[Emerging-Sigs] [Fwd: [Bleeding-sigs] Sigs without classtype]

CunningPike cunningpike at gmail.com
Mon Jan 26 00:02:11 EST 2009


-------- Forwarded Message --------
> From: Zultan <zultan at mad.scientist.com>
> Reply-To: Bleeding Sigs <bleeding-sigs at bleedingthreats.net>
> To: bleeding-sigs <bleeding-sigs at bleedingthreats.net>
> Subject: [Bleeding-sigs] Sigs without classtype
> Date: Mon, 26 Jan 2009 03:25:48 +0000
> 
> The rules do not have a classtype.
> 
> Z...
> 
> /etc/snort/rules/em-threat/emerging-policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE under 128)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,<,128,58,relative,little; content:"PE|00 00|"; rawbytes; within:130; sid:2009033; rev:1;)
> 
> /etc/snort/rules/em-threat/emerging-policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 160)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,160,58,relative,little; content:"PE|00 00|"; rawbytes; within:162; sid:2009034; rev:1;)
> 
> /etc/snort/rules/em-threat/emerging-policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 512)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,512,58,relative,little; content:"PE|00 00|"; rawbytes; within:514; sid:2009035; rev:1;)
> 
> /etc/snort/rules/em-threat/emerging-virus.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report"; flow:established,to_server; content:"POST "; depth:5; content:"&hAssunto=infect-"; distance:50; within:400; content:"&hCorpo="; distance:0; within:50; content:"&hPara="; distance:0; within:50; sid:2008984; rev:1;)
> 
> 
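The point of the report is that the four quoted rules carry `sid` and `rev` but no `classtype`. A small linter that tokenises Snort rule options (respecting quoted `msg`/`content` values, which may themselves contain `;`, `(` or `|`) and lists every rule without a `classtype` is the check a maintainer would run over the rule files before shipping. The following Python is an added example and not code from the message or from the Emerging Threats project; the sample input is constructed from the four rule lines quoted above (grep prefix included) plus one made-up rule that does carry a classtype.

```python
import re

# Constructed input: the four rule lines quoted in the message, as grep printed
# them with the "path:" prefix, plus one made-up rule that has a classtype so the
# linter has a negative case.
SAMPLE_GREP_OUTPUT = r'''
/etc/snort/rules/em-threat/emerging-policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE under 128)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,<,128,58,relative,little; content:"PE|00 00|"; rawbytes; within:130; sid:2009033; rev:1;)
/etc/snort/rules/em-threat/emerging-policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 160)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,160,58,relative,little; content:"PE|00 00|"; rawbytes; within:162; sid:2009034; rev:1;)
/etc/snort/rules/em-threat/emerging-policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 512)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,512,58,relative,little; content:"PE|00 00|"; rawbytes; within:514; sid:2009035; rev:1;)
/etc/snort/rules/em-threat/emerging-virus.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report"; flow:established,to_server; content:"POST "; depth:5; content:"&hAssunto=infect-"; distance:50; within:400; content:"&hCorpo="; distance:0; within:50; content:"&hPara="; distance:0; within:50; sid:2008984; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE rule with classtype; constructed"; flow:established,to_server; content:"GET "; depth:4; classtype:policy-violation; sid:9000001; rev:1;)
'''

# "path:" prefix that grep prepends when searching several rule files.
GREP_PREFIX = re.compile(r'^[^\s(]+:(?=(?:alert|log|pass|drop|reject|sdrop)\s)')


def split_options(body):
    """Split the option body on ';' while ignoring ';' inside double quotes
    (and backslash-escaped quotes inside quoted values)."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
            continue
        if ch == '\\' and in_quote:
            cur.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opt = ''.join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
            continue
        cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(line):
    """Return (header, [(name, value_or_None), ...]) for one Snort rule.
    The header never contains '(' and the rule always ends with ')', so the
    first '(' and the last ')' delimit the options even if msg has parentheses."""
    header, sep, rest = line.partition('(')
    if not sep or ')' not in rest:
        raise ValueError('not a rule: %r' % line)
    body = rest[:rest.rfind(')')]
    options = []
    for opt in split_options(body):
        name, sep, value = opt.partition(':')
        options.append((name.strip(), value.strip() if sep else None))
    return header.strip(), options


def option_value(options, name):
    for opt_name, value in options:
        if opt_name == name:
            return value
    return None


def lint_classtype(text):
    """Return [{'sid', 'msg', 'header'}] for every rule lacking a classtype."""
    findings = []
    for raw in text.splitlines():
        line = GREP_PREFIX.sub('', raw.strip())
        if not line or line.startswith('#'):
            continue
        header, options = parse_rule(line)
        if option_value(options, 'classtype') is None:
            findings.append({
                'sid': option_value(options, 'sid'),
                'msg': (option_value(options, 'msg') or '').strip('"'),
                'header': header,
            })
    return findings


if __name__ == '__main__':
    for f in lint_classtype(SAMPLE_GREP_OUTPUT):
        print('missing classtype: sid %s  %s' % (f['sid'], f['msg']))
```

Run against real rule files the same way (`lint_classtype(open(path).read())`); a rule with no `classtype` falls back to Snort's default priority, which is why such gaps are worth catching at review time rather than in the alert queue.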
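The three ET POLICY rules share one mechanism: after matching `MZ`, `byte_test:4,<op>,<n>,58,relative,little` reads the 4-byte little-endian value 58 bytes past the end of that match, which is file offset 60, the DOS header's `e_lfanew` field that points at the `PE\0\0` signature; the second `content` then requires that signature within the stated window. The Python below is an added example, not code from the message or from the Emerging Threats project: it emulates the three rules over constructed DOS-stub buffers so a reader can see which `e_lfanew` values each one flags. It simplifies Snort's `within` to "signature found in the N bytes after the MZ match", which is enough for these rules but not a general rule engine.

```python
import struct

PE_SIGNATURE = b'PE\x00\x00'
E_LFANEW_OFFSET = 60          # file offset of e_lfanew in the DOS header
BYTE_TEST_REL_OFFSET = 58     # the rules' "58,relative": 2 (len "MZ") + 58 == 60

# (sid, byte_test operator, byte_test value, within) as quoted in the message.
DETECTIONS = [
    (2009033, '<', 128, 130),
    (2009034, '=', 160, 162),
    (2009035, '=', 512, 514),
]

OPS = {'<': lambda a, b: a < b, '=': lambda a, b: a == b}


def rule_fires(payload, relation, value, within):
    """Emulate: content:"MZ"; byte_test:4,<relation>,<value>,58,relative,little;
    content:"PE|00 00|"; within:<within>.
    content:"MZ" has no offset/depth, so every occurrence is tried, as Snort
    would retry later matches when the following options fail."""
    start = 0
    while True:
        mz = payload.find(b'MZ', start)
        if mz < 0:
            return False
        match_end = mz + 2
        field = match_end + BYTE_TEST_REL_OFFSET
        if field + 4 <= len(payload):
            (e_lfanew,) = struct.unpack_from('<I', payload, field)
            # byte_test does not move the detection cursor, so "within" is still
            # measured from the end of the MZ match (simplified here to a slice).
            if OPS[relation](e_lfanew, value) and \
                    PE_SIGNATURE in payload[match_end:match_end + within]:
                return True
        start = mz + 1


def matching_sids(payload):
    """Return the sids of the three rules that would fire on this payload."""
    return [sid for sid, op, val, within in DETECTIONS
            if rule_fires(payload, op, val, within)]


def make_dos_stub(e_lfanew, total=None):
    """Constructed sample: a minimal MZ header whose e_lfanew points at a
    PE signature. Not a real executable; only the fields the rules read are set."""
    if e_lfanew < 64:
        raise ValueError('e_lfanew must not overlap the DOS header')
    buf = bytearray(total or e_lfanew + len(PE_SIGNATURE) + 16)
    buf[:2] = b'MZ'
    struct.pack_into('<I', buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    return bytes(buf)


if __name__ == '__main__':
    for offset in (64, 160, 232, 512):
        print('e_lfanew=%d -> sids %s' % (offset, matching_sids(make_dos_stub(offset))))
```

The 232 (0xE8) case shows the intent of the rules: a DOS stub of that length is what common linkers emit, so none of the three fires, while an unusually short stub (under 128) or the round offsets 160 and 512 are treated as worth a policy alert.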