This wiki contains all current rules, added as each is put into the main tarball and CVS repository. The rule author, if available, is primarily responsible for the documentation of a rule; however, the entire community is encouraged and welcome to contribute to or document any rule. You may attach pcaps, packet text, and even code samples to any relevant entry. This is particularly useful for future troubleshooting. Where possible, please document where the sample was captured. If you have a sample that is not suitable for posting publicly, please contact emerging@emergingthreats.net and it can be archived privately, available to any vetted researcher.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (agent)"; flow:to_server,established; content:"|0d 0a|User-Agent\: agent ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (fireworks.exe)"; flow:established,to_server; content ...
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow:established; content:"|0d 0a| ...
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send an image"; flow:established; content:"Content ...
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send image, Win32"; flow:established; content:"Content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET TROJAN LD Pinch Checkin (HTTP POST on port 82)"; flow:established,to_server; content:"POST "; depth:5; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32 Cloaker Related Post Infection Checkin"; flow:established,to_server; uricontent:"/log/proc ...
All additions will be reviewed by the documentation team at Emerging Threats, a volunteer group. Please report any inaccuracies or wikispam to emerging@emergingthreats.net.
To post, please register.
Follow documentation updates via the WebRss or WebAtom feeds.
Conventions
All rules are available by accessing the following URL format:
http://doc.emergingthreats.net/SID
e.g. http://docs.emergingthreats.net/2003434
When a rule is changed, the new revision is automatically placed above the old rule and old comments, with an auto-added timestamp. This keeps each conversation tied to the revision of the rule it was written against. Please post "Yes, that fixed it" comments when a new revision fixes an older issue.
Within each signature entry there is a form for comments, suitable for short entries or questions about a rule. For larger posts or formal documentation, please use the edit function and place the information below the existing content. You can use most HTML tags; we recommend wrapping code or packet text in PRE tags to keep it formatted as intended.
Signature authors are informally responsible for initial documentation where necessary. However, ANY user may post information they have to contribute, and please do.
Documentation need not be formal. Links to POC code, vulnerability alerts, and even mailing list conversations may be added to a rule's documentation. More information is always better. The Emerging Documentation team will review and reformat content as required over time.