Snort rules

Nick Nelson nick at lunarpages.com
Sat Jun 28 02:04:06 GMT 2003


Greetings folks..

I had mentioned some Snort IRC rules a few months back and had asked 
some of you to beta test them before we submitted them to the Snort 
developers..

A few of you (very few) gave me responses on these rules, but thanks 
to Berkeley and the few others we have come up with a good set of 
rules which do not produce false positives (or not many at all) and 
are also very effective. For those of you interested, the rules will 
be at the end of this email.

Basically, the first rules I sent you were more like the alpha series; 
now these are the beta/near-ready-for-release rules. Any of you running 
Snort, if you could please give them a shot and, if nothing else, use 
them to clean your network; but if you would be as kind as to give me 
feedback, I'd also appreciate that. Here are the rules...


########################################## IRC alert
# Each rule must sit on one line (or use trailing backslashes) for Snort
# to parse it; the line wrapping introduced by mail clients breaks them.
# "irc" and "warez" are not default Snort classtypes: add them to
# classification.config (config classification:irc,IRC activity,2 and the
# same for warez) or Snort will reject the rules. No rule carries a
# sid/rev, so add unique ones before deployment to keep alerts distinct.

alert tcp any any -> any 6666:7000 (msg:"Total Offered"; flags:A+; content:"Total Offered"; classtype:irc;)
alert tcp any any -> any 6666:7000 (msg:"Just type the Trigger content"; flags:A+; content:"Just type the Trigger"; classtype:irc;)
alert tcp $HOME_NET any -> any 6666:6668 (msg:"Incoming XDCC Send Request Detected-BIG-rule"; flow:to_server,established; content:"XDCC"; nocase; classtype:irc;)
alert tcp any any -> $HOME_NET any (msg:"JAcheck.ini"; flags:A+; content:"JAcheck.ini"; nocase; classtype:warez;)
alert tcp any any -> $HOME_NET any (msg:"hidden32.exe"; flags:A+; content:"hidden32.exe"; nocase; classtype:warez;)
alert tcp any any -> $HOME_NET any (msg:"BugSlayerYtil.dll"; flags:A+; content:"BugSlayerYtil.dll"; nocase; classtype:warez;)
alert tcp any any -> $HOME_NET any (msg:"clearlogs.exe"; flags:A+; content:"clearlogs.exe"; nocase; classtype:warez;)
alert tcp any any -> $HOME_NET any (msg:"ssleay32.dll"; flags:A+; content:"ssleay32.dll"; nocase; classtype:warez;)
alert tcp any any -> $HOME_NET any (msg:"Iroffer"; flags:A+; content:"Iroffer"; nocase; classtype:warez;)
alert tcp any any -> any any (msg:"IR.EXE"; flags:A+; content:" ir.exe"; nocase; classtype:warez;)
alert tcp any any -> any any (msg:"criten warez IRC server"; flags:A+; content:"criten"; nocase; classtype:warez;)
alert tcp any any -> any any (msg:"SPM2000$"; flags:A+; content:"SPM2000$"; nocase; classtype:warez;)
alert tcp any any -> any any (msg:"crc.bat"; flags:A+; content:"crc.bat"; nocase; classtype:warez;)
alert tcp any any -> any any (msg:"servustartuplog.txt"; flags:A+; content:"servustartuplog.txt"; nocase; classtype:warez;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"L33CHeR"; content:"L33CHeR"; nocase; classtype:misc-activity;)
alert tcp any any -> any any (msg:"HOT DarkIRC trojan retrieval dll32nos.exe"; content:"dll32nos.exe"; nocase; classtype:irc;)
alert tcp any any -> any any (msg:"HOT IN DarkIRC on Gr33tz"; content:"Gr33tz"; nocase; classtype:irc;)
alert tcp any any -> any any (msg:"Root.bat content darkIRC"; flags:A+; content:"Root.bat"; nocase; classtype:irc;)
alert tcp any any -> any any (msg:"recycler"; flags:A+; content:"recycler"; nocase; classtype:irc;)
alert tcp any any -> any any (msg:"Min Speed Requirement"; flags:A+; content:"Min Speed Requirement"; classtype:irc;)


#################################################################################################
# Template for new rules (commented out):
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:""; flow:to_server,established; content:""; nocase; classtype:misc-activity;)


######################################
#new from nic

# |3a 01| is the raw bytes ":" followed by 0x01, the CTCP delimiter that
# starts a CTCP message in an IRC PRIVMSG/NOTICE, so this matches only the
# CTCP form of an XDCC request rather than any text containing "XDCC".
alert tcp any 6660:7000 -> any any \
    (content:" |3a 01|XDCC "; \
    msg:"Possible Incoming XDCC Send Request Detected."; \
    classtype:misc-activity; \
    )

#####################################################

Enjoy :)


cheers,
nick
--
Nick Nelson                    //   USA: 1-877-Lunarpages
nick at lunarpages.com    //    UK: 0800 0729150
Lunarpages.com           //     INTL: 1-714-521-8150
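Added here as an aid to testing, not part of Nick's post or of Snort itself: a small Python checker that decodes Snort content: strings (including the |3a 01| hex section of the last rule) and reports which of a hypothetical subset of the rules above would match constructed IRC lines, so candidate rules can be screened for obvious false positives before they reach a sensor.

```python
# Hypothetical subset of the post's rules, constructed for this example:
# (msg, content text as written between the quotes, nocase flag).
RULES: list[tuple[str, str, bool]] = [
    ("Possible Incoming XDCC Send Request Detected.", " |3a 01|XDCC ", False),
    ("Total Offered", "Total Offered", False),
    ("Iroffer", "Iroffer", True),
    ("recycler", "recycler", True),
]

def snort_content_to_bytes(spec: str) -> bytes:
    """Bytes Snort searches for: text outside |...| is literal, inside |...|
    is space-separated hex octets, and a backslash escapes ; " | and \\."""
    out, i = bytearray(), 0
    while i < len(spec):
        ch = spec[i]
        if ch == "|":  # binary section such as |3a 01| -> b":\x01"
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end].replace(" ", ""))
            i = end + 1
        elif ch == "\\" and i + 1 < len(spec):
            out += spec[i + 1].encode("latin-1")
            i += 2
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)

def matching_rules(payload: bytes, rules=RULES) -> list[str]:
    """msg of every rule whose content occurs in payload; nocase folds ASCII case."""
    hits = []
    for msg, spec, nocase in rules:
        needle, hay = snort_content_to_bytes(spec), payload
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle in hay:
            hits.append(msg)
    return hits

# Constructed IRC lines (not captured traffic): a CTCP XDCC offer, a bot
# banner, and ordinary chat that happens to contain the word "recycler".
SAMPLES = {
    "ctcp_xdcc": b":bot!x@h PRIVMSG me :\x01XDCC SEND #3\x01\r\n",
    "banner": b":bot!x@h NOTICE me :** IROFFER pack list, Total Offered: 4\r\n",
    "chat": b":joe!x@h PRIVMSG #ops :the recycler truck is late again\r\n",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, "->", matching_rules(line))
```

The third sample shows why a bare keyword rule like "recycler" fires on ordinary conversation, which is the kind of false positive the beta testers were asked to report.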


