📄 rule.xml.bak
<windows></windows><content><payload>|01 00|</payload><offset>2</offset><depth>4</depth><distance></distance><nocase>true</nocase></content><content><payload>|00 0f 00 01|</payload><offset></offset><depth></depth><distance>8</distance><nocase>true</nocase></content><msg>BLEEDING-EDGE POLICY Possible Spambot -- Host DNS MX Query High Count</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>/getnumtemp.asp?nip=0</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE TROJAN Dialer</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>/perl/invoc_oneway.pl</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>?id_service=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&nom_exe=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&skin=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&id_produit=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE TROJAN Dialer-715 Install Checkin</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>User-agent\: 
cv_v</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE TROJAN Diazom Trojan User-Agent in Use (cv_v2.0.1)</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>/adload.php?a1=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>a3=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&a4=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&a5=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>Host\:</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE TROJAN Downloader-1355 Checking In</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>User-Agent\: IRC-U v</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U)</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>User-Agent\: linkrunner</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE TROJAN Clicker.BC User Agent Detected 
(linkrunner)</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>.php?p=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>?machineid=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&connection=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&iplan=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE TROJAN Dumador Reporting User Activity</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>rfe.php?</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>cmp=dun_tekfirst</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>guid=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>TROJAN Trojan.Duntek establishing remote connection</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>25</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>MAIL 
FROM:</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><content><payload>logs@logs.com</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE TROJAN - elitekeylogger v1.0 reporting - InOutbound</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>25</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>Subject\: Microsoft Windows</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>INFECTADO</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - INFECTADO</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>25</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>PC INFECTADO COM SUCCESSO</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - 
SUCCESSO</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>/ww20/script.php?id=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&config=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&config=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE TROJAN Unnamed Generic.Malware http get</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>User-Agent\: Rescue/9.11</payload><offset></offset><depth></depth><distance></distance><nocase></nocase></content><msg>BLEEDING-EDGE TROJAN Generic.Malware.SFL User-Agent (Rescue/9.11)</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>/sd.php</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE TROJAN Possible Goldun Dropsite 1</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>/fix.php</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE TROJAN 
Possible Goldun Dropsite 2</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>/fix.php</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE TROJAN Possible Goldun Dropsite 2</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>/reg?u=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&v=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&s=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&su=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&p=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE BOTNET HTTP Botnet 
reg</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>/update.php?port=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&checktime=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&uptime=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&result=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&localip=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>&id=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><content><payload>$hash=</payload><offset></offset><depth></depth><distance></distance><nocase>true</nocase></content><msg>BLEEDING-EDGE BOTNET BwB Botnet Checkin</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize><flags></flags><seq></seq><ack></ack><windows></windows><content><payload>|47 45 54 20 2F 72 65 67 3F 75 3D|</payload><offset></offset><depth>11</depth><distance></distance><nocase></nocase></content><content><payload>|26 76 3D|</payload><offset></offset><depth></depth><distance>8</distance><nocase></nocase></content><msg>BLEEDING-EDGE TROJAN Possible Bobax trojan infection</msg></rule><rule><proto>tcp</proto><srcip>any</srcip><dstip>any</dstip><srcport>any</srcport><dstport>80</dstport><direction>single</direction><ttl></ttl><tos></tos><identity></identity><dsize></dsize>