Snort mailing list archives
RE: Adware/Malware Rules List
From: "Mark E. Donaldson" <markee () bandwidthco com>
Date: Sun, 29 Feb 2004 13:09:13 -0800
I think it was Patrick Darden who posted this rule:

alert ip any any -> any any (msg:"Malware flowgo"; content:"flowgo";nocase;)

I would advise against any rule where the content=msg. If it ever triggers, and you are logging to a remote syslog server or database, a "snowball" effect will kick in and you will DOS the network and servers. The logging information alone will keep triggering the rule logarithmically.

_____

From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jerry Shenk
Sent: Sunday, February 29, 2004 12:26 PM
To: 'Darden, Patrick S.'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Adware/Malware Rules List

I came here looking for exactly this. That's a start.... problem is there are SO MANY of these stupid things! I'd like to alert on Gator and all the rest of 'em so we can keep our machines clean. Here are a couple that I have set up... not many but maybe it will help get things rolling:

alert tcp any any -> $HOME_NET 8080 (msg:"Gator updates"; content:"Host\: updateserver.gator.com"; flags: PA;)
alert tcp any any -> $HOME_NET 8080 (msg:"Installshield updates"; content:"Host\: updates.installshield.com"; flags: PA;)
alert tcp any any -> $HOME_NET 8080 (msg:"Comet Systems update"; content:"Host\: update.cc.cometsystems.com"; flags: PA;)

Here's a link to a rather old posting (Jan 2002) related to this issue. There's a pretty good sized list here but many of them have probably changed:
http://groups.google.com/groups?q=snort+adware+rules&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=BbK18.8737%24gf1.49194%40news-server.bigpond.net.au&rnum=6

Here's another related site: http://www.doxdesk.com/parasite/

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Darden, Patrick S.
Sent: Friday, February 27, 2004 11:05 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Adware/Malware Rules List

I had a large number of requests for my ruleset for Ad/Malware, so I have placed it on the web at: https://www.armc.org/malware/

It ain't nothing special, but it works for us. If you have any additions, please email me so we can make this ruleset grow into something useful.

Thanks,
--Patrick Darden
--Internetworking Manager
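The feedback loop Mark describes (a rule whose content string also appears in its own msg, so the alert that Snort ships to a remote syslog or database host is itself a packet the rule matches) can be caught with a simple lint pass over a rules file before deployment. The script below is an added example written for this archive page, not code from the thread or from the Snort project. It parses only plain-text content options (|hex| byte notation is ignored), and the syslog line it builds in fake_syslog_alert is a constructed approximation of Snort's syslog output, used only to show that the logged msg text re-satisfies the content match.

```python
import re

# Constructed sample rules: the "flowgo" rule from the thread and one of
# Jerry's Host-header rules, which does not carry its content in its msg.
SAMPLE_RULES = [
    'alert ip any any -> any any (msg:"Malware flowgo"; content:"flowgo";nocase;)',
    'alert tcp any any -> $HOME_NET 8080 (msg:"Gator updates"; '
    'content:"Host\\: updateserver.gator.com"; flags: PA;)',
]

# Quoted rule options of the form key:"value", allowing backslash escapes
# inside the quotes (Snort writes a literal colon in content as "\:").
_OPTION_RE = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"')


def parse_rule(rule):
    """Return (msg, [content strings], nocase) for one Snort rule line.

    Only plain-text content values are handled; a rule that relies on
    |hex| notation is simply not flagged by this lint.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    msg, contents = None, []
    for key, value in _OPTION_RE.findall(body):
        if key == "msg":
            msg = value
        elif key == "content":
            # Undo Snort escaping such as "\:" -> ":" so we compare raw text.
            contents.append(re.sub(r"\\(.)", r"\1", value))
    nocase = re.search(r"\bnocase\b", body) is not None
    return msg, contents, nocase


def _contains(haystack, needle, nocase):
    if nocase:
        return needle.lower() in haystack.lower()
    return needle in haystack


def self_triggering(rule):
    """True when a content pattern of the rule also occurs in its own msg text,
    i.e. the alert Snort writes about a hit will contain the pattern again."""
    msg, contents, nocase = parse_rule(rule)
    if msg is None:
        return False
    return any(_contains(msg, c, nocase) for c in contents)


def fake_syslog_alert(rule):
    """Constructed approximation of the line the syslog output plugin would
    send to a remote log host when the rule fires; msg is carried verbatim."""
    msg, _, _ = parse_rule(rule)
    return f"snort[1234]: [1:0:0] {msg} {{UDP}} 10.0.0.5:514 -> 10.0.0.9:514"


def alert_rematches(rule):
    """Would the logged alert, seen on the wire by the same sensor, match the
    rule a second time? This is the 'snowball' from the thread."""
    _, contents, nocase = parse_rule(rule)
    return any(_contains(fake_syslog_alert(rule), c, nocase) for c in contents)


def lint(rules):
    """Return the rules from an iterable of rule lines that would re-trigger
    on their own alert text."""
    return [r for r in rules if self_triggering(r)]


if __name__ == "__main__":
    for r in lint(SAMPLE_RULES):
        print("self-triggering rule:", r)
        print("  logged alert      :", fake_syslog_alert(r))
        print("  re-matches rule   :", alert_rematches(r))
```

Running it flags only the flowgo rule: its msg "Malware flowgo" contains the content "flowgo", so a remote-logged alert about one hit is itself another hit for an ip any any -> any any rule. The Host-header rules escape this because "Host: updateserver.gator.com" never appears in "Gator updates". The same check can be fed an entire rules file line by line, and the fix for a flagged rule is to reword the msg so it no longer contains the content pattern, or to make the rule's header specific enough (ports, direction, $HOME_NET) that the sensor's own log traffic cannot satisfy it.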