[Snort-sigs] New Malware/Spyware rules
matt at ...2436...
Sun Jul 25 16:29:13 EDT 2004
Good question. My aim with each new package I found was to get the
install, the submission of data, and the regular download of data or code.
That way, if a machine (laptop) gets infected at home but comes into a
corporate net we cover, we'll see the updates. I went after the data
submissions mostly out of curiosity, just in case they might submit
something sensitive that's readable.
Jason Haar wrote:
> On Sun, Jul 25, 2004 at 04:36:04PM -0500, Matthew Jonkman wrote:
>>Here's the load of malware rules for today. It's absolutely shocking
>>what will happen if you browse with IE. Many of these came in on a
>>patched version, many more unpatched. And there are exploits as we all
> I haven't looked into these rules in detail, but are you logging
> spyware-related events, or are you trying for nice clean rules?
> By that I mean that an infected PC can easily "do" 100 different
> spyware-related URL calls in one session. Are you trying to log those 100
> calls, or just one? I'd say the latter is the best option as otherwise you
> are going to have SQL databases/etc full of tens or thousands of entries
> against one infected PC, where one would do.
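The rule set Matt describes (install, data submission, update download) and the one-alert-per-PC behaviour Jason asks about, as an added example that is not part of the original post or of Matt's actual rules. The host spyware.example, the three URIs and the SIDs are hypothetical; the syntax is the Snort 2.x rule language in use at the time of the thread.

```snort
# Added example, not from the original post. Hypothetical spyware host
# "spyware.example" and URIs /install.cgi, /submit.php, /update.php;
# SIDs 1000001-1000004 come from the local range (>= 1000000).

# 1. Install: the one-time fetch of the installer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"LOCAL SPYWARE Example installer download"; \
    flow:to_server,established; uricontent:"/install.cgi"; nocase; \
    content:"Host|3A| spyware.example"; nocase; \
    classtype:trojan-activity; sid:1000001; rev:1;)

# 2. Data submission: a POST carrying collected data. Left unthresholded on
#    purpose: every submission is worth capturing to read what is sent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"LOCAL SPYWARE Example data submission"; \
    flow:to_server,established; content:"POST"; depth:4; \
    uricontent:"/submit.php"; nocase; \
    content:"Host|3A| spyware.example"; nocase; \
    classtype:trojan-activity; sid:1000002; rev:1;)

# 3a. Update check, noisy form: one alert per request, so a single infected
#     laptop polling every few minutes fills the alert database with duplicates.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"LOCAL SPYWARE Example update check (noisy)"; \
    flow:to_server,established; uricontent:"/update.php"; nocase; \
    content:"Host|3A| spyware.example"; nocase; \
    classtype:trojan-activity; sid:1000003; rev:1;)

# 3b. Update check, limited form: "type limit, track by_src" logs the first
#     match from each source host and drops the rest for 3600 seconds, so one
#     infected PC produces one event per hour however often it polls.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"LOCAL SPYWARE Example update check"; \
    flow:to_server,established; uricontent:"/update.php"; nocase; \
    content:"Host|3A| spyware.example"; nocase; \
    threshold:type limit, track by_src, count 1, seconds 3600; \
    classtype:trojan-activity; sid:1000004; rev:1;)
```

Load either 3a or 3b, not both. `track by_src` is what makes the limit per infected machine rather than per spyware server, which is the "one entry per PC" Jason is after; the install and submission rules stay unlimited because those are the events you want every instance of. From Snort 2.8.5 on, the in-rule `threshold` keyword is deprecated in favour of `detection_filter` in the rule and `event_filter` in threshold.conf, which take the same `track`, `count` and `seconds` arguments.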