>&amp;SEXREPLY&amp;</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>any</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>|cf 8f|</payload><offset></offset><depth>2</depth><distance></distance><nocase></nocase></content><content><payload>|20 26 26 26|</payload><offset></offset><depth></depth><distance>50</distance><nocase></nocase></content><msg>BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>any</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize>6</dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>|cf ab a8 a7 ae cf|</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>any</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize>9</dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>|cf ab a8 a4 ae cf 26 26 26|</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>25</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>X-Library\: Indy 9</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE TROJAN Banker.Delf Infection - Sending Initial Email to Owner</msg></rule>
<rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>80</srcport><dstport>1639</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>GET </payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>reactor</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE WORM Bofra Victim Accessing Reactor Page</msg></rule>
<rule><proto>udp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>53</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack>
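The following is an added example, not code from the IDS project this file belongs to: a small Python matcher that parses the `<rule>` format shown above and evaluates the `content` options against packet payloads. It assumes Snort-like semantics for the options (offset is absolute, distance is counted from the end of the previous content match, depth bounds the search window, nocase folds ASCII case) and Snort's `|..|` hex notation with a backslash-escaped colon in text; those semantics are an assumption, since the page does not document them. The rule subset embedded below is copied from the listing and wrapped in a constructed `<rules>` root because the page shows only a fragment, and the sample packets are constructed to show each option both matching and failing.

```python
import xml.etree.ElementTree as ET

# Constructed subset of the rules from the listing above, wrapped in a <rules> root.
# Tags the matcher never reads (srcip, ttl, flags, ...) are left out; missing tags
# are treated as empty, the same as the <x></x> form used in the file.
RULES_XML = r"""<rules>
<rule><proto>tcp</proto><srcport>any</srcport><dstport>23</dstport><dsize></dsize>
  <content><payload>rewt</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content>
  <msg>BACKDOOR MISC rewt attempt</msg></rule>
<rule><proto>tcp</proto><srcport>any</srcport><dstport>any</dstport><dsize></dsize>
  <content><payload>|F6 13 00 00|</payload><offset></offset><depth>4</depth><distance></distance><nocase></nocase></content>
  <msg>BACKDOOR poison ivy 2.1.2 runtime detection</msg></rule>
<rule><proto>tcp</proto><srcport>any</srcport><dstport>25</dstport><dsize></dsize>
  <content><payload>UEsDBAoA</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content>
  <content><payload>ojRrPyGt</payload><offset></offset><depth></depth><distance>8</distance><nocase></nocase></content>
  <msg>BLEEDING-EDGE VIRUS Mytob.X [clam] SMTP InOutbound</msg></rule>
<rule><proto>tcp</proto><srcport>any</srcport><dstport>80</dstport><dsize></dsize>
  <content><payload>User-Agent\: KUKU</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content>
  <msg>BLEEDING-EDGE Sality Virus User Agent Detected (KUKU v3.09)</msg></rule>
<rule><proto>tcp</proto><srcport>any</srcport><dstport>any</dstport><dsize>8</dsize>
  <content><payload>|99 9b 86 8a 85 80 9a 9d|</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content>
  <msg>BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes</msg></rule>
</rules>"""


def decode_payload(text):
    """Snort-style content string -> bytes: |..| spans are hex, the rest is literal
    text in which a backslash-escaped colon stands for ':' (assumed notation)."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2:                                  # odd-numbered parts sit inside |...|
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.replace("\\:", ":").encode("latin-1")
    return bytes(out)


def _text(node, tag, strip=True):
    child = node.find(tag)
    if child is None or child.text is None:
        return ""
    return child.text.strip() if strip else child.text


def _int_or_none(s):
    return int(s) if s else None


def parse_rules(xml_text):
    """Parse every <rule> element into a dict the matcher understands."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        contents = [{
            "pattern": decode_payload(_text(c, "payload", strip=False)),
            "offset": int(_text(c, "offset") or 0),
            "depth": _int_or_none(_text(c, "depth")),
            "distance": _int_or_none(_text(c, "distance")),
            "nocase": _text(c, "nocase").lower() == "true",
        } for c in r.findall("content")]
        rules.append({"proto": _text(r, "proto"), "srcport": _text(r, "srcport"),
                      "dstport": _text(r, "dstport"), "dsize": _int_or_none(_text(r, "dsize")),
                      "contents": contents, "msg": _text(r, "msg")})
    return rules


def find_content(payload, c, prev_end):
    """Return the index just past the match, or -1. Assumed semantics: offset is absolute
    from the payload start, distance is counted from the end of the previous content
    match, and depth limits how many bytes from that start point are searched."""
    start = prev_end + c["distance"] if c["distance"] is not None else c["offset"]
    end = len(payload) if c["depth"] is None else start + c["depth"]
    hay, needle = payload[start:end], c["pattern"]
    if c["nocase"]:
        hay, needle = hay.lower(), needle.lower()
    pos = hay.find(needle)
    return -1 if pos < 0 else start + pos + len(needle)


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def match_rule(rule, pkt):
    """Header checks first (proto, ports, exact dsize), then each <content> in order."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_port_ok(rule["srcport"], pkt["sport"]) and _port_ok(rule["dstport"], pkt["dport"])):
        return False
    if rule["dsize"] is not None and len(pkt["payload"]) != rule["dsize"]:
        return False
    prev_end = 0
    for c in rule["contents"]:
        prev_end = find_content(pkt["payload"], c, prev_end)
        if prev_end < 0:
            return False
    return True


def scan(rules, pkt):
    """Messages of every rule that fires on one packet."""
    return [r["msg"] for r in rules if match_rule(r, pkt)]


def packet(proto, sport, dport, payload):
    return {"proto": proto, "sport": sport, "dport": dport, "payload": payload}


# Constructed sample packets (ports and payloads invented for the demonstration).
SAMPLES = {
    "telnet_rewt":    packet("tcp", 40001, 23, b"login: rewt\r\n"),
    "pivy_first4":    packet("tcp", 40002, 3460, b"\xf6\x13\x00\x00" + b"\x00" * 60),
    "pivy_shifted":   packet("tcp", 40002, 3460, b"\x00\xf6\x13\x00\x00" + b"\x00" * 60),  # outside depth 4
    "mytob_gap8":     packet("tcp", 40003, 25, b"UEsDBAoA" + b"A" * 8 + b"ojRrPyGt"),
    "mytob_gap4":     packet("tcp", 40003, 25, b"UEsDBAoA" + b"A" * 4 + b"ojRrPyGt"),   # distance 8 not met
    "kuku_lowercase": packet("tcp", 40004, 80, b"GET / HTTP/1.1\r\nuser-agent: kuku v3.09\r\n\r\n"),
    "bandook_8bytes": packet("tcp", 40005, 6666, bytes.fromhex("999b868a85809a9d")),
}


def run_samples():
    rules = parse_rules(RULES_XML)
    return {name: scan(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:15} -> {hits or 'no alert'}")
```

Running the block prints one line per sample; the shifted Poison Ivy header and the Mytob payload with a 4-byte gap produce no alert, which is the point of `depth` and `distance`: they anchor a pattern to a position, so a signature such as four bytes at the very start of a stream does not fire on the same bytes appearing anywhere else. Note that the file's own `&first&` and `&SEXREPLY&` payloads need `&amp;` escaping before a conforming XML parser such as ElementTree will accept them.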
