[Snort-sigs] More Bagle.AQ rules

Matthew Jonkman mjonkman at ...2436...
Mon Aug 16 07:52:11 EDT 2004


These are on bleeding as well:

# One rule per line: Snort reads each rule from a single physical line (or a
# trailing-backslash continuation), so the mail wrapping below has been undone.
# sid 2001061: outbound HTTP request whose URI contains /2.jpg. The url reference
# type gets http:// prepended by Snort, so the host is given without a scheme.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; reference:url,isc.sans.org/diary.php?date=2004-08-09; uricontent:"/2.jpg"; sid:2001061; rev:2;)
# sid 2001062 / 2001063: inbound connection attempts to port 2480 (TCP and UDP).
# Neither rule carries a content match, so any packet from $EXTERNAL_NET to
# port 2480 on $HOME_NET fires them, including scans that never complete.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2480 (msg:"BLEEDING-EDGE Bagle.AQ Remote Control Connection Attempt Inbound TCP"; reference:url,vil.nai.com/vil/content/v_127423.htm; sid:2001062; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 2480 (msg:"BLEEDING-EDGE Bagle.AQ Remote Control Connection Attempt Inbound UDP"; reference:url,vil.nai.com/vil/content/v_127423.htm; sid:2001063; rev:1;)
# sid 2001064: outbound HTTP request whose URI contains /spyware.php (check-in).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Checking In"; reference:url,vil.nai.com/vil/content/v_127423.htm; uricontent:"/spyware.php"; sid:2001064; rev:1;)

Matt
