# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
|
# GNU General Public License (GPL), v2.
|
|
#
|
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
|
# list of third party owners and their respective copyrights.
|
|
#
|
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
|
# to the VRT Certified Rules License Agreement (v2.0).
|
|
#
|
|
#---------------------
|
|
# MALWARE-TOOLS RULES
|
|
#---------------------
|
|
|
|
# --- Dirt Jumper HTTP-flood variant: spoofed crawler User-Agents (sids 25869-25927) ---
# This Dirt Jumper build (see the VirusTotal reference) floods a server with requests whose
# User-Agent is copied from a legitimate crawler banner but with the crawler's own site URL
# mangled. Each rule in the family matches the genuine banner prefix and then uses a negated
# content (content:!"...") bounded by within:N, where N is the length of the expected domain,
# so it alerts only when the bytes immediately after the prefix are NOT the real crawler's
# domain. Content matches are case-sensitive (no nocase), so a re-cased or rewritten banner
# is outside the family's coverage. All rules of the family are commented out (disabled by
# default) and carry metadata "policy security-ips drop", i.e. the security-ips policy treats
# them as drop rules if they are enabled inline.
# sid 25927: YoudaoBot banner where "http://www." is not followed by youdao.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| YoudaoBot/1.0|3B| http://www."; fast_pattern:31,20; http_header; content:!"youdao.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25927; rev:3;)
|
|
# Dirt Jumper variant (disabled): YesupBot banner where "+http://www." is not followed by yesup.net.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| YesupBot/1.0|3B| +http://www."; fast_pattern:31,20; http_header; content:!"yesup.net"; within:9; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25926; rev:2;)
|
|
# Dirt Jumper variant (disabled): "Yahoo! Slurp China" banner where "http://misc." is not followed by yahoo.com.cn.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Yahoo! Slurp China|3B| http://misc."; fast_pattern:37,20; http_header; content:!"yahoo.com.cn"; within:12; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25925; rev:2;)
|
|
# Dirt Jumper variant (disabled): XTbot/1.0v banner where "+http://www." is not followed by externaltest.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| XTbot/1.0v|3B| +http://www."; fast_pattern:29,20; http_header; content:!"externaltest.com"; within:16; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25924; rev:2;)
|
|
# Dirt Jumper variant (disabled): "worio bot heritrix" banner where "+http://" is not followed by worio.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| worio bot heritrix/1.10.0 +http://"; fast_pattern:39,20; http_header; content:!"worio.com"; within:9; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25923; rev:2;)
|
|
# Dirt Jumper variant (disabled): Webduniabot banner where "+http://search." is not followed by webdunia.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Webduniabot/1.0|3B| +http://search."; fast_pattern:37,20; http_header; content:!"webdunia.com"; within:12; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25922; rev:2;)
|
|
# Dirt Jumper variant (disabled): Synoobot banner where "http://www." is not followed by synoo.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Synoobot/0.9|3B| http://www."; fast_pattern:30,20; http_header; content:!"synoo.com"; within:9; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25921; rev:2;)
|
|
# Dirt Jumper variant (disabled): SummizeBot banner where "+http://www." is not followed by summize.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| SummizeBot +http://www."; fast_pattern:28,20; http_header; content:!"summize.com"; within:11; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25920; rev:2;)
|
|
# Dirt Jumper variant (disabled): ShunixBot banner where "http://www." is not followed by shunix.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| ShunixBot/1.x|3B| http://www."; fast_pattern:31,20; http_header; content:!"shunix.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25919; rev:2;)
|
|
# Dirt Jumper variant (disabled): Scrubby/2.2 banner where "http://www." is not followed by scrubtheweb.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Scrubby/2.2|3B| http://www."; fast_pattern:29,20; http_header; content:!"scrubtheweb.com"; within:15; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25918; rev:2;)
|
|
# Dirt Jumper variant (disabled): robtexbot banner where "http://www." is not followed by robtex.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| robtexbot/1.0|3B| http://www."; fast_pattern:31,20; http_header; content:!"robtex.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25917; rev:2;)
|
|
# Dirt Jumper variant (disabled): PWeBot/3.1 banner where "http://www." is not followed by programacionweb.net.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| PWeBot/3.1|3B| http://www."; fast_pattern:28,20; http_header; content:!"programacionweb.net"; within:19; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25916; rev:2;)
|
|
# Dirt Jumper variant (disabled): "pmoz.info ODP link checker" banner where "+http://" is not followed by pmoz.info.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| pmoz.info ODP link checker|3B| +http://"; fast_pattern:41,20; http_header; content:!"pmoz.info"; within:9; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25915; rev:3;)
|
|
# Dirt Jumper variant (disabled): "PEAR HTTP_Request class" banner where "http://feed." is not followed by moo.jp.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| PEAR HTTP_Request class|3B| http://feed."; fast_pattern:42,20; http_header; content:!"moo.jp"; within:6; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25914; rev:2;)
|
|
# Dirt Jumper variant (disabled): PagestackerBot banner where "http://www." is not followed by pagestacker.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| PagestackerBot|3B| http://www."; fast_pattern:32,20; http_header; content:!"pagestacker.com"; within:15; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25913; rev:2;)
|
|
# Dirt Jumper variant (disabled): MojeekBot banner where "http://www." is not followed by mojeek.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| MojeekBot/2.0|3B| http://www."; fast_pattern:31,20; http_header; content:!"mojeek.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25912; rev:2;)
