虫虫下载站

specific-threats.rules

This is a snapshot of the latest Snort rules.
Page 1 of 5
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS bagle.j smtp propagation detection"; flow:to_server,established; content:"AFM8bJHtPFvDEkEXcUExflY49kR1cEEIUkM9CVRyaW0/TddNAkkvfRRVUkxRaCWgRLFeZa2d|0D 0A|ppsmHIgcP6Qp8ve2TB1lRQtVcHAiPE23aXCUdGYrkyxJZUtwfXxuCusU7RVxrDNuboGBhT0s"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-030214-1700-99&tabid=2; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EJ&VSect=T; classtype:trojan-activity; sid:9392; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS klez.b web propagation detection"; flow:to_server,established; content:"lwlw@21fd.fgs|00|lgsr@21fd.fgs|00|Wtzmkyj1978@21fd.fgs|00|wtzmkyj@bdswma.fgs|00|owfp@bdswma.fgs|00|lgs@bdswma.fgs|00|rywelb@bdswma.fgs|00|gebwduff@21fd"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-011716-2500-99&tabid=2; classtype:trojan-activity; sid:9346; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS zhangpo smtp propagation detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"zhangpo"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*zhangpo/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareremove.com/removeZhangpo.html; classtype:trojan-activity; sid:9328; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS fizzer smtp propagation detection"; flow:to_server,established; content:"i8Zew4tMJAQzwDgBdAdAgDwIAHX5w1WL7ItFDFOLXRRWVzP/M/aJRQyFwIldFHUM/3UI6Mz///9Z|0D 0A|iUUMhdt1DP91EOi8////WYlFFItFFDlFDHdqg30YAHQjhcB2Uzt1DHNTi00Qi1UIigwPOgwWdQNG"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/virusinfo/analyses/w32fizzera.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-050821-0316-99&tabid=2; classtype:trojan-activity; sid:9358; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS netsky.y smtp propagation detection"; flow:to_server,established; content:"SzXgMkNWL9sVG+tK+PAvoGAHIBs6uGCk+LimunCOdVZetTLfshMihnVwSZSOMgbeJ1nQ2VuH|0D 0A|OE0A6SCpjgS431+O+Uwr0hbFwC0Tt9gjk5n006G2DLQ93fwnPbO2fmzcaPYFYNhTijcHgc6u"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/virusinfo/analyses/w32netskyy.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-042011-2621-99&tabid=2; classtype:trojan-activity; sid:9383; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SPECIFIC-THREATS zotob attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|E0 07 00 00|"; within:4; distance:4; content:"|C0 07 00 00 00 00 00 00|"; within:8; distance:8; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,www.microsoft.com/technet/security/bulletin/ms05-039.mspx; classtype:trojan-activity; sid:9421; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS ganda smtp propagation detection"; flow:to_server,established; content:"cXJ1dmFiemFickBob3RtYWlsLmNvbT4NCgA8cmVkQGZuYS5zZT4N|0D 0A|CgA8ZGViYXR0QHN2dC5zZT4NCgA8c3VzYW5uZS5zam9zdGVkdEB0aWRuaW5nZW4udG8+DQoAPHNr|0D 0A|b2x2ZXJrZXRAc2tvbHZlcmtldC5zZT4NCgA8bWFyeS5tYXJ0ZW5zc29uQGFmdG9uYmxhZGV0LnNl"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/security/analyses/w32gandaa.html; classtype:trojan-activity; sid:9413; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS netsky attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"OsrkDtNPNg9Xj38hSOB7pKSR+RzaaUnt5GIvg8wXTYQPiLhBPWmLUXYLSN2KDpF0AWHCd8Po"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; sid:9425; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS abotus smtp propagation detection"; flow:to_server,established; content:"cPf//1ChHGtAAFDokPv//6Eca0AAUOh1+///i0UIuhhnQAC5AAQAAOhn9v//M8BaWVlkiRBonzpA|0D 0A|AI1F+LoCAAAA6E31///D6b/v///r61tZWV3CBACLwFWL7DPAVWjHOkAAZP8wZIkgM8BaWVlkiRBo"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.isecuritysource.com/threats/worm/w32-abotus-worm-m.aspx; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2001-082919-3906-99&tabid=2; classtype:trojan-activity; sid:9400; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS