proxy-malware.rules 21.57 KB
Champ Clark III committed on 2020-05-19 11:48 . Date bump! New proofpoint rules!
# Sagan proxy-malware.rules
# Copyright (c) 2009-2020. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# These rules can be used to detect malware connections in the logs of generic proxy devices, for example Squid,
# Apache, Fortigate firewalls, Bluecoat proxies, etc. They are generic rules meant to look for indications of
# malware within a network based on "access" type logs.
#*************************************************************
#alert any $HOME_NET any -> $EXTERNAL_NET $HTTP_PORT (msg: "[PROXY-MALWARE] Pony Trojan"; content: "ponyb/gate.php"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5001739; sid: 5001739; rev:1;)
# Rules created by Robert Nunley (rnunley@quadrantsec.com) - 01/08/2013
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 1"; content: "/Gallery/IMAG0081.GIF"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001882; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 2"; content: "/btn001/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001883; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 3"; content: "/bugzy/i.cfg"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001884; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 4"; content: "/cfg2"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001885; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 5"; content: "/cfg3.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001886; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 6"; content: "/cnf/trl.jpg"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001887; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 7"; content: "/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001888; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 8"; content: "/dzen/misc.inc.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001889; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 9"; content: "/film/video.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001890; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 10"; content: "/ftr/vosmoipoint.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001891; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 11"; content: "/ftr/vosmoipont.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001892; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 12"; content: "/gkt/gld44.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001893; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 13"; content: "/good/tlz/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001894; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 14"; content: "/gus/pool.doc"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001895; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 15"; content: "/ii1IGh.aeL8uf"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001896; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 16"; content: "/im/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001897; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 17"; content: "/img/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001898; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 18"; content: "/index_files/4jpg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001899; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 19"; content: "/inmake/lds/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001900; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 20"; content: "/kartos/kartos.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001901; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 21"; content: "/ldr/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001902; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 22"; content: "/n2.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001903; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 23"; content: "/norma/cf5.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001904; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 24"; content: "/ribbn.tar"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001905; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 25"; content: "/s2/non.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001906; rev:3;)
# Triggers too much on valid sites - 04/12/2014 - Champ Clark III
##alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 26"; content: "/sell.jpg"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001907; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 27"; content: "/test/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001908; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 28"; content: "/ukk/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001909; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 29"; content: "/web/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001910; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 30"; content: "/z/config1.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001911; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 31"; content: "/z_bot/what.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001912; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 32"; content: "/zend/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001913; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 33"; content: "/zeus/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001914; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 34"; content: "/zs/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001915; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 35"; content: "/~am/szkolapanel/zs/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001916; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 36"; content: "/~update/serv/updtsys.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001917; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 1"; content: "/4vnrye74mugh.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001918; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 2"; content: "/4vnrye74vmugh.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001919; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 3"; content: "/DZ3LOrAFpl.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001920; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 4"; content: "/back11/stat1.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001921; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 5"; content: "/btn001/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001922; rev:3;)
# Triggers too much on valid sites - 04/12/2014 - Champ Clark III
##alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 6"; content: "/buy.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001923; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 7"; content: "/dd7ejr8ehd8jrf.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001924; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 8"; content: "/dzen/as9965767.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001925; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 9"; content: "/free/wthong.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001926; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 10"; content: "/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001927; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 11"; content: "/good/socialnetworks/all4love/peage.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001928; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 12"; content: "/iXeij7Ai.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001929; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 13"; content: "/im/s.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001930; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 14"; content: "/img/s.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001931; rev:3;)
# Triggers too much on valid sites - 04/12/2014 - Champ Clark III
##alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 15"; content: "/index1.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001932; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 16"; content: "/inmake/page/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001933; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 17"; content: "/kartos/youyou.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001934; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 18"; content: "/test/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001935; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 19"; content: "/trl/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001936; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 20"; content: "/vvn/ci_g.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001937; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 21"; content: "/web/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001938; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 22"; content: "/z/s.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001939; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 23"; content: "/z_bot/bot_adented.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001940; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 24"; content: "/zend/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001941; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 25"; content: "/zs/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001942; rev:3;)
# Triggers on tor2web services - 06/09/2014 - Champ Clark III
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Tor2www Request"; content: ".tor2www."; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.tor2www.com; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5002061; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Tor2web Request"; content: ".tor2web."; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.tor2web.org; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5002062; rev:3;)
# https://isc.sans.edu/forums/diary/PCRE+for+malware+audits/18949
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Fiesta malware request"; pcre: "/(http:\/\/[^\x2f]+\/[a-z0-9]{6,}_[0-9]+_[a-f0-9]{32}\.html|\/[a-f0-9]{60,66}(?:\x3b\d+){1,4}|\/\??[a-f0-9]{60,}\x3b1\d{5}\x3b\d{1,3}|\/[0-9a-z]{32}.php\?[a-z]{1,3}=[0-9a-z]{32})/"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,wiki.quadrantsec.com/bin/view/Main/5002214; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5002214; rev:3;)
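The rules above are only meaningful once you see how the engine applies them to an access log: a `content` option is a plain substring test, a `pcre` option is a regular expression, and `parse_src_ip`/`parse_dst_ip` pick the Nth IP address found in the log line as the source and destination. The following is an added example, not Sagan's own code: a small reader for the rule syntax used in this file and a matcher that runs three rules from the page (one active, two disabled) over constructed Squid access-log lines. It assumes only the options these rules use (`msg`, `content`, `pcre`, `parse_src_ip`, `parse_dst_ip`, `sid`), translates PCRE to Python's `re` (adequate for these patterns), and adds an `include_disabled` switch of its own for testing commented-out rules; Sagan itself has no such switch.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed subset of proxy-malware.rules.  As in the original file, a
# leading "#" marks a rule that ships disabled; the reader records that
# rather than silently loading it as active.
RULES_TEXT = r'''
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 10"; content: "/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001927; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Tor2web Request"; content: ".tor2web."; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.tor2web.org; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5002062; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Fiesta malware request"; pcre: "/(http:\/\/[^\x2f]+\/[a-z0-9]{6,}_[0-9]+_[a-f0-9]{32}\.html|\/[a-f0-9]{60,66}(?:\x3b\d+){1,4}|\/\??[a-f0-9]{60,}\x3b1\d{5}\x3b\d{1,3}|\/[0-9a-z]{32}.php\?[a-z]{1,3}=[0-9a-z]{32})/"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,wiki.quadrantsec.com/bin/view/Main/5002214; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5002214; rev:3;)
'''

# Constructed Squid native-format access-log lines (not real traffic).
# Client IP comes first, the origin server IP (HIER_DIRECT/...) second.
SAMPLE_LOG = [
    "1589900001.001    120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.org/index.html - HIER_DIRECT/203.0.113.10 text/html",
    "1589900002.002     88 10.0.0.7 TCP_MISS/200 2048 GET http://abcdefghijklmnop.tor2web.org/ - HIER_DIRECT/203.0.113.20 text/html",
    "1589900003.003     91 10.0.0.9 TCP_MISS/200 640 POST http://www.example.org/gate.php - HIER_DIRECT/203.0.113.30 text/plain",
    "1589900004.004     73 10.0.0.11 TCP_MISS/200 9000 GET http://www.example.net/0123456789abcdef0123456789abcdef.php?ab=0123456789abcdef0123456789abcdef - HIER_DIRECT/203.0.113.40 application/octet-stream",
]

# Rule header: optional "#" prefixes, action, proto, src, sport, ->, dst, dport, then "(options)".
HEADER = re.compile(r"^(#*)\s*alert\s+\S+\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((.*)\)\s*$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Rule:
    sid: int
    msg: str
    enabled: bool                 # False when the line was commented out in the file
    content: Optional[str]        # substring that must appear in the log line
    pcre: Optional[re.Pattern]    # regex that must match the log line
    src_idx: int                  # parse_src_ip: 1-based index of the source IP in the line
    dst_idx: int                  # parse_dst_ip: 1-based index of the destination IP


@dataclass
class Alert:
    sid: int
    msg: str
    src_ip: Optional[str]
    dst_ip: Optional[str]


def split_options(body: str) -> dict:
    """Split 'key: value; key: value;' on semicolons that sit outside double quotes."""
    opts, buf, in_quote = {}, [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            key, _, val = "".join(buf).partition(":")   # first ":" separates key from value
            opts[key.strip()] = val.strip().strip('"')
            buf = []
        else:
            buf.append(ch)
    return opts


def compile_pcre(value: str) -> re.Pattern:
    """Turn a '/pattern/flags' value into a compiled Python regex (only the 'i' flag is honoured)."""
    last = value.rfind("/")
    pattern, flags = value[1:last], value[last + 1:]
    return re.compile(pattern, re.IGNORECASE if "i" in flags else 0)


def load_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:                      # blank line or a plain comment, not a rule
            continue
        opts = split_options(m.group(2))
        rules.append(Rule(
            sid=int(opts["sid"]), msg=opts.get("msg", ""), enabled=(m.group(1) == ""),
            content=opts.get("content"),
            pcre=compile_pcre(opts["pcre"]) if "pcre" in opts else None,
            src_idx=int(opts.get("parse_src_ip", 0)), dst_idx=int(opts.get("parse_dst_ip", 0)),
        ))
    return rules


def nth_ip(ips: list, idx: int) -> Optional[str]:
    return ips[idx - 1] if 0 < idx <= len(ips) else None


def scan(log_lines: list, rules: list, include_disabled: bool = False) -> list:
    """Return one Alert per (line, rule) pair in which every condition of the rule holds."""
    alerts = []
    for line in log_lines:
        ips = IPV4.findall(line)       # all IPv4 literals, in order of appearance
        for rule in rules:
            if not (rule.enabled or include_disabled):
                continue
            if rule.content is not None and rule.content not in line:
                continue
            if rule.pcre is not None and not rule.pcre.search(line):
                continue
            alerts.append(Alert(rule.sid, rule.msg, nth_ip(ips, rule.src_idx), nth_ip(ips, rule.dst_idx)))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, load_rules(RULES_TEXT), include_disabled=True):
        print(f"sid {a.sid}: {a.msg}  {a.src_ip} -> {a.dst_ip}")
```

With the file as shipped, only the Tor2web rule fires (the second sample line); the `/gate.php` and Fiesta rules match the third and fourth lines only when the disabled rules are forced on, which is a quick way to gauge the false-positive rate of a commented-out rule against your own proxy logs before re-enabling it. Note also that `parse_dst_ip: 2` depends on the log format putting the origin IP second: in Squid's native format that holds for `HIER_DIRECT`, but a URL that embeds an IP literal would be picked up first.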