[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Tue Dec 14 18:01:04 EST 2004


[***] Results from Oinkmaster started Tue Dec 14 21:00:01 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding.rules (35):
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE libPNG - Remotely exploitable stack-based buffer overrun in png_handle_tRNS"; pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S]){17}\x03/Ri"; content:"tRNS"; byte_jump:4, -8, relative, big; pcre:"/([\s\S]){8}/R"; pcre:"/([a-zA-Z]){2}[A-Z][a-zA-Z]/R"; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001203; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to access SHELL\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*shell[\:]/i"; classtype:web-application-attack; flow:from_server,established; sid:2001100; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Stealth attempt to access FILE\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*f[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; flow:from_server,established; classtype:misc-attack; sid:2001104; rev:3;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to execute Javascript code"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*javascript[\:]/i"; classtype:web-application-attack; flow:from_server,established; sid:2001098; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Possible Microsoft asycpict.dll 1.0 Remote JPEG DoS Attack Vulnerability Attempt"; content:"|4A 46 49 46|"; content:"|11 08 FF FF FF FF|"; nocase; reference:url,archives.neohapsis.com/archives/bugtraq/2004-10/0126.html; classtype:attempted-dos; flow:from_server,established; sid:2001360; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS SHTM source exposed with Alternate Data Stream"; content: ".shtm\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000524; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS HTW source exposed with Alternate Data Stream"; content: ".htw\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000527; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASA source exposed with Alternate Data Stream"; content: ".asa\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000522; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS PHP source exposed with Alternate Data Stream"; content: ".php\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000531; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS CONFIG source exposed with Alternate Data Stream"; content: ".config\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000534; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection trying to guess the column name"; flow:to_server,established; content:"'|00|"; content:"+|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000374; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sT or TCP incoming connection"; dsize:0; ack:0; fragbits:D; flags:S,12; window:64240; reference:arachnids,162; classtype:attempted-recon; sid:2000535; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection running SQL statements NO line comment"; flow:to_server,established; content:"'|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000376; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"=|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000375; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:4096; reference:arachnids,162; classtype:attempted-recon; sid:2000541; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASAX source exposed with Alternate Data Stream"; content: ".asax\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000533; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:2048; reference:arachnids,162; classtype:attempted-recon; sid:2000539; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE FTP Serv-U MDTM Command Buffer Overflow Vulnerability"; pcre:"/MDTM[\s]+[\d]+[\s\S]*[\w]{45}/Bi"; reference:url,www.securiteam.com/windowsntfocus/5HP010ACAS.html; classtype:misc-activity; flow:to_server,established; sid:2001214; rev:3;)
        #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sU"; dsize:0; reference:arachnids,162; classtype:attempted-recon; sid:2000542; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 5"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|";content:"B|00|E|00|T|00|W|00|E|00|E|00|N|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000493; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS SHTML source exposed with Alternate Data Stream"; content: ".shtml\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000525; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 4"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"L|00|I|00|K|00|E|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000492; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS PL source exposed with Alternate Data Stream"; content: ".pl\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000530; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDC source exposed with Alternate Data Stream"; content: ".idc\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000526; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDA source exposed with Alternate Data Stream"; content: ".ida\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000529; rev:2;)
        #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Height"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001194; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASP source exposed with Alternate Data Stream"; content: ".asp\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000521; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS STM source exposed with Alternate Data Stream"; content: ".stm\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000523; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Object Type Property Overflow"; pcre:"/<OBJECT[\s\S]+type[\s]*=[\s]*['"]([^\/'">]*\/){2}/i"; reference:url,www.hnc3k.com/ievulnerabil.htm;classtype:web-application-attack; flow:from_server,established; sid:2001180; rev:2;)
        #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Width"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001193; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 2"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:">|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000490; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Bitmap Integer Overflow"; pcre:"/BM[\s\S]{12}\x28\x00\x00\x00[\s\S]{10}[\x01\x04\x08\x10\x18\x20]\x00[\x00\x01\x02\x03]\x00/i"; content:"BM"; byte_test:4,>,2147483648,8,relative,little; reference:url,www.securitytracker.com/alerts/2004/Feb/1009067.html; classtype:shellcode-detect; flow:from_server,established; sid:2001175; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 3"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"<|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000491; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDQ source exposed with Alternate Data Stream"; content: ".idq\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000528; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASPX source exposed with Alternate Data Stream"; content: ".aspx\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000532; rev:2;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-custom.rules (35):
