EmergingThreats> Main Web>WebHome (revision 62)EditAttach

Emerging Threats Rule Documentation Wiki

This wiki contains all current rules, added as each is put into the main tarball and cvs repository. The rule author if available is primarily responsible for the documentation of a rule, however the entire community is encouraged and welcomed to contribute or document any rule. You may attach pcaps, packet text, and even code samples to any entry relevant. This is particularly useful for future troubleshooting. Please document if possible where the sample was captured. If you have a sample that's not suitable for posting publicly please contact emerging@emergingthreats.net and it can be archived privately, available to any vetted researcher.

UserDocs | AllRulesets | EmergingFAQ | AllProjects

Start Here

Want some guidance on using the Emerging Threats Rulesets for the first time? NewUserGuide

Some tips on writing rules? SnortSigs101?

Tips on what to add to your local ruleset that's not in the main rulesets: WhatEverySnortUserShouldDo?

OpenInfosec

Feature development discussions around the Open Information Security Foundation's new projects! ( http://www.openinfosecfoundation.org )

SidReporter

Try out SidReporter, the newest project at Emerging Threats!! Help improve the accuracy and reliability of the Emerging Threats Rulesets anonymously!

Last 10 Signature Documentation Changes

Results from Main web retrieved at 20:42 (GMT)

2008059
MattJonkman
r3 - 2013-05-08 - 21:52 

##alert tcp $HOME NET any $EXTERNAL NET 443 (msg:`ET DELETED Win32.Inject.ajq Initial Checkin to CnC packet 2 port 443`; flow:established,to server; content:` 07 ...
2015652
TWikiGuest
NEW - 2013-05-03 - 02:17 

##alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET DELETED Blackhole Java applet with obfuscated URL 23 Aug 2012`; flow:established,from server; file ...
2015864
TWikiGuest
NEW - 2013-05-03 - 02:17 

##alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:`ET DELETED Blackhole 2.0 PDF GET request`; flow:established,to server; content:`.php?`; http uri; content ...
2010283
TWikiGuest
NEW - 2013-05-03 - 02:17 

alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:`ET TROJAN Opachki Link Hijacker HTTP Header Injection`; flow:established,to server; content:`.php?l `; fast ...
2010156
TWikiGuest
NEW - 2013-05-03 - 02:17 

alert udp any any $HOME NET 27901 (msg:`ET GAMES Alien Arena 7.30 Remote Code Execution Attempt`; content:`print 0A 5C `; isdataat:257,relative; pcre:`/\x5C ^\x5C ...
2010512
TWikiGuest
NEW - 2013-05-03 - 02:17 

alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:`ET TROJAN FakeAV FakeSmoke HTTP POST check in`; flow:established,to server; content:`POST`; nocase; http ...
2009976
TWikiGuest
NEW - 2013-05-03 - 02:16 

#alert tcp $EXTERNAL NET any $HOME NET 1723 (msg:`ET EXPLOIT Siemens Gigaset SE361 WLAN Data Flood Denial of Service Vulnerability`; flow:to server; content:` 90 ...
2008651
TWikiGuest
NEW - 2013-05-03 - 02:16 

#alert tcp $EXTERNAL NET any $HTTP SERVERS $HTTP PORTS (msg:`ET WEB SPECIFIC APPS JMweb MP3 src Multiple Local File Inclusion`; flow:established,to server; content ...
2007937
TWikiGuest
NEW - 2013-05-03 - 02:16 

alert udp $EXTERNAL NET any $HOME NET 14000 (msg:`ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow`; content:` 44 53 52 65 71 75 65 73 74 `; pcre:`/ 0 9a ...
2008822
TWikiGuest
NEW - 2013-05-03 - 02:16 

alert tcp $EXTERNAL NET any $HTTP SERVERS $HTTP PORTS (msg:`ET WEB SPECIFIC APPS Joomla Pro Desk Component include file Local File Inclusion`; flow:to server,established ...
Number of topics: 10

All additions will be reviewed by the documentation team at Emerging Threats, a volunteer group. Please report any inaccuracies or wikispam to emerging@emergingthreats.net.

To post please register. -- Registration

Follow documentation updates via WebRss or WebAtom

Conventions

All rules are available by accessing the following URL format: http://doc.emergingthreats.net/SID

i.e. http://docs.emergingthreats.net/2003434

As a rule is changed the new revision will automatically be placed above the old rule and old comments with an Auto-Added timestamp. This should allow a conversation to be relevant to the revision of the rule at the time. Please post "Yes, that fixed it" comments if a new revision fixes an older issue.

Within each signature entry there is a form to place a comment, suitable for short entries or questions about a rule. For larger posts or formal documentation please use the edit function and place the information below other content. You can use most html tags, recommend using PRE tags with code or packet text to keep it formatted as intended.

Signature authors are informally responsible for initial documentation where necessary. However ANY user may post information they have to contribute, and please do.

Documentation need not be formal. Links to POC code, vulnerability alerts, even mailing list conversations may be added to the rule's documentation. More information is definitely best. The Emerging Documentation team will review and reformat things as required over time.

See the EmergingFAQ

Navigation

Main Utilities

Edit | Attach | Print version | History: r66 | r64 < r63 < r62 < r61 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r62 - 2011-06-06 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats