[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Mon Dec 6 18:02:00 EST 2004


[***] Results from Oinkmaster started Mon Dec  6 21:00:02 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (5):
        alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Netsky.P Worm detected ";content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; classtype:misc-activity; flow:established,to_server; sid:2001566; rev:3;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Virus Rogue Port 445 traffic"; threshold: type limit, track by_src, count 100 , seconds 600; sid:2001569; rev:3;)
        alert TCP $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel.AX - incoming"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001568; rev:2;)
        alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel.AX - outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001567; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Netsky.P Worm - incoming "; content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; nocase; flow:established,from_server; classtype:misc-activity; sid:2001565; rev:3;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding.rules (1):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Buffer Overflow Exploit in Adobe Acrobat Reader"; pcre:"/URI/URI\(mailto\:[^"]*"[^"]*"x[\d]{3}/i"; reference:url,www.securiteam.com/securitynews/5WP080AAKK.html; classtype:shellcode-detect; sid:2001049; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Buffer Overflow Exploit in Adobe Acrobat Reader"; pcre:"/URI/URI\(mailto\:[^"]*"[^"]*"x[\d]{3}/i"; reference:url,www.securiteam.com/securitynews/5WP080AAKK.html; classtype:shellcode-detect; flow:established; sid:2001049; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (5):
        2001565 || BLEEDING-EDGE Virus Netsky.P Worm - incoming
        2001566 || BLEEDING-EDGE Virus Netsky.P Worm detected
        2001567 || BLEEDING-EDGE Virus Bagel.AX - outbound
        2001568 || BLEEDING-EDGE Virus Bagel.AX - incoming
        2001569 || BLEEDING-EDGE Virus Rogue Port 445 traffic

     -> Added to bleeding-virus.rules (5):
        #Submitted by Mark Scott
        #These are general tools to detect worm outbreaks - enable at your own risk
        #Submitted by Mark Scott
        #Turn this on only if your external_net is not set to ANY.
        #Submitted by Mark Scott, Mark.Scott at ...2921..., created 3/22/2004

[*] Added files: [*]
    None.