[Snort-sigs] More rules

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Mon Jun 3 11:36:04 EDT 2002


The recent rules I submitted generated quite a number of positive hits for
us... And along with those we've found a fair amount of other matches that
are common among these types of sites. Unfortunately most of these are
porn... But there is one KLEZ rule (which we've found matches 100% of the
time).

We have SMTP and SMTP_PORT internally... 99.99% of the world probably uses
only 25... So no need to create the var for 25.

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"VIRUS Klez Incoming"; flow:to_server,established; dsize:>120; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity;)

And the porn ones... 

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fetish"; content:"fetish"; nocase; flow:to_client,established; classtype:kickass-porn;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN masturbation"; content:"masturbat"; nocase; flow:to_client,established; classtype:kickass-porn;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN ejaculation"; content:"ejaculat"; nocase; flow:to_client,established; classtype:kickass-porn;)

I think this next one should be a replacement for the hardcore one... 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN rape"; content:"rape"; nocase; flow:to_client,established; classtype:kickass-porn;)

For those who love olive oil...
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; content:"virgin"; nocase; flow:to_client,established; classtype:kickass-porn;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN BDSM"; content:"BDSM"; nocase; flow:to_client,established; classtype:kickass-porn;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN erotica"; content:"erotic"; nocase; flow:to_client,established; classtype:kickass-porn;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fisting"; content:"fisting"; nocase; flow:to_client,established; classtype:kickass-porn;)