Snort mailing list archives

RE: Adware/Malware Rules List


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Sun, 29 Feb 2004 15:25:58 -0500

I came here looking for exactly this.  That's a start....problem is
there are SO MANY of these stupid things!  I'd like to alert on Gator
and all the rest of 'em so we can keep our machines clean.
 
Here are a couple that I have set up...not many but maybe it will help
get things rolling:
alert tcp any any -> $HOME_NET 8080 (msg:"Gator updates"; content:"Host\: updateserver.gator.com"; flags:PA; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 8080 (msg:"Installshield updates"; content:"Host\: updates.installshield.com"; flags:PA; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 8080 (msg:"Comet Systems update"; content:"Host\: update.cc.cometsystems.com"; flags:PA; sid:1000003; rev:1;)

 
Here's a link to a rather old posting (Jan 2002) related to this issue.
There's a pretty good sized list here but many of them have probably
changed:
http://groups.google.com/groups?q=snort+adware+rules&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=BbK18.8737%24gf1.49194%40news-server.bigpond.net.au&rnum=6
 
Here's another related site:
http://www.doxdesk.com/parasite/
 

-----Original Message----- 
 
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Darden,
Patrick S.
Sent: Friday, February 27, 2004 11:05 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Adware/Malware Rules List


I had a large number of requests for my ruleset for Ad/Malware, so I
have placed it on the web at:
 
https://www.armc.org/malware/
 
It ain't nothing special, but it works for us.  If you have any
additions, please email me so we can make this ruleset grow into
something useful.
 
Thanks,
--Patrick Darden
--Internetworking Manager


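Added example, not code from this thread or from the Snort project: a small Python script that turns a host list like the three in Jerry's rules into Snort rules with sids from the local range, and checks the Host-header matching idea against constructed HTTP requests. The proxy port 8080 and the three host names come from the rules above; the hex-escaped `Host|3A|` form, the `flow` option, the sid numbering and the lookalike-host check are assumptions added here.

```python
"""Snort rules for adware update hosts, generated from a host list, plus a
Python check of the matching logic against constructed HTTP requests.
Added example; it is not code from the mailing-list post."""
import re
from typing import Optional

# The three hosts from the post, keyed to their alert messages.
ADWARE_HOSTS = {
    "updateserver.gator.com": "Gator updates",
    "updates.installshield.com": "Installshield updates",
    "update.cc.cometsystems.com": "Comet Systems update",
}

LOCAL_SID_BASE = 1000000  # sids from 1000000 up are conventionally local rules
PROXY_PORT = 8080         # assumption: clients reach the web via a proxy on 8080,
                          # which is what the post's "any any -> $HOME_NET 8080" implies


def snort_rule(host: str, msg: str, sid: int, port: int = PROXY_PORT) -> str:
    """Build one Snort rule that alerts on a request whose Host header names `host`.

    The colon is written as |3A| and the trailing CR LF as |0D 0A| so the
    pattern ends exactly where the header value ends; a bare substring
    match would also fire on e.g. updateserver.gator.com.example.net.
    """
    return (
        f"alert tcp any any -> $HOME_NET {port} "
        f'(msg:"{msg}"; flow:to_server,established; '
        f'content:"Host|3A| {host}|0D 0A|"; nocase; '
        f"sid:{sid}; rev:1;)"
    )


def generate_rules(hosts=None) -> list:
    """Return one rule per host, sids allocated sequentially from the local range."""
    hosts = ADWARE_HOSTS if hosts is None else hosts
    return [
        snort_rule(host, msg, LOCAL_SID_BASE + i + 1)
        for i, (host, msg) in enumerate(hosts.items())
    ]


# Host header: the value up to an optional :port, then end of line.
HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n:]+)(?::\d+)?[ \t]*\r?\n", re.I | re.M)


def naive_match(payload: bytes) -> Optional[str]:
    """Plain substring check, the way a content:"Host\\: host" rule behaves."""
    for host in ADWARE_HOSTS:
        if b"Host: " + host.encode() in payload:
            return host
    return None


def strict_match(payload: bytes) -> Optional[str]:
    """Parse the Host header and require the exact host name (port ignored)."""
    m = HOST_RE.search(payload)
    if not m:
        return None
    host = m.group(1).decode("ascii", "replace").strip().lower()
    return host if host in ADWARE_HOSTS else None


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "gator": b"GET /update HTTP/1.1\r\nHost: updateserver.gator.com\r\n\r\n",
    "gator_port": b"GET /update HTTP/1.1\r\nHost: updateserver.gator.com:80\r\n\r\n",
    "lookalike": b"GET / HTTP/1.1\r\nHost: updateserver.gator.com.example.net\r\n\r\n",
    "benign": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for rule in generate_rules():
        print(rule)
    for name, req in SAMPLES.items():
        print(f"{name:11} naive={naive_match(req)!s:24} strict={strict_match(req)}")
```

The "lookalike" sample shows why anchoring matters: the substring check reports it as Gator traffic, the parsed check does not. Note the trade-off in the generated Snort rule: because it anchors on the CR LF right after the host name, a client that sends an explicit port ("Host: updateserver.gator.com:80") will not trigger it, while `strict_match` accepts that form; covering both in Snort would need a second content pattern or a `pcre` option.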