Generated by : ../snort_rule_urlchecker version Thu Dec 1 22:06:24 PST 2005

Which may be found at http://www.grotto-group.com/~gulfie/projects... maybe

./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules Fri Dec 2 00:47:16 2005
Filename : line Rules
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 1 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 2 # $Id: bleeding-malware.rules,v 1.779 2005/11/30 00:14:20 bhartstein Exp $
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 3 # Bleeding Snort Malware rules.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 4 # These are rules not stable, mature, or applicable enough to be part of the snort.org official sets.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 5 # Someday some may be, at which time they'll be removed from this list and be available via Snort.org
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 6 # This is for the bleeding edge junkies. Use at your own risk!!!
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 7 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 8 # SID's are 2000000+ to avoid conflicts
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 9 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 10 # Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 11 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 12 # More information available at www.bleedingsnort.com
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 13 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 14 # Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 15 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 16 #*************************************************************
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 17 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 18 # Copyright (c) 2005, Bleedingsnort.com
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 19 # All rights reserved.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 20 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 21 # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 22 # following conditions are met:
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 23 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 24 # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 25 # disclaimer.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 26 # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 27 # following disclaimer in the documentation and/or other materials provided with the distribution.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 28 # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 29 # from this software without specific prior written permission.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 30 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 31 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 32 # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 33 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 34 # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 35 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 36 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 37 # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 38 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 39 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 40 #Submitted by Jason Haar
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 41 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:"ping.180solutions.com"; within: 40; reference: url,www.safer-networking.org/index.php?page=threats&detail=212; classtype: trojan-activity; sid: 2000930; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 42 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware (tracked event reported)"; flow: to_server,established; uricontent:"/TrackedEvent.aspx?"; nocase; uricontent:"eid="; nocase; reference: url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2001397; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 43 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware (action url reported)"; flow: to_server,established; uricontent:"/actionurls/ActionUrl"; nocase; reference: url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2001399; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 44 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Reporting"; flow: to_server,established; uricontent:"/showme.aspx?keyword="; nocase; reference: url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2001400; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 45
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 46 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 47 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Keywords Download"; flow: to_server,established; uricontent:"keywords/kyf"; nocase; content:"partner_id="; nocase; reference: url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002001; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 48 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Install"; flow: to_server,established; uricontent:"/downloads/installers/"; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference: url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002003; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 49 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Defs Download"; flow: to_server,established; uricontent:"/geodefs/gdf"; nocase; reference: url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002048; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 50 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware config Download"; flow: to_server,established; uricontent:"/config.aspx?did="; nocase; reference: url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002099; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 51
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 52 #By M Shirk from Listening Post data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 53 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware versionconfig POST"; flow:to_server,established; uricontent:"/versionconfig.aspx?"; uricontent:"&ver="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002354; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 54
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 55 #Submitted by Joel Esler
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 56 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spyware 2020"; flow: to_server,established; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html; sid: 2000327; rev:7; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 57 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 58 #Submitted by Jason Haar
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 59 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 2020search Update Engine"; flow: to_server,established; content:"POST"; depth: 4; content:"srng/reg.php HTTP"; within: 50; content:"|0d0a|Host|3a|"; content:"2020search.com"; within: 40; content:"IpAddr="; nocase; within: 100; reference: url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; classtype: trojan-activity; sid: 2000934; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 60
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 61 #Submitted by Chris Norton
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 62 alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE MALWARE 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; sid: 2001447; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 63
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 64 #Submitted by cooljay
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 65 alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg: "BLEEDING-EDGE MALWARE Abox Download"; flow: established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset: 160; depth: 26; tag: host,1,packets,src; flowbits: set,tagged; classtype: trojan-activity; sid: 2001440; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 66 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Abox Install Report"; flow: to_server,established; uricontent:"&time="; nocase; uricontent:"/new_install?id="; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; sid: 2001441; rev:9; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 67
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 68 #By Mark Tombaugh
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 69 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ABX Toolbar ActiveX Install"; flow: to_server,established; uricontent:"/abx_search_webinstall/abx_search.cab"; nocase; reference: url,isc.sans.org/diary.php?date=2005-03-04; classtype: trojan-activity; sid: 2001761; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 70
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 71 #by Matt Jonkman from Listening Post Data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 72 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; uricontent:"/promo/affiframe.jsp?Pid="; nocase; classtype:trojan-activity; sid:2002353; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 73
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 74 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 75 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Agent"; flow: to_server,established; uricontent:"/pops=1/site="; nocase; uricontent:"/bnum="; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2001226; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 76 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Data Post (villains)"; flow: to_server,established; uricontent:"/Games/villains.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2001228; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 77 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Data Post (cakedeal)"; flow: to_server,established; uricontent:"/Games/cakedeal.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2001230; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 78 #From Listening Post data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 79 #Hits on normal ads, not reporting data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 80 #alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Reporting Data"; flow: to_server,established; pcre:"/\/site=\d+\/mnum=\d+\/bins=\d+\/rich=\d+\/logs=\d+\/betr=/Ui"; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2002304; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 81
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 82 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 83 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; uricontent:"/cgi-bin/PopupV2?ID={"; nocase; reference: url,www.a-d-w-a-r-e.com; classtype: trojan-activity; sid: 2001730; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 84 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; uricontent:"/app/VT00/ucmd.php?V="; nocase; reference: url,www.a-d-w-a-r-e.com; classtype: trojan-activity; sid: 2001735; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 85
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 86 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 87 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Adwave Agent Access"; flow: to_server,established; uricontent:"/search_404.aspx?aff="; nocase; classtype: policy-violation; reference:url,www.intermute.com/spyware/HuntBar.html; sid: 2001318; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 88
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 89 #Submitted by Chris Norton
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 90 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Wintools Download/Configure"; flow: to_server,established; uricontent:"/WTools"; nocase; uricontent:".cab"; nocase; classtype: trojan-activity; reference:url,www.intermute.com/spyware/HuntBar.html; sid: 2001450; rev:9; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 91
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 92 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 93 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ak-networks.com Access, Likely Spyware"; flow: to_server,established; content:"Host\: app.desktop.ak-networks.com"; nocase; classtype: trojan-activity; sid: 2001528; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 94 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".ak-networks.com"; nocase; within: 30; classtype: trojan-activity; sid: 2001529; rev:7; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 95 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ak-networks.com Spyware Code Download"; flow: to_server,established; uricontent:"/SyncAkSoft.da_"; nocase; classtype: trojan-activity; sid: 2001530; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 96 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ak-networks.com Spyware Code Install"; flow: to_server,established; uricontent:"/akcore.dl_"; nocase; classtype: trojan-activity; sid: 2001737; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 97
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 98 #by Matt Jonkman from listening post data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 99 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Alexa Spyware Reporting URL"; flow:established,to_server; uricontent:"/image_server.cgi?size=small&url=http\://"; nocase; classtype:trojan-activity; sid:2002349; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 100
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 101 #Modified and added to by Matt Jonkman (Original author missing)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 102 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Start"; flow: to_server,established; uricontent:"/pm/start.asp"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; sid: 2000906; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 103 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Data Submission"; flow: to_server,established; uricontent:"/backoffice.net/stats/Add.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; sid: 2000598; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 104 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Settings Download"; flow: to_server,established; uricontent:"/pointsmanager/settings.cab?"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; sid: 2000907; rev:7; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 105
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 106 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 107 # As yet unidentified agent, but here's how it came in
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 108 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Amex.Ipsrime.com Unknown Malware Download"; flow: to_server,established; uricontent:"/bpc/"; content:".zip"; reference: url,amex.isprime.com; reference: url,www.isprime.com; classtype: trojan-activity; sid: 2000904; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 108 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Amex.Ipsrime.com Unknown Malware Download"; flow: to_server,established; uricontent:"/bpc/"; content:".zip"; reference: url,amex.isprime.com; reference: url,www.isprime.com; classtype: trojan-activity; sid: 2000904; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 109
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 110 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 111 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Avres Agent Receiving Instructions"; flow: to_server,established; uricontent:"/ie/updatenew/"; content:"CONFIG"; nocase; reference: url,www.avres.net; reference: url,ar.avres.net/ie/updatenew/; classtype: trojan-activity; sid: 2000903; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 111 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Avres Agent Receiving Instructions"; flow: to_server,established; uricontent:"/ie/updatenew/"; content:"CONFIG"; nocase; reference: url,www.avres.net; reference: url,ar.avres.net/ie/updatenew/; classtype: trojan-activity; sid: 2000903; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 112
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 113 #Submitted by Jonathan Miner
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 114 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bargain Buddy"; flow: to_server,established; uricontent:"/download/bargin_buddy"; nocase; reference: url,www.doxdesk.com/parasite/BargainBuddy.html; classtype: trojan-activity; sid: 2000574; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 115
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 116 #By John Stewart
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 117 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; reference: url,sarc.com/avcenter/venc/data/adware.begin2search.html; classtype: policy-violation; sid: 2001885; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 118
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 119 #Submitted by Jonathan Miner
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 120 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet (download complete)"; flow: to_server,established; uricontent:"/download/cabs/"; nocase; uricontent:"download_complete.htm"; nocase; reference: url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000366; rev:9; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 121 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet (set_pix)"; flow: to_server,established; uricontent:"/download/cabs/set_pix.php"; nocase; content:"abetterinternet.com"; nocase; reference: url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000367; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 122 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet (randreco.exe)"; flow: to_server,established; uricontent:"/download/cabs/RANDRECO/randreco.exe"; nocase; content:"abetterinternet.com"; nocase; reference: url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000371; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 123 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet Ad Retrieval"; flow: to_server,established; uricontent:"/bba/flashimages/"; nocase; reference: url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000593; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 124
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 125 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 126 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Twaintec Download Attempt"; flow: to_server,established; uricontent:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; reference: url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; sid: 2001198; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 127 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Twaintec Ad Retrieval"; flow: to_server,established; uricontent:"/twain/servlet/Twain?adcontext="; nocase; reference: url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; sid: 2001199; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 128 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Twaintec Reporting Data"; flow: to_server,established; uricontent:"/downloads/record_download.asp"; nocase; reference: url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; sid: 2001216; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 129 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BInet Information Upload"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPre"; nocase; reference: url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2001339; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 130 #Data from Allison Macfarland
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 131 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BInet Information Install Report"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPost"; nocase; reference: url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2001576; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 132
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 133 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 134 # Disabling this rule, it needs work. It's hitting on legit ad referrals
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 135 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bfast.com Spyware"; flow: to_server,established; uricontent:"/bfast/serve?bfmid"; nocase; classtype: policy-violation; sid: 2001398; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 136
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 137 #Matt Jonkman from Spyware listening post data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 138 #disabling for now, seems only to be hitting on ad pulls, not a spyware infection
