[Snort-sigs] rule to catch "Bargain Buddy" downloads

Matthew Jonkman matt at ...2436...
Thu Jul 22 13:49:08 EDT 2004


Thanks. I hate adware, I love to see these rules.

It's posted on bleedingsnort.com, I'm already getting hits on it. Thanks 
Jonathan.

Matt

Miner, Jonathan W (CSC) (US SSA) wrote:

> What a bargain!
> 
> I'm seeing requests in my web proxy log similar to:
> 
> GET http://download2.us4.outblaze.com/download/bargain_buddy/data/IEPLUG_GLO/CB/2004_07_22.data.zip
> GET http://download2.us4.outblaze.com/download/bargain_buddy/data/MEDIAMOTOR/2004_07_22.patch.zip
> 
> These were detected by the ZIP file rule, but here is a more specific rule that I've just started to use.  The ZIP rule is triggered by too many "acceptable" requests.
> 
> alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Bargain Buddy"; uricontent:"/download/bargain_buddy/data"; nocase; classtype: policy-violation; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; sid:1000002; rev:1;)
> 
> 
> 
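The uricontent check from Jonathan's rule, replayed over constructed proxy log lines as an added example (not code from the thread): it contrasts the broad ZIP-download rule, assumed here to be a simple URI suffix check, with the specific Bargain Buddy directory match, and shows that a pattern whose spelling differs from the observed URLs by one character silently yields no hits.

```python
"""Replay the Bargain Buddy uricontent match over constructed proxy log lines.

Added example, not code from the thread: a small stand-in for Snort's
uricontent/nocase test, used to compare the generic ZIP rule with the
specific rule and to show why the directory string must match exactly.
"""
from urllib.parse import urlsplit

# Constructed proxy log lines: the two requests quoted in the thread plus one
# benign ZIP download that a generic ZIP rule would also flag.
PROXY_LOG = [
    "GET http://download2.us4.outblaze.com/download/bargain_buddy/data/IEPLUG_GLO/CB/2004_07_22.data.zip",
    "GET http://download2.us4.outblaze.com/download/bargain_buddy/data/MEDIAMOTOR/2004_07_22.patch.zip",
    "GET http://example.org/files/quarterly_report.zip",  # constructed benign request
]

# The uricontent string from the posted rule, and a constructed misspelling
# (one letter dropped) to illustrate how a near-miss pattern behaves.
RULE_PATTERN = "/download/bargain_buddy/data"
MISSPELLED_PATTERN = "/download/bargin_buddy/data"


def request_uri(log_line):
    """Return the path (plus query, if any) from a 'GET <absolute-url>' log line."""
    _method, _, url = log_line.partition(" ")
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def uricontent_match(uri, pattern, nocase=True):
    """Approximate Snort's uricontent: substring test on the request URI,
    case-insensitive when the rule carries the nocase modifier."""
    if nocase:
        return pattern.lower() in uri.lower()
    return pattern in uri


def zip_rule_hits(log_lines):
    """Stand-in for the broad ZIP-file rule (assumed: URI ends in .zip)."""
    return [line for line in log_lines if request_uri(line).lower().endswith(".zip")]


def bargain_buddy_hits(log_lines, pattern=RULE_PATTERN):
    """Lines the specific rule would alert on for the given uricontent pattern."""
    return [line for line in log_lines if uricontent_match(request_uri(line), pattern)]


if __name__ == "__main__":
    print("ZIP rule hits:", len(zip_rule_hits(PROXY_LOG)))            # 3, includes benign
    print("Bargain Buddy hits:", len(bargain_buddy_hits(PROXY_LOG)))  # 2
    print("Misspelled pattern hits:", len(bargain_buddy_hits(PROXY_LOG, MISSPELLED_PATTERN)))  # 0
```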
