
specific-threats.rules

This is the snapshot of Snort Latest Rules
RULES
Page 1 of 5
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS bagle.a smtp propagation detection"; flow:to_server,established; content:"aWNyb3NvZnQAQGF2cC4AACVzP3A9JWx1JmlkPSVzAGh0dHA6Ly93d3cuZWxyYXNzaG9wLmRl|0D 0A|LzEucGhwAGh0dHA6Ly93d3cuaXQtbXNjLmRlLzEucGhwAGh0dHA6Ly93d3cuZ2V0eW91cmZy"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/virusinfo/analyses/w32baglea.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-011815-3332-99&tabid=2; classtype:trojan-activity; sid:9417; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS kipis.a smtp propagation detection"; flow:to_server,established; content:"xfs9Znq3mJL1CnQXg0epFP4RHBO0n6naXaPhHWdmQaxirccYvMqyYqxiVpY//VZeM7veQEB19ehg|0A|YFK0if9HLNsz9SBqjj/QOGh01hINh2u4f6VGfrwbNSTdzqkjQnZKcB1Ind/UezfRD6KGUHmZkXfy"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41312; classtype:trojan-activity; sid:9345; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS lovgate.e smtp propagation detection"; flow:to_server,established; content:"OziaMMstyp3ZvEfNLZDdGUotsJcU9AUzGyIbVCkkslc8AX44pHVQ7cFVd7zMsneJSAaBvoS3iUeo|0D 0A|hlEQ24NXuyvw8X2q88Vmjnqxjk0ouK8Fqb71DLdEZ2FbTDGrGuRodeFwiNi+pKq863l"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/virusinfo/analyses/w32lovgatee.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-030416-4942-99&tabid=2; classtype:trojan-activity; sid:9406; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS klez.g web propagation detection"; flow:to_server,established; content:"|0A 08|P|D8|{|18|0|D8 D8 18|Py80|D8|P|18 0A 08|P|D8|{@0@0y8P|18|0|B8 0A|`|00 10 0A|8 {hP|D8|y8P|18|0"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.sophos.com/virusinfo/analyses/w32klezg.html; classtype:trojan-activity; sid:9339; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"SPECIFIC-THREATS deborm.u netshare propagation detection"; flow:to_server,established; content:"|A3|Hp@|00 81|=Hp@|00 F0 00 00 00|~|0A C7 05|Hp@|00 0A 00 00 00|j|0A 8D|M|F0|Q|8B 15|Hp@|00|R|E8 E1|L|00 00 83 C4 0C 8D|E|F0|P|8B|M|08|Q|E8 DB 0D 00 00 83 C4 08|hlp@|00 8B|U|08|R|E8 DA 0D 00 00 83 C4 08|j|0A 8D|E|F0|P|8B 0D 90|{@|00|Q|E8 AB|L|00 00 83 C4 0C 8D|U|F0|R|8B|E|08|P|E8 B5 0D 00 00 83 C4 08|hpp@|00 8B|M|08|Q|E8|"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DEBORM.U; classtype:trojan-activity; sid:9355; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS kadra smtp propagation detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Bin Ladenov zivot"; distance:0; nocase; content:"filename="; nocase; content:"Bin Ladenov zivot"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.kaspersky.com/news?id=260&ipcountry=CA#kadra; classtype:trojan-activity; sid:9343; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS netsky.af smtp propagation detection"; flow:to_server,established; content:"QWxldmlydXMgTmV0U2t5LWIgQ3JhY2tlZCBBbmluaGFBTUFWQyE"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/netsky-af.shtml; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.AF; classtype:trojan-activity; sid:9327; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS duksten.c smtp propagation detection"; flow:to_server,established; content:"+QAEAE1FhFEAAaABBIAD/VCMgIADcAAAABJnSlP+aThqAAKRKqKioqDQAAABA|0D 0A|Q/hAAQDQfAIgACn/KoVAQACjzQ0IAE0AocDVAACa//81cw0IAP9RJUBAADNaKVL/qebQEAAaEtAQAP+opCAgAIUMdAYaEtAQAP+oxCAgADSQGoAA/xXkICAAQJ5EiAgA"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.hftonline.com/forum/archive/index.php/t-11044.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-122016-4223-99&tabid=2; classtype:trojan-activity; sid:9375; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS beglur.a smtp propagation detection"; flow:to_server,established; content:"bszmmP1TlDRGFDA1uDG1GyF3fw7zQae3hTJk7dtK0xmjv339SvtDPLhswsFAGUQX34naqqcKxEjp|0A|yns2FwCn9oiRtoiyYFfwAsT6v/2SvioeIkj2WAb6lQoNyzLUhbQtpekiV9ZUpOW2u4Lv73FPrkud"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.hacksoft.com.pe/virus/w32_beglur_a.htm; reference:url,www.viruslibrary.com/virusinfo/I-Worm.Beglur.a.htm; classtype:trojan-activity; sid:9384; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"SPECIFIC-THREATS sinmsn.b msn propagation detection"; flow:to_server,established; content:"Application-File|3A|"; nocase; content:"smb.exe"; distance:0; nocase; content:"Application-FileSize|3A|"; distance:0; nocase; content:"163840"; distance:0; nocase; pcre:"/^Application-File\x3A\s+smb.exe\r\nApplication-FileSize\x3A\s+163840/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/smibag.shtml; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=23776; classtype:trojan-activity; sid:9412; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS bagle.k smtp propagation detection"; flow:to_server,established; content:"RcJ0RFKbuZlqeaaoQ76D0Tf6ESD+RgjrN6QDtvvsvNXbR6BlXZviaG3d1NJtmU++UEmRCixX|0D 0A|RCaDz8IzdWIidAq1dzJwwTvIJglu/0IQwX8WrLD6EheQRlQhil5PQbv9oC3Y0HgAfIERnIb5"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=45304; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EK&VSect=T; classtype:trojan-activity; sid:9393; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"SPECIFIC-THREATS deborm.d netshare propagation detection"; flow:to_server,established; content:"E|F4 00 00 00 00 8B 8D E8 FB FF FF 89|M|F0 EB 09 FF 15|dsB|00 89|E|F4 83|}|F0 00|uy|83|}|F4 00|t,|83|}|F4 05|u|15 C7 05|DVB|00 09 00 00 00 8B|U|F4 89 15|HVB|00 EB 0C 8B|E|F4|P|E8|*I|00 00 83 C4 04 83 C8 FF EB|P|8B|M|08 C1 F9 05 8B|U|08 83 E2 1F 8B 04 8D|@nB|00 0F BE|L|D0 04 83 E1|@|85 C9|t|0F 8B|U|0C 0F BE 02 83 F8 1A|u|04|3|C0 EB 22 C7 05|DVB|00 1C 00 00 00 C7 05|HVB|00 00 00 00 00 83 C8 FF EB 09 8B|E|F0|+|85 E0 FB|"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=24653; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=30322; classtype:trojan-activity; sid:9390; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS lovelorn.a smtp propagation detection"; flow:to_server,established; content:"dGpuby9meWYAT1VUTE9PSy5FWEVOZXRDYXB0b3IuZXhlbWlyYzMyLmV4ZWFpbS5leGVZcGFnZXIu|0D 0A|ZXhlAHV2anNidWRpYm9kdnBkZXBqb2J6QXpiaXBwL2RwbgBOUUhfTE9WRQBsb3ZlX2xvcm5AeWFo|0D 0A|b28uY29tAE5RSF9MT1ZFTE9STgB0aHV5cXV5ZW5AeWFob28uY29tAE5RSABsb3ZlbG9ybkB5YWhv"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=35041; classtype:trojan-activity; sid:9414; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS lacrow smtp propagation detection"; flow:to_server,established; content:"ZT0iTVMtNTYwOTVNX1BBVENILmV4ZSINCgAAAP////8XAAAAQ29udGVudC1JRDogPFNPTUVDSUQ+DQoA/////w4AAAAtLS0tQUJDREVGLS0NCgAA/////wUAAAANCi4NCgAAAP////8GAAAAUVVJVA0KAABDOlxNUy01NjA5NU1fUEFUQ0guZXhlAAD/////EwAAAEM6XExpc3Rl"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=W32.Lacrow@mm&threatid=53187; classtype:trojan-activity; sid:9408; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS mydoom.e smtp propagation detection"; flow:to_server,established; content:"o/lN3R5KdgmabpkbqcebrJGVMv/b3+ITcXF4dYrKKEjm3bi1PPcb8ZqKgf//hf6sWTRLdExjstH/|0D 0A|x69YBOSAkClWPEs4oEv//3+BfjW9C702c15JmOUe8W2ey1TAvxOujvc6/7/1/0UA4y/RTfLKo95+"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/mydoom_e.shtml; classtype:trojan-activity; sid:9330; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS plexus.a smtp propagation detection"; flow:to_server,established; content:"YGVjaG9yIHdwdW4zJXMGZNs+6WEKUxRsRxYMIXDnZ2d04XN1cMku+XjqlhcKcXVpdA9HZoxeLSBzOowm80FoWlbIUi0/SXKAZnZiYTogMQYuMA"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,vil.nai.com/vil/content/v_126116.htm; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39272; classtype:trojan-activity; sid:9415; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS mydoom.ap attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"Received message is available at"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; sid:9426; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPECIFIC-THREATS mimail.l smtp propagation detection"; flow:to_server,established; content:"Subject|3A| Re[2]"; nocase; content:"Hi Greg its Wendy."; distance:0; nocase; content:"I was shocked, when I found out that it wasn't you but|0D 0A|your twin brother!!!"; distance:0; nocase; content:"name=|22|wendy.zip|22|"; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.f-secure.com/v-descs/mimail_l.shtml; reference:url,www.sophos.com/virusinfo/analyses/w32mimaill.html; classtype:trojan-activity; sid:9361; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SPECIFIC-THREATS Trojan Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCCaI2wFrGFEtU9IAAA5jAAAArAAAJgAALEir"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; sid:10075; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SPECIFIC-THREATS W32.Nuwar.AY smtp propagation detection"; flow:to_server,established; content:"i45MQBVUFghDQkCCOqHqPmgGbzTU9IAAA1jAAAArAAAJgAACWwe"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; sid:10083; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SPECIFIC-THREATS Trojan Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCEgAH0PRKH5o+uIAAF5sAAAAwgAAJgAAVW0u"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; sid:10073; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SPECIFIC-THREATS Trojan Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7/dT"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; sid:10071; rev:3;)
# alert tcp $EXTERNAL_NET any
