
specific-threats.rules

This is the snapshot of Snort Latest Rules

Page 1 of 5
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"SPECIFIC-THREATS /winnt/explorer.exe unicode klez infection attempt attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,&,2,28,little,relative; content:"|5C 00|w|00|i|00|n|00|n|00|t|00 5C 00|e|00|x|00|p|00|l|00|o|00|r|00|e|00|r|00|.|00|e|00|x|00|e|00 00 00|"; within:41; distance:51; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; sid:9424; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS mimail.s smtp propagation detection"; flow:to_server,established; content:"AAAAAAAAAAx|0A|AMBAi0wkBPdB5gbhjwJ0D69ErgiOVIAQiQK4A8Ejw1NWV78nh1Bq/mgOzkADZP81Yi0OiSUTOj Ug|0A|MFhgcAyDHv7/dNw7//HsGgONNHaLDLNkqzBID3x"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/mimail_m.shtml; reference:url,www.sophos.com/virusinfo/analyses/w32mimailm.html; classtype:trojan-activity; sid:9366; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS atak.b smtp propagation detection"; flow:to_server,established; content:"OsJMFEHYgBh19HlTYBliOtoPlfhIFVsjwTiRgBgMU+ZVSARWhclXidGWdED5LdJLArJcQ1DSfENl|0D 0A|cmgc0ooDhxdHUODyQ//V6tBJVtc2IBPS7SAmCAw7wXUWiRzJMEgI5UA/pM45Gl1qDJkPuJI/4V6j"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/security/analyses/w32atakb.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-120309-3312-99&tabid=2; classtype:trojan-activity; sid:9409; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"SPECIFIC-THREATS deborm.x netshare propagation detection"; flow:to_server,established; content:"0@|00 0A 00 00 00|SV|8B|5|A8| @|00|W|8D|E|F0|j|0A|P|FF|5|28|0@|00 FF D6 8B|]|08 8D|E|F0|PS|E8 9D 08 00 00 BF|L0@|00|WS|E8 8B 08 00 00 8D|E|F0|j|0A|P|FF|5|D0|2@|00 FF D6 8D|E|F0|PS|E8|s|08 00 00|WS|E8|l|08 00 00 8D|E|F0|j|0A|P|FF|5|D4|2@|00 FF D6 83 C4|D|8D|E|F0|PS|E8|Q|08 00 00|WS|E8|J|08 00 00 8D|E|F0|j|0A|P|FF|5"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DEBORM.X; classtype:trojan-activity; sid:9353; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS netsky.af smtp propagation detection"; flow:to_server,established; content:"QWxldmlydXMgTmV0U2t5LWIgQ3JhY2tlZCBBbmluaGFBTUFWQyE"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/netsky-af.shtml; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.AF; classtype:trojan-activity; sid:9405; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"SPECIFIC-THREATS jitux msn messenger propagation detection"; flow:to_server,established; content:"http|3A|//www.home.no/"; nocase; content:"/jituxramon.exe"; distance:0; nocase; pcre:"/http\x3A\x2F\x2Fwww\x2Ehome\x2Eno\x2F[^\r\n]*\x2Fjituxramon\x2Eexe/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,vil.nai.com/vil/content/v_100931.htm; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-123116-3525-99&tabid=2; classtype:trojan-activity; sid:9380; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS mimail.g smtp propagation detection"; flow:to_server,established; content:"VdBjl"; content:"VdBjlpmHLVfqaPUitmytmlPwIiJiViqPhDwHsP8fO2CDfCpkZVVqQCfFgXUtB+gfgDUcrZZOjpqX|0A|l20NIkQDEwEOAOwgy2VA5OSAJBx7JeRs391cnLJAlivkZdzcmZBvNipSWthsl41k2B3UrdTsguvQ"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-110414-0646-99; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=37467; classtype:trojan-activity; sid:9388; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS bagle.n smtp propagation detection"; flow:to_server,established; content:"UwFU9VVzpIrXAls0zlhDNOHldmMULkXDsJRNQZiPekC47DW5vF9mS3gKhBe2I0JSPouRMRBl|0D 0A|w8AJvAcDlRprEHbYgf+GOmWVzZa5XNbrM7AlDCyZfmBiCbABUFgAlCxXE2JRonBJRXLSoLAA"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=45593; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FBAGLE%2EN&VSect=T; classtype:trojan-activity; sid:9394; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS plemood smtp propagation detection"; flow:to_server,established; content:"+FVQACNg1tXQABQV7hVQed3/9BWV7guaud3/9ALwHQW6IkPAADotxQAAOjqFAAA/7NPVkAAw42DZVVAAFBqAGoAuMTC53f/0I2DWVBAAGoAagBTUGoAagC4N6znd/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.2-spyware.com/remove-i-worm-plemood.html; classtype:trojan-activity; sid:9349; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS neysid smtp propagation detection"; flow:to_server,established; content:"1eO8sLlq7UIor1GwCmto7XsiMt9GchrcNlbVPh1GT18n0EDLTWKdYxpB5nZPeoxCHDzQuKOyEtsb|0D 0A|MCqnv2Y1wJoGWMGEslVIzj05hLSGDTLIbGy0uaslY66ENTqEiiXk5HxsL8KRnL2EpjwzDZScLR3G"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.logiguard.com/spyware/i/i-worm-neysid.htm; reference:url,www.spywareremove.com/removeIWormNeysid.html; classtype:trojan-activity; sid:9397; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS agist.a smtp propagation detection"; flow:to_server,established; content:"0ZpkFIcReXCdLfAeEs4k5jglICV+BEij4zH+Xi5QwyfgLb+rO0XnE1xMuyBdVbgW95IPgAVLAnSC|0D 0A|g/5gJes8k0qLVgSAmSvKuNMATWIQ9+HB6gYajUIFsMBdgfogIBxSfyxQ0g6YSxpQiQ8WSQnT55rV"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,secunia.com/virus_information/10752/agist.a/; reference:url,www.sarc.com/avcenter/venc/data/w32.agist.a@mm.html; classtype:trojan-activity; sid:9368; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS blebla.a smtp propagation detection"; flow:to_server,established; content:"JfzwQACLwP8lnPFAAIvA/yWY8UAAi8D/JZTxQACLwP8lkPFAAIvA/yWM8UAAi8D/JYjxQACLwFOD|0D 0A|xLy7CgAAAFToYf////ZEJCwBdAUPt1wkMIvDg8REW8OLwP8l+PBAAIvA/yX08EAAi8D/JfDwQACL"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,vil.nai.com/vil/content/v_98894.htm; reference:url,www.sophos.com/security/analyses/w32bleblaa.html; classtype:trojan-activity; sid:9372; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS klez.i web propagation detection"; flow:to_server,established; content:"E|5C 05|]d|9E|Z<s-d1`/d0j3d3q4k2ank-v.k/`.k.f5kn7.d+r4v>d3cpv|29|cpu/e|E6|"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=11837; classtype:trojan-activity; sid:9340; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS lovgate.c smtp propagation detection"; flow:to_server,established; content:"TeRqfPMR5vXWeeZ2NfAaLY1DVPPPFiBi5r34VPgF8sIEpG0shzV4b30euDVoQer6QFQy78snUIPq|0D 0A|EWuSIUAv+OGl1QNYkJXTV5/HzOViMIBfVAY2WQpM6/DVgZ5n8h0ILVu+fjHF1MpcoGgQjIjsDs68"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/lovgate.shtml; classtype:trojan-activity; sid:9334; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS bagle.a http notification detection"; flow:to_server,established; uricontent:"/1.php?p="; nocase; content:"User-Agent|3A|"; nocase; content:"beagle_beagle"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*beagle_beagle/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/virusinfo/analyses/w32baglea.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-011815-3332-99&tabid=2; classtype:trojan-activity; sid:9418; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS netsky.s smtp propagation detection"; flow:to_server,established; content:"xAJ2g9vb5s6MgEwifAAA99d2k9vrFPl057JOQIiRxvTw54r4l64U/qrFiXxGSJOoS9u77/mo|0D 0A|T/01iESEpu/wemHvlfNyYs+hogBpkojHr6r1w6r5OLdqdovbvwQmcoqsu7aPznGT+6qsCYET"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/netsky_s.shtml; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-040512-2436-99&tabid=2; classtype:trojan-activity; sid:9379; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS bagle.b smtp propagation detection"; flow:to_server,established; content:"22cYrYFsp1tV//KXbPbtRRQ4EnUCswFdIl62BQ6BxjtHcmMEwQ573GF0vGNi9B8wPXivfVoL|0D 0A|N9j04cZWzkL7aT31JBRq3/LZM/lJiQo0hUcu9GPvsGExeAQ1eAxsh/8gV4B9/iB1C7h0dRD3"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/bagle_b.shtml; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-021713-3625-99&tabid=2; classtype:trojan-activity; sid:9370; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SPECIFIC-THREATS msblast attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; content:"F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|F|00|X|00|F|00|X|00|"; within:36; content:"|9D 13 00 