200 lines
91 KiB
Plaintext
200 lines
91 KiB
Plaintext
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
|
# GNU General Public License (GPL), v2.
|
|
#
|
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
|
# list of third party owners and their respective copyrights.
|
|
#
|
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
|
# to the VRT Certified Rules License Agreement (v2.0).
|
|
#
|
|
#--------------------
|
|
# PUA-TOOLBARS RULES
|
|
#--------------------
|
|
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS WidgiToolbar toolbar runtime detection"; flow:to_server,established; content:"User-Agent|3A| WidgiToolbar"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/e5f7e540732bd71e64b22d29a5a1b7bb507be0364b65e31470612f03340a798f/analysis/; classtype:misc-activity; sid:44889; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Google Desktop initial install - installer request"; flow:to_server,established; content:"/installer?"; fast_pattern; nocase; http_uri; content:"action=install"; http_uri; content:"version="; http_uri; content:"id="; http_uri; content:"brand=GGLD"; http_uri; content:"hl="; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Google"; nocase; http_header; content:"Desktop"; nocase; http_header; metadata:service http; classtype:policy-violation; sid:7859; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Google Desktop search query"; flow:to_server,established; content:"/complete/search?"; fast_pattern; nocase; http_uri; content:"q="; http_uri; content:"output=desktop"; http_uri; content:"sourceid=gd"; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Google"; nocase; http_header; content:"Desktop"; nocase; http_header; metadata:service http; classtype:policy-violation; sid:7860; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Google Desktop initial install - firstuse request"; flow:to_server,established; content:"/firstuse?"; fast_pattern; nocase; http_uri; content:"version="; http_uri; content:"id="; http_uri; content:"brand=GGLD"; http_uri; content:"hl="; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Google"; nocase; http_header; content:"Desktop"; nocase; http_header; metadata:service http; classtype:policy-violation; sid:7858; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker searchfast detection - track user activity & get 'relates links' of the toolbar"; flow:to_server,established; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"dat=nsa"; nocase; http_uri; content:"ver=visicom"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| xml.alexa.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5964; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker isearch runtime detection - toolbar information request"; flow:to_server,established; content:"/xml.php"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"ref="; nocase; http_uri; content:"User-Agent|3A| Toolbar"; fast_pattern:only; pcre:"/tid\x3D\x7B([0-9A-z]+\x2D){4}[0-9A-z]+\x7D/smi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5861; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware hithopper runtime detection - click toolbar buttons"; flow:to_server,established; content:"/xml/toolbar/"; nocase; http_uri; content:"Host|3A| www.hithopper.com"; fast_pattern:only; pcre:"/\x2Fxml\x2Ftoolbar\x2F(sports|news|horoscope2|horoscope|weather2|weather)\.php/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=746; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079; classtype:misc-activity; sid:5788; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware supreme toolbar runtime detection - track"; flow:to_server,established; content:"/ctx/imptrack.php?"; nocase; http_uri; content:"build="; nocase; http_uri; content:"action="; nocase; http_uri; content:"adv="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"supremetoolbar.com/index.php?tpid="; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097530; classtype:successful-recon-limited; sid:5941; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - pass info to server"; flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"metaresults.copernic.com"; nocase; http_header; metadata:service http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5886; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware wordiq toolbar runtime detection - get link info"; flow:to_server,established; content:"/toolbar/getlinks.php"; nocase; http_uri; content:"User-Agent|3A| Iterenet Explorer"; nocase; http_header; content:"Host|3A| www.wordiq.com"; nocase; http_header; metadata:service http; reference:url,www.softpedia.com/progReportSpyware/12-3-196; classtype:successful-recon-limited; sid:5892; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware wordiq toolbar runtime detection - search keyword"; flow:to_server,established; content:"/toolbar/search_log.php?"; nocase; http_uri; content:"toolbar_id="; nocase; http_uri; content:"se_id="; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"User-Agent|3A| Iterenet Explorer"; fast_pattern:only; metadata:service http; reference:url,www.softpedia.com/progReportSpyware/12-3-196; classtype:successful-recon-limited; sid:5893; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trickler slinkyslate toolbar runtime detection"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"Keywords="; nocase; http_uri; content:"Host|3A| www.slinkyslate"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1055; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082746; classtype:misc-activity; sid:6261; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker dotcomtoolbar runtime detection - url hook"; flow:to_server,established; content:"/redirect.asp"; nocase; http_uri; content:"url="; nocase; http_uri; content:"linkid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"click.dotcomtoolbar.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=628; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076986; classtype:misc-activity; sid:6382; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker i-lookup runtime detection"; flow:to_server,established; content:"/bar/links.php?affid="; nocase; http_uri; content:"Host|3A| toolbar.i-lookup.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=518; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074914; classtype:misc-activity; sid:6230; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trickler navexcel search toolbar runtime detection - activate/update"; flow:to_server,established; content:"User-Agent|3A| NavExcel Search Toolbar"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=607; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074928; classtype:misc-activity; sid:6278; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware quicksearch toolbar runtime detection - log user ativity"; flow:to_server,established; content:"/log/log.cgi?"; nocase; http_uri; content:"Host|3A| quick.qsrch.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680; classtype:successful-recon-limited; sid:6253; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware quicksearch toolbar runtime detection - update"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"version="; nocase; http_uri; content:"tag="; nocase; http_uri; content:"ptr="; nocase; http_uri; content:"source="; nocase; http_uri; content:"User-Agent|3A| ToolBar"; nocase; http_header; content:"Host|3A| upgrade.qsrch.info"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680; classtype:successful-recon-limited; sid:6255; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker dotcomtoolbar runtime detection - toolbar information retrieve"; flow:to_server,established; content:"/data.asp"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.dotcomtoolbar.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=628; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076986; classtype:misc-activity; sid:6380; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker girafa toolbar - toolbar update"; flow:to_server,established; content:"/srv/c"; nocase; http_uri; content:"i="; nocase; http_uri; content:"t="; nocase; http_uri; content:"v="; nocase; http_uri; content:"s="; nocase; http_uri; content:"rnd="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"GirafaClient"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1135; classtype:misc-activity; sid:6376; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker adbars runtime detection - search in toolbar"; flow:to_server,established; content:"/buscar.php?cadena="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.buscandoamigos.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1331; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079049; classtype:misc-activity; sid:6379; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker starware toolbar runtime detection - smileys"; flow:to_server,established; content:"/pl/shared/smileys/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"files-pl.starware.