📄 backdoor.rules
# backdoor.rules (excerpt) -- Snort 2 signatures for known backdoor / RAT traffic.
# Layout note: the original was collapsed onto a few physical lines; it is shown here one rule per line.
# Conventions visible in this file:
#   - "flowbits:set,...; flowbits:noalert;" rules are the first half of a two-step chain and never alert
#     on their own; the matching "flowbits:isset,..." rule is the one that fires. Where the setter is
#     not in this excerpt, the isset rule will never fire unless the setter is loaded elsewhere.
#   - "metadata:policy ... drop" only applies when the rule is loaded into the named inline policy.
#   - Every "depth:N" below is >= the length of the content it bounds, so none of them silently
#     prevents a match.

# FsSniffer / RemoteNC: outbound from $HOME_NET; matches the literal password prompt string.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:4;)
# DoomJuice / mydoom.a: 5-byte header on the 3127-3199 port range the worm's backdoor listens on.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"BACKDOOR DoomJuice/mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:6;)
# sensepost.exe: HTTP URI match (uricontent, case-insensitive) against web servers.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BACKDOOR sensepost.exe command shell attempt"; flow:to_server,established; uricontent:"/sensepost.exe"; nocase; metadata:policy security-ips drop; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:12;)
# RUX the Tick (port 22222): three independent command-keyword rules, each anchored by depth to the start of payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get windows directory attempt"; flow:to_server,established; content:"WINDIR"; depth:6; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3010; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get system directory attempt"; flow:to_server,established; content:"SYSDIR"; depth:6; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3011; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick upload/execute arbitrary file attempt"; flow:to_server,established; content:"ABCJZDATEIV"; depth:11; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3012; rev:3;)
# Asylum 0.1 (port 23432): two-step chain. sid 3013 sets backdoor.asylum.connect silently; sid 3014 alerts on the server's reply.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"BACKDOOR Asylum 0.1 connection request"; flow:to_server,established; content:"RQS"; depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3013; rev:4;)
alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"BACKDOOR Asylum 0.1 connection established"; flow:from_server,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3014; rev:5;)
# Insane Network 4.0: same 62-byte banner on two server ports (2000 and 63536); depth:62 equals the banner length exactly.
alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3015; rev:5;)
alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established port 63536"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3016; rev:5;)
# Vampire 1.2 (port 1020): two-step chain on backdoor.vampire_12.connect; only the server confirmation (sid 3064) alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"BACKDOOR Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; sid:3063; rev:3;)
alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"BACKDOOR Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; metadata:policy security-ips drop; classtype:misc-activity; sid:3064; rev:3;)
# Y3KRAT 1.5 (port 5880): three-step chain. 3081 sets ..connect (server "connected"), 3082 requires it and sets
# ..client.response (client "getclient"), 3083 requires ..client.response and is the only one that alerts.
# Note: sid 3083 writes "flow:from_server, established" with a space after the comma, unlike every other
# rule here; Snort's flow parser tolerates the space, so this is a consistency nit rather than a defect.
alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connect"; flow:from_server,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3081; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; flowbits:isset,backdoor.y3krat_15.connect; content:"getclient"; depth:9; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3082; rev:4;)
alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:from_server, established; flowbits:isset,backdoor.y3krat_15.client.response; content:"client"; depth:7; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3083; rev:5;)
# BackOrifice 2000 (port 31337): no depth, so the 4-byte content is searched anywhere in the payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; metadata:policy security-ips drop; classtype:trojan-activity; sid:3155; rev:3;)
# Amanda 2.0 / Crazzy Net 5.0: single-rule server banner matches on fixed source ports.
alert tcp $HOME_NET 23032 -> $EXTERNAL_NET any (msg:"BACKDOOR Amanda 2.0 connection established"; flow:from_server,established; content:"Connected To Amanda 2.0"; depth:23; metadata:policy security-ips drop; classtype:trojan-activity; sid:3635; rev:3;)
alert tcp $HOME_NET 17499 -> $EXTERNAL_NET any (msg:"BACKDOOR Crazzy Net 5.0 connection established"; flow:from_server,established; content:"Crazzynet"; depth:9; metadata:policy security-ips drop; classtype:trojan-activity; sid:3636; rev:2;)
# amiboide uploader (port 1204): tab-separated (|09|) init string, depth:23 equals its length.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1204 (msg:"BACKDOOR amiboide uploader runtime detection - init connection"; flow:to_server,established; content:"23L'esclave|09|49152|09|65535"; depth:23; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088579; classtype:trojan-activity; sid:6076; rev:2;)
