specific-threats.rules

This is a snapshot of the Snort latest rules.
Page 1 of 5
# Copyright 2001-2006 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#----------
# SPECIFIC-THREATS RULES
#----------
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS klez.d web propagation detection"; flow:to_server,established; content:"agzyrywelb@igdupgdu.fgs|00|klgfp@yswma.fgs.fd|00|pyaab@igdupgdu.fgs|00|rywelb@163.fgs|00|bwdbwd@yswma.fgs.fd|00|ca1980@163.fgs|00|lmlm@igdupgdu.fgs|00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/security/analyses/w32klezd.html; classtype:trojan-activity; sid:9363; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS mimail.e smtp propagation detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"don't be late!"; distance:0; nocase; content:"gBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAA|0A|AABQRQAATAEDAEKhoz8AAAAAAAAAAOAADwELAQI3ADAAAAAQAAAAIAcA0FIHAAAwBwAA"; pcre:"/^Subject\x3A[^\r\n]*don't\sbe\slate!/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sarc.com/avcenter/venc/data/w32.mimail.e@mm.html; reference:url,www.sophos.com/virusinfo/analyses/w32mimaile.html; classtype:trojan-activity; sid:9333; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS gokar http propagation detection"; flow:from_server,established; content:"|0B|Bp|D6|p|00 C2 91 C5 83 DE 3B 08 C9| Ll|F8|l|18 F0 80|K!|89|.*|B0 AC 0C C8 08 88 93 E4|d1%7|DF BA 84 3A 3B|,|02 0C E7|,,8|80 D1 24 B1|j|10 D4 E0 E8|>B|C1 29 D3|I|F7 D8 1B C0 05 96 A4 D6 03 01 AE 7C 91 0F 9D A5 BA 95|F|8D 02|'n|99 8F E0 15 98 A0|j|FF FD BE|G|BE B3 EC A3 E1 17 C4|h|DC 3A|f|B8 02 F9 0E 81 CE E2 1B E4 10 13 C8 E7 E3 0C 3B E4 0C C6 01|`6h|D3|h|C0 98 99 87 8C 3B|V|D3|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/gokar.shtml; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=10606; classtype:trojan-activity; sid:9401; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SPECIFIC-THREATS lovegate attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; content:"F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|F|00|X|00|F|00|X|00|"; within:36; content:"|9F|u|18 00|"; within:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.asp; classtype:trojan-activity; sid:9423; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS lovgate.a smtp propagation detection"; flow:to_server,established; content:"+3UubBZU6QPutdRcZrPEvAZmzZcNakN47VPYbNzc7Nrua2tqc5hULfvf2fjX3Ec6W|0D 0A|bgNaUl7vgcZCDx77BhbeP1Jav5WWRj/8Tjd7mGGE798zp8rczW6tVaQvEyw5Ww3WpU0MwG5nq6G5"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=22549; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=31576; classtype:trojan-activity; sid:9352; rev:4;)
