[Snort-sigs] warez site sigs

Chris Green cmg at ...26...
Thu Dec 21 13:07:02 EST 2000


Just to help us figure out what is going to be causing our inet
connection to be maxed out next.

1MB files get uploaded for speed testing.

alert tcp any any -> $HOME_NET 21 (msg:"STOR 1MB - possible warez site"; flags:PA; content:"STOR 1MB"; nocase; depth: 8;)
alert tcp any any -> $HOME_NET 21 (msg:"RETR 1MB - possible warez site"; flags:PA; content:"RETR 1MB"; nocase; depth: 8;)
alert tcp any any -> $HOME_NET 21 (msg:"CWD /<space> - possible warez site"; flags:PA; content:"CWD / "; nocase; depth: 6;)
alert tcp any any -> $HOME_NET 21 (msg:"CWD <space> - possible warez site"; flags:PA; content:"CWD  "; nocase; depth: 5;)
alert tcp any any -> $HOME_NET 21 (msg:"CWD ' ' - possible warez site"; flags:PA; content:"CWD  "; nocase; depth: 5;)
alert tcp any any -> $HOME_NET 21 (msg:"MKD /<space> - possible warez site"; flags:PA; content:"MKD / "; nocase; depth: 6;)
alert tcp any any -> $HOME_NET 21 (msg:"MKD <space> - possible warez site"; flags:PA; content:"MKD  "; nocase; depth: 5;)
alert tcp any any -> $HOME_NET 21 (msg:"MKD . - possible warez site"; flags:PA; content:"MKD ."; nocase; depth: 5;)
-- 
Chris Green <cmg at ...26...>
"When the going gets weird, the weird turn pro..."
                            -- Hunter S. Thompson
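
Added example, not part of the original post: a small Python emulation of the content/nocase/depth matching used by the rules above, run over constructed FTP control-channel payloads to show what alerts and what does not. The rule labels, the match_rules helper and the sample commands are assumptions made for this sketch; the flags:PA check is not modelled.

```python
# Added example: emulates Snort's content / nocase / depth matching for the
# rules in this post. It ignores flags:PA and looks only at the payload.

# (label, content, depth) copied from the rules above. The two rules with
# identical content "CWD  " are listed once. Labels are illustrative.
RULES = [
    ("STOR 1MB", b"STOR 1MB", 8),
    ("RETR 1MB", b"RETR 1MB", 8),
    ("CWD /<space>", b"CWD / ", 6),
    ("CWD <space>", b"CWD  ", 5),
    ("MKD /<space>", b"MKD / ", 6),
    ("MKD <space>", b"MKD  ", 5),
    ("MKD .", b"MKD .", 5),
]


def match_rules(payload: bytes) -> list[str]:
    """Return the label of every rule whose content occurs, ignoring case,
    within the first `depth` bytes of the payload."""
    hits = []
    for label, content, depth in RULES:
        # depth limits the search window; with depth == len(content) the
        # content must sit at the very start of the payload.
        window = payload[:depth].lower()
        if content.lower() in window:
            hits.append(label)
    return hits


# Constructed sample FTP commands (not captured traffic).
SAMPLES = [
    b"STOR 1mb.bin\r\n",    # speed-test upload, matched via nocase
    b"MKD  tagged\r\n",     # directory name starting with a space
    b"MKD .hidden\r\n",     # dot-prefixed directory
    b"MKD ./docs\r\n",      # ordinary relative path, still hits "MKD ."
    b"CWD /pub\r\n",        # ordinary navigation, no alert
    b"SITE STOR 1MB\r\n",   # content lies beyond depth, no alert
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", match_rules(sample) or "no alert")
```

The "MKD ./docs" sample shows where the "MKD ." rule would need tuning on servers whose clients send relative paths.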