mydoom.m smtp propagation detection"; flow:to_server,established; content:"lo5vuBR4VSCJ1pbUTU2ox8gc4A7MEBs3U817uUY7ImH0QRZX+0j2rTCxLjEuMiWWIIQOBqYHIChO|0D 0A|szw6IGwkHhEcctMplAHMtW17PTAB6V1wlG2EO/ggyW8ZTQYiUQdbzhMuIwM4aEvQxSUDthPd7S6"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/mydoom_m.shtml; classtype:trojan-activity; sid:9331; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS cult.b smtp propagation detection"; flow:to_server,established; content:"HgAAAAAAAAAAAAAAAAAAQAAA|0D 0A|wDEuMjIAVVBYIQwJAgkUTDlhQxNezL9kAACkGQAAIEAAACYAABn+//L/McBA|0D 0A|i0wkBPdBBAYAdA+LRCQIi1QkEIkCuAO5/3fvEMNTVlc"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/72/worm_cult.b.html; reference:url,www.sophos.com/security/analyses/w32cultb.html; classtype:trojan-activity; sid:9360; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS mimail.m smtp propagation detection"; flow:to_server,established; content:"f+xt2OHdR5d|0A|oYEgACjEdRRHXvYmP9iDPXUL7TXuZkm+6wfHeTAGsEn3sfxyGYt9/GE5yHe7tcZ/Hhj4ORt835ps|0A|Mx+zk+UMO/RnXp7d+QBQQEz4gFL098fbv+3/G3"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/mimail_m.shtml; reference:url,www.sophos.com/virusinfo/analyses/w32mimailm.html; classtype:trojan-activity; sid:9362; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS mydoom.i smtp propagation detection"; flow:to_server,established; content:"LjI2BDAAorXCxzNJTUVPLDRQ04B9WAN1VEJ5QE1mwWlkOx4gVjm42kp3LOx0Ni1UeepAb S3soFBE|0D 0A|2eN0L/d4UADTtkc7IQkKO a/NWrhyPSJSInMFcbG2vdotVqfZNTFPGIKG5hzoQwecasmOtdZACjEX"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/mydoom_i.shtml; classtype:trojan-activity; sid:9338; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS fishlet.a smtp propagation detection"; flow:to_server,established; content:"AAACAAAAQAAAAAQAAAANAAoAAAAAABgAAABcAGYAaQBzAGgAbABlAHQALgBiAGkAbgAAAAAAVgAA|0D 0A|AFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwASQBuAHQAZQByAG4AZQB0ACAA"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/security/analyses/w32fishleta.html; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=12285; classtype:trojan-activity; sid:9376; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS paroc.a smtp propagation detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"PROSAC"; distance:0; nocase; content:"DQoJV2Vs|0D 0A|Y29tZSB0byBQUk9TQUMgKG11bHRpbWVkaWEgcGFjaykNCgkt"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=W32.Paroc.Worm&threatid=53258; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-061121-1025-99&tabid=2; classtype:trojan-activity; sid:9342; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS collo.a smtp propagation detection"; flow:to_server,established; content:"UP8VWBIAAYPEDI1FoFBoAgEAAP91cP8VVBIAAf91cP8VUBIAAenf/v//aHQTAAFqCv81XIAAAf91|0D 0A|eOsTi0V8aHQTAAFqDP81XIAAAf9wDP8VCBIAATPAX15bg8VoycIQAFeLfCQMM8CD/wF2U1aLdCQM"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.emsisoft.com/en/malware/?Worm.Win32.Collo.a; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=23787; classtype:trojan-activity; sid:9385; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"SPECIFIC-THREATS deborm.q netshare propagation detection"; flow:to_server,established; content:"|AB B4|+|F6 04 19 B8 9F CB|t|24|HpR|04 A6 8E|R|17 B1 7F 8A 1E|z|12 8C B8 0C|aVM|81 7C|0|AC|8|BA B5 EE 1A|B|9B|a*xe@|D1|q8|22|T|B7|.`|11 E0|iQ}|C7 CA C1 81 D9|i|B7 A4|C|BE|0|23|2X|9A DF 5C 3B|v|12 CC| |80 AD 7C|cT|19|.|AE|!