Which may be found at http://www.grotto-group.com/~gulfie/projects... maybe
| ./snortrules-VRT_PR-2.4/rules/virus.rules Fri Dec 2 01:26:40 2005 | |
|---|---|
| Filename : line | Rules |
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 1 | # Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 2 | #
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 3 | # This file may contain proprietary rules that were created, tested and
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 4 | # certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 5 | # rules that were created by Sourcefire and other third parties and
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 6 | # distributed under the GNU General Public License (the "GPL Rules"). The
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 7 | # VRT Certified Rules contained in this file are the property of
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 8 | # Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 9 | # The GPL Rules created by Sourcefire, Inc. are the property of
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 10 | # Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 11 | # Reserved. All other GPL Rules are owned and copyrighted by their
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 12 | # respective owners (please see www.snort.org/contributors for a list of
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 13 | # owners and their respective copyrights). In order to determine what
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 14 | # rules are VRT Certified Rules or GPL Rules, please refer to the VRT
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 15 | # Certified Rules License Agreement.
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 16 | #
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 17 | #
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 18 | # $Id: virus.rules,v 1.28.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 19 | #------------
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 20 | # VIRUS RULES
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 21 | #------------
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 22 | #
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 23 | # We don't care about virus rules anymore. BUT, you people won't stop asking
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 24 | # us for virus rules. So... here ya go.
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 25 | #
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 26 | # There is now one rule that looks for any of the following attachment types:
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 27 | #
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 28 | # ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, dot, emf,
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 29 | # eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, mdw, msi, msp,
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 30 | # nws, ocx, pif, pl, pm, pot, pps, ppt, reg, rtf, scr, shs, swf, sys, vb,
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 31 | # vbe, vbs, vcf, vxd, wmd, wmf, wms, wmz, wpd, wpm, wps, wpz, wsc, wsf, wsh,
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 32 | # xlt, xlw
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 33 | #
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 34 |
|
| (review note) | # sid:721 - outbound SMTP attachment-name check: fires on established client-to-server TCP traffic from $HOME_NET to $EXTERNAL_NET port 25.
|
| (review note) | # content: case-insensitive match on "Content-Disposition" plus hex byte 3A (the colon); the pcre then runs relative to the end of that match (R) and case-insensitively (i).
|
| (review note) | # pcre: after "filename =", lazily skips to a dot followed by one of the extensions listed in this file's header comment; the lookahead on the first letter is a pre-filter ahead of the alternation. The extension must be followed by a quote (\x27 or \x22) or whitespace, so a longer extension that merely starts with a listed one does not match.
|
| (review note) | # Coverage: only cleartext traffic to port 25 is inspected, and only the declared attachment name, never the file content; treat a hit as a triage lead (classtype suspicious-filename-detect), not a malware verdict.
|
| (review note) | # Tuning: several listed types (e.g. ppt, rtf, vcf) are common in legitimate mail, so expect noise. NOTE(review): confirm the $HOME_NET scope; alerts sourced from the site's own mail relay and alerts from workstations talking directly to external port 25 likely warrant different handling.
|
| ./snortrules-VRT_PR-2.4/rules/virus.rules : 35 | alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:8;)
|