A mal-ware focused SNORT-rules file

From: Les Yaw <yawles@luther.edu>
Date: 03/11/05
Message-ID: <4231F594.7020805@luther.edu>

We use TrafficServer's SNORT-like feature for some intrusion detection,
but mostly to detect infected computers on our network rather than
anything else. Attached is a sanitized rules file that produces relatively
few false positives for us. I do have one active rule detecting
"weather-bug" which I used more out of curiosity than policy violation
detection. (Amazing how many students and staff have it installed!!)

Enter your own IP addresses in the appropriate `var` definitions. I've
removed all the rules that use pcre, flowbits, etc., which TrafficServer's
rule parser can't handle.
If someone has a more in-depth rule set for TrafficServer, or a
scripted/automated way of keeping the Snort-like feature updated, I'd be
very interested in a copy.

Enjoy!

-- Les Yaw
    Luther College
    Decorah, IA

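# Configure your server lists. This lets the sensor look only for attacks
# against systems that actually run the service (why look for HTTP attacks
# if you are not running a web server?) and filter quickly on IP address.
# Every list below uses the same syntax as HOME_NET: a single CIDR, or a
# bracketed, comma-separated list of CIDRs.

# WHEN DEFINING VAR's - NO SPACES AT ALL, and DO NOT USE $
# WHEN USING VAR's - MUST START WITH $

# Your own address space. The "fill_in_your_own" placeholder is not a valid
# address and must be replaced before the file is loaded.
var HOME_NET [fill_in_your_own,192.168.1.1/32]

# Everything that is not HOME_NET. Most rules below are written against
# $EXTERNAL_NET, but this file never defined it; Snort's convention is the
# negation of HOME_NET. If your TrafficServer build already predefines
# EXTERNAL_NET, drop this line.
var EXTERNAL_NET !$HOME_NET

# THRESHOLD VAR GLOBAL SETTING
# NOTE(review): stock Snort 2.x spells a global threshold as
#   threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 3600
# The shorter form below is presumably what TrafficServer accepts -- confirm.
# This one-alert-per-source-per-hour limit is also what keeps the
# content-less rules further down (the IRC port watch, the SYN-only scan
# rules) from flooding the log.
threshold type limit, track by_src, count 1, seconds 3600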

# List of DNS servers on your network
var DNS_SERVERS [fill_in_your_own,192.168.1.1/32]

# List of DHCP servers on network
var DHCP [fill_in_your_own,192.168.1.1/32]

# List of SMTP servers on your network
var SMTP_SERVERS [fill_in_your_own,192.168.1.1/32]

# List of web servers on your network
var HTTP_SERVERS [fill_in_your_own,192.168.1.1/32]

# List of sql servers on your network
var SQL_SERVERS [fill_in_your_own,192.168.1.1/32]

# List of telnet servers on your network
var TELNET_SERVERS [fill_in_your_own,192.168.1.1/32]

# List of snmp servers on your network
var SNMP_SERVERS [fill_in_your_own,192.168.1.1/32]

# Configure your service ports. This allows snort to look for attacks destined
# to a specific application only on the ports that application runs on. For
# example, if you run a web server on port 8081, set your HTTP_PORTS variable
# like this:
#
# var HTTP_PORTS 8081

# Port lists must be either a continuous range [eg 80:8080] or a single port
# [eg 80]. Support for real port lists is planned for a future release.

# Ports you run web servers on
#
# Please note: [80,8080] does not work.
# If you wish to define multiple HTTP ports,
#
## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

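# other variables
#
# AIM servers. AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of
# servers. No rule visible in this file references $AIM_SERVERS, so the
# list is inert here unless you add AIM rules.
# 64.12.26.14/24 had host bits set; written as the /24 it denotes so that
# a stricter CIDR parser does not reject the whole list.
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.0/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]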

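# IRC port watch for a server subnet that should never speak IRC
# (192.203.196.0/24 here; replace with your own server range). These rules
# have no content or flow check, so they match every packet to the listed
# ports; the global threshold above is what keeps them to one alert per
# source host per hour. The message text now names the port each rule
# actually watches (all four previously said 6667).
alert tcp 192.203.196.0/24 any -> any 6667 (msg:"Server talking over IRC channel port 6667"; classtype:policy-violation; sid:5000000;)
alert tcp 192.203.196.0/24 any -> any 6668 (msg:"Server talking over IRC channel port 6668"; classtype:policy-violation; sid:5000001;)
alert tcp 192.203.196.0/24 any -> any 6669 (msg:"Server talking over IRC channel port 6669"; classtype:policy-violation; sid:5000002;)
alert tcp 192.203.196.0/24 any -> any 7000 (msg:"Server talking over IRC channel port 7000"; classtype:policy-violation; sid:5000003;)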

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Weatherbug Capture"; content:"GET"; content:"Host\:";
content:"weatherbug.com"; nocase; threshold:type limit, track by_src,
count 10, seconds 3600; flow:to_server,established;
classtype:misc-activity; sid:2001267; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Weatherbug"; uricontent:"WxAlertIsapi"; nocase; threshold:type limit,
track by_src, count 10, seconds 3600; flow:to_server,established;
classtype:misc-activity; sid:2001235; rev:5;)

# SSH rule: the "SSH-" version banner is sent by both ends of an SSH
# handshake, so this fires on whichever side is seen first, for any session
# where neither port is 22 -- including SSH servers you deliberately run on
# other ports. There is no flow/direction option, so the source may be
# inside or outside; exclude known hosts in the header if it gets noisy.
alert tcp any !22 -> any !22 (msg:"BLEEDING-EDGE Covert Non-Standard SSH
Port Usage"; flags:AP+;content: "SSH-"; depth:8;
classtype:policy-violation; sid:2000354; rev:2;)
# IRC rules: both key on server greeting text flowing from outside to a
# $HOME_NET host, i.e. a machine here has joined an IRC network. A legitimate
# IRC user looks exactly like a bot to these; correlate with the
# malware-specific rules further down before acting.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY
IRC connection"; content:"Welcome to the "; content:"IRC Network";
nocase; flow:established; classtype:misc-activity; sid:2000356; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY
IRC authorization message"; content:"NOTICE AUTH"; content:"Looking up
your hostname..."; nocase; flow: established; classtype:misc-activity;
sid:2000355; rev:2; )

# HTTP CONNECT tunnel check: matches a "CONNECT ... HTTP/1.x" request line
# whose target does not end in ":80" (first negated content) or ":443"
# (second negated content), i.e. a proxy tunnel to an unexpected port. The
# request line is walked twice, once per negated port check. The header is
# any -> any, so your own proxy's legitimate CONNECTs to other ports will
# also trip it; narrow the header to $HOME_NET -> proxy if that is noisy.
alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel
Attempt"; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0;
within:1024; content:"HTTP/1."; distance:-10; within:8; nocase;
content:!"\:80"; distance:-11; within:4; content:"CONNECT "; nocase;
content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1.";
distance:-10; within:8; nocase; content:!"\:443"; distance:-12;
within:5; flow:to_server,established; classtype:misc-activity;
sid:2000560; rev:5; )

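# Adware/spyware check-ins over HTTP, keyed on User-Agent, Host or URI.
# Fixes in this group: the Searchmiracle rule carried a stray `nocase` after
# its reference option (a modifier with no content to attach to); the
# My-Stats rule now carries the flow and classtype its siblings have.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Enhance My Search Spyware Activity"; content:"User-Agent\: HelperH"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001746; rev:2;)
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Pynix.dll BHO Activity"; uricontent:"ABETTERINTERNET.EXE"; nocase; uricontent:"bho=PYNIX.DLL"; nocase; flow:established,to_server; reference:url,www.pynix.com; classtype:trojan-activity; sid:2001748; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Enhance My Search Spyware Install"; uricontent:"/admin/getinfo.php"; nocase; content:"User-Agent\: HelperH"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001745; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; uricontent:"/sideb.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; flow:to_server,established; classtype:trojan-activity; sid:2001744; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware My-Stats.com Spyware Checkin"; uricontent:"/ad-partner/SelectConfirm.php?dummy="; nocase; content:"Host\: www.my-stats.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001747; rev:1;)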

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Exploit
Arkeia full remote access without password or authentication";
content:"|464F3A20596F75206861766520737563|";
content:"|6520636C69656E7420696E666F726D61|";
flow:from_server,established; classtype:attempted-admin;
reference:url,metasploit.com/research/arkeia_agent; sid:2001742; rev:1;)
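# Mastermind daily executable fetch. The published rule put `within:5` on
# the first content, where there is no prior match to be relative to and a
# 12-byte pattern cannot fit a 5-byte window -- on Snort 2.x that rule is
# unlikely ever to match. The proximity intent is kept by anchoring ".exe"
# after the path with distance:0 instead.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable"; content:"/soft/loads/"; nocase; content:".exe"; nocase; distance:0; flow:to_server,established; classtype:trojan-activity; sid:2001412; rev:4;)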
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware Medis-Motor Related Downloading ast_4_mm.exe";
uricontent:"/dist/ast_4_mm.exe"; nocase; flow:to_server,established;
classtype:trojan-activity; sid:2001413; rev:4;)
alert tcp $HOME_NET any -> any 11768 (msg:"BLEEDING-EDGE Virus Dipnet
infected host response";
content:"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123";
reference:url,www.lurhq.com/dipnet.html; classtype:trojan-activity;
sid:2001740; rev:1;)
alert tcp $HOME_NET any -> any 15118 (msg:"BLEEDING-EDGE Virus Dipnet
infected host response";
content:"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123";
reference:url,www.lurhq.com/dipnet.html; classtype:trojan-activity;
sid:2001739; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Policy
TOR1.0 nodes negotiation"; content: "TOR"; content: "<identity>";
within:30; reference:url,tor.eff.org; classtype:policy-violation;
sid:2001728; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
Virus Trojan-Spy.Win32.Bancos Download"; content:"[AspackDie!]";
content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72
ac 5f 3138 d0|"; classtype:trojan-activity; sid:2001726; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6891:6900 (msg:"BLEEDING-EDGE
Virus Bropia.F Worm Propagation"; content:"|E1 37 A2 BA 6E 5C 63 8B D6
D1 F7 3C BA 13 16 FD 77 21 5A 5C 17 1B 29 4A 4F 15 A9 29 CF FA 48 3A|";
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBROPIA%2EF;
flow:established,to_server; classtype:misc-attack; sid:2001715; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware A-d-w-a-r-e.com Activity"; uricontent:"/app/VT00/ucmd.php?V=";
nocase; reference:url,www.a-d-w-a-r-e.com; classtype:trojan-activity;
sid:2001735; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware ak-networks.com Spyware Code Install"; uricontent:"/akcore.dl_";
nocase; flow:to_server,established; classtype:trojan-activity;
sid:2001737; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware A-d-w-a-r-e.com Activity"; uricontent:"/cgi-bin/PopupV2?ID={";
nocase; reference:url,www.a-d-w-a-r-e.com; classtype:trojan-activity;
sid:2001730; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware SurfSidekick Activity"; uricontent:"/Bundling/SskUpdater";
nocase; classtype:trojan-activity; sid:2001731; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware Tibsystems Spyware Install"; uricontent:"/tb/loader2.ocx";
nocase; flow:to_server,established; classtype:trojan-activity;
sid:2001734; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware CrazyWinnings.com Activity";
uricontent:"/scripts/protect.php?promo=promo"; nocase;
classtype:trojan-activity; sid:2001733; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware Top Converting Agent Activity"; content:"User-Agent\:
Topconvertingagent"; nocase; classtype:trojan-activity; sid:2001732; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware Tibsystems Spyware Install";
uricontent:"/fcgi-bin/iza2.fcgi?m="; nocase; flow:to_server,established;
classtype:trojan-activity; sid:2001729; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware UCMore Spyware Activity"; content:"User-Agent\: UCmore";
flow:to_server,established; classtype:trojan-activity; sid:2001736; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware Windupdates.com Spyware Loggin Data";
uricontent:"/logging.php?p="; nocase; content:"Host\:
public.windupdates.com"; nocase; flow:established,to_server;
classtype:trojan-activity; sid:2001701; rev:3;)
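# User-Agent is a request header, not part of the URI, so `uricontent` could
# never match it; changed to `content` (compare the AproposClient rule,
# sid 2001703, which already uses content for its User-Agent).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Context Plus Spyware Activity"; content:"User-Agent\: EnvoloAutoUpdater AutoLoader"; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001706; rev:3;)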
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware Flingstone Spyware Install";
uricontent:"/softwares/SportsInteraction.exe"; nocase;
flow:established,to_server; classtype:trojan-activity; sid:2001705; rev:3;)
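# Shop at Home Select / Context Plus. Four of these rules were missing the
# `;` between the content pattern and `nocase` (sids 2001702, 2001707,
# 2001708, 2001709), which is a parse error; restored. Nothing else changed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Activity"; content:"User-Agent\: Bundle"; nocase; flow:established,to_server; classtype:policy-violation; sid:2001702; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Activity"; content:"User-Agent\: SAH Agent"; nocase; flow:established,to_server; classtype:policy-violation; sid:2001707; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Context Plus Spyware Activity"; content:"User-Agent\: AproposClient AutoLoader"; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001703; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Context Plus Spyware Install"; uricontent:"/AproposClientInstaller.exe"; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001704; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Heartbeat"; uricontent:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; flow:established,to_server; classtype:policy-violation; sid:2001708; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download"; uricontent:"/agentprefs.sah"; nocase; flow:established,to_server; classtype:policy-violation; sid:2001709; rev:3;)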
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware Windupdates.com Spyware Install"; uricontent:"/cab/CDTInc/ie/";
nocase; uricontent:".cab"; nocase; flow:established,to_server;
classtype:trojan-activity; sid:2001700; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware Flingstone Spyware Install";
uricontent:"/softwares/cxtpls_loader_ff.exe"; nocase;
flow:established,to_server; classtype:trojan-activity; sid:2001710; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Malware Search Relevancy Spyware";
uricontent:"/SearchRelevancy/SearchRelevancy.dll"; nocase;
flow:established,to_server; classtype:trojan-activity; sid:2001696; rev:3;)

# Direction matters here: the alert is raised on the SMB *server* side
# ($HOME_NET 139/445 -> any, from_server), i.e. one of your hosts handing a
# password-hash dump back to whoever ran pwdump against it. The pattern
# looks like the ":500:" field (RID 500, the built-in Administrator) from
# pwdump's user:RID:LMhash:NThash output with interleaved nulls -- confirm
# against a capture before tuning. pwdump needs administrative rights to
# run, so a hit means the source already had admin on that box; treat it
# as a compromised host, not a policy matter.
alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password
Hash Retrieval port 139"; content:"\:|00|5|00|0|00|0\:";
flow:from_server,established; classtype:misc-attack; sid:2000568; rev:5;)
alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password
Hash Retrieval port 445"; content:"\:|00|5|00|0|00|0\:";
flow:from_server,established; classtype:misc-attack; sid:2000563; rev:6;)

alert tcp any any -> any 4321 (msg:"BLEEDING-EDGE Akak trojan protocol
hello"; content:"|89 13 00 00|"; dsize:4; flow:established,to_server;
reference:url,www.lurhq.com/akak.html; classtype:trojan-activity;
sid:2001236; rev:1;)
alert tcp $HOME_NET 4321 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE Akak
trojan protocol response from infected host"; content:"|6f 17 00 00|";
dsize:4;flow:established,to_client;
reference:url,www.lurhq.com/akak.html; classtype:trojan-activity;
sid:2001237; rev:1;)

#Matt Jonkman, additions by David Maciejak
alert tcp any !$HTTP_PORTS -> any 1639 (msg:"BLEEDING-EDGE WORM Bofra
Victim Accessing Reactor Page"; classtype:trojan-activity; content:"GET
/"; nocase; content:"reactor"; nocase;
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html;
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
flow:from_client,established; sid:2001430; rev:4;)

#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
IE Ilookup Trojan"; content:"#@~^/gAAAA==@#@&@#@&7lMP\:HVK^P{P[W1Ehn";
content:"#@~^GAIAAA==@#@&\\CMPsX/DD,xPvEU+kmC2";
reference:url,62.131.86.111/analysis.htm; classtype:misc-activity;
flow:from_server,established; sid:2001066; rev:2;)

#Submitted by Matt Jonkman
alert tcp any !$HTTP_PORTS -> any 1639:1640 (msg:"BLEEDING-EDGE WORM
MyDoom.AH Victim Accessing Infected Page"; classtype:trojan-activity;
flow:established,to_server; content:"/index.htm"; nocase;
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
sid:2001428; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE WORM
Potential MyDoom.AH Email Inbound"; classtype:trojan-activity;
flow:established,to_server; content:"tracking number is A866DEC0";
nocase;
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
sid:2001431; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE WORM
Potential MyDoom.AH Email Inbound"; classtype:trojan-activity;
flow:established,to_server; content:"Hi! I am looking for new friends. I
am from Miami, FL."; nocase;
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
sid:2001435; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM
Potential MyDoom.AH Email Outbound"; classtype:trojan-activity;
flow:established,to_server; content:"tracking number is A866DEC0";
nocase;
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
sid:2001432; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE WORM
Potential MyDoom.AH Email Inbound"; classtype:trojan-activity;
flow:established,to_server; content:"My name is Jane, I am from Miami,
FL"; nocase; content:"with my weblog and last webcam photos!"; nocase;
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
sid:2001433; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM
Potential MyDoom.AH Email Outbound"; classtype:trojan-activity;
flow:established,to_server; content:"My name is Jane, I am from Miami,
FL"; nocase; content:"with my weblog and last webcam photos!"; nocase;
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
sid:2001434; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM
Potential MyDoom.AH Email Outbound"; classtype:trojan-activity;
flow:established,to_server; content:"Hi! I am looking for new friends. I
am from Miami, FL."; nocase;
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
sid:2001436; rev:1;)

#Submitted by colforbin5
# Pure destination-address indicator: any TCP traffic to one of these six
# IRC server addresses on 6667 is treated as an infected host, with no
# content check. Hard-coded C2 addresses go stale and get reassigned;
# verify the list against a current source before acting on a hit. The
# source is `any`, so external-to-external transit traffic (if the sensor
# sees any) also fires; `$HOME_NET any ->` would limit it to your machines.
alert tcp any any ->
[194.68.45.50,194.134.7.195,193.109.122.67,213.48.150.13,213.48.150.1,129.27.9.248]
6667 (msg:"BLEEDING-EDGE WORM Mydoom.ah/i Infection IRC Activity";
threshold: type limit, track by_src, count 1, seconds 1800;
classtype:trojan-activity; sid:2001439; rev:2;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
msg:"BLEEDING-EDGE VIRUS Psyme Trojan Download";
reference:url,securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html;
uricontent:"/download/IEService215.chm"; nocase;
flow:to_server,established; classtype:trojan-activity; sid:2000365; rev:5;)

#
alert tcp any any -> any any (msg:"BLEEDING-EDGE VIRUS Agobot/Phatbot
Infection Successful"; flow:established; content:"221 Goodbye, have a
good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity;
reference:url,www.lurhq.com/phatbot.html; sid:2000014; rev:1;)

#From the Netsquid Rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS
Sober.F Outbound"; content:"Content-Disposition\: attachment\;
filename="; content:"NlJhIn5GWj4mcjUifkZaMmpGejZpImom"; nocase;
within:1280; flow:established,to_server; classtype:trojan-activity;
sid:2001284; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS
Sober.F Outbound"; content:"Content-Disposition\: attachment\;
filename="; content:"dllygSJ+Rlp2YjEiblZtIm4uJlVtaSJu"; nocase;
within:1280; flow:established,to_server; classtype:trojan-activity;
sid:2001285; rev:3; )
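#From David Maciejak
#Disabled: too many false positives. Enable it only if nothing on your
#network legitimately talks to time (port 37) services -- as written it
#alerts on *any* established outbound TCP session to port 37, with no
#content check. (The rule is kept on one commented line; the original
#was wrapped across lines without '#', which a parser would choke on.)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"BLEEDING-EDGE Virus Possible Sober.j Outbound"; reference:url,vil.mcafeesecurity.com/vil/content/v_130130.htm; classtype:trojan-activity; flow:established; sid:2001542; rev:3;)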

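#added 11/19/2004 Sober.I - created by Mark Scott
# Both rules match a base64 fragment of the worm's attachment. base64 is
# case-sensitive, so `nocase` only widens the match; kept for fidelity with
# the original. The inbound rule is now restricted to $HOME_NET 25 like the
# other "incoming" SMTP rules in this file (it was written "-> any 25",
# which would also fire on external-to-external mail the sensor happens
# to see).
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Sober.I Worm - incoming"; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; nocase; classtype:misc-activity; flow:established; sid:2001577; rev:2;)
alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm outbound detected"; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; nocase; threshold: type limit, track by_src, count 10 , seconds 60; classtype:misc-activity; flow:established; sid:2001578; rev:2;)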

# Sobig E-F downloading goodies
alert udp $HOME_NET any -> any 8998 (msg:"BLEEDING-EDGE VIRUS Sobig.E-F
Trojan Site Download Request"; content:"|5c bf 01 29 ca 62 eb f1|";
dsize:8; classtype:trojan-activity; sid:2001547; rev:1;)
#Submitted by Michael Sconzo
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Webber/Berbew Trojan keystroke log upload"; flow:established;
content:"id=crutop|26|vvpupkin0="; depth:20; classtype:trojan-activity;
reference:url,www.lurhq.com/berbew.html; sid:2001303; rev:2;)

# Zafi.D
alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS Probable
Zafi Virus Outbound via SMTP"; content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG";
content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; distance:6;
flow:to_server; classtype:misc-activity; sid:2000310; rev:4;)

#added by Mark Scott, Mark.Scott@mtgroup.com, 6/13/2004 for incoming Zafi.B
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus
Zafi Worm - incoming ";
content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA";
nocase; classtype:misc-activity; flow:established; sid:2001572; rev:5;)
#added by Mark Scott, Mark.Scott@mtgroup.com, 6/13/2004 for outgoing Zafi.B
alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi Worm
outgoing detected ";
content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA";
threshold: type limit, track by_src, count 10 , seconds 60 ; nocase;
flow:established; classtype:misc-activity; sid:2001573; rev:5;)

#by Chris Harrington
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Virus
Zafi.d P2P Infection Attempt"; content:"WINAMP 5.7 NEW!.EXE"; nocase;
flow:established;
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D;
classtype:trojan-activity; sid:2001592; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Virus
Zafi.d P2P Infection Attempt"; content:"ICQ 2005A NEW!.EXE"; nocase;
flow:established;
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D;
classtype:trojan-activity; sid:2001593; rev:2;)
alert tcp $EXTERNAL_NET any -> any 8181 (msg:"BLEEDING-EDGE Virus Zafi.d
a.exe file upload"; content:"a.exe"; nocase; flow:established;
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D;
classtype:trojan-activity; sid:2001594; rev:2;)

#added by Mark Scott 12/14/2004 for Zafi.D, variant .zip attachment
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus
Zafi.D Worm [.zip] - incoming detected ";
content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ";
nocase; reference:url,secunia.com/virus_information/13874/;
classtype:misc-activity; flow:established; sid:2001598; rev:2;)
alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm
[.zip] - outgoing detected ";
content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ";
threshold: type limit, track by_src, count 10 , seconds 60 ; nocase;
reference:url,secunia.com/virus_information/13874/;
classtype:misc-activity; flow:established; sid:2001599; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus
Zafi.D Worm [.cmd, .com, .pif or .bat] - incoming detected ";
content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; nocase;
reference:url,secunia.com/virus_information/13874/;
classtype:misc-activity; flow:established; sid:2001600; rev:2;)
alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm
[.cmd, .com, .pif or .bat] - outgoing detected ";
content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; threshold:
type limit, track by_src, count 10 , seconds 60 ; nocase;
reference:url,secunia.com/virus_information/13874/;
classtype:misc-activity; flow:established; sid:2001601; rev:2;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
VIRUS Bagle Variant Checking In";
reference:url,vil.nai.com/vil/content/v_127423.htm;
uricontent:"/spyware.php"; flow:established; classtype:trojan-activity;
sid:2001064; rev:4;)

#From the Netsquid Rules
alert tcp $HOME_NET any -> any $HTTP_PORTS (content:"User-Agent\:
beagle_beagle"; flow:to_server,established; dsize:< 150;
msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity;
sid:2001269; rev:6; )
alert tcp $HOME_NET any -> any 25
(content:"7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh";
msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity;
flow:established; sid:2001270; rev:3; )

#Submitted by Mark Mcdonagh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"W32/Bagle.z@MM Requesting 5.php"; content:"GET /5.php";
reference:mcafee,122415; classtype:trojan-activity;
flow:to_server,established; sid:2001556; rev:2;)

#Submitted by Mark Scott
alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel -
outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase;
flow:established; classtype:trojan-activity; sid:2001567; rev:4;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus
Bagel - incoming"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA";
nocase; classtype:trojan-activity; flow:established; sid:2001568; rev:4;)

# Bagle Trojan - W32/Bagle.dldr from Mark Scott
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
W32/Bagle.dldr Trojan - download attempt"; content:"GET /zoo.jpg";
nocase; reference:url,secunia.com/virus_information/13085/;
classtype:misc-activity; flow:established; sid: 2001638; rev:3;)

#added by Mark Scott 01/27/2005 - Bagle.AY, .BJ - Updated 1/31/2005
alert TCP $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bagle.BJ
[alias .AY, .BC] - download attempt"; content:"GET /error.jpg"; nocase;
reference:url,secunia.com/virus_information/14877/;
classtype:trojan-activity; flow:established; sid: 2001695; rev:1;)
alert TCP $HOME_NET any -> any 25 (msg:"Bagle.BJ [alias .AY, .BC] worm
[.com, exe extensions] - outbound";
content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn";
nocase; flow:established;
reference:url,secunia.com/virus_information/14902/;
classtype:trojan-activity; sid:2001691; rev:3;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias .AY,
.BC] worm [.com, .exe extensions] - incoming";
content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn";
nocase; flow:established;
reference:url,secunia.com/virus_information/14902/;
classtype:trojan-activity; sid:2001692; rev:3;)
alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS
Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound";
content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5";
nocase; flow:established;
reference:url,secunia.com/virus_information/14902/;
classtype:trojan-activity; sid:2001693; rev:4;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias .AY,
.BC] worm [.cpl extension] - incoming";
content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5";
nocase; flow:established;
reference:url,secunia.com/virus_information/14902/;
classtype:trojan-activity; sid:2001694; rev:2;)

#Written by Chris Norton
# |6C 75 66 6A 65 6F 6F| is the ASCII string "lufjeoo". The header is
# `ip any any -> any any` with no flow, port or direction constraint, so
# every IP packet the sensor sees is searched for this 7-byte string;
# expect false positives on binary or compressed payloads, and treat a hit
# as a prompt to pull the flow rather than as proof. Putting $HOME_NET on
# one side of the header would at least scope it to your own hosts.
alert ip any any -> any any (msg:"BLEEDING-EDGE Possible CIA
download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|";
classtype:trojan-activity; sid:2001233; rev:2;)

#Submitted by Matt Jonkman
#alert tcp any any -> any any (msg:"BLEEDING-EDGE GDI Exploit - Worm 1
Successful Execution"; content:"USER bawz"; nocase;
reference:url,www.easynews.com/virus.txt; classtype:trojan-activity;
flow:established; sid:2001332; rev:3;)

#Submitted by Nick Hatch
alert tcp $HOME_NET any -> any 445 (msg:"BLEEDING-EDGE Korgo.P offering
executable"; content:"|FF|SMB"; flow:to_server,established; depth:10;
content:"|58|http"; content:".exe"; nocase; within:36;
reference:url,www.f-secure.com/v-descs/korgo_p.shtml; rev:2;
classtype:trojan-activity; sid:2001337;)
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE Korgo.P binary
upload"; content:"|aa4f7ea86c90457d686868f0de687a68689768686868|";
reference:url,www.f-secure.com/v-descs/korgo_p.shtml;
flow:to_server,established; classtype:trojan-activity; sid:2001338; rev:3;)

#From Michael Sconzo and Netsquid
# NOTE(review): the first rule keys on *source* port 53 from $HOME_NET to a
# single hard-coded address, not on a client query to port 53 -- as written
# it only sees traffic from a host that sends from port 53 (e.g. an older
# recursive resolver), despite the "DNS Query" message. A single-IP
# indicator from 2004 is also likely stale; confirm the address before
# relying on it. The second rule matches the bare string "pp-app.zip"
# anywhere in an outbound SMTP session, so a user mailing a legitimately
# named file looks the same as the worm.
alert udp $HOME_NET 53 -> 212.5.86.163 any (msg:"BLEEDING-EDGE VIRUS
MiMail.P Worm - DNS Query"; classtype:trojan-activity; sid:2001271; rev:2; )
alert tcp $HOME_NET any -> any 25 (content:"pp-app.zip";
msg:"BLEEDING-EDGE VIRUS MiMail.P Worm - Mail Attachment";
classtype:trojan-activity; flow:to_server,established; sid:2001272; rev:3;)

#Submitted by Joel Esler
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
"BLEEDING-EDGE MyDoom.P Query"; content:"/py/psSearch.py|3f|"; nocase;
content: "Host|3a| EMAIL.PEOPLE.YAHOO.COM"; flow:to_server,established;
classtype:trojan-activity; sid:2001045; rev:6;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM
MyDoom.S Outbound"; content:"LOL!\;)"; nocase;
content:"filename=photos_arc.exe"; nocase;
reference:url,www.f-secure.com/v-descs/mydoom_s.shtml;
reference:url,isc.sans.org/diary.php?date=2004-08-16;
flow:to_server,established; classtype:trojan-activity; sid:2001196; rev:4;)

#From the Netsquid Rules
alert tcp $HOME_NET any -> any 25 (content:"represented in 7-bit ASCII";
nocase; content:"Content-Type\: application/octet-stream"; nocase;
content:"Content-Transfer-Encoding\: base64"; nocase; msg:"BLEEDING-EDGE
VIRUS MyDoom/MIMAIL.R Outbound 1"; classtype:trojan-activity;
flow:to_server,established; sid:2001274; rev:3; )
alert tcp $HOME_NET any -> any 25 (content:"Mail transaction failed";
nocase; content:"Content-Type\: application/octet-stream"; nocase;
content:"Content-Transfer-Encoding\: base64"; nocase; msg:"BLEEDING-EDGE
VIRUS MyDoom/MIMAIL.R Outbound 2"; classtype:trojan-activity;
flow:to_server,established; sid:2001275; rev:4; )
alert tcp $HOME_NET any -> any 25 (content:"The message contains Unicode
characters"; nocase; content:"Content-Type\: application/octet-stream";
nocase; content:"Content-Transfer-Encoding\: base64"; nocase;
msg:"BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 3";
classtype:trojan-activity; flow:to_server,established; sid:2001276; rev:3; )
alert tcp $HOME_NET any -> any 25 (content:"We are sorry your UTF-8
encoding is not supported by the server"; nocase; msg:"BLEEDING-EDGE
VIRUS MyDoom/MIMAIL.R Variant Outbound"; classtype:trojan-activity;
flow:to_server,established; sid:2001277; rev:3; )
# The first content looks like base64 of a run of spaces (0x20) and the hex
# is the ASCII string "Windows-1252". Both are common in ordinary MIME mail,
# and the header is any destination port, so expect false positives; worth
# tightening to port 25 or to a more specific MyDoom.F artefact if noisy.
alert tcp $HOME_NET any -> any any (content:"gICAgICAgICAgICAgICAgICAg";
content:"|57 69 6E 64 6F 77 73 2D 31 32 35 32|"; msg:"BLEEDING-EDGE
VIRUS MyDoom.F Worm"; classtype:trojan-activity;
flow:to_server,established; sid:2001279; rev:3; )

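# MyDoom.I created by Mark Scott, 1/5/2005
# NOTE(review): the base64 fragment decodes to the "int 21h / mov ax,4C01h /
# int 21h / 'This program cannot be '" bytes of a standard DOS stub, so other
# base64-encoded Windows executables whose stub lands at the same base64
# alignment will also match. Treat a hit as "executable in mail" unless
# corroborated by another rule. `nocase` on base64 only widens the match.
# The inbound rule is now restricted to $HOME_NET 25 for consistency with
# the other inbound SMTP rules (it was written "-> any 25").
alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus MyDoom.I worm - outbound"; content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; nocase; reference:url,secunia.com/virus_information/8818/; classtype:misc-activity; flow:established; sid:2001672; rev:1;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus MyDoom.I worm - inbound"; content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; nocase; reference:url,secunia.com/virus_information/8818/; classtype:misc-activity; flow:established; sid:2001673; rev:1;)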

# Very crude first draft of rule to detect MySQL worm
# "|06|zmoker|06|dns2go|03|com" is the DNS wire-format encoding of
# zmoker.dns2go.com (each label preceded by its length byte), so the second
# rule matches that exact name rather than a substring of an unrelated one;
# the first rule matches "landingzone" anywhere in a query. The two SYN
# rules (flags:S,12 = SYN only, ignoring the two reserved bits) carry no
# content and no per-rule threshold, so they fire on every SYN and rely on
# the global threshold above for rate limiting. The 3306 rule alerts on any
# $HOME_NET host opening MySQL to a server not listed in $SQL_SERVERS --
# fill that var in, or every developer connecting to an unlisted database
# shows up as a "scan".
alert udp $HOME_NET any -> any 53 (msg:"BLEEDING-EDGE MySQL bot DNS
lookup"; content:"landingzone"; nocase; classtype:trojan-activity;
reference:url,isc.sans.org/diary.php?date=2005-01-27; sid:2001687; rev:3;)
alert udp $HOME_NET any -> any 53 (msg:"BLEEDING-EDGE MySQL bot DNS
lookup"; content:"|06|zmoker|06|dns2go|03|com"; nocase;
classtype:trojan-activity;
reference:url,isc.sans.org/diary.php?date=2005-01-27; sid:2001688; rev:3;)
alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"BLEEDING-EDGE
Potential MySQL bot scanning for SQL server"; flags:S,12;
classtype:trojan-activity;
reference:url,isc.sans.org/diary.php?date=2005-01-27; sid:2001689; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5002:5003 (msg:"BLEEDING-EDGE
Potential MySQL bot connecting to IRC server"; flags:S,12;
classtype:trojan-activity;
reference:url,isc.sans.org/diary.php?date=2005-01-27; sid:2001690; rev:2;)

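#From the Netsquid Rules
# Netsky copying itself over SMB (139/445). The hex looks like a PE
# section-table entry whose name is ".petite" (2E 70 65 74 69 74 65) - the
# Petite runtime packer Netsky was built with - followed by the entry's
# size/offset fields. Any Petite-packed binary with the same layout copied
# over SMB would match, so confirm the file before calling it Netsky.
alert tcp $HOME_NET any -> any 139 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky message.zip HEX port 139"; classtype:trojan-activity; flow:to_server,established; sid:2001280; rev:5; )
alert tcp $HOME_NET any -> any 445 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky message.zip HEX port 445"; classtype:trojan-activity; flow:to_server,established; sid:2001281; rev:5; )
# Same worm as a base64 mail attachment: port 1352 is Lotus Notes, port 25
# SMTP. The content is a base64 slice of the worm body; base64 is
# case-sensitive, so no nocase is (correctly) used here.
alert tcp $HOME_NET any -> any 1352 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 1352"; classtype:trojan-activity; flow:to_server,established; sid:2001282; rev:4; )
alert tcp $HOME_NET any -> any 25 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25"; classtype:trojan-activity; flow:established,to_server; sid:2001283; rev:4;)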

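#Submitted by Mark Scott, Mark.Scott@mtgroup.com, created 3/22/2004
# Netsky.P: the base64 decodes to DOS-stub code (0e 1f ba 0e 00 b4 09 cd 21
# b8 01 4c cd 21) followed by the non-standard stub text "Windows Program"
# and "$PE", so unlike a stock "This program cannot be run" stub this is
# reasonably specific to the sample it was cut from.
# The outbound rules carry a per-rule threshold (10 hits / 60 s per source)
# on top of the global one. nocase was moved next to the content it
# modifies, as in the inbound twins; Snort attaches it to the most recent
# content either way, so matching is unchanged. nocase on base64 is
# unnecessary (base64 is case-sensitive) and slightly loosens the match,
# but it is kept to preserve the upstream behaviour.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Netsky.P Worm - incoming "; content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; nocase; flow:established; classtype:misc-activity; sid:2001565; rev:4;)
alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Netsky.P Worm detected "; content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; nocase; threshold: type limit, track by_src, count 10 , seconds 60; classtype:misc-activity; flow:established; sid:2001566; rev:4;)
#added by Mark Scott 3/11/2004 for NetSky.C, updated 3/23/2003 (sic - presumably 2004)
# NetSky.C: decodes to part of the linker "Rich" header followed by the
# Petite packer's banner "Compressed by Peti". Other Petite-packed
# executables mailed at the same base64 alignment can match as well.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus NetSky.C Worm - incoming"; content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; nocase; reference:url,secunia.com/virus_information/557/; classtype:misc-activity; flow:established; sid:2001590; rev:2;)
alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus NetSky.C Worm - outgoing detected"; content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; nocase; threshold: type limit, track by_src, count 10 , seconds 60; reference:url,secunia.com/virus_information/557/; classtype:misc-activity; flow:established; sid:2001591; rev:2;)

#Submitted by Mark Scott 5/18/2004 for Netsky.Z
# Netsky.Z: a base64 slice of the worm body (repeating "aD5j" = "h>c"
# pattern); not decoded further here.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Netsky.Z Worm - incoming detected"; content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4"; nocase; reference:url,secunia.com/virus_information/8911/; classtype:misc-activity; flow:established; sid:2001602; rev:2;)
alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Netsky.Z Worm - outgoing detected"; content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4"; nocase; threshold: type limit, track by_src, count 10 , seconds 60; reference:url,secunia.com/virus_information/8911/; classtype:misc-activity; flow:established; sid:2001603; rev:2;)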

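#From the Netsquid Rules
# Outbound mail carrying the Novarg/MyDoom.A executable. The anchors are
# base64 slices of its MZ/PE header ("TVqQAAMAAAAEAAAA" = "MZ\x90\0\x03\0\0\0
# \x04\0\0\0", which is generic) chained with distance/within so the later,
# more specific slices must sit at fixed offsets.
# CAUTION: content:"UEUA..AEwBAW" contains two literal periods. Snort content
# is not a regex, and "." cannot occur in base64 data, so as archived here
# this rule cannot match an encoded attachment at all. Check the upstream
# copy of sid 2001273 - if the dots stood in for wildcard bytes they need to
# be resolved to real bytes (pcre is not an option on TrafficServer).
# Left as posted rather than guessing at the intended bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Outbound W32.Novarg.A worm"; content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; distance:2; within:20; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; distance:16; within:40; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; distance:16; within:30; classtype:trojan-activity; flow:established; sid:2001273; rev:9;)
# MyDoom.A's denial-of-service request against SCO. dsize:37 is exactly
# the length of "GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n" (14+2+17+4).
# The archived copy read "GET HTTP/1.1..." - 35 bytes and not a valid
# request line - so it appears to have lost the "/ " in transit and could
# not describe the 37-byte request it sizes. "/ " restored, rev bumped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS W32.Novarg.A SCO DOS"; content:"GET / HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset:0; dsize:37; classtype:trojan-activity; flow:to_server,established; sid:2001278; rev:6;)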

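#Matt Jonkman phpinclude.worm
# The worm's command-injection payload (cd /tmp; wget ...; perl ...) sent
# through a PHP include parameter. Both contents match the URL-encoded form
# literally (%20, escaped ";"), so a differently-encoded variant is missed.
# Inbound = a remote host attacking a local web server; outbound = a local
# host is already infected and spreading.
# The archived inbound rule ended "id:2001614; sid:2222222 rev:9;" - "id" is
# Snort's IP-ID test, not a rule identifier, and "sid:2222222 rev:9" has no
# separator, so the rule would not load. The outbound twin is 2001615, so
# the intended id is 2001614; fixed to "sid:2001614; rev:9;".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus PHPInclude.Worm Inbound Attack"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; flow:to_server,established; classtype:trojan-activity; sid:2001614; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus PHPInclude.Worm Outbound Attack --LOCAL INFECTION--"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; flow:to_server,established; classtype:trojan-activity; sid:2001615; rev:9;)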

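#Submitted by Christopher Harrington
# Rbot/rxBot IRC chatter. The first rule catches a local bot reporting
# "]: Exploiting IP: " back to its controller on any port; the second
# catches the ".advscan " command arriving at a local host from anywhere
# (source "any any", since the C2 need not be in $EXTERNAL_NET as defined).
# Both match plain text on any port, so they also fire on people discussing
# the bot over IRC/IM - check the session before acting.
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE RXBOT / RBOT Exploit Report"; content:"|5D 3A 20|Exploiting|20|IP|3A 20|"; nocase; classtype:trojan-activity; reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; flow:established; sid:2001220; rev: 2;)
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE RXBOT / RBOT Vulnerability Scan"; content:"|2E|advscan|20|"; nocase; classtype: trojan-activity; reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; reference:url,www.muzzleflash.org/readarticle.php?article_id=5#scanning; flow:established; sid:2001184; rev: 2;)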

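#Submitted by Jason Alexander
# Rbot spreading a "bestfriends.scr" download link over AIM (5190).
# Note the direction: $HOME_NET -> $EXTERNAL_NET, i.e. this fires when a
# LOCAL host sends the lure, despite the "inbound" wording in msg. Treat a
# hit as a likely local infection. msg left as upstream to keep the sid/rev
# meaningful.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"BLEEDING-EDGE WORM RBOT inbound Bestfriends.scr"; content:"http"; nocase; content:"bestfriends.scr"; within:80; nocase; classtype:trojan-activity; flow:established; sid:2001367; rev:2;)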

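# Investigating Rbot activity - created by Mark Scott, 12/27/2004
# DNS lookup of the bot's C2 host. A query name on the wire is a sequence of
# length-prefixed labels with no dots, so the archived content
# "giuse.ns0.it" could not match a normal query; it is rewritten in wire
# form (the same form sid 2001688 in this file already uses) and nocase is
# added because DNS names are case-insensitive. rev bumped.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg: "BLEEDING-EDGE Virus Rbot DNS Lookup - giuse.ns0.it"; content:"|05|giuse|03|ns0|02|it"; nocase; reference:url,secunia.com/virus_information/11709/; classtype: misc-activity; sid:2001629; rev:3;)
# IRC channel name seen in the sample, outbound (local bot joining) and
# inbound (server echoing it back). No nocase: the casing is matched
# exactly as observed.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg: "BLEEDING-EDGE Virus Rbot IRC OUTGOING activity - Trying to join IRC"; content:"##r00tGiuSe##"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity; sid:2001630; rev:2;)
alert tcp $EXTERNAL_NET 6667 -> any any (msg: "BLEEDING-EDGE Virus Rbot IRC INCOMING activity - Trying to join IRC"; content:"##r00tGiuSe##"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity; sid:2001631; rev:2;)
# Dynamic-DNS host family the C2 used. Case-exact match as well; a different
# capitalisation of the same host would be missed.
alert tcp $EXTERNAL_NET 6667 -> any any (msg: "BLEEDING-EDGE Virus Rbot IRC activity - ReDirectMe hosts"; content:"ReDiReCtMe.NeT"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity; sid:2001632; rev:1;)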

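#From Dshield
# Santy.A defacement text served BY a local web server ($HOME_NET
# $HTTP_PORTS as source, flow from_server). A hit means the local phpBB
# host has already been compromised; this does not see the exploit itself.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Virus Possible santy.A Worm Defaced Page"; content:"This site is defaced!!!"; nocase; content:"NeverEverNoSanity WebWorm generation X"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; flow:from_server,established; classtype:trojan-activity; sid:2001607; rev:3;)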

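#Submitted by Lin Zhong
# Sasser.a/.b: 32-byte slices of the worm binary, inbound on any port.
# (The stray ")" in the msg text is upstream's; left so the alert text
# matches other deployments of these sids.)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE W32/Sasser.worm.a [NAI])"; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype:misc-activity; flow:established; sid:2001057; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE W32/Sasser.worm.b [NAI])"; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype:misc-activity; flow:established; sid:2001056; rev:2;)
# Sasser's propagation channel: an FTP server on 5554 serving "up.exe",
# and the shell on 9996 where "_up.exe" (5F 75 70 2E 65 78 65) is sent
# within the first 250 bytes. Source/destination are "any", so these also
# see infected hosts elsewhere talking to local victims.
alert tcp any any -> any 5554 ( msg: "BLEEDING-EDGE Sasser FTP Traffic"; content: "up.exe"; flow:to_server,established; classtype: misc-activity; sid: 2000040; rev: 2;)
alert tcp any any -> any 9996 ( msg: "BLEEDING-EDGE Sasser Transfer up.exe"; content: "|5F75702E657865|"; depth: 250; flow:established,to_server; classtype: misc-activity; sid: 2000047; rev: 2;)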

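# as posted by Joe Stewart
# Dabber exploiting the buffer overflow in Sasser's own FTP server: a
# "PORT " command at the start of the payload (depth:5) in a packet larger
# than 150 bytes, which no legitimate PORT command approaches.
alert tcp any any -> any 5554 (msg:"BLEEDING-EDGE Sasser FTP exploit attempt"; flow:to_server,established; content:"PORT "; depth:5; dsize:>150; classtype:attempted-admin; reference:url,www.lurhq.com/dabber.html; sid:2001548; rev:1;)
#Submitted by Chris Norton
# Small.AR check-in URL. This one is pinned to destination port 80 while the
# other outbound HTTP rules in this file use $HTTP_PORTS; if the downloader
# is ever seen on 8080 etc. widen it to $HTTP_PORTS and bump rev.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Win32/Small.AR outbound activity"; uricontent:"/zosman/cia/index.php"; classtype:trojan-activity; flow:to_server,established; sid:2001234; rev:4;)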

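#From the Netsquid Rules
# Stdbot.a/.b: 32-byte binary slices searched in the payload of ANY
# outbound IP protocol ("alert ip"), which is why there is no flow option -
# flow needs TCP state. Cost is a full-payload search on every outbound
# packet; acceptable on a small link, worth revisiting on a busy one.
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.a"; content:"|28 0E 49 8D B5 17 B9 6C 4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 BF 93|"; classtype:trojan-activity; sid:2001287; rev:5;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.b"; content:"|FE 26 B9 92 CB 12 FC FA FF 8E 01 3B D0 05 0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74 03 76|"; classtype:trojan-activity; sid:2001288; rev:5;)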

#Snort.org rule 721 scaled back a bit by Matt Jonkman to not hit on xls,
#vcf, ppt, rtf, dot, or pdf.
#If you use this rule disable 721 in the snort sets. This rule will hit
#on the following:
#
# ade, adp, asd, asf, asx, bat, bas, chm, cli, cmd, com, crt, cpl,
# cpp, diz, dll, ebs, emf, eml, exe, fol, folder, hlp, hsq, hta, ini, inf,
# ins,
# isp, js, jse, lnk, mda, mdb, mde, mdw, mdz, mht, mhtm, msi, msc,
# msg, msp, mst, nws, ocx, pcd, pif, pl, pls, plc,plx, pm, pot, rar,
# reg, scr, sct, shs, swf, sys, url, vb, vbe, vbs, vxd, wmd, wmf, wms,
# wmz, wpm, wps, wpz, wsc, wsf, wsh, xlt, xlw, zip
#
# NOTE: the replacement rule itself is not present in this sanitized copy -
# presumably it was stripped with the other pcre-based rules the covering
# note mentions, since TrafficServer cannot evaluate pcre. Until it is
# re-added, leave the stock sid 721 enabled if you want attachment-extension
# coverage at all. (Every line of this comment now starts with "#"; the
# archive's line wrapping had left some continuation lines uncommented,
# which the rule parser would reject.)
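#From the Netsquid rules
# Swen.A outbound. "|54|" is just the letter "T", so the content is
# "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA" = base64 of the stock MZ header
# (MZ 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 ... 40 00) that the
# Microsoft linker writes into essentially every EXE. Expect this to fire
# on ANY base64-encoded executable a local host mails out, not only Swen;
# useful as an "EXE leaving by mail" tripwire, not as a Swen identifier.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS SWEN.A Worm detected"; content:"|54|VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"; classtype:trojan-activity; flow:to_server,established; sid:2001268; rev:4;)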

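#Matt Jonkman
# VBSun.A tsunami-donation lure: all four strings must be present (subject
# text, body text, a "filename=" attachment header and "tsunami.exe"), so
# this is specific to the mail the worm sends and cheap to run.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus VBSun.A Tsunami Scam Worm INCOMING"; content:"Tsunami Donation! Please help!"; nocase; content:"Please help us with your donation and view the attachment below!"; nocase; content:"filename="; nocase; content:"tsunami.exe"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/articles/vbsuna.html; flow:established,to_server; sid:2001680; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus VBSun.A Tsunami Scam Worm OUTBOUND"; content:"Tsunami Donation! Please help!"; nocase; content:"Please help us with your donation and view the attachment below!"; nocase; content:"filename="; nocase; content:"tsunami.exe"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/articles/vbsuna.html; flow:established,to_server; sid:2001681; rev:2;)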

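#Submitted by Matt Jonkman
#Too many falses, needs improvement
# Kept disabled. Rejoined onto one commented line: in the archived copy only
# the first wrapped line carried "#", so the continuation lines would have
# been parsed as (broken) rule text.
#alert tcp $HOME_NET 1024:65535 -> any 1034 (msg:"BLEEDING-EDGE Worm Zincite Probing port 1034"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html; flags:S,12; classtype:trojan-activity; sid:2001011; threshold: type threshold, track by_src, count 30,seconds 60; rev:6;)
#
#From Lurhq
# MyDoom.M/O harvesting addresses via Google: the exact query-string
# parameter order the worm uses (hl, ie, oe, q=mailto+...), which a browser
# search does not produce, plus a Host header for www.google.com (matched
# case-exactly). Only local clients (to_server) are inspected.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Mailto domain search possible MyDoom.M,O"; uricontent:"/search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+"; depth:45; content:"Host\: www.google.com"; reference:url,www.lurhq.com/zindos.html; classtype:trojan-activity; flow:to_server,established; sid:2001012; rev:3;)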

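# Overnet (eDonkey-family) server announce: "|006c6f63|" is "\0loc" and
# "|006263703a2f2f|" is "\0bcp://", at fixed offsets in the UDP payload.
# "any any -> any any" means every UDP packet is inspected; the offset:36
# anchor keeps the cost low.
alert udp any any -> any any (msg:"BLEEDING-EDGE P2P Overnet Server Announce"; content:"|00000203006c6f63|"; offset:36; content:"|006263703a2f2f|"; distance:1; classtype:policy-violation; rev:2; sid:2000335;)
# Kazaa Media Desktop (p2pnetworking.exe) inbound: a 3-byte marker within
# the first 6 bytes of any inbound UDP datagram is a weak signature, which is
# why it is rate-limited to one alert per destination per 10 minutes. Use it
# to find hosts to look at, not as proof on its own. ("Kaaza" in msg is
# upstream's spelling; left so the sid/rev stay comparable.)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE P2P Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; offset:0; depth:6; classtype:policy-violation; threshold: type limit, track by_dst, count 1 , seconds 600; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; sid:2000340; rev:3;)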