[Snort-sigs] Bleedingsnort.com Daily Update

matt at ...2436...
Tue Aug 24 18:03:35 EDT 2004


Today's changes from Bleedingsnort.com:

[***] Results from Oinkmaster started Tue Aug 24 20:00:01 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (4):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware F1Organizer Config Download"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/F1/Cmd4F1"; nocase; sid:2001221; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Regnow.com Access"; reference:url,www.regnow.com; classtype:trojan-activity; uricontent:"/softsell/visitor.cgi?affiliate="; nocase; sid:2001223; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Regnow.com Gamehouse.com Access"; reference:url,www.gamehouse.com; classtype:trojan-activity; uricontent:"/affiliates/template.jsp?AID="; nocase; sid:2001224; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Default-homepage-network.com Access"; reference:url,default-homepage-network.com/start.cgi?new-hkcu; classtype:trojan-activity; uricontent:"/start.cgi?new-hkcu"; nocase; sid:2001222; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (2):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MAlware F1Organizer Reporting"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/f1/audit/"; nocase; sid:2000582; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware F1Organizer Reporting"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/f1/audit/"; nocase; sid:2000582; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MAlware F1Organizer Install Attempt"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/f1/objects/ezbdlLs.dll"; nocase; sid:2000585; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware F1Organizer Install Attempt"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/f1/objects/"; nocase; sid:2000585; rev:2;)

     -> Modified active in bleeding.rules (12):
        old: alert udp $EXTERNAL_NET any ->  $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access COM1"; content:"\/"; content:"COM1"; content:"\/"; nocase; classtype:string-detect; sid:2000499; rev:1;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access COM1"; content:"\/"; content:"COM1"; content:"\/"; nocase; classtype:string-detect; sid:2000499; rev:1;)
        old: alert udp $EXTERNAL_NET any ->  $HOME_NET 21 (msg:"BLEEDING-EDGE FTP hidden directory access"; content:"\/"; content:" "; content:"\/"; classtype:string-detect; sid:2000497; rev:1;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP hidden directory access"; content:"\/"; content:" "; content:"\/"; classtype:string-detect; sid:2000497; rev:1;)
        old: alert udp $EXTERNAL_NET any ->  $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access LPT1"; content:"\/"; content:"LPT1"; content:"\/"; nocase; classtype:string-detect; sid:2000503; rev:1;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access LPT1"; content:"\/"; content:"LPT1"; content:"\/"; nocase; classtype:string-detect; sid:2000503; rev:1;)
        old: alert udp $EXTERNAL_NET any ->  $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access LPT2"; content:"\/"; content:"LPT2"; content:"\/"; nocase; classtype:string-detect; sid:2000504; rev:1;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access LPT2"; content:"\/"; content:"LPT2"; content:"\/"; nocase; classtype:string-detect; sid:2000504; rev:1;)
        old: alert udp $EXTERNAL_NET any ->  $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access NULL"; content:"\/"; content:"NULL"; content:"\/"; nocase; classtype:string-detect; sid:2000508; rev:1;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access NULL"; content:"\/"; content:"NULL"; content:"\/"; nocase; classtype:string-detect; sid:2000508; rev:1;)
        old: alert udp $EXTERNAL_NET any ->  $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access AUX"; content:"\/"; content:"AUX"; content:"\/"; nocase; classtype:string-detect; sid:2000507; rev:1;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access AUX"; content:"\/"; content:"AUX"; content:"\/"; nocase; classtype:string-detect; sid:2000507; rev:1;)
        old: alert udp $EXTERNAL_NET any ->  $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access COM3"; content:"\/"; content:"COM3"; content:"\/"; nocase; classtype:string-detect; sid:2000501; rev:1;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access COM3"; content:"\/"; content:"COM3"; content:"\/"; nocase; classtype:string-detect; sid:2000501; rev:1;)
        old: alert udp $EXTERNAL_NET any ->  $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access LPT3"; content:"\/"; content:"LPT3"; content:"\/"; nocase; classtype:string-detect; sid:2000505; rev:1;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access LPT3"; content:"\/"; content:"LPT3"; content:"\/"; nocase; classtype:string-detect; sid:2000505; rev:1;)
        old: alert udp $EXTERNAL_NET any ->  $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access LPT4"; content:"\/"; content:"LPT4"; content:"\/"; nocase; classtype:string-detect; sid:2000506; rev:1;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access LPT4"; content:"\/"; content:"LPT4"; content:"\/"; nocase; classtype:string-detect; sid:2000506; rev:1;)
        old: alert udp $EXTERNAL_NET any ->  $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access COM4"; content:"\/"; content:"COM4"; content:"\/"; nocase; classtype:string-detect; sid:2000502; rev:2;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access COM4"; content:"\/"; content:"COM4"; content:"\/"; nocase; classtype:string-detect; sid:2000502; rev:2;)
        old: alert udp $EXTERNAL_NET any ->  $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access COM2"; content:"\/"; content:"COM2"; content:"\/"; nocase; classtype:string-detect; sid:2000500; rev:1;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access COM2"; content:"\/"; content:"COM2"; content:"\/"; nocase; classtype:string-detect; sid:2000500; rev:1;)
        old: alert udp $EXTERNAL_NET any ->  $HOME_NET 21 (msg:"BLEEDING-EDGE FTP hidden directory access 2"; content:"\/"; content:"."; content:"\/"; classtype:string-detect; sid:2000498; rev:1;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP hidden directory access 2"; content:"\/"; content:"."; content:"\/"; classtype:string-detect; sid:2000498; rev:1;)

[---]         Disabled rules:        [---]

     -> Disabled in bleeding.rules (1):
        #alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel Attempt"; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:80"; distance:-11; within:4; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:443"; distance:-12; within:5; flow:to_server,established; sid:2000560; rev:4; )

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (6):
        2000582 || BLEEDING-EDGE Malware F1Organizer Reporting || url,www.f1organizer.com
        2000585 || BLEEDING-EDGE Malware F1Organizer Install Attempt || url,www.f1organizer.com
        2001221 || BLEEDING-EDGE Malware F1Organizer Config Download || url,www.f1organizer.com
        2001222 || BLEEDING-EDGE Default-homepage-network.com Access || url,default-homepage-network.com/start.cgi?new-hkcu
        2001223 || BLEEDING-EDGE Regnow.com Access || url,www.regnow.com
        2001224 || BLEEDING-EDGE Regnow.com Gamehouse.com Access || url,www.gamehouse.com

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (3):
        2000560 || BLEEDING-EDGE HTTP CONNECT Tunnel Attempt
        2000582 || BLEEDING-EDGE MAlware F1Organizer Reporting || url,www.f1organizer.com
        2000585 || BLEEDING-EDGE MAlware F1Organizer Install Attempt || url,www.f1organizer.com

[*] Added files: [*]
    None.
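The substantive change in this update is not the whitespace churn in bleeding.rules but the widening of sid 2000585 from `uricontent:"/f1/objects/ezbdlLs.dll"` (rev:1) to `uricontent:"/f1/objects/"` (rev:2), plus four new `uricontent`/`nocase` rules and the sid-msg.map lines that follow from them. The script below is an added worked example, not part of this post and not Bleedingsnort's or Oinkmaster's own tooling: it parses the HTTP rules quoted above, checks which of them fire on a handful of constructed request URIs, and regenerates the bleeding-sid-msg.map entries in the `sid || msg || ref` form shown in the "Added non-rule lines" section. It assumes Snort 2.x semantics for `uricontent` (plain substring match on the normalised URI, all content checks ANDed) and treats `nocase` as modifying the immediately preceding `uricontent`; the sample URIs are made up for the demonstration.

```python
"""Parse the BLEEDING-EDGE HTTP rules from this update, test them against
constructed request URIs, and regenerate the bleeding-sid-msg.map entries.
Added example; not code from the original post or the Bleedingsnort project."""
import re
from dataclasses import dataclass, field

# Rule text copied from the update above. Both the rev:1 and the rev:2 form of
# sid 2000585 are kept so the widened uricontent can be compared side by side.
RULE_TEXT = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware F1Organizer Config Download"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/F1/Cmd4F1"; nocase; sid:2001221; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Regnow.com Access"; reference:url,www.regnow.com; classtype:trojan-activity; uricontent:"/softsell/visitor.cgi?affiliate="; nocase; sid:2001223; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Regnow.com Gamehouse.com Access"; reference:url,www.gamehouse.com; classtype:trojan-activity; uricontent:"/affiliates/template.jsp?AID="; nocase; sid:2001224; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Default-homepage-network.com Access"; reference:url,default-homepage-network.com/start.cgi?new-hkcu; classtype:trojan-activity; uricontent:"/start.cgi?new-hkcu"; nocase; sid:2001222; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware F1Organizer Reporting"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/f1/audit/"; nocase; sid:2000582; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware F1Organizer Install Attempt"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/f1/objects/ezbdlLs.dll"; nocase; sid:2000585; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware F1Organizer Install Attempt"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/f1/objects/"; nocase; sid:2000585; rev:2;)
'''

# action proto src sport -> dst dport ( options )
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
# One option: keyword, optional ":" plus either a quoted string or a raw value, then ";".
OPT_RE = re.compile(r'\s*([a-z_]+)(?::(?:"((?:[^"\\]|\\.)*)"|([^;]*)))?;')


@dataclass
class Rule:
    sid: int
    rev: int
    msg: str
    references: list = field(default_factory=list)
    uricontents: list = field(default_factory=list)  # [(pattern, nocase)]


def unescape(s):
    """Drop the backslash Snort uses to escape ; : " and \\ inside quoted values."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f'not a rule: {line!r}')
    rule = Rule(sid=0, rev=0, msg='')
    opts, pos = m.group(7).strip(), 0
    while pos < len(opts):
        om = OPT_RE.match(opts, pos)
        if not om:
            raise ValueError(f'bad option syntax at: {opts[pos:]!r}')
        key, quoted, raw = om.groups()
        value = unescape(quoted) if quoted is not None else (raw.strip() if raw is not None else None)
        if key == 'sid':
            rule.sid = int(value)
        elif key == 'rev':
            rule.rev = int(value)
        elif key == 'msg':
            rule.msg = value
        elif key == 'reference':
            rule.references.append(value)
        elif key == 'uricontent':
            rule.uricontents.append((value, False))
        elif key == 'nocase':
            # nocase is a modifier on the preceding content/uricontent keyword
            pat, _ = rule.uricontents[-1]
            rule.uricontents[-1] = (pat, True)
        pos = om.end()
    return rule


def fires(rule, uri):
    """True when every uricontent of the rule is a substring of the request URI
    (case-insensitive where nocase was set); Snort ANDs its content checks."""
    for pat, nocase in rule.uricontents:
        hay, needle = (uri.lower(), pat.lower()) if nocase else (uri, pat)
        if needle not in hay:
            return False
    return True


def evaluate(rules, uri):
    """(sid, rev) pairs that fire on a URI, in ruleset order."""
    return [(r.sid, r.rev) for r in rules if fires(r, uri)]


def sidmap_lines(rules):
    """Regenerate sid-msg.map entries: 'sid || msg || ref', highest rev per sid,
    sorted by sid as the update lists them."""
    latest = {}
    for r in rules:
        if r.sid not in latest or r.rev > latest[r.sid].rev:
            latest[r.sid] = r
    return [' || '.join([str(r.sid), r.msg, *r.references])
            for r in sorted(latest.values(), key=lambda r: r.sid)]


RULES = [parse_rule(l) for l in RULE_TEXT.strip().splitlines()]

if __name__ == '__main__':
    # Constructed URIs: the original ezbdlLs.dll path, a sibling object that only
    # rev:2 catches, and a mixed-case F1 command path to exercise nocase.
    for uri in ['/f1/objects/ezbdlLs.dll', '/f1/objects/other.dll', '/F1/CMD4F1', '/index.html']:
        print(uri, evaluate(RULES, uri))
    print('\n'.join(sidmap_lines(RULES)))
```

Running it shows that `/f1/objects/other.dll` is caught only by rev:2 of sid 2000585, which is the point of that modification, and that the six regenerated map lines are byte-for-byte the ones listed under "Added to bleeding-sid-msg.map" above. The same loop is a cheap regression check to run against a local copy of bleeding-malware.rules before deploying an Oinkmaster update: any rule whose uricontent no longer matches the sample URIs you expect it to has been narrowed, and any that starts matching benign paths has been widened too far.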
