# SPYWARE-PUT rules: signatures for adware / trackware / hijacker call-home traffic
# (mostly outbound HTTP from $HOME_NET to $EXTERNAL_NET on $HTTP_PORTS) plus two
# flowbit-setting helpers for non-HTTP tools.
#
# Conventions used throughout this block (Snort 2 rule syntax, one rule per line):
#   - uricontent inspects the normalized request URI produced by the HTTP
#     preprocessor; content inspects the raw payload. "nocase" applies only to the
#     content/uricontent immediately before it.
#   - "content:"Host|3A|"" / "content:"User-Agent|3A|"" followed by a second
#     content with "distance:0" is the fast pre-filter; the trailing pcre
#     "/^Header\x3A[^\r\n]*token/smi" re-checks that the token sits on that same
#     header line, so a hostname or UA fragment elsewhere in the request does not
#     satisfy the rule on its own.
#   - "threshold:type limit, track by_src, count 1, seconds N" emits at most one
#     alert per source address per N seconds for that sid. NOTE(review): in-rule
#     threshold is deprecated in newer Snort 2 releases in favour of
#     detection_filter / event_filter - confirm against the target version.
#   - "metadata:policy <name> drop" only marks which shipped policies drop on this
#     rule; the rule action as written here is "alert".
#   - The reference URLs point at third-party vendor write-ups; presumably several
#     no longer resolve - verify before relying on them for triage.
#
# Review notes (no rule text changed; bump "rev" if any of these are acted on):
#   - sid:5914 pcre uses "[A-z0-9]+". The A-z range also admits "[", "\", "]", "^",
#     "_" and "`". If only letters and digits were intended the class should be
#     "[A-Za-z0-9]+"; left as-is because "_" in the filename may be intentional.
#   - sid:5928: "uricontent:"z="" and "uricontent:"c="" lack "nocase" while every
#     sibling parameter has it - confirm whether that asymmetry is deliberate.
#   - sid:5911: "flow:to_server, established" has a space after the comma, unlike
#     every other rule here - confirm the rule parser of the target version
#     tolerates it.
#   - sid:5904 / sid:5902 / sid:5796: the User-Agent tokens ("DA", "My"+"AppName")
#     are very short; the specificity comes from the uricontent, not the UA check.
#   - sid:5895 and sid:5817 set a flowbit with "flowbits:noalert"; the partner rule
#     that tests the bit is not in this block. sid:5817 is "any -> any" on a
#     5-byte content, so it is evaluated on every established inbound TCP flow -
#     cheap per packet but worth knowing when profiling.
#   - sid:5891 uses content (raw payload) for the same shopnav path that sid:5890
#     matches with uricontent; presumably the parameters travel in the request
#     body rather than the URI - confirm before "normalising" it to uricontent.

# Download Accelerator Plus: file-download call-home, keyed on the MirrorSearch.dll URI plus a "DA" User-Agent token.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware download accelerator plus runtime detection - download files"; flow:to_server,established; uricontent:"/cgi-bin/MirrorSearch.dll?"; nocase; content:"User-Agent|3A|"; nocase; content:"DA"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*DA/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5904; rev:3;)
# AdTools Communicator self-update: selfupdate.asp URI with i=/v=/FI= parameters and an "AdTools" User-Agent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware adtools-communicator runtime detection - download self-update"; flow:to_server,established; uricontent:"/clientcontent/StewieGriffin/selfupdate.asp?"; nocase; uricontent:"i="; nocase; uricontent:"v="; nocase; uricontent:"FI="; nocase; content:"User-Agent|3A|"; nocase; content:"AdTools"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*AdTools/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798; classtype:successful-recon-limited; sid:5901; rev:4;)
# KeenValue: /ping.html beacon with a "My<ws>AppName" User-Agent; rate-limited to one alert per source per 600 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware keenvalue runtime detection"; flow:to_server,established; uricontent:"/ping.html"; nocase; content:"User-Agent|3A|"; nocase; content:"My"; distance:0; nocase; content:"AppName"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*My\s+AppName/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094138; classtype:misc-activity; sid:5796; rev:2;)
# MyWay Speedbar / MyWebSearch toolbar: /tr.js tracking request to a myway.com Host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar runtime detection - track activity 1"; flow:to_server,established; uricontent:"/tr.js?"; nocase; uricontent:"a="; nocase; uricontent:"r="; nocase; content:"Host|3A|"; nocase; content:"myway.