[Snort-sigs] Bleedingsnort.com Daily Update

matt at ...2436...
Wed Aug 18 18:01:02 EDT 2004


Today's changes from Bleedingsnort.com:

[***] Results from Oinkmaster started Wed Aug 18 20:00:01 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (3):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Twaintec Reporting Data"; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; uricontent:"/downloads/record_download.asp"; nocase; classtype:trojan-activity; sid:2002000; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Twaintec Download Attempt"; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; uricontent:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; classtype:trojan-activity; sid:2001198; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Twaintec Ad Retrieval"; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; uricontent:"/twain/servlet/Twain?adcontext="; nocase; classtype:trojan-activity; sid:2001199; rev:1;)

     -> Added to bleeding.rules (16):
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Mozilla Cookie theft"; reference:url,www.securiteam.com/securitynews/5GP0T0U60M.html; pcre:"/http\://[\w]+(\.[\w]+){1,2}%00(([\d]+\.*){4}|[\d]+|[\w]+(\.[\w]+){1,2})/i"; classtype:misc-activity; sid:2001207; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE Serv-U MDTM Command Buffer Overflow Vulnerability"; pcre:"/MDTM[\s]+[\d]+[\s\S]*[\w]{45}/Bi"; reference:url,www.securiteam.com/windowsntfocus/5HP010ACAS.html; classtype:misc-activity; sid:2001214; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE libPNG - Remotely exploitable stack-based buffer overrun in png_handle_tRNS"; pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S]){17}\x03/Ri"; content:"tRNS"; byte_jump:4, -8, relative, big; pcre:"/([\s\S]){8}/R"; pcre:"/([a-zA-Z]){2}[A-Z][a-zA-Z]/R"; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001203; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE Serv-U FTP Server Long Filename Stack Overflow Vulnerability"; pcre:"/chmod[\s]+([\d]{1,4})*[\s]*[\w\.\/]{250}/Bi"; reference:url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html; classtype:misc-activity; sid:2001215; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Adobe Acrobat Reader Malicious URL Null Byte"; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; pcre:"/[\w]+\.pdf%00[\w-_\.!~*'"\(\)]+HTTP\/1\.1/Bi"; classtype:attempted-admin; sid:2002001; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE Serv-U FTP directory traversal vulnerability"; pcre:"/\\[\.]+%20/Bi"; reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:misc-activity; sid:2001211; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Mozilla Firefox Certificate Spoofing"; pcre:"/META[\s]+HTTP-EQUIV[\s]*=[\s]*['"]*REFRESH['"]*[\s]+CONTENT[\s]*=[\s]*['"]*[\d]+[\s]*\;[\s]*URL[\s]*=[\s]*http[\s\S]+onunload[\s]*=[\s]*['"]+[\s\S]+document\.write[\s\S]+window\.location\.reload/i"; reference:url,www.securiteam.com/securitynews/5EP0L1PDFG.html;classtype:misc-activity; sid:2001206; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Memory Corruption Bug"; pcre:"/<STYLE>[\s\S]*@\;\/*/i"; reference:url,www.securiteam.com/windowsntfocus/5XP051FDFM.html; classtype:misc-activity; sid:2001205; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE Serv-U Local Privilege Escalation Vulnerability"; content:"site exec"; nocase; rawbytes; reference:url,www.securiteam.com/windowsntfocus/5YP0F1FDPO.html; classtype:misc-activity; sid:2001210; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Unchecked Buffer in mstask.dll"; pcre:"/iframe[\s\S]+src[\s]*=[\s\S]+\.job/i"; reference:url,www.securiteam.com/windowsntfocus/5GP0B2ADFQ.html; classtype:misc-activity; sid:2001204; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE Serv-U LIST -l Parameter Buffer Overflow"; content:"LIST -l\:"; nocase; isdataat:134,relative;reference:url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html; classtype:misc-activity; sid:2001213; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE PHPNuke SQL injection attemp"; content:"/modules.php?"; content:"name=Search"; content:"instory="; reference:url,www.waraxe.us/index.php?modname=sa&id=35; classtype:web-application-attack; sid:2001197; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE Serv-U FTP directory traversal vulnerability"; pcre:"/%20[\.]+\//Bi"; reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:misc-activity; sid:2001212; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Reading Local Files in Netscape 6 and Mozilla"; pcre:"/([\w]+)[\s]*=[\s]*new[\s]+XMLHttpRequest[\s\S]+\1\.open[\s]*\([\s]*['"]GET['"][\s]*,/i"; reference:url,www.securiteam.com/securitynews/5JP000A76K.html; classtype:misc-activity; sid:2001208; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE PHPNuke general SQL injection attempt"; content:"/modules.php?"; content:"name="; content:"UNION"; nocase; content:"SELECT"; nocase; reference: url,www.waraxe.us/?modname=sa&id=030; reference: url,www.waraxe.us/?modname=sa&id=036; classtype:web-application-attack ;sid:2001202; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Mozilla FTP View Cross-Site Scripting Vulnerability"; content:"ftp\://"; nocase; content:"<TITLE"; content:"<SCRIPT"; content:"</TITLE"; reference:url,www.securiteam.com/windowsntfocus/5MP0I0080A.html;classtype:misc-activity; sid:2001209; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding.rules (4):
        old: alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Width exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,8,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001191; rev:1;)
        new: alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Width exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001191; rev:1;)
        old: alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible integer overflow in allocation in png_handle_sPLT"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance:0;reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001195; rev:1;)
        new: alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible integer overflow in allocation in png_handle_sPLT"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance:0;reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001195; rev:1;)
        old: alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Height exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,12,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001192; rev:1;)
        new: alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Height exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001192; rev:1;)
        old: alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible NULL-pointer crash in png_handle_iCCP"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,0,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001190; rev:1;)
        new: alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible NULL-pointer crash in png_handle_iCCP"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,0,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001190; rev:1;)

