[Snort-sigs] Parasite Rules

Matthew Jonkman matt at ...2436...
Wed Jul 28 08:20:40 EDT 2004


We've made some significant changes to the parasite rules put up 
yesterday. They've been changed to tcp only, and are using flow now. We 
hope that'll reduce the number of alerts to more meaningful numbers. 
Those changes are up now.

With this new ruleset please let us know about falses. I'm seeing a 
number of just ads being served up from a couple of these nets, the 
BargainBuddy rule in particular. Looking for ideas on how to eliminate 
that, or justify not using the rule if spyware isn't reporting there 
anymore.

I definitely have identified new PCs infected with otherwise undetected 
spyware with these. They're definitely worth running. Even see a couple 
that appear to be reporting via https. Traffic is coming out when the 
computer is idle, no browser open, etc. Definitely something covert.

Please let us know about nets that are giving you falses and we'll get 
them tweaked or disabled. And anyone that knows about new nets please 
send them in.

The current rules are on bleedingsnort.com.

Thanks

Matt
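To illustrate the change the post describes (rules switched from any IP protocol to tcp only, with a flow check so only established client-to-server sessions fire), here is an added before/after pair written for this post; it is not a rule from the bleedingsnort.com ruleset. The 192.0.2.0/24 net, the SID values and the trailing threshold line are placeholders and assumptions, not values from the post.

```snort
# BEFORE (shape of the original parasite rules): matches every packet of any
# IP protocol sent toward the spyware "net", so SYN scans, RSTs, replies and
# UDP noise all raise alerts. 192.0.2.0/24 is a documentation-range placeholder.
alert ip $HOME_NET any -> 192.0.2.0/24 any (msg:"BLEEDING-EDGE Spyware BargainBuddy Net Contact (placeholder net)"; classtype:trojan-activity; sid:2000000; rev:1;)

# AFTER (the change described in the post): tcp only, and flow restricts the
# match to packets the client sends inside an already established session,
# so half-open connections and server-side traffic no longer alert.
alert tcp $HOME_NET any -> 192.0.2.0/24 any (msg:"BLEEDING-EDGE Spyware BargainBuddy Net Contact (placeholder net)"; flow:to_server,established; classtype:trojan-activity; sid:2000000; rev:2;)

# Optional further reduction (an assumption, not in the post): one alert per
# internal source per minute, so an idle box beaconing repeatedly is reported
# once rather than on every packet of the session.
alert tcp $HOME_NET any -> 192.0.2.0/24 any (msg:"BLEEDING-EDGE Spyware BargainBuddy Net Contact (placeholder net, throttled)"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 60; classtype:trojan-activity; sid:2000001; rev:1;)
```

Ad servers hosted on the same net will still match the "after" rule, which is the false-positive case the post asks for reports on; the fix there is narrowing the destination net, not the flow options.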