01|"; within:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.asp; classtype:trojan-activity; sid:9422; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"SPECIFIC-THREATS welchia tftp propagation detection"; flow:to_server; content:"C|BB 0E|Gy3a38DM4|EC|5e|C2 0A 86 0B|Yde|02 EE|s|EB 18 0A B9|S9Cb|05|Zk|ED|F|29|cf|0D|dl|08|5u@|EB E7|8sm-95|23 AC|p+%|1D|3f|F1|s|FF 03|-|09 CD 00|q -i %s <|02 03 F2|get  nSVC|80 C0 CA 96|/|29 D6|b|80 C0| |9E CF 24 BE|-|EB D6|w&k |A9|8Shar|F0 D6 80 DD|+g|00|l|00 EC|DTCo|24 D0|L|07|B|FA 13|j|EF|"; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.pchell.com/virus/welchia.shtml; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99&tabid=2; classtype:trojan-activity; sid:9402; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS mydoom.g smtp propagation detection"; flow:to_server,established; content:"B0QnUGCDNE08WiwoB4MNMsggGBAnBHf27GA//CMX7CNH5A/y7CBNQdTAI5e4I0jTDHaoB5xkkCCD|0D 0A|DTaIF4QvfIMNMth0H2xkB1wMMsggVExEMthgg0B/MEco0jSDDRwPFFoIybODDQAH/CIv9CLBXjPY"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/mydoom_g.shtml; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-030213-0918-99&tabid=2; classtype:trojan-activity; sid:9377; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS netsky.x smtp propagation detection"; flow:to_server,established; content:"g8QMhcB1Fv////+DffwCdA5qZP8VYHBAAEaD/gJ81jPAXsnD|0D 0A|i0QkDIHsKN5+97cBKlNVVos1bB1XM+1oABAQVccA7d9s7xYA/9ZQNWiL2DvdD4RWAhL2N7f2|0D 0A|ahFqAgEV"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/netsky_x.shtml; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.X; classtype:trojan-activity; sid:9337; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"SPECIFIC-THREATS deborm.r netshare propagation detection"; flow:to_server,established; content:"=X|A2|/|EF D1 BD C2 EB|0|5C 98|U|1A 08|c|AE|0|F1 06 C4 0B|m|D2 84|W|08|Z/|AD 02 0D|t|12|/|DA D7|>|C6|<|B2 DD 85 18 CF|,1j|8A F0 CF|Z|A4|`|87 D4|NP|89|@|F2 14 23 B8|R9|BF 0C B6 84|f|29 BA 02 0D F0 1D F6 B6|5C|04|n|99 10 BE 1D|j|0A DF 9A|P|BC CE DC C0|R9FlPT|BD CF|f|D4 CF F7|b|99 DD 8A 00 F0 E9 14|~b|9B EF C4 0C 24 96|,|14 89 D7|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/security/analyses/w32debormr.html; classtype:trojan-activity; sid:9357; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"SPECIFIC-THREATS klez.b netshare propagation detection"; flow:to_server,established; content:"lwlw@21fd.fgs|00|lgsr@21fd.fgs|00|Wtzmkyj1978@21fd.fgs|00|wtzmkyj@bdswma.fgs|00|owfp@bdswma.fgs|00|lgs@bdswma.fgs|00|rywelb@bdswma.fgs|00|gebwduff@21fd"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-011716-2500-99&tabid=2; classtype:trojan-activity; sid:9347; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS yarner.b smtp propagation detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"Trojaner-Info<webmaster@trojaner-info.de>"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Trojaner-Info Newsletter"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*Trojaner-Info<webmaster@trojaner-info\x2Ede>/smi"; pcre:"/^Subject\x3A[^\r\n]*Trojaner-Info\sNewsletter/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-021912-4244-99&tabid=2; classtype:trojan-activity; sid:9329; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS fearso.c smtp propagation detection"; flow:to_server,established; content:"W4niV2CNlkzNbJ91T1IgkFpIUag2/cL3Sy5za4C8BhwOwEDr72oCP3sBuUkp0D0NoEh1djz3tvfr|0D 0A|PY2GLMgIGNbPfqP9LTUUqLLXdKC4DoH+8FHNt922QnUL9OtN9dKAdLrOtrM5zrElF1Bw9RA101DY"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/security/analyses/w32noferc.html; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=35646; classtype:trojan-activity; sid:9382; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS mimail.k smtp propagation detection"; flow:to_server,established; content:"QIi1QkEIkCuAMAAADDU1ZXi0QkEFBq/mgAEEAAZP81AAAAAGSJJQAAAACLRCQgi1gIi3AM|0A|g/7/dCA7dCQkdBqNNHaLDLOLTCQIi0gMg3yzBAB11/9Uswjr0WSPBQAAAACDxAxfXl"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/mimail_k.shtml; reference:url,www.sophos.com/virusinfo/analyses/w32mimailk.html; classtype:trojan-activity; sid:9350; rev:4;)