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 139 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Bidclix.com Spyware"; flow:to_server,established; pcre:"/\/code\/\d+\/\?cb=\d+/Ui"; classtype: trojan-activity; sid:2002198; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 140
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 141 #Submitted by Allison MacFarlan
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 142 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bonziportal Traffic"; flow: to_server,established; uricontent:"/bonziportal/bin/"; reference: url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; classtype: trojan-activity; sid: 2001345; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 143
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 144 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 145 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Browseraid.com Agent Reporting Data"; flow: to_server,established; uricontent:"/perl/ads.pl"; nocase; reference: url,www.browseraid.com; classtype: trojan-activity; sid: 2001266; rev:9; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 146 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Browseraid.com Agent Updating"; flow: to_server,established; uricontent:"/perl/uptodate.pl"; nocase; content:"uptodate.browseraid.com"; nocase; reference: url,www.browseraid.com; classtype: trojan-activity; sid: 2001304; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 147
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 148 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 149 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?adcontext="; nocase; reference: url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; sid: 2001999; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 149 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?adcontext="; nocase; reference: url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; sid: 2001999; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 150
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 151 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 152 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host\: www.bullseye-network.com"; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; sid: 2001501; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 153
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 154 #Submitted by Chris Norton
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 155 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bundleware Spyware Download"; flow: to_server,established; uricontent:"/app/InternetFuel/AppWrap.exe"; nocase; classtype: policy-violation; sid: 2001451; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 156 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer\: ms-its\:mhtml\:file\://C\:counter.mht!http\://"; nocase; content:"/counter/HELP3.CHM\:\:/help.htm"; nocase; classtype: trojan-activity; sid: 2001452; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 157 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bundleware Spyware cab Download"; flow: to_server,established; uricontent:"/counter/counter_v3.cab"; nocase; classtype: trojan-activity; sid: 2001458; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 158
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 159 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 160 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE C4tdownload.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".c4tdownload.com"; within:10; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; sid: 2001531; rev:9;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 161 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE C4tdownload.com Spyware Activity"; flow: to_server,established; uricontent:"/js.php?event_type=onload&recurrence="; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; sid: 2002088; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 162
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 163 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 164 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spywaremover Activity"; flow: to_server,established; uricontent:"/download/cabs/THNALL1L/thnall1l.exe"; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; sid: 2001521; rev:8; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 165
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 166 #By Matt Jonkman from Spyware listening post data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 167 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited1"; flow: to_server,established; pcre:"/\/s\?s=[d+]&u=http/Ui"; classtype: trojan-activity; sid:2002195; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 168 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited2"; flow: to_server,established; pcre:"/\/sd\?s=[d+]&f=\d/Ui"; classtype: trojan-activity; sid:2002196; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 169
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 170 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 171 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Install"; flow: to_server,established; uricontent:"/newdownload/newsetup/"; nocase; content:"casinone"; nocase; reference: url,www.888casino.net; classtype: trojan-activity; sid: 2001041; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 172 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Reporting Data"; flow: to_server,established; uricontent:"/logs.asp?MSGID=100"; nocase; reference: url,www.888casino.net; classtype: trojan-activity; sid: 2001031; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 173 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Ping Hit"; flow: to_server,established; uricontent:"/Ping/Ping.txt"; nocase; reference: url,www.888casino.net; classtype: trojan-activity; sid: 2001032; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 174 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Data Download"; flow: to_server,established; uricontent:"/sdl/casinov"; nocase; reference: url,www.888casino.net; classtype: trojan-activity; sid: 2001033; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 175
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 176 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 177 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Clickspring.net Spyware Reporting Successful Install"; flow: to_server,established; uricontent:"/notify.php?pid=remupd&module=install&v="; nocase; content:"&result=1&message=Success"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; sid: 2001494; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 178 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Clickspring.net Spyware Reporting"; flow: to_server,established; uricontent:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; sid: 2001500; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 179
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 180 #Submitted by Jason Haar, modified
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 181 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Traffic"; flow: to_server,established; uricontent:"/cc/"; content:"Host\: update.cc.cometsystems.com"; classtype: policy-violation; sid: 2000931; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 182
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 183 #Submitted by Jonathan Miner
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 184 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware CometSystems Spyware"; flow: to_server,established; uricontent:"/comet/request"; nocase; classtype: policy-violation; sid: 2001050; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 185
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 186 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 187 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; sid: 2001655; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 188 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host\: log.cc.cometsystems.com"; nocase; classtype: policy-violation; sid: 2001658; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 189 #from Listening Post data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 190 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Update Download"; flow: to_server,established; uricontent:"/cc/5/masterconfig/"; nocase; uricontent:"/update.xml?v="; nocase; classtype: policy-violation; sid: 2002351; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 191 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Context Report"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml?v="; nocase; classtype: policy-violation; sid: 2002352; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 192
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 193 #Submitted by Chris Norton
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 194 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ContextPanel Reporting"; flow: to_server,established; uricontent:"/cplog/?logtype="; nocase; content:"contextpanel.com"; nocase; classtype: policy-violation; sid: 2001456; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 195
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 196 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 197 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Context Plus Spyware Install"; flow: established,to_server; uricontent:"/AproposClientInstaller.exe"; nocase; classtype: trojan-activity; sid: 2001704; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 198
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 199 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 200 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; classtype: trojan-activity; sid: 2001479; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 201
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 202 #Submitted by Chris Norton
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 203 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Couponage Download"; flow: to_server,established; uricontent:".dl_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; sid: 2001453; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 204 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Couponage Configure"; flow: to_server,established; content:".da_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; sid: 2001454; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 205 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Couponage Reporting"; flow: to_server,established; content:"/?keyword="; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; sid: 2001455; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 206
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 207 #From Vernon Stark
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 208 #alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Windows executable sent when remote host claims to send an image"; flow: established; content:"Content-Type\: image"; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode"; classtype: trojan-activity; sid: 2001683; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 209 alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Windows executable sent when remote host claims to send image, Win32"; flow: established; content:"Content-Type\: image"; content:"MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; classtype: trojan-activity; sid: 2001684; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 210 alert tcp any !20 -> $HOME_NET !25 (msg: "BLEEDING-EDGE Malware Possible Windows executable sent when remote host claims to send an image"; flow: established; content:"Content-Type\: image"; content:"MZ"; within: 12; classtype: trojan-activity; sid: 2001685; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 211
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 212 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 213 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware CrazyWinnings.com Activity"; flow: established,to_server; uricontent:"/scripts/protect.php?promo=promo"; nocase; classtype: trojan-activity; sid: 2001733; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 214
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 215 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 216 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; uricontent:"/x/in.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; sid:2002089; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 217 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; uricontent:"/x/tbd_web.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; sid:2002095; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 218
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 219 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 220 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Default-homepage-network.com Access"; flow: to_server,established; content:"wsh.RegWrite"; nocase; content:"default-homepage-network.com/start.cgi?"; nocase; reference: url,default-homepage-network.com/start.cgi?new-hkcu; classtype: trojan-activity; sid: 2001222; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 221
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 222 #submitted by John Stewart
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 223 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE DesktopTraffic Toolbar Spyware"; flow: to_server,established; uricontent:"cgi-bin/ezl_kws.fcgi?cat"; nocase; reference: url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; classtype:trojan-activity; sid: 2001884; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 224
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 225 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 226 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Ebates Install"; flow: to_server,established; uricontent:"/ebates.exe"; reference: url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; classtype: policy-violation; sid: 2001038; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 227
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 228 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 229 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; uricontent:"/files/eSyndicateInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; sid: 2002009; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 230 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ESyndicate Spyware Install (sepinst.exe)"; flow: to_server,established; uricontent:"/files/SEPInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; sid: 2002010; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 231
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 232 #Submitted by Jason Haar
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 233 #alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware EUniverse-thunderdownloads Update Engine"; flow: to_server,established; content:"POST"; depth: 4; content:"mgmt.svr HTTP"; within: 50; content:"|0d0a|Host|3a|update.thunderdownloads.com"; nocase; within: 300; reference: url,www.pestpatrol.com/pestinfo/e/euniverse.asp; classtype: policy-violation; sid: 2000935; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 234
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 235 #By Matt Jonkman, From spyware listening post data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 236 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE EZSearch Spyware Reporting Search Strings"; flow:established,to_server; uricontent:"/partner/rt.php?q="; nocase; classtype:trojan-activity; sid:2002317; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 237 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE EZSearch Spyware Reporting Search Category"; flow:established,to_server; uricontent:"/partner/rt.php?cat="; nocase; classtype:trojan-activity; sid:2002318; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 238 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE EZSearch Spyware Reporting 2"; flow:established,to_server; uricontent:"/partner/bom.php?e="; nocase; classtype:trojan-activity; sid:2002319; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 239
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 240 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 241 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware F1Organizer Install Attempt"; flow: to_server,established; uricontent:"/f1/objects/"; nocase; classtype: trojan-activity; sid: 2000585; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 242 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware F1Organizer Reporting"; flow: to_server,established; uricontent:"/f1/audit/"; nocase; classtype: trojan-activity; sid: 2000582; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 243 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware F1Organizer Config Download"; flow: to_server,established; uricontent:"/F1/Cmd4F1"; nocase; classtype: trojan-activity; sid: 2001221; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 244
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 245 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 246 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Featured-Results.com Agent Reporting Data"; flow: to_server,established; uricontent:"action=any"; nocase; uricontent:"country="; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; reference: url,www.featured-results.com; classtype: trojan-activity; sid: 2001293; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 247
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 248 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 249 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware FlashPoint Agent Retrieving New Code"; flow: to_server,established; uricontent:"/ftxmon.php?"; reference: url,www.flashpoint.bm; classtype: trojan-activity; sid: 2000905; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 250 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware FlashTrack Agent Retrieving New App Code"; flow: to_server,established; uricontent:"/apps/r.exe"; reference: url,www.flashpoint.bm; classtype: trojan-activity; sid: 2000936; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 251
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 252 #matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 253 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Flingstone Spyware Install (cxtpls)"; flow: established,to_server; uricontent:"/softwares/cxtpls_loader_ff.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; sid: 2001710; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 254 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; uricontent:"/softwares/SportsInteraction.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; sid: 2001705; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 255
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 256 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 257 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Install"; flow: to_server,established; uricontent:"/install_ie.jsp?product="; reference: url,www.funwebproducts.com; classtype: policy-violation; sid: 2000599; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 258 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products SmileyCentral"; flow: to_server,established; uricontent:"/images/smileycentral/"; nocase; content:"FunWebProducts"; nocase; reference: url,www.funwebproducts.com; classtype: policy-violation; sid: 2001013; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 259 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Agent Traffic"; flow: to_server,established; content:"FunWebProducts\;"; nocase; threshold: type limit, track by_src, count 2, seconds 360; reference: url,www.funwebproducts.com; classtype: policy-violation; sid: 2001034; rev:13; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 260 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products MyWay Agent Traffic"; flow: to_server,established; content:"FunWebProducts-MyWay\;"; nocase; threshold: type limit, track by_src, count 10, seconds 60; reference: url,www.funwebproducts.com; classtype: policy-violation; sid: 2001043; rev:7; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 261 #From Listening Post data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 262 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference: url,www.funwebproducts.com; classtype: policy-violation; sid: 2002305; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 263 #alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference: url,www.funwebproducts.com; classtype:policy-violation; sid:2002310; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 264 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Cursorchooser Spyware"; flow: to_server,established; uricontent:"/CursorChooser.html?"; nocase; reference: url,www.funwebproducts.com; classtype: policy-violation; sid: 2002306; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 265 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Stampchooser Spyware"; flow: to_server,established; uricontent:"/StampChooser.html?"; nocase; uricontent: "v="; nocase; reference: url,www.funwebproducts.com; classtype: policy-violation; sid: 2002307; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 266
