Snort mailing list archives
RE: Adware/Malware Rules List
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Sun, 29 Feb 2004 15:25:58 -0500

I came here looking for exactly this. That's a start....problem is there are SO MANY of these stupid things! I'd like to alert on Gator and all the rest of 'em so we can keep our machines clean.

Here are a couple that I have set up...not many but maybe it will help get things rolling:

alert tcp any any -> $HOME_NET 8080 (msg:"Gator updates"; content:"Host\: updateserver.gator.com"; flags: PA;)
alert tcp any any -> $HOME_NET 8080 (msg:"Installshield updates"; content:"Host\: updates.installshield.com"; flags: PA;)
alert tcp any any -> $HOME_NET 8080 (msg:"Comet Systems update"; content:"Host\: update.cc.cometsystems.com"; flags: PA;)

Here's a link to a rather old posting (Jan 2002) related to this issue. There's a pretty good sized list here but many of them have probably changed:
http://groups.google.com/groups?q=snort+adware+rules&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=BbK18.8737%24gf1.49194%40news-server.bigpond.net.au&rnum=6

Here's another related site: http://www.doxdesk.com/parasite/

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Darden, Patrick S.
Sent: Friday, February 27, 2004 11:05 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Adware/Malware Rules List

I had a large number of requests for my ruleset for Ad/Malware, so I have placed it on the web at:

https://www.armc.org/malware/

It ain't nothing special, but it works for us. If you have any additions, please email me so we can make this ruleset grow into something useful.

Thanks,
--Patrick Darden
--Internetworking Manager
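
An added example, not part of the original post or the quoted message: the three rules above fire on a case-sensitive substring of the payload, so this sketch parses the Host header instead and shows where the two approaches differ (header case, a port suffix, a longer hostname, the string appearing in another header). The function names and the sample requests are constructed for illustration; only the three hostnames and alert messages come from the rules.

```python
# Hostnames and messages taken from the three rules in the post.
ADWARE_HOSTS = {
    "updateserver.gator.com": "Gator updates",
    "updates.installshield.com": "Installshield updates",
    "update.cc.cometsystems.com": "Comet Systems update",
}

def extract_host(payload: bytes):
    """Return the normalized Host header of an HTTP request, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            base, _, port = host.rpartition(":")
            if base and port.isdigit():            # drop an explicit :port
                host = base
            return host.rstrip(".")                # drop a trailing root dot
    return None

def classify(payload: bytes):
    """Return the alert message if the request targets a listed host."""
    host = extract_host(payload)
    return ADWARE_HOSTS.get(host) if host else None

# Constructed sample requests (not captured traffic).
SAMPLES = [
    # Exactly what the Snort content match expects.
    b"GET /check HTTP/1.0\r\nHost: updateserver.gator.com\r\n\r\n",
    # Lower-case header name, no space, mixed-case host, explicit port:
    # the literal content match would miss this one.
    b"GET /check HTTP/1.1\r\nhost:UpdateServer.Gator.COM:8080\r\n\r\n",
    # Longer hostname that merely starts with a listed name:
    # a substring match would alert on it.
    b"GET / HTTP/1.1\r\nHost: updateserver.gator.com.example.org\r\n\r\n",
    # The string appears inside a different header, not as the Host.
    b"GET / HTTP/1.1\r\nHost: www.example.org\r\n"
    b"X-Note: Host: updates.installshield.com\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(extract_host(req), "->", classify(req))
```

In the rules themselves, adding `nocase;` after the `content` option addresses the case difference; the other three cases need the header to be parsed rather than string-matched.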