Snort mailing list archives

RE: Adware/Malware Rules List


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Thu, 4 Mar 2004 13:48:35 -0500

Here's my current malware.rules file which is a compilation of what's
been recommended here in the past week.  Just this AM, I added the
variable INTERNET_PROXIES (couldn't think of a better name;).  I was
getting some hits on traffic from internal mail servers and a squid box.

This was actually quite helpful.  We've pinpointed about a half dozen
machines that must have numerous copies of malware installed and another
50 that are just infected to a 'normal' level.  The "workstation guy"
said "thanks"...haha!!  ...he's gonna be working overtime for a month!

#http://www.armc.org/malware/

# The INTERNET_PROXIES variable should be set to servers that process a
# lot of internet traffic.
#   This is a rather broad definition of a proxy.  Things that should go
#   here are:
#   Mail servers and scanners - they kind of proxy mail;)
#   Web proxies, cache servers, etc.
# Note: Snort IP lists may not contain whitespace, and each rule must sit
# on a single line.  The sid/rev values are local placeholders (site rules
# use the 1000000+ range) added so the rules load on releases that require
# a sid; the rule logic itself is as posted.

var INTERNET_PROXIES [10.1.1.201,10.1.1.202]

alert tcp $INTERNET_PROXIES any -> $HOME_NET 8080 (msg:"Gator updates"; content:"Host\: updateserver.gator.com"; flags:PA; sid:1000001; rev:1;)
alert tcp $INTERNET_PROXIES any -> $HOME_NET 8080 (msg:"Installshield updates"; content:"Host\: updates.installshield.com"; flags:PA; sid:1000002; rev:1;)
alert tcp $INTERNET_PROXIES any -> $HOME_NET 8080 (msg:"Comet Systems update"; content:"Host\: update.cc.cometsystems.com"; flags:PA; sid:1000003; rev:1;)

alert ip $INTERNET_PROXIES any -> any any (msg:"Malware Keenvalue"; content:"Keenvalue"; nocase; sid:1000004; rev:1;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware flowgo"; content:"flowgo"; nocase; sid:1000005; rev:1;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware 2020search"; content:"2020search"; nocase; sid:1000006; rev:1;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware rcprograms"; content:"rcprograms"; nocase; sid:1000007; rev:1;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware gator"; content:"webpdpcookie"; nocase; sid:1000008; rev:1;)
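To see what the rules above actually fire on, here is an added Python sketch (not part of the post, and not Snort's own matching engine) that parses two of the rules with a constructed HOME_NET and evaluates them against constructed packets. It understands only the var, msg, content, nocase and flags options, and treats flags:PA as Snort does, matching only when exactly PSH and ACK are set.

```python
import ipaddress
import re

# Constructed HOME_NET plus two rules from the post, each on one line as Snort requires.
RULES_TEXT = r'''
var HOME_NET [10.1.0.0/16]
var INTERNET_PROXIES [10.1.1.201,10.1.1.202]
alert tcp $INTERNET_PROXIES any -> $HOME_NET 8080 (msg:"Gator updates"; content:"Host\: updateserver.gator.com"; flags: PA;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware Keenvalue"; content:"Keenvalue";nocase;)
'''
RULE_RE = re.compile(r'^alert (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$')

def parse_rules(text):  # understands var lines and the msg/content/nocase/flags options only
    variables, rules = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('var '):
            _, name, value = line.split(None, 2)
            variables[name] = value.strip('[]').split(',')
        elif line.startswith('alert '):
            proto, src, sport, dst, dport, opts = RULE_RE.match(line).groups()
            rule = dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, nocase=False, flags=None)
            for opt in re.split(r'(?<!\\);', opts):  # ';' terminates an option unless escaped
                name, _, value = (s.strip() for s in opt.partition(':'))
                if name in ('msg', 'content'):       # drop Snort escapes such as \: \; \" \\
                    rule[name] = re.sub(r'\\(.)', r'\1', value.strip('"'))
                elif name in ('nocase', 'flags'):
                    rule[name] = set(value) if name == 'flags' else True
            rules.append(rule)
    return variables, rules

def _ip_ok(spec, ip, variables):
    nets = ['0.0.0.0/0'] if spec == 'any' else variables[spec[1:]] if spec.startswith('$') else [spec]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in nets)

def matches(rule, pkt, variables):  # header fields, then flags:PA (exactly PSH+ACK), then content
    header_ok = (rule['proto'] in ('ip', pkt['proto']) and (rule['flags'] is None or rule['flags'] == set(pkt['flags']))
                 and _ip_ok(rule['src'], pkt['src'], variables) and _ip_ok(rule['dst'], pkt['dst'], variables)
                 and all(s == 'any' or int(s) == p for s, p in ((rule['sport'], pkt['sport']), (rule['dport'], pkt['dport']))))
    hay, needle = (pkt['payload'].lower(), rule['content'].lower()) if rule['nocase'] else (pkt['payload'], rule['content'])
    return header_ok and needle in hay

VARIABLES, RULES = parse_rules(RULES_TEXT)
def alerts(pkt):
    return [r['msg'] for r in RULES if matches(r, pkt, VARIABLES)]

# Constructed packets: a proxy-sourced Gator update check with PSH+ACK, the same segment with only ACK set, and a mixed-case Keenvalue hit.
GATOR = dict(proto='tcp', src='10.1.1.201', sport=40123, dst='10.1.5.7', dport=8080, flags='PA',
             payload='GET /update HTTP/1.1\r\nHost: updateserver.gator.com\r\n\r\n')
ACK_ONLY = dict(GATOR, flags='A')
KEEN = dict(proto='tcp', src='10.1.1.202', sport=51000, dst='198.51.100.9', dport=80, flags='PA', payload='GET /?q=KEENVALUE HTTP/1.0\r\n\r\n')
```

The same Keenvalue request sent from a host outside $INTERNET_PROXIES produces no alert, because the variable is the rule's source address, not an exclusion list.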