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 267 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 268 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000025; rev:7; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 269 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator Checkin"; flow: to_server,established; uricontent:"/gbsf/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000595; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 270 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator New Code Download"; flow: to_server,established; uricontent:"/gatorcme/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000597; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 271
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 272 #Matt Jonkman Rule (depth added by bobkberg)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 273 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator/Claria Data Submission"; flow: to_server,established; content:"gs_trickler"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/gs_trickler/i"; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000596; rev:9; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 274
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 275 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator/Clarian Agent"; flow: to_server,established; uricontent:"/gbsf/gd/ne/new.net.gtrg2ze"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2001306; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 276
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 277 #These are for common names of malcode files as seen in common places.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 278 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 279 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; classtype: trojan-activity; sid: 2001850; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 280 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; classtype: trojan-activity; sid: 2002093; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 281
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 282 #Submitted by Joseph Gama
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 283 alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference: url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; classtype: misc-attack; sid: 2000514; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 284 alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell\:windows"; nocase; reference: url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; sid: 2000519; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 285 alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell\:winnt"; nocase; reference: url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; sid: 2000520; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 286
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 287 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 288 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer"; flow: to_server,established; content:"Host\: www.globalphon.com"; classtype: trojan-activity; sid: 2001656; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 289 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer Download"; flow: to_server,established; uricontent:"/dialer/internazionale_ver"; nocase; uricontent:".CAB"; nocase; classtype: trojan-activity; sid: 2001657; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 290 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; uricontent:"/no_pop.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; sid: 2001659; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 291 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; uricontent:"/add_ocx.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; sid: 2001660; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 292
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 293 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 294 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GrandstreetInteractive.com Install"; flow: to_server,established; uricontent:"/tdtb.exe"; nocase; classtype: trojan-activity; sid: 2002012; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 295 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GrandstreetInteractive.com Update"; flow: to_server,established; uricontent:"/wupdsnff.exe"; nocase; classtype: trojan-activity; sid: 2002013; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 296
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 297 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 298 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Install (1)"; flow: to_server,established; uricontent:"/install/startInstallprocess.asp?"; nocase; uricontent: "Defau"; reference: url,www.hotbar.com; classtype: trojan-activity; sid: 2000920; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 299 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Install (2)"; flow: to_server,established; uricontent:"/install/process/upsale/hotbar"; reference: url,www.hotbar.com; classtype: trojan-activity; sid: 2000921; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 300 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Install (3)"; flow: to_server,established; uricontent:"/installs/hotbar/programs/"; reference: url,www.hotbar.com; classtype: trojan-activity; sid: 2000922; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 301 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; uricontent:"/reports/hotbar/"; reference: url,www.hotbar.com; classtype: trojan-activity; sid: 2000923; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 302 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Upgrading"; flow: to_server,established; uricontent:"/updates/hotbar/"; nocase; reference: url,www.hotbar.com; classtype: trojan-activity; sid: 2000924; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 303 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Activity"; flow: to_server,established; uricontent:"/dynamic/hotbar/"; nocase; reference: url,www.hotbar.com; threshold: type limit, count 1, track by_src, seconds 360; classtype: trojan-activity; sid: 2000929; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 304 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Partner Checkin"; flow: to_server,established; uricontent:"/partners/"; nocase; uricontent:"partners.xip"; nocase; reference: url,www.hotbar.com; classtype: trojan-activity; sid: 2000925; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 305
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 306 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 307 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ICQ-Update.biz Reporting Install"; flow: to_server,established; uricontent:"log.php?"; nocase; uricontent: "IP="; nocase; uricontent:"Port1="; nocase; classtype: trojan-activity; sid: 2001490; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 308
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 309 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 310 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE IEHelp.net Spyware Installer"; uricontent:"/counter/help.chm"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; sid:2002090; rev:2;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 311 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE IEHelp.net Spyware checkin"; uricontent:"/l/gpr.php?"; nocase; uricontent: "ID1="; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; sid:2002096; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 312
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 313 # Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 314 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Incredisearch.com Spyware Ping"; flow: established,to_server; uricontent:"/ping.asp"; nocase; content:"incredisearch.com"; depth:300; nocase; classtype: trojan-activity; sid: 2001793; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 315 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host\: www.incredisearch.com"; depth:300; nocase; classtype: trojan-activity; sid: 2001794; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 316
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 317 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 318 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Fuel.com Install"; flow: to_server,established; uricontent:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; classtype: trojan-activity; sid: 2002015; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 319
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 320 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 321 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Optomizer Reporting Data"; flow: to_server,established; uricontent:"/io/downloads/"; nocase; content:"/wsi8/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; sid: 2001308; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 322 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Optimizer Spyware Agent Upload"; flow: to_server,established; uricontent:"/conf/xml/"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; sid: 2001336; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 323 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Optimizer Spyware Install"; flow: to_server,established; uricontent:"/internet-optimizer/"; nocase; uricontent:"/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; sid: 2001396; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 324
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 325 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 326 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Install"; flow: to_server,established; uricontent:"/ist/softwares/v"; nocase; reference: url,www.isearchtech.com; classtype: trojan-activity; sid: 2000926; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 327 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; uricontent:"/ist/scripts/log_downloads.php"; nocase; reference: url,www.isearchtech.com; classtype: trojan-activity; sid: 2000927; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 328 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; uricontent:"/ist/bars/"; nocase; reference: url,www.isearchtech.com; classtype: trojan-activity; sid: 2000928; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 329 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (2)"; flow: to_server,established; uricontent:"/ist/softwares/"; nocase; reference: url,www.isearchtech.com; classtype: trojan-activity; sid: 2001395; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 330 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Data Submission"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?"; nocase; uricontent: "version="; nocase; reference: url,www.isearchtech.com; classtype: trojan-activity; sid: 2001697; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 331
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 332 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 333 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware jmnad1.com Spyware Install (1)"; flow: to_server,established; uricontent:"/install.qg?"; nocase; uricontent: "ID="; nocase; classtype: trojan-activity; sid: 2002019; rev:7; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 334 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware jmnad1.com Spyware Install (2)"; flow: to_server,established; uricontent:"/download/mw_4s_stub.exe"; nocase; classtype: trojan-activity; sid: 2002016; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 335
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 336 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 337 alert udp $HOME_NET 3531 - > $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Probing or Announcing UDP"; reference: url,www.joltid.com; reference: url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2000900; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 337 alert udp $HOME_NET 3531 - > $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Probing or Announcing UDP"; reference: url,www.joltid.com; reference: url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2000900; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 337 alert udp $HOME_NET 3531 - > $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Probing or Announcing UDP"; reference: url,www.joltid.com; reference: url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2000900; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 338 #alert tcp $HOME_NET any - > $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Communicating TCP"; flow: to_server,established; reference: url,www.joltid.com; reference: url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2000901; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 338 #alert tcp $HOME_NET any - > $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Communicating TCP"; flow: to_server,established; reference: url,www.joltid.com; reference: url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2000901; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 338 #alert tcp $HOME_NET any - > $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Communicating TCP"; flow: to_server,established; reference: url,www.joltid.com; reference: url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2000901; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 339 alert tcp $HOME_NET any - > $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference: url,www.joltid.com; reference: url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2001015; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 339 alert tcp $HOME_NET any - > $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference: url,www.joltid.com; reference: url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2001015; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 339 alert tcp $HOME_NET any - > $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference: url,www.joltid.com; reference: url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2001015; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 340 alert tcp $HOME_NET any - > any any (msg: "BLEEDING-EDGE Malware JoltID Agent P2P via Proxy Server"; flow: to_server,established; content:"POST http\://"; nocase; content:"\:3531/.pkt"; nocase; within: 20; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2001679; rev:8; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 341 alert tcp $HOME_NET any < > $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Requesting File"; flow: established,to_server; content:"GIVE "; content:"User-Agent\:"; nocase; content:"PeerEnabler"; within:120; reference: url,www.joltid.com; reference: url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; sid: 2001654; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 341 alert tcp $HOME_NET any < > $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Requesting File"; flow: established,to_server; content:"GIVE "; content:"User-Agent\:"; nocase; content:"PeerEnabler"; within:120; reference: url,www.joltid.com; reference: url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; sid: 2001654; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 342
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 343 #Submitted by Jason Haar
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 344 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Keenvalue Update Engine"; flow: to_server,established; content:"|0d0a|Host|3a|secure.keenvalue.com"; content:"|0d0a|Extension|3a|Remote-Passphrase"; within: 300; reference: url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; classtype: trojan-activity; sid: 2000932; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 345
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 346 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 347 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware LocalNRD Spyware Checkin"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent: "adcontext"; nocase; reference: url,www.localnrd.com; classtype: trojan-activity; sid: 2001340; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 348
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 349
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 350 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 351 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Look2me Spyware Activity (1)"; flow: to_server,established; content:"Referer\: Look2Me"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; sid: 2001499; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 352 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Look2me Spyware Activity (2)"; flow: to_server,established; uricontent:"/cgi-bin/BW.exe"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; sid: 2001502; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 353
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 354 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 355 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Configuration Access"; flow: to_server,established; uricontent:"/oss/remoteconfig.asp"; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2000902; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 355 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Configuration Access"; flow: to_server,established; uricontent:"/oss/remoteconfig.asp"; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2000902; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 356 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Access"; flow: to_server,established; uricontent:"proxyhttp|0b|marketscore|03|com"; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001359; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 356 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Access"; flow: to_server,established; uricontent:"proxyhttp|0b|marketscore|03|com"; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001359; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 357 alert tcp $HOME_NET any - > $EXTERNAL_NET 443 (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001563; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 357 alert tcp $HOME_NET any - > $EXTERNAL_NET 443 (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001563; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 358 alert tcp $HOME_NET any - > $EXTERNAL_NET 8000 (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic"; flow: to_server,established; content:"X-OSSProxy\: OSSProxy"; content:"X-OSSProxy-Person-ID\: "; nocase; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001564; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 358 alert tcp $HOME_NET any - > $EXTERNAL_NET 8000 (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic"; flow: to_server,established; content:"X-OSSProxy\: OSSProxy"; content:"X-OSSProxy-Person-ID\: "; nocase; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001564; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 359
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 360 #Info from sgtocanada
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 361 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent\: ManInTheMiddle-Proxy"; nocase; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001586; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 361 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent\: ManInTheMiddle-Proxy"; nocase; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001586; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 362 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Upgrading"; flow: to_server,established; uricontent:"/oss/upgrchk_2a.asp"; nocase; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001587; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 362 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Upgrading"; flow: to_server,established; uricontent:"/oss/upgrchk_2a.asp"; nocase; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001587; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 363 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Activity (1)"; flow: to_server,established; uricontent:"/oss/dittorules.asp"; nocase; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001588; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 363 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Activity (1)"; flow: to_server,established; uricontent:"/oss/dittorules.asp"; nocase; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001588; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 364 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Activity (2)"; flow: to_server,established; uricontent:"/oss/routerrules2.asp"; nocase; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001589; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 364 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Activity (2)"; flow: to_server,established; uricontent:"/oss/routerrules2.asp"; nocase; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001589; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 365
