[Snort-sigs] snort-rules CURRENT update @ Sun Jun 8 03:34:04 2003

bmc at ...95... bmc at ...95...
Sun Jun 8 00:34:02 EDT 2003


This rule update was brought to you by Oinkmaster.
Written by Andreas Östling <andreaso at ...58...>


[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> deleted.rules
     alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|"; reference:MCAFEE,10109; sid:743;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; content: "|6E 61 6D 65 20 3D 22 58 2D 4D 41 53 2E 45 58 45 22|"; reference:MCAFEE,10461; sid:778;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; content:"Suddlently"; sid:720;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; content: "filename="; content:".xls.vbs"; nocase; sid:796;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "myromeo.exe"; nocase; sid:723;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; content: "filename="; content:"eurocalculator.exe"; nocase; sid:737;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; content: "filename=\"IRNGLANT.EXE\""; nocase; reference:MCAFEE,10540; sid:780;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; content: "filename=\"MONICA.EXE\""; nocase; reference:MCAFEE,10540; sid:785;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; content: "filename=\"BABY.EXE\""; nocase; reference:MCAFEE,10540; sid:767;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Worm -  gif.vbs file"; content: "filename="; content:".gif.vbs"; nocase; sid:798;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; content: "|6E 61 6D 65 20 3D 22 54 48 45 5F 46 4C 59 2E 43 48 4D 22|"; sid:790;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; content: "filename=\"PANTHER.EXE\""; nocase; reference:MCAFEE,10540; sid:787;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|"; reference:MCAFEE,10109; sid:741;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; content: "filename=\"GOAL.EXE\""; nocase; reference:MCAFEE,10540; sid:786;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; content:"BubbleBoy is back!"; reference:MCAFEE,10418; sid:775;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; content: "filename=\"tune.vbs\""; nocase; reference:MCAFEE,10497; sid:740;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus Possible Suppl Worm"; content: "filename=\"Suppl.doc\""; nocase; reference:MCAFEE,10361; sid:752;  classtype:misc-activity; rev:5;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; content:"|4C 49 4E 4B 53 2E 56 42 53|"; reference:MCAFEE,10225; sid:746;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|"; reference:MCAFEE,10109; sid:744;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; content: "filename=\"GADGET.EXE\""; nocase; reference:MCAFEE,10540; sid:779;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; content: "NAVIDAD.EXE"; nocase; sid:722;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - theobbq.exe"; content: "filename=\"THEOBBQ.EXE\""; nocase; reference:MCAFEE,10540; sid:753;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "I Love You"; sid:726;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "my picture from shake-beer"; sid:728;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; content: "filename=\"GOAL1.EXE\""; nocase; reference:MCAFEE,10540; sid:764;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; content: "filename=\"BOSS.EXE\""; nocase; reference:MCAFEE,10540; sid:769;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|"; reference:MCAFEE,10109; sid:742;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "ble bla"; nocase; sid:725;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:731;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; content: "filename=\"KAK.HTA\""; nocase; reference:MCAFEE,10509; sid:751;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; content: "filename=\"PIRATE.EXE\""; nocase; reference:MCAFEE,10540; sid:765;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; content: "filename=\"VIDEO.EXE\""; nocase; reference:MCAFEE,10540; sid:766;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; content: "filename=\"BBOY.EXE\""; nocase; reference:MCAFEE,10540; sid:784;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; content: "filename="; content:".jpg.vbs"; nocase; sid:797;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; content:"|6E 61 6D 65 20 3D 22 6C 69 6E 6B 73 2E 76 62 73 22|"; sid:774;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "myjuliet.chm"; nocase; sid:724;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"RESUME1.DOC\""; nocase; reference:MCAFEE,98661; sid:792;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; content: "filename=\"COOLER1.EXE\""; nocase; reference:MCAFEE,10540; sid:768;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; content: "filename=\"HOG.EXE\""; nocase; reference:MCAFEE,10540; sid:763;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:9;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Worm -  txt.vbs file"; content: "filename="; content:".txt.vbs"; nocase; sid:795;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; content: "filename=\"G-ZILLA.EXE\""; nocase; reference:MCAFEE,10540; sid:770;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; content: "filename=\"PARTY.EXE\""; nocase; reference:MCAFEE,10540; sid:762;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"Explorer.doc\""; nocase; reference:MCAFEE,98661; sid:794;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; content: "filename=\"Toadie.exe\""; nocase; reference:MCAFEE,10540; sid:771;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; content: "Software provide by [MATRiX]"; nocase;  sid:734;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "Sorry... Hey you !"; sid:727;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; content: "filename=\"666TEST.VBS\""; nocase; reference:MCAFEE,10389; sid:739;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; content: "filename=\"COOLER3.EXE\""; nocase; reference:MCAFEE,10540; sid:761;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; content: "filename=\"CHESTBURST.EXE\""; nocase; reference:MCAFEE,10540; sid:788;  classtype:misc-activity; rev:4;)
     alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; content:"Pikachu Pokemon"; reference:MCAFEE,98696; sid:738;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; content: "filename=\"ICQ_GREETINGS.EXE\""; nocase; reference:MCAFEE,10467; sid:760;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"NORMAL.DOT\""; nocase; reference:MCAFEE,98661; sid:800;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; content: "filename=\"SADDAM.EXE\""; nocase; reference:MCAFEE,10540; sid:783;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; content: "filename=\"THE_FLY.CHM\""; nocase; reference:MCAFEE,10478; sid:758;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; content: "|6E 61 6D 65 20 3D 22 46 69 6C 65 5F 7A 69 70 70 61 74 69 2E 65 78 65 22|"; reference:MCAFEE,10471; sid:749;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - copier.exe"; content: "filename=\"COPIER.EXE\""; nocase; reference:MCAFEE,10540; sid:776;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; content: "filename=\"FARTER.EXE\""; nocase; reference:MCAFEE,1054; sid:789;  classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:10;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "Matrix has you..."; sid:735;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; content:"\\CoolProgs\\";offset:300;depth:750; reference:MCAFEE,10175; sid:772;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; content: "filename=\"Fix2001.exe\""; nocase; reference:MCAFEE,10355; sid:756;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; content: "filename=\"irok.exe\""; nocase; reference:MCAFEE,98552; sid:755;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; content: "|6E 61 6D 65 20 3D 22 70 69 63 73 34 79 6F 75 2E 65 78 65 22|"; reference:MCAFEE,10467; sid:777;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; content:"X-Spanska\:Yes"; reference:MCAFEE,10144; sid:773;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; content: "filename="; content:".doc.vbs"; nocase; sid:801;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; content: "filename=\"DINHEIRO.DOC\""; nocase; reference:MCAFEE,10502; sid:759;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; content: "filename=\"MONEY.DOC\""; nocase; reference:MCAFEE,10502; sid:754;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; content: "filename=\"TIMOFONICA.TXT.vbs\""; nocase; reference:MCAFEE,98674; sid:799;  classtype:misc-activity; rev:4;)
     alert tcp any any -> any 25 (msg:"Virus - Possible QAZ Worm Calling Home"; content:"nongmin_cn"; reference:MCAFEE,98775; sid:733;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; content: "filename=\"SETUP.EXE\""; nocase; sid:747;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; content: "filename=\"Y2K.EXE\""; nocase; reference:MCAFEE,10505; sid:757;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; content: "filename=\"FBORFW.EXE\""; nocase; reference:MCAFEE,10540; sid:782;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; content: "|6E 61 6D 65 20 3D 22 42 41 44 41 53 53 2E 45 58 45 22|"; reference:MCAFEE,10388; sid:748;  classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; flow:to_server,established; dsize:>120; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; content: "filename=\"XPASS.XLS\""; nocase; reference:MCAFEE,10145; sid:745;  classtype:misc-activity; rev:4;)
     alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; content: "funguscrack at ...12..."; nocase; sid:736;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; content: "filename=\"CUPID2.EXE\""; nocase; reference:MCAFEE,10540; sid:791;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; content: "filename=\"CASPER.EXE\""; nocase; reference:MCAFEE,10540; sid:781;  classtype:misc-activity; rev:4;)
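Review bot: The reference on sid 789 (the farter.exe rule in this section) reads `reference:MCAFEE,1054`, while every other NewApt.Worm rule here cites `MCAFEE,10540`, so the value looks truncated; the rule is being retired into deleted.rules, so the effect is cosmetic, but the retired copy is the last record of it and should read `reference:MCAFEE,10540`. The two RPC portmap tooltalk rules (sid 1299 and sid 1298, both carrying CVE references and rev bumps to 9 and 10) are retired in the same batch as the POP3 virus signatures; their removed counterparts are not in the visible part of this report, so whether a replacement detection exists elsewhere cannot be confirmed from here. A header comment in deleted.rules stating why each group was retired would make that intent clear to sites that keep deleted.rules loaded.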

     file -> virus.rules
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .reg file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".reg|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2164; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hsq file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".hsq|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2173; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .ini file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".ini|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2165; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vxd file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".vxd|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2170; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .bat file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".bat|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2166; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .com file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".com|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2172; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .dll file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".dll|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2169; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".hta|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .sys file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".sys|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2171; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".doc|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .cpp file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".cpp|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2168; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .chm file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".chm|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2163; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".exe|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .diz file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".diz|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2167; rev:1;)
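Review bot: In each of the fourteen OUTBOUND attachment rules (sid 2160 through 2173) the single `nocase;` sits after the last content match, so it applies only to the `.ext|22|` pattern; the `Content-Disposition|3a|` and `filename=|22|` matches stay case-sensitive even though MIME header field and parameter names are case-insensitive, so a header written as `Content-disposition:` or `FileName="` is not matched. The fix is the same in every rule: `content:"Content-Disposition|3a|"; nocase; content:"filename=|22|"; nocase; distance:0; within:30;`. The `|22|` in the second match also means a filename parameter given without quotes, which is valid when the value is a plain token, is not covered; if that is deliberate, a comment above the group saying so would save the next maintainer from re-deriving it.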

     file -> netbios.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg access"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|a2|"; offset:4; depth:5; content:"\\winreg|00|"; offset:85; nocase; classtype:attempted-recon; sid:2174; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Startup Folder access attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|32|"; offset:4; depth:5; content:"Documents and Settings\\All Users\\Start Menu\\Programs\\Startup|00|"; classtype:attempted-recon; sid:2176; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg access (unicode)"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|a2|"; offset:4; depth:5; content:"\\|00|w|00|i|00|n|00|r|00|e|00|g|00|"; nocase; offset:85; classtype:attempted-recon; sid:2175; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Startup Folder access attempt (unicode)"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|32|"; offset:4; depth:5; content:"\\|00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00|\\|00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00|\\|00|S|00|t|00|a|00|r|00|t|00|u|00|p"; classtype:attempted-recon; sid:2177; rev:1;)
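Review bot: The two Startup Folder rules (sid 2176 and sid 2177) have no `nocase;` on their path content, while the two winreg rules beside them (sid 2174, 2175) do; SMB path names are not case-sensitive, so the Startup rules should carry `nocase;` after the path content as the winreg rules do. The ASCII and unicode variants also disagree on what they match: sid 2176 requires the full `Documents and Settings\All Users\Start Menu\Programs\Startup|00|` prefix, whereas sid 2177 starts at `\Start Menu\Programs\Startup` and omits the trailing `|00|` terminator, so one of the two is narrower than the other and it is not clear which scope was intended. Aligning both on the same path fragment and terminator, and noting in a comment that the hard-coded English folder names presumably do not match localized Windows installs, would make the coverage of this pair explicit.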

  [---]          Removed:          [---]

     file -> virus.rules
     alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|"; reference:MCAFEE,10109; sid:743;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; content: "|6E 61 6D 65 20 3D 22 58 2D 4D 41 53 2E 45 58 45 22|"; reference:MCAFEE,10461; sid:778;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; content:"Suddlently"; sid:720;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; content: "filename="; content:".xls.vbs"; nocase; sid:796;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "myromeo.exe"; nocase; sid:723;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; content: "filename="; content:"eurocalculator.exe"; nocase; sid:737;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; content: "filename=\"MONICA.EXE\""; nocase; reference:MCAFEE,10540; sid:785;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; content: "filename=\"IRNGLANT.EXE\""; nocase; reference:MCAFEE,10540; sid:780;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; content: "filename=\"BABY.EXE\""; nocase; reference:MCAFEE,10540; sid:767;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Worm -  gif.vbs file"; content: "filename="; content:".gif.vbs"; nocase; sid:798;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; content: "|6E 61 6D 65 20 3D 22 54 48 45 5F 46 4C 59 2E 43 48 4D 22|"; sid:790;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; content: "filename=\"PANTHER.EXE\""; nocase; reference:MCAFEE,10540; sid:787;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|"; reference:MCAFEE,10109; sid:741;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; content: "filename=\"GOAL.EXE\""; nocase; reference:MCAFEE,10540; sid:786;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; content:"BubbleBoy is back!"; reference:MCAFEE,10418; sid:775;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus Possible Suppl Worm"; content: "filename=\"Suppl.doc\""; nocase; reference:MCAFEE,10361; sid:752;  classtype:misc-activity; rev:4;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; content:"|4C 49 4E 4B 53 2E 56 42 53|"; reference:MCAFEE,10225; sid:746;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; content: "filename=\"tune.vbs\""; nocase; reference:MCAFEE,10497; sid:740;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|"; reference:MCAFEE,10109; sid:744;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; content: "filename=\"GADGET.EXE\""; nocase; reference:MCAFEE,10540; sid:779;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; content: "NAVIDAD.EXE"; nocase; sid:722;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - theobbq.exe"; content: "filename=\"THEOBBQ.EXE\""; nocase; reference:MCAFEE,10540; sid:753;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "I Love You"; sid:726;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "my picture from shake-beer"; sid:728;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; content: "filename=\"GOAL1.EXE\""; nocase; reference:MCAFEE,10540; sid:764;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; content: "filename=\"BOSS.EXE\""; nocase; reference:MCAFEE,10540; sid:769;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|"; reference:MCAFEE,10109; sid:742;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "ble bla"; nocase; sid:725;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:731;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; content: "filename=\"KAK.HTA\""; nocase; reference:MCAFEE,10509; sid:751;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; content: "filename=\"PIRATE.EXE\""; nocase; reference:MCAFEE,10540; sid:765;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; content: "filename="; content:".jpg.vbs"; nocase; sid:797;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; content: "filename=\"BBOY.EXE\""; nocase; reference:MCAFEE,10540; sid:784;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; content: "filename=\"VIDEO.EXE\""; nocase; reference:MCAFEE,10540; sid:766;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "myjuliet.chm"; nocase; sid:724;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; content:"|6E 61 6D 65 20 3D 22 6C 69 6E 6B 73 2E 76 62 73 22|"; sid:774;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"RESUME1.DOC\""; nocase; reference:MCAFEE,98661; sid:792;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; content: "filename=\"COOLER1.EXE\""; nocase; reference:MCAFEE,10540; sid:768;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; content: "filename=\"HOG.EXE\""; nocase; reference:MCAFEE,10540; sid:763;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Worm -  txt.vbs file"; content: "filename="; content:".txt.vbs"; nocase; sid:795;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; content: "filename=\"G-ZILLA.EXE\""; nocase; reference:MCAFEE,10540; sid:770;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; content: "filename=\"PARTY.EXE\""; nocase; reference:MCAFEE,10540; sid:762;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"Explorer.doc\""; nocase; reference:MCAFEE,98661; sid:794;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; content: "filename=\"Toadie.exe\""; nocase; reference:MCAFEE,10540; sid:771;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; content: "Software provide by [MATRiX]"; nocase;  sid:734;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "Sorry... Hey you !"; sid:727;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; content: "filename=\"666TEST.VBS\""; nocase; reference:MCAFEE,10389; sid:739;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; content: "filename=\"COOLER3.EXE\""; nocase; reference:MCAFEE,10540; sid:761;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; content: "filename=\"CHESTBURST.EXE\""; nocase; reference:MCAFEE,10540; sid:788;  classtype:misc-activity; rev:3;)
     alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; content:"Pikachu Pokemon"; reference:MCAFEE,98696; sid:738;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; content: "filename=\"ICQ_GREETINGS.EXE\""; nocase; reference:MCAFEE,10467; sid:760;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"NORMAL.DOT\""; nocase; reference:MCAFEE,98661; sid:800;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; content: "|6E 61 6D 65 20 3D 22 46 69 6C 65 5F 7A 69 70 70 61 74 69 2E 65 78 65 22|"; reference:MCAFEE,10471; sid:749;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; content: "filename=\"THE_FLY.CHM\""; nocase; reference:MCAFEE,10478; sid:758;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; content: "filename=\"SADDAM.EXE\""; nocase; reference:MCAFEE,10540; sid:783;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - copier.exe"; content: "filename=\"COPIER.EXE\""; nocase; reference:MCAFEE,10540; sid:776;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; content: "filename=\"FARTER.EXE\""; nocase; reference:MCAFEE,1054; sid:789;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "Matrix has you..."; sid:735;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; content:"\\CoolProgs\\";offset:300;depth:750; reference:MCAFEE,10175; sid:772;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; content: "filename=\"Fix2001.exe\""; nocase; reference:MCAFEE,10355; sid:756;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; content: "filename=\"irok.exe\""; nocase; reference:MCAFEE,98552; sid:755;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; content: "|6E 61 6D 65 20 3D 22 70 69 63 73 34 79 6F 75 2E 65 78 65 22|"; reference:MCAFEE,10467; sid:777;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; content: "filename="; content:".doc.vbs"; nocase; sid:801;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; content:"X-Spanska\:Yes"; reference:MCAFEE,10144; sid:773;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; content: "filename=\"DINHEIRO.DOC\""; nocase; reference:MCAFEE,10502; sid:759;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; content: "filename=\"MONEY.DOC\""; nocase; reference:MCAFEE,10502; sid:754;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; content: "filename=\"TIMOFONICA.TXT.vbs\""; nocase; reference:MCAFEE,98674; sid:799;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; content: "filename=\"SETUP.EXE\""; nocase; sid:747;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; content: "filename=\"FBORFW.EXE\""; nocase; reference:MCAFEE,10540; sid:782;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; content: "filename=\"Y2K.EXE\""; nocase; reference:MCAFEE,10505; sid:757;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; content: "|6E 61 6D 65 20 3D 22 42 41 44 41 53 53 2E 45 58 45 22|"; reference:MCAFEE,10388; sid:748;  classtype:misc-activity; rev:3;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; flow:to_server,established; dsize:>120; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:2;)
     alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; content: "filename=\"XPASS.XLS\""; nocase; reference:MCAFEE,10145; sid:745;  classtype:misc-activity; rev:3;)
     alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; content: "funguscrack at ...12..."; nocase; sid:736;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; content: "filename=\"CUPID2.EXE\""; nocase; reference:MCAFEE,10540; sid:791;  classtype:misc-activity; rev:3;)
     alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; content: "filename=\"CASPER.EXE\""; nocase; reference:MCAFEE,10540; sid:781;  classtype:misc-activity; rev:3;)

  [///]       Modified active:     [///]

     file -> virus.rules
     old: alert tcp any 110 -> any any (msg:"Virus - Mail .VBS"; content:"multipart"; content:"name="; content:".vbs"; nocase; sid:793;  classtype:misc-activity; rev:3;)
     new: alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".vbs|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:4;)
     old: alert tcp any 110 -> any any (msg:"Virus - Possible pif Worm"; content: ".pif"; nocase; sid:721;  classtype:misc-activity; rev:3;)
     new: alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .pif file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".pif|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:721; rev:4;)
     old: alert tcp any 110 -> any any (msg:"Virus - Possible shs Worm"; content: ".shs"; nocase; sid:730;  classtype:misc-activity; rev:3;)
     new: alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".shs|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:4;)
     old: alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content: ".scr"; nocase; sid:729;  classtype:misc-activity; rev:3;)
     new: alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .scr file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".scr|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:729; rev:4;)
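Review bot: In all four rewritten rules (sids 793, 721, 730, 729) the `nocase` modifier is attached only to the final content match (`.vbs|22|`, `.pif|22|`, `.shs|22|`, `.scr|22|`), so `Content-Disposition|3a|` and `filename=|22|` are matched case-sensitively even though MIME header and parameter names are case-insensitive; a message using `content-disposition:` or `FILENAME="` is not matched by any of them. Each rule should carry the modifier on all three matches, e.g. `content:"Content-Disposition|3a|"; nocase; content:"filename=|22|"; distance:0; within:30; nocase; content:".vbs|22|"; distance:0; within:30; nocase;`. The `within:30` after `filename=|22|` also means a filename whose extension starts more than 26 bytes into the name is not detected, and the trailing `|22|` requires a quoted filename, so `filename=foo.scr` unquoted is missed; that limitation is presumably acceptable for a cheap header check but deserves a comment in virus.rules, such as `# only matches quoted filenames of <= ~26 chars before the extension`.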

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "deleted.rules":
       # dup of 588
       # dup of 1274
       # these virus rules suck.
    -> File "virus.rules":
       # These rules are going away.  We don't care about virus rules anymore.

  [---]      Removed lines:      [---]
    -> File "virus.rules":
       # These rules are going away.  We don't care about virus rules anymore. 




