
📄 backdoor.rules

📁 This is a snapshot of the latest Snort rules
# backdoor.rules (excerpt) - Snort "BACKDOOR" runtime-detection signatures for
# legacy remote-access trojans. Every rule on this page carries
# `metadata:policy security-ips drop` and `classtype:trojan-activity`.
#
# Most detections are two-stage flowbits state machines:
#   stage 1: `flowbits:set,<name>; flowbits:noalert;` - marks the session, emits no event
#   stage 2: `flowbits:isset,<name>` - the rule that actually alerts
# Stage-1 rules often match only a 2-7 byte token, which is acceptable only because
# `noalert` gates them; do not strip `noalert` or disable one half of a pair in
# isolation - dropping the set rule makes the isset rule unreachable, dropping the
# isset rule silently removes the detection. Several flowbits below have their
# partner rule outside this excerpt (noted per rule).
#
# NOTE(review): `uricontent` and the `threshold` rule option are legacy forms; newer
# Snort releases prefer `content` + `http_uri` and `detection_filter`/event_filter.
# Confirm against the deployed engine version before relying on these as-is.
#
# This excerpt is page 1 of a multi-page snapshot and ends mid-rule (see last line).

# fkwp 2.0 - stage 1 (sets fkwp_conn_cts); isset partner is not on this page
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR fkwp 2.0 runtime detection - connection attempt client-to-server"; flow:to_server,established; content:"AUTH"; depth:4; nocase; flowbits:set,fkwp_conn_cts; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=815; classtype:trojan-activity; sid:6030; rev:4;)
# autospy - stage 2 for AutoSpy_ShowNudePicture (set by sid:6081 below); server replies from port 3505
alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"BACKDOOR autospy runtime detection - show nude pic"; flow:from_server,established; flowbits:isset,AutoSpy_ShowNudePicture; content:"nude Raider pic"; depth:15; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6082; rev:2;)
# fear 0.2 - outbound HTTP "phone home" notification; the pcre matches the URL-encoded body (\x25 is '%')
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR fear 0.2 runtime detection - php notification"; flow:to_server,established; uricontent:"body=FeaR"; nocase; pcre:"/body=FeaR\x25200\x2E2\x2E0\x2520Online\x3A\x2520\x5BIP_\d+\x2E\d+\x2E\d+\x2E\d+\x5D\x2520\x5BPort_/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6042; rev:2;)
# unicorn - single-stage; server banner from port 666 containing a dotted-quad in parentheses
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR unicorn runtime detection - initial connection"; flow:from_server,established; content:"Connected to"; depth:12; nocase; pcre:"/^Connected\s+to\s+[^\r\n]*\x28\d+\.\d+\.\d+\.\d+\x29/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1506; classtype:trojan-activity; sid:6166; rev:2;)
# fore v1.0 beta - stage 2 (isset back.fore.v1.0.conn.1); set partner is not on this page
alert tcp $HOME_NET 50766 -> $EXTERNAL_NET any (msg:"BACKDOOR fore v1.0 beta runtime detection - init conn"; flow:from_server,established; flowbits:isset,back.fore.v1.0.conn.1; content:"access ok "; depth:10; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086922; classtype:trojan-activity; sid:6117; rev:2;)
# alvgus 2000 - stage 2 for Alvgus_DownloadFile (set by sid:6105 below); UDP, so flow:to_client without 'established'
alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"BACKDOOR alvgus 2000 runtime detection - download file"; flow:to_client; flowbits:isset,Alvgus_DownloadFile; content:"tfTransferring"; depth:14; nocase; content:"file"; distance:0; nocase; content:"from"; distance:0; nocase; pcre:"/^tfTransferring\s+file\s+from\x3A/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6106; rev:3;)
# autospy - stage 1 (sets AutoSpy_ShowAutoSpy); isset partner is not on this page
alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"BACKDOOR autospy runtime detection - show autospy"; flow:to_server,established; content:"frmauto"; depth:7; flowbits:set,AutoSpy_ShowAutoSpy; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6079; rev:2;)
# netcontrol v1.0.8 - stage 2 (isset backdoor.netcontro.1.0.8.conn); set partner is not on this page
alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR netcontrol v1.0.8 runtime detection"; flow:from_server,established; flowbits:isset,backdoor.netcontro.1.0.8.conn; content:"con1.08"; depth:7; nocase; metadata:policy security-ips drop; reference:url,www.system-help.com/spyware/netcontrol/; classtype:trojan-activity; sid:6150; rev:2;)
# bifrose 1.1 - stage 2 (isset bifrose.rev_conn.2, set elsewhere); clears the bit after alerting so the session alerts once
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR bifrose 1.1 runtime detection"; flow:to_server,established; flowbits:isset,bifrose.rev_conn.2; content:"|02 00 00 00 90|x"; flowbits:unset,bifrose.rev_conn.2; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1464; classtype:trojan-activity; sid:6057; rev:3;)
# fade 1.0 - outbound HTTP notification identified by four URI parameters
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR fade 1.0 runtime detection - notification"; flow:to_server,established; uricontent:"win="; nocase; uricontent:"rpass="; nocase; uricontent:"ServerType=Fade"; nocase; uricontent:"id="; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076292; classtype:trojan-activity; sid:6039; rev:2;)
# cookie monster 0.24 - stage 1 (sets CookieMonster_FileExplorer); stage 2 is sid:6174 below
alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"BACKDOOR cookie monster 0.24 runtime detection"; flow:to_server,established; content:"ls|0D 0A|"; depth:4; flowbits:set,CookieMonster_FileExplorer; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6173; rev:2;)
# optixlite 1.0 - stage 2 (isset optixlite_suc_conn_cts, set elsewhere); alerts on the "Incorrect password" reply
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR optixlite 1.0 runtime detection - connection failure server-to-client"; flow:from_server,established; flowbits:isset,optixlite_suc_conn_cts; content:"password"; depth:8; nocase; pcre:"/^password\x3B0\x3BIncorrect\s+password/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:6068; rev:5;)
# dirtxt - stage 2 (isset Dirtxt_View, set elsewhere)
alert udp $HOME_NET 4950 -> $EXTERNAL_NET any (msg:"BACKDOOR dirtxt runtime detection - view server-to-client"; flow:to_client; flowbits:isset,Dirtxt_View; content:"view"; depth:4; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6157; rev:5;)
# tequila bandita 1.2 - single-stage; reverse connection from the victim to an external high port
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"BACKDOOR tequila bandita 1.2 runtime detection - reverse connection"; flow:to_server,established; content:"|07|LAN|07|Win"; depth:28; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/t/toquitobandito/Tequilabandita1.2.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083232; classtype:trojan-activity; sid:6025; rev:3;)
# alvgus 2000 - stage 2 (isset Alvgus_UploadFile); set partner is not on this page
alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"BACKDOOR alvgus 2000 runtime detection - upload file"; flow:to_client; flowbits:isset,Alvgus_UploadFile; content:"ttTransferring"; depth:14; nocase; content:"file"; distance:0; nocase; content:"to"; distance:0; nocase; pcre:"/^ttTransferring\s+file\s+to\x3A/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6104; rev:3;)
# a trojan 2.0 - stage 1 (sets A_Trojan_InitConnection); isset partner is not on this page
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection"; flow:from_server,established; content:"resp1Conectado"; depth:14; flowbits:set,A_Trojan_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6087; rev:2;)
# fear 0.2 - outbound HTTP (CGI) notification identified by seven URI parameters
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR fear 0.2 runtime detection - cgi notification"; flow:to_server,established; uricontent:"action="; nocase; uricontent:"ip="; nocase; uricontent:"id=FeaR-Server"; nocase; uricontent:"win="; nocase; uricontent:"rpass="; nocase; uricontent:"connection="; nocase; uricontent:"s7pass="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6043; rev:2;)
# silent spy 2.10 - outbound HTTP notification; also keys on the distinctive User-Agent header
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR silent spy 2.10 runtime detection - icq notification"; flow:to_server,established; uricontent:"/argh/notify.php?emailaddr="; nocase; uricontent:"msg=SERVER"; nocase; content:"User-Agent|3A|"; nocase; content:"SiLENT"; distance:0; nocase; content:"SPY"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*SiLENT\s+SPY/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073048; classtype:trojan-activity; sid:6023; rev:2;)
# cyberpaky - single-stage UDP 18001 -> 18000; no flow keyword, so direction is fixed only by the header
alert udp $HOME_NET 18001 -> $EXTERNAL_NET 18000 (msg:"BACKDOOR cyberpaky runtime detection"; content:"H02EXE"; nocase; content:"File"; distance:0; nocase; content:"Name|3A|"; distance:0; nocase; content:"CYBERPAKY"; distance:0; nocase; content:"Operating"; distance:0; nocase; content:"System"; distance:0; nocase; pcre:"/H02EXE\s+File\s+Name\x3A\s+CYBERPAKY\x0D\x0AOperating\s+System/smi"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-cyberpaky-trojan.html; reference:url,www.megasecurity.org/trojans/c/cyberpaky/Cyberpaky1.8.html; classtype:trojan-activity; sid:6028; rev:2;)
# hellzaddiction v1.0e - stage 1 (sets backdoor.hellzaddiction.1.0E.conn); 2-byte anchor, gated by noalert; stage 2 is sid:6141 below
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR hellzaddiction v1.0e runtime detection - init conn"; flow:from_server,established; content:"xr"; depth:2; nocase; flowbits:set,backdoor.hellzaddiction.1.0E.conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076338; classtype:trojan-activity; sid:6140; rev:2;)
