spyware-put.rules
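# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules"). The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved. All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights). In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#----------
# Spyware and Potentially Unwanted Technology
#----------
#
# All rules below are client-side (flow:to_server) and fire on outbound
# traffic from $HOME_NET; they identify spyware/adware "phone home" or
# installer activity by the shape of the HTTP request (URI fragments,
# query parameter names, Host/Referer/User-Agent headers) or, for the one
# SMTP rule, by the X-Mailer header. Every rule carries
# metadata:policy ... drop, so in an inline deployment with that policy
# the matching flow is dropped rather than only logged.

# Shop-at-Home Select installer check-in: a request for GRInstallCL.asp
# carrying the E=, MID=, Refer=, WGR=, Prev= and sGUID= query parameters.
# The uricontent matches are independent (no distance/within), so the
# parameter order is not enforced; there is no Host constraint, so the
# parameter-name set is the only thing keeping this rule specific.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shop at home select installation in progress"; flow:to_server,established; uricontent:"GRInstallCL.asp"; nocase; uricontent:"E="; nocase; uricontent:"MID="; nocase; uricontent:"Refer="; nocase; uricontent:"WGR="; nocase; uricontent:"Prev="; nocase; uricontent:"sGUID="; nocase; metadata:policy security-ips drop; classtype:misc-activity; sid:5810; rev:2;)

# Comet Systems update poll: a .dat or .xml request with v=, t= and c=
# query parameters, sent to Host update.cc.cometsystems.com. The short
# uricontent fragments ("v=", "t=", "c=") are only pre-filters; the two
# pcre options carry the real constraint (URI shape + Host header).
# NOTE(review): the URI pcre originally read `\.(dat)|(xml)\?...`. An
# unparenthesised `|` splits the whole pattern, so the first alternative
# was just `\x2F[^\r\n]*\.(dat)` and matched any URI containing "/...dat"
# without requiring the v=/t=/c= sequence at all. Regrouped as
# `\.(dat|xml)\?` so both extensions require the query string. Bump rev
# when this local edit is adopted.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker comet systems runtime detection - update requests"; flow:to_server,established; uricontent:"v="; nocase; uricontent:"t="; nocase; uricontent:"c="; nocase; content:"Host|3A|"; nocase; content:"update.cc.cometsystems.com"; distance:0; nocase; pcre:"/\x2F[^\r\n]*\.(dat|xml)\?[^\r\n]*v=[^\r\n]*t=[^\r\n]*c=/Ui"; pcre:"/^Host\x3A[^\r\n]*update\.cc\.cometsystems\.com/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=428; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088065; classtype:misc-activity; sid:5831; rev:2;)

# DropSpam third-party data collection: a /d/sr/? request with xargs= and
# yargs= parameters whose Referer header points at
# mysearch.dropspam.com/index.php?tpid=. This is the only rule in the file
# dropped under all three policies (balanced, connectivity, security).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker dropspam runtime detection - third party information collection"; flow:to_server,established; uricontent:"/d/sr/?"; nocase; uricontent:"xargs="; nocase; uricontent:"yargs="; nocase; content:"Referer|3A|"; nocase; content:"mysearch.dropspam.com/index.php?tpid="; distance:0; nocase; pcre:"/^Referer\x3A[^\r\n]*http\x3A\x2F\x2Fmysearch\.dropspam\.com\x2Findex\.php\?tpid=/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5938; rev:3;)

# PC Acme Pro (snoopware) outbound mail: SMTP (port 25) traffic whose
# X-Mailer header reads "mPOP Web-Mail". This rule does not alert itself
# (flowbits:noalert); it only sets the PCAcmePro flowbit on the flow,
# presumably for a companion rule that is not in this file to check —
# confirm that rule exists in the deployed ruleset, otherwise this one is
# inert.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPYWARE-PUT Snoopware pc acme pro runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"mPOP"; distance:0; nocase; content:"Web-Mail"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*mPOP\s+Web-Mail/smi"; flowbits:set,PCAcmePro; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2271; classtype:successful-recon-limited; sid:5873; rev:3;)

# BroadcastURBAN tuner start-up: a /newsurfer4/mainplocal.htm? request
# carrying brand=, ver=, call=, speed=, unlock= and archive=. Alerts are
# rate-limited to one per source per 300 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware broadcasturban tuner runtime detection - start tuner"; flow:to_server,established; uricontent:"/newsurfer4/mainplocal.htm?"; nocase; uricontent:"brand="; nocase; uricontent:"ver="; nocase; uricontent:"call="; nocase; uricontent:"speed="; nocase; uricontent:"unlock="; nocase; uricontent:"archive="; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:misc-activity; sid:5825; rev:2;)

# Smart Finder key update: a /r/keys/keys<digits> request (the pcre
# requires at least one digit after "keys") with a User-Agent of
# "Feat2 Updater". Alerts are rate-limited to one per source per 900 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT hijacker smart finder detection - keys update"; flow:to_server,established; uricontent:"/r/keys/keys"; nocase; content:"User-Agent|3A|"; nocase; content:"Feat2"; distance:0; nocase; content:"Updater"; distance:0; nocase; pcre:"/\x2Fr\x2Fkeys\x2Fkeys\d+/Ui"; pcre:"/^User-Agent\x3A[^\r\n]*Feat2\s+Updater/smi"; threshold:type limit, track by_src, count 1, seconds 900; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2165; classtype:misc-activity; sid:5970; rev:2;)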