|
|
# Dirt Jumper variant (disabled): genevabot banner where "http://www." is not followed by healthdash.com.
# Note the lower-case "mozilla/5.0" prefix: the match is case-sensitive, so this rule targets that exact spelling only.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"mozilla/5.0 |28|compatible|3B| genevabot http://www."; fast_pattern:26,20; http_header; content:!"healthdash.com"; within:14; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25911; rev:2;)
|
|
# Dirt Jumper variant (disabled): egothor/8.0g banner where "+http://ego.ms." is not followed by mff.cuni.cz.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| egothor/8.0g|3B| +http://ego.ms."; fast_pattern:34,20; http_header; content:!"mff.cuni.cz"; within:11; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25910; rev:2;)
|
|
# Dirt Jumper variant (disabled): "de/1.13.2" banner where "+http://www." is not followed by de.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| de/1.13.2 +http://www."; fast_pattern:27,20; http_header; content:!"de.com"; within:6; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25909; rev:2;)
|
|
# Dirt Jumper variant (disabled): archive.org_bot banner where "http://" is not followed by crawler.archive.org.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| archive.org_bot/1.13.1x http://"; fast_pattern:36,20; http_header; content:!"crawler.archive.org"; within:19; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25908; rev:2;)
|
|
# Dirt Jumper variant (disabled), Mammoth banner. Structured differently from its siblings: the
# prefix "Mozilla/5.0 (+http://www." must NOT be followed by eurekster.com (nocase, within:13),
# and "/mammoth) Mammoth/" must then occur within 40 bytes; that last content is the fast pattern.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|+http://www."; http_header; content:!"eurekster.com"; within:13; nocase; http_header; content:"/mammoth|29| Mammoth/"; within:40; fast_pattern; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25906; rev:2;)
|
|
# Dirt Jumper variant (disabled), Webinator banner. Here the product name itself is what is
# missing: "Mozilla/3.0 (compatible; " must NOT be followed by "Webinator" (nocase, within:9),
# while the version tail "/2.56) \r\n" must occur within 40 bytes (fast pattern).
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/3.0 |28|compatible|3B| "; http_header; content:!"Webinator"; within:9; nocase; http_header; content:"/2.56|29 20 0D 0A|"; within:40; fast_pattern; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25905; rev:2;)
|
|
# Dirt Jumper variant (disabled): Vagabondo/4.0Beta banner where "http://" is not followed by webagent.wise-guys.nl.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| Vagabondo/4.0Beta|3B| webcrawler at wise-guys dot nl|3B| http://"; fast_pattern:63,20; http_header; content:!"webagent.wise-guys.nl"; within:21; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25904; rev:2;)
|
|
# Dirt Jumper variant (disabled): Podtech Network crawler banner where "crawler_admin@" is not followed by podtech.net.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| MSIE 6.0|3B| Podtech Network|3B| crawler_admin@"; fast_pattern:46,20; http_header; content:!"podtech.net"; within:11; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25903; rev:2;)
|
|
# Dirt Jumper variant (disabled): LinksManager.com_bot banner where "http://" is not followed by linksmanager.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| LinksManager.com_bot http://"; fast_pattern:33,20; http_header; content:!"linksmanager.com"; within:16; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25902; rev:2;)
|
|
# Dirt Jumper variant (disabled): Charlotte/1.0b banner where "http://www." is not followed by betaspider.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Charlotte/1.0b|3B| http://www."; fast_pattern:32,20; http_header; content:!"betaspider.com"; within:14; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25901; rev:2;)
|
|
# Dirt Jumper variant (disabled): "Hermit Search. Com" banner where "+http://www." is not followed by hermitsearch.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Hermit Search. Com|3B| +http://www."; fast_pattern:37,20; http_header; content:!"hermitsearch.com"; within:16; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25900; rev:2;)
|
|
# Dirt Jumper variant (disabled): "FatBot 2.0" banner where "http://www." is not followed by thefind.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| FatBot 2.0|3B| http://www."; fast_pattern:28,20; http_header; content:!"thefind.com"; within:11; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25899; rev:2;)
|
|
# Dirt Jumper variant (disabled): EARTHCOM.info/2.01 banner where "http://www." is not followed by earthcom.info.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| EARTHCOM.info/2.01|3B| http://www."; fast_pattern:36,20; http_header; content:!"earthcom.info"; within:13; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25898; rev:2;)
|
|
# Dirt Jumper variant (disabled): DNS-Digger-Explorer/1.0 banner where "+http://www." is not followed by dnsdigger.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| DNS-Digger-Explorer/1.0|3B| +http://www."; fast_pattern:42,20; http_header; content:!"dnsdigger.com"; within:13; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25897; rev:2;)
|
|
# Dirt Jumper variant (disabled): "Crawling jpeg" banner where "http://www." is not followed by yama.info.waseda.ac.jp.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Crawling jpeg|3B| http://www."; fast_pattern:31,20; http_header; content:!"yama.info.waseda.ac.jp"; within:22; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25896; rev:2;)
|
|
# Dirt Jumper variant (disabled): BecomeJPBot/2.3 banner where "+http://www." is not followed by become.co.jp.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| BecomeJPBot/2.3|3B| MSIE 6.0 compatible|3B| +http://www."; fast_pattern:55,20; http_header; content:!"become.co.jp"; within:12; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25895; rev:2;)
|
|
# Dirt Jumper variant (disabled): BecomeBot/1.23 banner where "http://" is not followed by www.become.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| BecomeBot/1.23|3B| http://"; fast_pattern:28,20; http_header; content:!"www.become.com"; within:14; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25894; rev:2;)
|
|
# Dirt Jumper variant (disabled): BecomeBot/2.0beta banner where "http://" is not followed by www.become.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| BecomeBot/2.0beta|3B| http://"; fast_pattern:31,20; http_header; content:!"www.become.com"; within:14; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25893; rev:2;)
|
|
# Dirt Jumper variant (disabled): "Ask Jeeves/Teoma" banner where "http://" is not followed by about.ask.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Ask Jeeves/Teoma|3B| http://"; fast_pattern:30,20; http_header; content:!"about.ask.com"; within:13; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25892; rev:2;)
|
|
# Dirt Jumper variant (disabled): AnsearchBot/1.x banner where "+http://www." is not followed by ansearch.com.au.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| AnsearchBot/1.x|3B| +http://www."; fast_pattern:34,20; http_header; content:!"ansearch.com.au"; within:15; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25891; rev:2;)
|
|
# Dirt Jumper variant (disabled): Abonti/0.8 banner where "http://www." is not followed by abonti.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Abonti/0.8 - http://www."; fast_pattern:29,20; http_header; content:!"abonti.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25890; rev:2;)
|
|
# Dirt Jumper variant (disabled): Inktomi "Slurp/cat" banner where "http://www." is not followed by inktomi.com/slurp.html.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|Slurp/cat|3B| slurp@inktomi.com|3B| http://www."; fast_pattern:34,20; http_header; content:!"inktomi.com/slurp.html"; within:22; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25889; rev:2;)
|
