[Snort-sigs] Bleedingsnort.com Daily Update

Graeme Rider Graeme.Rider at ...2674...
Tue Aug 17 03:57:03 EDT 2004


I don't know if anyone else had the same problem, but when I loaded the
signature for MYDOOM.s the semicolon in the content caused Snort not to
reload...
I did a /usr/local/bin/snort -c snort.conf -o and it complained about the
content not being enclosed in semi-colons...
Maybe it is the way I am doing it... any ideas???
Regards,
Graeme
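The reload failure Graeme describes comes from the unescaped semicolon in content:"LOL!;))))" (sid 2001196 in the quoted update below). Snort splits a rule's option body on every semicolon that is not preceded by a backslash, and it does not treat double quotes as protecting the text between them, so a literal ';' inside a content string has to be written as \; (a literal '"' as \", and a literal '|' as \| because bare pipes delimit hex bytes). The Python script below is an added example, not code from Bleedingsnort or from the Snort project: it reproduces that quote-blind split, lints a rule the way Snort would see it, and re-emits the rule with the escapes in place, so a downloaded feed can be checked before the sensor is restarted. The two sample rules are taken from the update (the MyDoom.S rule joined onto one line, still carrying the bad semicolon, and the sPLT rule with its reference option left out); the keyword sets QUOTED_OPTS and BARE_OPTS are assumptions for Snort 2.x and may need extending.

```python
import re

# Options whose value is a double-quoted string, and options that take no
# value. Both sets are assumptions for Snort 2.x; extend them as needed.
QUOTED_OPTS = {"msg", "content", "uricontent"}
BARE_OPTS = {"nocase", "rawbytes", "fast_pattern"}

RULE_RE = re.compile(r"^(?P<header>[^(]*)\((?P<body>.*)\)\s*$", re.S)
# An escape sequence, a lone backslash, a bare quote, a semicolon, or a run
# of anything else.
TOKEN_RE = re.compile(r'\\.|\\|"|;|[^\\";]+', re.S)
# Optional '!' negation, then "..." with no bare quote or stray backslash.
QUOTED_VALUE = re.compile(r'^!?\s*"(?:[^"\\]|\\.)*"$')


def _split(body, quote_aware):
    """Split an option body on ';'. A backslash escapes the next character.
    quote_aware=False is what Snort does; True keeps a ';' between quotes."""
    opts, cur, in_quote = [], [], False
    for tok in TOKEN_RE.findall(body):
        if tok == '"' and quote_aware:
            in_quote = not in_quote
        if tok == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(tok)
    tail = "".join(cur).strip()
    return opts + [tail] if tail else opts


def lint_rule(rule):
    """Return the complaints Snort's quote-blind splitter would produce;
    an empty list means the quoting of the option body is acceptable."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return ["rule has no (...) option body"]
    problems = []
    for opt in _split(m.group("body"), quote_aware=False):
        name, sep, value = opt.partition(":")
        name = name.strip()
        if sep and name in QUOTED_OPTS and not QUOTED_VALUE.match(value.strip()):
            problems.append(f"{name} value is not enclosed in quotes: {opt!r}")
        elif not sep and name not in BARE_OPTS:
            problems.append(f"unknown keyword {name!r} (fragment of a split string?)")
    return problems


def escape_quoted(inner):
    """Backslash-escape ';' and '"' in an unquoted option value; existing
    escapes and |..| hex blocks are left as they are."""
    return "".join("\\" + t if t in (";", '"') else t for t in TOKEN_RE.findall(inner))


def fix_rule(rule):
    """Re-emit the rule with its quoted option values escaped so that Snort's
    split yields the options the author intended."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("rule has no (...) option body")
    fixed = []
    for opt in _split(m.group("body"), quote_aware=True):
        name, sep, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        quoted = bool(sep) and name in QUOTED_OPTS
        negated = quoted and value.startswith("!")
        if negated:
            value = value[1:].strip()
        if quoted and len(value) >= 2 and value[0] == value[-1] == '"':
            value = '"' + escape_quoted(value[1:-1]) + '"'
            fixed.append(f"{name}:{'!' if negated else ''}{value}")
        else:
            fixed.append(opt)
    return m.group("header") + "(" + " ".join(o + ";" for o in fixed) + ")"


# Samples from the quoted update: the MyDoom.S rule joined onto one line,
# still carrying the unescaped ';', and the sPLT rule minus its reference.
MYDOOM_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM '
    'MyDoom.S Outbound"; content:"LOL!;))))"; nocase; '
    'content:"filename=photos_arc.exe"; nocase; '
    'reference:url,www.f-secure.com/v-descs/mydoom_s.shtml; '
    'reference:url,isc.sans.org/diary.php?date=2004-08-16; sid:2001196; rev:1;)'
)
PNG_SPLT_RULE = (
    'alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible integer '
    'overflow in allocation in png_handle_sPLT"; content:"|89 50 4E 47 0D 0A 1A 0A|"; '
    'offset:0; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; '
    'distance:0; classtype:misc-activity; sid:2001195; rev:1;)'
)

if __name__ == "__main__":
    for rule in (MYDOOM_RULE, PNG_SPLT_RULE):
        print(*lint_rule(rule), fix_rule(rule), sep="\n")
```

Run against the MyDoom.S rule, lint_rule reports two problems (a content value that ends without its closing quote, and the stray fragment ))))" that Snort would take for an unknown keyword), while fix_rule yields content:"LOL!\;))))" and lints clean. The fixer relies on the rule author having quoted the value properly, which is exactly the assumption Snort's own splitter does not make; a rule that already passes lint_rule, such as the sPLT rule, comes back unchanged. Feeding a whole .rules file through it before a reload (snort -c snort.conf -T performs the same parse without starting the sensor) catches this class of error before it takes the sensor down.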

-----Original Message-----
From: matt at ...2436... [mailto:matt at ...2436...]
Sent: Monday, 16 August 2004 11:05 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Bleedingsnort.com Daily Update


Todays changes from Bleedingsnort.com:

[***] Results from Oinkmaster started Mon Aug 16 08:05:20 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding.rules (7):
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Width exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,8,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001191; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Width"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,8,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001193; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible integer overflow in allocation in png_handle_sPLT"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance:0; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001195; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM MyDoom.S Outbound"; content:"LOL!;))))"; nocase; content:"filename=photos_arc.exe"; nocase; reference:url,www.f-secure.com/v-descs/mydoom_s.shtml; reference:url,isc.sans.org/diary.php?date=2004-08-16; sid:2001196; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Height"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,12,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001194; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Height exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,12,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001192; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible NULL-pointer crash in png_handle_iCCP"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,0,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001190; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding.rules (1):
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler"; uricontent:"aim\:goaway?message="; reference:www.idefense.com/application/poi/display?id=121; classtype:misc-activity; sid:2001189; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler"; uricontent:"aim\:goaway?message="; reference:url,www.idefense.com/application/poi/display?id=121; classtype:misc-activity; sid:2001189; rev:3;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (8):
        2001189 || BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler || url,www.idefense.com/application/poi/display?id=121
        2001190 || BLEEDING-EDGE libPNG - Possible NULL-pointer crash in png_handle_iCCP || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001191 || BLEEDING-EDGE libPNG - Width exceeds limit || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001192 || BLEEDING-EDGE libPNG - Height exceeds limit || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001193 || BLEEDING-EDGE libPNG - zero Width || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001194 || BLEEDING-EDGE libPNG - zero Height || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001195 || BLEEDING-EDGE libPNG - Possible integer overflow in allocation in png_handle_sPLT || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001196 || BLEEDING-EDGE WORM MyDoom.S Outbound || url,isc.sans.org/diary.php?date=2004-08-16 || url,www.f-secure.com/v-descs/mydoom_s.shtml

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2001189 || BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler || www.idefense.com/application/poi/display?id=121

[*] Added files: [*]
    None.



_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
