Main WebEmerging Threats Rule Documentation Wiki
This wiki contains all current rules, added as each is put into the main tarball and cvs repository. The rule author, if available, is primarily responsible for the documentation of a rule, however the entire community is encouraged and welcomed to contribute or document any rule. You may attach pcaps, packet text, and even code samples to any entry relevant. This is particularly useful for future troubleshooting. Please document if possible where the sample was captured. If you have a sample that's not suitable for posting publicly please contact emerging@emergingthreats.net and it can be archived privately, available to any vetted researcher. UserDocs | AllRulesets | EmergingFAQ | AllProjectsStart Here
Want some guidance on using the Emerging Threats Rulesets for the first time? NewUserGuide Some tips on writing rules? SnortSigs101 Tips on what to add to your local ruleset that's not in the main rulesets: WhatEverySnortUserShouldDo?OpenInfosec
Feature development discussions around the Open Information Security Foundation's new projects! ( http://www.openinfosecfoundation.org )SidReporter
Try out SidReporter, the newest project at Emerging Threats!! Help improve the accuracy and reliability of the Emerging Threats Rulesets anonymously!Last 10 Signature Documentation Changes
Results from Main web retrieved at 18:57 (GMT)
#alert udp $HOME NET 137 $EXTERNAL NET any (msg:"ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration"; content:" 20 43 ...
##alert tcp $HOME NET any any 6667 (msg:"ET DELETED Likely Botnet Activity"; flow:to server,established; content:"PRIVMSG 20 "; depth:8; pcre:"/(cheguei gazelas ...
##alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED Adware/Spyware Adrotator for Rogue AV"; flow:established,to server; content:"GET"; http method ...
alert tcp $HOME NET any $EXTERNAL NET 3389 (msg:"ET TROJAN MS Terminal Server User A Login, possible Morto Outbound"; flow:to server,established; content:" 03 00 ...
##alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED Suspicious User Agent Detected (DigitAl56K/6.3)"; flow:established,to server; content:"User ...
#alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED Megaupload file download service access"; flow:to server,established; content:"GET"; http method ...
#alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET DELETED Banker.OT Checkin (2 packet)"; flow:established,to server; content:"praquem "; depth:8; content ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Win32/Wombot.A checkin Possible Bruteforcer for Web Forms and Accounts HTTP POST"; flow:established ...
alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN Goldun Reporting User Activity"; flow:established,to server; content:".php?param "; http uri; ...
#alert udp any 53 $HOME NET any (msg:"ET DNS Excessive NXDOMAIN responses Possible DNS Backscatter or Fast Flux DNS Lookups"; byte test:1, ,128,2; byte test:1 ...
Number of topics: 10
All additions will be reviewed by the documentation team at Emerging Threats, a volunteer group. Please report any inaccuracies or wikispam to emerging@emergingthreats.net.
To post please register. -- Registration
Follow documentation updates via WebRss or WebAtom
Conventions
All rules are available by accessing the following URL format:Main Utilities
Main Web
Create New Topic
Index
Search
Changes
Preferences- User Reference
- ATasteOfTWiki
- TextFormattingRules
- Signature Reference
- WebRss Feed
- EmergingFAQ
 |
|
Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback