[Dshield] Snort-Ruleset for Sobig

Porter, Richard USA rwporter at nps.navy.mil
Sat Aug 23 21:06:06 GMT 2003


I will post the set again. It was attached and probably got stripped. The site I referred to was just where I got the IP addresses from.
 
<begin_ruleset>
# $Id$
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures. Put your local
# additions here.
#
# Sobig rules. The two port rules come first; the per-host rules below use
# the 20 addresses from the Sophos list referred to in this thread. Every
# active rule carries a sid in the local range (1000000 and up) so the file
# loads without collisions against the distributed ruleset; bump rev when
# you change a rule. Two msg options in the originally posted set had
# mismatched quotes and would not have parsed; they are corrected here.

# Disabled in the posted set: source port 8998 seen from inside $HOME_NET.
#alert tcp $HOME_NET 8998 -> any any (msg:"Possible SoBig Probe"; sid:1000001; rev:1;)

# Source port 8998 seen from outside $HOME_NET.
alert tcp $EXTERNAL_NET 8998 -> any any (msg:"Possible Sobig Probe from Outside HomeNet"; sid:1000002; rev:1;)

# Source ports 995-999 from inside $HOME_NET.
alert tcp $HOME_NET 995:999 -> any any (msg:"Possible Sobig Activity on ports 995-999"; sid:1000003; rev:1;)

# Per-host rules: one tcp and one udp rule per address. As written they fire
# on traffic whose source is a listed host and whose destination is in
# $EXTERNAL_NET; with the default $EXTERNAL_NET = !$HOME_NET a sensor inside
# $HOME_NET only sees such traffic if it also watches transit links. To catch
# your own hosts talking to these addresses instead, swap the two address
# fields ($HOME_NET any -> <ip> any).
alert tcp 12.158.102.205 any -> $EXTERNAL_NET any (msg:"12.158.102.205 Activity TCP"; sid:1000004; rev:1;)
alert tcp 12.232.104.221 any -> $EXTERNAL_NET any (msg:"12.232.104.221 Activity TCP"; sid:1000005; rev:1;)
alert tcp 24.33.66.38 any -> $EXTERNAL_NET any (msg:"24.33.66.38 Activity TCP"; sid:1000006; rev:1;)
alert tcp 24.197.143.132 any -> $EXTERNAL_NET any (msg:"24.197.143.132 Activity TCP"; sid:1000007; rev:1;)
alert tcp 24.202.91.43 any -> $EXTERNAL_NET any (msg:"24.202.91.43 Activity TCP"; sid:1000008; rev:1;)
alert tcp 24.206.75.137 any -> $EXTERNAL_NET any (msg:"24.206.75.137 Activity TCP"; sid:1000009; rev:1;)
alert tcp 24.210.182.156 any -> $EXTERNAL_NET any (msg:"24.210.182.156 Activity TCP"; sid:1000010; rev:1;)
alert tcp 61.38.187.59 any -> $EXTERNAL_NET any (msg:"61.38.187.59 Activity TCP"; sid:1000011; rev:1;)
alert tcp 63.250.82.87 any -> $EXTERNAL_NET any (msg:"63.250.82.87 Activity TCP"; sid:1000012; rev:1;)
alert tcp 65.92.80.218 any -> $EXTERNAL_NET any (msg:"65.92.80.218 Activity TCP"; sid:1000013; rev:1;)
alert tcp 65.92.186.145 any -> $EXTERNAL_NET any (msg:"65.92.186.145 Activity TCP"; sid:1000014; rev:1;)
alert tcp 65.95.193.138 any -> $EXTERNAL_NET any (msg:"65.95.193.138 Activity TCP"; sid:1000015; rev:1;)
alert tcp 65.93.81.59 any -> $EXTERNAL_NET any (msg:"65.93.81.59 Activity TCP"; sid:1000016; rev:1;)
alert tcp 65.177.240.194 any -> $EXTERNAL_NET any (msg:"65.177.240.194 Activity TCP"; sid:1000017; rev:1;)
alert tcp 66.131.207.81 any -> $EXTERNAL_NET any (msg:"66.131.207.81 Activity TCP"; sid:1000018; rev:1;)
alert tcp 67.9.241.67 any -> $EXTERNAL_NET any (msg:"67.9.241.67 Activity TCP"; sid:1000019; rev:1;)
alert tcp 67.73.21.6 any -> $EXTERNAL_NET any (msg:"67.73.21.6 Activity TCP"; sid:1000020; rev:1;)
alert tcp 68.38.159.161 any -> $EXTERNAL_NET any (msg:"68.38.159.161 Activity TCP"; sid:1000021; rev:1;)
alert tcp 68.50.208.96 any -> $EXTERNAL_NET any (msg:"68.50.208.96 Activity TCP"; sid:1000022; rev:1;)
alert tcp 218.147.164.29 any -> $EXTERNAL_NET any (msg:"218.147.164.29 Activity TCP"; sid:1000023; rev:1;)

alert udp 12.158.102.205 any -> $EXTERNAL_NET any (msg:"12.158.102.205 Activity UDP"; sid:1000024; rev:1;)
alert udp 12.232.104.221 any -> $EXTERNAL_NET any (msg:"12.232.104.221 Activity UDP"; sid:1000025; rev:1;)
alert udp 24.33.66.38 any -> $EXTERNAL_NET any (msg:"24.33.66.38 Activity UDP"; sid:1000026; rev:1;)
alert udp 24.197.143.132 any -> $EXTERNAL_NET any (msg:"24.197.143.132 Activity UDP"; sid:1000027; rev:1;)
alert udp 24.202.91.43 any -> $EXTERNAL_NET any (msg:"24.202.91.43 Activity UDP"; sid:1000028; rev:1;)
alert udp 24.206.75.137 any -> $EXTERNAL_NET any (msg:"24.206.75.137 Activity UDP"; sid:1000029; rev:1;)
alert udp 24.210.182.156 any -> $EXTERNAL_NET any (msg:"24.210.182.156 Activity UDP"; sid:1000030; rev:1;)
alert udp 61.38.187.59 any -> $EXTERNAL_NET any (msg:"61.38.187.59 Activity UDP"; sid:1000031; rev:1;)
alert udp 63.250.82.87 any -> $EXTERNAL_NET any (msg:"63.250.82.87 Activity UDP"; sid:1000032; rev:1;)
alert udp 65.92.80.218 any -> $EXTERNAL_NET any (msg:"65.92.80.218 Activity UDP"; sid:1000033; rev:1;)
alert udp 65.92.186.145 any -> $EXTERNAL_NET any (msg:"65.92.186.145 Activity UDP"; sid:1000034; rev:1;)
alert udp 65.95.193.138 any -> $EXTERNAL_NET any (msg:"65.95.193.138 Activity UDP"; sid:1000035; rev:1;)
alert udp 65.93.81.59 any -> $EXTERNAL_NET any (msg:"65.93.81.59 Activity UDP"; sid:1000036; rev:1;)
alert udp 65.177.240.194 any -> $EXTERNAL_NET any (msg:"65.177.240.194 Activity UDP"; sid:1000037; rev:1;)
alert udp 66.131.207.81 any -> $EXTERNAL_NET any (msg:"66.131.207.81 Activity UDP"; sid:1000038; rev:1;)
alert udp 67.9.241.67 any -> $EXTERNAL_NET any (msg:"67.9.241.67 Activity UDP"; sid:1000039; rev:1;)
alert udp 67.73.21.6 any -> $EXTERNAL_NET any (msg:"67.73.21.6 Activity UDP"; sid:1000040; rev:1;)
alert udp 68.38.159.161 any -> $EXTERNAL_NET any (msg:"68.38.159.161 Activity UDP"; sid:1000041; rev:1;)
alert udp 68.50.208.96 any -> $EXTERNAL_NET any (msg:"68.50.208.96 Activity UDP"; sid:1000042; rev:1;)
alert udp 218.147.164.29 any -> $EXTERNAL_NET any (msg:"218.147.164.29 Activity UDP"; sid:1000043; rev:1;)
</end_ruleset>

	-----Original Message----- 
	From: John D. [mailto:lists at webcrunchers.com] 
	Sent: Fri 8/22/2003 9:17 PM 
	To: General DShield Discussion List 
	Cc: 
	Subject: Re: [Dshield] Snort-Ruleset for Sobig
	
	

	>All,
	>
	>This is a rule-set I whipped up to monitor internal traffic. It is by
	>known sobig ports and the decrypted list of IPs posted on
	
	>http://www.sophos.com/virusinfo/articles/sobigiplist.html
	
	Where is this ruleset?    I looked for it in the enclosed URL,  but just
	saw the original article.
	
	John
	
	
	_______________________________________________
	list mailing list
	list at dshield.org
	To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
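Added example, not part of the original post or of anything on the DShield list: a Python script that generates the per-host rules from the twenty addresses in the posted set and runs a narrow lint over a rule file. The lint checks only what the posted rules got wrong (an unbalanced quote in a msg option, and no sid on any active rule), which is enough to catch the two mistyped rules before Snort refuses the file. The sid numbering from a base in the local 1000000+ range is an assumption; POSTED_RULES is a constructed sample that reproduces the first four rules exactly as they were originally posted, typos included.

```python
import re

# The 20 addresses from the posted ruleset (the Sophos list the post refers to).
SOBIG_HOSTS = [
    "12.158.102.205", "12.232.104.221", "24.33.66.38", "24.197.143.132",
    "24.202.91.43", "24.206.75.137", "24.210.182.156", "61.38.187.59",
    "63.250.82.87", "65.92.80.218", "65.92.186.145", "65.95.193.138",
    "65.93.81.59", "65.177.240.194", "66.131.207.81", "67.9.241.67",
    "67.73.21.6", "68.38.159.161", "68.50.208.96", "218.147.164.29",
]

# Assumption: local rule sids live at 1,000,000 and above (the documented
# convention). The exact base is arbitrary; it only has to be unique locally.
LOCAL_SID_BASE = 1000004

# Constructed sample: the first four rules exactly as they were posted.
# Lines 1 and 3 have mismatched quotes; none of the active lines has a sid.
POSTED_RULES = """\
#alert tcp $HOME_NET 8998 -> any any (msg:"Possible SoBig Probe';)
alert tcp $EXTERNAL_NET 8998 -> any any (msg:"Possible Sobig Probe from Outside HomeNet";)
alert tcp $HOME_NET 995:999 -> any any (msg:"Possible Sobig Activity on ports 995-999"";)
alert tcp 12.158.102.205 any -> $EXTERNAL_NET any (msg:"12.158.102.205 Activity TCP";)
"""

# Snort 2 rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+'
    r'(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
UNESCAPED_QUOTE_RE = re.compile(r'(?<!\\)"')


def host_rules(hosts=SOBIG_HOSTS, sid_base=LOCAL_SID_BASE):
    """One tcp and one udp alert per host, with the same header shape as the
    posted set (listed host as source, $EXTERNAL_NET as destination) and a
    unique sid on each so the file loads cleanly and alerts are attributable."""
    rules, sid = [], sid_base
    for proto in ("tcp", "udp"):
        for ip in hosts:
            rules.append(
                f'alert {proto} {ip} any -> $EXTERNAL_NET any '
                f'(msg:"{ip} Activity {proto.upper()}"; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


def lint_rule(line):
    """Problems with one rule line ([] means it passed). Deliberately narrow:
    it checks the things the posted rules got wrong, not full Snort syntax."""
    s = line.strip()
    if not s or s.startswith("#"):
        return []                      # blank or commented out: never loaded
    m = HEADER_RE.match(s)
    if not m:
        return ["header does not parse"]
    body = m.group(8)
    problems = []
    if len(UNESCAPED_QUOTE_RE.findall(body)) % 2:
        problems.append("unbalanced double quotes in options")
    if 'msg:"' not in body:
        problems.append("missing msg")
    if not SID_RE.search(body):
        problems.append("missing sid")
    return problems


def lint_ruleset(text):
    """Map 1-based line number -> problems, for every line that has any,
    plus a note on each line whose sid is reused elsewhere in the file."""
    problems, by_sid = {}, {}
    for n, line in enumerate(text.splitlines(), 1):
        p = lint_rule(line)
        if p:
            problems[n] = p
        if not line.lstrip().startswith("#"):
            m = SID_RE.search(line)
            if m:
                by_sid.setdefault(m.group(1), []).append(n)
    for sid, lines in by_sid.items():
        if len(lines) > 1:
            for n in lines:
                others = [x for x in lines if x != n]
                problems.setdefault(n, []).append(f"sid {sid} also used on line(s) {others}")
    return problems


if __name__ == "__main__":
    for n, p in sorted(lint_ruleset(POSTED_RULES).items()):
        print(f"posted rule line {n}: {'; '.join(p)}")
    generated = host_rules()
    assert not lint_ruleset("\n".join(generated))   # generated set is clean
    print("\n".join(generated))
```

Run it once over a rule file before restarting the sensor; a rule that fails to parse is usually a fatal error for the whole file, so the single stray quote in the 995-999 rule would have taken every other rule in local.rules down with it.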
	


