[unisog] Snort rules

Nick Nelson snelson at valdosta.edu
Mon Jun 30 16:14:00 GMT 2003


Sorry about the new classtypes; I had not taken into consideration 
whether it would be worthwhile (or known how to) add new 
classtypes. I have changed the classtypes to misc-activity, which, with 
the current classtype structure, fits in well for Snort.

Any questions, please feel free to drop me an email. Check these over 
quickly before going live with them, mainly for carriage returns or spacing 
in the wrong place; I've seen stranger things happen.

Enjoy.

########################################## IRC alert
# One rule per line (a line may be continued with a trailing "\").
# sid/rev were added so Snort can identify each rule; 1000001+ is the
# local-rule range, renumber to fit your site.
# "warez" is not a classtype in the stock classification.config and Snort
# refuses to load a rule with an unknown classtype, so those rules use
# misc-activity, matching the note above.

alert tcp any any -> any 6666:7000 (msg:"Total Offered"; flags:A+; content:"Total Offered"; classtype:misc-activity; sid:1000001; rev:1;)

alert tcp any any -> any 6666:7000 (msg:"Just type the Trigger content"; flags:A+; content:"Just type the Trigger"; classtype:misc-activity; sid:1000002; rev:1;)

alert tcp $HOME_NET any -> any 6666:6668 (msg:"Incoming XDCC Send Request Detected-BIG-rule"; flow:to_server,established; content:"XDCC"; nocase; classtype:misc-activity; sid:1000003; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"JAcheck.ini"; flags:A+; content:"JAcheck.ini"; nocase; classtype:misc-activity; sid:1000004; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"hidden32.exe"; flags:A+; content:"hidden32.exe"; nocase; classtype:misc-activity; sid:1000005; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"BugSlayerYtil.dll"; flags:A+; content:"BugSlayerYtil.dll"; nocase; classtype:misc-activity; sid:1000006; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"clearlogs.exe"; flags:A+; content:"clearlogs.exe"; nocase; classtype:misc-activity; sid:1000007; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"ssleay32.dll"; flags:A+; content:"ssleay32.dll"; nocase; classtype:misc-activity; sid:1000008; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"Iroffer"; flags:A+; content:"Iroffer"; nocase; classtype:misc-activity; sid:1000009; rev:1;)

alert tcp any any -> any any (msg:"IR.EXE"; flags:A+; content:"ir.exe"; nocase; classtype:misc-activity; sid:1000010; rev:1;)

alert tcp any any -> any any (msg:"criten warez IRC server"; flags:A+; content:"criten"; nocase; classtype:misc-activity; sid:1000011; rev:1;)

alert tcp any any -> any any (msg:"SPM2000$"; flags:A+; content:"SPM2000$"; nocase; classtype:misc-activity; sid:1000012; rev:1;)

alert tcp any any -> any any (msg:"crc.bat"; flags:A+; content:"crc.bat"; nocase; classtype:misc-activity; sid:1000013; rev:1;)

alert tcp any any -> any any (msg:"servustartuplog.txt"; flags:A+; content:"servustartuplog.txt"; nocase; classtype:misc-activity; sid:1000014; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"L33CHeR"; content:"L33CHeR"; nocase; classtype:misc-activity; sid:1000015; rev:1;)

alert tcp any any -> any any (msg:"HOT DarkIRC trojan retrieval dll32nos.exe"; content:"dll32nos.exe"; nocase; classtype:misc-activity; sid:1000016; rev:1;)

alert tcp any any -> any any (msg:"HOT IN DarkIRC on Gr33tz"; content:"Gr33tz"; nocase; classtype:misc-activity; sid:1000017; rev:1;)

alert tcp any any -> any any (msg:"Root.bat content darkIRC"; flags:A+; content:"Root.bat"; nocase; classtype:misc-activity; sid:1000018; rev:1;)

alert tcp any any -> any any (msg:"recycler"; flags:A+; content:"recycler"; nocase; classtype:misc-activity; sid:1000019; rev:1;)

alert tcp any any -> any any (msg:"Min Speed Requirement"; flags:A+; content:"Min Speed Requirement"; classtype:misc-activity; sid:1000020; rev:1;)

alert tcp any 6660:7000 -> any any (msg:"Possible Incoming XDCC Send Request Detected."; content:" |3a 01|XDCC "; classtype:misc-activity; sid:1000021; rev:1;)
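A small checker for the things the post asks readers to look for before going live: a rule split in two by a stray line break, a classtype that is not in classification.config, and a trailing space inside msg. This is an added example, not part of the post or of Snort; KNOWN_CLASSTYPES is a constructed subset of the stock classification.config names, and SAMPLE holds constructed rules that mirror the ones above.

```python
import re
# Subset of the default Snort 2.x classification.config names (constructed
# list; extend it from the classification.config you actually load).
KNOWN_CLASSTYPES = {"misc-activity", "misc-attack", "policy-violation",
                    "trojan-activity", "attempted-recon", "bad-unknown"}
HEADER_RE = re.compile(r"^(alert|log|pass)\s+(tcp|udp|icmp|ip)\s+\S+\s+\S+\s+"
                       r"(->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$")
# key:value; pairs; a quoted value may itself contain a semicolon
OPT_RE = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;"]*))?\s*;')

def join_continuations(text):
    # Merge backslash-continued lines so each list entry is one whole rule.
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            rules.append(buf + line)
            buf = ""
    return rules

def lint_rules(text):
    # Return (rule_index, problem) pairs; a rule wrapped across two lines
    # shows up as one "unparseable" hit per fragment.
    problems = []
    for i, line in enumerate(join_continuations(text)):
        if not line.strip() or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append((i, "unparseable"))
            continue
        opts = dict(OPT_RE.findall(m.group("opts")))
        if opts.get("classtype") not in KNOWN_CLASSTYPES:
            problems.append((i, "bad-classtype"))  # missing, or Snort refuses to load it
        if "content" not in opts:
            problems.append((i, "no-content"))     # would fire on every packet in scope
        if opts.get("msg", "").endswith(' "'):
            problems.append((i, "msg-trailing-space"))
    return problems

# Constructed sample: a correctly continued rule, an undefined classtype plus a
# trailing space in msg, and a rule broken in two by a stray line break.
SAMPLE = '''\
alert tcp any any -> any 6666:7000 (msg:"Total Offered"; flags:A+; \\
content:"Total Offered"; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"JAcheck.ini "; flags:A+; content:"JAcheck.ini"; nocase; classtype:warez; sid:1000002; rev:1;)
alert tcp any any -> any 6666:7000 (msg:"Just type the Trigger"; flags:A+;
content:"Just type the Trigger"; classtype:misc-activity; sid:1000003; rev:1;)
'''
```

Running `lint_rules(SAMPLE)` reports the warez classtype and the trailing space on rule 1 and two unparseable fragments (2 and 3) for the rule that was broken in half; the continued rule 0 passes.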