# autospy - stage 1 (sets AutoSpy_ShowNudePicture); stage 2 is sid:6082 above
alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"BACKDOOR autospy runtime detection - show nude pic"; flow:to_server,established; content:"nraider"; depth:7; flowbits:set,AutoSpy_ShowNudePicture; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6081; rev:2;)
# fun factory - stage 2 (isset FunFactory_doscript, set elsewhere); note: no depth on the content match
alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"BACKDOOR fun factory runtime detection - do script remotely"; flow:from_server,established; flowbits:isset,FunFactory_doscript; content:"100014"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6054; rev:3;)
# ambush 1.0 - stage 1 (sets Ambush_Ping); 2-byte anchor "10", gated by noalert; stage 2 is the (truncated) last rule below
alert udp $EXTERNAL_NET any -> $HOME_NET 10666 (msg:"BACKDOOR ambush 1.0 runtime detection - ping client-to-server"; flow:to_server; content:"10"; depth:2; nocase; flowbits:set,Ambush_Ping; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=238; classtype:trojan-activity; sid:6123; rev:5;)
# delirium of disorder - single-stage command match on port 6071 (see also sid:6159 below)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"BACKDOOR delirium of disorder runtime detection - stop keylogger"; flow:to_server,established; content:"stopklog"; depth:8; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/d/deleriumofdisorder/Deleriumofdisorder.html; classtype:trojan-activity; sid:6160; rev:2;)
# dkangel - stage 1 on outbound SMTP (sets DKangel_Email); the |BA DA ...| bytes are a non-ASCII subject prefix; isset partner is not on this page
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BACKDOOR dkangel runtime detection - smtp"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"|BA DA B0 B5 CC EC CA B9| 2.41 "; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*2\x2E41/smi"; flowbits:set,DKangel_Email; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6125; rev:3;)
# cookie monster 0.24 - single-stage command match on port 6969
alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"BACKDOOR cookie monster 0.24 runtime detection - kill kernel"; flow:to_server,established; content:"krnlkill|0D 0A|"; depth:10; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262; classtype:trojan-activity; sid:6175; rev:2;)
# chupacabra 1.0 - single-stage command match on port 13473
alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"BACKDOOR chupacabra 1.0 runtime detection - send messages"; flow:to_server,established; content:"sndmsg|5C|"; depth:7; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6133; rev:2;)
# bladerunner 0.80 - single-stage server banner from port 5400
alert tcp $HOME_NET 5400 -> $EXTERNAL_NET any (msg:"BACKDOOR bladerunner 0.80 runtime detection"; flow:from_server,established; content:"Blade Runner"; depth:12; nocase; pcre:"/^Blade\s+Runner\s+ver\s+\d+/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/b/bladerunner/BladeRunner0.80a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=862; classtype:trojan-activity; sid:6179; rev:2;)
# dirtxt - stage 2 (isset Dirtxt_Chdir, set elsewhere)
alert udp $HOME_NET 4950 -> $EXTERNAL_NET any (msg:"BACKDOOR dirtxt runtime detection - chdir server-to-client"; flow:to_client; flowbits:isset,Dirtxt_Chdir; content:"chdir "; depth:6; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6153; rev:5;)
# hellzaddiction v1.0e - stage 2 for backdoor.hellzaddiction.1.0E.conn (set by sid:6140 above); same msg text as stage 1, only this one alerts
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR hellzaddiction v1.0e runtime detection - init conn"; flow:from_server,established; flowbits:isset,backdoor.hellzaddiction.1.0E.conn; content:"R_Server"; depth:8; nocase; content:"version|3A|"; distance:0; nocase; pcre:"/^R_Server\s+version\x3A\d+\x2E\d+[^\r\n]*R\d+\x2E\d+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076338; classtype:trojan-activity; sid:6141; rev:2;)
# unicorn - stage 1 (sets Unicore_SetWallpaper - spelled this way on both sides, keep it consistent); stage 2 is sid:6168 below
alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR unicorn runtime detection - set wallpaper client-to-server"; flow:to_server,established; content:"WALLPAPER "; depth:10; nocase; flowbits:set,Unicore_SetWallpaper; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1506; classtype:trojan-activity; sid:6167; rev:4;)
# alvgus 2000 - stage 1 (sets Alvgus_DownloadFile); 2-byte anchor "tf", gated by noalert; stage 2 is sid:6106 above
alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"tf"; depth:2; nocase; flowbits:set,Alvgus_DownloadFile; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6105; rev:3;)
# coolcat - chained stage: requires CoolCat.1 (set elsewhere) and sets CoolCat.2 for a later rule not on this page
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR coolcat runtime connection detection - tcp 2"; flow:to_server,established; flowbits:isset,CoolCat.1; content:"password |22|"; depth:10; nocase; flowbits:set,CoolCat.2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=555; classtype:trojan-activity; sid:6013; rev:3;)
