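# backdoor.rules -- Snort signatures for backdoor / remote-access-trojan runtime traffic.
#
# Maintainer notes:
#  * One rule per line. Snort parses rule files line by line, so rules must never be run
#    together or split across lines as they were in the copy this was restored from
#    (")alert tcp ..." on one line, "metadata:policy " / "security-ips drop;" on two).
#  * Many detections here are two-stage. A setter rule carrying
#    "flowbits:set,<name>; flowbits:noalert;" never raises an alert by itself; only the
#    rule with "flowbits:isset,<name>" fires. Disabling a setter silently disables its
#    consumer, and several consumers below reference flowbits whose setter is NOT in this
#    excerpt (fkwp_conn_cts, Alvgus_CheckServer, DSK_Lite_1.0_TCP, xhx_cts, neurotickat.1,
#    AutoSpy_ShowAutoSpy, AutoSpy_GetInformation, Dirtxt_Info, fear_0_2.conn.1,
#    bifrose.rev_conn.1, A_Trojan_InitConnection) -- keep the whole file together.
#  * The rule action is "alert"; "metadata:policy security-ips drop" only turns these into
#    drops where the security-ips policy is applied inline. In IDS mode they alert only.
#  * content literals are the malware's wire strings. Apparent misspellings such as
#    "Resoltutione" (sid 6119), "gotoadres" (sid 6147) and "conec" (sid 6088) are
#    deliberate and must not be "corrected" -- doing so breaks the detection.
#  * "threshold:" as a rule option (sids 6107, 6127) is deprecated in later Snort 2.x
#    releases in favour of event_filter / detection_filter. It still loads, but migrate
#    it when the ruleset is next revised.

# fkwp 2.0 -- consumers of fkwp_conn_cts (setter outside this excerpt). "SUC" = success, "FAI" = failure reply.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR fkwp 2.0 runtime detection - connection success"; flow:from_server,established; flowbits:isset,fkwp_conn_cts; content:"SUC"; depth:3; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=815; classtype:trojan-activity; sid:6033; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12566 (msg:"BACKDOOR clindestine 1.0 runtime detection - capture small screen"; flow:to_server,established; content:"small"; depth:5; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6137; rev:2;)
# netraider -- setter only (noalert); its consumer is outside this excerpt.
alert tcp $EXTERNAL_NET any -> $HOME_NET 57341 (msg:"BACKDOOR netraider 0.0 runtime detection"; flow:to_server,established; content:"NSClient-sPISPJ99"; depth:17; nocase; flowbits:set,backdoor.netraider.0.0.runtime; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/n/netraider/Netraider0.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3979; classtype:trojan-activity; sid:6180; rev:2;)
# alvgus 2000 (UDP 27184). sid 6099 sets Alvgus_ViewDirectory on a two-byte "di"; it is
# noalert, so the weak match only gates sid 6100, whose anchored pcre does the real work.
alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"BACKDOOR alvgus 2000 runtime detection - check server"; flow:to_client; flowbits:isset,Alvgus_CheckServer; content:"stAlvgus"; depth:8; nocase; content:"Trojan"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"2000"; distance:0; nocase; pcre:"/^stAlvgus\'s\s+Trojan\s+Server\s+2000/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6098; rev:3;)
# fun factory (TCP 8799). sid 6049 (client->server, noalert) gates sid 6050 (server reply);
# sid 6051 is a separate setter whose consumer is outside this excerpt.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"BACKDOOR fun factory runtime detection - upload"; flow:to_server,established; content:"|AB 86 01 00 12 00 00 00|"; flowbits:set,FunFactory_upload; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6049; rev:3;)
# a trojan 2.0. sid 6091 (request "infhd", noalert) gates sid 6092 (reply); sid 6088 consumes
# A_Trojan_InitConnection, whose setter is outside this excerpt.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection - get harddisk info"; flow:from_server,established; flowbits:isset,A_Trojan_GetHarddiskInfo; content:"infhd"; depth:5; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6092; rev:2;)
alert tcp $HOME_NET 9999 -> $EXTERNAL_NET any (msg:"BACKDOOR forced entry v1.1 beta runtime detection"; flow:from_server,established; content:"ForCed"; depth:6; nocase; content:"EnTrY"; distance:0; nocase; content:"|0D 0A 0D 0A 0D 0A|Connection"; distance:0; nocase; content:" Stable"; distance:0; nocase; pcre:"/^ForCed\s+EnTrY\s+\d+\x2E\d+\x2E\d+\x0D\x0A\x0D\x0A\x0D\x0AConnection\s+Stable/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=2160; classtype:trojan-activity; sid:6110; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"BACKDOOR netshadow runtime detection"; flow:to_server,established; content:"AJust"; nocase; content:"server"; distance:0; nocase; pcre:"/^\d+\x0dAJust\s+a\s+server\x00[^\r\n]*\x00\d+\.\d+\.\d+\.\d+\x00/smi"; metadata:policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.netshadow.html; reference:url,www.megasecurity.org/trojans/n/netshadow/Netshadow_a.html; classtype:trojan-activity; sid:6027; rev:2;)
alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"BACKDOOR fun factory runtime detection - upload"; flow:from_server,established; flowbits:isset,FunFactory_upload; content:"100011"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6050; rev:3;)
# dirtxt (UDP 4950). sid 6156 is a noalert setter; sid 6155 consumes Dirtxt_Info (setter outside this excerpt).
alert udp $EXTERNAL_NET any -> $HOME_NET 4950 (msg:"BACKDOOR dirtxt runtime detection - view client-to-server"; flow:to_server; content:"view"; depth:4; nocase; flowbits:set,Dirtxt_View; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6156; rev:5;)
alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"BACKDOOR alvgus 2000 runtime detection - view content of directory"; flow:to_client; flowbits:isset,Alvgus_ViewDirectory; content:"diGetting"; depth:9; nocase; content:"content"; distance:0; nocase; content:"directory"; distance:0; nocase; pcre:"/^diGetting\s+content\s+of\s+directory\x3A/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6100; rev:3;)
# fear 0.2 -- handshake state machine: requires conn.1 (set outside this excerpt), advances
# to conn.2 and clears conn.1. Noalert; the final stage alerts elsewhere.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR fear 0.2 runtime detection - initial connection"; flow:to_server,established; flowbits:isset,fear_0_2.conn.1; content:"QTAz"; depth:4; nocase; flowbits:set,fear_0_2.conn.2; flowbits:noalert; flowbits:unset,fear_0_2.conn.1; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6045; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2589 (msg:"BACKDOOR dagger v1.1.40 runtime detection"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:15; nocase; flowbits:set,backdoor.dagger.1.1.40.conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1477; classtype:trojan-activity; sid:6108; rev:2;)
alert tcp $HOME_NET 800: -> $EXTERNAL_NET any (msg:"BACKDOOR dsk lite 1.0 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,DSK_Lite_1.0_TCP; content:"connect|3B|"; depth:8; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6016; rev:3;)
# xhx 1.6 -- the two-byte " [" is only acceptable because xhx_cts must already be set.
alert tcp $HOME_NET 7648 -> $EXTERNAL_NET any (msg:"BACKDOOR xhx 1.6 runtime detection - initial connection server-to-client"; flow:from_server,established; flowbits:isset,xhx_cts; content:" ["; depth:2; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/x/xhx/Xhx1.60.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084140; classtype:trojan-activity; sid:6075; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"BACKDOOR chupacabra 1.0 runtime detection"; flow:to_server,established; content:"getowner"; depth:8; flowbits:set,Chupacabra_GetComputerName; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6129; rev:2;)
# neurotickat 1.3 (TCP 831): neurotickat.1 (outside this excerpt) -> sid 6061 sets .2 -> sid 6062 alerts.
# sid 6059 is an independent HTTP notification check on $HTTP_PORTS.
alert tcp $EXTERNAL_NET any -> $HOME_NET 831 (msg:"BACKDOOR neurotickat1.3 runtime detection - initial connection"; flow:to_server,established; flowbits:isset,neurotickat.1; content:"FTPON"; nocase; content:"TIME"; distance:0; nocase; pcre:"/FTPON\d+\s+TIME\d+\s+/smi"; flowbits:set,neurotickat.2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6061; rev:3;)
alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"BACKDOOR autospy runtime detection - show autospy"; flow:from_server,established; flowbits:isset,AutoSpy_ShowAutoSpy; content:"autoSpY shown"; depth:13; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6080; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR neurotickat1.3 runtime detection - cgi notification"; flow:to_server,established; uricontent:"action="; nocase; uricontent:"ip="; nocase; uricontent:"port="; nocase; uricontent:"win="; nocase; uricontent:"pass="; nocase; uricontent:"connection="; nocase; uricontent:"id=NEUROTICKA"; nocase; uricontent:"s7pass="; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6059; rev:2;)
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BACKDOOR hellzaddiction v1.0e runtime detection - ftp open"; flow:from_server,established; content:"220 HellzAddiction FTP server."; depth:30; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076338; classtype:trojan-activity; sid:6142; rev:2;)
# psyrat 1.0 -- sid 6164 ("GOODPWD", any->any, noalert) gates sid 6165 ("PsyRAT_10A").
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR psyrat 1.0 runtime detection"; flow:from_server,established; content:"GOODPWD"; depth:7; nocase; flowbits:set,backdoor.psyrat.runtime.detection; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/p/psyrat/Psyrat1.0.html; classtype:trojan-activity; sid:6164; rev:2;)
alert udp $HOME_NET 4950 -> $EXTERNAL_NET any (msg:"BACKDOOR dirtxt runtime detection - info server-to-client"; flow:to_client; flowbits:isset,Dirtxt_Info; content:"info"; depth:4; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6155; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"BACKDOOR cookie monster 0.24 runtime detection"; flow:to_server,established; content:"ver|0D 0A|"; depth:5; flowbits:set,CookieMonster_GetVersionInfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6171; rev:2;)
# mantis -- sids 6147 and 6144 are noalert setters (Mantis_GotoAdress / Mantis_Notify1);
# their consumers are outside this excerpt.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR mantis runtime detection - go to address client-to-server"; flow:to_server,established; content:"gotoadres"; depth:9; nocase; flowbits:set,Mantis_GotoAdress; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6147; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 50766 (msg:"BACKDOOR fore v1.0 beta runtime detection - init conn"; flow:to_server,established; content:"access flatboost6302"; depth:20; nocase; flowbits:set,back.fore.v1.0.conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086922; classtype:trojan-activity; sid:6116; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection"; flow:to_server,established; content:"infhd"; depth:5; flowbits:set,A_Trojan_GetHarddiskInfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6091; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR freak 1.0 runtime detection - icq notification"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; content:"from=FrEaK_ViCTiM"; nocase; content:"fromemail=FrEaK"; nocase; content:"subject=FrEaK+SERVER"; nocase; content:"body="; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/freak/Freak1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6071; rev:2;)
# backage 3.1 -- rate-limited to one alert per source per 600 s via the deprecated "threshold:" option.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR backage 3.1 runtime detection"; flow:to_server,established; content:"ExecuteUnloadAll"; depth:16; nocase; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1186; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=698; classtype:trojan-activity; sid:6107; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR coolcat runtime connection detection - tcp 1"; flow:to_server,established; content:"testforconnection|0D 0A|"; depth:19; nocase; flowbits:set,CoolCat.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=555; classtype:trojan-activity; sid:6012; rev:3;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR fkwp 2.0 runtime detection - connection attempt server-to-client"; flow:from_server,established; flowbits:isset,fkwp_conn_cts; content:"FAI"; depth:3; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=815; classtype:trojan-activity; sid:6031; rev:3;)
# net runner (TCP 1023) -- sid 6118 (noalert) gates sid 6119.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1023 (msg:"BACKDOOR net runner runtime detection - initial connection client-to-server"; flow:to_server,established; content:"|0E|Get Resolution"; depth:15; nocase; flowbits:set,NetRunner_Init_Connection; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6118; rev:4;)
alert tcp $HOME_NET 33812 -> $EXTERNAL_NET any (msg:"BACKDOOR back attack v1.4 runtime detection"; flow:from_server,established; content:" You"; depth:4; nocase; content:"are"; distance:0; nocase; content:"now"; distance:0; nocase; content:"connected"; distance:0; nocase; content:"to"; distance:0; nocase; content:"an"; distance:0; nocase; content:"BackAtTaCk"; distance:0; nocase; content:"server"; distance:0; nocase; pcre:"/You\s+are\s+now\s+connected\s+to\s+an\s+BackAtTaCk\s+server/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074438; classtype:trojan-activity; sid:6151; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"di"; depth:2; nocase; flowbits:set,Alvgus_ViewDirectory; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6099; rev:3;)
alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"BACKDOOR autospy runtime detection - get information"; flow:from_server,established; flowbits:isset,AutoSpy_GetInformation; content:"Product Name"; depth:12; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6078; rev:2;)
# optix 1.32 -- " |0D 0A|" on any->any is a very weak match; it is tolerable only because
# the rule is a noalert setter. Never remove the noalert without tightening the content.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR optix 1.32 runtime detection - init conn"; flow:from_server,established; content:" |0D 0A|"; depth:3; nocase; flowbits:set,back.optix.1.32.conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6111; rev:2;)
# dkangel (UDP 445) -- rate-limited per source via the deprecated "threshold:" option.
alert udp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"BACKDOOR dkangel runtime detection - udp client-to-server"; flow:to_server; content:"This is made by yyt_hac!"; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6127; rev:4;)
# schwindler 1.82 -- three-byte "ver" is a noalert setter only; consumer outside this excerpt.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21212 (msg:"BACKDOOR schwindler 1.82 runtime detection"; flow:to_server,established; content:"ver"; depth:3; nocase; flowbits:set,schwindler; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5287; classtype:trojan-activity; sid:6063; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"BACKDOOR fun factory runtime detection - set volume"; flow:to_server,established; content:"|B0 86 01 00 01 00 00 00|0"; flowbits:set,FunFactory_volume; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6051; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR psyrat 1.0 runtime detection"; flow:from_server,established; flowbits:isset,backdoor.psyrat.runtime.detection; content:"PsyRAT_10A"; depth:10; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/p/psyrat/Psyrat1.0.html; classtype:trojan-activity; sid:6165; rev:2;)
# bifrose 1.1 -- reverse-connection state machine: rev_conn.1 (set outside this excerpt) -> rev_conn.2.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR bifrose 1.1 runtime detection"; flow:from_server,established; flowbits:isset,bifrose.rev_conn.1; content:"|02 00 00 00|4x"; flowbits:set,bifrose.rev_conn.2; flowbits:noalert; flowbits:unset,bifrose.rev_conn.1; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1464; classtype:trojan-activity; sid:6056; rev:3;)
alert tcp $HOME_NET 831 -> $EXTERNAL_NET any (msg:"BACKDOOR neurotickat1.3 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,neurotickat.2; content:"One"; nocase; content:"more"; distance:0; nocase; content:"step"; distance:0; nocase; content:"until"; distance:0; nocase; content:"connection."; distance:0; nocase; pcre:"/One\s+more\s+step\s+until\s+connection\x2E/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6062; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR mantis runtime detection - sent notify option client-to-server 1"; flow:to_server,established; content:"notifuin"; depth:8; nocase; flowbits:set,Mantis_Notify1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6144; rev:4;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR minicommand runtime detection - directory listing server-to-client"; flow:from_server,established; content:"minicommand"; nocase; content:"fileserver"; distance:0; nocase; content:"ready"; distance:0; nocase; pcre:"/minicommand\s+fileserver\s+ready\.\r\n/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075932; classtype:trojan-activity; sid:6036; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection - init connection"; flow:to_server,established; flowbits:isset,A_Trojan_InitConnection; content:"conec"; depth:5; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6088; rev:2;)
# silent spy 2.10 -- no flowbit gating; relies on the "+---|...|---+" framing pcre. Note the
# direction: the external host is the server side (flow:from_server on $EXTERNAL_NET 4226).
alert tcp $EXTERNAL_NET 4226 -> $HOME_NET any (msg:"BACKDOOR silent spy 2.10 command response port 4226"; flow:from_server,established; content:"+---|7C|"; content:"|7C|---+"; distance:0; pcre:"/\x2B\x2D{3}\x7C[^\r\n]*\x7C\x2D{3}\x2B/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073048; classtype:trojan-activity; sid:6022; rev:4;)
# "Resoltutione" is the backdoor's actual reply string -- do not spell-correct it.
alert tcp $HOME_NET 1023 -> $EXTERNAL_NET any (msg:"BACKDOOR net runner runtime detection - initial connection server-to-client"; flow:from_server,established; flowbits:isset,NetRunner_Init_Connection; content:"|0F|New Resoltutione"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6119; rev:4;)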