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 366 #Sigs by Matt Jonkman from the excellent analysis by Tom Liston at http://isc.sans.org/diary.php?date=2004-11-04
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 367 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Mastermind Related Reporting"; flow: to_server,established; uricontent:"/bundle.php?"; nocase; uricontent: "aff="; nocase; classtype: trojan-activity; sid: 2001409; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 368 alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg: "BLEEDING-EDGE Malware Mastermind Related Reporting 8081"; flow: to_server,established; content:"/a?l=PeAyF1sgrZYw&i="; nocase; classtype: trojan-activity; sid: 2001410; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 369 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mastermind Related Downloading mm20.ocx"; flow: to_server,established; uricontent:"/soft/mm20.ocx"; nocase; classtype: trojan-activity; sid: 2001411; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 370 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable"; flow: to_server,established; content:"/soft/loads/"; nocase; within: 5; content:".exe"; nocase; classtype: trojan-activity; sid: 2001412; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 371 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medis-Motor Related Downloading ast_4_mm.exe"; flow: to_server,established; uricontent:"/dist/ast_4_mm.exe"; nocase; classtype: trojan-activity; sid: 2001413; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 372 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Media-Motor Related Downloading MediaMotor25.exe"; flow: to_server,established; uricontent:"/soft/MediaMotor25.exe"; nocase; classtype: trojan-activity; sid: 2001414; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 373 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Downloading IeBHOs.dll"; flow: to_server,established; uricontent:"/downloads/IeBHOs.dll"; nocase; classtype: trojan-activity; sid: 2001415; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 374 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Reporting Install"; flow: to_server,established; uricontent:"/count/count.php?&mm"; nocase; classtype: trojan-activity; sid: 2001416; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 375 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Receiving Config"; flow: to_server,established; uricontent:"/config/?"; nocase; uricontent: "v=5"; nocase; uricontent: "n=mm2"; nocase; uricontent: "i="; nocase; classtype: trojan-activity; sid: 2001417; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 376 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Downloading Code"; flow: to_server,established; uricontent:"/soft/unstall.exe"; nocase; classtype: trojan-activity; sid: 2001418; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 377 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Avres.net Downloading cpr_mm2.exe"; flow: to_server,established; uricontent:"/tt/cpr_mm2.exe"; nocase; classtype: trojan-activity; sid: 2001419; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 378 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Avres.net Downloading ab1.exe"; flow: to_server,established; uricontent:"/tt/ab1.exe"; nocase; classtype: trojan-activity; sid: 2001420; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 379 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Avres.net Downloading tvm_bundle.exe"; flow: to_server,established; uricontent:"/tt/tvm_bundle.exe"; nocase; classtype: trojan-activity; sid: 2001421; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 380 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Avres.net Reporting Data"; flow: to_server,established; uricontent:"/log3.php?"; nocase; uricontent:"c={"; nocase; uricontent:"what="; nocase; uricontent:"avatar="; nocase; classtype: trojan-activity; sid: 2001422; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 381 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Reporting"; flow: to_server,established; uricontent:"/count/count.php?&mm2cpr"; nocase; classtype: trojan-activity; sid: 2001423; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 382
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 383 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 384 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Config"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; uricontent:"pid="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; sid: 2001503; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 385 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; sid: 2001508; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 386 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/register.cgi?"; nocase; uricontent:"v="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; sid: 2001509; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 387 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; uricontent:"/dw/cgi/country.cgi"; nocase; content:"User-Agent\:"; nocase; content:"NSISDL"; within:120; nocase; classtype: trojan-activity; sid: 2001507; rev:7;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 388
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 389 #Mark Tombaugh
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 390 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Media Pass ActiveX Install"; flow: to_server,established; uricontent:"/MediaPassK.exe"; nocase; reference: url,www.benedelman.org/news/010205-1.html; reference: url,static.windupdates.com/Release/v19/Info.txt; classtype: policy-violation; sid: 2001783; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 390 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Media Pass ActiveX Install"; flow: to_server,established; uricontent:"/MediaPassK.exe"; nocase; reference: url,www.benedelman.org/news/010205-1.html; reference: url,static.windupdates.com/Release/v19/Info.txt; classtype: policy-violation; sid: 2001783; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 391
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 392 #Submitted by Chris Norton
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 393 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MediaTickets Download"; flow: to_server,established; uricontent:"MediaTicketsInstaller.cab"; content:"Host\: www.mt-download.com"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; sid: 2001448; rev:7;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 394 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MediaTickets Spyware Install"; flow: to_server,established; uricontent:"/mtrslib2.js"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; sid: 2001481; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 395
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 396 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 397 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Metarewards Spyware Activity"; flow: to_server,established; content:"Host\: www.metareward.com"; nocase; classtype: policy-violation; sid: 2001666; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 398 #From listening post data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 399 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Metarewards Disclaimer Access"; flow: to_server,established; uricontent:"/www.metareward.com/mailimg/disclaimer/"; nocase; classtype: policy-violation; sid: 2002309; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 400
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 401 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 402 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; uricontent:"/dlhelper.cab"; nocase; classtype: trojan-activity; sid: 2001641; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 403 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Installation (2)"; flow: established,to_server; uricontent:"/DownloadHNew.asp?"; nocase; uricontent:"btag="; nocase; classtype: trojan-activity; sid: 2001643; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 404 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Reporting Installation"; flow: established,to_server; uricontent:"/dlhelper/downloadlogger2.asp?"; nocase; uricontent:"time="; nocase; classtype: trojan-activity; sid: 2001644; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 405 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Casino App Install"; flow: established,to_server; uricontent:"/viper/thunderluck/00"; nocase; classtype: trojan-activity; sid: 2001645; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 406
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 407 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 408 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mindset Interactive Install (1)"; flow: to_server,established; uricontent:"/mindset5/data"; nocase; reference: url,www.mindsetinteractive.com; classtype: trojan-activity; sid: 2000583; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 409 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mindset Interactive Install (2)"; flow: to_server,established; uricontent:"/mindset/data"; nocase; reference: url,www.mindsetinteractive.com; classtype: trojan-activity; sid: 2000584; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 410 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mindset Interactive Ad Retrieval"; flow: to_server,established; uricontent:"/mindset5"; nocase; reference: url,www.mindsetinteractive.com; classtype: trojan-activity; sid: 2000594; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 411
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 412 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 413 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE MSUpdater.net Spyware Checkin"; flow:established,to_server; uricontent:"/popsetarray.php?&country="; nocase; classtype:trojan-activity; sid:2002094; rev:2;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 414
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 415 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 416 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware My Search Bar Install"; flow: to_server,established; uricontent:"/mysetp.exe"; nocase; reference: url,www.2-spyware.com/parasite-my-search-bar.html; classtype: policy-violation; sid: 2001040; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 417
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 418 #Matt Jonkman 2/22/05
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 419 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware My-Stats.com Spyware Checkin"; flow: established,to_server; uricontent:"/ad-partner/SelectConfirm.php?"; nocase; uricontent:"dummy="; nocase; classtype: misc-activity; sid: 2001747; rev:5;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 420
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 421
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 422 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 423 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; uricontent:"/speedbar/mySpeedbarCfg"; nocase; classtype: policy-violation; sid: 2000600; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 424 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (host)"; flow: to_server,established; pcre:"/Host\:[^\n]*[\.\s]myway.com/i"; classtype: policy-violation; threshold:type limit, track by_src, count 2, seconds 360; sid: 2001663; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 425 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (Agent)"; flow: to_server,established; content:"Compatible\; MyWay"; nocase; classtype: policy-violation; sid: 2001662; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 426
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 427 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 428 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Oenji.com Install"; flow: to_server,established; uricontent:"/Bundled/OemjiInstall"; nocase; classtype: trojan-activity; sid: 2001538; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 429 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; depth: 400; content:".oemji.com"; within: 25; distance: 1; classtype: trojan-activity; sid: 2001539; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 430
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 431 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 432 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware OfferOptimizer.com Spyware"; flow: to_server,established; uricontent:"/ctx/keyword_context.php?"; nocase; uricontent:"urlContext=http"; nocase; reference: url,www.offeroptimizer.com; classtype: policy-violation; sid: 2001341; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 433
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 434 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 435 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware OutBlaze.com Spyware Activity"; flow: to_server,established; uricontent:"/scripts/adpopper/webservice.main"; nocase; classtype: trojan-activity; sid: 2002044; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 436
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 437 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 438 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Outerinfo.com Spyware Install"; flow: to_server,established; uricontent:"/ctxad-"; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; sid: 2001495; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 439 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Outerinfo.com Spyware Advertising Campaign Download"; flow: to_server,established; uricontent:"/campaigns"; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; sid: 2001496; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 440 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Outerinfo.com Spyware Activity"; flow: to_server,established; content:"Host\: campaigns.outerinfo.com"; nocase; classtype: trojan-activity; sid: 2001497; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 441
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 442 #Submitted by Chris Norton
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 443 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host\: download.overpro.com"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference: url,www.wildarcade.com; classtype: trojan-activity; sid: 2001444; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 444
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 445 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 446 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware Games"; flow: to_server,established; uricontent:"/blocks/blasterblocks"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; sid: 2001459; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 447 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware Install Report"; flow: to_server,established; uricontent:"/processInstall.aspx"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; sid: 2002017; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 448
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 449 #Matt Jonkman from Spyware Listening Post Data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 450 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Pacimedia Spyware 1"; flow:to_server,established; uricontent:"/mcp/mcp.cgi"; classtype:trojan-activity; sid:2002083; rev:2;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 451 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Pacimedia Spyware 2"; flow: to_server,established; uricontent:"/xml/check.php?"; nocase; uricontent:"u="; nocase; classtype: policy-violation; sid: 2002194; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 452
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 453 #Submitted by Chris Norton
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 454 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware PeopleOnPage Install"; flow: to_server,established; uricontent:"/install/pop"; nocase; reference: url,www.peopleonpage.com; reference: url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; sid: 2001445; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 454 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware PeopleOnPage Install"; flow: to_server,established; uricontent:"/install/pop"; nocase; reference: url,www.peopleonpage.com; reference: url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; sid: 2001445; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 455 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware PeopleOnPage Ping"; flow: to_server,established; content:"Host\: srv.peopleonpage.com"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference: url,www.peopleonpage.com; reference: url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; sid: 2001446; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 455 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware PeopleOnPage Ping"; flow: to_server,established; content:"Host\: srv.peopleonpage.com"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference: url,www.peopleonpage.com; reference: url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; sid: 2001446; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 456
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 457 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 458 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Popuptraffic.com Bot Reporting"; flow: to_server,established; uricontent:"/scripts/click.php?"; nocase; uricontent:"hid="; reference: url,popuptraffic.com; classtype: policy-violation; sid: 2000577; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 459
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 460 #By Joel Esler
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 461 #alert tcp $HOME_NET any -> 216.151.85.195 $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Unknown Suspicious PrintMe Suspected Spyware"; flow: established; content:"PrintMe"; classtype: bad-unknown; sid: 2001665; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 462
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 463 # Submitted by John Stewart, 2/23/2005
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 464
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 465 alert tcp $HOME_NET any - > any $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Pynix.dll BHO Activity"; flow: established,to_server; uricontent:"ABETTERINTERNET.EXE"; nocase; uricontent:"bho=PYNIX.DLL"; nocase; reference: url,www.pynix.com; classtype: trojan-activity; sid: 2001748; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 466
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 467 #Updated by Jonathan Miner
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 468 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware rcprograms"; flow: to_server,established; content:"update.rcprograms.com"; nocase; reference: url,sarc.com/avcenter/venc/data/adware.rcprograms.html; classtype: trojan-activity; sid: 2000024; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 469
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 470 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 471 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Rdxrp.com Traffic"; flow: to_server,established; uricontent:"/rdxr020304.dat"; nocase; classtype: trojan-activity; sid: 2001311; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 472 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Rdxrp.com Traffic (Generic)"; flow: to_server,established; uricontent:"/rdxr"; nocase; uricontent:".dat"; nocase; classtype: trojan-activity; sid: 2001312; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 473