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7579; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware hotblox toolbar runtime detection - ie autosearch hijack"; flow:to_server,established; content:"/dns/?url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"toolbar.hotblox.com"; nocase; http_header; metadata:service http; reference:url,sparkles.nu/spy/proceed-34.html; classtype:successful-recon-limited; sid:7528; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker starware toolbar runtime detection - collect information"; flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"as.starware.com/dp/search?x="; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7577; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Snoopware 2-seek runtime detection - user info collection"; flow:to_server,established; content:"/go.php?"; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.2-seek.com/search/"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.2-seek.com"; nocase; http_header; metadata:service http; reference:url,www.2-seek.com/toolbar.php; classtype:successful-recon-limited; sid:7599; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Snoopware 2-seek runtime detection - search in toolbar"; flow:to_server,established; content:"/search/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.2-seek.com"; nocase; http_header; metadata:service http; reference:url,www.2-seek.com/toolbar.php; classtype:successful-recon-limited; sid:7598; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trickler maxsearch runtime detection - toolbar download"; flow:to_server,established; content:"/toolbar.exe"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"tb.freeprod.com"; nocase; http_header; content:"User-Agent|3A|"; nocase; http_header; content:"NSIS_DOWNLOAD"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2248; classtype:misc-activity; sid:7849; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker instafinder initial configuration detection"; flow:to_server,established; content:"/404/update/instafinktb0302.cfg"; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Visicom"; fast_pattern; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1130; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090786; classtype:misc-activity; sid:7840; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker sogou runtime detection - search through sogou toolbar"; flow:to_server,established; content:"/web"; nocase; http_uri; content:"query="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.sogou.com"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098380; classtype:misc-activity; sid:9646; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker kuaiso toolbar runtime detection"; flow:to_server,established; content:"/gd_ad.html"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"toolsbar.kuaiso.com"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098930; classtype:misc-activity; sid:10093; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker snap toolbar runtime detection - cookie"; flow:to_server,established; content:"Cookie|3A|"; nocase; http_header; content:"www.snap.com"; nocase; http_header; content:"toolbar_domain_redirect"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094831; classtype:misc-activity; sid:11948; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware lookster toolbar runtime detection - hijack ie search assistant"; flow:to_server,established; content:"/web/search.php"; nocase; content:"keywords="; distance:0; nocase; content:"username="; distance:0; nocase; content:"Host|3A|"; nocase; http_header; content:"www.lookster.net"; nocase; http_header; metadata:service http; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453105797; classtype:successful-recon-limited; sid:12125; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware spynova runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Spynova"; fast_pattern; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,www.symantec.com/en/aa/enterprise/security_response/writeup.jsp?docid=2007-041614-3222-99; classtype:successful-recon-limited; sid:12122; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware snap ultrasearch/desktop toolbar runtime detection - cookie"; flow:to_server,established; content:"Cookie|3A|"; nocase; http_header; content:"source%3Dultrasearch136%26campaign%3Dsnap"; nocase; http_header; metadata:service http; reference:url,www.spynomore.com/toolbar-snap-ultrasearch.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094831; classtype:successful-recon-limited; sid:12228; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker 3search runtime detection - counter"; flow:to_server,established; content:"/counter.php?"; nocase; http_uri; content:"tbid="; nocase; http_uri; content:"do="; nocase; http_uri; content:"User-Agent|3A| Toolbar"; fast_pattern:only; metadata:service http; reference:url,www.downloadfile.org; reference:url,www.softwarerevenue.org; classtype:misc-activity; sid:12294; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker scn toolbar runtime detection - hijack ie searches"; flow:to_server,established; content:"/ResultsExt.aspx?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"ctid="; nocase; http_uri; content:"SearchSource="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"search.conduit.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/spydet_1830_scn_toolbar.html; classtype:misc-activity; sid:12288; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker scn toolbar runtime detection - get updates"; flow:to_server,established; content:"/update/update.xml"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"scn.mystoretoolbar.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/spydet_1830_scn_toolbar.html; classtype:misc-activity; sid:12289; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker proventactics 3.5 runtime detection - toolbar search function"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"s="; nocase; http_uri; content:"Host|3A| www.proventactics.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=ProvenTactics&threatid=10038; reference:url,www.spywareguide.com/spydet_1826_proventactics.html; classtype:misc-activity; sid:12366; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker imesh mediabar runtime detection - auto update"; flow:to_server,established; content:"/autoupdate/version.txt"; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; fast_pattern; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=imesh&threatid=6994; reference:url,www.spywaredata.com/spyware/malware/mediabar.dll.php; classtype:misc-activity; sid:12370; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker 411web toolbar runtime detection"; flow:to_server,established; content:"/code/engine.cgi?"; nocase; http_uri; content:"toolbar_id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"User-Agent|3A| Toolbar"; fast_pattern:only; metadata:service http; reference:url,www.bleepingcomputer.com/uninstall/16/411web-Toolbar.html; reference:url,www.onetwo.ca/spyware.html; classtype:misc-activity; sid:12481; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker soso toolbar runtime detection - get weather information"; flow:to_server,established; content:"User-Agent|3A| TencentTraveler"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_3333_soso_toolbar.html; reference:url,www.xblock.com/product_show.php?id=3333; classtype:misc-activity; sid:12486; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware extra toolbar 1.0 runtime detection - file download"; flow:to_server,established; content:"/_vti_bin/owssvr.dll"; nocase; http_uri; content:"Host|3A| www.onlinecasinoextra.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453117295; classtype:successful-recon-limited; sid:12622; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware extra toolbar 1.0 runtime detection"; flow:to_server,established; content:"/toolbarinfo.php?"; nocase; http_uri; content:"url="; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453117295; classtype:successful-recon-limited; sid:12621; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar user-agent detection"; flow:to_server,established; content:"User-Agent|3A| MyWaySearchAssistant"; fast_pattern:only; metadata:service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:12679; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware happytofind toolbar runtime detection"; flow:to_server,established; content:"/htftool.php?q="; nocase; http_uri; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453100378; reference:url,www.pctools.com/mrc/infections/id/Adware.Happytofind_Toolbar; reference:url,www.spywareguide.com/spydet_3157_happytofind.html; classtype:successful-recon-limited; sid:12796; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker blue wave adult links toolbar runtime detection"; flow:to_server,established; content:"/cgi-bin/links/search.cgi"; nocase; http_uri; content:"query="; nocase; http_uri; content:"Host|3A| www.bluewavelinks.