|
# Dirt Jumper variant (disabled): Clustered-Search-Bot banner where "clsupport@" is not followed by clush.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|Clustered-Search-Bot/1.0|3B| clsupport@"; fast_pattern:29,20; http_header; content:!"clush.com"; within:9; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25888; rev:2;)
|
|
# Dirt Jumper variant (disabled): WhizBang banner where "http://www." is not followed by whizbang.com/crawler.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.7 |28|compatible|3B| WhizBang|3B| http://www."; fast_pattern:26,20; http_header; content:!"whizbang.com/crawler"; within:20; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25887; rev:2;)
|
|
# Dirt Jumper variant (disabled): ZyBorg Dead Link Checker banner where "http://www." is not followed by WISEnutbot.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 compatible ZyBorg/1.0 Dead Link Checker |28|wn.zyborg@looksmart.net|3B| http://www."; fast_pattern:69,20; http_header; content:!"WISEnutbot.com"; within:14; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25886; rev:2;)
|
|
# Dirt Jumper variant (disabled): crawlx banner where "crawler@" is not followed by trd.overture.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| crawlx, crawler@"; fast_pattern:21,20; http_header; content:!"trd.overture.com"; within:16; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25885; rev:2;)
|
|
# Dirt Jumper variant (disabled): DAUMOA 2.0 banner where "+http://ws." is not followed by daum.net.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE enviable|3B| DAUMOA 2.0|3B| DAUM Web Robot|3B| Daum Communications Corp., Korea|3B| +http://ws."; fast_pattern:93,20; http_header; content:!"daum.net"; within:8; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25884; rev:2;)
|
|
# Dirt Jumper variant (disabled): "ODP entries t_st" banner where "http://" is not followed by tuezilla.de/t_st-odp-entries-agent.html.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B| Windows NT 5.0|3B| ODP entries t_st|3B| http://"; fast_pattern:56,20; http_header; content:!"tuezilla.de/t_st-odp-entries-agent.html"; within:39; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25883; rev:2;)
|
|
# Dirt Jumper variant (disabled): illumit WebLight banner where "http://www." is not followed by illumit.com/Products/weblight/.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B| Windows 98|3B| support@illumit.com|3B| http://www."; fast_pattern:59,20; http_header; content:!"illumit.com/Products/weblight/"; within:30; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25882; rev:2;)
|
|
# Dirt Jumper variant (disabled): GoBeez banner where "(www." is not followed by gobeez.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 5.5|3B| AOL 4.0|3B| Windows 98|3B| GoBeez |28|www."; fast_pattern:48,20; http_header; content:!"gobeez.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25881; rev:2;)
|
|
# Dirt Jumper variant (disabled): galaxy.com crawler banner where "http://www." is not followed by galaxy.com/info/crawler.html.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| www.galaxy.com|3B| www.psychedelix.com/|3B| http://www."; fast_pattern:64,20; http_header; content:!"galaxy.com/info/crawler.html"; within:28; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25880; rev:2;)
|
|
# Dirt Jumper variant (disabled): Girafabot banner where "http://www." is not followed by girafa.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| Windows NT|3B| Girafabot|3B| girafabot at girafa dot com|3B| http://www."; fast_pattern:78,20; http_header; content:!"girafa.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25879; rev:2;)
|
|
# Dirt Jumper variant (disabled): "Link Checker 2.x.xx" banner where "http://www." is not followed by kyosoft.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| Windows ME|3B| Link Checker 2.x.xx http://www."; fast_pattern:58,20; http_header; content:!"kyosoft.com"; within:11; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25878; rev:2;)
|
|
# Dirt Jumper variant (disabled): "GPU p2p crawler" banner where "http://gpu." is not followed by sourceforge.net.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| GPU p2p crawler http://gpu."; fast_pattern:32,20; http_header; content:!"sourceforge.net"; within:15; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25877; rev:2;)
|
|
# Dirt Jumper variant (disabled): FastCrawler3 banner where "support-fastcrawler3@" is not followed by fast.no.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| FastCrawler3 support-fastcrawler3@"; fast_pattern:39,20; http_header; content:!"fast.no"; within:7; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25876; rev:2;)
|
|
# Dirt Jumper variant (disabled): DepSpid/5.0x banner where "+http://about." is not followed by depspid.net.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| DepSpid/5.0x|3B| +http://about."; fast_pattern:33,20; http_header; content:!"depspid.net"; within:11; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25875; rev:2;)
|
|
# Dirt Jumper variant (disabled): agadine3.0 banner where "www." is not followed by agada.de.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|agadine3.0|29| www."; fast_pattern:9,20; http_header; content:!"agada.de"; within:8; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25874; rev:2;)
|
|
# Dirt Jumper variant (disabled): ScollSpider banner where "http://www." is not followed by webwobot.com.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/3.0 |28|compatible|3B| ScollSpider|3B| http://www."; fast_pattern:29,20; http_header; content:!"webwobot.com"; within:12; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25873; rev:2;)
|
|
# Dirt Jumper variant (disabled): "Vagabondo/2.0 MT" banner where "webcrawler@" is not followed by NOSPAMexperimental.net.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/3.0 |28|Vagabondo/2.0 MT|3B| webcrawler@"; fast_pattern:22,20; http_header; content:!"NOSPAMexperimental.net"; within:22; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25872; rev:2;)
|
|
# Dirt Jumper variant (disabled): "Vagabondo/1.x MT" banner where "http://" is not followed by webagent.wise-guys.nl.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/3.0 |28|Vagabondo/1.x MT|3B| webagent@wise-guys.nl|3B| http://"; fast_pattern:41,20; http_header; content:!"webagent.wise-guys.nl"; within:21; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25871; rev:2;)
|
|
# Dirt Jumper variant (disabled): Inktomi "Slurp/si" banner where "http://www." is not followed by inktomi.com/slurp.html.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/3.0 |28|Slurp/si|3B| slurp@inktomi.com|3B| http://www."; fast_pattern:33,20; http_header; content:!"inktomi.com/slurp.html"; within:22; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25870; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/3.0 |28|Slurp.so/Goo|3B| slurp@inktomi.com|3B| http://www."; fast_pattern:37,20; http_header; content:!"inktomi.com/slurp.html"; within:22; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25869; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Tors Hammer slow post flood attempt"; flow:to_server,established; content:"POST / HTTP/1.1|0D 0A|"; depth:17; content:"Keep-Alive: 900|0D 0A|Content-Length: 10000|0D 0A|"; fast_pattern:only; metadata:service http; classtype:denial-of-service; sid:23952; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-TOOLS Hulk denial of service attempt"; flow:established,to_server,only_stream; content:"q=0.7|2C 2A 3B|q=0.7"; fast_pattern; http_header; content:"Cache-Control: no-cache"; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*?[A-Z]{5,10}\x0d\x0a/H"; pcre:"/(\x3f|\x26)[A-Z]{3,10}\x3d[A-Z]{3,10}/U"; detection_filter:track by_dst, count 30, seconds 1; metadata:service http; reference:url,sectorix.com/2012/05/17/hulk-web-server-dos-tool/; classtype:attempted-dos; sid:22953; rev:4;)