|8E F8 84|R|F5|1n|D7 1B|8|E8 B0|<U1F|BE B7 16 8B 89 17|Z2|B0 ED|%ED|C4 07 8B B6 CF 92 B2 22|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/security/analyses/w32debormq.html; classtype:trojan-activity; sid:9356; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS netsky.p smtp propagation detection"; flow:to_server,established; content:"Yid5ICdT|0D 0A|J2sneSdOJ2UndCcuJ0MnWicgJ0MnbydyJ3AqJwAAJ0QncidvJ3AncCdlJ2QnUydrJ3knTidl|0D 0A|J3QnACdTJ2sneSdOJ2UndCdGJ2knZydoJ3QncydCJ2EnYydrAAAAAHVzZXJj"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-032110-4938-99&tabid=2; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNETSKY%2EP&VSect=T; classtype:trojan-activity; sid:9326; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS totilix.a smtp propagation detection"; flow:to_server,established; content:"YjpDKytIT09LkOkckUAAoQ+RQADB4AKjE5FAAFJqAOglfQAAi9DoMhgAAFroyAsAAOgrGAAAagDo|0D 0A|PCQAAFlouJBAAGoA6P98AACjF5FAAGoA6ddeAADpaiQAADPAoAGRQADDoReRQADDYLsAULC8U2it"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Worm.Totilix.a&threatid=6703; reference:url,www.viruslist.com/en/viruslist.html?id=4097; classtype:trojan-activity; sid:9398; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS mimail.i smtp propagation detection"; flow:to_server,established; content:"A8Hjz"; content:"A8Hjz1XwgeLbymX/OMH6BAnTW4NTKTT7VvYLxgQ+PRHBjYpIBpIj7OxkWZbl8A8C7MD+SqZkBhTr|0A|VP9NDD+w5chL7D866BN1I2Vn7giaB2cqOQ1LZIaFNwpjlXTaJQ+TCqW4q6H"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/virusinfo/analyses/w32mimaili.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-111317-1701-99&tabid=2; classtype:trojan-activity; sid:9391; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS hanged smtp propagation detection"; flow:to_server,established; content:"AExhWABYYUwAWGFMAE5ld19GYW1vdVNfR2lyTHMAQS5TLk4uAFNNVFA6VGhlX0hhbmdlZEBqYXp6|0D 0A|ZnJlZS5jb20AU01UUDpUaGVfSGFuZ2VkQGhvdG1haWwuY29tAFNleF9TcGFtXyxfRXhjdXNFX01l"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Email-Worm.Win32.Hanged&threatid=81170; reference:url,www.emsisoft.com/en/malware/?Worm.Win32.Hanged; classtype:trojan-activity; sid:9399; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS bagle.f smtp propagation detection"; flow:to_server,established; content:"LkRMTAAAAEdldFByb2NBZGRyZXNzAAAATG9hZExpYnJhcnlBAAAARXhpdFByb2Nlc3MAAABW|0D 0A|aXJ0dWFsQWxsb2MAAABWaXJ0dWFsRnJlZQAAAE1lc3NhZ2VCb3hBAAAAAABqe5M2t6ajjak1"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/bagle_f.shtml; reference:url,www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=45199; classtype:trojan-activity; sid:9386; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS creepy.b smtp propagation detection"; flow:to_server,established; content:"i8iFyXUFM8BeW8OhUIREAIkBiQ1QhEQAM9KLwgPAjUTBBIseiRiJ|0D 0A|BkKD+mR17IsGixCJFl5bw5CJAIlABMOLwFNWi/KL2Oid////hcB1BTPAXlvDixaJUAiLVgSJUAyL"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,vil.nai.com/vil/content/v_112739.htm; reference:url,www.emsisoft.com/en/malware/?Email-Worm.Win32.Creepy.b; classtype:trojan-activity; sid:9374; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SPECIFIC-THREATS sasser attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; content:"|EC 03 00 00|"; within:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:trojan-activity; sid:9419; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS mimail.a smtp propagation detection"; flow:to_server,established; content:"g8QMX15bw1WJ5VNWV1VqAGoAaJIQQAD/dQjoVkYAAF1fXluJ7F3D/FWJ5YPs|0A|CFNWV1WLXQyLRQijMEBHAIkdNEBHAPdABAYAAAB1colF+ItFEIlF/KM0QEcAjUX4iUP8"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sarc.com/avcenter/venc/data/w32.mimail.a@mm.html; reference:url,www.sophos.com/virusinfo/analyses/w32mimaila.html; classtype:trojan-activity; sid:9332; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS klez.e web propagation detection"; flow:to_server,established; content:"|F2 99 00 00 03|+|16|-|A8 90 BA 8A 9A 29|0PH|80|@8` Z|00 08 80|+|A0 80 00 00|X|29|h|00|H`|E8|Z0P@Zhp+|E0| |E0| |29 90 18|0Z0P@Z|88 90|+ |88|P|F8 29 BA E2 A2 A2|ZX|00 88|+ X|88|`|29|h|00|H`|E8|Z0P@Zhp+|10 B8| |A8|h|29|h|00|H`|E8|Z0P@Zhp+|B0 88 B8 00 00 88 29 98 00 B8|`|F8|PXZ"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-011716-2500-99&tabid=2; classtype:trojan-activity; sid:9364; rev:4;)
