[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Tue Dec 14 17:31:19 EST 2004


[***] Results from Oinkmaster started Tue Dec 14 20:30:14 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-custom.rules (41):
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE libPNG - Remotely exploitable stack-based buffer overrun in png_handle_tRNS"; pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S]){17}\x03/Ri"; content:"tRNS"; byte_jump:4, -8, relative, big; pcre:"/([\s\S]){8}/R"; pcre:"/([a-zA-Z]){2}[A-Z][a-zA-Z]/R"; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001203; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001569; rev:1;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to access SHELL\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*shell[\:]/i"; classtype:web-application-attack; flow:from_server,established; sid:2001100; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to execute Javascript code"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*javascript[\:]/i"; classtype:web-application-attack; flow:from_server,established; sid:2001098; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Stealth attempt to access FILE\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*f[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; flow:from_server,established; classtype:misc-attack; sid:2001104; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Possible Microsoft asycpict.dll 1.0 Remote JPEG DoS Attack Vulnerability Attempt"; content:"|4A 46 49 46|"; content:"|11 08 FF FF FF FF|"; nocase; reference:url,archives.neohapsis.com/archives/bugtraq/2004-10/0126.html; classtype:attempted-dos; flow:from_server,established; sid:2001360; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS SHTM source exposed with Alternate Data Stream"; content: ".shtm\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000524; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001581; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001579; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS HTW source exposed with Alternate Data Stream"; content: ".htw\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000527; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASA source exposed with Alternate Data Stream"; content: ".asa\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000522; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS PHP source exposed with Alternate Data Stream"; content: ".php\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000531; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS CONFIG source exposed with Alternate Data Stream"; content: ".config\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000534; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001583; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection trying to guess the column name"; flow:to_server,established; content:"'|00|"; content:"+|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000374; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sT or TCP incoming connection"; dsize:0; ack:0; fragbits:D; flags:S,12; window:64240; reference:arachnids,162; classtype:attempted-recon; sid:2000535; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection running SQL statements NO line comment"; flow:to_server,established; content:"'|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000376; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"=|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000375; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:4096; reference:arachnids,162; classtype:attempted-recon; sid:2000541; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASAX source exposed with Alternate Data Stream"; content: ".asax\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000533; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:2048; reference:arachnids,162; classtype:attempted-recon; sid:2000539; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE FTP Serv-U MDTM Command Buffer Overflow Vulnerability"; pcre:"/MDTM[\s]+[\d]+[\s\S]*[\w]{45}/Bi"; reference:url,www.securiteam.com/windowsntfocus/5HP010ACAS.html; classtype:misc-activity; flow:to_server,established; sid:2001214; rev:3;)
        #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sU"; dsize:0; reference:arachnids,162; classtype:attempted-recon; sid:2000542; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS SHTML source exposed with Alternate Data Stream"; content: ".shtml\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000525; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 5"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|";content:"B|00|E|00|T|00|W|00|E|00|E|00|N|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000493; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 4"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"L|00|I|00|K|00|E|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000492; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS PL source exposed with Alternate Data Stream"; content: ".pl\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000530; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDC source exposed with Alternate Data Stream"; content: ".idc\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000526; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDA source exposed with Alternate Data Stream"; content: ".ida\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000529; rev:2;)
        #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Height"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001194; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASP source exposed with Alternate Data Stream"; content: ".asp\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000521; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS STM source exposed with Alternate Data Stream"; content: ".stm\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000523; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Object Type Property Overflow"; pcre:"/<OBJECT[\s\S]+type[\s]*=[\s]*['"]([^\/'">]*\/){2}/i"; reference:url,www.hnc3k.com/ievulnerabil.htm;classtype:web-application-attack; flow:from_server,established; sid:2001180; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 2"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:">|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000490; rev:2;)
        #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Width"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001193; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 3"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"<|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000491; rev:3;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Bitmap Integer Overflow"; pcre:"/BM[\s\S]{12}\x28\x00\x00\x00[\s\S]{10}[\x01\x04\x08\x10\x18\x20]\x00[\x00\x01\x02\x03]\x00/i"; content:"BM"; byte_test:4,>,2147483648,8,relative,little; reference:url,www.securitytracker.com/alerts/2004/Feb/1009067.html; classtype:shellcode-detect; flow:from_server,established; sid:2001175; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001582; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDQ source exposed with Alternate Data Stream"; content: ".idq\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000528; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASPX source exposed with Alternate Data Stream"; content: ".aspx\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000532; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001580; rev:1;)