[///]    Modified inactive rules:    [///]

     -> Modified inactive in bleeding.rules (2):
        old: #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Width"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,8,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001193; rev:1;)
        new: #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Width"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001193; rev:1;)
        old: #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Height"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,12,relative,big,string,hex; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001194; rev:1;)
        new: #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Height"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001194; rev:1;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-malware.rules (3):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Twaintec Ad Retrieval"; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; uricontent:"/twain/servlet/Twain?adcontext="; nocase; classtype:trojan-activity; sid:3000592; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Twaintec Download Attempt"; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; uricontent:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; classtype:trojan-activity; sid:3000578; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Twaintec Reporting Data"; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; uricontent:"/downloads/record_download.asp"; nocase; classtype:trojan-activity; sid:3001034; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (23):
        2001190 || BLEEDING-EDGE libPNG - Possible NULL-pointer crash in png_handle_iCCP || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001191 || BLEEDING-EDGE libPNG - Width exceeds limit || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001192 || BLEEDING-EDGE libPNG - Height exceeds limit || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001195 || BLEEDING-EDGE libPNG - Possible integer overflow in allocation in png_handle_sPLT || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001197 || BLEEDING-EDGE PHPNuke SQL injection attemp || url,www.waraxe.us/index.php?modname=sa&id=35
        2001198 || BLEEDING-EDGE Malware Twaintec Download Attempt || url,www.pestpatrol.com/PestInfo/t/twain-tech.asp
        2001199 || BLEEDING-EDGE Malware Twaintec Ad Retrieval || url,www.pestpatrol.com/PestInfo/t/twain-tech.asp
        2001202 || BLEEDING-EDGE PHPNuke general SQL injection attempt || url,www.waraxe.us/?modname=sa&id=036 || url,www.waraxe.us/?modname=sa&id=030
        2001203 || BLEEDING-EDGE libPNG - Remotely exploitable stack-based buffer overrun in png_handle_tRNS || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001204 || BLEEDING-EDGE Unchecked Buffer in mstask.dll || url,www.securiteam.com/windowsntfocus/5GP0B2ADFQ.html
        2001205 || BLEEDING-EDGE Internet Explorer Memory Corruption Bug || url,www.securiteam.com/windowsntfocus/5XP051FDFM.html
        2001206 || BLEEDING-EDGE Mozilla Firefox Certificate Spoofing || url,www.securiteam.com/securitynews/5EP0L1PDFG.html
        2001207 || BLEEDING-EDGE Mozilla Cookie theft || url,www.securiteam.com/securitynews/5GP0T0U60M.html
        2001208 || BLEEDING-EDGE Reading Local Files in Netscape 6 and Mozilla || url,www.securiteam.com/securitynews/5JP000A76K.html
        2001209 || BLEEDING-EDGE Mozilla FTP View Cross-Site Scripting Vulnerability || url,www.securiteam.com/windowsntfocus/5MP0I0080A.html
        2001210 || BLEEDING-EDGE Serv-U Local Privilege Escalation Vulnerability || url,www.securiteam.com/windowsntfocus/5YP0F1FDPO.html
        2001211 || BLEEDING-EDGE Serv-U FTP directory traversal vulnerability || url,www.securiteam.com/windowsntfocus/6C0041F0KO.html
        2001212 || BLEEDING-EDGE Serv-U FTP directory traversal vulnerability || url,www.securiteam.com/windowsntfocus/6C0041F0KO.html
        2001213 || BLEEDING-EDGE Serv-U LIST -l Parameter Buffer Overflow || url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html
        2001214 || BLEEDING-EDGE Serv-U MDTM Command Buffer Overflow Vulnerability || url,www.securiteam.com/windowsntfocus/5HP010ACAS.html
        2001215 || BLEEDING-EDGE Serv-U FTP Server Long Filename Stack Overflow Vulnerability || url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html
        2002000 || BLEEDING-EDGE Malware Twaintec Reporting Data || url,www.pestpatrol.com/PestInfo/t/twain-tech.asp
        2002001 || BLEEDING-EDGE Adobe Acrobat Reader Malicious URL Null Byte || url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html || url,idefense.com/application/poi/display?id=126&type=vulnerabilities

     -> Added to bleeding.rules (1):
        #Submitted by Federico Petronio

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (7):
        2001190 || BLEEDING-EDGE libPNG - Possible NULL-pointer crash in png_handle_iCCP || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001191 || BLEEDING-EDGE libPNG - Width exceeds limit || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001192 || BLEEDING-EDGE libPNG - Height exceeds limit || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001195 || BLEEDING-EDGE libPNG - Possible integer overflow in allocation in png_handle_sPLT || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        3000578 || BLEEDING-EDGE Malware Twaintec Download Attempt || url,www.pestpatrol.com/PestInfo/t/twain-tech.asp
        3000592 || BLEEDING-EDGE Malware Twaintec Ad Retrieval || url,www.pestpatrol.com/PestInfo/t/twain-tech.asp
        3001034 || BLEEDING-EDGE Malware Twaintec Reporting Data || url,www.pestpatrol.com/PestInfo/t/twain-tech.asp

[*] Added files: [*]
    None.





More information about the Snort-sigs mailing list