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BlueWave%20Adult%20Links&threatid=95240; reference:url,www.bluewavelinks.com; classtype:misc-activity; sid:13239; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker ditto toolbar runtime detection"; flow:to_server,established; content:"/searchResults.asp"; nocase; http_uri; content:"mainToolbar="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"ss="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Ditto%20Toolbar&threatid=69488; reference:url,www.emsisoft.it/it/malware/?Adware.Win32.Ditto+Toolbar; classtype:misc-activity; sid:13342; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker direct toolbar runtime detection"; flow:to_server,established; content:"/search_total.asp"; nocase; http_uri; content:"recid=directtb"; nocase; http_uri; content:"q="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Direct.Toolbar&threatid=133225; classtype:misc-activity; sid:13339; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker people pal toolbar runtime detection - automatic upgrade"; flow:to_server,established; content:"/peoplepal/upgrade/?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"PeoplePal Version Checker"; fast_pattern; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PeoplePal%20Toolbar&threatid=48411; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.PeoplePal; classtype:misc-activity; sid:13488; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker baidu toolbar runtime detection - updates automatically"; flow:to_server,established; flowbits:isset,BaiduToolbar_detection; content:"User-Agent|3A|"; nocase; http_header; content:"bar-get"; fast_pattern; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=44261; reference:url,www.spywareguide.com/product_show.php?id=1250; classtype:misc-activity; sid:13484; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker dealio toolbar runtime detection user-agent detected"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Dealio Toolbar"; fast_pattern; nocase; http_header; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453113199; reference:url,www.fbmsoftware.com/spyware-net/application/Dealio_Toolbar; classtype:misc-activity; sid:13503; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker kompass toolbar runtime detection - initial connection"; flow:to_server,established; content:"/toolbar/kompasst"; nocase; http_uri; content:".php"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Kompass&threatid=70475; reference:url,spywaresignatures.com/details/kompasstoolbar.pdf; classtype:misc-activity; sid:13559; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker eclickz toolbar runtime detection - search traffic"; flow:to_server,established; content:"/search/?"; nocase; http_uri; content:"Terms="; nocase; http_uri; metadata:service http; reference:url,spywaresignatures.com/details.php?spyware=eclickztoolbar; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.eClickz+Toolbar; classtype:misc-activity; sid:13641; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker zztoolbar runtime detection - toolbar traffic"; flow:to_server,established; content:"/rank/Info.do?"; nocase; http_uri; content:"url="; nocase; http_uri; metadata:service http; reference:url,www.browserdefender.com/file/404730/site/chinarank.org.cn/; reference:url,www.spywareguide.com/spydet_5949_zztoolbar.html; classtype:misc-activity; sid:13643; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker zztoolbar runtime detection - search traffic"; flow:to_server,established; content:"/s?"; nocase; http_uri; content:"wd="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Chinarank"; nocase; http_header; content:"Toolbar|29|"; nocase; http_header; metadata:service http; reference:url,www.browserdefender.com/file/404730/site/chinarank.org.cn/; reference:url,www.spywareguide.com/spydet_5949_zztoolbar.html; classtype:misc-activity; sid:13644; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker locmag toolbar runtime detection - connection to toolbar"; flow:to_server,established; content:"/contents2.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"cnt="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"toolbar.locmag.com"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Locmag%20Toolbar&threatid=48497; reference:url,www.360zd.com/spyware/433.html; classtype:misc-activity; sid:13639; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker find.fm toolbar runtime detection - automatic updates"; flow:to_server,established; content:"aid="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.find.fm"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2360; reference:url,www.spywaresignatures.com/details.php?spyware=find.fmtoolbar; classtype:misc-activity; sid:13780; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker rediff toolbar runtime detection - get news info"; flow:to_server,established; content:"/toolbar/"; nocase; http_uri; content:"/news.xml"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"server.toolbar.rediff.com"; nocase; http_header; metadata:service http; reference:url,secwatch.org/exploits/2007/03/Rediff.Toolbar_DoS.html.info; reference:url,www.fbmsoftware.com/spyware-net/application/Rediff_Toolbar/; classtype:misc-activity; sid:14056; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker starware toolbar runtime detection - weather request"; flow:to_server,established; content:"/dp/weather?x="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7575; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar runtime detection - track activity 1"; flow:to_server,established; content:"/tr.js?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"r="; nocase; http_uri; content:"Host|3A| c4.myway.com"; fast_pattern:only; metadata:service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5801; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware try2find detection"; flow:to_server,established; content:"User-Agent|3A| Try2Find Toolbar"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1086; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096392; classtype:successful-recon-limited; sid:6189; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker begin2search runtime detection - ico query"; flow:to_server,established; content:"/toolbar/ico/"; nocase; http_uri; content:".ico"; nocase; http_uri; pcre:"/\x2Ftoolbar\x2Fico\x2F[a-zA-Z0-9_%]*\.ico/Ui"; content:"Host|3A| begin2search.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5765; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware trellian toolbarbrowser runtime detection"; flow:to_server,established; content:"/add.txt?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"url=http"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"rank.toolbarbrowser.com"; nocase; http_header; metadata:service http; reference:url,www.toolbarbrowser.com; classtype:successful-recon-limited; sid:7593; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker locatorstoolbar runtime detection - toolbar search"; flow:to_server,established; content:"/dir/"; nocase; http_uri; content:"Host|3A| www.locators.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5917; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware praizetoolbar runtime detection"; flow:to_server,established; content:"/toolbar/"; nocase; http_uri; content:"Host|3A| www.praize.com"; fast_pattern:only; pcre:"/\x2Ftoolbar\x2F((version\x2Etxt)|(notifytoolbar\x2Ehtml))/smi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1812; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079048; classtype:misc-activity; sid:5858; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Win.Adware.MyWebSearch Toolbar funwebproducts variant outbound connection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"FunWebProducts"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094235; classtype:successful-recon-limited; sid:7567; rev:14;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware quicksearch toolbar runtime detection - redirect"; flow:to_server,established; content:"/tbar?"; nocase; http_uri; content:"upartner="; nocase; http_uri; content:"ps="; nocase; http_uri; content:"bidpart="; nocase; http_uri; content:"rank="; nocase; http_uri; content:"query="; nocase; http_uri; content:"redir="; nocase; http_uri; content:"Host|3A| quick.qsrch.