[Emerging-Sigs] anyone think these could be useful

Kevin Ross kevross33 at googlemail.com
Fri Jul 24 09:48:05 EDT 2009


Yeah. I think Policy would be more appropriate, though I would get nervous if
a machine requested an .exe from a .ru or .cn site :) The pcre one I was
more concerned about load from the pcre.

2009/7/24 dxp <dxp2532 at gmail.com>

> If these ever get implemented then perhaps it should be for the POLICY
> ruleset and not MALWARE. There's nothing malicious about requesting an EXE
> file from those TLDs.
>
> Last rule for the excessive connections is an overkill in my opinion.
> Again, who says those TLDs are suspicious?
>
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
>
>
>
> On Fri, 2009-07-24 at 10:46 +0100, Kevin Ross wrote:
>
> Me just playing about. Does anyone think this sort of signature could be
> useful?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE Possible
> Malware .exe Request from a Chinese Domain";  flow:to_server,established;
> uricontent:".cn/"; nocase; uricontent:".exe"; nocase;
> classtype:trojan-activity; sid:160000004; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE Possible
> .exe Request from a Russian Domain";  flow:to_server,established;
> uricontent:".ru/"; nocase; uricontent:".exe"; nocase;
> classtype:trojan-activity; sid:160000003; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE Possible
> .exe request from a .biz domain - Possible Malware Infection";
> flow:to_server,established; uricontent:".biz/"; nocase; uricontent:".exe";
> nocase; classtype:trojan-activity; sid:160000006; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE
> Excessive Connection Attempts to Suspicious Domain, Possible Malware
> Infection"; flow:to_server; flags:S,12; pcre:"/(.ru/|.cn/|.biz/)/Ui";
> threshold: type threshold, track by_src, count 40, seconds 30;
> classtype:trojan-activity; sid:160000007; rev:1;)
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
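An added example, not part of the thread or of any ET ruleset, that replays the two ideas in the quoted rules in Python: the TLD-plus-.exe match of the uricontent rules, and the `track by_src, count 40, seconds 30` threshold of the last one. The request records, source IPs and hostnames are constructed for illustration; it also shows why the unescaped dots in the quoted pcre over-match.

```python
import re
from collections import defaultdict, deque

# Constructed request records: (seconds, source IP, requested URL).
SAMPLE_REQUESTS = [
    (0.0, "10.0.0.5", "http://files.example.cn/setup.exe"),
    (1.5, "10.0.0.5", "http://mirror.example.ru/tools/Update.EXE"),
    (2.0, "10.0.0.7", "http://www.example.com/docs/xru/readme.exe"),
    (3.0, "10.0.0.7", "http://www.example.com/about.html"),
]

# The quoted pcre, (.ru/|.cn/|.biz/), leaves the dots unescaped, so '.' matches
# any single character: 'xru/' inside a .com path satisfies it.
LOOSE_TLD = re.compile(r"(.ru/|.cn/|.biz/)", re.IGNORECASE)
# Escaping the dots makes a literal '.' before the label part of the test.
STRICT_TLD = re.compile(r"(\.ru/|\.cn/|\.biz/)", re.IGNORECASE)


def tld_exe_match(url, tld_pattern=STRICT_TLD):
    """Mirror the uricontent pair: a TLD marker and '.exe' anywhere, case-insensitive."""
    return bool(tld_pattern.search(url)) and ".exe" in url.lower()


def flag_exe_requests(requests, tld_pattern=STRICT_TLD):
    """Return the (src, url) pairs the per-request rules would alert on."""
    return [(src, url) for _, src, url in requests if tld_exe_match(url, tld_pattern)]


def threshold_alerts(requests, count=40, seconds=30, tld_pattern=STRICT_TLD):
    """Emulate 'threshold: type threshold, track by_src, count N, seconds M':
    one alert each time `count` matching requests from a source fall within
    `seconds`; that source's tally restarts after it fires."""
    windows = defaultdict(deque)  # src -> timestamps of recent matches
    alerts = []
    for ts, src, url in requests:
        if not tld_pattern.search(url):
            continue
        window = windows[src]
        window.append(ts)
        while window and ts - window[0] > seconds:  # expire matches outside the window
            window.popleft()
        if len(window) >= count:
            alerts.append((ts, src))
            window.clear()
    return alerts


def burst(src, n, start=0.0, step=0.5, url="http://x.example.biz/a.exe"):
    """Constructed helper: n requests from one source, `step` seconds apart."""
    return [(start + i * step, src, url) for i in range(n)]
```

Running `flag_exe_requests(SAMPLE_REQUESTS, LOOSE_TLD)` flags the .com request as well, while the escaped pattern flags only the .cn and .ru ones; `threshold_alerts(burst("10.0.0.9", 45))` fires once, at the 40th request.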