[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Thu Dec 16 18:01:02 EST 2004


[***] Results from Oinkmaster started Thu Dec 16 21:00:06 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-policy.rules (2):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP Checking Version (Startup)"; uricontent:"/ui/"; nocase; uricontent:"/getlatestversion?ver="; nocase; classtype:policy-violation; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; sid:2001595; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP Reporting Install"; uricontent:"/ui/"; nocase; uricontent:"/installed"; nocase; classtype:policy-violation; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; sid:2001596; rev:3;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (3):
        old: alert tcp $EXTERNAL_NET any -> any 8181 (msg:"BLEEDING-EDGE Virus Zafi.d a.exe file upload"); content:"a.exe"; nocase; flow:established; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype:trojan-activity; sid:2001594; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> any 8181 (msg:"BLEEDING-EDGE Virus Zafi.d a.exe file upload"; content:"a.exe"; nocase; flow:established; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype:trojan-activity; sid:2001594; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Virus Zafi.d P2P Infection Attempt"); content:"ICQ 2005A NEW!.EXE"; nocase; flow:established; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype:trojan-activity; sid:2001593; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Virus Zafi.d P2P Infection Attempt"; content:"ICQ 2005A NEW!.EXE"; nocase; flow:established; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype:trojan-activity; sid:2001593; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Virus Zafi.d P2P Infection Attempt"); content:"WINAMP 5.7 NEW!.EXE"; nocase; flow:established; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype:trojan-activity; sid:2001592; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Virus Zafi.d P2P Infection Attempt"; content:"WINAMP 5.7 NEW!.EXE"; nocase; flow:established; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype:trojan-activity; sid:2001592; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-policy.rules (1):
        #By Chich Thierry

     -> Added to bleeding-sid-msg.map (27):
        2000374 || BLEEDING-EDGE MS-SQL SQL Injection trying to guess the column name || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000375 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000376 || BLEEDING-EDGE MS-SQL SQL Injection running SQL statements NO line comment || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000490 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 2 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000491 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 3 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000492 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 4 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000493 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 5 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
        2000535 || BLEEDING-EDGE SCAN NMAP -sT or TCP incoming connection || arachnids,162
        2000539 || BLEEDING-EDGE SCAN NMAP -sA || arachnids,162
        2000541 || BLEEDING-EDGE SCAN NMAP -sA || arachnids,162
        2000542 || BLEEDING-EDGE SCAN NMAP -sU || arachnids,162
        2001098 || BLEEDING-EDGE Attempt to execute Javascript code
        2001100 || BLEEDING-EDGE Attempt to access SHELL\:
        2001104 || BLEEDING-EDGE Stealth attempt to access FILE\:
        2001175 || BLEEDING-EDGE Internet Explorer Bitmap Integer Overflow || url,www.securitytracker.com/alerts/2004/Feb/1009067.html
        2001180 || BLEEDING-EDGE Internet Explorer Object Type Property Overflow || url,www.hnc3k.com/ievulnerabil.htm
        2001569 || BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection
        2001579 || BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection
        2001580 || BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection
        2001581 || BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection
        2001582 || BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection
        2001583 || BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
        2001592 || BLEEDING-EDGE Virus Zafi.d P2P Infection Attempt || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D
        2001593 || BLEEDING-EDGE Virus Zafi.d P2P Infection Attempt || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D
        2001594 || BLEEDING-EDGE Virus Zafi.d a.exe file upload || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D
        2001595 || BLEEDING-EDGE Policy Skype VOIP Checking Version (Startup) || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
        2001596 || BLEEDING-EDGE Policy Skype VOIP Reporting Install || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (3):
        2001592 || BLEEDING-EDGE Virus Zafi.d P2P Infection Attempt"); content:"WINAMP 5.7 NEW!.EXE || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D
        2001593 || BLEEDING-EDGE Virus Zafi.d P2P Infection Attempt"); content:"ICQ 2005A NEW!.EXE || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D
        2001594 || BLEEDING-EDGE Virus Zafi.d a.exe file upload"); content:"a.exe || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D

[*] Added files: [*]
    None.