Akamai Malware Snort Rules
These are identical to the Malware Snort Rules available below, with the
exception that they only look for successful HTTP requests to malicious domains
hosted by Akamai. To accomplish this feat you will need to add a variable to
your snort.conf file. Read the remarks in the ruleset for details on how to
perform this task.
America Online Malware Snort Rules
These are identical to the Malware Snort Rules available below, with the
exception that they only look for successful HTTP requests to malicious domains
hosted by AOL. To accomplish this feat you will need to add a variable to
your snort.conf file. Read the remarks in the ruleset for details on how to
perform this task.
Countries Snort Rules
Intended to detect HTTP requests to domains by country code.
Malware Snort Rules
Intended to detect successful HTTP requests to domains known for malicious activity.
Such activity includes but is not limited to the use of tracking cookies, drive-by
installs of software, or use as controller servers for spyware. Note that I
am not responsible for determining whether a domain is malicious or not. I
culled the domain names from dozens of reputable and publicly available sources,
so don't whine to me if your domain is included.
NPI Snort Rules
Note that this ruleset is for historical purposes only. The individual rules have been
incorporated into the "policy" ruleset of Bleeding Edge Threats so that is where I will
continue to maintain them. Check
their download section for the latest version of bleeding-policy.rules.
Intended to detect sensitive information leaving your environment, including:
- US Government Data Classifications - Top Secret, NOFORN, COMINT, PROPIN, etc.
- HIPAA related stuff - HCPCS, ICD-10, AMA CPT and other codes.
- GLBA related stuff - Social Security and Credit Card numbers, etc.
- Other terms that indicate sensitive material - "password", "law enforcement sensitive", etc.
Social Network Snort Rules
Intended to detect the use of MySpace, Friendster and about 300 other social networking web sites.
Web Proxy Snort Rules
Intended to detect the use of web-based proxies such as Anonymizer. I would like to key off of actual requests
to the proxies, but this is not possible since the various services use very different methods. Thus I took the
easy way out and just key off of activity to the domains. The rules are still effective, though, since the only services
currently available at most of the sites are proxies; therefore, should a rule be triggered, you can be rather confident
that the intent of the source is to utilize said services.
Miscellaneous Rules
These are various rules I have required in the past. In case you are wondering why I don't escape all of the dots in the HTTP rules, there are actually three reasons:
- They aren't really necessary in the host parameter. An unescaped dot is a single-character wildcard, which in a Host header has virtually the same effect as an explicit dot.
- It makes for much easier reading in rules that have multiple domains in the expression.
- In large files like malware.rules neglecting to escape the dots where possible saves thousands of characters.
Google Image Search, Safe Mode Off
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INAPPROPRIATE - Google Image Search, Safe Mode Off"; flow:established; uricontent:"&safe=off"; pcre:"/Host\:\simages.google.com\r\n/ism";)
Microsoft Hotmail Login
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INAPPROPRIATE - Hotmail Login"; flow:established; uricontent:"/hmhome?fti"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(hotmail.msn.com)\r\n/ism";)
Yahoo Mail Login
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INAPPROPRIATE - Yahoo Mail Login"; flow:established; uricontent:"/ym/login?.rand"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(mail.yahoo.com)\r\n/ism";)
MySpace Login
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INAPPROPRIATE - MySpace Login"; flow:established; uricontent:"fuseaction=login.process"; pcre:"/Host\:\slogin.myspace.com\r\n/ism";)
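As an added illustration (not part of the original rule set), the following Python script runs the uricontent and pcre options of the four HTTP rules above against constructed requests, including a look-alike host that the unescaped dots also admit. The request builder and the substring approximation of uricontent are assumptions of this example, not Snort's own matching engine.

```python
import re

# Snort's /ism pcre modifiers correspond to these Python flags.
FLAGS = re.I | re.S | re.M

# uricontent and pcre options taken verbatim from the four HTTP rules above.
# Keys are the rule msg strings; flow:established is not modelled here.
RULES = {
    "INAPPROPRIATE - Google Image Search, Safe Mode Off":
        (b"&safe=off", rb"Host\:\simages.google.com\r\n"),
    "INAPPROPRIATE - Hotmail Login":
        (b"/hmhome?fti", rb"(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(hotmail.msn.com)\r\n"),
    "INAPPROPRIATE - Yahoo Mail Login":
        (b"/ym/login?.rand", rb"(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(mail.yahoo.com)\r\n"),
    "INAPPROPRIATE - MySpace Login":
        (b"fuseaction=login.process", rb"Host\:\slogin.myspace.com\r\n"),
}


def build_request(host: bytes, uri: bytes) -> bytes:
    """Constructed sample GET request with the CRLF line endings the pcre patterns expect."""
    return b"GET " + uri + b" HTTP/1.1\r\nHost: " + host + b"\r\nUser-Agent: sample\r\n\r\n"


def match_rules(request: bytes) -> list:
    """Return the msg of every rule whose uricontent and pcre both hit.

    uricontent is approximated as a plain substring test on the request-line URI
    (Snort normalises the URI first); the pcre is run over the whole payload,
    which is what an un-anchored pcre without relative modifiers does in Snort.
    """
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return [msg for msg, (uricontent, pcre) in RULES.items()
            if uricontent in uri and re.search(pcre, request, FLAGS)]


if __name__ == "__main__":
    samples = [
        build_request(b"images.google.com", b"/images?q=cats&safe=off"),
        build_request(b"images.google.com", b"/images?q=cats&safe=active"),
        build_request(b"www.hotmail.msn.com", b"/cgi-bin/hmhome?fti=yes"),
        # Unescaped dots are single-character wildcards, so this look-alike host also matches.
        build_request(b"images-google.com", b"/images?q=cats&safe=off"),
    ]
    for req in samples:
        print(req.split(b"\r\n")[1].decode(), "->", match_rules(req))
```

The last sample shows the trade-off the remarks above describe: the unescaped dots keep the rules short, at the cost of also firing on hosts that differ from the intended domain by one character in a dot position.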
Email to a SprintPCS.com account. Feel free to change the "sprintpcs" and "com" to reflect other domains, but do not mess with any other characters (with the exception of the message parameter...).
alert tcp $SMTP_SERVERS any -> any 25 (msg:"AUDITING - Email to SprintPCS Account"; flow:established; content:"LO "; pcre:"/(HELO\s|EHLO\s).*(RCPT\sTO\:).*(\@sprintpcs\.com).*(?=DATA\r\n).*\r\n\.\r\n/ism";)
Successfully spoofed email. Change the "sprintpcs" and "com" to reflect your own domain. Do not mess with any other characters.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INCIDENT - Successfully Spoofed Email"; flow:from_client,established; content:"LO "; pcre:"/(HELO\s|EHLO\s).*(MAIL\sFROM\:\s[a-zA-Z0-9\.\-\<\;]+\@sprintpcs\.com[a-zA-Z0-9\.\-\>\;]+\r\n).*\r\n\.\r\n/ism";)