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 474 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 475 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Regnow.com Access"; flow: to_server,established; uricontent:"/softsell/visitor.cgi?"; nocase; uricontent:"affiliate="; nocase; reference: url,www.regnow.com; classtype: trojan-activity; sid: 2001223; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 476 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Regnow.com Gamehouse.com Access"; flow: to_server,established; uricontent:"/affiliates/template.jsp?"; nocase; uricontent:"AID="; nocase; reference: url,www.gamehouse.com; classtype: trojan-activity; sid: 2001224; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 477
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 478 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 479 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Salongas Infection"; flow: to_server,established; uricontent:"/sp.htm?id="; classtype: trojan-activity; sid: 2000601; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 480
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 481 #By Matt Jonkman from Listening Post Data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 482 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 1"; flow: to_server,established; uricontent:"/rd/Clk.jsp"; reference: url,www.searchfeed.com; classtype: trojan-activity; sid: 2002296; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 483 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 2"; flow: to_server,established; uricontent:"/rd/feed/TextFeed.jsp"; reference: url,www.searchfeed.com; classtype: trojan-activity; sid: 2002297; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 484 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 3"; flow: to_server,established; uricontent:"/rd/feed/XMLFeed.jsp"; reference: url,www.searchfeed.com; classtype: trojan-activity; sid: 2002298; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 485 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 4"; flow: to_server,established; uricontent:"/rd/feed/JavaScriptFeed.jsp"; reference: url,www.searchfeed.com; classtype: trojan-activity; sid: 2002299; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 486 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 5"; flow: to_server,established; uricontent:"/rd/feed/JavaScriptFeedSE.jsp"; reference: url,www.searchfeed.com; classtype: trojan-activity; sid: 2002300; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 487 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 6"; flow: to_server,established; uricontent:"/rd/SearchResults.jsp"; reference: url,www.searchfeed.com; classtype: trojan-activity; sid: 2002301; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 488 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 7"; flow: to_server,established; uricontent:"/rd/jsp/BidRank/index.jsp"; reference: url,www.searchfeed.com; classtype: trojan-activity; sid: 2002302; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 489 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 8"; flow: to_server,established; uricontent:"/SFToolBar.html"; reference: url,www.searchfeed.com; classtype: trojan-activity; sid: 2002303; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 490
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 491 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 492 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (toolbar)"; flow: to_server,established; uricontent:"/dkprogs/toolbar.txt"; nocase; classtype: trojan-activity; sid: 2001473; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 493 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (prog)"; flow: to_server,established; uricontent:"/dkprogs/dktibs.php"; nocase; classtype: trojan-activity; sid: 2001474; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 494 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Receiving Commands"; flow: to_server,established; uricontent:"/xpsystem/commands.ini"; nocase; classtype: trojan-activity; sid: 2001475; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 495 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (pizdato)"; flow: to_server,established; uricontent:"http\://pizdato.biz"; nocase; classtype: trojan-activity; sid: 2001476; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 496 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (coolsearch)"; flow: to_server,established; uricontent:"http\://www.coolsearch.biz"; nocase; classtype: trojan-activity; sid: 2001477; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 497 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (newiframe)"; flow: to_server,established; uricontent:"http\://newiframe.biz"; nocase; classtype: trojan-activity; sid: 2001478; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 498 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (systime)"; flow: to_server,established; uricontent:"/dkprogs/systime.txt"; nocase; classtype: trojan-activity; sid: 2001480; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 499 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (mstask)"; flow: to_server,established; uricontent:"/dkprogs/mstasks3.txt"; nocase; classtype: trojan-activity; sid: 2001483; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 500 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (d.exe)"; flow: to_server,established; uricontent:"/x30/d.exe"; nocase; classtype: trojan-activity; sid: 2001484; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 501
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 502 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 503 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; uricontent:"/cab/v3cab.cab"; reference: url,www.searchmiracle.com; classtype: trojan-activity; sid: 2001540; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 504 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; depth: 400; content:".searchmiracle.com"; nocase; within: 35; distance: 1; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.elitebar.html; sid: 2001532; rev:7; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 505 alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference: url,www.searchmiracle.com/silent.exe; classtype: trojan-activity; sid: 2001533; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 506 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; uricontent:"/silent_install.exe"; nocase; reference: url,www.searchmiracle.com; classtype: trojan-activity; sid: 2001534; rev:8; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 507 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; uricontent:"/protector.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference: url,www.searchmiracle.com; classtype: trojan-activity; sid: 2001535; rev:7; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 508 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install (install)"; flow: to_server,established; uricontent:"/sideb.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference: url,www.searchmiracle.com; classtype: trojan-activity; sid: 2001744; rev:7; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 509 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install -- silent.exe"; flow: to_server,established; uricontent:"/silent.exe"; nocase; reference: url,www.searchmiracle.com; classtype: trojan-activity; sid: 2002091; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 510
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 511 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 512 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Search Relevancy Spyware"; flow: established,to_server; uricontent:"/SearchRelevancy/SearchRelevancy.dll"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html; sid: 2001696; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 513
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 514 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 515 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Search Scout Related Spyware (content)"; flow: established,to_server; content:"Host\: content.searchscout.com"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; sid: 2001650; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 516 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Search Scout Related Spyware (results)"; flow: established,to_server; content:"Host\: results.searchscout.com"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; sid: 2001653; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 517
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 518 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 519 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Sexmaniack Install Tracking"; flow: to_server,established; uricontent:"/counted.php?ref="; nocase; content:"Host\: counter.sexmaniack.com"; nocase; classtype: trojan-activity; sid: 2001460; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 520
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 521 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 522 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop At Home Select.com Install Attempt"; flow: to_server,established; uricontent:"/mindset/bunsetup.cab"; nocase; reference: url,www.spywareguide.com/product_show.php?id=700; reference: url,www.shopathomeselect.com; classtype: policy-violation; sid: 2000580; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 522 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop At Home Select.com Install Attempt"; flow: to_server,established; uricontent:"/mindset/bunsetup.cab"; nocase; reference: url,www.spywareguide.com/product_show.php?id=700; reference: url,www.shopathomeselect.com; classtype: policy-violation; sid: 2000580; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 523 alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE Malware Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; reference: url,www.spywareguide.com/product_show.php?id=700; reference: url,www.shopathomeselect.com; classtype: policy-violation; sid: 2000581; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 523 alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE Malware Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; reference: url,www.spywareguide.com/product_show.php?id=700; reference: url,www.shopathomeselect.com; classtype: policy-violation; sid: 2000581; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 524 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Heartbeat"; flow: established,to_server; uricontent:"/s.dll?MfcISAPICommand=heartbeat¶m="; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; sid: 2001708; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 525 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download (agentprefs)"; flow: established,to_server; uricontent:"/agentprefs"; nocase; content:".sah"; nocase; within: 5; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; sid: 2001709; rev:8; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 526 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Install"; flow: established,to_server; uricontent:"/arcadecash/setup"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; sid: 2002037; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 527 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download"; flow: established,to_server; uricontent:"/agent"; nocase; uricontent:"/validate"; nocase; content:".sah"; nocase; within: 5; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; sid: 2002043; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 528
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 529 #matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 530 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Shopnav Spyware Install"; flow: to_server,established; uricontent:"/toolbarv3.cgi?UID="; nocase; uricontent:"&version="; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; sid: 2002000; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 531
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 532 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 533 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Install"; flow: to_server,established; uricontent:"/servlet6/servlet/sbinstservlet"; nocase; reference: url,www.sidestep.com; reference: url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001016; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 533 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Install"; flow: to_server,established; uricontent:"/servlet6/servlet/sbinstservlet"; nocase; reference: url,www.sidestep.com; reference: url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001016; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 534 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Reporting Data"; flow: to_server,established; uricontent:"/servlet6/servlet/sblogservlet"; nocase; reference: url,www.sidestep.com; reference: url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001017; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 534 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Reporting Data"; flow: to_server,established; uricontent:"/servlet6/servlet/sblogservlet"; nocase; reference: url,www.sidestep.com; reference: url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001017; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 535 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Activity"; flow: to_server,established; uricontent:"/servlet6/jsp/mvc"; nocase; reference: url,www.sidestep.com; reference: url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001018; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 535 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Activity"; flow: to_server,established; uricontent:"/servlet6/jsp/mvc"; nocase; reference: url,www.sidestep.com; reference: url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001018; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 536 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Autoupdate"; flow: to_server,established; uricontent:"/autoupd/rel"; nocase; pcre:"/Host\:/sstart\d+.sidestep.com/i"; reference: url,www.sidestep.com; reference: url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001019; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 536 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Autoupdate"; flow: to_server,established; uricontent:"/autoupd/rel"; nocase; pcre:"/Host\:/sstart\d+.sidestep.com/i"; reference: url,www.sidestep.com; reference: url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001019; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 537 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Update Reporting"; flow: to_server,established; uricontent:"/wutrack.bin?PUID="; nocase; reference: url,www.sidestep.com; reference: url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001020; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 537 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Update Reporting"; flow: to_server,established; uricontent:"/wutrack.bin?PUID="; nocase; reference: url,www.sidestep.com; reference: url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001020; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 538
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 539 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 540 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Smartpops.com Spyware Install rh.exe"; flow: to_server,established; uricontent:"/install/RH/rh.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; sid: 2001505; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 541 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Smartpops.com Spyware Install"; flow: to_server,established; uricontent:"/install/SE/sed.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; sid: 2001516; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 542 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Smartpops.com Spyware Update"; flow: to_server,established; uricontent:"/data/spv15.dat?v="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; sid: 2001513; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 543
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 544 #By Michael Ligh
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 545 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 1"; flow: to_server,established; uricontent:"/toc/Connect?type=redirect"; nocase; uricontent:"&uId="; nocase; classtype:trojan-activity; reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; sid:2002675; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 546 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 2"; flow: to_server,established; content:"sonymusic.com"; nocase; pcre:"User-Agent\:[^\n]+SecureNet[^\n]+Xtra/i"; classtype:trojan-activity; reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; sid:2002674; rev:2;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 547
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 548 #by Blake Hartstein
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 549 alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg:"BLEEDING-EDGE Malware Sony DRM Related -- CodeSupport ActiveX Attempt"; flow:from_server,established; content:"CLSID"; nocase; content:"4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"; nocase; distance:0; reference:url,www.frsirt.com/english/advisories/2005/2454; reference:url,www.hack.fi/~muzzy/sony-drm/; classtype:web-application-attack; sid:2002679; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 549 alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg:"BLEEDING-EDGE Malware Sony DRM Related -- CodeSupport ActiveX Attempt"; flow:from_server,established; content:"CLSID"; nocase; content:"4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"; nocase; distance:0; reference:url,www.frsirt.com/english/advisories/2005/2454; reference:url,www.hack.fi/~muzzy/sony-drm/; classtype:web-application-attack; sid:2002679; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 550 alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg:"BLEEDING-EDGE Malware Sony DRM -- Uninstaller CLSID"; flow:from_server,established; content:"CLSID"; nocase; content:"1F1EB85B-0FE9-401D-BC53-10803CF880A7"; nocase; distance:0; reference:url,www.freedom-to-tinker.com/?p=931; reference:url,www.frsirt.com/english/advisories/2005/2493; classtype:web-application-attack; sid:2002680; rev:2;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 550 alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg:"BLEEDING-EDGE Malware Sony DRM -- Uninstaller CLSID"; flow:from_server,established; content:"CLSID"; nocase; content:"1F1EB85B-0FE9-401D-BC53-10803CF880A7"; nocase; distance:0; reference:url,www.freedom-to-tinker.com/?p=931; reference:url,www.frsirt.com/english/advisories/2005/2493; classtype:web-application-attack; sid:2002680; rev:2;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 551
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 552 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 553 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg: "BLEEDING-EDGE Malware Likely Spambot Web-based Control Traffic"; flow: to_server,established; content:"User-Agent\: Godzilla"; nocase; classtype: trojan-activity; sid: 2001711; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 554
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 555 # Submitted by William Salusky
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 556 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 557 # The following rule has proven useful in detecting unidentified spammer nodes.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 558 # You should tweak the rule header according to your network architecture.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 559 # Thresholding is optional, but without it in my network this sig would
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 560 # overwhelm my sensors.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 561
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 562 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Spambot Proxy Control Channel"; flow: established; content:"|04010019|"; offset: 0; depth: 4; classtype: trojan-activity; sid: 2001814; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 563
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 564 # The following rule assists in the identification of spam when SMTP 220
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 565 # responses are seen egressing your network from unusual src ports.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 566 # You may want to consider tagging a number of following packets.