     -> Added to bleeding-malware.rules (4):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MarketScore.com Spyware Upgrading"; classtype:policy-violation; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; uricontent:"/oss/upgrchk_2a.asp"; nocase; flow:to_server,established; sid:2001587; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MarketScore.com Spyware Activity"; classtype:policy-violation; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; uricontent:"/oss/dittorules.asp"; nocase; flow:to_server,established; sid:2001588; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MarketScore.com Spyware Activity"; classtype:policy-violation; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; uricontent:"/oss/routerrules2.asp"; nocase; flow:to_server,established; sid:2001589; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic"; classtype:policy-violation; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; content:"Proxy-agent\: ManInTheMiddle-Proxy"; nocase; flow:to_server,established; sid:2001586; rev:1;)

     -> Added to bleeding-virus.rules (4):
        alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus NetSky.C Worm - outgoing detected"; content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; reference:url,secunia.com/virus_information/557/;classtype:misc-activity; sid:2001591; rev:1;)
        alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Virus IRC Trojan Reporting (file transfer)"; content:"PRIVMSG"; nocase; content:"File transfer complete to IP"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,www.nitroguard.com/rxbot.html; sid:2001585; rev:1;)
        alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus NetSky.C Worm - incoming"; content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; nocase; reference:url,secunia.com/virus_information/557/; classtype:misc-activity; sid:2001590; rev:1;)
        alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Virus IRC Trojan Reporting (mssql)"; content:"PRIVMSG"; nocase; content:"mssql"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,www.nitroguard.com/rxbot.html; sid:2001584; rev:1;)

[---]         Removed rules:         [---]

     -> Removed from bleeding.rules (43):
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE libPNG - Remotely exploitable stack-based buffer overrun in png_handle_tRNS"; pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S]){17}\x03/Ri"; content:"tRNS"; byte_jump:4, -8, relative, big; pcre:"/([\s\S]){8}/R"; pcre:"/([a-zA-Z]){2}[A-Z][a-zA-Z]/R"; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001203; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001569; rev:1;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to access SHELL\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*shell[\:]/i"; classtype:web-application-attack; flow:from_server,established; sid:2001100; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Stealth attempt to access FILE\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*f[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; flow:from_server,established; classtype:misc-attack; sid:2001104; rev:3;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to execute Javascript code"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*javascript[\:]/i"; classtype:web-application-attack; flow:from_server,established; sid:2001098; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Possible Microsoft asycpict.dll 1.0 Remote JPEG DoS Attack Vulnerability Attempt"; content:"|4A 46 49 46|"; content:"|11 08 FF FF FF FF|"; nocase; reference:url,archives.neohapsis.com/archives/bugtraq/2004-10/0126.html; classtype:attempted-dos; flow:from_server,established; sid:2001360; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS SHTM source exposed with Alternate Data Stream"; content: ".shtm\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000524; rev:2;)
        alert ip 83.102.166.0/24 any -> any any (msg:"BLEEDING-EDGE ISC Handlers - UDP Frag Hunt - Bigger Packets"; byte_test: 2,>,45,2; byte_test: 2,=,64,6; content: "|11EF 0035 0019 50D7 71F7 0100 0001 0000 0000 0000 0000 0200 01|"; reference:url,isc.sans.org/diary.php?date=2004-12-10; sid:2001575; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001581; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001579; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS HTW source exposed with Alternate Data Stream"; content: ".htw\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000527; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASA source exposed with Alternate Data Stream"; content: ".asa\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000522; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS PHP source exposed with Alternate Data Stream"; content: ".php\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000531; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS CONFIG source exposed with Alternate Data Stream"; content: ".config\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000534; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001583; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection trying to guess the column name"; flow:to_server,established; content:"'|00|"; content:"+|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000374; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sT or TCP incoming connection"; dsize:0; ack:0; fragbits:D; flags:S,12; window:64240; reference:arachnids,162; classtype:attempted-recon; sid:2000535; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection running SQL statements NO line comment"; flow:to_server,established; content:"'|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000376; rev:1;)
        alert ip 83.102.166.0/24 any -> any any (msg:"BLEEDING-EDGE ISC Handlers - UDP Frag Hunt - Narrowing TTL - PLEASE REPORT to incidents.org"; byte_test: 2,=,45,2; byte_test: 2,=,64,6; byte_test: 1,>,56,8; content: "|11EF 0035 0019 50D7 71F7 0100 0001 0000 0000 0000 0000 0200 01|"; reference:url,isc.sans.org/diary.php?date=2004-12-10; sid:2001574; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"=|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000375; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:4096; reference:arachnids,162; classtype:attempted-recon; sid:2000541; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASAX source exposed with Alternate Data Stream"; content: ".asax\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000533; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE FTP Serv-U MDTM Command Buffer Overflow Vulnerability"; pcre:"/MDTM[\s]+[\d]+[\s\S]*[\w]{45}/Bi"; reference:url,www.securiteam.com/windowsntfocus/5HP010ACAS.html; classtype:misc-activity; flow:to_server,established; sid:2001214; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:2048; reference:arachnids,162; classtype:attempted-recon; sid:2000539; rev:1;)
        #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sU"; dsize:0; reference:arachnids,162; classtype:attempted-recon; sid:2000542; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS SHTML source exposed with Alternate Data Stream"; content: ".shtml\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000525; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 5"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|";content:"B|00|E|00|T|00|W|00|E|00|E|00|N|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000493; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 4"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"L|00|I|00|K|00|E|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000492; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS PL source exposed with Alternate Data Stream"; content: ".pl\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000530; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDC source exposed with Alternate Data Stream"; content: ".idc\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000526; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDA source exposed with Alternate Data Stream"; content: ".ida\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000529; rev:2;)
        #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Height"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001194; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASP source exposed with Alternate Data Stream"; content: ".asp\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000521; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS STM source exposed with Alternate Data Stream"; content: ".stm\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000523; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Object Type Property Overflow"; pcre:"/<OBJECT[\s\S]+type[\s]*=[\s]*['"]([^\/'">]*\/){2}/i"; reference:url,www.hnc3k.com/ievulnerabil.htm;classtype:web-application-attack; flow:from_server,established; sid:2001180; rev:2;)
        #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Width"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001193; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 2"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:">|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000490; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Bitmap Integer Overflow"; pcre:"/BM[\s\S]{12}\x28\x00\x00\x00[\s\S]{10}[\x01\x04\x08\x10\x18\x20]\x00[\x00\x01\x02\x03]\x00/i"; content:"BM"; byte_test:4,>,2147483648,8,relative,little; reference:url,www.securitytracker.com/alerts/2004/Feb/1009067.html; classtype:shellcode-detect; flow:from_server,established; sid:2001175; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001582; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 3"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"<|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000491; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDQ source exposed with Alternate Data Stream"; content: ".idq\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000528; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASPX source exposed with Alternate Data Stream"; content: ".aspx\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000532; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001580; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (1):
        #Info from sgtocanada

