[Snort-sigs] Bleedingsnort.com Daily Update

matt at ...2436... matt at ...2436...
Wed Aug 18 01:06:08 EDT 2004


Today's changes from Bleedingsnort.com:

[***] Results from Oinkmaster started Tue Aug 17 20:00:01 2004 [***]

[///]     Modified active rules:     [///]

     -> Modified active in bleeding.rules (8):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Nick change on non-std port"; content:"NICK "; offset:0; depth:5; nocase; dsize:<64; flow:to_server,established; tag:session,3600,seconds; classtype:trojan-activity; sid:2000345; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Nick change on non-std port"; content:"NICK "; offset:0; depth:5; nocase; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000345; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - Channel JOIN on non-std port"; content:"JOIN "; offset:0; depth:5; nocase; pcre:"/&|#|\+|!/R"; dsize:<64; flow:to_server,established; tag:session,3600,seconds; classtype:trojan-activity; sid:2000348; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Channel JOIN on non-std port"; content:"JOIN "; offset:0; depth:5; nocase; pcre:"/&|#|\+|!/R"; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000348; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC -  DCC chat request on non-std port"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC CHAT chat"; nocase; tag:session,3600,seconds; classtype:policy-violation; sid:2000350; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC -  DCC chat request on non-std port"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC CHAT chat"; nocase; tag:session,300,seconds; classtype:policy-violation; sid:2000350; rev:3;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Name response on non-std port"; content:"\:"; offset:0; depth:1; content:" 302 "; content:"=+"; content:"@"; dsize:<128; flow:to_client,established; tag:session,3600,seconds; classtype:trojan-activity; sid:2000346; rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Name response on non-std port"; content:"\:"; offset:0; depth:1; content:" 302 "; content:"=+"; content:"@"; dsize:<128; flow:to_client,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000346; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - DCC file transfer request on non-std port"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC SEND"; nocase; tag:session,3600,seconds; classtype:policy-violation; sid:2000349; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - DCC file transfer request on non-std port"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC SEND"; nocase; tag:session,300,seconds; classtype:policy-violation; sid:2000349; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - channel join on non-std port"; flow:to_server,established; content:"JOIN \: \#"; nocase; offset:0; depth:8; tag:session,3600,seconds; classtype:policy-violation; sid:2000351; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - channel join on non-std port"; flow:to_server,established; content:"JOIN \: \#"; nocase; offset:0; depth:8; tag:session,300,seconds; classtype:policy-violation; sid:2000351; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - Private message on non-std port"; content:"PRIVMSG "; nocase; offset:0; depth:8; dsize:<128; flow:to_server,established; tag:session,3600,seconds; classtype:trojan-activity; sid:2000347; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Private message on non-std port"; content:"PRIVMSG "; nocase; offset:0; depth:8; dsize:<128; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000347; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC - dns request on non-std port"; flow:to_server,established; content:"USERHOST "; nocase; offset:0; depth:9; tag:session,3600,seconds; classtype:policy-violation; sid:2000352; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - dns request on non-std port"; flow:to_server,established; content:"USERHOST "; nocase; offset:0; depth:9; tag:session,300,seconds; classtype:policy-violation; sid:2000352; rev:3;)

[---]         Disabled rules:        [---]

     -> Disabled in bleeding.rules (2):
        #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Width"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,8,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001193; rev:1;)
        #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Height"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,12,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001194; rev:1;)

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (2):
        2001193 || BLEEDING-EDGE libPNG - zero Width || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001194 || BLEEDING-EDGE libPNG - zero Height || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html

[*] Added files: [*]
    None.
