RuleChanges - r2 - 28 Sep 2007 - 09:47:18 - RajendraPalnaty

Last 50 Site Changes

Results from Main web retrieved at 03:36 (GMT)

alert tcp $HOME NET any $EXTERNAL NET 1024: (msg:"ET TROJAN ZeuS ICE IX cid in cookie"; content:"POST"; http method; content:" 0D 0A Cookie 3a cid "; pcre: ...
#alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED HTTP Request to a .cz.tf domain"; flow:to server,established; content:".cz.tf 0D 0A "; fast ...
##alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET DELETED FAKEAV CryptMEN inst.exe Payload Download"; flow:established,from server; content:"Content ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET TROJAN Delf/Troxen/Zema controller delivering clickfraud instructions"; flow:established,to client; file ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN MSUpdater POST checkin to CnC"; flow:established,to server; content:"/microsoft/errorpost/default ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN MSUpdater post auth checkin"; flow:established,to server; content:"/search6"; http uri; fast pattern ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET TROJAN Delf/Troxen/Zema controller responding to client"; flow:established,to client; file data; content ...
alert tcp $EXTERNAL NET 443 $HOME NET any (msg:"ET TROJAN Sykipot SSL Certificate serial number detected"; flow:established,to client; content:" 16 "; content: ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN MSUpdater Connectivity Check to Google"; flow:established,to server; content:"/search?qu "; http ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MOBILE MALWARE Android/Plankton.P Commands Request to CnC Server"; flow:established,to server; content ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN MSUpdater alt checkin to CnC"; flow:established,to server; content:"/microsoft/errorpost/default ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET CURRENT EVENTS CutePack Exploit Kit JavaScript Variable Detected"; flow:established,to client; content ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Likely MS12 004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS CUTE IE.html CutePack Exploit Kit Landing Page Request"; flow:established,to server; content ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET CURRENT EVENTS CutePack Exploit Kit Landing Page Detected"; flow:established,to client; content:"button ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET CURRENT EVENTS CUTE IE.html CutePack Exploit Kit Iframe for Landing Page Detected"; flow:established ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN TLD4 Purple Haze Variant Initial CnC Request for Ad Servers"; flow:established,to server; content ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET POLICY File Being Uploaded to SendSpace File Hosting Site"; flow:established,to server; content:"POST ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET CURRENT EVENTS Blackhole Exploit Kit JavaScript colon string splitting"; flow:established,from server ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Dapato/Cleaman Checkin"; flow:established,to server; content:".php?rnd "; http uri; fast pattern ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 5"; flow:established,to server; content ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET POLICY Outbound HTTP Connection From Cisco IOS Device"; flow:established,to server; content:"User Agent ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET CURRENT EVENTS Yang Pack Exploit Kit Landing Page Known JavaScript Function Detected"; flow:established ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Blackhole Java Exploit request to /content/rin.jar"; flow:established,to server; content ...
alert tcp $EXTERNAL NET any $HTTP SERVERS $HTTP PORTS (msg:"ET WEB SPECIFIC APPS IBBY nouvelles.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request"; flow:established ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN W32/118GotYourNo Reporting to CnC"; flow:established,to server; content:"POST"; http method; content ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN W32/VPEYE Trojan Downloader User Agent (VP EYE Downloader)"; flow:established,to server; content ...
alert tcp $EXTERNAL NET any $HTTP SERVERS $HTTP PORTS (msg:"ET WEB SPECIFIC APPS IBBY nouvelles.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MALWARE W32/MediaGet Checkin"; flow:established,to server; content:" Added 2012 02 06 22:00:16 UTC
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MALWARE W32/OpenTrio User Agent (Open3)"; flow:established,to server; content:"User Agent 3A 20 Open3 ...
alert tcp $EXTERNAL NET any $HTTP SERVERS $HTTP PORTS (msg:"ET WEB SPECIFIC APPS IBBY nouvelles.php id Parameter UNION SELECT SQL Injection Attempt"; flow:established ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MALWARE Malicious getpvstat.php file Reporting"; flow:established,to server; content:"GET"; http method ...
alert tcp $EXTERNAL NET any $HTTP SERVERS $HTTP PORTS (msg:"ET WEB SPECIFIC APPS IBBY nouvelles.php id Parameter SELECT FROM SQL Injection Attempt"; flow:established ...
alert tcp $EXTERNAL NET any $HTTP SERVERS $HTTP PORTS (msg:"ET WEB SPECIFIC APPS Joomla mod currencyconverter from Cross Site Scripting Attempt"; flow:established ...
alert tcp $EXTERNAL NET any $HTTP SERVERS $HTTP PORTS (msg:"ET WEB SPECIFIC APPS SAPID get infochannel.inc.php Remote File inclusion Attempt"; flow:established ...
alert tcp $EXTERNAL NET any $HTTP SERVERS $HTTP PORTS (msg:"ET WEB SPECIFIC APPS IBBY nouvelles.php id Parameter DELETE FROM SQL Injection Attempt"; flow:established ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET VIRUS Malicious file BaiduPlayer1.0.21.25.exe download"; flow:established,to server; content:"GET"; http ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MALWARE Malicious ad track.php file Reporting"; flow:established,to server; content:"GET"; http method ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin"; flow:established,to server; content:"GET"; http method ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Win32.MSUpdater C C traffic GET"; flow:from client,established; content:".aspx?ID "; http uri ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Incognito Exploit Kit Java request to showthread.php?t "; flow:established,to server; ...
##alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED MSUpdater.net Spyware Checkin"; flow:established,to server; content:"/popsetarray.php? country ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Win32/Cryptrun.B/MSUpdater C C traffic 1"; flow:from client,established; content:"/search"; http ...
#alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MALWARE User Agent (Yodao Desktop Dict)"; flow:to server,established; content:"User Agent 3a Yodao ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Unknown Malware Checkin Possibly ZeuS"; flow:established,to server; content:"POST"; http ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Win32.Pamesg/ArchSMS.HL CnC Checkin"; flow:established,to server; content:".php?aid "; http uri ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Laik exploit kit binary download request"; flow:established,to server; content:"/load ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET CURRENT EVENTS Probable Laik exploit kit landing page with obfuscated URLs"; flow:established,from server ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Win32/Cryptrun.B Connectivity check"; flow:from client,established; content:"GET"; http method ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Zeus POST Request to CnC content type variation"; flow:established,to server; content:"POST ...