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680; classtype:successful-recon-limited; sid:6254; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware earthlink toolbar runtime detection - get up-to-date news info"; flow:to_server,established; content:"/ta/NEWS/"; nocase; http_uri; content:"/rss"; nocase; http_uri; pcre:"/\x2Fta\x2FNEWS\x2F[^\r\n]*\x2Frss/Ui"; content:"User-Agent|3A|"; nocase; http_header; content:"AsyncHTTP"; fast_pattern; nocase; http_header; metadata:service http; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7518; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trickler hmtoolbar runtime detection"; flow:to_server,established; content:"/update"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"tool.world2.cn"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096408; classtype:misc-activity; sid:7516; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware anwb toolbar runtime detection - track user ip address"; flow:to_server,established; content:"/nieuws.dtd"; nocase; http_uri; content:"Host|3A| toolbar.anwb.nl"; fast_pattern:only; content:"Cookie"; nocase; content:"anwbtrack="; distance:0; nocase; content:"ANWBWebService="; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1139; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078342; classtype:successful-recon-limited; sid:5979; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker makemesearch toolbar runtime detection - get info"; flow:to_server,established; content:"/get/"; nocase; http_uri; content:"pv="; nocase; http_uri; content:"iv="; nocase; http_uri; content:"pn="; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A| toolbarplace.com"; metadata:service http; reference:url,www.spywaredetails.com/index.php?a=spyware&act=read&id=1607; classtype:misc-activity; sid:6482; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker flashbar runtime detection - user-agent"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Flashbar"; fast_pattern; nocase; http_header; content:"Toolbar"; nocase; http_header; content:"X"; nocase; http_header; metadata:service http; reference:url,data.icxo.com/htmlnews/2006/07/10/875297.htm; classtype:misc-activity; sid:7581; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker couponbar runtime detection - download new coupon offers and links"; flow:to_server,established; content:"/CBXml.asp?"; nocase; http_uri; content:"tc="; nocase; http_uri; content:"User-Agent|3A| Toolbar"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079137; classtype:misc-activity; sid:5866; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware supreme toolbar runtime detection - third party information collection"; flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"supremetoolbar.com/index.php?tpid="; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:successful-recon-limited; sid:5943; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware anwb toolbar runtime detection - display advertisement"; flow:to_server,established; content:"/weer.xml"; nocase; http_uri; content:"Host|3A| toolbar.anwb.nl"; fast_pattern:only; content:"Cookie"; nocase; content:"anwbtrack="; distance:0; nocase; content:"ANWBWebService="; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1139; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078342; classtype:successful-recon-limited; sid:5980; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker makemesearch toolbar runtime detection - search"; flow:to_server,established; content:"said="; nocase; http_uri; content:"qq="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.makemesearch.com"; nocase; http_header; metadata:service http; reference:url,www.spywaredetails.com/index.php?a=spyware&act=read&id=1607; classtype:misc-activity; sid:6484; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker customtoolbar runtime detection"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"YOUR CUSTOM TOOLBAR"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1182; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074937; classtype:misc-activity; sid:6282; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware quicksearch toolbar runtime detection - search request"; flow:to_server,established; content:"/tbar?"; nocase; http_uri; content:"prt="; nocase; http_uri; content:"nnreq="; nocase; http_uri; content:"s="; nocase; http_uri; content:"Host|3A| quick.qsrch.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680; classtype:successful-recon-limited; sid:6252; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware dogpile runtime detection"; flow:to_server,established; content:"User-Agent|3A| Infospace Toolbar"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=651; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079953; classtype:misc-activity; sid:5750; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware searchnugget toolbar runtime detection - redirect mistyped urls"; flow:to_server,established; content:"/error.php"; nocase; http_uri; content:"type="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"searchnugget"; nocase; http_header; metadata:service http; reference:url,www.symantec.com/avcenter/venc/data/adware.searchnugget.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094349; classtype:misc-activity; sid:6488; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar runtime detection - track activity 2"; flow:to_server,established; content:"/__utm.gif?"; nocase; http_uri; content:"utmwv="; nocase; http_uri; content:"utmn="; nocase; http_uri; content:"utmsr="; nocase; http_uri; content:"utmsc="; nocase; http_uri; content:"utmul="; nocase; http_uri; content:"utmhn="; nocase; http_uri; content:"utmp="; nocase; http_uri; content:"Host|3A| utm.trk.myway.com"; fast_pattern:only; metadata:service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5802; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware searchingall toolbar runtime detection - send user url request"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.searchingall.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2581; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097487; classtype:successful-recon-limited; sid:6478; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker starware toolbar runtime detection - hijack ie browser"; flow:to_server,established; content:"/dp/search?x="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7576; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware alexa runtime detection"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"Alexa Toolbar"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=418; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075454; classtype:successful-recon-limited; sid:5749; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker netguide runtime detection"; flow:to_server,established; content:"/index.cfm"; nocase; http_uri; content:"action="; nocase; http_uri; content:"pc="; nocase; http_uri; content:"Keywords="; nocase; content:"Host|3A|"; nocase; http_header; content:"netguide.grip.com"; nocase; http_header; metadata:service http; reference:url,castlecops.com/tk17754-CursorZone_Grip_Toolbar.html; classtype:misc-activity; sid:7848; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware supreme toolbar runtime detection - search request"; flow:to_server,established; content:"/index.php?tpid="; nocase; http_uri; content:"tspid="; nocase; http_uri; content:"prid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"st="; nocase; http_uri; content:"Host|3A| supremetoolbar.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097530; classtype:successful-recon-limited; sid:5940; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware onetoolbar runtime detection"; flow:to_server,established; content:"User-Agent|3A| Visicom"; fast_pattern:only; content:"Host|3A| onetoolbar"; nocase; metadata:service http; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Adw.OneToolbar&threatid=43856; reference:url,www.spywareguide.com/product_show.php?id=2746; classtype:successful-recon-limited; sid:6191; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware supreme toolbar runtime detection - pass information to its controlling server"; flow:to_server,established; content:"/r.php?"; nocase; http_uri; content:"apid="; nocase; http_uri; content:"ldid="; nocase; http_uri; content:"tpid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"st="; nocase; http_uri; content:"cdurl="; nocase; http_uri; content:"srurl="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"supremetoolbar.com/index.php?tpid="; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:successful-recon-limited; sid:5942; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker makemesearch toolbar runtime detection - home page hijacker"; flow:to_server,established; content:"said="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.vip-se.com"; nocase; http_header; metadata:service http; reference:url,www.spywaredetails.com/index.php?a=spyware&act=read&id=1607; classtype:misc-activity; sid:6483; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker wishbone runtime detection"; flow:to_server,established; content:"/updates/check_img.php?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"i="; nocase; http_uri; content:"now="; nocase; http_uri; content:"Host|3A| toolbar.wishbone.com"; fast_pattern:only; metadata:service http; reference:url,toolbar.wishbone.com; reference:url,www.spywareguide.com/product_show.php?id=1784; classtype:misc-activity; sid:5987; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware fftoolbar toolbar runtime detection - display advertisement news"; flow:to_server,established; content:"/downloads/toolbar/ticker.xml"; fast_pattern; nocase; http_uri; content:"Host|3A| www.fast-finder.com"; nocase; metadata:service http; reference:url,www.symantec.com/avcenter/venc/data/adware.fftoolbar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097640; classtype:successful-recon-limited; sid:5922; rev:14;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware zango toolbar runtime detection"; flow:to_server,established; content:"/smartoffers/so.aspx"; fast_pattern; nocase; http_uri; content:"svc="; nocase; http_uri; content:"opener=rm_zango"; nocase; http_uri; content:"kw="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"resultsmaster.