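├── Exploit-kits.rules
├── README.md
├── fake-browser-plugin-traffic.rules
├── juniper-screenOS.rules
├── malware.rules
└── ssl.rules

/Exploit-kits.rules:
--------------------------------------------------------------------------------
# Nuclear EK form POST from an infected client.
#
# Snort and Suricata comments start with '#'. The original '//' line is not
# comment syntax in either engine and makes the file fail to load. Multi-line
# rules also need a trailing backslash on every continued line; the original
# rule was spread over five lines without one.
#
# Rule layout: the POST body must begin with a JSON object of exactly three
# keys, "g", "p" and "A", each holding an upper-case hex string of 10+ chars.
# The three content matches anchor the key names (depth:6 pins {"g":" to the
# start of the body; distance:0 keeps the others in order); the pcre then
# enforces the hex values. The /P modifier restricts the pcre to the HTTP
# client body, the same buffer the content matches use, instead of the raw
# payload. The original /m modifier was a no-op (the pattern has no ^/$
# anchors) and is dropped.
#
# NOTE: 'alert http' is Suricata / Snort 3 syntax; Snort 2.9 needs
# 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS'.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Form POST From Client"; \
  flow:established,to_server; content:"POST"; http_method; \
  content:"{|22|g|22 3A 22|"; http_client_body; depth:6; \
  content:"|22|,|22|p|22 3A 22|"; http_client_body; distance:0; \
  content:"|22|,|22|A|22 3A 22|"; http_client_body; distance:0; \
  pcre:"/\{\x22g\x22\x3A\x22[A-F0-9]{10,}\x22\x2C\x22p\x22\x3A\x22[A-F0-9]{10,}\x22\x2C\x22A\x22\x3A\x22[A-F0-9]{10,}\x22\}/P"; \
  classtype:trojan-activity; sid:111111; rev:2;)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Snort-Rules
Collection of my test rules and submissions to the Emerging-Sigs mailing list (Emerging Threats).
Most rules use the Suricata / Snort 3 `alert http` form; see the comments in each file.
--------------------------------------------------------------------------------
/fake-browser-plugin-traffic.rules:
--------------------------------------------------------------------------------
# Submitted to Emerging-Sigs on 13-Feb-2015, based on new findings for this
# Talos post: http://blogs.cisco.com/security/talos/bad-browser-plug-ins
# (Comments use '#'. The original '*/ ... */' wrappers are not comment syntax
# in Snort or Suricata and break rule loading.)
#
# W32/MultiPlug adware ad-fraud traffic: GET /sync2/?rmbs=... carrying a fixed,
# outdated Chrome 24 User-Agent and no Referer header.
#
# Fixes relative to the original:
#  - the ';' inside the User-Agent content terminated the option early; it is
#    now written as |3B|, as both engines require for a literal semicolon.
#  - sid:1 was a placeholder that collides with other sid:1 rules in this repo
#    (duplicate sids are rejected at load time); moved into the local range.
# NOTE: 'alert http' needs Suricata or Snort 3.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/MultiPlug.Adware Adfraud Traffic 3"; \
  flow:established,to_server; content:"GET"; http_method; \
  content:"/sync2/?rmbs="; http_uri; depth:13; fast_pattern; \
  content:"Mozilla/5.0 (Windows NT 6.1|3B| WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"; http_header; \
  content:!"Referer|3A|"; http_header; classtype:trojan-activity; \
  reference:url,blogs.cisco.com/security/talos/bad-browser-plug-ins; sid:1000001; rev:2;)
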
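# W32/Jeefo adware CnC beacons: POST /?v=...&pcrc=... plus either &LUDT= or
# &LSVRDT=...&ty=, sent with neither a Referer nor a User-Agent header.
# NOTE: 'alert http' needs Suricata or Snort 3. Comments use '#'; the original
# '*/ ... */' wrapper is not comment syntax and breaks rule loading.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Jeefo Adware CnC Beacon 3"; flow:established,to_server; \
  content:"POST"; http_method; content:"/?v="; http_uri; depth:4; content:"&pcrc="; http_uri; content:"&LUDT="; http_uri; \
  content:!"Referer|3A|"; http_header; content:!"User-Agent|3A|"; http_header; classtype:trojan-activity; sid:1455993; rev:3;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Jeefo Adware CnC Beacon 2"; flow:established,to_server; \
  content:"POST"; http_method; content:"/?v="; http_uri; depth:4; content:"&pcrc="; http_uri; \
  content:"&LSVRDT="; http_uri; content:"&ty="; http_uri; content:!"Referer|3A|"; http_header; \
  content:!"User-Agent|3A|"; http_header; classtype:trojan-activity; sid:1455992; rev:2;)

--------------------------------------------------------------------------------
/juniper-screenOS.rules:
--------------------------------------------------------------------------------
# Juniper ScreenOS telnet banner (CVE-2015-7755, JSA10713).
# This rule only sets a flowbit and never alerts on its own (flowbits:noalert).
# It is the first half of a pair: a companion rule with
# 'flowbits:isset,fox.juniper.screenos' has to do the actual detection on the
# to_server side, and no such rule is present in this repo.
# offset:0 / depth:27 pin the 27-byte banner "Remote Management Console\r\n"
# to the start of the server's payload.
# reference:url takes a bare host/path; the engine prefixes "http://" itself,
# so the scheme in the original reference was dropped.
alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Flowbit - Juniper ScreenOS telnet (noalert)"; \
  flow:established,to_client; content:"Remote Management Console|0d0a|"; offset:0; depth:27; flowbits:set,fox.juniper.screenos; \
  flowbits:noalert; reference:cve,2015-7755; reference:url,kb.juniper.net/JSA10713; classtype:policy-violation; \
  sid:200000000; rev:2;)
--------------------------------------------------------------------------------
/malware.rules:
--------------------------------------------------------------------------------
# Comments use '#'. The following defects in the original file all stop the
# rules from loading and are fixed below: the '*/ ... */' comment wrappers, the
# missing opening quote on the WordPress pcre, the bare newline inside the
# WordPress msg, the 'pre:' typo and curly quotes in the IsSpace rule, and the
# untyped 'reference:http://...' in the Boaxxe rule. Rules that shared the
# placeholder sid:1 now carry unique local sids (1000000+); duplicate sids are
# rejected by both Snort and Suricata. Rules whose content changed got a rev
# bump.
# NOTE: 'alert http' rules need Suricata or Snort 3; the 'alert tcp ...
# $HTTP_PORTS' rules also work on Snort 2.9 with http_inspect enabled.

# ProxyBack malware traffic - posted 2015/12/24.
# GET /ne.php with the bare User-Agent "pb" (header line is exactly
# "User-Agent: pb\r\n").
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/ProxyBack CnC Beacon"; flow:established,to_server; content:"GET"; \
  http_method; content:"/ne.php"; http_uri; depth:7; content:"User-Agent|3A 20|pb|0d 0a|"; http_header; classtype:trojan-activity; \
  reference:url,researchcenter.paloaltonetworks.com/2015/12/proxyback-malware-turns-user-systems-into-proxies-without-consent/; \
  sid:100000; rev:2;)

# Gh0st RAT v3.6 (June 2015) check-in: the first 10 bytes of the client payload
# are the magic "clarkclar1" (the hex below decodes to that string).
# Destination port 201 is hard-coded from the observed sample; widen to 'any'
# if other samples use different ports. classtype added for consistency with
# the rest of the file.
alert tcp $HOME_NET any -> $EXTERNAL_NET 201 (msg:"Gh0stRAT malware v3.6 June 2015 check-in "; flow:to_server,established; \
  content:"|63 6c 61 72 6b 63 6c 61 72 31|"; depth:10; classtype:trojan-activity; sid:1000002; rev:2;)

# Submitted September 6 2015.
# W32/Boaxxe downloader CnC beacon: the payload starts with the
# "|CM01|CM02|CM03|CM03." marker (pipes written as |7C| because a bare '|'
# delimits hex in content strings).
# Fixes: no whitespace inside the flow option, the second reference typed as
# 'url' without the http:// scheme, and the sid without its leading zero.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Boaxxe.Downloader CnC Beacon"; flow:established,to_server; \
  content:"|7C|CM01|7C|CM02|7C|CM03|7C|CM03."; depth:40; classtype:trojan-activity; \
  reference:md5,fd2598e843d7c4d3d45f3038c06d8715; \
  reference:url,myonlinesecurity.co.uk/notice-of-appearance-in-court-js-malware/; sid:101010; rev:2;)

# Submitted on 13 Aug 2015.
# EXE download request from a WordPress folder (wp-content/, wp-admin/ or
# wp-includes/) - a likely compromised server being used to serve malware.
# The pcre runs against the normalized URI (/U) and must be quoted; the msg is
# now on one line (a bare newline inside the rule is a parse error).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EXE Download Request To Wordpress Folder - Potentially Compromised Server Being Used For Malware Distribution"; flow:established,to_server; \
  content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern:only; \
  pcre:"/\/wp\-(content\/|admin\/|includes\/).*\.exe$/U"; classtype:trojan-activity; sid:145661; rev:2;)

# Submitted to Emerging-Sigs on 22-July-2015.
# APT campaign targeting the aerospace industry and dropping the IsSpace
# backdoor (watering hole exploiting CVE-2015-5122, per the reference).
# CnC check-in: POST //SNews.asp?HostID=NN-NN-NN-NN-NN-NN, i.e. six two-digit
# groups separated by dashes at the very end of the URI.
# Fixes: straight quotes; 'pcre:' (was 'pre:'); '/' delimiters and the /U
# modifier on the pcre so it runs against the URI buffer; 'trojan-activity'
# instead of 'backdoor-activity', which is not defined in the stock
# classification.config of either engine; reference without the scheme.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET W32 Backdoor.IsSpace CnC"; flow:established,to_server; \
  content:"POST"; http_method; content:"//SNews.asp?HostID="; http_uri; depth:19; fast_pattern; \
  pcre:"/\?HostID=[0-9]{2}\-[0-9]{2}\-[0-9]{2}\-[0-9]{2}\-[0-9]{2}\-[0-9]{2}$/U"; classtype:trojan-activity; \
  reference:url,researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/; sid:1000003; rev:2;)

# Submitted 14-April-2014 to Emerging-Sigs (date as written in the original
# note; the referenced analysis is from July 2015).
# SeaDuke User-Agent "SiteBar/3.3.8 (Bookmark Server; http://sitebar.org/)".
# The original put the |0D 0A| line terminator before the closing ')', which a
# well-formed header line never produces, so the rule could not fire; the CRLF
# now follows the ')'. NOTE(review): confirm the exact UA against a sample pcap.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SeaDuke User-Agent"; \
  flow:established,to_server; content:"GET"; \
  http_method; content:"User-Agent|3A| SiteBar/3.3.8 (Bookmark Server|3B| http|3A|//sitebar.org/)|0D 0A|"; \
  http_header; reference:md5,a25ec7749b2de12c2a86167afa88a4dd; \
  reference:url,researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/; \
  classtype:trojan-activity; sid:99999999; rev:2;)

# Submitted on 10-Aug-2015.
# New download pattern seen in Dridex: GET /<1-7 alnum>/<1-7 alnum>.exe with no
# Referer header. depth:20 on ".exe" matches the pcre's maximum URI length
# (1+7+1+7+4 = 20 bytes). The original pcre had a stray space after the second
# '/', which a normalized URI does not contain and which kept the rule from
# matching; it is removed. The character class is case-sensitive by design of
# the original; add /i if mixed-case names are observed.
alert http $HOME_NET any -> $EXTERNAL_NET any \
  (msg:"ET CURRENT_EVENTS Potential W32/Dridex Alphanumeric Download Pattern"; flow:established,to_server; \
  content:"GET"; http_method; content:".exe"; http_uri; depth:20; content:!"Referer|3A|"; http_header; \
  pcre:"/^\/[a-z0-9]{1,7}\/[a-z0-9]{1,7}\.exe$/U"; \
  reference:url,blogs.cisco.com/security/dridex-attacks-target-corporate-accounting; \
  classtype:trojan-activity; sid:13082015; rev:2;)

# DiamondFox bot plugin request: GET /websito/plugins/... (the original hex
# content |2f 77 65 62 73 69 74 6f 2f 70 6c 75 67 69 6e 73 2f| decodes to that
# path). The original used 'within:50' with no preceding content match;
# 'within' is relative to the previous match and is an error without one.
# depth:50 expresses the intended "in the first 50 payload bytes" check.
# classtype added for consistency with the rest of the file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DiamondFox GET Plugin request "; flow:to_server,established; \
  content:"/websito/plugins/"; depth:50; classtype:trojan-activity; sid:1000004; rev:2;)

--------------------------------------------------------------------------------
/ssl.rules:
--------------------------------------------------------------------------------
# Zeus MiTM detection: abuse.ch SSL Blacklist entry for the VMZeuS MITM
# certificate. Matches on the cleartext server certificate in the TLS
# handshake (no decryption involved): the X.509 commonName OID 2.5.4.3
# (|55 04 03|), then distance:1 skips the one-byte ASN.1 string tag, then the
# length byte 0x13 (19) followed by the 19-byte CN "contactcitywell.com" -
# 20 bytes in total, hence within:20.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; \
  flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; \
  reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021553; rev:1;)
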
--------------------------------------------------------------------------------