
📄 spyware-put.rules

📁 This is a snapshot of the latest Snort rules
💻 RULES
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPYWARE-PUT Keylogger runtime detection - hwpe word filtered echelon log"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"HWPE"; distance:0; nocase; content:"Word"; distance:0; nocase; content:"Filtered"; distance:0; nocase; content:"Echelon"; distance:0; nocase; content:"LOG"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*HWPE\s+Word\s+Filtered\s+Echelon\s+LOG/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5780; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware e2give runtime detection - check update"; flow:to_server,established; uricontent:"/go/check?"; nocase; uricontent:"build="; nocase; uricontent:"source="; nocase; content:"Host|3A|"; nocase; content:"e2give.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*e2give\.com/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5907; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware cashbar runtime detection - pop-up ad 1"; flow:to_server,established; uricontent:"si="; nocase; content:"Host|3A|"; nocase; content:"www.metareward.com"; distance:0; nocase; pcre:"/\x2F(f|s)\?[^\r\n]*si=/Ui"; pcre:"/^Host\x3A[^\r\n]*www\.metareward\.com/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5929; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker funbuddyicons runtime detection - request config"; flow:to_server,established; uricontent:"/mySpeedbarCfg2.jsp?"; nocase; uricontent:"s="; nocase; uricontent:"p=ZB"; nocase; uricontent:"v="; nocase; uricontent:"e="; nocase; uricontent:"r="; nocase; uricontent:"l="; nocase; uricontent:"c="; nocase; uricontent:"a="; nocase; metadata:policy security-ips drop; reference:url,www.pchell.com/support/funbuddyicons.shtml; classtype:misc-activity; sid:5855; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker begin2search runtime detection - download unauthorized code"; flow:to_server, established; uricontent:".compress"; nocase; pcre:"/\x2F(dist|SupportFiles)\x2F[^\r\n]*\.compress/Ui"; content:"User-Agent|3A|"; nocase; content:"NSISDL"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*NSISDL/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5767; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware fftoolbar toolbar runtime detection - display advertisement news"; flow:to_server,established; uricontent:"/downloads/toolbar/ticker.xml"; nocase; content:"Host|3A|"; nocase; content:"fast-finder"; distance:0; nocase; pcre:"/^Host\x3A\swww\.fast-finder\.com/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.symantec.com/avcenter/venc/data/adware.fftoolbar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097640; classtype:successful-recon-limited; sid:5922; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker dropspam runtime detection - search request 3"; flow:to_server,established; content:"/search.cgi"; nocase; content:"source=lifestyle"; nocase; content:"query="; distance:0; nocase; content:"select="; distance:0; nocase; content:"Host|3A|"; nocase; content:"desksearch.dropspam.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*desksearch\.dropspam\.com/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5935; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adultlinks runtime detection - redirect"; flow:to_server,established; uricontent:"/cgi-bin/lzRedirect.cgi"; nocase; uricontent:"id="; nocase; uricontent:"act="; nocase; uricontent:"type="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5745; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware ist powerscan runtime detection"; flow:to_server, established; uricontent:"adv_id="; nocase; uricontent:"campaign="; nocase; uricontent:"origin="; nocase; uricontent:"program_id="; nocase; uricontent:"subprogram_id="; nocase; uricontent:"site_id="; nocase; uricontent:"ref_url="; nocase; content:"Host|3A|"; nocase; content:"power-cleaner"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*power\x2Dcleaner/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=981; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077266; classtype:misc-activity; sid:5795; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker seeqtoolbar runtime detection - autosearch hijack or search in toolbar"; flow:to_server, established; uricontent:"/results.jsp"; nocase; uricontent:"portal_id="; nocase; uricontent:"domain=seeq.com"; nocase; uricontent:"tag=toolbar"; nocase; uricontent:"keyword="; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1026; classtype:misc-activity; sid:5981; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shop at home select merchant redirect in progress"; flow:to_server,established; uricontent:"/frameset3.asp"; nocase; uricontent:"MID="; nocase; uricontent:"ruleID="; nocase; uricontent:"popupID="; nocase; uricontent:"doPopup="; nocase; uricontent:"version="; nocase; uricontent:"requested="; nocase; uricontent:"CustomerID="; nocase; uricontent:"owner="; nocase; uricontent:"refer="; nocase; uricontent:"LastPrefs="; uricontent:"GUID="; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:5809; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker marketscore runtime detection"; flow:to_server, established; content:"User-Agent|3A|"; nocase; content:"OSSProxy"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*OSSProxy/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=488; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=43974; classtype:misc-activity; sid:5760; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adultlinks runtime detection - ads"; flow:to_server,established; uricontent:"/exit/exit.html?act="; nocase; uricontent:".ADbar|3A|X"; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5748; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware warez_p2p runtime detection - ip.php request"; flow:to_server,established; uricontent:"/cache/ip.php"; nocase; content:"User-Agent|3A|"; nocase; content:"Warez"; distance:0; nocase; content:"Beta"; distance:0; nocase; content:"Client"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*Warez\s+Beta\s+Client/smi"; metadata:policy security-ips drop; reference:url,www.download.com/Warez-P2P/3640-2166_4-10417974.html; reference:url,www.spywareguide.com/product_list_category.php?category_id=12; classtype:misc-activity; sid:5848; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker searchfast detection - get toolbar cfg"; flow:to_server,established; uricontent:"/searchfast/"; nocase; uricontent:"/communicatortb"; nocase; uricontent:".cfg"; nocase; pcre:"/\x2Fsearchfast\x2F\d+\x2Fcommunicatortb\d+\.cfg/Ui"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5965; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker ezcybersearch runtime detection - add coolsites to ie favorites"; flow:to_server,established; uricontent:"/ezsb"; nocase; uricontent:"/bar_pl/fav.fcgi?"; nocase; uricontent:"aff_id="; nocase; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Ffav\.fcgi/Ui"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5756; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker dropspam runtime detection - search request 2"; flow:to_server,established; uricontent:"/search.cgi?"; nocase; uricontent:"tbid="; nocase; uricontent:"query="; nocase; content:"Host|3A|"; nocase; content:"search.dropspam.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*search\.dropspam\.com/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5934; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker searchfast detection - news ticker"; flow:to_server,established; uricontent:"/searchfast/ticker.xml"; nocase; content:"Host|3A|"; nocase; content:"www.thecommunicator.net"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*www\.thecommunicator\.net/smi"; threshold:type limit, track by_src, count 1, seconds 1800; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5961; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker isearch runtime detection - search in toolbar"; flow:to_server,established; uricontent:"/?"; nocase; uricontent:"qry_str="; nocase; uricontent:"src=tbi"; nocase; uricontent:"tid="; nocase; uricontent:"ref="; nocase; pcre:"/tid\x3D\x7B([0-9A-z]+\x2D){4}[0-9A-z]+\x7D/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5864; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker locatorstoolbar runtime detection - sidebar search"; flow:to_server,established; uricontent:"/search.php?"; nocase; uricontent:"sidebar=method"; nocase; uricontent:"que="; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5916; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPYWARE-PUT Keylogger gurl watcher runtime detection"; flow:to_server, established; content:"X-Mailer|3A|"; nocase; content:"GURL"; distance:0; nocase; content:"Watcher"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*GURL\s+Watcher/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=503; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080847; classtype:successful-recon-limited; sid:5777; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware weirdontheweb runtime detection - update notifier"; flow:to_server,established; uricontent:"/notifier/"; nocase; uricontent:"v="; nocase; uricontent:"b="; nocase; uricontent:"guid="; nocase; uricontent:"metadata="; nocase; content:"Host|3A|"; nocase; content:"www.weirdontheweb.net"; distance:0; nocase; pcre:"/\x2Fnotifier\x2F(configINTERNAL\.ini)|(update\.cgi)\?/Ui"; pcre:"/^Host\x3A[^\r\n]*www.weirdontheweb.net/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260; classtype:misc-activity; sid:5948; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT hijacker topfive searchassistant detection - side search"; flow:to_server,established; uricontent:"/index.php?"; nocase; uricontent:"st="; nocase; uricontent:"ldid="; nocase; uricontent:"fpid="; nocase; uricontent:"fdid="; nocase; uricontent:"prid="; nocase; uricontent:"tpid="; nocase; uricontent:"ttid="; nocase; uricontent:"tspid="; nocase; uricontent:"pn="; nocase; uricontent:"x="; nocase; uricontent:"y="; nocase; content:"Referer|3A|"; nocase; content:"ws1.appswebservice.com/index.php?tpid="; distance:0; nocase; pcre:"/^Referer\x3A[^\r\n]*http\x3A\x2F\x2Fws1\.appswebservice\.com\x2Findex\.php\?tpid=/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2645; classtype:misc-activity; sid:5976; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - check status"; flow:from_server,established; flowbits:isset,StealthRedirector_StatusCheck3; content:"TCP"; nocase; content:"Redirection"; distance:0; nocase; content:"is"; distance:0; nocase; pcre:"/^TCP\s+Redirection\s+is/smi"; flowbits:set,StealthRedirector_StatusCheck4; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; sid:5818; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT hijacker smart finder detection - search engines hijack"; flow:to_server,established; uricontent:"/gc/xsearch.php?"; nocase; uricontent:"qq="; nocase; uricontent:"pin="; nocase; uricontent:"v0="; nocase; content:"Host|3A|"; nocase; content:"presentsearch.net"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*presentsearch\.net/smi"; threshold:type limit, track by_src, count 1, seconds 900; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2165; classtype:misc-activity; sid:5973; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPYWARE-PUT Snoopware pc acme pro runtime detection"; flow:to_server,established; flowbits:isset,PCAcmePro; content:"Attached"; nocase; content:"file"; distance:0; nocase; content:"is"; distance:0; nocase; content:"PC"; distance:0; nocase; content:"Acme"; distance:0; nocase; content:"report"; distance:0; nocase; pcre:"/Attached\s+file\s+is\s+PC\s+Acme\s+report/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2271; classtype:successful-recon-limited; sid:5874; rev:3;)
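Added example, not part of the rules file and not Snort's own code: a small Python parser for the rule syntax used above (rule header, `;`-separated options with quoted values, `|XX|` hex escapes inside `content`, and the `/pattern/flags` form of `pcre`), plus a simplified matcher that replays the marketscore rule (sid 5760) against a constructed HTTP request. The `split_rules` helper recovers one rule per line from text where rules were run together as `)alert ...`, as this page shows them. The two rules in `RULES_BLOB` are copied verbatim from the page; the request bodies, the host name and all function names are constructed for the example. The matcher deliberately simplifies Snort: `uricontent` is checked against the raw payload rather than the normalised URI buffer, only `nocase` and `distance` are honoured as content modifiers, and `flow`, `flowbits`, `threshold` and `metadata` are parsed but not enforced.

```python
import re

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$', re.S)


def split_options(body):
    """Split a rule option body on ';' outside double quotes -> [(keyword, value or None)]."""
    tokens, buf, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and in_quotes and i + 1 < len(body):   # keep escapes such as \" intact
            buf.append(ch + body[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            tokens.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    tokens.append(''.join(buf).strip())
    out = []
    for tok in tokens:
        if tok:
            key, sep, val = tok.partition(':')
            out.append((key.strip(), val.strip() if sep else None))
    return out


def decode_content(value):
    """Turn a quoted content string with |XX XX| hex blocks into the bytes Snort would search for."""
    text = value.strip()
    if text.startswith('!'):                      # negated content; negation is not evaluated here
        text = text[1:].strip()
    text = text.strip('"')
    out = bytearray()
    for i, part in enumerate(text.split('|')):   # odd-numbered parts sit between pipe characters
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)


def parse_rule(line):
    """Parse one Snort rule into header fields, the ordered option list and a few named fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not a Snort rule: %r' % line[:60])
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    opts = rule['options'] = split_options(m.group('opts'))
    rule['sid'] = next((int(v) for k, v in opts if k == 'sid'), None)
    rule['msg'] = next((v.strip('"') for k, v in opts if k == 'msg'), None)
    rule['classtype'] = next((v for k, v in opts if k == 'classtype'), None)
    rule['references'] = [v for k, v in opts if k == 'reference']
    return rule


def split_rules(blob):
    """Recover one rule per entry from text where rules were run together as ')alert ...'."""
    return [r.strip() for r in re.split(r'(?<=\))\s*(?=alert\s)', blob) if r.strip()]


def build_matchers(options):
    """Attach each nocase/distance modifier to the content or uricontent option it follows."""
    matchers = []
    for key, val in options:
        if key in ('content', 'uricontent'):
            matchers.append({'pattern': decode_content(val), 'nocase': False, 'distance': None})
        elif key == 'nocase' and matchers:
            matchers[-1]['nocase'] = True
        elif key == 'distance' and matchers:
            matchers[-1]['distance'] = int(val)
    return matchers


def pcre_to_python(value):
    """Compile a pcre:"/.../flags" option as a bytes regex; only the i, s and m flags are mapped."""
    text = value.strip().strip('"')
    if text.startswith('!'):
        text = text[1:]
    end = text.rfind('/')
    pattern, flags = text[1:end], text[end + 1:]
    f = (re.IGNORECASE if 'i' in flags else 0) | (re.DOTALL if 's' in flags else 0)
    f |= re.MULTILINE if 'm' in flags else 0      # Snort-specific flags (U, R, B, ...) are ignored
    return re.compile(pattern.encode('latin-1'), f)


def match_payload(rule, payload):
    """True when every content match succeeds in order (honouring distance) and every pcre hits."""
    pos = 0
    for m in build_matchers(rule['options']):
        hay, needle = (payload.lower(), m['pattern'].lower()) if m['nocase'] else (payload, m['pattern'])
        start = pos + m['distance'] if m['distance'] is not None else 0   # distance is relative
        idx = hay.find(needle, start)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return all(pcre_to_python(v).search(payload) for k, v in rule['options'] if k == 'pcre')


# Two rules copied verbatim from the SPYWARE-PUT set above (sids 5760 and 5907), run together
# the way the page shows them, so that split_rules() has something to separate.
RULES_BLOB = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker marketscore runtime detection"; '
    'flow:to_server, established; content:"User-Agent|3A|"; nocase; content:"OSSProxy"; distance:0; nocase; '
    'pcre:"/^User-Agent\\x3A[^\\r\\n]*OSSProxy/smi"; threshold:type limit, track by_src, count 1, seconds 300; '
    'metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=488; '
    'reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=43974; classtype:misc-activity; sid:5760; rev:2;)'
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware e2give runtime detection - check update"; '
    'flow:to_server,established; uricontent:"/go/check?"; nocase; uricontent:"build="; nocase; uricontent:"source="; nocase; '
    'content:"Host|3A|"; nocase; content:"e2give.com"; distance:0; nocase; pcre:"/^Host\\x3A[^\\r\\n]*e2give\\.com/smi"; '
    'metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; '
    'reference:url,www.spywareguide.com/product_show.php?id=1226; '
    'reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5907; rev:3;)'
)

# Constructed HTTP requests (not captured traffic): one carries the User-Agent sid 5760 looks for,
# the other is an ordinary browser request that must not fire.
HIT_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: OSSProxy/1.0 (constructed sample)\r\n\r\n")
BENIGN_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: Mozilla/5.0 (constructed sample)\r\n\r\n")


def demo():
    """Parse the blob, index rules by sid and replay sid 5760 against both constructed requests."""
    by_sid = {r['sid']: r for r in (parse_rule(line) for line in split_rules(RULES_BLOB))}
    return {'sids': sorted(by_sid),
            'hit': match_payload(by_sid[5760], HIT_REQUEST),
            'benign': match_payload(by_sid[5760], BENIGN_REQUEST)}


if __name__ == '__main__':
    print(demo())
```

Running the module prints the sids recovered from the blob and the verdict for each request; the ordering logic in `match_payload` is the part worth studying, since a `distance:0` content in Snort is only searched after the previous match, which is why the rules above pair `Host|3A|` with a relative host-name match rather than searching the whole payload twice.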