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*myway\.com/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5801; rev:3;)
# ShopNav self-update (1 of 2): reg.php URI carrying host-fingerprint parameters (IpAddr, OS, registry state, PCID); URI-only, no Host check.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shopnav runtime detection - self-update request 1"; flow:to_server,established; uricontent:"/9899/srng/reg.php?"; nocase; uricontent:"IpAddr="; nocase; uricontent:"OS="; nocase; uricontent:"RegistryChanged="; nocase; uricontent:"RegistryUpdate="; nocase; uricontent:"Basedir="; nocase; uricontent:"SrngInstalled="; nocase; uricontent:"SrngVer="; nocase; uricontent:"PCID="; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5890; rev:2;)
# ANWB toolbar: /weer.xml fetch to toolbar.anwb.nl, additionally requiring anwbtrack= and ANWBWebService= cookie values (the bare "Cookie" content is not anchored to the header name with |3A|).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware anwb toolbar runtime detection - display advertisement"; flow:to_server,established; uricontent:"/weer.xml"; nocase; content:"Host|3A|"; nocase; content:"toolbar.anwb.nl"; distance:0; nocase; content:"Cookie"; nocase; content:"anwbtrack="; distance:0; nocase; content:"ANWBWebService="; distance:0; nocase; pcre:"/^Host\x3A\stoolbar\.anwb\.nl/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1139; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078342; classtype:successful-recon-limited; sid:5980; rev:2;)
# "Painter" hijacker: search redirect (aff=, q=) to www.klikvipsearch.com. Not thresholded.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker painter runtime detection - redirect to klikvipsearch"; flow:to_server,established; uricontent:"/search.php?"; nocase; uricontent:"aff="; nocase; uricontent:"q="; nocase; content:"Host|3A|"; nocase; content:"www.klikvipsearch.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*www\.klikvipsearch\.com/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2730; classtype:misc-activity; sid:5919; rev:2;)
# CashBar stats beacon: connect.cgi with usr=, title=CashSurfers and url= parameters; URI-only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware cashbar runtime detection - stats track"; flow:to_server,established; uricontent:"/cgi-bin/connect.cgi?"; nocase; uricontent:"usr="; nocase; uricontent:"title=CashSurfers"; nocase; uricontent:"url="; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5932; rev:4;)
# Timbuktu Pro helper (inbound, TCP/407): matches a 2-byte |00 01| prefix and |00|R|00|% at offset 4, then only sets flowbit Timbuktu_Pro_TCPPort_407 (noalert); a partner rule outside this block consumes the bit.
alert tcp $EXTERNAL_NET any -> $HOME_NET 407 (msg:"SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - tcp port 407"; flow:to_server,established; content:"|00 01|"; depth:2; content:"|00|R|00|%"; offset:4; flowbits:set,Timbuktu_Pro_TCPPort_407; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; sid:5895; rev:2;)
# ShopNav self-update (2 of 2): jrnl.php followed by PCID=/OS=/Category=/Field=/Description= chained with distance:0 in the raw payload (see review note on content vs uricontent).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shopnav runtime detection - self-update request 2"; flow:to_server,established; content:"/9899/srng/jrnl.php"; nocase; content:"PCID="; distance:0; nocase; content:"OS="; distance:0; nocase; content:"Category="; distance:0; nocase; content:"Field="; distance:0; nocase; content:"Description="; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5891; rev:2;)
# RaxSearch pop-up: /search.m with a=, q=, r=rxh to www.raxsearch.com. Not thresholded.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker raxsearch detection - pop-up raxsearch window"; flow:to_server,established; uricontent:"/search.m?"; nocase; uricontent:"a="; nocase; uricontent:"q="; nocase; uricontent:"r=rxh"; nocase; content:"Host|3A|"; nocase; content:"www.raxsearch.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*www\.raxsearch\.com/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2485; classtype:misc-activity; sid:5960; rev:2;)
# PC ActMon Pro keylogger: /index_a.htm request with an "ActMon" User-Agent token.