Snort mailing list archives
RE: Adware/Malware Rules List
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Thu, 4 Mar 2004 13:48:35 -0500
Here's my current malware.rules file, which is a compilation of what's been recommended here in the past week. Just this AM, I added the variable INTERNET_PROXIES (couldn't think of a better name;). I was getting some hits on traffic from internal mail servers and a squid box.

This was actually quite helpful. We've pinpointed about a half dozen machines that must have numerous copies of malware installed and another 50 that are just infected to a 'normal' level. The "workstation guy" said "thanks"...haha!! ...he's gonna be working overtime for a month!

#http://www.armc.org/malware/
#The INTERNET_PROXIES variable should be set to servers that process a lot of internet traffic.
# This is a rather broad definition of a proxy. Things that should go here are:
# Mail servers and scanners - they kind of proxy mail;)
# Web proxies, cache servers, etc.
# Snort address lists must not contain spaces: [a,b] not [a, b]
var INTERNET_PROXIES [10.1.1.201,10.1.1.202]
# Local-range sids (1000001 and up) so every rule carries the sid Snort requires; renumber to fit your local rule set.
alert tcp $INTERNET_PROXIES any -> $HOME_NET 8080 (msg:"Gator updates"; content:"Host\: updateserver.gator.com"; flags:PA; sid:1000001; rev:1;)
alert tcp $INTERNET_PROXIES any -> $HOME_NET 8080 (msg:"Installshield updates"; content:"Host\: updates.installshield.com"; flags:PA; sid:1000002; rev:1;)
alert tcp $INTERNET_PROXIES any -> $HOME_NET 8080 (msg:"Comet Systems update"; content:"Host\: update.cc.cometsystems.com"; flags:PA; sid:1000003; rev:1;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware Keenvalue"; content:"Keenvalue"; nocase; sid:1000004; rev:1;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware flowgo"; content:"flowgo"; nocase; sid:1000005; rev:1;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware 2020search"; content:"2020search"; nocase; sid:1000006; rev:1;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware rcprograms"; content:"rcprograms"; nocase; sid:1000007; rev:1;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware gator"; content:"webpdpcookie"; nocase; sid:1000008; rev:1;)
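The rules file and the host triage described in the post above, as an added example that is not part of Jerry Shenk's message or of Snort itself: a Python script that lints a Snort 2 rules file (address-list syntax, a sid on every rule, unique sids, variables that are actually defined) and then ranks internal hosts by the alerts they triggered. Hits whose source address is one of the INTERNET_PROXIES are tallied separately, because an alert on a mail relay or squid box only says that some client behind it is infected; the proxy's own logs have to name the machine. RULES_TEXT and ALERTS are constructed samples shaped like the posted file and like Snort's fast-format alert output; the functions `parse_rules` and `rank_sources`, the sids and the addresses are this example's own.

```python
"""Lint a Snort 2 rules file and rank internal hosts by malware alerts.

Added example, not code from the mailing-list post. RULES_TEXT and ALERTS are
constructed samples; the sids are local-range values chosen for the example.
"""
import re
from collections import Counter

# Constructed rules in the shape of the posted file, with three deliberate defects
# for the linter: a list containing a space, a duplicate sid, and a rule that
# uses an undefined variable and has no sid.
RULES_TEXT = r'''
# constructed malware.rules for this example
var INTERNET_PROXIES [10.1.1.201,10.1.1.202]
var BAD_LIST [10.1.1.201, 10.1.1.202]
alert tcp $INTERNET_PROXIES any -> $HOME_NET 8080 (msg:"Gator updates"; content:"Host\: updateserver.gator.com"; flags:PA; sid:1000001; rev:1;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware Keenvalue"; content:"Keenvalue"; nocase; sid:1000004; rev:1;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware flowgo"; content:"flowgo"; nocase; sid:1000004; rev:1;)
alert ip $PROXIES any -> any any (msg:"Malware 2020search"; content:"2020search"; nocase;)
'''

# Constructed Snort 'fast' alert lines; 192.0.2.0/24 is documentation space.
ALERTS = '''\
03/04-09:12:01.000001  [**] [1:1000004:1] Malware Keenvalue [**] [Priority: 0] {TCP} 10.1.2.15:1034 -> 192.0.2.10:80
03/04-09:12:07.000002  [**] [1:1000005:1] Malware flowgo [**] [Priority: 0] {TCP} 10.1.2.15:1040 -> 192.0.2.11:80
03/04-09:13:22.000003  [**] [1:1000004:1] Malware Keenvalue [**] [Priority: 0] {TCP} 10.1.2.15:1051 -> 192.0.2.10:80
03/04-09:14:45.000004  [**] [1:1000004:1] Malware Keenvalue [**] [Priority: 0] {TCP} 10.1.2.77:2210 -> 192.0.2.10:80
03/04-09:15:03.000005  [**] [1:1000004:1] Malware Keenvalue [**] [Priority: 0] {TCP} 10.1.1.201:3344 -> 192.0.2.10:80
03/04-09:15:09.000006  [**] [1:1000001:1] Gator updates [**] [Priority: 0] {TCP} 10.1.1.202:4102 -> 10.1.2.9:8080
this line is not an alert and is skipped
'''.splitlines()

VAR_RE = re.compile(r'^var\s+(\w+)\s+(\S+)$')          # value may not contain whitespace
HEADER_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$')
# option name, optional ': value' (quoted values may hold escapes such as \:), then ';'
OPT_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
# "[**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]"
FAST_RE = re.compile(r'\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\].*?\{(\w+)\} (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$')
CONF_VARS = {'HOME_NET', 'EXTERNAL_NET'}                 # assumed to be defined in snort.conf


def parse_list(value):
    """Expand a Snort address list such as [10.1.1.201,10.1.1.202] into a Python list."""
    return [v for v in value.strip('[]').split(',') if v]


def parse_rules(text):
    """Return (variables, rules, problems) for a Snort 2 rules file."""
    variables, rules, problems, seen_sids = {}, [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('var '):
            m = VAR_RE.match(line)
            if m:
                variables[m.group(1)] = parse_list(m.group(2))
            else:
                problems.append(f'line {lineno}: var value must not contain whitespace')
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append(f'line {lineno}: unparseable rule header')
            continue
        action, proto, src, sport, direction, dst, dport, body = m.groups()
        opts = dict(OPT_RE.findall(body))                # flag options map to ''
        for field in (src, dst):
            if field.startswith('$') and field[1:] not in variables and field[1:] not in CONF_VARS:
                problems.append(f'line {lineno}: undefined variable {field}')
        sid = opts.get('sid')
        if sid is None:
            problems.append(f'line {lineno}: rule has no sid')
        elif sid in seen_sids:
            problems.append(f'line {lineno}: duplicate sid {sid}')
        else:
            seen_sids.add(sid)
        rules.append({'line': lineno, 'action': action, 'proto': proto, 'src': src,
                      'dst': dst, 'msg': opts.get('msg', '').strip('"'), 'sid': sid})
    return variables, rules, problems


def rank_sources(alert_lines, proxies):
    """Count alerts per source host. Sources in `proxies` are tallied separately:
    a hit there identifies the proxy, not the infected client behind it."""
    hits, distinct_sigs, via_proxy = Counter(), {}, Counter()
    for line in alert_lines:
        m = FAST_RE.search(line)
        if not m:
            continue
        sid, src = m.group(2), m.group(6)
        if src in proxies:
            via_proxy[src] += 1
        else:
            hits[src] += 1
            distinct_sigs.setdefault(src, set()).add(sid)   # breadth of infection per host
    return hits, distinct_sigs, via_proxy


def main():
    variables, rules, problems = parse_rules(RULES_TEXT)
    print(f'{len(rules)} rules parsed, {len(problems)} problem(s):')
    for p in problems:
        print('  ' + p)
    hits, sigs, via_proxy = rank_sources(ALERTS, set(variables.get('INTERNET_PROXIES', [])))
    print('hosts by alert count (distinct signatures in parentheses):')
    for host, n in hits.most_common():
        print(f'  {host:<15} {n:>3} ({len(sigs[host])})')
    print('hits sourced from a proxy (consult the proxy logs for the real client):')
    for host, n in via_proxy.most_common():
        print(f'  {host:<15} {n:>3}')


if __name__ == '__main__':
    main()
```

Run it as-is to see the linter flag the three planted defects and the ranking put 10.1.2.15 first with two different signatures; point `parse_rules` at the contents of a real rules file and `rank_sources` at the lines of Snort's alert file to use it on live data.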