     -> Added to bleeding-sid-msg.map (8):
        2001584 || BLEEDING-EDGE Virus IRC Trojan Reporting (mssql) || url,www.nitroguard.com/rxbot.html
        2001585 || BLEEDING-EDGE Virus IRC Trojan Reporting (file transfer) || url,www.nitroguard.com/rxbot.html
        2001586 || BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic || url,www.spysweeper.com/remove-marketscore.html || url,www.marketscore.com
        2001587 || BLEEDING-EDGE Malware MarketScore.com Spyware Upgrading || url,www.spysweeper.com/remove-marketscore.html || url,www.marketscore.com
        2001588 || BLEEDING-EDGE Malware MarketScore.com Spyware Activity || url,www.spysweeper.com/remove-marketscore.html || url,www.marketscore.com
        2001589 || BLEEDING-EDGE Malware MarketScore.com Spyware Activity || url,www.spysweeper.com/remove-marketscore.html || url,www.marketscore.com
        2001590 || BLEEDING-EDGE Virus NetSky.C Worm - incoming || url,secunia.com/virus_information/557/
        2001591 || BLEEDING-EDGE Virus NetSky.C Worm - outgoing detected || url,secunia.com/virus_information/557/

     -> Added to bleeding-virus.rules (2):
        #added by Mark Scott 3/11/2004 for NetSky.C, updated 3/23/2003
        #By James Riden

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (2):
        2001574 || BLEEDING-EDGE ISC Handlers - UDP Frag Hunt - Narrowing TTL - PLEASE REPORT to incidents.org || url,isc.sans.org/diary.php?date=2004-12-10
        2001575 || BLEEDING-EDGE ISC Handlers - UDP Frag Hunt - Bigger Packets || url,isc.sans.org/diary.php?date=2004-12-10

     -> Removed from bleeding.rules (2):
        #From the ISC Folks, written by Erik Fitchner.
        #If you get a hit on these PLEASE REPORT to incidents.org!!! See reference for more info

[*] Added files: [*]
    None.
