[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Mon Dec 13 18:01:03 EST 2004


[***] Results from Oinkmaster started Mon Dec 13 21:00:01 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (2):
        alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm outbound detected"; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; threshold: type limit, track by_src, count 10 , seconds 60; nocase; classtype:misc-activity; flow:established,to_server; sid:2001578; rev:1;)
        alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm - incoming"; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; nocase; classtype:misc-activity; flow:established,to_server; sid:2001577; rev:1;)

     -> Added to bleeding.rules (6):
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001579; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001583; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001569; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001580; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001582; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001581; rev:1;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-virus.rules (1):
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Virus Rogue Port 445 traffic"; threshold: type limit, track by_src, count 100 , seconds 600; sid:2001569; rev:3;)

     -> Removed from bleeding.rules (2):
        alert tcp any any -> any 65506 (msg:"BLEEDING-EDGE Unknown activity port 65506"; reference:url,isc.sans.org/diary.php?date=2004-08-21; content: "|00 00 43|"; window: 16616; fragbits: D+; sid:2001232; rev:1;)
        alert tcp any any -> any 559 (msg:"BLEEDING-EDGE ISC Unknown activity port 559"; reference:url,isc.sans.org/diary.php?date=2004-08-21; content: "|04 01 00 50 D9 6A E8 11|"; flow:to_server,established; sid:2001231; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (8):
        2001569 || BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection
        2001577 || BLEEDING-EDGE Sober.I Worm - incoming
        2001578 || BLEEDING-EDGE Sober.I Worm outbound detected
        2001579 || BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection
        2001580 || BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection
        2001581 || BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection
        2001582 || BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection
        2001583 || BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection

     -> Added to bleeding-virus.rules (1):
        #added 11/19/2004 Sober.I - created by Mark Scott

     -> Added to bleeding.rules (3):
        #Collective ideas: These are mostly off by default. You need to decide
        # if and where to run these on your networks. They will cause significant
        # False positives if you just turn them on everywhere. You've been warned.

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (3):
        2001231 || BLEEDING-EDGE ISC Unknown activity port 559 || url,isc.sans.org/diary.php?date=2004-08-21
        2001232 || BLEEDING-EDGE Unknown activity port 65506 || url,isc.sans.org/diary.php?date=2004-08-21
        2001569 || BLEEDING-EDGE Virus Rogue Port 445 traffic

     -> Removed from bleeding-virus.rules (2):
        #These are general tools to detect worm outbreaks - enable at your own risk
        #Turn this on only if your external_net is not set to ANY.

[*] Added files: [*]
    None.
