[Snort-sigs] Bleedingsnort.com Daily Update

matt at ...2436...
Sun Aug 29 18:02:06 EDT 2004


[***] Results from Oinkmaster started Sun Aug 29 20:00:01 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding.rules (5):
        alert ip any any -> any any (msg:"BLEEDING-EDGE Possible CIA trojan activity"; content:"CIA 1."; content:"pass"; classtype:trojan-activity; sid:2001234; rev:1;)
        alert tcp any any -> any 65506 (msg:"BLEEDING-EDGE Unknown activity port 65506"; reference:url,isc.sans.org/diary.php?date=2004-08-21; content: "|00 00 43|"; window: 16616; fragbits: D+; sid:2001232; rev:1;)
        alert tcp any any -> any 559 (msg:"BLEEDING-EDGE ISC Unknown activity port 559"; reference:url,isc.sans.org/diary.php?date=2004-08-21; content: "|04 01 00 50 D9 6A E8 11|"; sid:2001231; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Weatherbug"; uricontent:"WxAlertIsapi"; nocase; sid:2001235;)
        alert ip any any -> any any (msg:"BLEEDING-EDGE Possible CIA Trojan/Backdoor download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; classtype:trojan-activity; sid:2001233; rev:1;)

[---]         Removed rules:         [---]

     -> Removed from bleeding.rules (2):
        alert tcp any any -> any 65506 (msg:"BLEEDING-EDGE Unknown activity port 65506"; reference:url,isc.sans.org/diary.php?date=2004-08-21; content: "|00 00 43|"; window: 16616; fragbits: D+; sid:1001232; rev:1;)
        alert tcp any any -> any 559 (msg:"BLEEDING-EDGE ISC Unknown activity port 559"; reference:url,isc.sans.org/diary.php?date=2004-08-21; content: "|04 01 00 50 D9 6A E8 11|"; sid:1001231; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (5):
        2001231 || BLEEDING-EDGE ISC Unknown activity port 559 || url,isc.sans.org/diary.php?date=2004-08-21
        2001232 || BLEEDING-EDGE Unknown activity port 65506 || url,isc.sans.org/diary.php?date=2004-08-21
        2001233 || BLEEDING-EDGE Possible CIA Trojan/Backdoor download/upload attempt
        2001234 || BLEEDING-EDGE Possible CIA trojan activity
        2001235 || BLEEDING-EDGE Weatherbug

     -> Added to bleeding.rules (2):
        # Weatherbug - Dale Handy, PE
        #Written by Chris Norton

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (2):
        1001231 || BLEEDING-EDGE ISC Unknown activity port 559 || url,isc.sans.org/diary.php?date=2004-08-21
        1001232 || BLEEDING-EDGE Unknown activity port 65506 || url,isc.sans.org/diary.php?date=2004-08-21

[*] Added files: [*]
    None.
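A consistency check over this update, added here as an example and not code from Bleedingsnort, Oinkmaster or the poster: it parses the five added rules and the bleeding-sid-msg.map lines above (copied in as constructed sample input), confirms every added sid has a map entry whose msg and reference match the rule, flags rules that carry no rev or classtype (the Weatherbug rule has neither; the two ISC port rules have no classtype), and pairs each removed rule with an added rule that differs only in sid and rev, which is how the 1001231/1001232 to 2001231/2001232 renumbering shows up. The 2000000-2999999 range it treats as Bleeding's own is an assumption taken from the renumbering in this update.

```python
import re

# Constructed sample input: the rule and sid-msg.map lines from the update above.
ADDED_RULES = [
    'alert ip any any -> any any (msg:"BLEEDING-EDGE Possible CIA trojan activity"; content:"CIA 1."; content:"pass"; classtype:trojan-activity; sid:2001234; rev:1;)',
    'alert tcp any any -> any 65506 (msg:"BLEEDING-EDGE Unknown activity port 65506"; reference:url,isc.sans.org/diary.php?date=2004-08-21; content: "|00 00 43|"; window: 16616; fragbits: D+; sid:2001232; rev:1;)',
    'alert tcp any any -> any 559 (msg:"BLEEDING-EDGE ISC Unknown activity port 559"; reference:url,isc.sans.org/diary.php?date=2004-08-21; content: "|04 01 00 50 D9 6A E8 11|"; sid:2001231; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Weatherbug"; uricontent:"WxAlertIsapi"; nocase; sid:2001235;)',
    'alert ip any any -> any any (msg:"BLEEDING-EDGE Possible CIA Trojan/Backdoor download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; classtype:trojan-activity; sid:2001233; rev:1;)',
]
REMOVED_RULES = [
    'alert tcp any any -> any 65506 (msg:"BLEEDING-EDGE Unknown activity port 65506"; reference:url,isc.sans.org/diary.php?date=2004-08-21; content: "|00 00 43|"; window: 16616; fragbits: D+; sid:1001232; rev:1;)',
    'alert tcp any any -> any 559 (msg:"BLEEDING-EDGE ISC Unknown activity port 559"; reference:url,isc.sans.org/diary.php?date=2004-08-21; content: "|04 01 00 50 D9 6A E8 11|"; sid:1001231; rev:1;)',
]
ADDED_MAP = [
    "2001231 || BLEEDING-EDGE ISC Unknown activity port 559 || url,isc.sans.org/diary.php?date=2004-08-21",
    "2001232 || BLEEDING-EDGE Unknown activity port 65506 || url,isc.sans.org/diary.php?date=2004-08-21",
    "2001233 || BLEEDING-EDGE Possible CIA Trojan/Backdoor download/upload attempt",
    "2001234 || BLEEDING-EDGE Possible CIA trojan activity",
    "2001235 || BLEEDING-EDGE Weatherbug",
]

# Assumed sid range for Bleeding rules (the update moves rules from 100xxxx into 200xxxx).
BLEEDING_SID_RANGE = range(2000000, 3000000)

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
# One option: `key:value;` with an optionally quoted value, or a bare flag such as `nocase;`.
OPTION_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(line):
    """Split a Snort rule into header fields plus an option dict (key -> list of values, in order)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    opts = {}
    for key, value in OPTION_RE.findall(m.group(8)):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts.setdefault(key, []).append(value)
    return {"action": m.group(1), "proto": m.group(2), "src": m.group(3), "sport": m.group(4),
            "dst": m.group(6), "dport": m.group(7), "opts": opts}


def parse_map(line):
    """Parse one sid-msg.map line: `sid || msg [|| reference ...]`."""
    parts = [p.strip() for p in line.split("||")]
    return int(parts[0]), parts[1], parts[2:]


def signature(rule):
    """Everything that identifies a rule except sid and rev, as a hashable tuple."""
    header = tuple(rule[k] for k in ("action", "proto", "src", "sport", "dst", "dport"))
    opts = tuple((k, tuple(v)) for k, v in sorted(rule["opts"].items()) if k not in ("sid", "rev"))
    return header + (opts,)


def check_update(added_rules, removed_rules, added_map):
    """Return (findings, renumbered): findings are (sid, issue) pairs sorted by sid;
    renumbered lists (old_sid, new_sid) for removed rules re-added under a new sid."""
    findings, added = [], {}
    for line in added_rules:
        rule = parse_rule(line)
        opts = rule["opts"]
        if "sid" not in opts:
            findings.append((0, "rule without sid: " + opts.get("msg", ["?"])[0]))
            continue
        sid = int(opts["sid"][0])
        added[sid] = rule
        if sid not in BLEEDING_SID_RANGE:
            findings.append((sid, "sid outside assumed Bleeding range"))
        for required in ("rev", "classtype"):
            if required not in opts:
                findings.append((sid, "missing " + required))
    mapped = {sid: (msg, refs) for sid, msg, refs in map(parse_map, added_map)}
    for sid, rule in added.items():
        if sid not in mapped:
            findings.append((sid, "no sid-msg.map entry"))
            continue
        msg, refs = mapped[sid]
        if msg != rule["opts"]["msg"][0]:
            findings.append((sid, "sid-msg.map msg differs from rule msg"))
        if refs != rule["opts"].get("reference", []):
            findings.append((sid, "sid-msg.map references differ from rule references"))
    for sid in mapped:
        if sid not in added:
            findings.append((sid, "sid-msg.map entry without a matching rule"))
    # A removed rule whose body reappears under a different sid was renumbered, not dropped.
    by_signature = {signature(r): sid for sid, r in added.items()}
    renumbered = []
    for line in removed_rules:
        old = parse_rule(line)
        old_sid = int(old["opts"]["sid"][0])
        new_sid = by_signature.get(signature(old))
        if new_sid is not None and new_sid != old_sid:
            renumbered.append((old_sid, new_sid))
    return sorted(findings), sorted(renumbered)


if __name__ == "__main__":
    findings, renumbered = check_update(ADDED_RULES, REMOVED_RULES, ADDED_MAP)
    for sid, issue in findings:
        print("sid %d: %s" % (sid, issue))
    for old_sid, new_sid in renumbered:
        print("renumbered %d -> %d" % (old_sid, new_sid))
```

Run against this update it reports the Weatherbug rule (2001235) as missing both rev and classtype, the two ISC port rules (2001231, 2001232) as missing classtype, and pairs the two removed 100xxxx rules with their 200xxxx replacements; the map entries all line up with their rules. Rules without a rev are worth fixing before deployment, since Oinkmaster and sid-msg.map tooling use sid plus rev to tell an updated rule from an unchanged one.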
