[Snort-sigs] rule to catch "Bargain Buddy" downloads
Miner, Jonathan W (CSC) (US SSA)
jonathan.w.miner at ...2476...
Thu Jul 22 09:31:25 EDT 2004
What a bargain!
I'm seeing requests in my web proxy log similar to:
These were detected by the ZIP file rule, but here is a more specific rule that I've just started to use. The ZIP rule is triggered by too many "acceptable" requests.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Bargain Buddy"; uricontent:"/download/bargin_buddy/data"; nocase; classtype: policy-violation; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; sid:1000002; rev:1;)
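As an added illustration, not part of the post above, the following Python script pulls the uricontent and nocase options out of the posted rule and applies the same substring check to a few constructed Squid-style proxy log lines (the hostnames, client addresses and log format are assumed), which shows which proxy entries the Snort rule would have flagged, including a mixed-case path that only matches because of nocase.

```python
import re
from typing import Dict, List

# The Bargain Buddy rule from the post, used as input to the small option parser below.
BARGAIN_BUDDY_RULE = (
    'alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Bargain Buddy"; '
    'uricontent:"/download/bargin_buddy/data"; nocase; classtype: policy-violation; '
    'reference:url,www.doxdesk.com/parasite/BargainBuddy.html; sid:1000002; rev:1;)'
)

def parse_rule_options(rule: str) -> Dict[str, str]:
    """Return the option keywords of a Snort rule body as a dict (bare flags map to '')."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    options = {}
    # Split on ';' outside double quotes so a quoted value containing ';' stays intact.
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', body):
        key, _, value = opt.strip().partition(":")
        options[key.strip()] = value.strip().strip('"')
    return options

def rule_matches_uri(options: Dict[str, str], uri: str) -> bool:
    """Apply the rule's uricontent (honouring nocase) to a request path."""
    needle, haystack = options["uricontent"], uri
    if "nocase" in options:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack

# Constructed Squid-style log lines: timestamp, elapsed, client, status, bytes, method, URL, ...
SAMPLE_PROXY_LOG = """\
1090500000.123    312 10.0.0.15 TCP_MISS/200 48213 GET http://example.invalid/download/bargin_buddy/data/bb.zip - DIRECT/192.0.2.10 application/zip
1090500001.456     88 10.0.0.22 TCP_HIT/200 1020 GET http://example.invalid/index.html - NONE/- text/html
1090500002.789    540 10.0.0.31 TCP_MISS/200 77000 GET http://example.invalid/DOWNLOAD/BARGIN_BUDDY/DATA/update.cab - DIRECT/192.0.2.10 application/octet-stream
1090500003.012    200 10.0.0.40 TCP_MISS/200 9000 GET http://example.invalid/download/other/data/file.zip - DIRECT/192.0.2.11 application/zip
"""

def find_bargain_buddy_hits(log_text: str, rule: str = BARGAIN_BUDDY_RULE) -> List[str]:
    """Return client IPs whose proxied request URL the rule's uricontent would match."""
    options = parse_rule_options(rule)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        # Compare only the path, since uricontent inspects the request URI, not the host.
        path = re.sub(r"^https?://[^/]+", "", url)
        if rule_matches_uri(options, path):
            hits.append(client)
    return hits
```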