[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727... bleeding at ...2727...
Wed Dec 15 18:01:02 EST 2004


[***] Results from Oinkmaster started Wed Dec 15 21:00:02 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-custom.rules (16):
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:4096; reference:arachnids,162; classtype:attempted-recon; sid:2000541; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:2048; reference:arachnids,162; classtype:attempted-recon; sid:2000539; rev:1;)
        #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sU"; dsize:0; reference:arachnids,162; classtype:attempted-recon; sid:2000542; rev:1;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to access SHELL\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*shell[\:]/i"; classtype:web-application-attack; flow:from_server,established; sid:2001100; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 5"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|";content:"B|00|E|00|T|00|W|00|E|00|E|00|N|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000493; rev:3;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to execute Javascript code"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*javascript[\:]/i"; classtype:web-application-attack; flow:from_server,established; sid:2001098; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Stealth attempt to access FILE\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*f[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; flow:from_server,established; classtype:misc-attack; sid:2001104; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 4"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"L|00|I|00|K|00|E|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000492; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Object Type Property Overflow"; pcre:"/<OBJECT[\s\S]+type[\s]*=[\s]*['"]([^\/'">]*\/){2}/i"; reference:url,www.hnc3k.com/ievulnerabil.htm;classtype:web-application-attack; flow:from_server,established; sid:2001180; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 2"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:">|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000490; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Bitmap Integer Overflow"; pcre:"/BM[\s\S]{12}\x28\x00\x00\x00[\s\S]{10}[\x01\x04\x08\x10\x18\x20]\x00[\x00\x01\x02\x03]\x00/i"; content:"BM"; byte_test:4,>,2147483648,8,relative,little; reference:url,www.securitytracker.com/alerts/2004/Feb/1009067.html; classtype:shellcode-detect; flow:from_server,established; sid:2001175; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 3"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"<|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000491; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection trying to guess the column name"; flow:to_server,established; content:"'|00|"; content:"+|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000374; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sT or TCP incoming connection"; dsize:0; ack:0; fragbits:D; flags:S,12; window:64240; reference:arachnids,162; classtype:attempted-recon; sid:2000535; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection running SQL statements NO line comment"; flow:to_server,established; content:"'|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000376; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"=|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000375; rev:3;)
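Review bot: All 16 rules land in bleeding-custom.rules commented out, while their bleeding-sid-msg.map entries are removed further down in this report and nothing re-adds them; if an operator uncomments any of these (the non-rule line added alongside them says they have value but are prone to false positives), alerts will carry only a numeric sid until the map is regenerated, since the map generator appears to skip disabled rules. A short header in the file saying so, along the lines of `# Disabled by default (prone to false positives); if enabled, regenerate bleeding-sid-msg.map`, would save that surprise. Also, five of the MS-SQL msg strings read `inputwith` (sids 2000375, 2000490–2000493), a typo worth fixing with a rev bump when these rules are next touched.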

     -> Added to bleeding-virus.rules (3):
        alert tcp $EXTERNAL_NET any -> any 8181 (msg:"BLEEDING-EDGE Virus Zafi.d a.exe file upload"); content:"a.exe"; nocase; flow:established; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype:trojan-activity; sid:2001594; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Virus Zafi.d P2P Infection Attempt"); content:"ICQ 2005A NEW!.EXE"; nocase; flow:established; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype:trojan-activity; sid:2001593; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Virus Zafi.d P2P Infection Attempt"); content:"WINAMP 5.7 NEW!.EXE"; nocase; flow:established; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype:trojan-activity; sid:2001592; rev:1;)
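Review bot: All three new rules close the option list right after msg — `(msg:"BLEEDING-EDGE Virus Zafi.d a.exe file upload"); content:"a.exe"; …` — so the `)` that should end the rule sits before the content, flow, reference, classtype and sid options, and the mangled entries for 2001592–2001594 in the bleeding-sid-msg.map section of this same report (msg text ending in `"); content:"WINAMP 5.7 NEW!.EXE`) show the generator has already mis-parsed them. These are the only uncommented rules in the update, so the Zafi.d detection it delivers either fails to load or loads without its content match, and depending on the Snort version a rule parse error can abort the whole rule load. The fix is to replace `"); content:` with `"; content:` in each of the three lines and bump rev, e.g. `alert tcp $EXTERNAL_NET any -> any 8181 (msg:"BLEEDING-EDGE Virus Zafi.d a.exe file upload"; content:"a.exe"; nocase; flow:established; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype:trojan-activity; sid:2001594; rev:2;)`, then regenerate bleeding-sid-msg.map. Separately, sids 2001592 and 2001593 carry the identical msg `BLEEDING-EDGE Virus Zafi.d P2P Infection Attempt`, so an analyst cannot tell from the alert which lure filename matched; naming it in the msg would help triage.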

[///]    Modified inactive rules:    [///]

     -> Modified inactive in bleeding-custom.rules (6):
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001579; rev:1;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001579; rev:2;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001583; rev:1;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001583; rev:2;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001580; rev:1;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; flags:@; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001580; rev:2;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001569; rev:1;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001569; rev:2;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001582; rev:1;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001582; rev:2;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001581; rev:1;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001581; rev:2;)
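Review bot: The new line for sid 2001580 carries `flags:@;` where its five siblings (2001579, 2001583, 2001569, 2001582, 2001581) carry `flags:S;`; `@` is not a TCP flag character Snort accepts, so the rule will be rejected with a parse error the moment someone uncomments it, and the rev bump to 2 makes the typo look deliberate. It should read `flags:S;` like the others. A further point for all six: a bare `flags:S` matches only a packet whose flag byte is exactly SYN, so SYNs carrying the ECN bits (CWR/ECE) do not count toward the threshold; the NMAP rules added earlier in this same update use `flags:S,12` to mask those reserved bits, and the same form would close that gap here.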

[---]         Removed rules:         [---]

     -> Removed from bleeding.rules (35):
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE libPNG - Remotely exploitable stack-based buffer overrun in png_handle_tRNS"; pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S]){17}\x03/Ri"; content:"tRNS"; byte_jump:4, -8, relative, big; pcre:"/([\s\S]){8}/R"; pcre:"/([a-zA-Z]){2}[A-Z][a-zA-Z]/R"; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001203; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to access SHELL\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*shell[\:]/i"; classtype:web-application-attack; flow:from_server,established; sid:2001100; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Stealth attempt to access FILE\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*f[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; flow:from_server,established; classtype:misc-attack; sid:2001104; rev:3;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to execute Javascript code"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*javascript[\:]/i"; classtype:web-application-attack; flow:from_server,established; sid:2001098; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Possible Microsoft asycpict.dll 1.0 Remote JPEG DoS Attack Vulnerability Attempt"; content:"|4A 46 49 46|"; content:"|11 08 FF FF FF FF|"; nocase; reference:url,archives.neohapsis.com/archives/bugtraq/2004-10/0126.html; classtype:attempted-dos; flow:from_server,established; sid:2001360; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS SHTM source exposed with Alternate Data Stream"; content: ".shtm\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000524; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS HTW source exposed with Alternate Data Stream"; content: ".htw\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000527; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASA source exposed with Alternate Data Stream"; content: ".asa\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000522; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS PHP source exposed with Alternate Data Stream"; content: ".php\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000531; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS CONFIG source exposed with Alternate Data Stream"; content: ".config\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000534; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection trying to guess the column name"; flow:to_server,established; content:"'|00|"; content:"+|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000374; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sT or TCP incoming connection"; dsize:0; ack:0; fragbits:D; flags:S,12; window:64240; reference:arachnids,162; classtype:attempted-recon; sid:2000535; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection running SQL statements NO line comment"; flow:to_server,established; content:"'|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000376; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"=|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000375; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:4096; reference:arachnids,162; classtype:attempted-recon; sid:2000541; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASAX source exposed with Alternate Data Stream"; content: ".asax\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000533; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:2048; reference:arachnids,162; classtype:attempted-recon; sid:2000539; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE FTP Serv-U MDTM Command Buffer Overflow Vulnerability"; pcre:"/MDTM[\s]+[\d]+[\s\S]*[\w]{45}/Bi"; reference:url,www.securiteam.com/windowsntfocus/5HP010ACAS.html; classtype:misc-activity; flow:to_server,established; sid:2001214; rev:3;)
        #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sU"; dsize:0; reference:arachnids,162; classtype:attempted-recon; sid:2000542; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 5"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|";content:"B|00|E|00|T|00|W|00|E|00|E|00|N|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000493; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS SHTML source exposed with Alternate Data Stream"; content: ".shtml\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000525; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 4"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"L|00|I|00|K|00|E|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000492; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS PL source exposed with Alternate Data Stream"; content: ".pl\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000530; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDC source exposed with Alternate Data Stream"; content: ".idc\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000526; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDA source exposed with Alternate Data Stream"; content: ".ida\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000529; rev:2;)
        #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Height"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001194; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASP source exposed with Alternate Data Stream"; content: ".asp\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000521; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS STM source exposed with Alternate Data Stream"; content: ".stm\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000523; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Object Type Property Overflow"; pcre:"/<OBJECT[\s\S]+type[\s]*=[\s]*['"]([^\/'">]*\/){2}/i"; reference:url,www.hnc3k.com/ievulnerabil.htm;classtype:web-application-attack; flow:from_server,established; sid:2001180; rev:2;)
        #alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero Width"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,=,0x00000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001193; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 2"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:">|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000490; rev:2;)
        #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Bitmap Integer Overflow"; pcre:"/BM[\s\S]{12}\x28\x00\x00\x00[\s\S]{10}[\x01\x04\x08\x10\x18\x20]\x00[\x00\x01\x02\x03]\x00/i"; content:"BM"; byte_test:4,>,2147483648,8,relative,little; reference:url,www.securitytracker.com/alerts/2004/Feb/1009067.html; classtype:shellcode-detect; flow:from_server,established; sid:2001175; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 3"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; content:"<|00|"; content:"'|00|'|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; classtype:attempted-user; sid:2000491; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS IDQ source exposed with Alternate Data Stream"; content: ".idq\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000528; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  (msg:"BLEEDING-EDGE WEB-IIS ASPX source exposed with Alternate Data Stream"; content: ".aspx\:\:$DATA"; nocase; flow:to_server,established; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000532; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-custom.rules (4):
        #Various authors, mostly Joseph Gama
        #By Joseph Gama
        #These have value but are prone to falses
        #By Joseph Gama

     -> Added to bleeding-sid-msg.map (3):
        2001592 || BLEEDING-EDGE Virus Zafi.d P2P Infection Attempt"); content:"WINAMP 5.7 NEW!.EXE || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D
        2001593 || BLEEDING-EDGE Virus Zafi.d P2P Infection Attempt"); content:"ICQ 2005A NEW!.EXE || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D
        2001594 || BLEEDING-EDGE Virus Zafi.d a.exe file upload"); content:"a.exe || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D

     -> Added to bleeding-virus.rules (1):
        #by Chris Harrington

     -> Added to bleeding.rules (1):
        #Submitted by mjp

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (35):
        2000374 || BLEEDING-EDGE MS-SQL SQL Injection trying to guess the column name || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000375 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000376 || BLEEDING-EDGE MS-SQL SQL Injection running SQL statements NO line comment || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000490 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 2 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000491 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 3 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000492 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 4 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000493 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 5 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000521 || BLEEDING-EDGE WEB-IIS ASP source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000522 || BLEEDING-EDGE WEB-IIS ASA source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000523 || BLEEDING-EDGE WEB-IIS STM source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000524 || BLEEDING-EDGE WEB-IIS SHTM source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000525 || BLEEDING-EDGE WEB-IIS SHTML source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000526 || BLEEDING-EDGE WEB-IIS IDC source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000527 || BLEEDING-EDGE WEB-IIS HTW source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000528 || BLEEDING-EDGE WEB-IIS IDQ source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000529 || BLEEDING-EDGE WEB-IIS IDA source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000530 || BLEEDING-EDGE WEB-IIS PL source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000531 || BLEEDING-EDGE WEB-IIS PHP source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000532 || BLEEDING-EDGE WEB-IIS ASPX source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000533 || BLEEDING-EDGE WEB-IIS ASAX source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000534 || BLEEDING-EDGE WEB-IIS CONFIG source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
        2000535 || BLEEDING-EDGE SCAN NMAP -sT or TCP incoming connection || arachnids,162
        2000539 || BLEEDING-EDGE SCAN NMAP -sA || arachnids,162
        2000541 || BLEEDING-EDGE SCAN NMAP -sA || arachnids,162
        2000542 || BLEEDING-EDGE SCAN NMAP -sU || arachnids,162
        2001098 || BLEEDING-EDGE Attempt to execute Javascript code
        2001100 || BLEEDING-EDGE Attempt to access SHELL\:
        2001104 || BLEEDING-EDGE Stealth attempt to access FILE\:
        2001175 || BLEEDING-EDGE Internet Explorer Bitmap Integer Overflow || url,www.securitytracker.com/alerts/2004/Feb/1009067.html
        2001180 || BLEEDING-EDGE Internet Explorer Object Type Property Overflow || url,www.hnc3k.com/ievulnerabil.htm
        2001193 || BLEEDING-EDGE libPNG - zero Width || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001194 || BLEEDING-EDGE libPNG - zero Height || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001203 || BLEEDING-EDGE libPNG - Remotely exploitable stack-based buffer overrun in png_handle_tRNS || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html
        2001214 || BLEEDING-EDGE FTP Serv-U MDTM Command Buffer Overflow Vulnerability || url,www.securiteam.com/windowsntfocus/5HP010ACAS.html
        2001360 || BLEEDING-EDGE Possible Microsoft asycpict.dll 1.0 Remote JPEG DoS Attack Vulnerability Attempt || url,archives.neohapsis.com/archives/bugtraq/2004-10/0126.html

     -> Removed from bleeding.rules (2):
        #Submitted by mjp to replace the above rules
        #Submitted by cooljay

[*] Added files: [*]
    None.




