r63 - 17 Nov 2011 - 02:06:29 - PhilSchroeder

Emerging Threats Rule Documentation Wiki

This wiki contains all current rules, added as each is put into the main tarball and CVS repository. The rule author, if available, is primarily responsible for documenting a rule; however, the entire community is encouraged and welcome to contribute to or document any rule. You may attach pcaps, packet text, and even code samples to any relevant entry. This is particularly useful for future troubleshooting. Where possible, please document where the sample was captured. If you have a sample that is not suitable for public posting, please contact emerging@emergingthreats.net and it can be archived privately, available to any vetted researcher.

UserDocs | AllRulesets | EmergingFAQ | AllProjects

Start Here

Want some guidance on using the Emerging Threats Rulesets for the first time? NewUserGuide

Some tips on writing rules? SnortSigs101

Tips on what to add to your local ruleset that is not in the main rulesets: WhatEverySnortUserShouldDo

OpenInfosec

Feature development discussions around the Open Information Security Foundation's new projects! ( http://www.openinfosecfoundation.org )

SidReporter

Try out SidReporter, the newest project at Emerging Threats!! Help improve the accuracy and reliability of the Emerging Threats Rulesets anonymously!

Last 10 Signature Documentation Changes


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joomtouch controller parameter Local File Inclusion Attempt"; flow:established ...
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_obsuggest controller parameter Local File Inclusion Attempt"; flow:established ...
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP Custom Pages url parameter Local File Inclusion Attempt"; flow:established ...
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"ET EXPLOIT VLC web interface buffer overflow attempt"; flow:to_server,established; content:"|2F|requests|2F|status ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Infostealer exe Download"; flow:established,to_server; content:"GET"; nocase; http_method ...
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits ...
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt ...
alert tcp any any -> $HOME_NET 139,445 (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"|4F 00 72 00 69 00 67 ...
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE 404 Response with an EXE Attached Likely Malware Drop"; flow:established,from_server; content ...
alert tcp any any -> $HOME_NET 139,445 (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"|5c 00 74 ...

All additions will be reviewed by the documentation team at Emerging Threats, a volunteer group. Please report any inaccuracies or wikispam to emerging@emergingthreats.net.

To post please register. -- Registration

Follow documentation updates via WebRss or WebAtom

Conventions

All rules are available by accessing the following URL format: http://doc.emergingthreats.net/SID

e.g. http://docs.emergingthreats.net/2003434

When a rule is changed, the new revision is automatically placed above the old rule and its comments, with an auto-added timestamp. This keeps each conversation tied to the revision of the rule that was current at the time. Please post "Yes, that fixed it" comments if a new revision resolves an older issue.

Within each signature entry there is a form for placing a comment, suitable for short entries or questions about a rule. For larger posts or formal documentation, please use the edit function and place the information below the existing content. You can use most HTML tags; wrapping code or packet text in PRE tags is recommended so it stays formatted as intended.

Signature authors are informally responsible for initial documentation where necessary. However ANY user may post information they have to contribute, and please do.

Documentation need not be formal. Links to POC code, vulnerability alerts, even mailing list conversations may be added to the rule's documentation. More information is definitely best. The Emerging Documentation team will review and reformat things as required over time.

See the EmergingFAQ