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 567
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 568 #alert tcp $HOME_NET !21:587 -> any any (msg: "BLEEDING-EDGE Spambot Suspicious 220 Banner on Local Port"; flow: established; content:"220 "; offset: 0; depth: 4; tag: session, 20, packets; classtype: non-standard-protocol; sid: 2001815; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 569
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 570 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 571 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Speedera Agent"; flow: to_server,established; uricontent:"/io/downloads"; nocase; classtype: trojan-activity; sid: 2001320; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 572 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Speedera Agent (Specific)"; flow: to_server,established; uricontent:"/io/downloads/3/wsem302.dl"; nocase; classtype: trojan-activity; sid: 2001321; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 573
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 574 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 575 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spygalaxy.ws Activity"; flow: to_server,established; uricontent:"/install.php?id="; nocase; content:"Host\: spygalaxy.ws"; nocase; classtype: trojan-activity; sid: 2001489; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 576
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 577 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 578 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyspotter.com Install"; flow: to_server,established; uricontent:"/SpySpotterInstall.cab"; nocase; classtype: trojan-activity; sid: 2001536; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 579 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; flow: to_server,established; pcre:"/Host\:[^\n]+spyspotter.com/i"; classtype: trojan-activity; sid: 2001537; rev:7; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 580
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 581 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 582 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; sid: 2000587; rev:7; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 583 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SpywareLabs Application Install"; flow: to_server,established; uricontent:"/DistID/BaseInstalls/V"; nocase; content:"User-Agent\:"; nocase; content:"Wise"; within:120; nocase; classtype: trojan-activity; sid: 2001522; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 584
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 585 #by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 586 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyware Stormer Reporting Data"; flow: established,to_server; uricontent:"/showme.aspx?keyword="; nocase; content:"ecomdata1="; nocase; reference: url,www.spywarestormer.com; classtype: trojan-activity; sid: 2001570; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 587 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyware Stormer/Error Guard Activity"; flow: established,to_server; uricontent:"/sell.cgi?errorguard/1/errorguard"; nocase; reference: url,www.spywarestormer.com; classtype: trojan-activity; sid: 2001571; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 588
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 589 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 590 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Statblaster Receiving New configuration (update)"; flow: to_server,established; uricontent:"/updatestats/update"; nocase; uricontent:".xml"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; sid: 2001225; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 591 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Statblaster Receiving New configuration (allfiles)"; flow: to_server,established; uricontent:"/updatestats/all_files"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; sid: 2001523; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 592 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Statblaster Code Download"; flow: to_server,established; uricontent:"/updatestats/"; nocase; uricontent:".exe"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; sid: 2001524; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 593
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 594 #Submitted by Chris Norton
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 595 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Statblaster.MemoryWatcher Download"; flow: to_server,established; uricontent:"/memorywatcher.exe"; reference: url,www.memorywatcher.com/eula.aspx; classtype: trojan-activity; sid: 2001442; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 596
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 597 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 598 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfAssistant.com Spyware Install"; flow: to_server,established; uricontent:"/distribution/questmod-1.dll"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; sid: 2001510; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 599 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfAssistant.com Spyware Reporting"; flow: to_server,established; uricontent:"/sa/?a="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; sid: 2001514; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 600
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 601 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 602 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Activity"; flow: established,to_server; uricontent:"/Bundling/SskUpdater"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2001731; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 603 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Download"; flow: established,to_server; uricontent:"/requestimpression.aspx?ver="; nocase; content:"host="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2001992; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 604 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Dictionary Download"; flow: established,to_server; uricontent:"/Dictionaries"; nocase; content:".dll"; nocase; within: 10; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2001993; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 605 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Activity (ipixel)"; flow: established,to_server; uricontent:"/ipixel.htm?cid="; nocase; content:"&pck_id="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2001994; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 606
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 607 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 608 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE TargetNetworks.net Spyware Reporting (req)"; flow: to_server,established; uricontent:"/request/req.cgi?gu="; nocase; uricontent:"&sid="; nocase; uricontent:"&kw="; nocase; reference: url,www.targetnetworks.com; classtype: trojan-activity; sid: 2001997; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 609 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE TargetNetworks.net Spyware Reporting (tn)"; flow: to_server,established; uricontent:"/data/tn.dat?v="; nocase; uricontent:"&sid="; nocase; reference: url,www.targetnetworks.com; classtype: trojan-activity; sid: 2002046; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 610
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 611 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 612 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install (1)"; flow: to_server,established; uricontent:"/pa/glx.exe"; nocase; classtype: trojan-activity; sid: 2001482; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 613 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install (2)"; flow: to_server,established; uricontent:"/pa/proxyrnd.exe"; nocase; classtype: trojan-activity; sid: 2001485; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 614 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; uricontent:"/pr.exe"; nocase; classtype: trojan-activity; sid: 2001486; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 615
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 616 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 617 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Tibsystems Spyware Activity"; flow: to_server,established; uricontent:"/d4.fcgi?v="; nocase; classtype: trojan-activity; sid: 2001488; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 618 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Tibsystems Spyware Install (1)"; flow: to_server,established; uricontent:"/fcgi-bin/iza2.fcgi?m="; nocase; classtype: trojan-activity; sid: 2001729; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 619 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Tibsystems Spyware Install (2)"; flow: to_server,established; uricontent:"/tb/loader2.ocx"; nocase; classtype: trojan-activity; sid: 2001734; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 620
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 621 #By Matt Jonkman from Spyware listening post data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 622 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Tickle.com Spyware"; flow: to_server,established; uricontent:"/forward?sid="; classtype: trojan-activity; reference:url,www.spywareremove.com/removeTickle.html; sid:2002197; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 623
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 624 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 625 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Install"; flow: established,to_server; uricontent:"/popengine/POP.CHM"; nocase; reference: url,toolbarpartner.com; classtype: trojan-activity; sid: 2001886; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 626 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Activity (1)"; flow: established,to_server; uricontent:"/adverts/zergio/"; nocase; reference: url,toolbarpartner.com; classtype: trojan-activity; sid: 2001887; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 627 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Activity (2)"; flow: established,to_server; content:"Host\: toolbarpartner.com"; nocase; reference: url,toolbarpartner.com; classtype: trojan-activity; sid: 2001888; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 628 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Jeemp Trojan Download"; flow: established,to_server; uricontent:"/proxyrnd.exe"; nocase; reference: url,toolbarpartner.com; classtype: trojan-activity; sid: 2001889; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 629 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Agent Download (1)"; flow: established,to_server; uricontent:"/ldr.exe"; nocase; reference: url,toolbarpartner.com; classtype: trojan-activity; sid: 2001890; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 630 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference: url,toolbarpartner.com; classtype: trojan-activity; sid: 2001892; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 631 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Agent Reporting Install"; flow: established,to_server; uricontent:"/installed.php?wm=Zergio"; nocase; reference: url,toolbarpartner.com; classtype: trojan-activity; sid: 2001893; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 632 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Agent Partner Install"; flow: established,to_server; uricontent:"/inst.php?id="; nocase; reference: url,toolbarpartner.com; classtype: trojan-activity; sid: 2001894; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 633 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Spambot Retrieving Target Emails"; flow: established,to_server; uricontent:"/mailz.php?id="; nocase; reference: url,toolbarpartner.com; classtype: trojan-activity; sid: 2001895; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 634
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 635 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 636 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spywaremover Activity"; flow: to_server,established; uricontent:"/spywareremovers.php?"; content:"Host\: topantispyware.com"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html; sid: 2001520; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 637
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 638 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 639 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Topconverting Spyware Install"; flow: to_server,established; uricontent:"/activex/weirdontheweb_topc.exe"; nocase; reference: url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002004; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 640 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Topconverting Spyware Reporting"; flow: to_server,established; uricontent:"/trigger.php?partner="; nocase; classtype: trojan-activity; sid: 2002040; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 641
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 642 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 643 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference: url,www.topmoxie.com; classtype: trojan-activity; sid: 2000588; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 644 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware TopMoxie Retrieving Data (downloads)"; flow: to_server,established; uricontent:"/external/builds/downloads2/"; nocase; reference: url,www.topmoxie.com; classtype: trojan-activity; sid: 2000589; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 645 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware TopMoxie Retrieving Data (common)"; flow: to_server,established; uricontent:"/external/builds/common/"; nocase; reference: url,www.topmoxie.com; classtype: trojan-activity; sid: 2000590; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 646
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 647 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 648 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Toprebates.com Install (1)"; flow: established,to_server; uricontent:"/acti.asp?cl=1&gd=1&clpid="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; sid: 2001646; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 649 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Toprebates.com Install (2)"; flow: established,to_server; uricontent:"/builds/"; nocase; uricontent:"AutoTrack_Install.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; sid: 2001647; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 650 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Toprebates.com User Confirming Membership"; flow: established,to_server; uricontent:"/cgi/account.plx?pid="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; sid: 2001648; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 651
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 652 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 653 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Ezula"; flow: to_server,established; uricontent:"/MindSet5/install/ezinstall.exe"; nocase; reference: url,www.ezula.com; reference: url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; sid: 2001334; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 653 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Ezula"; flow: to_server,established; uricontent:"/MindSet5/install/ezinstall.exe"; nocase; reference: url,www.ezula.com; reference: url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; sid: 2001334; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 654 alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE Malware Ezula Installer Download"; flow: from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference: url,www.ezula.com; reference: url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; sid: 2001335; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 654 alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE Malware Ezula Installer Download"; flow: from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference: url,www.ezula.com; reference: url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; sid: 2001335; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 655
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 656 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 657 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Traffic Syndicate Add/Remove"; flow: to_server,established; uricontent:"/Support/AddRemove.aspx?id="; nocase; classtype: policy-violation; sid: 2001313; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 658 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Traffic Syndicate Agent Updating (1)"; flow: to_server,established; uricontent:"/TbLinkConfig.asmx"; nocase; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; sid: 2001315; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 659 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Traffic Syndicate Agent Updating (2)"; flow: to_server,established; uricontent:"/TbInstConfig.asmx"; nocase; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; sid: 2001316; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 660
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 661 #by Matt Jonkman, data from the Spyware Listening Post
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 662 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Transponder Spyware Activity"; flow:established,to_server; uricontent:"/sendROIcookie.cfm?refer="; nocase; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Transponder.html; sid:2002320; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 663
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 664 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 665 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE UCMore Spyware Reporting"; flow: to_server,established; uricontent:"/iis2ucms.asp"; nocase; reference: url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype: trojan-activity; sid: 2001995; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 666 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE UCMore Spyware Downloading Ads"; flow: to_server,established; uricontent:"/iis2ucms_getsponsorlinks.asp"; nocase; reference: url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype: trojan-activity; sid: 2001998; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 667
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 668
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 669 # These are user agent string from the user agents project:
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 670 # http://www.bleedingsnort.com/article.php?story=20050303190103553
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 671 # These will hit on traffic generated by spyware agents and installers
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 672 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 673 # The user agent sigs from all types of spyware are consolidated here
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 674 #
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 675 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE User-Agent String"; flow:established,to_server; flowbits:isnotset,http.UserAgent; flowbits:noalert; flowbits:set,http.UserAgent; content:"User-Agent\:"; nocase; classtype:string-detect; sid: 2002311; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 676 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE EXE as User Agent -- Potential Spyware"; flow: established,to_server; flowbits:isset,http.UserAgent; content:"User-Agent\:"; nocase; content:".exe"; within:20; nocase; classtype: trojan-activity; sid: 2002153; rev:2;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 677 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 404Search Spyware User Agent"; flow:established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+404search/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001852; rev:12;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 678 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Easy Search Bar Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+ESB\(/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001853; rev:10;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 679 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE EZULA Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+ezula/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001854; rev:10; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 680 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+FunWebProducts/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; threshold: type limit, count 1, seconds 360, track by_src; sid: 2001855; rev:12;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 681 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Hotbar Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Hotbar/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001858; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 682 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Cool Web Search Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+iefeatsl/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001859; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 683 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Kontiki Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Kontiki/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001860; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 684 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Micro-Gaming Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MGS-Internal-Web-Manager/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001861; rev:10;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 685 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Surf Assistant Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; content:"User-Agent\: ML"; nocase; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001862; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 686 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (2)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyTotalSearch/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001863; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 687 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (3)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyWay/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001864; rev:12;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 688 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE MyWebSearch Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyWebSearch/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001865; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 689 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Smartpops/Mediaload Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+NSISDL/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001866; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 690 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Search