
Snort Rules for Detecting Dasher, sdbot, and bad netblocks

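# Dasher variant phoning home over IRC (sid 66600001, rev 2).
# Matches outbound traffic to TCP/6667 carrying the string "rain357", which is
# presumably the IRC nick/channel/key the sample uses -- confirm against the
# sample before relying on it, since a 7-byte case-insensitive match on a busy
# IRC link is prone to false positives.
# flow:to_server,established restricts the match to client->server payload in
# an established session; the original fired on any packet in that direction.
# The check is port-based: an IRC C2 on a non-standard port is not caught here.
# classtype added so the alert gets a priority; rev bumped because the rule changed.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"[OFFENSIVE COMPUTING]Dasher variant phoning home to IRC server"; flow:to_server,established; content:"rain357"; nocase; classtype:trojan-activity; sid:66600001; rev:2;)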

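# Dasher variant SYN scanning outbound from the local net (sid 66600002, rev 2).
# Matches SYN packets leaving $HOME_NET from source port 5262, the source port
# the rule author associates with the sample's scanner.
# flags:S,12 instead of flags:S: a bare "S" requires that no other flag bit be
# set, so SYNs from ECN-enabled hosts (CWR/ECE set) would be missed; ",12"
# masks those two reserved bits out of the comparison.
# No flow:established here -- a bare SYN is by definition not part of an
# established session.
# The rule is per-packet, so a scan produces one alert per probe; add a
# threshold (e.g. threshold:type limit, track by_src, count 1, seconds 60;)
# if the alert volume overwhelms the sensor. rev bumped because the rule changed.
alert tcp $HOME_NET 5262 -> $EXTERNAL_NET any (msg:"[OFFENSIVE COMPUTING]Dasher Variant SYN scanning home"; flags:S,12; classtype:trojan-activity; sid:66600002; rev:2;)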

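# HTTP connection to the host serving the WMF exploit (sid 66600003, rev 2).
# Fires on any established client->server packet from $HOME_NET to the listed
# IP on TCP/80. There is no content check, so this is a pure address-based
# indicator; sid 66600004 narrows the same destination to the sdbot05b.jpg
# download and is the higher-confidence signal of the two.
# flow:to_server,established keeps the rule from alerting on the handshake itself.
# A single IP is a point-in-time indicator: verify it is still hosting
# malicious content before deploying, and retire the rule when it is not.
# Port 80 only -- a redirect to another port or to HTTPS is not covered.
# rev bumped because the rule changed.
alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider for WMF exploit"; flow:to_server,established; classtype:trojan-activity; sid:66600003; rev:2;)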

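# Download of sdbot05b.jpg from the WMF exploit host (sid 66600004, rev 2).
# Same destination as sid 66600003, narrowed to requests whose payload
# contains "sdbot05b.jpg" (the file name the exploit page points to, per the
# rule author). Both rules fire on the same session; treat this one as the
# higher-confidence alert when triaging.
# flow:to_server,established: the file name is in the client's request, so only
# client->server payload in an established session needs inspecting.
# This is a raw, case-insensitive payload search rather than an http_uri match,
# so it does not depend on http_inspect being enabled for this host, at the cost
# of also matching the string anywhere else in the request.
# rev bumped because the rule changed.
alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider downloading sdbot05b.jpg for WMF exploit"; flow:to_server,established; content:"sdbot05b.jpg"; nocase; classtype:trojan-activity; sid:66600004; rev:2;)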

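# Traffic to netblocks associated with the WMF exploit (sid 66600005, rev 2).
# Fixes: the option keyword was misspelled "refrence", which makes Snort reject
# the whole rule at load time (so the original never alerted); and reference:url
# takes the location without the scheme (Snort prepends http:// from
# reference.config), so the original would also have produced a malformed link.
# Matches any TCP packet from $HOME_NET to either netblock on any port. It is
# TCP-only; widen the protocol to "ip" if UDP/ICMP to these ranges should alert
# as well. Netblock indicators age quickly -- re-check the referenced ISC diary
# and the current ownership of the ranges before deploying, and expect a noisy
# rule if anything legitimate is hosted there.
# rev bumped because the rule changed.
alert tcp $HOME_NET any -> [69.50.160.0/19,85.255.112.0/20] any (msg:"[OFFENSIVE COMPUTING] Traffic to naughty netblocks - WMF"; reference:url,isc.sans.org/diary.php?storyid=997; classtype:trojan-activity; sid:66600005; rev:2;)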