
spyware-put.rules

This is a snapshot of the latest Snort rules, SPYWARE-PUT category (page 1 of 5).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware broadcastpc runtime detection - get up-to-date movie/tv/ad information"; flow:to_server,established; uricontent:"/client/"; nocase; uricontent:".aspx"; nocase; content:"User-Agent|3A|"; nocase; content:".NET"; distance:0; nocase; content:"CLR"; distance:0; nocase; content:"Host|3A|"; nocase; content:"www.broadcastpc.tv"; distance:0; nocase; pcre:"/\x2Fclient\x2F(view|tvlistings|tvshowtickets|movietickets)\x2Easpx/Ui"; pcre:"/^User-Agent\x3A[^\r\n]*\.NET\s+CLR.*Host\x3A[^\r\n]*www\.broadcastpc\.tv/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=738; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074364; classtype:misc-activity; sid:5990; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware browserpal runtime detection - adblocker function"; flow:to_server,established; uricontent:"/perl/adblocker.pl"; nocase; content:"User-Agent|3A|"; nocase; content:"Popup"; distance:0; nocase; content:"Stopper"; distance:0; nocase; content:"|28|BDLL|29|"; distance:0; nocase; content:"Agent"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*Popup\s+Stopper\s+\x28BDLL\x29\s+Agent/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074906; classtype:successful-recon-limited; sid:5955; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT trackware searchinweb detection - collect information"; flow:to_server,established; uricontent:"/r?X="; nocase; content:"Referer|3A|"; nocase; content:"www.searchinweb.com/search.php?said=bar&q="; distance:0; nocase; content:"Host|3A|"; nocase; content:"c.goclick.com"; distance:0; nocase; pcre:"/^Referer\x3A[^\r\n]*http\x3A\x2F\x2Fwww\.searchinweb\.com\x2Fsearch\.php\?said=bar.*Host\x3A[^\r\n]*c\.goclick\.com/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1787; classtype:successful-recon-limited; sid:5969; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shop at home search merchant redirect check"; flow:to_server,established; uricontent:"/GR_check_site.html"; nocase; content:"User-Agent|3A|"; nocase; content:"SAH"; distance:0; nocase; content:"Agent"; distance:0; nocase; pcre:"/^User-Agent\x3A\s*SAH\*Agent/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:5808; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker isearch runtime detection - search hijack 2"; flow:to_server,established; uricontent:"/phrase.php?"; nocase; uricontent:"text="; nocase; uricontent:"tid="; nocase; uricontent:"ref="; nocase; pcre:"/tid\x3D\x25toolbar\x5Fid.*ref\x3D\x25user\x5Fid/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5863; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware hithopper runtime detection - click toolbar buttons"; flow:to_server, established; uricontent:"/xml/toolbar/"; nocase; content:"Host|3A|"; nocase; content:"www.hithopper.com"; distance:0; nocase; pcre:"/\x2Fxml\x2Ftoolbar\x2F(sports)|(news)|(horoscope2)|(horoscope)|(weather2)|(weather)\.php/Ui"; pcre:"/^Host\x3A[^\r\n]*www\.hithopper\.com/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=746; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079; classtype:misc-activity; sid:5788; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker locatorstoolbar runtime detection - toolbar search"; flow:to_server,established; uricontent:"/dir/"; nocase; content:"Host|3A|"; nocase; content:"www.locators.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*www\x2Elocators\x2Ecom/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5917; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware praizetoolbar runtime detection"; flow:to_server,established; uricontent:"/toolbar/"; nocase; content:"Host|3A|"; nocase; content:"www.praize.com"; distance:0; nocase; pcre:"/\x2Ftoolbar\x2F((version\x2Etxt)|(notifytoolbar\x2Ehtml))/smi"; pcre:"/^Host\x3A[^\r\n]*www\x2Epraize\x2Ecom/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1812; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079048; classtype:misc-activity; sid:5858; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware active shopper runtime detection - check"; flow:to_server,established; uricontent:"/check.asp?"; nocase; uricontent:"search="; nocase; uricontent:"dom="; nocase; content:"Host|3A|"; nocase; content:"sidebar.activeshopper.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*sidebar\.activeshopper\.com/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2410; classtype:misc-activity; sid:5925; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - email notification"; flow:to_server,established; content:"From|3A|"; nocase; content:"|22|Stealth"; distance:0; nocase; content:"Redirector|22|"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"My"; distance:0; nocase; content:"IP"; distance:0; nocase; content:"address"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*\x22Stealth\s+Redirector\x22.*Subject\x3A[^\r\n]*My\s+IP\s+Address/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5812; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker comet systems runtime search detection - search request 1"; flow:to_server,established; uricontent:"/dp/search?"; nocase; uricontent:"product="; nocase; uricontent:"src_id="; nocase; uricontent:"it="; nocase; uricontent:"client_id="; nocase; uricontent:"version="; nocase; uricontent:"qry="; nocase; content:"Host|3A|"; nocase; content:"as.cometsystems.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*as\.cometsystems\.com/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=428; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088065; classtype:misc-activity; sid:5832; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - check status"; flow:from_server,established; flowbits:isset,StealthRedirector_StatusCheck4; content:"FTP"; nocase; content:"Redirection"; distance:0; nocase; content:"is"; distance:0; nocase; pcre:"/^FTP\s+Redirection\s+is/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5819; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware download accelerator plus runtime detection - get ads"; flow:to_server,established; uricontent:"/cgi-bin/ads9.dll?"; nocase; uricontent:"HTML="; nocase; uricontent:"DAUI="; nocase; uricontent:"INC="; nocase; uricontent:"DL="; nocase; uricontent:"CX="; nocase; uricontent:"CY="; nocase; uricontent:"IIA="; nocase; uricontent:"IIG="; nocase; uricontent:"IIP="; nocase; uricontent:"III="; nocase; uricontent:"V="; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5903; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Dialer stripplayer runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Strip-Player"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*Strip-Player/smi"; threshold:type limit, track by_src, count 1, seconds 60; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=455; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072548; classtype:misc-activity; sid:5824; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Snoopware hyperlinker runtime detection"; flow:to_server,established; uricontent:"/lm/rtl3i.asp"; nocase; uricontent:"si="; nocase; uricontent:"k="; nocase; content:"Host|3A|"; nocase; content:"www.serverlogic3.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*www\x2Eserverlogic3\x2Ecom/smi"; metadata:policy security-ips drop; reference:url,www.doxdesk.com/parasite/Hyperlinker.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090785; classtype:successful-recon-limited; sid:5872; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Other-Technologies saria 1.0 runtime detection - send user information"; flow:to_server, established; uricontent:"op="; nocase; uricontent:"vic="; nocase; uricontent:"ip="; nocase; uricontent:"port="; nocase; uricontent:"pass="; nocase; pcre:"/pass=(YAHOO|(XP\s+)?MSN|PALTALK)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080923; classtype:misc-activity; sid:5883; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker begin2search runtime detection - pass information"; flow:to_server, established; uricontent:"/client/fcgi/stats-post2.fcgi"; nocase; content:"User-Agent|3A|"; nocase; content:"WebConnLib"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*WebConnLib/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5768; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker searchfast detection - catch search keyword"; flow:to_server,established; uricontent:"/keyword.php?"; nocase; uricontent:"installID="; nocase; uricontent:"keyword="; nocase; uricontent:"partnerID="; nocase; uricontent:"partnerReferID="; nocase; content:"Host|3A|"; nocase; content:"searchfst.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*searchfst\.com/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5962; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hacker-Tool ghostvoice 1.02 icq notification of server installation"; flow:to_server,established; uricontent:"/scripts/WWPMsg.dll"; nocase; content:"from=GhostVoiceServer"; nocase; content:"fromemail="; distance:0; nocase; content:"subject=GhostVoice"; distance:0; nocase; content:"Online"; distance:0; nocase; content:"body="; distance:0; nocase; content:"to="; distance:0; nocase; content:"Send="; distance:0; nocase; pcre:"/^from=GhostVoiceServer[^\r\n]*fromemail=[^\r\n]*subject=GhostVoice\s+Online[^\r\n]*body=[^\r\n]*to=[^\r\n]*Send=/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1970; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073224; classtype:misc-activity; sid:5956; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware download accelerator plus runtime detection - update"; flow:to_server,established; uricontent:"/cgi-bin/update.dll?"; nocase; content:"User-Agent|3A|"; nocase; content:"dapupd"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*dapupd/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5906; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT hijacker smart finder detection - track hits"; flow:to_server,established; uricontent:"/cnt/hp?"; nocase; content:"Host|3A|"; nocase; content:"www.trackhits.cc"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*www\.trackhits\.cc/smi"; threshold:type limit, track by_src, count 1, seconds 900; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2165; classtype:misc-activity; sid:5971; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker sep runtime detection"; flow:to_server,established; uricontent:"/ad/?"; nocase; uricontent:"st="; nocase; uricontent:"SE="; nocase; uricontent:"SID="; nocase; content:"Host|3A|"; nocase; content:"www.searchreslt.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*www\x2Esearchreslt\x2Ecom/smi"; metadata:policy security-ips drop; reference:url,process.networktechs.com/sep.dll.php; classtype:misc-activity; sid:5840; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT hijacker topfive searchassistant detection - post user information to server"; flow:to_server,established; content:"/downloads/rs.asp?"; nocase; content:"u="; distance:0; nocase; content:"p="; distance:0; nocase; content:"b="; distance:0; nocase; content:"c="; distance:0; nocase; content:"v="; distance:0; nocase; content:"o="; distance:0; nocase; content:"s="; distance:0; nocase; content:"User-Agent|3A|"; nocase; content:"TM_SEARCH3"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*TM_SEARCH3/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2645; classtype:misc-activity; sid:5977; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware adtools-communicator runtime detection - collect information"; flow:to_server,established; content:"yourname="; nocase; content:"youremail="; distance:0; nocase; content:"recipname="; distance:0; nocase; content:"recipemail="; distance:0; nocase; content:"AD="; distance:0; nocase; content:"User-Agent|3A|"; nocase; content:"Async"; distance:0; nocase; content:"HTTP"; distance:0; nocase; content:"Agent"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*Async\s+HTTP\s+Agent/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798; classtype:successful-recon-limited; sid:5900; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware alexa runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Alexa"; distance:0; nocase; content:"Toolbar"; distance:0; n
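Every rule above ANDs a set of `uricontent`/`content` matches with one or two `pcre` options, and the `msg` tells you nothing about whether those options actually fit together. The Python harness below is an added example, not part of this rule snapshot or of Snort: it parses the sid, content, uricontent and pcre options of two rules copied from the page (sid 5990 and sid 5788), maps the Snort pcre modifiers (`s`, `m`, `i` to `re` flags; `U`/`I` to the URI buffer) onto Python's `re`, and reports the per-option verdicts against constructed HTTP requests. Its simplifications are assumptions stated in the code: relative placement (`distance`/`within`) is not enforced, the raw request-URI stands in for Snort's normalised URI buffer, and `flow`, `threshold` and `metadata` are not evaluated. It also carries the check a reviewer wants on every alternation-based pcre: the first pcre of sid 5788 puts `(news)`, `(weather)` and the other alternatives at the top level, outside the `\x2Fxml\x2Ftoolbar\x2F` prefix, so on its own it matches any URI containing one of those words, and the rule's precision rests entirely on its `uricontent` and `Host` options.

```python
"""Check Snort rule options against constructed HTTP requests, offline.
Added example, not part of the spyware-put.rules snapshot or of Snort. Assumed
simplifications: distance/within/offset relative placement is ignored, uricontent is
matched against the raw request-URI (no Snort URI normalisation), and the flow,
threshold and metadata options are not evaluated."""
import re
from dataclasses import dataclass, field

# Two rules copied verbatim from the snapshot above (sid 5990 and sid 5788).
SAMPLE_RULES = [
    r'''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware broadcastpc runtime detection - get up-to-date movie/tv/ad information"; flow:to_server,established; uricontent:"/client/"; nocase; uricontent:".aspx"; nocase; content:"User-Agent|3A|"; nocase; content:".NET"; distance:0; nocase; content:"CLR"; distance:0; nocase; content:"Host|3A|"; nocase; content:"www.broadcastpc.tv"; distance:0; nocase; pcre:"/\x2Fclient\x2F(view|tvlistings|tvshowtickets|movietickets)\x2Easpx/Ui"; pcre:"/^User-Agent\x3A[^\r\n]*\.NET\s+CLR.*Host\x3A[^\r\n]*www\.broadcastpc\.tv/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=738; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074364; classtype:misc-activity; sid:5990; rev:2;)''',
    r'''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware hithopper runtime detection - click toolbar buttons"; flow:to_server, established; uricontent:"/xml/toolbar/"; nocase; content:"Host|3A|"; nocase; content:"www.hithopper.com"; distance:0; nocase; pcre:"/\x2Fxml\x2Ftoolbar\x2F(sports)|(news)|(horoscope2)|(horoscope)|(weather2)|(weather)\.php/Ui"; pcre:"/^Host\x3A[^\r\n]*www\.hithopper\.com/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=746; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079; classtype:misc-activity; sid:5788; rev:2;)''',
]
# Snort pcre modifiers that map onto Python re flags; U/I select the URI buffer instead.
SNORT_FLAGS = {"i": re.I, "s": re.S, "m": re.M, "x": re.X}


@dataclass
class Rule:
    sid: int
    contents: list = field(default_factory=list)  # [text, nocase, uri_only] per (uri)content
    pcres: list = field(default_factory=list)     # (compiled, uri_only, source) per pcre


def _options(rule_text):
    """Yield (keyword, value) from the parenthesised option list; ';' inside quotes is data."""
    body = rule_text[rule_text.index("(") + 1:rule_text.rindex(")")]
    cur, quoted, escaped = [], False, False
    for ch in body:
        if ch == ";" and not quoted:
            opt, cur = "".join(cur).strip(), []
            if opt:
                key, _, val = opt.partition(":")
                yield key.strip(), val.strip()
            continue
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        cur.append(ch)


def _unhex(s):
    """Decode Snort |hex| byte runs, e.g. 'Host|3A|' -> 'Host:'."""
    return re.sub(r"\|([0-9A-Fa-f ]+)\|", lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), s)


def parse_rule(rule_text):
    rule = Rule(sid=0)
    for key, val in _options(rule_text):
        if key == "sid":
            rule.sid = int(val)
        elif key in ("content", "uricontent"):
            rule.contents.append([_unhex(val.strip('"')), False, key == "uricontent"])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True  # modifier applies to the preceding content
        elif key == "pcre":
            m = re.fullmatch(r'"/(.*)/([A-Za-z]*)"', val)
            flags = sum(SNORT_FLAGS.get(mod, 0) for mod in m.group(2))
            uri_only = "U" in m.group(2) or "I" in m.group(2)
            rule.pcres.append((re.compile(m.group(1), flags), uri_only, m.group(0)))
    return rule


def request_uri(request):
    """Request-URI from the request line, e.g. 'GET /path HTTP/1.1'."""
    return request.split("\r\n", 1)[0].split(" ")[1]


def evaluate(rule, request):
    """Per-option verdicts; Snort ANDs them, so the rule fires only if every value is True."""
    uri = request_uri(request)
    verdicts = {}
    for text, nocase, uri_only in rule.contents:
        hay = uri if uri_only else request
        verdicts[("uricontent:" if uri_only else "content:") + text] = (
            text.lower() in hay.lower() if nocase else text in hay)
    for rx, uri_only, source in rule.pcres:
        verdicts["pcre:" + source] = rx.search(uri if uri_only else request) is not None
    return verdicts


def rule_fires(rule, request):
    return all(evaluate(rule, request).values())


# Constructed sample traffic: one true positive per rule plus a benign request.
REQ_BROADCASTPC = ("GET /client/tvlistings.aspx HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; "
                   "MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)\r\nHost: www.broadcastpc.tv\r\n\r\n")
REQ_HITHOPPER = "GET /xml/toolbar/weather2.php HTTP/1.1\r\nHost: www.hithopper.com\r\n\r\n"
REQ_BENIGN = "GET /news/today.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: www.example.com\r\n\r\n"


def hithopper_pcre_precedence_issue():
    """Option-level check on sid 5788: its first pcre alternates (news), (weather), ... at top
    level, outside the /xml/toolbar/ prefix, so on its own it matches any URI containing 'news'.
    Returns (first_pcre_matches_benign_uri, whole_rule_fires_on_benign_request)."""
    rule = parse_rule(SAMPLE_RULES[1])
    return (rule.pcres[0][0].search(request_uri(REQ_BENIGN)) is not None,
            rule_fires(rule, REQ_BENIGN))


if __name__ == "__main__":
    for rule in map(parse_rule, SAMPLE_RULES):
        for name, req in (("broadcastpc", REQ_BROADCASTPC), ("hithopper", REQ_HITHOPPER), ("benign", REQ_BENIGN)):
            print(f"sid {rule.sid} vs {name}: {'FIRES' if rule_fires(rule, req) else 'quiet'}")
    print("sid 5788 first pcre alone / whole rule, benign request:", hithopper_pcre_precedence_issue())
```

Run as a script it prints a FIRES/quiet verdict per rule and request; `evaluate` returns the per-option dictionary, which is what you look at when a rule stays quiet on traffic you expected it to catch. `hithopper_pcre_precedence_issue()` returns `(True, False)`: the toolbar pcre alone hits the benign `/news/today.html` URI, the whole rule does not. The fix in the rule would be to group the alternation, `\x2Fxml\x2Ftoolbar\x2F(sports|news|horoscope2|horoscope|weather2|weather)\.php`, as sid 5990 and sid 5858 on this page already do.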