Engine 2000 Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+searchengine2000.com/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001867; rev:10;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 691 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE SureSeeker Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+sureseeker.com/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001868; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 692 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Sidesearch Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Sidesearch/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001869; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 693 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Surfplayer Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SurferPlugin/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001870; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 694 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Target Saver Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+TSA/i"; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001871; rev:10;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 695 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Visicom Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Visicom Toolbar/i"; threshold: type limit, count 1, seconds 360, track by_src; reference: url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001872; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 696 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Traffic"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Peer Points Manager/i"; classtype: policy-violation; sid: 2001640; rev:10;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 697 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Browseraid.com Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Browser Adv/i"; reference: url,www.browseraid.com; classtype: trojan-activity; sid: 2001295; rev:8;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 698 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Context Plus Spyware Activity (1)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Apropos/i"; classtype: trojan-activity; sid: 2001703; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 699 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Context Plus Spyware Activity (2)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Envolo/i"; classtype: trojan-activity; sid: 2001706; rev:12;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 700 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Enhance My Search Spyware Activity"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+HelperH/i"; classtype: trojan-activity; sid: 2001746; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 701 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator Agent Traffic"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Gator/i"; classtype: policy-violation; sid: 2000026; rev:10;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 702 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Optimizer Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+IOKernel/i"; classtype: trojan-activity; sid: 2001498; rev:8;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 703 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (MyApp)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyApp/i"; reference: url,www.isearchtech.com; classtype: trojan-activity; sid: 2001492; rev:12;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 704 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (IST)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+IST/"; reference: url,www.isearchtech.com; classtype: trojan-activity; sid: 2001493; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 705 alert tcp $HOME_NET any - > $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent New Code Download"; flow: established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+PeerEnabler/i"; reference: url,www.joltid.com; reference: url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; sid: 2001652; rev:12;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 705 alert tcp $HOME_NET any - > $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent New Code Download"; flow: established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+PeerEnabler/i"; reference: url,www.joltid.com; reference: url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; sid: 2001652; rev:12;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 706 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware User Configuration and Setup Access"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+OSSProxy/i"; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001562; rev:9;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 706 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware User Configuration and Setup Access"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+OSSProxy/i"; reference: url,www.marketscore.com; reference: url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001562; rev:9;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 707 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"medialoads.com"; nocase; pcre:"/User-Agent\:[^\n]+NSISDL/i"; classtype: trojan-activity; sid: 2001504; rev:12;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 708 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Activity (Bundle)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Bundle/i"; classtype: policy-violation; sid: 2001702; rev:14;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 709 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Activity (SAH)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SAH Agent/i"; classtype: policy-violation; sid: 2001707; rev:13;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 710 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Tibsystems Spyware Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+TIBS/i"; classtype: trojan-activity; sid: 2001487; rev:11;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 711 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Top Converting Agent Activity"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Topconvertingagent/i"; classtype: trojan-activity; sid: 2001732; rev:9;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 712 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Ezula Related Calling Home"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+mez/i"; reference:url,www.ezula.com; reference: url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; sid: 2000586; rev:9;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 712 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Ezula Related Calling Home"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+mez/i"; reference:url,www.ezula.com; reference: url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; sid: 2000586; rev:9;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 713 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware UCMore Spyware Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+UCmore/i"; classtype: trojan-activity; sid: 2001736; rev:9;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 714 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware UCMore Spyware Activity User Agent String"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: EI"; classtype: trojan-activity; sid: 2001996; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 715 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Wildtangent Kernel/i"; classtype: trojan-activity; sid: 2001639; rev:8;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 716 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware YourSiteBar Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+istsvc/i"; reference: url,www.ysbweb.com; classtype: trojan-activity; sid: 2001699; rev:8;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 717 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ToolbarPartner User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: agent"; nocase; classtype: trojan-activity; sid: 2001891; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 718 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (thnall)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+THNALL[^\n]+\.EXE/i"; classtype: trojan-activity; sid: 2002002; rev:9;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 719 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware User Agent Activity (merong)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MERONG/i"; classtype: trojan-activity; sid: 2002020; rev:9;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 720 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (poller)"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: Poller"; nocase; classtype: trojan-activity; sid: 2002005; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 721 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (aurareco)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+aurareco\.exe/i"; classtype: trojan-activity; sid: 2002039; rev:8;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 722 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wildmedia Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: update "; nocase; content:!"Antivirus"; within: 9; classtype: trojan-activity; sid: 2002007; rev:8;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 723 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware PeopleonPage Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+OCSLab AutoUpdater/i"; classtype: trojan-activity; sid: 2002011; rev:9;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 724 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Grandstreet Interactive Spyware User Agent Activity (1)"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: IEP"; nocase; classtype: trojan-activity; sid: 2002021; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 725 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Grandstreet Interactive Spyware User Agent Activity (2)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+wupdsnff\.exe/i"; classtype: trojan-activity; sid: 2002014; rev:8;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 726 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (thin)"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: thin"; nocase; classtype: trojan-activity; sid: 2002035; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 727 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shopathomeselect.com Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+WebDownloader/i"; classtype: trojan-activity; sid: 2002038; rev:7;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 728 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware XupiterToolbar Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+XupiterToolbar/i"; classtype: trojan-activity; reference:url,castlecops.com/tk781-Xupitertoolbar_dll_t_dll.html; sid: 2002071; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 729 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware General Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+thnall1ac\.exe/i"; classtype: trojan-activity; sid: 2002073; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 730 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Win32.Stubby Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Stubby/i"; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088437; sid: 2002074; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 731 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware New.net Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+New\.net/i"; classtype: trojan-activity; reference:url,www.newdotnet.com; reference:url,www.pcsympathy.com/printout74.html; sid: 2002076; rev:5;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 731 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware New.net Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+New\.net/i"; classtype: trojan-activity; reference:url,www.newdotnet.com; reference:url,www.pcsympathy.com/printout74.html; sid: 2002076; rev:5;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 732 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware IEBar Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+iebar/i"; threshold: type limit, track by_src, count 1, seconds 360; classtype: trojan-activity; reference:url,castlecops.com/tk1463-IEBAR_DLL.html; sid: 2002077; rev:5;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 733 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SideStep/i"; classtype: trojan-activity; sid: 2002078; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 734 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE MyWaySearch Products Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyWay/i"; classtype: trojan-activity; sid: 2002079; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 735 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE MySearch Products Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MySearch/i"; classtype: trojan-activity; sid: 2002080; rev:6;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 736 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware IEHelp.net Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+firestarter/i"; classtype: trojan-activity; sid: 2002097; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 737
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 738 #New from Chris Taylor and the User agents project
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 739 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Alexa Search Toolbar"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Alexa Toolbar/i"; reference: url,www.spywareguide.com/product_show.php?id=418; classtype:trojan-activity; sid:2002166; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 740 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (Feat)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Feat Ext/i"; reference: url,www.spywareguide.com/product_show.php?id=599; reference: url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference: url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002160; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 740 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (Feat)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Feat Ext/i"; reference: url,www.spywareguide.com/product_show.php?id=599; reference: url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference: url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002160; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 740 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (Feat)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Feat Ext/i"; reference: url,www.spywareguide.com/product_show.php?id=599; reference: url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference: url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002160; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 741 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (feat2)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Feat2/i"; reference: url,www.spywareguide.com/product_show.php?id=599; reference: url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference: url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002161; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 741 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (feat2)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Feat2/i"; reference: url,www.spywareguide.com/product_show.php?id=599; reference: url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference: url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002161; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 741 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (feat2)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Feat2/i"; reference: url,www.spywareguide.com/product_show.php?id=599; reference: url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference: url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002161; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 742 #Disabling, Hits on regular windows update type traffic to sa.windows.com
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 743 #alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (SCAgent)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SCAgent/i"; reference: url,www.spywareguide.com/product_show.php?id=599; reference: url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference: url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002162; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 743 #alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (SCAgent)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SCAgent/i"; reference: url,www.spywareguide.com/product_show.php?id=599; reference: url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference: url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002162; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 743 #alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (SCAgent)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SCAgent/i"; reference: url,www.spywareguide.com/product_show.php?id=599; reference: url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference: url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002162; rev:4;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 744 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Ezula Update Engine"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: 3a"; nocase; reference:url,www.spywareguide.com/product_show.php?id=9; classtype:trojan-activity; sid:2002163; rev:2;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 745 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Hotbar Spyware"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+host(ie|oe|oi|ol)/i"; reference: url,www.doxdesk.com/parasite/Hotbar.html; reference: url,www.pchell.com/support/hotbar.shtml; classtype:trojan-activity; sid:2002164; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 745 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Hotbar Spyware"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+host(ie|oe|oi|ol)/i"; reference: url,www.doxdesk.com/parasite/Hotbar.html; reference: url,www.pchell.com/support/hotbar.shtml; classtype:trojan-activity; sid:2002164; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 746 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE IESearch Spyware"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Windows SR 2\.0/i"; reference:url,www.spywareguide.com/product_show.php?id=982; classtype:trojan-activity; sid:2002165; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 747 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE iWon Spyware"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+iWonSearchAssistant/i"; reference:url,www.spywareguide.com/product_show.php?id=461; classtype:trojan-activity; sid:2002169; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 748 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Possible Spyware -- Wise User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:5;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 749 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Svcmm Parasite"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+svcmm32\.exe/i"; reference:url,castlecops.com/startuplist-5862.html; reference: url,doxdesk.com/parasite/SvcMM.html; classtype:trojan-activity; sid:2002168; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 749 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Svcmm Parasite"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+svcmm32\.exe/i"; reference:url,castlecops.com/startuplist-5862.html; reference: url,doxdesk.com/parasite/SvcMM.html; classtype:trojan-activity; sid:2002168; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 750
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 751 #by bgallia
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 752 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Adwave/MarketScore User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+WTA_/i"; reference:url,www.adwave.com/our_mission.aspx; reference:url,www.marketscore.com; classtype:trojan-activity; sid:2002394; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 752 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Adwave/MarketScore User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+WTA_/i"; reference:url,www.adwave.com/our_mission.aspx; reference:url,www.marketscore.com; classtype:trojan-activity; sid:2002394; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 753 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Miva User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+TPSystem/i"; reference:url,www.miva.com; reference:url,www.findwhat.com; classtype:trojan-activity; sid:2002395; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 753 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Miva User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+TPSystem/i"; reference:url,www.miva.com; reference:url,www.findwhat.com; classtype:trojan-activity; sid:2002395; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 754 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Miva User Agent 2"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Travel Update/i"; reference:url,www.miva.com; classtype:trojan-activity; sid:2002396; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 755 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Precision Targeting User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+XC_/i"; reference:url,www.precisiontargeting.com; classtype:trojan-activity; sid:2002397; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 756 #Extra content check for snort <2.4.3 doesn't support pure not rules
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 757 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE DelFin Project User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\:"; nocase; content:!"iTunes/"; pcre:"/User-Agent\:[^\n]+Dpi/i"; reference:url,www.delfinproject.com; classtype:trojan-activity; sid:2002398; rev:3;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 758 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE DelFin Project User Agent 2"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+PromulGate/i"; reference:url,www.delfinproject.com; classtype:trojan-activity; sid:2002399; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 759 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE TopInstalls User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:2;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 760 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Web Search User Agent 2"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+ST3PS/i"; reference:url,www.websearch.com; classtype:trojan-activity; sid:2002401; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 761 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Web Search User Agent 3"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+UtilMind HTTPGet/i"; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.websearch.com; classtype:trojan-activity; sid:2002402; rev:2;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 762 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Context Plus User Agent 2"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+PTS/i"; reference:url,www.contextplus.net; classtype:trojan-activity; sid:2002403; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 763 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Movies etc User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+IOInstall/i"; reference:url,www.movies-etc.com; classtype:trojan-activity; sid:2002404; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 764 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Internet Optimizer User Agent 2"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+ROGUE/i"; reference:url,www.internet-optimizer.com; classtype:trojan-activity; sid:2002405; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 765