# alvgus 2000 (UDP 27184): two silent setters (Alvgus_ExecuteCommand, Alvgus_CheckServer); their isset
# consumers are not in this excerpt. Both share the identical msg text, so alert output alone cannot
# tell 6101 from 6097 -- operators must key on the sid.
alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"fe"; depth:2; nocase; flowbits:set,Alvgus_ExecuteCommand; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6101; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"st"; depth:2; nocase; flowbits:set,Alvgus_CheckServer; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6097; rev:3;)
# cookie monster 0.24 (port 6969): requires CookieMonster_GetVersionInfo (setter not in this excerpt).
# The chained content/distance:0 matches are fast-pattern prefilters for the pcre that enforces the full phrase.
alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR cookie monster 0.24 runtime detection - get version info"; flow:from_server,established; flowbits:isset,CookieMonster_GetVersionInfo; content:"Cookie"; content:"Monster"; distance:0; content:"server"; distance:0; content:"engine"; distance:0; pcre:"/Cookie\s+Monster\s+server\s+engine/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262; classtype:trojan-activity; sid:6172; rev:2;)
# mantis: middle link of a chain -- requires Mantis_Notify1 and silently sets Mantis_Notify2; neither neighbour is in this excerpt.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR mantis runtime detection - sent notify option server-to-client"; flow:from_server,established; flowbits:isset,Mantis_Notify1; content:"sendsubject"; depth:11; nocase; flowbits:set,Mantis_Notify2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6145; rev:4;)
# fear 0.2: silent setter for fear_0_2.conn.1; consumer not in this excerpt.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR fear 0.2 runtime detection - initial connection"; flow:from_server,established; content:"QTAze1l9"; depth:8; nocase; flowbits:set,fear_0_2.conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6044; rev:3;)
# dagger v1.1.40 (port 2589): requires backdoor.dagger.1.1.40.conn (setter not in this excerpt); 8-byte binary prefix + "Yes".
alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any (msg:"BACKDOOR dagger v1.1.40 runtime detection"; flow:from_server,established; flowbits:isset,backdoor.dagger.1.1.40.conn; content:"|07 00 00 00 03 00 00 00|Yes"; depth:11; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1641; classtype:trojan-activity; sid:6109; rev:2;)
# netraider 0.0 (port 57341): requires backdoor.netraider.0.0.runtime (setter not in this excerpt).
alert tcp $HOME_NET 57341 -> $EXTERNAL_NET any (msg:"BACKDOOR netraider 0.0 runtime detection"; flow:from_server,established; flowbits:isset,backdoor.netraider.0.0.runtime; content:"NSServer-sPISPJ99"; depth:17; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/n/netraider/Netraider0.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3979; classtype:trojan-activity; sid:6181; rev:2;)
# dsk lite 1.0: source port range 800 and up; requires DSK_Lite_1.0_TCP (setter not in this excerpt).
alert tcp $HOME_NET 800: -> $EXTERNAL_NET any (msg:"BACKDOOR dsk lite 1.0 runtime detection - disconnect"; flow:from_server,established; flowbits:isset,DSK_Lite_1.0_TCP; content:"disconnect"; depth:10; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6017; rev:3;)
# fun factory (port 8799): requires FunFactory_conn (setter not in this excerpt); pcre anchors the string to payload start.
alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"BACKDOOR fun factory runtime detection - connect"; flow:from_server,established; flowbits:isset,FunFactory_conn; content:"100013Agentsvr^^Merlin"; nocase; pcre:"/^100013Agentsvr\x5E\x5EMerlin/smi"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6048; rev:3;)
# chupacabra 1.0 (port 13473): "delete\" command prefix (|5C| is the backslash).
alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"BACKDOOR chupacabra 1.0 runtime detection - delete file"; flow:to_server,established; content:"delete|5C|"; depth:7; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6134; rev:2;)
# optix 1.32: requires back.optix.1.32.conn.2 (setter not in this excerpt); pcre allows any version number between "Pro v" and "Connected".