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2298; classtype:misc-activity; sid:8073; rev:14;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker music of faith toolbar runtime detection - hijacks search engine traffic #2"; flow:to_server,established; content:"/dosearch/search.html?"; fast_pattern; nocase; http_uri; content:"EngineID=musicoffaith"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"refer=mof_toolbar"; nocase; http_uri; content:"keywords="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Music%20of%20Faith&threatid=47479; reference:url,www.spywareterminator.com/item/3836/MusicOfFaith.html; classtype:misc-activity; sid:13772; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker seeqtoolbar runtime detection - autosearch hijack or search in toolbar"; flow:to_server,established; content:"/results.jsp"; nocase; http_uri; content:"portal_id="; nocase; http_uri; content:"domain=seeq.com"; fast_pattern; nocase; http_uri; content:"tag=toolbar"; nocase; http_uri; content:"keyword="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1026; classtype:misc-activity; sid:5981; rev:13;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware proofile toolbar runtime detection"; flow:to_server,established; content:"/xml_toolbar.php"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Proofile%20Toolbar&threatid=127931; classtype:successful-recon-limited; sid:13779; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker dotcomtoolbar runtime detection - search in toolbar"; flow:to_server,established; content:"/search.asp?"; nocase; http_uri; content:"group=searchbar-web"; fast_pattern; nocase; http_uri; content:"keyword="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=628; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076986; classtype:misc-activity; sid:6381; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker baidu toolbar runtime detection - discloses information"; flow:to_server,established; content:"/bdinfo.txt?"; fast_pattern; nocase; http_uri; content:"userip="; nocase; http_uri; content:"url="; nocase; http_uri; content:"navigate="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"bar-get"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=44261; reference:url,www.spywareguide.com/product_show.php?id=1250; classtype:misc-activity; sid:13482; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware hotblox toolbar runtime detection - toolbar find function"; flow:to_server,established; content:"/custom?"; nocase; http_uri; content:"sourceid=toolbar.hotblox.com"; fast_pattern; nocase; http_uri; content:"client="; nocase; http_uri; content:"forid="; nocase; http_uri; content:"ie="; nocase; http_uri; content:"cof="; nocase; http_uri; content:"hl="; nocase; http_uri; metadata:service http; reference:url,sparkles.nu/spy/proceed-34.html; classtype:successful-recon-limited; sid:7527; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker proventactics 3.5 runtime detection - get cfg information"; flow:to_server,established; content:"/toolbaradmin/simt32.shq"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=ProvenTactics&threatid=10038; reference:url,www.spywareguide.com/spydet_1826_proventactics.html; classtype:misc-activity; sid:12364; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware push toolbar installtime detection - user information collect"; flow:to_server,established; content:"/stats/stats.cgi"; fast_pattern; nocase; http_uri; content:"userFile="; nocase; content:"Host|3A| "; nocase; content:"push.com"; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1786; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079100; classtype:successful-recon-limited; sid:5984; rev:13;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware iggsey toolbar detection - simpleticker.htm request"; flow:to_server,established; content:"/Browser/CT48638/1_Simpleticker.htm"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2463; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094796; classtype:successful-recon-limited; sid:5949; rev:13;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware 6sq toolbar runtime detection"; flow:to_server,established; content:"/data.aspx?"; nocase; http_uri; content:"pn=sixsigmaToolbar"; fast_pattern; nocase; http_uri; content:"ver="; nocase; http_uri; content:"url="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Asynchronous"; nocase; http_header; content:"WinInet"; nocase; http_header; content:"CLASS"; nocase; http_header; metadata:service http; reference:url,ca.com/fi/securityadvisor/pest/pest.aspx?id=453130697; reference:url,www.spycheck.es/genera.php?processfile=6sqtoolbar.dll&dir=otros&pag=165; classtype:successful-recon-limited; sid:16120; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker scn toolbar runtime detection - ebrss request"; flow:to_server,established; content:"/ebrss.aspx?"; nocase; http_uri; content:"eb_ct_id="; nocase; http_uri; content:"eb_rss_index="; fast_pattern; nocase; http_uri; content:"eb_preview="; nocase; http_uri; content:"eb_color="; nocase; http_uri; content:"eb_forecolor="; nocase; http_uri; content:"eb_speed="; nocase; http_uri; content:"eb_random="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_1830_scn_toolbar.html; classtype:misc-activity; sid:12287; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - ie autosearch & search assistant hijack"; flow:to_server,established; content:"/copern.light/redirs_all.htm?"; fast_pattern; nocase; http_uri; content:"pgtarg="; nocase; http_uri; content:"qcat="; nocase; http_uri; content:"qkw="; nocase; http_uri; metadata:service http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5885; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware earthlink toolbar runtime detection - ie autosearch hijack"; flow:to_server,established; content:"/sw/ietb/3/0/rd103.html?"; fast_pattern; nocase; http_uri; content:"d=error_earthlink"; nocase; http_uri; content:"q="; nocase; http_uri; metadata:service http; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7520; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware hotblox toolbar runtime detection - barad.asp request"; flow:to_server,established; content:"/searchapp/barad.asp?"; fast_pattern; nocase; http_uri; content:"searchkey="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"toolbar.hotblox.com"; nocase; http_header; metadata:service http; reference:url,sparkles.nu/spy/proceed-34.html; classtype:successful-recon-limited; sid:7525; rev:14;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware snap ultrasearch/desktop toolbar runtime detection - search"; flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"source=ultrasearch136"; fast_pattern; nocase; http_uri; content:"campaign=snap"; nocase; http_uri; metadata:service http; reference:url,www.spynomore.com/toolbar-snap-ultrasearch.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094831; classtype:successful-recon-limited; sid:12227; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker sofa toolbar runtime detection - records search information"; flow:to_server,established; content:"/cm?"; nocase; http_uri; content:"u="; nocase; http_uri; content:"010.eqiso.com"; fast_pattern; nocase; http_uri; content:"i="; nocase; http_uri; content:"w="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Chinese%20Softomate%20Toolbar&threatid=117814; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Softomate.ag; classtype:misc-activity; sid:13486; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker soso toolbar runtime detection - hijack ie auto searches / soso toolbar searches requests"; flow:to_server,established; content:"/q?"; http_uri; content:"w="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"cin="; fast_pattern; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/cid=tb\x2e(addr|sb)/Ui"; metadata:service http; reference:url,www.spywareguide.com/spydet_3333_soso_toolbar.html; reference:url,www.xblock.com/product_show.php?id=3333; classtype:misc-activity; sid:12487; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker morpheus toolbar runtime detection - hijack/search"; flow:to_server,established; content:"/jsp/AJmain.jsp?"; fast_pattern; nocase; http_uri; content:"st="; nocase; http_uri; content:"ptnrs="; nocase; http_uri; content:"PG="; nocase; http_uri; content:"SEC="; nocase; http_uri; content:"searchfor="; nocase; http_uri; pcre:"/st=(kwd|dns)/Ui"; metadata:service http; reference:url,www.sophos.com/security/analyses/morpheustoolbar.html; classtype:misc-activity; sid:12292; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker kompass toolbar runtime detection - search traffic"; flow:to_server,established; content:"/kinl/static/index_kitoolbar.php?"; fast_pattern; nocase; http_uri; content:"_Choix="; nocase; http_uri; content:"_Lang="; nocase; http_uri; content:"_Zone="; nocase; http_uri; content:"Kprov=Toolbar"; nocase; http_uri; content:"_Keyword="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Kompass&threatid=70475; reference:url,spywaresignatures.com/details/kompasstoolbar.pdf; classtype:misc-activity; sid:13560; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker starware toolbar runtime detection - update"; flow:to_server,established; content:"/dp/simpleupdate?x="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7580; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker couponbar runtime detection - get updates to toolbar buttons"; flow:to_server,established; content:"/CouponBar/CBXmlFiles/"; fast_pattern; nocase; http_uri; content:".bmp"; nocase; http_uri; content:"User-Agent|3A| Toolbar"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079137; classtype:misc-activity; sid:5867; rev:14;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware jily ie toolbar runtime detection"; flow:to_server,established; content:"/123bar/search.php?"; fast_pattern; nocase; http_uri; content:"sengine="; nocase; http_uri; content:"keyword="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=123Bar&threatid=89993; reference:url,www.www.spywareguide.com/product_show.php?id=2425; classtype:misc-activity; sid:13282; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware zango2007 toolbar runtime detection"; flow:to_server,established; content:"/smartoffers/SmartOffers.aspx"; fast_pattern; nocase; http_uri; content:"HBHintSVC="; nocase; http_uri; content:"SG="; nocase; http_uri; content:"COUNTRY="; nocase; http_uri; content:"Version="; nocase; http_uri; content:"partner=zango"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_2298_zango_toolbar.html; classtype:misc-activity; sid:12225; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker mxs toolbar runtime detection"; flow:to_server,established; content:"/toolbar/search.php?"; fast_pattern; nocase; http_uri; content:"key="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.mxs.co.kr"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MXS.Toolbar&threatid=97487; classtype:misc-activity; sid:13645; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker ez-greets toolbar runtime detection"; flow:to_server,established; content:"/toolbar/ezg_serverside.xml"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.ez-greets.com"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Greets%20Toolbar&threatid=47475; classtype:misc-activity; sid:12050; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware hotblox toolbar runtime detection - stat counter"; flow:to_server,established; content:"/t.php?"; nocase; http_uri; content:"sc_project="; nocase; http_uri; content:"resolution="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"u="; nocase; http_uri; content:"toolbar.hotblox.com/searchapp/barad.asp"; fast_pattern; nocase; http_uri; content:"t=barad"; nocase; http_uri; content:"java="; nocase; http_uri; content:"security="; nocase; http_uri; content:"sc_random="; nocase; http_uri; metadata:service http; reference:url,sparkles.nu/spy/proceed-34.html; classtype:successful-recon-limited; sid:7526; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker cramtoolbar runtime detection - hijack"; flow:to_server,established; content:"/style/style1_21.css"; fast_pattern; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.fuck-portal.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2474; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-091817-2335-99&tabid=1; classtype:misc-activity; sid:16114; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware fftoolbar toolbar runtime detection - send user url request"; flow:to_server,established; content:"/downloads/toolbar/related.asp"; fast_pattern; nocase; http_uri; content:"cli="; nocase; http_uri; content:"dat="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| www.fast-finder.com"; nocase; metadata:service http; reference:url,www.symantec.com/avcenter/venc/data/adware.fftoolbar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097640; classtype:successful-recon-limited; sid:5921; rev:14;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker searchnine toolbar runtime detection - hijacks address bar"; flow:to_server,established; content:"/response.php?"; fast_pattern; nocase; http_uri; content:"search="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"searchnine.cn"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=SearchNine&threatid=117435; reference:url,spywarefiles.prevx.com/spywarefiles.asp?FXC=DJFC24641892; classtype:misc-activity; sid:13769; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware earthlink toolbar runtime detection - search toolbar request 2"; flow:to_server,established; content:"/search?"; nocase; http_uri; content:"area=earthlink-ws-altsearchbox"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; metadata:service http; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7522; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker swbar runtime detection"; flow:to_server,established; content:"/toolbar/swbartb0110.cfg"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.searchwords.com"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077852; classtype:misc-activity; sid:7590; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware lookster toolbar runtime detection - ads"; flow:to_server,established; content:"/pagead/ads?"; nocase; http_uri; content:"client="; nocase; http_uri; content:"dt="; nocase; http_uri; content:"lmt="; nocase; http_uri; content:"format="; nocase; http_uri; content:"output="; nocase; http_uri; content:"correlator="; nocase; http_uri; content:"url=http"; nocase; http_uri; content:"www.lookster.net"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453105797; classtype:successful-recon-limited; sid:12127; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker freecruise toolbar runtime detection"; flow:to_server,established; content:"User-Agent|3A| FCTB1"; fast_pattern:only; http_header; metadata:service http; classtype:misc-activity; sid:7050; rev:13;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware supreme toolbar runtime detection - get cfg"; flow:to_server,established; content:"/desktop/"; nocase; http_uri; content:"/toolbar/supremetb"; fast_pattern; nocase; http_uri; content:".cfg"; nocase; http_uri; pcre:"/\x2Fdesktop\x2F\d+\x2Ftoolbar\x2Fsupremetb\d+\.cfg/Ui"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097530; classtype:successful-recon-limited; sid:5939; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker deepdo toolbar runtime detection - redirects search engine"; flow:to_server,established; content:"/baidu?"; nocase; http_uri; content:"word="; nocase; http_uri; content:"tn=deepbar"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,www.spywareguide.com/product_show.php?id=3367; classtype:misc-activity; sid:13492; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker ez-tracks toolbar runtime detection - initial traffic 2"; flow:to_server,established; content:"/ezt/toolbar/"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,www.spywareremove.com/removeEZTracks.html; classtype:misc-activity; sid:13496; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker searchnine toolbar runtime detection - redirects search function"; flow:to_server,established; content:"/s?"; nocase; http_uri; content:"tn=searchnine_dg"; fast_pattern; nocase; http_uri; content:"wd="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=SearchNine&threatid=117435; reference:url,spywarefiles.prevx.com/spywarefiles.asp?FXC=DJFC24641892; classtype:misc-activity; sid:13770; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker alot toolbar runtime detection - weather request"; flow:to_server,established; content:"/widgets/weather/tb"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"widget.alot.com"; nocase; http_header; metadata:service http; reference:url,www.pchell.com/support/alot.shtml; reference:url,www.spywareremove.com/removeALOTToolbar.html; classtype:misc-activity; sid:13853; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar runtime detection - collect information"; flow:to_server,established; content:"/images/nocache/tr/gca/m.gif?"; fast_pattern; nocase; http_uri; content:"rand="; nocase; http_uri; content:"a="; nocase; http_uri; content:"u="; nocase; http_uri; content:"r="; nocase; http_uri; content:"w="; nocase; http_uri; content:"myway.com"; nocase; http_uri; metadata:service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5803; rev:13;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker people pal toolbar runtime detection - traffic for searching"; flow:to_server,established; content:"/search?"; nocase; http_uri; content:"area="; nocase; http_uri; content:"cgid="; nocase; http_uri; content:"category="; fast_pattern; nocase; http_uri; content:"peoplepal"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PeoplePal%20Toolbar&threatid=48411; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.PeoplePal; classtype:misc-activity; sid:13489; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker find.fm toolbar runtime detection - hijacks address bar"; flow:to_server,established; content:"/search.php?"; fast_pattern; nocase; http_uri; content:"aid="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.find.fm"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2360; reference:url,www.spywaresignatures.com/details.php?spyware=find.fmtoolbar; classtype:misc-activity; sid:13781; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker locmag toolbar runtime detection - hijacks address bar"; flow:to_server,established; content:"/multi_search/"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.locmag.com"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Locmag%20Toolbar&threatid=48497; reference:url,www.360zd.com/spyware/433.html; classtype:misc-activity; sid:13640; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker searchfast detection - get toolbar cfg"; flow:to_server,established; content:"/searchfast/"; nocase; http_uri; content:"/communicatortb"; fast_pattern; nocase; http_uri; content:".cfg"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5965; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker isearch runtime detection - search in toolbar"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"qry_str="; fast_pattern; nocase; http_uri; content:"src=tbi"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"ref="; nocase; http_uri; pcre:"/tid\x3D\x7B([0-9A-z]+\x2D){4}[0-9A-z]+\x7D/smi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5864; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker locatorstoolbar runtime detection - sidebar search"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"sidebar=method"; fast_pattern; nocase; http_uri; content:"que="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5916; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker ez-tracks toolbar runtime detection - initial traffic 1"; flow:to_server,established; content:"/toolbar/ezt_serverside.xml"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,www.spywareremove.com/removeEZTracks.html; classtype:misc-activity; sid:13495; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker morpheus toolbar runtime detection - get cfg info"; flow:to_server,established; content:"/ms162cfg.jsp?"; nocase; http_uri; pcre:"/\x2fms162cfg\x2ejsp\x3f([sverlcfan]\x3d[^\x26\s]*\x26){8}/iU"; metadata:service http; reference:url,www.sophos.com/security/analyses/morpheustoolbar.html; classtype:misc-activity; sid:12293; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware lookster toolbar runtime detection - collect user information"; flow:to_server,established; content:"/toolbar/googlerank/get_googlerank.php"; fast_pattern; nocase; http_uri; content:"URL="; nocase; http_uri; content:"act="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453105797; classtype:successful-recon-limited; sid:12126; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker music of faith toolbar runtime detection - hijacks search engine traffic #1"; flow:to_server,established; content:"/search.html?"; fast_pattern; nocase; http_uri; content:"catch="; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"musicoffaith"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Music%20of%20Faith&threatid=47479; reference:url,www.spywareterminator.com/item/3836/MusicOfFaith.html; classtype:misc-activity; sid:13771; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker baidu toolbar runtime detection - updates automatically"; flow:to_server,established; content:"/update/barcab/"; fast_pattern; nocase; http_uri; content:"tn="; nocase; http_uri; content:"baiducb"; nocase; http_uri; content:"id="; nocase; http_uri; content:"version="; nocase; http_uri; pcre:"/update\/barcab\/.*?tn=.*id=.*version=/smi"; flowbits:set,BaiduToolbar_detection; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:13483; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware eqiso runtime detection"; flow:to_server,established; content:"/cm"; http_uri; content:"toolbar.eqiso.com"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Eqiso&threatid=88999; classtype:misc-activity; sid:10180; rev:13;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker girafa toolbar - browser hijack"; flow:to_server,established; content:"/srv/i?i="; fast_pattern; nocase; http_uri; content:"r=http"; nocase; http_uri; content:"m=srch"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1135; classtype:misc-activity; sid:6377; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker locatorstoolbar runtime detection - configuration download"; flow:to_server,established; content:"/download/toolbar/locatorstoolbar"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5914; rev:14;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - check toolbar & category info"; flow:to_server,established; content:"/software/meta/Update/VersionCheckInfo.ini?c="; nocase; http_uri; metadata:service http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5884; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker ezcybersearch runtime detection - check toolbar setting"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/chk_bar.fcgi?"; fast_pattern; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fchk_bar\.fcgi/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5757; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware push toolbar runtime detection - toolbar information request"; flow:to_server,established; content:"/searchv2tb0200.php"; fast_pattern; nocase; http_uri; content:"barid="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1786; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079100; classtype:successful-recon-limited; sid:5985; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware gophoria toolbar runtime detection"; flow:to_server,established; content:"/application/app_counter/?gopver="; nocase; http_uri; metadata:service http; reference:url,spywaresignatures.com/details.php?spyware=gophoria; reference:url,www.360zd.com/spyware/518.html; reference:url,www.spywareguide.com/spydet_3093_gophoria_toolbar.html; classtype:misc-activity; sid:12791; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker rx toolbar runtime detection"; flow:to_server,established; content:"RX Bar"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3A[^\r\n]*RX Bar\s+(ver=)?/miH"; metadata:service http; reference:url,sarc.com/avcenter/venc/data/adware.rxtoolbar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094367; classtype:misc-activity; sid:7839; rev:15;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker 3search runtime detection - update"; flow:to_server,established; content:"/toolbar/cab/version.txt"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,www.downloadfile.org; reference:url,www.softwarerevenue.org; classtype:misc-activity; sid:12296; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware vmn toolbar runtime detection"; flow:to_server,established; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"ver=visicom-vmntoolbar"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"url="; nocase; http_uri; metadata:service http; reference:url,www.download.com/3000-12777_4-10693292.html; classtype:successful-recon-limited; sid:12291; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker sofa toolbar runtime detection - hijacks search engine"; flow:to_server,established; content:"/search.htm?"; fast_pattern; nocase; http_uri; content:"st="; nocase; http_uri; content:"dir="; nocase; http_uri; content:"wd="; nocase; http_uri; content:"wid="; nocase; http_uri; content:"sofa"; nocase; http_uri; content:"version="; nocase; http_uri; content:"soft"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Chinese%20Softomate%20Toolbar&threatid=117814; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Softomate.ag; classtype:misc-activity; sid:13485; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker cramtoolbar runtime detection - search"; flow:to_server,established; content:"/n4.g?"; nocase; http_uri; content:"login=craxam"; fast_pattern; nocase; http_uri; content:"url="; nocase; http_uri; content:"pv="; nocase; http_uri; content:"jv="; nocase; http_uri; content:"j="; nocase; http_uri; content:"srw="; nocase; http_uri; content:"srb="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2474; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-091817-2335-99&tabid=1; classtype:misc-activity; sid:16115; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker alot toolbar runtime detection - auto update"; flow:to_server,established; content:"/update/update_configs/update_config_11077_0.xml?"; fast_pattern; nocase; http_uri; content:"src_id="; nocase; http_uri; content:"camp_id="; nocase; http_uri; content:"tb_version="; nocase; http_uri; content:"pr=tbar"; nocase; http_uri; content:"client_id="; nocase; http_uri; content:"install_time="; nocase; http_uri; metadata:service http; reference:url,www.pchell.com/support/alot.shtml; reference:url,www.spywareremove.com/removeALOTToolbar.html; classtype:misc-activity; sid:13854; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker linkspider search bar runtime detection - toolbar search"; flow:to_server,established; content:"/cgi-bin/cgsearch/cgsearch.cgi?"; fast_pattern; nocase; http_uri; content:"vid="; nocase; http_uri; content:"category="; nocase; http_uri; content:"lout="; nocase; http_uri; content:"sel="; nocase; http_uri; content:"refer="; nocase; http_uri; content:"query="; nocase; http_uri; content:"match="; nocase; http_uri; content:"where="; nocase; http_uri; content:"sd="; nocase; http_uri; content:"pp="; nocase; http_uri; content:"to="; nocase; http_uri; metadata:service http; reference:url,linkspider.co.uk; classtype:misc-activity; sid:7571; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker deepdo toolbar runtime detection - automatic update"; flow:to_server,established; content:"/download/toolbar.ini"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"DeepdoUpdate"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,www.spywareguide.com/product_show.php?id=3367; classtype:misc-activity; sid:13493; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware searchnugget toolbar runtime detection - check updates"; flow:to_server,established; content:"/toolbar/sbartb0300.cfg"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"acez"; nocase; http_header; metadata:service http; reference:url,www.symantec.com/avcenter/venc/data/adware.searchnugget.