[Snort-sigs] Scob Updates

Matthew Jonkman matt at ...2436...
Thu Jul 8 17:29:32 EDT 2004


Joseph's scob rules inspired me to update the existing bleeding rules 
and remove the redundant ones. These will be posted shortly:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Scob Code in Transit"; content:"function gc099"; classtype:trojan-activity; sid:2000312; rev:3;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Client Downloading Scob Code From Compromised Web Server"; content:"qxco7=document"; content:"qxco7.indexOf"; classtype:trojan-activity; sid:2000316; rev:3;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Scob Exploit Javascript Detected"; content:"var qxco7=document.cookie"; sid:2000317; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IE msits.exe Download Detected"; content:"|BA AC C7 AD C7 48 83 D1 CA 68 81 26 8B 6C F3 29 00 28 A3 2E 00 38 A3 36 02 6E 3F 25 8B 6C 87 E5 D8 3A D0 AD CF 48 97 76 E1 92 EF 26 9B 2C 87 42|"; sid:2000318; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Scob Exploit in Transit (Encoded)"; content:"%6D"; nocase; content:"%53%74%72%65%61%6D"; nocase; content:"%41%44%4F%44%42%2E"; nocase; classtype:trojan-activity; sid:2000319; rev:2;)

alert tcp $HOME_NET any -> 217.107.218.147 any (msg:"BLEEDING-EDGE Infected Client contacting 217.107.218.147"; classtype:trojan-activity; sid:2000322; rev:1;)

Matt
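As an added example (not part of Matt's post or of the Bleeding Edge ruleset itself), the Python below applies the content matches from the rules above to a few constructed HTTP payloads. It implements only the subset of Snort content semantics these rules use: |..| hex runs inside a content string, the nocase modifier, and the fact that several content options in one rule are independent substring tests that must all hit (there is no distance/within/offset/depth here, so order and position do not matter). The payloads, the MSITS_HEX constant and the function names are assumptions made for the example; sid 2000322 is left out because it has no content match and keys on the destination address, which a payload-only matcher cannot see.

```python
import re

# Hex bytes from the msits.exe rule above, held once so the rule text and the sample reuse it.
MSITS_HEX = ("BA AC C7 AD C7 48 83 D1 CA 68 81 26 8B 6C F3 29 00 28 A3 2E 00 38 A3 36 "
             "02 6E 3F 25 8B 6C 87 E5 D8 3A D0 AD CF 48 97 76 E1 92 EF 26 9B 2C 87 42")

# The content-based rules from the post, one rule per string (sid 2000322 omitted, see lead-in).
RULES = [
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Scob Code in Transit"; '
    'content:"function gc099"; classtype:trojan-activity; sid:2000312; rev:3;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Client Downloading Scob Code '
    'From Compromised Web Server"; content:"qxco7=document"; content:"qxco7.indexOf"; '
    'classtype:trojan-activity; sid:2000316; rev:3;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Scob Exploit Javascript Detected"; '
    'content:"var qxco7=document.cookie"; sid:2000317; rev:2;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IE msits.exe Download Detected"; '
    f'content:"|{MSITS_HEX}|"; sid:2000318; rev:2;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Scob Exploit in Transit (Encoded)"; '
    'content:"%6D"; nocase; content:"%53%74%72%65%61%6D"; nocase; content:"%41%44%4F%44%42%2E"; nocase; '
    'classtype:trojan-activity; sid:2000319; rev:2;)',
]


def split_options(rule):
    """Return the option tokens inside the rule's (...) body, split on ';' outside double quotes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    tokens, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):       # keep escapes intact for content_to_bytes
            cur.append(ch + body[i + 1]); i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tokens.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    if "".join(cur).strip():
        tokens.append("".join(cur).strip())
    return tokens


def content_to_bytes(spec):
    """Turn a Snort content string (text with optional |hex| runs) into raw bytes.
    Escaped pipes (\\|) are not handled; none of the rules above use them."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                              # odd parts sit between pipes: hex bytes
            out += bytes.fromhex(part)
        else:                                       # undo the backslash escapes Snort requires
            out += re.sub(r'\\([\\";:])', r"\1", part).encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Return (sid, [(needle_bytes, nocase), ...]) for one rule."""
    sid, contents = None, []
    for tok in split_options(rule):
        key, _, val = tok.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            contents.append([content_to_bytes(val.strip('"')), False])
        elif key == "nocase" and contents:          # nocase modifies the preceding content
            contents[-1][1] = True
        elif key == "sid":
            sid = int(val)
    return sid, [tuple(c) for c in contents]


PARSED = [parse_rule(r) for r in RULES]


def rule_matches(contents, payload):
    """Every content must occur somewhere in the payload; nocase folds ASCII case on both sides."""
    for needle, nocase in contents:
        hay = payload
        if nocase:
            needle, hay = needle.lower(), payload.lower()
        if needle not in hay:
            return False
    return True


def matching_sids(payload):
    """sids of the content rules that fire on this payload, ascending."""
    return sorted(sid for sid, contents in PARSED if contents and rule_matches(contents, payload))


# Constructed sample payloads (not real captures).
JS_PAGE = b'<html><script>var qxco7=document.cookie;if(qxco7.indexOf("s")<0){}</script></html>'
ENCODED_PAGE = b'<script>a=unescape("%41%44%4f%44%42%2e%53%74%72%65%61%6d")</script>'
MSITS_BLOB = b"MZ" + bytes.fromhex(MSITS_HEX) + b"\x00" * 8

if __name__ == "__main__":
    for name, p in [("js", JS_PAGE), ("encoded", ENCODED_PAGE), ("msits", MSITS_BLOB),
                    ("upper", b"VAR QXCO7=DOCUMENT.COOKIE")]:
        print(name, matching_sids(p))
```

The last sample shows the practical caveat: sids 2000316 and 2000317 carry no nocase, so an upper-cased copy of the same script is not matched, while the lower-case percent-encoded page still trips sid 2000319 because its contents are nocase.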