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE libPNG - Remotely exploitable stack-based buffer overrun in png_handle_tRNS"; pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S]){17}\x03/Ri"; content:"tRNS"; byte_jump:4, -8, relative, big; pcre:"/([\s\S]){8}/R"; pcre:"/([a-zA-Z]){2}[A-Z][a-zA-Z]/R"; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001203; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to access SHELL\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*shell[\:]/i"; classtype:web-application-attack; flow:from_server,established; sid:2001100; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to execute Javascript code"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*javascript[\:]/i"; classtype:web-application-attack; flow:from_server,established; sid:2001098; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Stealth attempt to access FILE\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*f[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; flow:from_server,established; classtype:misc-attack; sid:2001104; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Possible Microsoft asycpict.dll 1.0 Remote JPEG DoS Attack Vulnerability Attempt"; content:"|4A 46 49 46|"; content:"|11 08 FF FF FF FF|"; nocase; reference:url,archives.neohapsis.com/archives/bugtraq/2004-10/0126.html; classtype:attempted-dos; flow:from_server,established; sid:2001360; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS SHTM source exposed with Alternate Data Stream"; content: ".shtm\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000524; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS HTW source exposed with Alternate Data Stream"; content: ".htw\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000527; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASA source exposed with Alternate Data Stream"; content: ".asa\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000522; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS PHP source exposed with Alternate Data Stream"; content: ".php\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000531; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS CONFIG source exposed with Alternate Data Stream"; content: ".config\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000534; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection trying to guess the column name"; flow:to_server,established; content:"'|00|"; content:"+|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000374; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sT or TCP incoming connection"; dsize:0; ack:0; fragbits:D; flags:S,12; window:64240; reference:arachnids,162; classtype:attempted-recon; sid:2000535; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection running SQL statements NO line comment"; flow:to_server,established; content:"'|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000376; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"=|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000375; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:4096; reference:arachnids,162; classtype:attempted-recon; sid:2000541; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASAX source exposed with Alternate Data Stream"; content: ".asax\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000533; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:2048; reference:arachnids,162; classtype:attempted-recon; sid:2000539; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE FTP Serv-U MDTM Command Buffer Overflow Vulnerability"; pcre:"/MDTM[\s]+[\d]+[\s\S]*[\w]{45}/Bi"; reference:url,www.securiteam.com/windowsntfocus/5HP010ACAS.html; classtype:misc-activity; flow:to_server,established; sid:2001214; rev:3;)
        #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sU"; dsize:0; reference:arachnids,162; classtype:attempted-recon; sid:2000542; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS SHTML source exposed with Alternate Data Stream"; content: ".shtml\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000525; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 5"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|";content:"B|00|E|00|T|00|W|00|E|00|E|00|N|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000493; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 4"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"L|00|I|00|K|00|E|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000492; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS PL source exposed with Alternate Data Stream"; content: ".pl\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000530; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDC source exposed with Alternate Data Stream"; content: ".idc\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000526; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDA source exposed with Alternate Data Stream"; content: ".ida\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000529; rev:2;)
        #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Height"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001194; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASP source exposed with Alternate Data Stream"; content: ".asp\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000521; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS STM source exposed with Alternate Data Stream"; content: ".stm\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000523; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Object Type Property Overflow"; pcre:"/<OBJECT[\s\S]+type[\s]*=[\s]*['"]([^\/'">]*\/){2}/i"; reference:url,www.hnc3k.com/ievulnerabil.htm;classtype:web-application-attack; flow:from_server,established; sid:2001180; rev:2;)
        #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Width"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001193; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 2"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:">|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000490; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 3"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"<|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000491; rev:3;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Bitmap Integer Overflow"; pcre:"/BM[\s\S]{12}\x28\x00\x00\x00[\s\S]{10}[\x01\x04\x08\x10\x18\x20]\x00[\x00\x01\x02\x03]\x00/i"; content:"BM"; byte_test:4,>,2147483648,8,relative,little; reference:url,www.securitytracker.com/alerts/2004/Feb/1009067.html; classtype:shellcode-detect; flow:from_server,established; sid:2001175; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDQ source exposed with Alternate Data Stream"; content: ".idq\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000528; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASPX source exposed with Alternate Data Stream"; content: ".aspx\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000532; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-custom.rules (3):
        #Collective ideas: These are mostly off by default. You need to decide
        # if and where to run these on your networks. They will cause significant
        # False positives if you just turn them on everywhere. You're been warned.

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (6):
        2001569 || BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection
        2001579 || BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection
        2001580 || BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection
        2001581 || BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection
        2001582 || BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection
        2001583 || BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection

     -> Removed from bleeding.rules (3):
        #Collective ideas: These are mostly off by default. You need to decide
        # if and where to run these on your networks. They will cause significant
        # False positives if you just turn them on everywhere. You're been warned.

[*] Added files: [*]
    None.