[Snort-sigs] Binet Malware Rules

Matthew Jonkman matt at ...2436...
Fri Aug 6 14:48:01 EDT 2004


You're right, that is just hitting on a banner ad URL. It seems to end at:

http://download.abetterinternet.com/download/cabs/OPTI0500/download_complete.htm

I'm altering the rule to sense that URL. Like so:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 
Malware Binet"; uricontent:"/download/cabs/"; nocase; 
uricontent:"download_complete.htm"; nocase; classtype:trojan-activity; 
reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; 
sid:2000366; rev:5;)

Try that one out for accuracy please.

Thanks

Matt

Miner, Jonathan W (CSC) (US SSA) wrote:

> Is anyone else using the "Binet" malware rules from BleedingSnort?  If so, I'm trying to debug a possible false positive condition with sid:2000366
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware Binet";
> uricontent:"/bi/servlet"; nocase; content:"abetterinternet.com"; nocase; classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; sid:2000366; rev:3;)
> 
> This rule correctly matches HTTP requests like this...
> 
> GET http://download.abetterinternet.com/bi/servlet/Banner?d=LOT64106 HTTP/1.0

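The rev:3 and rev:5 forms of sid:2000366 from this thread, modelled as simple pattern matchers and run over sample request lines, added here as an illustration and not code from the thread or from BleedingSnort. The Rule class, the request lines other than the two URLs quoted above, and the simplified handling (every pattern nocase, the request-target used as the URI, the request line used as the payload) are assumptions; a real Snort engine normalises the URI and inspects the whole packet.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """Subset of a Snort rule: all listed patterns must match (logical AND).
    Every pattern is treated as nocase, as in both revisions on the page."""
    sid: int
    rev: int
    uricontents: Tuple[str, ...]  # each must appear in the request URI
    contents: Tuple[str, ...]     # each must appear anywhere in the payload


# rev:3 from the original report and rev:5 from the reply.
REV3 = Rule(2000366, 3, ("/bi/servlet",), ("abetterinternet.com",))
REV5 = Rule(2000366, 5, ("/download/cabs/", "download_complete.htm"), ())


def request_uri(request_line: str) -> str:
    """Return the request-target of an HTTP request line (method SP target SP version)."""
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {request_line!r}")
    return parts[1]


def rule_matches(rule: Rule, payload: str) -> bool:
    """Apply the rule to one HTTP request line standing in for the packet payload."""
    uri = request_uri(payload).lower()
    body = payload.lower()
    return (all(p.lower() in uri for p in rule.uricontents)
            and all(p.lower() in body for p in rule.contents))


def fired(rules: List[Rule], payload: str) -> List[Tuple[int, int]]:
    """(sid, rev) of every rule that would alert on the payload."""
    return [(r.sid, r.rev) for r in rules if rule_matches(r, payload)]


# Constructed request lines: the first is the banner-ad request quoted in the
# thread (the false positive), the second is the download_complete URL the
# reply targets, the third is a hypothetical URL sharing only one pattern.
SAMPLES = [
    "GET http://download.abetterinternet.com/bi/servlet/Banner?d=LOT64106 HTTP/1.0",
    "GET http://download.abetterinternet.com/download/cabs/OPTI0500/download_complete.htm HTTP/1.0",
    "GET http://mirror.example/download/cabs/other/readme.htm HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(fired([REV3, REV5], line), line)
```

Running it shows rev:3 alerting only on the banner request and rev:5 only on the download_complete request; the third line fires neither, because rev:5 requires both uricontent patterns.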