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR optix 1.32 runtime detection - init conn"; flow:from_server,established; flowbits:isset,back.optix.1.32.conn.2; content:"001|AC|Optix"; depth:9; nocase; content:"Pro"; distance:0; nocase; content:"Connected"; distance:0; nocase; content:"Successfully!"; distance:0; nocase; pcre:"/^001\xACOptix\s+Pro\s+v\d+\x2E\d+\s+Connected\s+Successfully\x21/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6113; rev:2;)
# nuclear rat v6_21: 26-byte opaque binary prefix, depth:26 equals its length.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR nuclear rat v6_21 runtime detection"; flow:from_server,established; content:"|C2 C5 CD C4 FD F9 FF 86 E4 9A F8 FF E5 9B 98 E5 FC E1 FD A9 FC C2 C5 99 C0 A9|"; depth:26; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077717; classtype:trojan-activity; sid:6024; rev:2;)
# autospy (port 3505): silent setters for AutoSpy_MakeDirectory / AutoSpy_GetInformation (sid 6085 here, sid 6077 at the end); consumers not in this excerpt.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"BACKDOOR autospy runtime detection - make directory"; flow:to_server,established; content:"mkdir"; depth:5; flowbits:set,AutoSpy_MakeDirectory; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6085; rev:2;)
# optixlite 1.0 ICQ notification: outbound HTTP; five independent uricontent matches on form fields (no ordering enforced between them).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR optixlite 1.0 runtime detection - icq notification"; flow:to_server,established; uricontent:"from=Optix+Lite"; nocase; uricontent:"fromemail="; nocase; uricontent:"subject=From+Optix+Lite"; nocase; uricontent:"body="; nocase; uricontent:"to="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:6069; rev:2;)
# neurotickat 1.3 (port 831): silent setter for neurotickat.1; consumer not in this excerpt. Note the content includes the trailing space ("VER ").
alert tcp $EXTERNAL_NET any -> $HOME_NET 831 (msg:"BACKDOOR neurotickat1.3 runtime detection - initial connection"; flow:to_server,established; content:"VER "; depth:4; nocase; flowbits:set,neurotickat.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6060; rev:3;)
# dkangel SMTP exfil: outbound to port 25; requires DKangel_Email (setter not in this excerpt). No depth, so "yyt_hac" is searched anywhere.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BACKDOOR dkangel runtime detection - smtp"; flow:to_server,established; flowbits:isset,DKangel_Email; content:"yyt_hac"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6126; rev:3;)
# xhx 1.6 (port 7648): silent setter for xhx_cts; consumer not in this excerpt.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7648 (msg:"BACKDOOR xhx 1.6 runtime detection - initial connection client-to-server"; flow:to_server,established; content:"UAIIA"; depth:5; nocase; content:"XHX"; distance:0; nocase; content:"YANER"; distance:0; nocase; pcre:"/^UAIIA\s+XHX\s+YANER/smi"; flowbits:set,xhx_cts; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/x/xhx/Xhx1.60.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084140; classtype:trojan-activity; sid:6074; rev:3;)
# optixlite 1.0 connection success: ephemeral source ports (1024:); requires optixlite_suc_conn_cts (setter not in this excerpt).
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR optixlite 1.0 runtime detection - connection success server-to-client"; flow:from_server,established; flowbits:isset,optixlite_suc_conn_cts; content:"password"; depth:8; nocase; content:"Optix"; distance:0; nocase; content:"Lite"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"Ready"; distance:0; nocase; pcre:"/^password\x3B1\x3BOptix\s+Lite\s+Server\s+Ready/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:6066; rev:4;)
# neurotickat 1.3 ICQ notification: outbound HTTP; the pcre ties the host, password and version fields together in one request line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR neurotickat1.3 runtime detection - icq notification"; flow:to_server,established; uricontent:"Uin="; nocase; uricontent:"Name=The+Hosts+port+is"; nocase; uricontent:"Name=Your+Host+is"; nocase; uricontent:"Send=yes"; nocase; pcre:"/Name=Your\+Host\+is\x3A[^\r\n]*\+The\+password\+is\x3A[^\r\n]*\+Version\+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6058; rev:2;)
# autospy (port 3505): second silent setter, AutoSpy_GetInformation; consumer not in this excerpt.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"BACKDOOR autospy runtime detection - get information"; flow:to_server,established; content:"info"; depth:4; flowbits:set,AutoSpy_GetInformation; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6077; rev:2;)