[Snort-sigs] Bleedingsnort.com Daily Update

matt at ...2436...
Thu Aug 19 18:01:12 EDT 2004


Today's changes from Bleedingsnort.com:

[***] Results from Oinkmaster started Thu Aug 19 20:00:01 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Twaintec Reporting Data"; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; uricontent:"/downloads/record_download.asp"; nocase; classtype:trojan-activity; sid:2001216; rev:1;)

     -> Added to bleeding.rules (3):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Adobe Acrobat Reader Malicious URL Null Byte"; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; flow:to_server,established; uricontent:".pdf|00|"; nocase; classtype:attempted-admin; sid:2001217; rev:4;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE PHPNukegeneral XSS attemp"; content:"/modules.php?"; content:"name="; uricontent:"SCRIPT"; nocase; pcre:"/<\s*SCRIPT\s*>/iU"; reference: url,www.waraxe.us/?modname=sa&id=030; classtype:web-application-attack; sid:2001218; rev:1;)
        alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE RXBOT / RBOT Exploit Report"; content:"|5D 3A 20|Exploiting|20|IP|3A 20|"; nocase; classtype:trojan-activity;  reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; sid:2002004; rev: 1;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-malware.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Twaintec Reporting Data"; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; uricontent:"/downloads/record_download.asp"; nocase; classtype:trojan-activity; sid:2002000; rev:1;)

     -> Removed from bleeding.rules (2):
        alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE RXBOT / RBOT Exploit Report"; content:"|5D 3A 20|Exploiting|20|IP|3A 20|"; nocase; classtype:trojan-activity;  reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; sid:2001183; rev: 1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Adobe Acrobat Reader Malicious URL Null Byte"; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; pcre:"/[\w]+\.pdf%00[\w-_\.!~*'"\(\)]+HTTP\/1\.1/Bi"; classtype:attempted-admin; sid:2002001; rev:3;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (4):
        2001216 || BLEEDING-EDGE Malware Twaintec Reporting Data || url,www.pestpatrol.com/PestInfo/t/twain-tech.asp
        2001217 || BLEEDING-EDGE Adobe Acrobat Reader Malicious URL Null Byte || cve,2004-0629 || url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html || url,idefense.com/application/poi/display?id=126&type=vulnerabilities
        2001218 || BLEEDING-EDGE PHPNukegeneral XSS attemp || url,www.waraxe.us/?modname=sa&id=030
        2002004 || BLEEDING-EDGE RXBOT / RBOT Exploit Report || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL || url,www.nitroguard.com/rxbot.html

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (2):
        2002000 || BLEEDING-EDGE Malware Twaintec Reporting Data || url,www.pestpatrol.com/PestInfo/t/twain-tech.asp
        2002001 || BLEEDING-EDGE Adobe Acrobat Reader Malicious URL Null Byte || url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html || url,idefense.com/application/poi/display?id=126&type=vulnerabilities

[*] Added files: [*]
    None.
