rule.xml

一款轻量级的入侵检测系统 对于网页中的shellcode有一定的防范能力

<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>&b=</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>name=</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<msg>BLEEDING-EDGE TROJAN Win32.Lager Trojan Initial Checkin</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>80</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>/cp/rule.php?</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>v=</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>&b=</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>name=</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<msg>BLEEDING-EDGE TROJAN Win32.Lager Trojan Reporting</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>80</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>/sp/post.php</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>POST</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>data=</payload>
<offset></offset>
<depth>400</depth>
<distance></distance>
<nocase>true</nocase>
</content>
<msg>BLEEDING-EDGE TROJAN Win32.Lager Trojan Reporting Spam</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>any</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>Server\: nginx/0.</payload>
<offset>17</offset>
<depth>40</depth>
<distance></distance>
<nocase></nocase>
</content>
<content>
<payload>Content-Type\: text/html</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<content>
<payload>\:80\;255.255.255.255</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<msg>BLEEDING-EDGE TROJAN Possible Web-based DDoS-command being issued</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>80</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>options.cgi?user_id=</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>&version_id=</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>&passphrase=</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<msg>BLEEDING-EDGE TROJAN Orderjack Reporting User Activity</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>80</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>POST</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>php?</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>Content-Type: binary</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<content>
<payload>LLAH</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<msg>BLEEDING-EDGE TROJAN Prg Trojan v0.1-v0.3 Data Upload</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>80</srcport>
<dstport>any</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>HTTP</payload>
<offset></offset>
<depth>4</depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>|0D 0A 68 61 6C 6C 3A|</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<msg>BLEEDING-EDGE TROJAN Prg Trojan Server Reply</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>any</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>MZ</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<content>
<payload>|1D B9 F2 75 62 85 5A 4F 15 48 52 1D 50 90 41 89 37 9F FF 94 CE A6 3E 63 35 AB 29 6B 30 43 2F 45 46 B0 E1 C2 11 7F 0C 55 0F C7|</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<msg>BLEEDING-EDGE TROJAN Prg Trojan v0.1 Binary In Transit</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>any</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>MZ</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<content>
<payload>|13 B9 F2 75 62 85 5A 4F 15 48 19 1D 10 4F 0D 5B 04 5B 04 60 CE 5F 00 67 F5 AE 25 6B 20 41 23 B3|</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<msg>BLEEDING-EDGE TROJAN Prg Trojan v0.2 Binary In Transit</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>any</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>MZ</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<content>
<payload>|5E 7D 66 7D 28 40 19 88 5F 8C 13 50 15 59 08 58 3C 97 00 9B 33 A5 F9 AF 39 68 F0 9F 27 AF E9 A8 25 B7 18 B6 15 7F 0E B6 1A|</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<msg>BLEEDING-EDGE TROJAN Prg Trojan v0.3 Binary In Transit</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>80</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>.php?ut=</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>&idr=</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>&lang=</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>&ver=</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>&winver=</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<msg>BLEEDING-EDGE TROJAN PWS-LDPinch Reporting User Activity</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>26</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>From\: \"PC ID\:</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>Subject\: INFECTED</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<content>
<payload>esta infectado</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<msg>LEEDING-EDGE VIRUS PWS Banker Trojan Sending Report of Infection</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>80</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>User-Agent\: RookIE</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<msg>BLEEDING-EDGE TROJAN Generic Password Stealer User Agent Detected</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>25</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>postcard.gif.exe</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<msg>BLEEDING-EDGE VIRUS - Greeting card gif.exe email incoming SMTP</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>110</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>postcard.gif.exe</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<msg>BLEEDING-EDGE VIRUS - Greeting card gif.exe email incoming POP3</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>220</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>postcard.gif.exe</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<msg>BLEEDING-EDGE VIRUS - Greeting card gif.exe email incoming IMAP</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>80</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>postcard.gif.exe</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase>true</nocase>
</content>
<msg>BLEEDING-EDGE VIRUS - Greeting card gif.exe email incoming HTTP</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>80</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>User-Agent\: MyAgent</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<msg>BLEEDING-EDGE TROJAN Win32.Small.mi User-Agent Detected (MyAgent)</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>80</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>/snatch/module</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<content>
<payload>User-Agent: Snatch-System</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<msg>BLEEDING-EDGE TROJAN Snatch Reporting User Activity</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>any</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>|01 68 73 35 70 00 00|</payload>
<offset></offset>
<depth>7</depth>
<distance></distance>
<nocase></nocase>
</content>
<msg>BLEEDING-EDGE TROJAN SpamThru trojan peer exchange</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>any</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize>6</dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>XSMTPX</payload>
<offset></offset>
<depth></depth>
<distance></distance>
<nocase></nocase>
</content>
<msg>BLEEDING-EDGE TROJAN SpamThru trojan SMTP test successful</msg>
</rule>
<rule>
<proto>tcp</proto>
<srcip>any</srcip>
<dstip>any</dstip>
<srcport>any</srcport>
<dstport>any</dstport>
<direction>single</direction>
<ttl></ttl>
<tos></tos>
<identity></identity>
<dsize></dsize>
<flags></flags>
<seq></seq>
<ack></ack>
<windows></windows>
<content>
<payload>|01 68 73 35 70 00 01|</payload>
<