[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Fri Dec 17 18:03:05 EST 2004


[***] Results from Oinkmaster started Fri Dec 17 21:00:17 2004 [***]

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-policy.rules (2):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP Checking Version (Startup)"; uricontent:"/ui/"; nocase; uricontent:"/getlatestversion?ver="; nocase; classtype:policy-violation; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; sid:2001595; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP Checking Version (Startup)"; uricontent:"/ui/"; nocase; uricontent:"/getlatestversion?ver="; nocase; classtype:policy-violation; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; flow:to_server,established; sid:2001595; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP Reporting Install"; uricontent:"/ui/"; nocase; uricontent:"/installed"; nocase; classtype:policy-violation; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; sid:2001596; rev:3;)
        new: alert udp any any -> any any (msg:"BLEEDING-EDGE Policy Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype:policy-violation; sid:2001596; rev:1;)
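
Review bot: sid:2001596 in the second old/new pair is reused for an unrelated signature. The old line is the TCP "Skype VOIP Reporting Install" rule at rev:3, and the new line is the UDP "Netop Remote Control Usage" rule at rev:1. Reusing the sid makes earlier alerts logged under 2001596 ambiguous, and the rev dropping from 3 to 1 can confuse anything that compares revisions to decide whether a rule changed. The Netop rule should get its own unused sid, with the Skype rule removed explicitly if that was intended. The new rule is also "udp any any -> any any" with a single content match and no depth or offset, so it is worth constraining direction, ports or match position if the protocol allows it.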

[---]         Removed rules:         [---]

     -> Removed from bleeding-policy.rules (1):
        alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; priority:1; sid:2001265; rev:1;)

     -> Removed from bleeding.rules (7):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE iscbaddness"; reference:url,isc.sans.org/diary.php?date=2004-07-16; uricontent:"main1.chm"; flow:to_server,established; sid:2000553; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE iscbaddness4"; reference:url,isc.sans.org/diary.php?date=2004-07-16; uricontent:"screen.exe"; flow:to_server,established; sid:2000555; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE iscbaddness6"; reference:url,isc.sans.org/diary.php?date=2004-07-16; uricontent:"update.exe"; flow:to_server,established; sid:2000557; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE iscbaddness7"; reference:url,isc.sans.org/diary.php?date=2004-07-16; uricontent:"winrr.exe"; flow:to_server,established; sid:2000558; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE iscbaddness3"; reference:url,isc.sans.org/diary.php?date=2004-07-16; uricontent:"mstasks.exe"; flow:to_server,established; sid:2000554; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Russian Bank Ebay Scam Link Captured Information Submitted"; reference:url,spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=142; reference:url,isc.sans.org/diary.php?date=2004-07-16;  uricontent:"/loads/post.php"; flow:to_server,established; sid:2000552; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE iscbaddness5"; reference:url,isc.sans.org/diary.php?date=2004-07-16; uricontent:"loger.exe"; flow:to_server,established; sid:2000556; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-policy.rules (1):
        #Submitted by Lance Boon

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (8):
        2000552 || BLEEDING-EDGE Russian Bank Ebay Scam Link Captured Information Submitted || url,isc.sans.org/diary.php?date=2004-07-16 || url,spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=142
        2000553 || BLEEDING-EDGE iscbaddness || url,isc.sans.org/diary.php?date=2004-07-16
        2000554 || BLEEDING-EDGE iscbaddness3 || url,isc.sans.org/diary.php?date=2004-07-16
        2000555 || BLEEDING-EDGE iscbaddness4 || url,isc.sans.org/diary.php?date=2004-07-16
        2000556 || BLEEDING-EDGE iscbaddness5 || url,isc.sans.org/diary.php?date=2004-07-16
        2000557 || BLEEDING-EDGE iscbaddness6 || url,isc.sans.org/diary.php?date=2004-07-16
        2000558 || BLEEDING-EDGE iscbaddness7 || url,isc.sans.org/diary.php?date=2004-07-16
        2001265 || BLEEDING-EDGE CHAT MSN message

     -> Removed from bleeding.rules (1):
        #Submitted by James Ashton

[*] Added files: [*]
    None.




