RE: [Snort-users] Adware/Malware Rules List



02-29-2004
Mark E. Donaldson
 

I think it was Patrick Darden who posted this rule:
alert ip any any -> any any (msg:"Malware flowgo"; content:"flowgo";nocase;)

I would advise against any rule where the content=msg. If it ever triggers,
and you are logging to a remote syslog server or database, a "snowball"
effect will kick in and you will DOS the network and servers. The logging
information alone will keep triggering the rule logarithmically.

_____

From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Jerry Shenk
Sent: Sunday, February 29, 2004 12:26 PM
To: 'Darden, Patrick S.'; snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] Adware/Malware Rules List


I came here looking for exactly this. That's a start... problem is there
are SO MANY of these stupid things! I'd like to alert on Gator and all the
rest of 'em so we can keep our machines clean.

Here are a couple that I have set up...not many but maybe it will help get
things rolling:
alert tcp any any -> $HOME_NET 8080 (msg:"Gator updates"; content:"Host\: updateserver.gator.com"; flags: PA;)
alert tcp any any -> $HOME_NET 8080 (msg:"Installshield updates"; content:"Host\: updates.installshield.com"; flags: PA;)
alert tcp any any -> $HOME_NET 8080 (msg:"Comet Systems update"; content:"Host\: update.cc.cometsystems.com"; flags: PA;)


Here's a link to a rather old posting (Jan 2002) related to this issue.
There's a pretty good sized list here but many of them have probably
changed:
http://groups.google.com/groups?q=snort+adware+rules&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=BbK18.8737%24gf1.49194%40news-server.bigpond.net.au&rnum=6

Here's another related site:
http://www.doxdesk.com/parasite/


-----Original Message-----

From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Darden,
Patrick S.
Sent: Friday, February 27, 2004 11:05 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Adware/Malware Rules List


I had a large number of requests for my ruleset for Ad/Malware, so I have
placed it on the web at:

https://www.armc.org/malware/

It ain't nothing special, but it works for us. If you have any additions,
please email me so we can make this ruleset grow into something useful.

Thanks,
--Patrick Darden
--Internetworking Manager


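The feedback loop Mark warns about above is easy to lint for. The following is an added example (not code from the post or from the armc.org ruleset): a small Python checker for Snort 2.x-style rules that flags (a) a content pattern that is a substring of the rule's own msg, so the alert record carrying that msg re-matches the rule when it crosses a monitored segment as syslog or database traffic; (b) the cross-rule variant, where one rule's content appears in another rule's msg; and (c) the unrestricted `ip any any -> any any` header that lets the rule inspect the sensor's own logging traffic in the first place. The sample ruleset is constructed (only the flowgo rule is from the thread), and the option parser covers only the simple `name:"value";` syntax used on this page.

```python
"""Lint Snort 2.x-style rules for self-triggering alerts.

A rule whose 'content' is a substring of its own 'msg' re-matches the
alert it generates once that alert is shipped as syslog/database traffic
over a segment the sensor watches.  Added example; not from the post.
"""
import re

# Constructed sample ruleset; only the first rule comes from the thread.
SAMPLE_RULES = """
alert ip any any -> any any (msg:"Malware flowgo"; content:"flowgo"; nocase;)
alert ip any any -> any any (msg:"Malware flowgo uppercase"; content:"FLOWGO";)
alert tcp any any -> $HOME_NET 8080 (msg:"Gator updates"; content:"Host\\: updateserver.gator.com"; flags:PA;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Adware beacon"; content:"flowgo"; nocase; sid:1000001; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)
# option := name[:value];  value is a quoted string (backslash escapes such
# as \: \; \" \\ allowed) or bare text up to the terminating ';'
OPT_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(line):
    """Header fields plus an ordered (name, value) list of rule options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    rule = m.groupdict()
    opts = []
    for name, value in OPT_RE.findall(m.group("opts")):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # drop escaping backslashes
        opts.append((name, value))
    rule["opts"] = opts
    return rule


def msg_of(rule):
    return next((v for n, v in rule["opts"] if n == "msg"), "")


def contents(rule):
    """(pattern, nocase) per content option; a following 'nocase' applies to it."""
    found = []
    for name, value in rule["opts"]:
        if name == "content":
            found.append([value, False])
        elif name == "nocase" and found:
            found[-1][1] = True
    return [tuple(f) for f in found]


def content_hits(rule, all_msgs):
    """Alert msgs anywhere in the ruleset that contain one of this rule's patterns."""
    hits = []
    for pattern, nocase in contents(rule):
        for msg in all_msgs:
            p, m = (pattern.lower(), msg.lower()) if nocase else (pattern, msg)
            if p and p in m and msg not in hits:
                hits.append(msg)
    return hits


def unrestricted_header(rule):
    """'ip any any -> any any' sees every packet, including the sensor's own logging."""
    return (rule["proto"] == "ip"
            and rule["src"] == rule["sport"] == rule["dst"] == rule["dport"] == "any")


def lint(rules_text):
    """Return {msg: [findings]} for every rule with at least one finding."""
    lines = [l for l in rules_text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    rules = [parse_rule(l) for l in lines]
    all_msgs = [msg_of(r) for r in rules]
    report = {}
    for rule in rules:
        msg, findings = msg_of(rule), []
        for hit in content_hits(rule, all_msgs):
            where = "its own msg" if hit == msg else "the msg of rule '%s'" % hit
            findings.append("content appears in %s: the logged alert can re-trigger it" % where)
        if unrestricted_header(rule):
            findings.append("header 'ip any any -> any any' also matches syslog/database traffic")
        if findings:
            report[msg] = findings
    return report


if __name__ == "__main__":
    for msg, findings in lint(SAMPLE_RULES).items():
        print(msg, *("  - " + f for f in findings), sep="\n")
```

Run it against your own rules file (`lint(open("local.rules").read())`); the cross-rule finding is a weaker signal than the self-match, since it only bites when the other rule's alert actually traverses a segment this rule's header covers, so treat it as a prompt to tighten the header rather than as a certain loop.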