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 766 #Bob Grabowsky
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 767 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE surfaccuracy Spyware User Agent"; flow:to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SAcc/"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfaccuracy.html; classtype:trojan-activity; sid:2002047; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 768
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 769 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 770 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Virtumonde Spyware siae3123.exe GET"; flow: to_server,established; content:"siae3123.exe"; nocase; reference: url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; sid: 2000306; rev:11; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 771 alert tcp $HOME_NET any - > $EXTERNAL_NET 8081 (msg: "BLEEDING-EDGE Malware Virtumonde Spyware siae3123.exe GET (8081)"; flow: to_server,established; content:"siae3123.exe"; nocase; reference: url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; sid: 2000307; rev:9; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 772 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Virtumonde Spyware Information Post"; flow: to_server,established; content:"POST "; nocase; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; reference: url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; sid: 2000308; rev:8; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 773 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Virtumonde Spyware Code Download mmdom.exe"; flow: to_server,established; uricontent:"/mmdom.exe"; nocase; reference: url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; sid: 2001525; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 774 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Virtumonde Spyware Code Download bkinst.exe"; flow: to_server,established; uricontent:"/bkinst.exe"; nocase; content:"virtumonde.com"; reference: url,www.lurhq.com/iframeads.html; classtype: trojan-activity; sid: 2001526; rev:7; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 775
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 776 #by Matt Jonkman from Listening Post Data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 777 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE VPP Technologies Spyware"; flow:established,to_server; uricontent:"/DittoIA.jsh?pid="; nocase; classtype:trojan-activity; sid:2002348; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 778 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE VPP Technologies Spyware Reporting URL"; flow:established,to_server; uricontent:"/js.vppimage?key="; nocase; classtype:trojan-activity; sid:2002350; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 779
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 780 # Weatherbug - Dale Handy, PE
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 781 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weatherbug"; flow: to_server,established; uricontent:"WxAlertIsapi"; nocase; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; sid: 2001235; rev:9; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 782 #Submitted by Joel Esler
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 783 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weatherbug Capture"; flow: to_server,established; content:"GET"; nocase; content:"Host\:"; nocase; within: 500; content:"weatherbug.com"; nocase; within: 100; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; sid: 2001267; rev:12; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 784 #by M Shirk
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 785 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weatherbug Wxbug Capture"; flow: to_server,established; content:"GET"; nocase; content:"Host\:"; nocase; within: 500; content:"wxbug.com"; nocase; within: 100; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; sid: 2002364; rev:2;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 786
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 787 #Submitted by Matt Jonkman, Tweaks by Bob Grabowsky
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 788 alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE Malware Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; sid: 2001317; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 789 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Webhancer Data Post"; flow: to_server,established; content:"POST http\://prime.webhancer.com"; nocase; content:"AgentTag\:"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; sid: 2001677; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 790 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Webhancer Agent Activity"; flow: to_server,established; content:"Host\:"; nocase; content:"webhancer.com"; within:30; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; sid: 2001678; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 791
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 792 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 793 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Websearch.com Spyware"; flow: to_server,established; uricontent:"/sitereview.asmx/GetReview"; nocase; classtype: trojan-activity; reference:McAfee,131461; sid: 2001325; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 794 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Websearch.com Outbound Dialer Retrieval"; flow: to_server,established; uricontent:"/1/rdgUS10.exe"; nocase; classtype: trojan-activity; reference:McAfee,131461; sid: 2001517; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 795
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 796 #Matt Jonkman from spyware listening post data
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 797 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Websponsors.com Spyware"; flow:to_server,established; pcre:"/\/v\/s=\d+\/p=\d+\/j=\d+\//Ui"; classtype:trojan-activity; sid:2002204; rev:1;)
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 798
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 799 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 800 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weird on the Web /180 Solutions Checkin"; flow: to_server,established; uricontent:"/notifier/config.ini?v="; nocase; reference: url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002036; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 801 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weird on the Web /180 Solutions Update"; flow: to_server,established; uricontent:"/notifier/updates"; nocase; reference: url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002041; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 802
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 803 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 804 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware pool.Westpop.com Spyware Install"; flow: to_server,established; uricontent:"/vcgi/magh/update.cgi?magic="; nocase; classtype: trojan-activity; sid: 2001512; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 805 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware pool.Westpop.com Spyware Updates"; flow: to_server,established; uricontent:"/vcgi/new01"; nocase; classtype: trojan-activity; sid: 2001897; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 806
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 807 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 808 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; uricontent:"/vsn/ISA/"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000908; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 808 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; uricontent:"/vsn/ISA/"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000908; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 809 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; uricontent:"/Appinstall?app=VVSN"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000909; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 809 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; uricontent:"/Appinstall?app=VVSN"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000909; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 810 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=clock"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000910; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 810 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=clock"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000910; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 811 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=weather"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000911; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 811 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=weather"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000911; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 812 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; uricontent:"/clock?id="; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000912; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 812 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; uricontent:"/clock?id="; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000912; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 813 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; uricontent:"/clockDB"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000913; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 813 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; uricontent:"/clockDB"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000913; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 814 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; uricontent:"/weatherDB"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000914; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 814 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; uricontent:"/weatherDB"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000914; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 815 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; uricontent:"/weather?id="; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000915; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 815 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; uricontent:"/weather?id="; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000915; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 816 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=whenusave"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000916; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 816 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=whenusave"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000916; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 817 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval"; flow: to_server,established; uricontent:"/OffersDataGZ?update="; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000917; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 817 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval"; flow: to_server,established; uricontent:"/OffersDataGZ?update="; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000917; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 818 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Desktop Bar Install"; flow: to_server,established; uricontent:"/Appinstall?app=desktop"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000918; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 818 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Desktop Bar Install"; flow: to_server,established; uricontent:"/Appinstall?app=desktop"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000918; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 819 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval"; flow: to_server,established; uricontent:"/SearchDB?update="; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000919; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 819 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval"; flow: to_server,established; uricontent:"/SearchDB?update="; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000919; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 820 #Submitted by Chris Norton
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 821 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Desktop Bar App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=desktop"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2001443; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 821 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Desktop Bar App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=desktop"; nocase; reference: url,www.whenusearch.com; reference: url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2001443; rev:3; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 822
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 823 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 824 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Install"; flow: to_server,established; uricontent:"/updatestats/AI_Euro.exe"; nocase; classtype: trojan-activity; reference:McAfee,122249; sid: 2002008; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 825
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 826 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 827 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Installation"; flow: to_server,established; uricontent:"/Recovery/Checkin.aspx?version"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001307; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 827 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Installation"; flow: to_server,established; uricontent:"/Recovery/Checkin.aspx?version"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001307; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 828 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Checking In"; flow: to_server,established; uricontent:"/CDADeliveries/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001309; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 828 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Checking In"; flow: to_server,established; uricontent:"/CDADeliveries/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001309; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 829 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Traffic"; flow: to_server,established; uricontent:"/CDAFiles/DP/SysConfig"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001310; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 829 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Traffic"; flow: to_server,established; uricontent:"/CDAFiles/DP/SysConfig"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001310; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 830 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent"; flow: to_server,established; uricontent:"/CDAFiles/"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001314; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 830 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent"; flow: to_server,established; uricontent:"/CDAFiles/"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001314; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 831 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent New Install"; flow: to_server,established; uricontent:"/NewUser/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001322; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 831 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent New Install"; flow: to_server,established; uricontent:"/NewUser/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001322; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 832
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 833 #Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 834 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Windupdates.com Spyware Install"; flow: established,to_server; uricontent:"/cab/CDTInc/ie/"; nocase; uricontent:".cab"; nocase; classtype: trojan-activity; sid: 2001700; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 835 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Windupdates.com Spyware Loggin Data"; flow: established,to_server; uricontent:"/logging.php?p="; nocase; content:"Host\: public.windupdates.com"; nocase; classtype: trojan-activity; sid: 2001701; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 836
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 837 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 838 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (1)"; flow: to_server,established; uricontent:"/fa/evil.html"; nocase; classtype: trojan-activity; sid: 2001461; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 839 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs Occuring"; flow: to_server,established; uricontent:"/fa/?d=get"; nocase; classtype: trojan-activity; sid: 2001462; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 840 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http\://xpire.info/i.exe"; nocase; classtype: trojan-activity; sid: 2001463; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 841 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (3)"; flow: to_server,established; uricontent:"/i.exe"; nocase; content:"xpire.info"; nocase; classtype: trojan-activity; sid: 2001464; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 842 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (4)"; flow: to_server,established; uricontent:"/dl/adv121.php"; nocase; classtype: trojan-activity; sid: 2001466; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 843 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (5)"; flow: to_server,established; uricontent:"/dl/adv121/x.chm"; nocase; classtype: trojan-activity; sid: 2001467; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 844 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs CHM Exploit"; flow: to_server,established; uricontent:"/fa/ied_s7m.chm"; nocase; classtype: trojan-activity; sid: 2001468; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 845 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (6)"; flow: to_server,established; uricontent:"/fa/x.chm"; nocase; classtype: trojan-activity; sid: 2001469; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 846 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (7)"; flow: to_server,established; uricontent:"/fa/xpl3.htm"; nocase; classtype: trojan-activity; sid: 2001470; rev:5; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 847 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Spyware Exploit"; flow: to_server,established; uricontent:"/2DimensionOfExploitsEnc.php"; nocase; classtype: trojan-activity; sid: 2001471; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 848 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Spyware Install Reporting"; flow: to_server,established; uricontent:"/xpsystem/report.php?user_id="; nocase; uricontent:"&status=0&country_id="; nocase; classtype: trojan-activity; sid: 2001472; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 849 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Install Code Download"; flow: to_server,established; uricontent:"/install.gz"; nocase; content:"Host\: xpire.info"; nocase; classtype: trojan-activity; sid: 2001491; rev:4; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 850 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Install Report"; flow: to_server,established; content:"counter.htm"; nocase; pcre:"//user\d+/counter\.htm/im"; classtype: trojan-activity; sid: 2001541; rev:7; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 851
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 852 #Thanks James Ashton
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 853 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Yesadvertising Banking Spyware RETRIEVE"; flow: to_server,established; uricontent:"/img1big.gif"; nocase; reference: url,isc.sans.org/presentations/banking_malware.pdf; classtype: trojan-activity; sid: 2000336; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 854 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Yesadvertising Banking Spyware INFORMATION SUBMIT"; flow: to_server,established; uricontent:"/cgi-bin/yes.pl"; nocase; reference: url,isc.sans.org/presentations/banking_malware.pdf; classtype: trojan-activity; sid: 2000337; rev:6; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 855
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 856 #Submitted by Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 857 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware YourSiteBar Data Submision"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; reference: url,www.ysbweb.com; classtype: trojan-activity; sid: 2001698; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 858
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 859 #By Matt Jonkman
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 860 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware yupsearch.com Spyware Install -- protector.exe"; flow: to_server,established; uricontent:"/protector.exe"; nocase; reference: url,www.yupsearch.com; classtype: trojan-activity; sid: 2002092; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 861 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware yupsearch.com Spyware Install -- sideb.exe"; flow: to_server,established; uricontent:"/sideb.exe"; nocase; reference: url,www.yupsearch.com; classtype: trojan-activity; sid: 2002098; rev:1; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 862
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 863 #John Stewart
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 864 alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Zenotecnico Adware"; flow: to_server,established; uricontent:"/cl/clientdump"; content:"zenotecnico"; nocase; reference: url,www.zenotecnico.com; classtype: policy-violation; sid: 2001947; rev:2; )
./snortrules-BLEEDING-2.4/rules/bleeding-malware.rules : 865