[Snort-sigs] Bleedingsnort.com Daily Update

matt at ...2436...
Mon Aug 16 06:06:06 EDT 2004


Today's changes from Bleedingsnort.com:

[***] Results from Oinkmaster started Mon Aug 16 08:05:20 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding.rules (7):
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Width exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,8,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001191; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Width"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,8,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001193; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible integer overflow in allocation in png_handle_sPLT"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance:0;reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001195; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM MyDoom.S Outbound"; content:"LOL!;))))"; nocase; content:"filename=photos_arc.exe"; nocase; reference:url,www.f-secure.com/v-descs/mydoom_s.shtml; reference:url,isc.sans.org/diary.php?date=2004-08-16; sid:2001196; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Height"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,12,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001194; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Height exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,12,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001192; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible NULL-pointer crash in png_handle_iCCP"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,0,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001190; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding.rules (1):
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler"; uricontent:"aim\:goaway?message="; reference:www.idefense.com/application/poi/display?id=121; classtype:misc-activity; sid:2001189; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler"; uricontent:"aim\:goaway?message="; reference:url,www.idefense.com/application/poi/display?id=121; classtype:misc-activity; sid:2001189; rev:3;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (8):
        2001189 || BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler || url,www.idefense.com/application/poi/display?id=121
        2001190 || BLEEDING-EDGE libPNG - Possible NULL-pointer crash in png_handle_iCCP || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001191 || BLEEDING-EDGE libPNG - Width exceeds limit || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001192 || BLEEDING-EDGE libPNG - Height exceeds limit || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001193 || BLEEDING-EDGE libPNG - zero Width || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001194 || BLEEDING-EDGE libPNG - zero Height || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001195 || BLEEDING-EDGE libPNG - Possible integer overflow in allocation in png_handle_sPLT || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001196 || BLEEDING-EDGE WORM MyDoom.S Outbound || url,isc.sans.org/diary.php?date=2004-08-16 || url,www.f-secure.com/v-descs/mydoom_s.shtml

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2001189 || BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler || www.idefense.com/application/poi/display?id=121

[*] Added files: [*]
    None.