[Snort-sigs] rule to catch "Bargain Buddy" downloads

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at ...2476...
Thu Jul 22 09:31:25 EDT 2004

What a bargain!

I'm seeing requests in my web proxy log similar to:

GET http://download2.us4.outblaze.com/download/bargain_buddy/data/IEPLUG_GLO/CB/2004_07_22.data.zip
GET http://download2.us4.outblaze.com/download/bargain_buddy/data/MEDIAMOTOR/2004_07_22.patch.zip

These were detected by the ZIP file rule, but here is a more specific rule that I've just started to use.  The ZIP rule is triggered by too many "acceptable" requests.

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Bargain Buddy"; uricontent:"/download/bargain_buddy/data"; nocase; classtype:policy-violation; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; sid:1000002; rev:1;)
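
To show why the URI-specific rule is preferable to a generic ZIP rule, here is an added example (not from the post and not Snort's own code): a small Python approximation of uricontent/nocase matching, run over constructed proxy log lines. The generic ZIP rule and its sid are hypothetical placeholders, and the matcher ignores Snort's URI normalisation and flow tracking.

```python
# Added example, not from the original post: a minimal evaluator for the
# uricontent/nocase options of a Snort rule, applied to constructed proxy
# log lines. Approximation only: no URI normalisation, no flow tracking.

BARGAIN_RULE = ('alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Bargain Buddy"; '
                'uricontent:"/download/bargain_buddy/data"; nocase; classtype:policy-violation; '
                'reference:url,www.doxdesk.com/parasite/BargainBuddy.html; sid:1000002; rev:1;)')
# The same rule with a "bargin" misspelling: it never matches the real URLs.
TYPO_RULE = BARGAIN_RULE.replace("bargain_buddy", "bargin_buddy")
# Hypothetical generic ZIP-download rule (placeholder sid) of the kind the post mentions.
ZIP_RULE = ('alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ZIP file download"; '
            'uricontent:".zip"; nocase; classtype:policy-violation; sid:1000999; rev:1;)')

# Constructed proxy log lines: the two from the post, a case variant, and a benign download.
REQUESTS = [
    "GET http://download2.us4.outblaze.com/download/bargain_buddy/data/IEPLUG_GLO/CB/2004_07_22.data.zip",
    "GET http://download2.us4.outblaze.com/download/bargain_buddy/data/MEDIAMOTOR/2004_07_22.patch.zip",
    "GET http://download2.us4.outblaze.com/Download/Bargain_Buddy/Data/MEDIAMOTOR/2004_07_23.patch.zip",
    "GET http://mirror.example.com/pub/tools/release-1.0.zip",
]

def parse_options(rule):
    """Return (msg, [[pattern, nocase], ...]) parsed from the rule's option block."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    msg, patterns = "", []
    for opt in (o.strip() for o in body.split(";") if o.strip()):
        key, _, val = opt.partition(":")
        if key == "msg":
            msg = val.strip('"')
        elif key == "uricontent":
            patterns.append([val.strip('"'), False])
        elif key == "nocase" and patterns:
            patterns[-1][1] = True          # nocase modifies the preceding uricontent
    return msg, patterns

def rule_matches(rule, request_line):
    """True if every uricontent pattern of the rule occurs in the request's URI."""
    uri = request_line.split()[1]          # proxy logs carry the absolute URL as the URI
    for pattern, nocase in parse_options(rule)[1]:
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        if needle not in hay:
            return False
    return True

def alerts(rule, requests):
    """Return (msg, request_line) pairs for every request the rule would alert on."""
    msg = parse_options(rule)[0]
    return [(msg, r) for r in requests if rule_matches(rule, r)]
```

Run over the sample lines, the Bargain Buddy rule fires three times (the case variant included), the misspelled version fires zero times, and the generic ZIP rule also fires on the benign download.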