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT keylogger pc actmon pro runtime detection - http"; flow:to_server,established; uricontent:"/index_a.htm"; nocase; content:"User-Agent|3A|"; nocase; content:"ActMon"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*ActMon/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1989; classtype:successful-recon-limited; sid:5789; rev:2;)
# Push toolbar install-time upload: /stats/stats.cgi with a userFile= field (raw content, so it may be in the body) to a push.com Host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware push toolbar installtime detection - user information collect"; flow:to_server,established; uricontent:"/stats/stats.cgi"; nocase; content:"userFile="; nocase; content:"Host|3A|"; nocase; content:"push.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*push\x2Ecom/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1786; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079100; classtype:successful-recon-limited; sid:5984; rev:3;)
# Warez P2P client home page: /home.php with ver=, co=, NewUser= and info=WDC; URI-only, not thresholded.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware warez_p2p runtime detection - p2p client home"; flow:to_server,established; uricontent:"/home.php?"; nocase; uricontent:"ver="; nocase; uricontent:"co="; nocase; uricontent:"NewUser="; nocase; uricontent:"info=WDC"; nocase; metadata:policy security-ips drop; reference:url,www.download.com/Warez-P2P/3640-2166_4-10417974.html; reference:url,www.spywareguide.com/product_list_category.php?category_id=12; classtype:misc-activity; sid:5847; rev:2;)
# OfferAgent version/config check: /103/co.aspx with guid=, cv=, cfv=, sfv=, ciso= to dist.atlas-ia.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware offeragent runtime detection - information checking"; flow:to_server,established; uricontent:"/103/co.aspx?"; nocase; uricontent:"guid="; nocase; uricontent:"cv="; nocase; uricontent:"cfv="; nocase; uricontent:"sfv="; nocase; uricontent:"ciso="; nocase; content:"Host|3A|"; nocase; content:"dist.atlas-ia.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*dist\x2Eatlas\x2Dia\x2Ecom/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096710; classtype:misc-activity; sid:5995; rev:2;)
# SearchFast toolbar: /data? query (cli=, dat=nsa, ver=visicom, uid=, url=) to xml.alexa.com. Not thresholded; the url= parameter carries the browsed page.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker searchfast detection - track user activity & get 'relates links' of the toolbar"; flow:to_server,established; uricontent:"/data?"; nocase; uricontent:"cli="; nocase; uricontent:"dat=nsa"; nocase; uricontent:"ver=visicom"; nocase; uricontent:"uid="; nocase; uricontent:"url="; nocase; content:"Host|3A|"; nocase; content:"xml.alexa.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*xml\.alexa\.com/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5964; rev:2;)
# AdultLinks hit logger: /cgi-bin/hits/log.cgi/ path containing ".ADbar:X"; URI-only, no Host check, not thresholded.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adultlinks runtime detection - log hits"; flow:to_server,established; uricontent:"/cgi-bin/hits/log.cgi/"; nocase; uricontent:".ADbar|3A|X"; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5747; rev:2;)
# VX2 / DLmax / BestOffers / Aurora trickler: /a/Drk.syn with a long list of ad-state parameters (cookie1..4, InstID, bho, ...); URI-only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler VX2/DLmax/BestOffers/Aurora runtime detection"; flow:to_server,established; uricontent:"/a/Drk.syn"; nocase; uricontent:"adcontext="; nocase; uricontent:"countrycodein="; nocase; uricontent:"lastAdTime="; nocase; uricontent:"lastAdCode="; nocase; uricontent:"cookie1="; nocase; uricontent:"cookie2="; nocase; uricontent:"cookie3="; nocase; uricontent:"cookie4="; nocase; uricontent:"InstID="; nocase; uricontent:"status="; nocase; uricontent:"smode="; nocase; uricontent:"bho="; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.geekstogo.com/forum/Aurora_spyware_Nailexe-t24344.html; reference:url,www.spywareguide.com/product_show.php?id=1646; reference:url,www.spywareguide.com/product_show.php?id=2012; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076992; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453089623; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096297; classtype:misc-activity; sid:5846; rev:5;)
# BroadcastURBAN tuner: /newsurfer4/ prefix, with the pcre (U flag = normalized URI) narrowing to register.asp or survey.asp?nUserId=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware broadcasturban tuner runtime detection - pass user info to server"; flow:to_server,established; uricontent:"/newsurfer4/"; nocase; pcre:"/\x2Fnewsurfer4\x2F((register\.asp)|(survey\.asp\?nUserId=))/Ui"; metadata:policy security-ips drop; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:misc-activity; sid:5826; rev:2;)
# CashBar ad request: /ads.aspx with s=, z=, f=, c=, n=, ns= to ads.grokads.com; one alert per source per 1200 s. (See review note: z= and c= have no nocase.)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware cashbar runtime detection - ads request"; flow:to_server,established; uricontent:"/ads.aspx?"; nocase; uricontent:"s="; nocase; uricontent:"z="; uricontent:"f="; nocase; uricontent:"c="; uricontent:"n="; nocase; uricontent:"ns="; nocase; content:"Host|3A|"; nocase; content:"ads.grokads.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*ads\.grokads\.com/smi"; threshold:type limit, track by_src, count 1, seconds 1200; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5928; rev:2;)
# StealthRedirector helper (inbound, any port): "/STAT" in the first 5 payload bytes only sets flowbit StealthRedirector_StatusCheck3 (noalert); the consuming rule is outside this block.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - check status"; flow:to_server,established; content:"/STAT"; depth:5; nocase; flowbits:set,StealthRedirector_StatusCheck3; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; sid:5817; rev:2;)
# Iggsey toolbar: fixed /Browser/CT48638/1_Simpleticker.htm path; URI-only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware iggsey toolbar detection - simpleticker.htm request"; flow:to_server,established; uricontent:"/Browser/CT48638/1_Simpleticker.htm"; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2463; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094796; classtype:successful-recon-limited; sid:5949; rev:2;)
# LocatorsToolbar config download: /download/toolbar/locatorstoolbar<suffix>.php; the pcre runs on the raw payload (no U flag). See review note on the "[A-z0-9]" class.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker locatorstoolbar runtime detection - configuration download"; flow:to_server,established; uricontent:"/download/toolbar/locatorstoolbar"; nocase; pcre:"/\x2Fdownload\x2Ftoolbar\x2Flocatorstoolbar[A-z0-9]+\x2Ephp/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5914; rev:2;)
# ZapSpot pop-up frame: /cbb/frame.asp with cbb= and ver= to www.zapspot.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware zapspot runtime detection - pop up ads"; flow:to_server,established; uricontent:"/cbb/frame.asp?"; nocase; uricontent:"cbb="; nocase; uricontent:"ver="; nocase; content:"Host|3A|"; nocase; content:"www.zapspot.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*www\x2Ezapspot\x2Ecom/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1714; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075441; classtype:misc-activity; sid:5865; rev:2;)
# SmartPops ad fetch: /adserv/GetAd.pl with sid=, pid=, lid=, rfs=, kw=, uri=, sn=, cv=, mdm=; URI-only, not thresholded. (See review note on the space inside flow:.)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware smartpops runtime detection"; flow:to_server, established; uricontent:"/adserv/GetAd.pl"; nocase; uricontent:"sid="; nocase; uricontent:"pid="; nocase; uricontent:"lid="; nocase; uricontent:"rfs="; nocase; uricontent:"kw="; nocase; uricontent:"uri="; nocase; uricontent:"sn="; nocase; uricontent:"cv="; nocase; uricontent:"mdm="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1910; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074758; classtype:misc-activity; sid:5911; rev:3;)
# Download Accelerator Plus: start-up ad request to /cgi-bin/ads9.dll?R= with the same "DA" User-Agent check as sid:5904.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware download accelerator plus runtime detection - startup"; flow:to_server,established; uricontent:"/cgi-bin/ads9.dll?R="; nocase; content:"User-Agent|3A|"; nocase; content:"DA"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*DA/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5902; rev:3;)