# HOIC HTTP flood. Keys on an HTTP/1.0 request that carries a Host header and a
# User-Agent header with two spaces after the colon (|3A 20 20|) before "Mozilla".
# detection_filter: a source must produce 17 matching requests within 10 s before an
# alert fires, so single requests are silently counted, not reported. Dropped in the
# balanced and security IPS policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS HOIC http denial of service attack"; flow:to_server,established,only_stream; content:"HTTP/1.0"; depth:500; content:"Host:"; http_header; content:"User-Agent|3A 20 20|Mozilla"; fast_pattern:only; http_header; detection_filter:track by_src, count 17, seconds 10; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:denial-of-service; sid:21513; rev:8;)
# Havij automated SQL injection tool. Matches the literal "Havij" in the request
# headers and then confirms with a pcre that it sits in the User-Agent line (/H =
# normalized header buffer). No detection_filter, so every matching request alerts.
# Dropped in the balanced and security IPS policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Havij advanced SQL injection tool user-agent string"; flow:to_server, established; content:"Havij"; http_header; pcre:"/User-Agent\:[^\x0a\x0d]+?Havij/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,itsecteam.com/en/projects/project1.htm; classtype:attempted-user; sid:21459; rev:3;)
# slowhttptest DoS tool. Keys on a Referer header naming the tool's code.google.com
# project page (case-insensitive, fast_pattern:only). sid 41771 later in this file
# covers the github.com form of the same Referer. Dropped in balanced/security IPS.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS slowhttptest DoS tool"; flow:to_server,established; content:"Referer|3A| http|3A 2F 2F|code.google.com|2F|p|2F|slowhttptest"; fast_pattern:only; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,code.google.com/p/slowhttptest/; classtype:attempted-dos; sid:21104; rev:3;)
# JavaScript LOIC flood. URI shape is "/?id=" followed by exactly 13 bytes and then
# "&msg=" (distance:13 skips 13 bytes after the first match; within:5 leaves room for
# exactly the 5-byte "&msg="). detection_filter: alerts only once a source has sent
# 100 such requests within 5 s. Dropped in the balanced and security IPS policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS JavaScript LOIC attack"; flow:to_server,established,only_stream; content:"/?id="; nocase; http_uri; content:"&msg="; within:5; distance:13; nocase; http_uri; detection_filter:track by_src, count 100, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; classtype:attempted-dos; sid:21092; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,587,995,993] (msg:"MALWARE-TOOLS THC SSL renegotiation DOS attempt"; flow:established,to_server,only_stream; ssl_state:!client_hello; content:"|16 03 03|"; depth:3; detection_filter:track by_src,count 100, seconds 1; metadata:service ssl; reference:cve,2011-1473; reference:cve,2011-5094; reference:url,www.thc.org/thc-ssl-dos/; classtype:attempted-dos; sid:20439; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,587,995,993] (msg:"MALWARE-TOOLS THC SSL renegotiation DOS attempt"; flow:established,to_server,only_stream; ssl_state:!client_hello; content:"|16 03 02|"; depth:3; detection_filter:track by_src,count 100, seconds 1; metadata:service ssl; reference:cve,2011-1473; reference:cve,2011-5094; reference:url,www.thc.org/thc-ssl-dos/; classtype:attempted-dos; sid:20438; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,587,995,993] (msg:"MALWARE-TOOLS THC SSL renegotiation DOS attempt"; flow:established,to_server,only_stream; ssl_state:!client_hello; content:"|16 03 01|"; depth:3; detection_filter:track by_src,count 100, seconds 1; metadata:service ssl; reference:cve,2011-1473; reference:cve,2011-5094; reference:url,www.thc.org/thc-ssl-dos/; classtype:attempted-dos; sid:20437; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,587,995,993] (msg:"MALWARE-TOOLS THC SSL renegotiation DOS attempt"; flow:established,to_server,only_stream; ssl_state:!client_hello; content:"|16 03 00|"; depth:3; detection_filter:track by_src,count 100, seconds 1; metadata:service ssl; reference:cve,2011-1473; reference:cve,2011-5094; reference:url,www.thc.org/thc-ssl-dos/; classtype:attempted-dos; sid:20436; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Anonymous Perl RefRef DoS tool"; flow:established,to_server; content:" and |28|select benchmark|28|99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f|29 29|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.refref.org/p/refref.html; classtype:attempted-dos; sid:19870; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Anonymous PHP RefRef DoS tool"; flow:established,to_server,only_stream; content:"Keep-Alive|3A| 900"; fast_pattern:only; http_header; content:"/-"; http_uri; pcre:"/^\/-\d{9}/U"; detection_filter:track by_dst, count 100, seconds 5; metadata:service http; reference:url,pastebin.com/eG8sLaWc; classtype:attempted-dos; sid:19869; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Hacker-Tool 0desa msn pass stealer 8.5 runtime detection"; flow:to_server,established; content:"sendmail.php?"; nocase; http_uri; content:"mail="; nocase; http_uri; content:"subject="; nocase; http_uri; content:"Odesa mpsteal form"; fast_pattern; nocase; http_uri; metadata:service http; classtype:misc-activity; sid:16138; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Slowloris http DoS tool"; flow:to_server,established,no_stream; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0|3B| .NET CLR 1.1.4322|3B| .NET CLR 2.0.503l3|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729|3B| MSOffice 12|29 0D 0A|"; content:"Content-Length|3A| 42"; detection_filter:track by_src, count 10, seconds 300; metadata:service http; reference:cve,2007-0086; classtype:attempted-dos; sid:15578; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Hacker-Tool hippynotify 2.0 runtime detection"; flow:to_server,established; content:"/wwp/msg/1,,,00.html?"; fast_pattern; nocase; http_uri; content:"Uin="; nocase; http_uri; content:"Name="; nocase; http_uri; content:"Send=yes"; nocase; http_uri; pcre:"/Uin=\d+\x26Name=.*?IP-.*?USER-.*?TROJAN-.*?PORT-.*?PASSWORD-.*?OS-.*?WEBCAM-/smi"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078296; classtype:misc-activity; sid:12230; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 4973 (msg:"MALWARE-TOOLS Hacker-Tool statwin runtime detection"; flow:to_server,established; content:"|F9 14|"; depth:2; isdataat:110,relative; content:"|B3 B3 84 86 83 83 F5 B3 B3 B3|"; within:10; distance:110; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098082; classtype:misc-activity; sid:10441; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-TOOLS Hacker-Tool spylply.a runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"|B0 AE B6 F9 CD F8 B5 C1|"; distance:0; nocase; pcre:"/^X-Mailer\x3a\s+\xb0\xae\xb6\xf9\xcd\xf8\xb5\xc1/smi"; metadata:service smtp; reference:url,db.kingsoft.com/virus/forecast/2005/06/08/43198.shtml; classtype:misc-activity; sid:10091; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-TOOLS Hacker-Tool davps runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"dialup_vpn@hermangroup.org"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"dialupvpn_pwd"; distance:0; nocase; content:"name="; nocase; content:"reaction.txt"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*dialup\x5fvpn\x40hermangroup\x2Eorg.*Subject\x3a[^\r\n]*dialupvpn\x5fpwd.*name\x3d[^\r\n]*\x22reaction\x2Etxt\x22/smi"; metadata:service smtp; reference:url,www.megasecurity.org/trojans/d/davps/Davps1.0.html; classtype:misc-activity; sid:7842; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-TOOLS Hacker-Tool nettracker runtime detection - report send through email"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"NetTracker"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*NetTracker/smi"; metadata:service smtp; reference:url,www.spywareguide.com/product_show.php?id=15; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080821; classtype:misc-activity; sid:7836; rev:6;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool nettracker runtime detection - report browsing"; flow:to_client,established; flowbits:isset,NetTrack_Spy_ReportBrowsing; content:"NetTracker"; nocase; content:"Sane Solutions"; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=15; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080821; classtype:misc-activity; sid:7835; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Hacker-Tool nettracker runtime detection - report browsing"; flow:to_server,established; content:"/NetTracker/"; nocase; http_uri; flowbits:set,NetTrack_Spy_ReportBrowsing; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:7834; rev:10;)
# alert tcp $HOME_NET 4563 -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool clandestine runtime detection - image transferred"; flow:to_client,established; flowbits:isset,Clandestine_STC1; content:"<<DONE"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:misc-activity; sid:7586; rev:6;)
# alert tcp $HOME_NET 4563 -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set image"; flow:to_client,established; flowbits:isset,Clandestine_CTS1; content:">>IMAGE|FF D8 FF E0 00 10|JFIF"; flowbits:set,Clandestine_STC1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:misc-activity; sid:7585; rev:5;)
# Clandestine backdoor, client "open" command on port 4563. This rule only arms the
# Clandestine_CTS1 flowbit (flowbits:noalert), so it never alerts on its own; the
# alerting consumer is sid 7585 above (isset,Clandestine_CTS1), which is commented out
# in this ruleset. With the consumer disabled, enabling this setter produces no events.
alert tcp $EXTERNAL_NET any -> $HOME_NET 4563 (msg:"MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set open"; flow:to_server,established; content:"open"; depth:4; nocase; flowbits:set,Clandestine_CTS1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:misc-activity; sid:7584; rev:6;)
# Clandestine backdoor, client "big" command on port 4563. Like sid 7584 it only sets
# the Clandestine_CTS1 flowbit with flowbits:noalert; the rule that alerts on that bit
# (sid 7585 above) is commented out here, so this setter alone yields no events.
alert tcp $EXTERNAL_NET any -> $HOME_NET 4563 (msg:"MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set big"; flow:to_server,established; content:"big"; depth:3; nocase; flowbits:set,Clandestine_CTS1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:misc-activity; sid:7583; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool mini oblivion runtime detection - successful init connection"; flow:to_client,established; content:"OVN|01 00 01 00 1A 00 00 00|"; depth:11; content:"Mini"; distance:0; content:"Oblivion"; distance:0; content:"Ready"; distance:0; pcre:"/^OVN.*Mini\s+Oblivion.*Ready/"; reference:url,www.spywareguide.com/product_show.php?id=1599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=26770; classtype:misc-activity; sid:7542; rev:6;)
# alert tcp $HOME_NET 10607 -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool coma runtime detection - ping"; flow:to_client,established; flowbits:isset,coma.2; content:"Pong"; depth:4; reference:url,www.spywareguide.com/product_show.php?id=1490; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090795; classtype:misc-activity; sid:7509; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10607 (msg:"MALWARE-TOOLS Hacker-Tool coma runtime detection - ping - flowbit set"; flow:to_server,established; content:"Ping"; depth:4; flowbits:set,coma.2; flowbits:noalert; classtype:misc-activity; sid:7508; rev:4;)
# alert tcp $HOME_NET 10607 -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection"; flow:to_client,established; flowbits:isset,coma.1; content:"COMA Server Version"; depth:19; reference:url,www.spywareguide.com/product_show.php?id=1490; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090795; classtype:misc-activity; sid:7507; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10607 (msg:"MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection - flowbit set"; flow:to_server,established; content:"Hello"; depth:5; flowbits:set,coma.1; flowbits:noalert; classtype:misc-activity; sid:7506; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Hacker-Tool sars notifier runtime detection - cgi notification"; flow:to_server,established; content:"/?action=log"; fast_pattern; nocase; http_uri; content:"port="; nocase; http_uri; content:"rpass="; nocase; http_uri; content:"connection="; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294; classtype:misc-activity; sid:7148; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool sars notifier runtime detection - sin notification"; flow:to_server,established; content:"Days"; nocase; content:"Hours"; distance:0; nocase; content:"Minutes"; distance:0; nocase; content:"Seconds"; distance:0; nocase; pcre:"/^0[^\r\n]*Days[^\r\n]*Hours[^\r\n]*Minutes[^\r\n]*Seconds\-[^\r\n]*\|\d+\-[^\r\n]*\-\|/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294; classtype:misc-activity; sid:7146; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-TOOLS Hacker-Tool beee runtime detection - smtp"; flow:to_server,established; content:"X-OEM|3A|"; nocase; content:"iOpus"; distance:0; nocase; content:"Software"; distance:0; nocase; content:"GmbH"; distance:0; nocase; content:"X-Sender|3A|"; nocase; content:"iOpus"; distance:0; nocase; content:"Software"; distance:0; nocase; content:"GmbH"; distance:0; nocase; pcre:"/^X-OEM\x3A[^\r\n]*iOpus\s+Software\s+GmbH.