[Snort-sigs] New Malware/Spyware rules

Matthew Jonkman matt at ...2436...
Sun Jul 25 16:29:13 EDT 2004


Good question. My aim with each new package I found was to get the 
install, the submission of data, and the regular download of data or code.

That way, if a machine (laptop) gets infected at home but comes into a 
corporate net we cover, we'll see the updates. I went after the data 
submissions mostly out of curiosity, just in case they might submit 
something sensitive that's readable.

Thanks

Matt

Jason Haar wrote:

> On Sun, Jul 25, 2004 at 04:36:04PM -0500, Matthew Jonkman wrote:
> 
>> Here's the load of malware rules for today. It's absolutely shocking 
>> what will happen if you browse with IE. Many of these came in on a 
>> patched version, many more unpatched. And there are exploits as we all 
>> ...
> 
> 
> I haven't looked into these rules in detail, but are you logging
> spyware-related events, or are you trying for nice clean rules?
> 
> By that I mean that an infected PC can easily "do" 100 different
> spyware-related URL calls in one session. Are you trying to log those 100
> calls, or just one? I'd say the latter is the best option as otherwise you
> are going to have SQL databases/etc full of tens of thousands of entries
> against one infected PC, where one would do.
> 
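One concrete way to express the logging policy Jason asks about, as an added example that is not part of the original thread or of Matt's rule set: the same match written once without rate limiting and once with Snort 2.x's `threshold` rule option, so the rule still detects every beacon but emits one alert per infected source per window. The spyware host name, URI paths and SIDs below are assumptions made up for illustration; the rule structure (flow, uricontent, content with `|3A|` hex, threshold, classtype) is standard Snort 2.x syntax.

```snort
# Added example, not from the original post. Hypothetical spyware that is
# assumed to fetch http://updates.example-spyware.test/update/check.php?id=<guid>
# for its regular update check and to POST collected data to /submit.php.
# Host name, paths and SIDs are assumptions; SIDs >= 1000000 are the local range.

# Noisy form: fires on every matching request. An infected PC that makes
# 100 update checks in one session produces 100 alerts in the database.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL SPYWARE hypothetical update check (unthrottled)"; flow:to_server,established; uricontent:"/update/check.php?id="; nocase; content:"Host|3A| updates.example-spyware.test"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)

# Thresholded form: identical match, but 'threshold:type limit' emits at most
# one alert per source IP per 3600 seconds. Detection is unchanged; only the
# logging volume drops, which is what Jason's "one entry per infected PC" asks for.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL SPYWARE hypothetical update check"; flow:to_server,established; uricontent:"/update/check.php?id="; nocase; content:"Host|3A| updates.example-spyware.test"; nocase; threshold:type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; sid:1000002; rev:1;)

# Data submission (Matt's second category), limited the same way. Because the
# POST body is what would carry anything sensitive, the full packet is still
# captured for the one alert that does fire; only the repeats are suppressed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL SPYWARE hypothetical data submission"; flow:to_server,established; content:"POST"; depth:4; uricontent:"/submit.php"; nocase; content:"Host|3A| updates.example-spyware.test"; nocase; threshold:type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; sid:1000003; rev:1;)
```

Two practitioner notes. First, `track by_src` is the right key here because the question is "which internal hosts are infected", not "which spyware server was contacted"; `by_dst` would collapse every infected laptop talking to the same server into a single alert and hide the count of victims. Second, the `threshold` rule option was later deprecated in Snort 2.9 in favour of `detection_filter` inside the rule and `event_filter` directives in snort.conf; the `event_filter` form takes the same `type limit, track by_src, count 1, seconds 3600` arguments keyed by gen_id and sig_id, so the policy above carries over unchanged.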