Home / Browse / Snort / Mail / Archive

Snort

Email Archive: snort-sigs (read-only)

2000:	_Jan	_Feb	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep	_Oct (13)	_Nov (6)	_Dec (8)
2001:	_Jan (4)	_Feb (1)	_Mar (3)	_Apr (6)	_May (4)	_Jun (7)	_Jul (26)	_Aug (24)	_Sep (45)	_Oct (43)	_Nov (49)	_Dec (32)
2002:	_Jan (165)	_Feb (87)	_Mar (148)	_Apr (131)	_May (87)	_Jun (93)	_Jul (150)	_Aug (119)	_Sep (151)	_Oct (113)	_Nov (148)	_Dec (64)
2003:	_Jan (157)	_Feb (152)	_Mar (177)	_Apr (178)	_May (125)	_Jun (322)	_Jul (237)	_Aug (133)	_Sep (122)	_Oct (146)	_Nov (94)	_Dec (118)
2004:	_Jan (152)	_Feb (138)	_Mar (124)	_Apr (137)	_May (155)	_Jun (219)	_Jul (343)	_Aug (287)	_Sep (166)	_Oct (210)	_Nov (129)	_Dec (153)
2005:	_Jan (123)	_Feb (98)	_Mar (139)	_Apr (83)	_May (108)	_Jun (113)	_Jul (107)	_Aug (72)	_Sep (97)	_Oct (92)	_Nov (80)	_Dec (67)
2006:	_Jan (59)	_Feb (64)	_Mar (50)	_Apr (54)	_May (50)	_Jun (40)	_Jul (58)	_Aug (52)	_Sep (27)	_Oct (48)	_Nov (46)	_Dec (32)
2007:	_Jan (49)	_Feb (50)	_Mar (39)	_Apr (50)	_May (42)	_Jun (62)	_Jul (74)	_Aug (35)	_Sep (40)	_Oct (33)	_Nov (28)	_Dec (47)
2008:	_Jan (42)	_Feb (69)	_Mar (48)	_Apr (54)	_May (13)	_Jun (8)	_Jul (16)	_Aug (13)	_Sep (10)	_Oct (12)	_Nov (12)	_Dec (27)
2009:	_Jan (9)	_Feb (11)	_Mar (7)	_Apr (25)	_May (11)	_Jun (6)	_Jul (45)	_Aug (8)	_Sep (16)	_Oct (9)	_Nov (69)	_Dec (92)
2010:	_Jan (88)	_Feb (67)	_Mar (80)	_Apr (131)	_May (52)	_Jun (56)	_Jul (41)	_Aug (13)	_Sep (22)	_Oct (121)	_Nov (51)	_Dec (97)
2011:	_Jan (28)	_Feb (103)	_Mar (46)	_Apr (31)	_May (25)	_Jun (35)	_Jul (11)	_Aug (47)	_Sep (49)	_Oct (34)	_Nov (32)	_Dec (54)
2012:	_Jan (19)	_Feb (52)	_Mar (84)	_Apr (19)	_May (45)	_Jun (39)	_Jul (26)	_Aug (79)	_Sep (87)	_Oct (59)	_Nov (48)	_Dec (35)
2013:	_Jan (51)	_Feb (28)	_Mar (76)	_Apr (104)	_May (124)	_Jun (35)	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec

[Snort-sigs] Exploit-ByteVerify

From: <Petar.Jurkovic@ht...> - 2004-01-05 13:17

Attachments: Message as HTML

Experimental rule for Exploit-ByteVerify.

=20

winter tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS =
(msg:"Exploit-ByteVerify beyond.class"; content:"|74 74 70 3a 2f 2f 36 =
36 2e 32 33 30 2e 31 33 34 2e 31 35 30|";)

Re: [Snort-sigs] Exploit-ByteVerify

From: Brian <bmc@sn...> - 2004-01-05 13:39

On Mon, Jan 05, 2004 at 02:17:23PM +0100, Petar Jurkovi=C4=87 wrote:
> Experimental rule for Exploit-ByteVerify.
>=20
> =20
>=20
> winter tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Exploit-Byt=
eVerify beyond.class"; content:"|74 74 70 3a 2f 2f 36 36 2e 32 33 30 2e 3=
1 33 34 2e 31 35 30|";)

Uh...  so why not...=20

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content:"ttp\://66.=
230.134.150";)

According to data released by Symantec about this trojan, the trojan
connects to http://www.clavus.net, not an IP address.  While they have been
wrong in the past, but they are usually right on when it comes to
trojans.

-brian