[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Sat Dec 11 18:01:03 EST 2004


[***] Results from Oinkmaster started Sat Dec 11 21:00:06 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware BInet Information Install Report"; uricontent:"/bi/servlet/ThinstallPost"; nocase; flow:to_server,established; classtype:trojan-activity; reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; sid:2001576; rev:1;)

     -> Added to bleeding.rules (2):
        alert ip 83.102.166.0/24 any -> any any (msg:"BLEEDING-EDGE ISC Handlers - UDP Frag Hunt - Narrowing TTL - PLEASE REPORT to incidents.org"; byte_test: 2,=,45,2; byte_test: 2,=,64,6; byte_test: 1,>,56,8; content: "|11EF 0035 0019 50D7 71F7 0100 0001 0000 0000 0000 0000 0200 01|"; reference:url,isc.sans.org/diary.php?date=2004-12-10; sid:2001574; rev:1;)
        alert ip 83.102.166.0/24 any -> any any (msg:"BLEEDING-EDGE ISC Handlers - UDP Frag Hunt - Bigger Packets"; byte_test: 2,>,45,2; byte_test: 2,=,64,6; content: "|11EF 0035 0019 50D7 71F7 0100 0001 0000 0000 0000 0000 0200 01|"; reference:url,isc.sans.org/diary.php?date=2004-12-10; sid:2001575; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (2):
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"Zafi.B Worm - incoming "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; nocase; classtype:misc-activity; sid:2001572;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Zafi.B Worm - incoming "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; nocase; classtype:misc-activity; flow:from_server,established; sid:2001572; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"Zafi.B Worm outgoing detected "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; classtype:misc-activity; sid:2001573;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"Zafi.B Worm outgoing detected "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; flow:to_server,established; classtype:misc-activity; sid:2001573; rev:2;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-inappropriate.rules (3):
        alert tcp $HOME_NET any -> any !443 (msg:"BLEEDING-EDGE Inappropriate Content - Cunt"; content:" cunt "; nocase; flow:established; classtype:policy-violation; sid:2001356; rev:2;)
        alert tcp $HOME_NET any -> any !443 (msg:"BLEEDING-EDGE Inappropriate Content - Gangbang"; content:" gangbang "; nocase; flow:established; classtype:policy-violation; sid:2001355; rev:2;)
        alert tcp $HOME_NET any -> any !443 (msg:"BLEEDING-EDGE Inappropriate Content - Nigger"; content:" nigger "; nocase; flow:established; classtype:policy-violation; sid:2001358; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (1):
        #Data from Allison Macfarland

     -> Added to bleeding-sid-msg.map (3):
        2001574 || BLEEDING-EDGE ISC Handlers - UDP Frag Hunt - Narrowing TTL - PLEASE REPORT to incidents.org || url,isc.sans.org/diary.php?date=2004-12-10
        2001575 || BLEEDING-EDGE ISC Handlers - UDP Frag Hunt - Bigger Packets || url,isc.sans.org/diary.php?date=2004-12-10
        2001576 || BLEEDING-EDGE Malware BInet Information Install Report || url,sarc.com/avcenter/venc/data/pf/adware.binet.html

     -> Added to bleeding.rules (2):
        #From the ISC Folks, written by Erik Fitchner.
        #If you get a hit on these PLEASE REPORT to incidents.org!!! See reference for more info

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-inappropriate.rules (1):
        #Ideas from the lists and anonymous suggestions :)

     -> Removed from bleeding-sid-msg.map (3):
        2001355 || BLEEDING-EDGE Inappropriate Content - Gangbang
        2001356 || BLEEDING-EDGE Inappropriate Content - Cunt
        2001358 || BLEEDING-EDGE Inappropriate Content - Nigger

[*] Added files: [*]
    None.
