[Snort-sigs] rule to catch "Bargain Buddy" downloads
matt at ...2436...
Thu Jul 22 13:49:08 EDT 2004
Thanks. I hate adware; I love to see these rules.
It's posted on bleedingsnort.com; I'm already getting hits on it. Thanks
Miner, Jonathan W (CSC) (US SSA) wrote:
> What a bargain!
> I'm seeing requests in my web proxy log similar to:
> GET http://download2.us4.outblaze.com/download/bargain_buddy/data/IEPLUG_GLO/CB/2004_07_22.data.zip
> GET http://download2.us4.outblaze.com/download/bargain_buddy/data/MEDIAMOTOR/2004_07_22.patch.zip
> These were detected by the ZIP file rule, but here is a more specific rule that I've just started to use. The ZIP rule is triggered by too many "acceptable" requests.
> alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Bargain Buddy"; uricontent:"/download/bargain_buddy/data"; nocase; classtype:policy-violation; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; sid:1000002; rev:1;)
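An added example (not code from the post or from Bleeding Snort): a small harness that replays a rule's uricontent pattern against sample proxy-log requests before the rule is deployed, emulating Snort's nocase substring match on the request URI. It uses constructed log lines modelled on the two quoted above, plus one benign ZIP download, and shows how a spelling mismatch between the pattern and the logged path (bargin versus bargain) silently produces zero hits.

```python
from urllib.parse import urlsplit

# Constructed sample proxy-log requests, modelled on the lines quoted in the post.
SAMPLE_REQUESTS = [
    "GET http://download2.us4.outblaze.com/download/bargain_buddy/data/IEPLUG_GLO/CB/2004_07_22.data.zip",
    "GET http://download2.us4.outblaze.com/download/bargain_buddy/data/MEDIAMOTOR/2004_07_22.patch.zip",
    "GET http://example.test/download/other_tool/data/2004_07_22.zip",  # benign ZIP download
]

# Two candidate uricontent values: a misspelt one and the spelling seen in the logged paths.
PATTERN_MISSPELT = "/download/bargin_buddy/data"
PATTERN_CORRECT = "/download/bargain_buddy/data"


def request_uri(log_line):
    """Return the URI part (path plus query) of a 'METHOD URL' proxy-log line.

    This is the portion Snort's uricontent keyword inspects, not the scheme or host.
    """
    _method, _, url = log_line.partition(" ")
    parts = urlsplit(url.strip())
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return uri


def uricontent_matches(uri, pattern, nocase=True):
    """Emulate a uricontent match: plain substring, case-insensitive when nocase is set."""
    if nocase:
        return pattern.lower() in uri.lower()
    return pattern in uri


def matching_lines(log_lines, pattern):
    """Return the log lines whose URI would trigger a rule carrying this uricontent pattern."""
    return [line for line in log_lines if uricontent_matches(request_uri(line), pattern)]


def coverage_report(log_lines, patterns):
    """Map each candidate pattern to its hit count, so a zero-hit pattern stands out before deployment."""
    return {pattern: len(matching_lines(log_lines, pattern)) for pattern in patterns}


if __name__ == "__main__":
    for pattern, hits in coverage_report(SAMPLE_REQUESTS, [PATTERN_MISSPELT, PATTERN_CORRECT]).items():
        print(f"{pattern!r}: {hits} hit(s)")
```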