[Snort-sigs] Bleedingsnort.com Daily Update

matt at ...2436...
Fri Aug 13 14:01:01 EDT 2004


Today's changes from Bleedingsnort.com:

[***] Results from Oinkmaster started Fri Aug 13 16:00:01 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding.rules (1):
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE P2P Soulseek"; content:"slsknet"; classtype:policy-violation; sid:2001188; rev:2;)

[---]         Removed rules:         [---]

     -> Removed from bleeding.rules (7):
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IE trojan Jelmer shellscript.js"; content:"document.body.insertAdjacentHTML"; content:"<script"; content:"ActiveXObject"; content:"Shell.Application"; content:"ShellExecute"; content:"cmd.exe"; content:"document.write"; content:"<iframe"; content:"shell\:"; content:"setTimeout";  reference:url, http.vdb.dragonsoft.com.tw/exploit/Application.Shell_Exploit.html; classtype:misc-activity; sid:2001073; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IE trojan Scob shellscript_loader.js"; pcre:"/function[\s]+([\w]+)\([\s]*\)[^\{]+\{[^\}]+\}[^\1]+(?<=setTimeout)/i"; reference:url, http.www.securityfocus.com/archive/1/367466/2004-06-26/2004-07-02/0; classtype:misc-activity; sid:2001071; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IE trojan Scob md.htm"; content:"<SCRIPT"; pcre:"/window\.returnValue[\s]*=[\s]*window\.dialogArguments/Ri"; content:"function"; pcre:"/try[\s]*\{/Ri"; content:"window.dialogArguments.location.href"; content:"catch"; content:"window.close"; content:"setTimeout"; nocase; reference:url, http.www.securityfocus.com/archive/1/367466/2004-06-26/2004-07-02/0; classtype:misc-activity; sid:2001068; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IE trojan Scob new.htm"; content:"<script"; content:"function"; content:"showModalDialog"; content:"location"; content:"setTimeout"; content:"execScript"; content:"setTimeout"; content:"execScript"; nocase; pcre:"/=[\s]*['"]([\d]+[^0-9]){20}/Ri"; reference:url, http.www.securityfocus.com/archive/1/367466/2004-06-26/2004-07-02/0; classtype:misc-activity; sid:2001069; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IE trojan Jelmer shellscript_loader.js"; content:"function"; content:"document.write"; content:"<SCRIPT"; content:"SRC"; content:"<\\/SCRIPT>"; content:"document.write"; content:"<IFRAME"; content:"ID"; content:"</IFRAME>"; content:"setTimeout"; reference:url, http.vdb.dragonsoft.com.tw/exploit/Application.Shell_Exploit.html; classtype:misc-activity; sid:2001072; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IE trojan Scob shellscript.js"; pcre:"/var[\s]+[\d\w]+[\s]*=[\s]*unescape[\s]*\([\s]*["']%[\da-fA-F]/i"; pcre:"/new[\s]+ActiveXObject/Ri"; pcre:"/\.Open[\s]*\([\s]*/Ri"; pcre:"/\.Send[\s]*\([\s]*/Ri"; pcre:"/\.Mode[\s]*=/Ri"; pcre:"/\.Open[\s]*\(/Ri"; pcre:"/\.Write[\s]*\(/Ri"; pcre:"/\.SaveToFile[\s]*\(/Ri"; reference:url, http.www.securityfocus.com/archive/1/367466/2004-06-26/2004-07-02/0; classtype:misc-activity; sid:2001070; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IE trojan Jelmer installer.htm"; content:"<script"; content:"showModalDialog"; content:"execScript"; nocase; pcre:"/function[\s]+([\w]+)\([^\)]*\)[^\1]+setTimeout[\s]*\([\s]*['"][\w]+\.execScript/i"; reference:url, http.www.securityfocus.com/archive/1/367466/2004-06-26/2004-07-02/0; classtype:trojan-activity; sid:2001067; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (2):
        2001186 || BLEEDING-EDGE P2P Soulseek traffic
        2001188 || BLEEDING-EDGE P2P Soulseek

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2001186 || BLEEDING-EDGE P2P Soulseek

[*] Added files: [*]
    None.