r39 - 22 Oct 2007 - 11:34:57 - MattJonkman

Bleeding Edge Threats Rule Documentation Wiki

This wiki contains all current rules, each added as it is put into the main tarball and CVS repository. The rule author, if available, is primarily responsible for the documentation of a rule; however, the entire community is encouraged and welcome to contribute to or document any rule. You may attach pcaps, packet text, and even code samples to any relevant entry. This is particularly useful for future troubleshooting. If possible, please document where the sample was captured. If you have a sample that is not suitable for posting publicly, please contact bleeding@bleedingthreats.net and it can be archived privately, available to any vetted researcher.

AllRulesets

AllProjects

Other major projects documented here: SnortSam, BlackHoleDNS

NewSignatureIdeas: post a signature idea if you have one, or pick one up if you are looking for something to put some time into and learn about.

Last 10 Signature Documentation Changes


Snort.Conf Samples The goal of this project is to make a set of sample snort.conf files. These will represent different size and goal installs of snort. We do not ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING EDGE MALWARE User Agent Containing http\:// Suspicious Likely Spyware/Trojan"; flow:to_server ...
JohnMcCash 10 Jan 2008 I have a question for the BleedingThreats audience at large. I was just reading up a bit on Fast Flux DNS configurations, which are being ...
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING EDGE TROJAN Storm Worm Encrypted Traffic Outbound Likely Search by md5"; dsize:25; threshold ...
My Links .ATasteOfTWiki view a short introductory presentation on TWiki for beginners .WelcomeGuest starting points on TWiki .TWikiUsersGuide ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING EDGE TROJAN Downloader.Affill User Agent Detected (lol)"; flow:established,to_server; content: ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING EDGE TROJAN Win32 ALT C C Initial Infection Checkin"; flow:established,to_server; dsize:18; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING EDGE TROJAN Prg Trojan HTTP POST"; flow:established,to_server; content:"POST "; depth:5; uricontent ...
alert udp $HOME_NET 1024: -> $EXTERNAL_NET 4099 (msg:"BLEEDING EDGE TROJAN Srizbi registering with controller"; dsize:20; content:" 2d "; offset:6; content:" 2d ...

All additions will be reviewed by the documentation team at Bleeding Edge Threats, a volunteer group. Please report any inaccuracies or wikispam to bleeding@bleedingthreats.net.

To post, please register: Registration

Follow documentation updates via WebRss or WebAtom

Conventions

All rules are available by accessing the following URL format: http://doc.bleedingthreats.net/SID

e.g. http://docs.bleedingthreats.net/2003434

When a rule is changed, the new revision is automatically placed above the old rule and its old comments, with an auto-added timestamp. This keeps each conversation tied to the revision of the rule that was current at the time. Please post "Yes, that fixed it" comments if a new revision fixes an older issue.

Within each signature entry there is a form for leaving a comment, suitable for short entries or questions about a rule. For larger posts or formal documentation, please use the edit function and place the information below the other content. You can use most HTML tags; we recommend wrapping code or packet text in PRE tags to keep it formatted as intended.

Signature authors are informally responsible for initial documentation where necessary. However, ANY user may post information they have to contribute, and please do.

Documentation need not be formal. Links to POC code, vulnerability alerts, and even mailing list conversations may be added to a rule's documentation. More information is definitely best. The Bleeding Edge documentation team will review and reformat things as required over time.

See the beginning of a BleedingFAQ

Docs at Bleeding Threats
This site is powered by the TWiki collaboration platform. Copyright © Bleeding Edge Threats.