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094349; classtype:misc-activity; sid:6487; rev:14;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker seeqtoolbar runtime detection - email login page"; flow:to_server,established; content:"/lander.jsp"; nocase; http_uri; content:"referrer="; nocase; http_uri; content:"domain=seeqmail.com"; fast_pattern; nocase; http_uri; content:"cm_mmc="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1026; classtype:misc-activity; sid:5982; rev:13;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker locatorstoolbar runtime detection - autosearch hijack"; flow:to_server,established; content:"/download/toolbar/dnserror.php?"; fast_pattern; nocase; http_uri; content:"type=dns"; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5915; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware searchmiracle elitebar runtime detection - get ads"; flow:to_server,established; content:"/toolbar/"; nocase; http_uri; content:".php?"; nocase; http_uri; content:"acc="; nocase; http_uri; content:"country="; nocase; http_uri; content:"city="; nocase; http_uri; content:"state="; nocase; http_uri; content:"uninstalled="; nocase; http_uri; content:"User-Agent"; nocase; http_header; content:"iebar"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1124; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094053; classtype:successful-recon-limited; sid:12672; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker ez-tracks toolbar runtime detection - tracking traffic"; flow:to_server,established; content:"/TBTracking/TrackLinkClicks.cfm?"; fast_pattern; nocase; http_uri; content:"linkID="; nocase; http_uri; content:"ToolBarID="; nocase; http_uri; content:"TBSearch="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,www.spywareremove.com/removeEZTracks.html; classtype:misc-activity; sid:13497; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware iggsey toolbar detection - search request"; flow:to_server,established; content:"/search.php?keywords="; fast_pattern; nocase; http_uri; content:"Host|3A| www.iggsey.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2463; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094796; classtype:successful-recon-limited; sid:5951; rev:13;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware earthlink toolbar runtime detection - search toolbar request 1"; flow:to_server,established; content:"/sw/toolbar/4/2/rd601.html?"; nocase; http_uri; content:"area=earthlink-ws-altsearchbox"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; metadata:service http; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7521; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker baidu toolbar runtime detection - hijacks search engine"; flow:to_server,established; content:"/baidu?"; fast_pattern; nocase; http_uri; content:"tn="; nocase; http_uri; content:"baiducb"; nocase; http_uri; content:"word="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=44261; reference:url,www.spywareguide.com/product_show.php?id=1250; classtype:misc-activity; sid:13481; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker rediff toolbar runtime detection - hijack ie auto search"; flow:to_server,established; content:"/dirsrch/default.asp?"; fast_pattern; nocase; http_uri; content:"MT="; nocase; http_uri; content:"mode=toolbar"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"search.rediff.com"; nocase; http_header; metadata:service http; reference:url,secwatch.org/exploits/2007/03/Rediff.Toolbar_DoS.html.info; reference:url,www.fbmsoftware.com/spyware-net/application/Rediff_Toolbar/; classtype:misc-activity; sid:14055; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker starware toolbar runtime detection - reference"; flow:to_server,established; content:"/dp/reference?x="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7578; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware.Win32.Frosty Goes Skiing Screen Saver 2.2 Runtime Detection"; flow:to_server,established; content:"/toolbar/sbartb0300.cfg"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/ccc3258541762de91147d8c4d51321f7a36a17162bfb9caae986417a1e13a1fb/analysis/; classtype:misc-activity; sid:19897; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS 6SQ Toolbar runtime detection"; flow:to_server, established; content:"/data.aspx?pn=sixsigmaToolbar&ver="; fast_pattern:only; http_uri; content:"User-Agent|3A| Asynchronous WinInet CLASS"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/909ed43dfe0dae19d10ae63d348af5f3480d68ae4b51689994409c352f77d638/analysis/; classtype:misc-activity; sid:19906; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Vittalia adware outbound connection - offers"; flow:to_server,established; content:"/listener.php"; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27917; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Vittalia adware outbound connection - Eazel toolbar install"; flow:to_server,established; content:"/utilsbar/EazelBar.exe"; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27916; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Babylon toolbar outbound connection"; flow:to_server,established; content:"User-Agent|3A| Babylon|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/10eb3a1f0c7f71246e7b938262e1ebc8a2f9358ab9b0fd3a68ec80bf8fd7a2b9/analysis/; classtype:misc-activity; sid:28530; rev:4;)
|
|
# alert udp $HOME_NET any -> any 53 (msg:"PUA-TOOLBARS Babylon toolbar outbound connection"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|stpui|07|babylon|03|com|00|"; fast_pattern:only; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/en/file/E7191CF365D04BFE5C00D0BECF7E1C976DD6A5972449044BE0AA50BCA115D1B0/analysis/; classtype:misc-activity; sid:30038; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Inbox Public Transport Toolbar outbound connection"; flow:to_server,established; content:"/cr_confirm.asmx/GetXMLLog?"; fast_pattern:only; http_uri; content:"TbId="; nocase; http_uri; content:"TUID="; nocase; http_uri; content:"Action_Type="; nocase; http_uri; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1439d4061659a8534435352274b72dc2fe03c3deeb84e32fc90d40380c35cab1/analysis/1322189076/; classtype:misc-activity; sid:30765; rev:1;)
|
|
# alert udp $HOME_NET any -> any 53 (msg:"PUA-TOOLBARS Babylon toolbar download attempt - stat.info-stream.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|stat|0B|info-stream|03|net|00|"; fast_pattern:only; metadata:service dns; reference:url,www.virustotal.com/en/domain/stat.info-stream.net/information/; classtype:misc-activity; sid:31076; rev:1;)
|
|
# alert udp $HOME_NET any -> any 53 (msg:"PUA-TOOLBARS AVG anti-virus toolbar download attempt - mmi.explabs.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mmi|07|explabs|03|net|00|"; fast_pattern:only; metadata:service dns; reference:url,www.virustotal.com/en/domain/mmi.explabs.net/information/; classtype:misc-activity; sid:31075; rev:1;)
|
|
# alert udp $HOME_NET any -> any 53 (msg:"PUA-TOOLBARS AVG anti-virus toolbar download attempt - download-toolbar.avg.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|download-toolbar|03|avg|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,www.virustotal.com/en/domain/download-toolbar.avg.com/information/; classtype:misc-activity; sid:31074; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection"; flow:to_server,established; content:".gif?action="; http_uri; content:"&browser="; distance:0; http_uri; content:"&osbuild="; distance:0; http_uri; content:"&osprod="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/06f3bd3df0326b5c3c5b03070d9d870507b868ee4e1acff62f0d301c43492709/analysis/; classtype:trojan-activity; sid:33452; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection"; flow:to_server,established; content:".gif?report="; http_uri; content:"&f="; distance:0; http_uri; content:"&n="; distance:0; http_uri; content:"&rnd="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/77ecc830641bd5a733a7e49bf132aaa8b1090fd2881df13d2e8f1c1fd69ba3ab/analysis/; classtype:trojan-activity; sid:39189; rev:1;)
|