[Snort-users] Adware/Malware Rules List

Jerry Shenk jshenk at ...514...
Sun Feb 29 12:38:04 EST 2004


I came here looking for exactly this.  That's a start....problem is
there are SO MANY of these stupid things!  I'd like to alert on Gator
and all the rest of 'em so we can keep our machines clean.
 
Here are a couple that I have set up...not many but maybe it will help
get things rolling:
alert tcp any any -> $HOME_NET 8080 (msg:"Gator updates"; content:"Host\: updateserver.gator.com"; flags: PA;)
alert tcp any any -> $HOME_NET 8080 (msg:"Installshield updates"; content:"Host\: updates.installshield.com"; flags: PA;)
alert tcp any any -> $HOME_NET 8080 (msg:"Comet Systems update"; content:"Host\: update.cc.cometsystems.com"; flags: PA;)

 
Here's a link to a rather old posting (Jan 2002) related to this issue.
There's a pretty good sized list here but many of them have probably
changed:
http://groups.google.com/groups?q=snort+adware+rules&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=BbK18.8737%24gf1.49194%40news-server.bigpond.net.au&rnum=6
 
Here's another related site:
http://www.doxdesk.com/parasite/
 

-----Original Message----- 
 
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Darden,
Patrick S.
Sent: Friday, February 27, 2004 11:05 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Adware/Malware Rules List


I had a large number of requests for my ruleset for Ad/Malware, so I
have placed it on the web at:
 
https://www.armc.org/malware/
 
It ain't nothing special, but it works for us.  If you have any
additions, please email me so we can make this ruleset grow into
something useful.
 
Thanks,
--Patrick Darden
--Internetworking Manager
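
Added example, not part of either message above: since the list of adware update hosts keeps growing, the Host-header rules in the reply can be generated from a hostname list instead of written by hand. The function names, the `nocase` option, and the `sid`/`rev` numbering (local sids starting at 1000001) are assumptions added here; the rule header, port, and `flags: PA` follow the rules as posted.

```python
import re

# Hostnames taken from the three rules in the message above.
UPDATE_HOSTS = {
    "Gator updates": "updateserver.gator.com",
    "Installshield updates": "updates.installshield.com",
    "Comet Systems update": "update.cc.cometsystems.com",
}

# Strict patterns: a list entry must never be able to close the quoted
# string or smuggle extra options (";", '"', "\\") into the rule.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(r"%s(?:\.%s)+" % (_LABEL, _LABEL))
_MSG_RE = re.compile(r"[A-Za-z0-9 ._/-]{1,64}")


def build_rule(msg, host, sid, port=8080):
    """Return one Snort rule alerting on an HTTP Host header for `host`."""
    host = host.strip().lower()
    if len(host) > 253 or not _HOST_RE.fullmatch(host):
        raise ValueError("not a plain hostname: %r" % host)
    if not _MSG_RE.fullmatch(msg):
        raise ValueError("unsafe msg text: %r" % msg)
    # nocase: header names and hostnames are case-insensitive on the wire.
    return (
        'alert tcp any any -> $HOME_NET %d (msg:"%s"; '
        'content:"Host\\: %s"; nocase; flags: PA; sid:%d; rev:1;)'
        % (port, msg, host, sid)
    )


def build_ruleset(hosts, first_sid=1000001):
    """Build rules for a {msg: host} mapping, one unique sid per rule."""
    if first_sid < 1000000:
        raise ValueError("local rules should use sids of 1000000 and above")
    return [build_rule(msg, host, first_sid + i)
            for i, (msg, host) in enumerate(sorted(hosts.items()))]


if __name__ == "__main__":
    print("\n".join(build_ruleset(UPDATE_HOSTS)))
```
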