*X-Sender\x3A[^\r\n]*iOpus\s+Software\s+GmbH/smi"; metadata:service smtp; reference:url,www.spywareguide.com/product_show.php?id=1729; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060657; classtype:misc-activity; sid:6477; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 42 (msg:"MALWARE-TOOLS Hacker-Tool sin stealer 1.1 runtime detection"; flow:to_server,established; content:"|07|MESSAGE|00 00 00 00|"; depth:12; reference:url,www.megasecurity.org/trojans/s/sinstealer/Sinstealer1.1.html; classtype:misc-activity; sid:6206; rev:7;)
# alert tcp $HOME_NET 7001 -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool freak 88 das runtime detection"; flow:to_client,established; content:"hello>WELCOMEwho do u want to phuk today>"; depth:41; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=2181; classtype:misc-activity; sid:6205; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-TOOLS Hacker-Tool ghostvoice 1.02 runtime detection - init connection with password requirement"; flow:to_server,established; flowbits:isset,GhostVoice_InitConnection_withpassword; content:"request|3A|"; depth:8; reference:url,www.spywareguide.com/product_show.php?id=1970; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073224; classtype:misc-activity; sid:5958; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool ghostvoice 1.02 runtime detection"; flow:to_client,established; content:"!Request!"; depth:9; flowbits:set,GhostVoice_InitConnection_withpassword; flowbits:noalert; classtype:misc-activity; sid:5957; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Hacker-Tool ghostvoice 1.02 icq notification of server installation"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; http_uri; content:"from=GhostVoiceServer"; nocase; content:"fromemail="; distance:0; nocase; content:"subject=GhostVoice"; distance:0; nocase; content:"Online"; distance:0; nocase; content:"body="; distance:0; nocase; content:"to="; distance:0; nocase; content:"Send="; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1970; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073224; classtype:misc-activity; sid:5956; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 407 (msg:"MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407"; flow:to_server; content:"|00|%|00 22|"; depth:4; metadata:impact_flag red; reference:url,www.spywareguide.com/product_show.php?id=955; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076680; classtype:misc-activity; sid:5897; rev:8;)
# alert tcp $HOME_NET 407 -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - tcp port 407"; flow:to_client,established; flowbits:isset,Timbuktu_Pro_TCPPort_407; content:"|01 01|"; depth:2; content:"|00 8E 00|%"; offset:4; metadata:impact_flag red; reference:url,www.spywareguide.com/product_show.php?id=955; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076680; classtype:misc-activity; sid:5896; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 407 (msg:"MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - tcp port 407"; flow:to_server,established; content:"|00 01|"; depth:2; content:"|00|R|00|%"; offset:4; flowbits:set,Timbuktu_Pro_TCPPort_407; flowbits:noalert; classtype:misc-activity; sid:5895; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - smb"; flow:to_server,established; content:"|5C 00|T|00|B|00|2|00|"; content:!"|2E|"; within:1; metadata:impact_flag red; reference:url,www.spywareguide.com/product_show.php?id=955; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076680; classtype:misc-activity; sid:5894; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 871 (msg:"MALWARE-TOOLS Hacker-Tool eraser runtime detection - disinfect"; flow:to_server,established; content:"Disinfect"; depth:9; nocase; reference:url,vil.nai.com/vil/content/v_109495.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072642; classtype:misc-activity; sid:5876; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 871 (msg:"MALWARE-TOOLS Hacker-Tool eraser runtime detection - detonate"; flow:to_server,established; content:"Detonate"; depth:8; nocase; reference:url,vil.nai.com/vil/content/v_109495.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072642; classtype:misc-activity; sid:5875; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - view netstat"; flow:to_client,established; flowbits:isset,StealthRedirector_ViewNetstat; content:"Proto Local IP"; fast_pattern:only; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5823; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - view netstat"; flow:to_server,established; content:"/NETS"; fast_pattern:only; flowbits:set,StealthRedirector_ViewNetstat; flowbits:noalert; classtype:misc-activity; sid:5822; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - destory log"; flow:to_client,established; flowbits:isset,StealthRedirector_DestoryLog; content:"Deleting "; depth:9; nocase; content:"ATTENTION|3A|"; distance:0; nocase; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5821; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - destory log"; flow:to_server,established; content:"/LOGD"; depth:5; nocase; flowbits:set,StealthRedirector_DestoryLog; flowbits:noalert; classtype:misc-activity; sid:5820; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - check status"; flow:to_client,established; flowbits:isset,StealthRedirector_StatusCheck4; content:"FTP Redirection is"; fast_pattern:only; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5819; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - check status"; flow:to_client,established; flowbits:isset,StealthRedirector_StatusCheck3; content:"TCP Redirection is"; fast_pattern:only; flowbits:set,StealthRedirector_StatusCheck4; flowbits:noalert; classtype:misc-activity; sid:5818; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - check status"; flow:to_server,established; content:"/STAT"; depth:5; nocase; flowbits:set,StealthRedirector_StatusCheck3; flowbits:noalert; classtype:misc-activity; sid:5817; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - destory redirection"; flow:to_client,established; flowbits:isset,StealthRedirector_DestoryRedirection; content:"Redirection"; nocase; content:"destroyed"; distance:0; nocase; pcre:"/^(TC|FT)P\s+Redirections?\s+destroyed\x21/smi"; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5816; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - destory redirection"; flow:to_server,established; content:"DISC"; depth:10; offset:6; nocase; pcre:"/^\x2F(TC|FT)PD\s+DISC/smi"; flowbits:set,StealthRedirector_DestoryRedirection; flowbits:noalert; classtype:misc-activity; sid:5815; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - create redirection"; flow:to_client,established; flowbits:isset,StealthRedirector_CreateRedirection; content:"Created a connection redirect"; depth:29; nocase; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5814; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - create redirection"; flow:to_server,established; content:"CONN"; depth:10; offset:6; nocase; pcre:"/^\x2F(TC|FT)PD\s+CONN/smi"; flowbits:set,StealthRedirector_CreateRedirection; flowbits:noalert; classtype:misc-activity; sid:5813; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - email notification"; flow:to_server,established; content:"From|3A| |22|Stealth Redirector|22|"; fast_pattern:only; content:"Subject|3A| My IP address"; nocase; metadata:service smtp; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5812; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS PyLoris http DoS tool"; flow:to_server,established,only_stream; content:"User-Agent|3A| pylor"; fast_pattern:only; http_header; detection_filter:track by_src, count 10, seconds 300; metadata:service http; reference:cve,2012-5568; classtype:attempted-dos; sid:28532; rev:2;)
# Browser Password Decryptor exfiltration over FTP data. Matches the report banner
# "Browser Password Recovery Report" followed by "Password List" in the same stream.
# Header is $HOME_NET any -> $EXTERNAL_NET 20 with flow:to_client, i.e. the data
# connection was initiated from the external host's port 20 (active-mode FTP) and the
# internal host is the TCP responder sending the file — confirm against the FTP mode in
# use if this rule never fires. Dropped in the balanced and security IPS policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET 20 (msg:"MALWARE-TOOLS Browser Password Decryptor - Password List sent via FTP"; flow:to_client,established; content:"Browser Password Recovery Report|0D 0A|"; nocase; content:"Password List|20 0D 0A|"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data; reference:url,www.virustotal.com/en/file/7cf757e0943b0a6598795156c156cb90feb7d87d4a22c01044499c4e1619ac57/analysis/; classtype:trojan-activity; sid:29096; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS BlackSpider Tool ali.txt file upload attempt"; flow:to_server,established; content:"/ali.txt"; http_uri; urilen:8; content:"PUT"; http_method; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/3b0e2ab93a43db122bc9ba4448cb21c8ae01f18068b15a6e0a71db61fb943ed1/analysis/; classtype:misc-activity; sid:32875; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy tool download attempt"; flow:to_client,established; file_data; content:"|82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32938; rev:1;)
# alert tcp any any -> any any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy communication attempt"; flow:established; content:!"HTTP/1"; content:"|E2 1D 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; within:4; distance:4; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32937; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy tools download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 3A 80 F2 73 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32936; rev:1;)
# Dridex dropper e-mail. Inbound SMTP to $SMTP_SERVERS whose file_data contains the
# X-mailer banner of the Synapse Pascal TCP/IP library. The match is on the library
# string, not on anything Dridex-specific, so any Synapse-based mailer will trigger it;
# whitelist known legitimate senders before relying on the drop action (balanced and
# security IPS policies).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-TOOLS Win.Trojan.Dridex dropper message"; flow:to_server,established; file_data; content:"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/analysis/; classtype:trojan-activity; sid:34945; rev:1;)
# Downloader check-in from an internal host. Requires (a) a "Range: bytes=" header whose
# open-ended "-\r\n" ends within 8 bytes of the "bytes=" (so at most five characters
# before the dash), and (b) a 20–35 byte URI of the form
# /<letters or dashes>.jpg?<alphanumerics>=<1–2 digits>, anchored by the pcre (/U =
# normalized URI, /i = case-insensitive). No external reference is attached; if the URI
# shape collides with legitimate image fetches in your environment, tune on the pcre
# rather than the Range header. Dropped in the balanced and security IPS policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt"; flow:to_server,established; urilen:20<>35; content:"Range: bytes="; fast_pattern; http_header; content:"-|0D 0A|"; within:8; http_header; content:".jpg?"; http_uri; content:"="; within:5; distance:10; http_uri; pcre:"/^\x2f[a-z-]+\.jpg\?[a-z0-9]+=\d{1,2}$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:37651; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS TorStresser http DoS tool"; flow:to_server,established; content:"Window-Size|3A|"; fast_pattern:only; http_header; content:"User-Agent|3A|"; nocase; http_header; metadata:service http; reference:url,github.com/m4s0/torshammer666; classtype:attempted-dos; sid:38989; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Packer.ConfuserEx packed .NET executable attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"ConfusedByAttribute"; content:"ConfuserEx"; distance:0; fast_pattern; pcre:"/^\s+v[01]\.\d+\.\d+/R"; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/b3fd732050d9b0b0f32fafb0c5d3eb2652fd6463e0ec91233b7a72a48522f71a/analysis/; classtype:trojan-activity; sid:39638; rev:1;)
# CKnife webshell client, JScript/ASP.NET payload. The POST body carries the URL-encoded
# fragment =Response.Write("->|");var Err:Exception; (%28 "(", %22 '"', %3E ">", %7C "|",
# %29 ")", %3B ";"). The body is server-side script addressed to an already-deployed
# webshell, so a hit most likely means the destination host is already compromised —
# triage the target, not just the source. Dropped in balanced/security IPS policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS CKnife penetration testing tool attempt"; flow:to_server,established; content:"=Response.Write%28%22-%3E%7C%22%29%3Bvar+Err%3AException%3B"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39773; rev:1;)
# CKnife webshell client, command-execution payload. The POST body carries the
# URL-encoded fragment =Response.Write(\"wscript.shell\"(.exec( (%5C "\", %22 '"',
# %28 "("), i.e. a WScript.Shell .exec call handed to a server-side shell. As with
# sid 39773, a hit implies the target already hosts a webshell. Dropped in the
# balanced and security IPS policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS CKnife penetration testing tool attempt"; flow:to_server,established; content:"=Response.Write%28%5C%22wscript.shell%5C%22%28.exec("; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39772; rev:1;)
# CKnife webshell client, generic request shape: a "User-Agent: Java/" header plus
# "=1&action=" within the first 20 bytes of the POST body. A Java User-Agent alone is
# common for legitimate clients; the body anchor is what keeps this rule specific, so
# do not loosen the depth:20 when tuning. Dropped in the balanced and security IPS policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS CKnife penetration testing tool