#alert udp $HOME NET 137 $EXTERNAL NET any (msg:"ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration"; content:" 20 43 ...
##alert tcp $HOME NET any any 6667 (msg:"ET DELETED Likely Botnet Activity"; flow:to server,established; content:"PRIVMSG 20 "; depth:8; pcre:"/(cheguei gazelas ...
##alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED Suspicious User Agent (TheWorld)"; flow:established,to server; content:"TheWorld"; http header ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Zeus POST Request to CnC URL agnostic"; flow:established,to server; content:"POST"; http method ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS TROJAN ClickCounter Connectivity Check"; flow:established,to server; content:" clickme ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Suspicious HTTP Request to . kwik.to/i.html"; flow:established,to server; content:"kwik ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related"; flow:established,to server; content ...
alert udp $HOME NET any $EXTERNAL NET 53 (msg:"ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related"; content:" 01 00 00 01 00 00 00 00 00 00 " ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET POLICY Cnet App Download and Checkin"; flow:established,to server; content:"POST"; http method; content ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin"; flow:established,to server; content:"?sv "; fast pattern; http uri; content ...
##alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED Adware/Spyware Adrotator for Rogue AV"; flow:established,to server; content:"GET"; http method ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET CURRENT EVENTS DRIVEBY Unknown Landing Page Received"; flow:established,from server; file data; content ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET TROJAN W32/Mentory CnC Server Providing File Info Details"; flow:established,to client; file data; content ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET TROJAN W32/Mentory CnC Server Providing Update Details"; flow:established,to client; file data; content ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Suspicious User Agent MyAgrent"; flow:established,to server; content:"User Agent 3A 20 MyAgrent ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN W32/DelfInject.A CnC Checkin 2"; flow:established,to server; content:"/gate.php?username "; http ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MOBILE MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to server; content:" ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN ET TROJAN Bifrose/Cycbot Checkin 2"; flow:established,to server; content:"?pr "; http uri; fast ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MOBILE MALWARE Android/FakeTimer.A Reporting to CnC"; flow:established,to server; content:"/send.php ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Blackhole Rhino Java Exploit request to /content/rino.jar"; flow:established,to server ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Blackhole OBE Java Exploit request to /content/obe.jar"; flow:established,to server; content ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Blackhole Acrobat 1 7 PDF exploit download request 4"; flow:established,to server; content ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 4"; flow:established,to server; content ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET CURRENT EVENTS Microsoft Windows Media component specific exploit"; flow:established,to client; file ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET CURRENT EVENTS Microsoft Windows Media component specific exploit SET"; flow:established,to client ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET CURRENT EVENTS DRIVEBY PDF Containing Subform with JavaScript"; flow:established,to client; file data ...
##alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED W32/Parite CnC Checkin"; flow:established,to server; content:"?MI "; http uri; content:" os ...
alert tcp $EXTERNAL NET any $HOME NET $HTTP PORTS (msg:"ET CURRENT EVENTS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow ...
alert tcp $HOME NET any $EXTERNAL NET 3389 (msg:"ET TROJAN MS Terminal Server User A Login, possible Morto Outbound"; flow:to server,established; content:" 03 00 ...
##alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET DELETED Client Visiting Sidename.js Injected Website Malware Related"; flow:established,to client ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Sinowal/sinonet/mebroot infected host POSTing process list"; flow:established,to server; file ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Gozi Checkin to CnC"; flow:to server,established; content:"user id "; depth:8; http client body ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Suspicious executable download possible Trojan NgrBot"; flow:established,to server; content ...
##alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED Suspicious User Agent Detected (DigitAl56K/6.3)"; flow:established,to server; content:"User ...
#alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED Megaupload file download service access"; flow:to server,established; content:"GET"; http method ...
#alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED Banker.OT Checkin (2 packet)"; flow:established,to server; content:"praquem "; depth:8; content ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Known Malicious Link Leading to Exploit Kits (t.php?id is1)"; flow:established,to server ...
##alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested class.class"; flow ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Win32/Wombot.A checkin Possible Bruteforcer for Web Forms and Accounts HTTP POST"; flow:established ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Goldun Reporting User Activity"; flow:established,to server; content:".php?param "; http uri; ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Clickfraud Framework Request"; flow:to server,established; content:"/go.php?uid "; http ...
#alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED Unknown checkin"; flow:established,to server; content:"POST"; http method; content:"/c.php" ...
##alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:"ET DELETED Driveby bredolab server response contains .ru 8080/index.php?"; flow:established,to client ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN UGP!tr/Cryptor/Graftor Dropper Requesting exe"; flow:established,to server; content:"/yahoo.com ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET GAMES Blizzard Downloader Client User Agent (Blizzard Downloader 2.x)"; flow:to server,established; content ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Sakura Exploit Kit Binary Load Request"; flow:established,to server; content:"/load.php ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS LOIC Javascript DDoS Outbound"; flow:established,to server; content:"GET"; http method ...
Number of topics: 100

-- MattJonkman - 28 Feb 2007