# a trojan 2.0 - stage 2 (isset A_Trojan_GetDriveInfo, set elsewhere)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection - get drive info"; flow:from_server,established; flowbits:isset,A_Trojan_GetDriveInfo; content:"infdr"; depth:5; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6094; rev:2;)
# fade 1.0 - stage 1 (sets Fade_kl); isset partner is not on this page
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR fade 1.0 runtime detection - enable keylogger"; flow:to_server,established; content:"877110"; depth:6; flowbits:set,Fade_kl; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076292; classtype:trojan-activity; sid:6040; rev:3;)
# freak 1.0 - outbound IRC NICK registration with a fixed nickname
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"BACKDOOR freak 1.0 runtime detection - irc notification"; flow:to_server,established; content:"NICK"; nocase; content:"FrEaK_ViCTiM"; distance:0; nocase; pcre:"/^NICK\s+FrEaK_ViCTiM\x0D\x0A/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/freak/Freak1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6070; rev:2;)
# cookie monster 0.24 - stage 2 for CookieMonster_FileExplorer (set by sid:6173 above); rate-limited to 1 event per source per 300 s
alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR cookie monster 0.24 runtime detection - file explorer"; flow:from_server,established; flowbits:isset,CookieMonster_FileExplorer; content:"ls|01|.|01|..|01|"; depth:8; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262; classtype:trojan-activity; sid:6174; rev:2;)
# netbus 1.7 - outbound SMTP notification; word-by-word content chain anchored by the pcre on the Subject line
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BACKDOOR netbus 1.7 runtime detection - email notification"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"NetBus"; distance:0; nocase; content:"server"; distance:0; nocase; content:"is"; distance:0; nocase; content:"up"; distance:0; nocase; content:"and"; distance:0; nocase; content:"running"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*NetBus\s+server\s+is\s+up\s+and\s+running/smi"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/file-backdoor-netbus-12-exe.html; classtype:trojan-activity; sid:6037; rev:2;)
# unicorn - stage 2 for Unicore_SetWallpaper (set by sid:6167 above); note: no depth on the content match
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR unicorn runtime detection - set wallpaper server-to-client"; flow:from_server,established; flowbits:isset,Unicore_SetWallpaper; content:"Wallpaper Changed"; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1506; classtype:trojan-activity; sid:6168; rev:4;)
# delirium of disorder - single-stage command match on port 6071 (see also sid:6160 above)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"BACKDOOR delirium of disorder runtime detection - enable keylogger"; flow:to_server,established; content:"enableklog"; depth:10; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/d/deleriumofdisorder/Deleriumofdisorder.html; classtype:trojan-activity; sid:6159; rev:2;)
# mantis - stage 2 (isset Mantis_Notify2, set elsewhere); any destination port, so the threshold matters for volume
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR mantis runtime detection - sent notify option client-to-server 2"; flow:to_server,established; flowbits:isset,Mantis_Notify2; content:"notifsubject"; depth:12; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6146; rev:4;)
# ultimate destruction - single-stage, any destination port, no flowbits gating and no threshold; watch false-positive rate
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR ultimate destruction runtime detection - kill windows client-to-server"; flow:to_server,established; content:"Killwidows|7C|"; depth:11; nocase; metadata:policy security-ips drop; reference:url,www.splintersecurity.com; classtype:trojan-activity; sid:6178; rev:3;)
# millenium v1.0 - single-stage banner match on port 20001; rate-limited to 1 event per source per 600 s
alert tcp $EXTERNAL_NET any -> $HOME_NET 20001 (msg:"BACKDOOR millenium v1.0 runtime detection"; flow:to_server,established; content:"Millenium"; depth:9; nocase; pcre:"/^Millenium\s+\d+\x2E\d+\x2D/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076392; classtype:trojan-activity; sid:6122; rev:2;)
# ambush 1.0 - stage 2 for Ambush_Ping (set by sid:6123 above)
# NOTE: this rule is TRUNCATED in the snapshot (cut after "metadata:policy security"); the
# remaining options, sid and closing parenthesis are on the next page. Do not load as-is.
alert udp $HOME_NET 10666 -> $EXTERNAL_NET any (msg:"BACKDOOR ambush 1.0 runtime detection - ping server-to-client"; flow:to_client; flowbits:isset,Ambush_Ping; content:"=======>> AMBUSH v"; depth:18; nocase; metadata:policy security