attempt"; flow:to_server,established; content:"User-Agent: Java/"; http_header; content:"=1&action="; depth:20; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39771; rev:1;)
# CKnife webshell client, VBScript/ASP payload. The POST body starts a parameter with
# =Execute("Execute(""On Error Resume Next:Function (|22| is a double quote), the
# nested-Execute prologue sent to a classic-ASP webshell. Same triage note as sid 39773:
# the destination host is the one to investigate. Dropped in balanced/security IPS policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS CKnife penetration testing tool attempt"; flow:to_server,established; content:"=Execute(|22|Execute(|22 22|On+Error+Resume+Next:Function"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39744; rev:2;)
# slowhttptest DoS tool, github.com Referer variant (sid 21104 above matches the older
# code.google.com Referer). Note the trailing space inside the msg string: it is
# harmless to detection but makes this event name differ from sid 21104's, which
# matters if alerts are grouped by msg downstream. Dropped in balanced/security IPS.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS slowhttptest DoS tool "; flow:to_server,established; content:"Referer|3A| https|3A 2F 2F|github.com|2F|shekyan|2F|slowhttptest|2F|"; fast_pattern:only; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.github.com/shekyan/slowhttptest; classtype:attempted-dos; sid:41771; rev:18;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Request to service that provices external IP address detected"; flow:to_server,established; urilen:10; content:"Host|3A| iplogger.info"; fast_pattern:only; content:!"User-Agent|3A|"; http_header; pcre:"/^\/[A-Z0-9]{5}\.(gif|jpg|png|txt)$/Ui"; metadata:service http; reference:url,virustotal.com/#/file/3b350ab5894259e843594f00151c5df5762d7225927093ad60514034348d164b/detection; classtype:trojan-activity; sid:44096; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-TOOLS TLS-Attacker tool connection attempt - known SSL client random"; flow:to_server,established; ssl_state:client_hello; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; within:1; distance:3; content:"|03|"; within:1; distance:3; content:"|60 B4 20 BB 38 51 D9 D4 7A CB 93 3D BE 70 39 9B F6 C9 2D A3 3A F0 1D 4F B7 70 E9 8C|"; within:28; distance:5; metadata:policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,github.com/RUB-NDS/TLS-Attacker; classtype:network-scan; sid:45831; rev:1;)
# Win.Tool.Delete delivered by inbound e-mail. The byte pattern is UTF-16LE for
# "/q && shutdown /r /f /t 00": the tail of a command line ending in a /q switch,
# chained with a forced (/f) immediate (/t 00) reboot (/r). Matched in file_data of
# SMTP traffic to $SMTP_SERVERS; sid 48501 below matches the same bytes on
# file-transfer ports. Reference is MITRE ATT&CK T1107 (file deletion). Dropped in the
# balanced, max-detect and security IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-TOOLS Win.Tool.Delete variant download detected"; flow:to_server,established; file_data; content:"/|00|q|00 20 00|&|00|&|00 20 00|s|00|h|00|u|00|t|00|d|00|o|00|w|00|n|00 20 00|/|00|r|00 20 00|/|00|f|00 20 00|/|00|t|00 20 00|0|00|0|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1107/; classtype:attempted-user; sid:48502; rev:2;)
# Win.Tool.Delete downloaded to an internal host. Same UTF-16LE "/q && shutdown /r /f
# /t 00" pattern as sid 48502 above, here matched in file_data arriving from
# $FILE_DATA_PORTS (ftp-data, http, imap, pop3 services). Dropped in the balanced,
# max-detect and security IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Tool.Delete variant download detected"; flow:to_client,established; file_data; content:"/|00|q|00 20 00|&|00|&|00 20 00|s|00|h|00|u|00|t|00|d|00|o|00|w|00|n|00 20 00|/|00|r|00 20 00|/|00|f|00 20 00|/|00|t|00 20 00|0|00|0|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1107/; classtype:attempted-user; sid:48501; rev:2;)
# JexBoss (JBoss exploitation/webshell tool) client: "User-Agent: jexboss" in the
# request header (|3A 20| is ": "). Unlike the other HTTP rules in this file it has no
# metadata:service entry and targets $HTTP_SERVERS on any port; http_header only
# matches traffic the HTTP inspector has parsed, so coverage on non-standard ports
# depends on the inspector's port/service configuration — NOTE(review): verify before
# relying on "any". No policy drop metadata, so this alerts only.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"MALWARE-TOOLS JexBoss User-Agent detected"; flow:established,to_server; content:"User-Agent|3A 20|jexboss"; fast_pattern:only; http_header; reference:url,github.com/joaomatosf/jexboss; classtype:trojan-activity; sid:48571; rev:1;)
# JexBoss webshell command channel: requests carrying an "X-JEX" header, which the tool
# uses to pass commands to its deployed shell. A hit here (unlike the User-Agent rule
# sid 48571) indicates post-exploitation traffic to a host that likely already has the
# shell installed — prioritise the destination. Same caveat as sid 48571: no
# metadata:service and port "any", so http_header coverage depends on HTTP inspector
# configuration. Alert only, no drop policies.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers"; flow:established,to_server; content:"X-JEX"; fast_pattern:only; http_header; reference:url,github.com/joaomatosf/jexboss; classtype:trojan-activity; sid:48570; rev:1;)
# JexBoss webshell archive fetch: an internal host requesting a URI containing
# "/rnp/jexws" followed by ".war" from an external server. Because the source is
# $HOME_NET, a match means one of our hosts is being made to pull the shell archive —
# treat it as evidence of an in-progress compromise rather than a scan. Same
# http_uri/port-"any" caveat as sid 48571. Alert only, no drop policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS JexBoss webshell download"; flow:established,to_server; content:"/rnp/jexws"; fast_pattern; http_uri; content:".war"; distance:0; http_uri; reference:url,github.com/joaomatosf/jexboss; classtype:trojan-activity; sid:48569; rev:1;)