[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727... bleeding at ...2727...
Sat Dec 18 18:01:01 EST 2004


[***] Results from Oinkmaster started Sat Dec 18 21:00:02 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-policy.rules (1):
        alert udp any any -> any any (msg:"BLEEDING-EDGE Policy Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype:policy-violation; sid:2001597; rev:1;)

     -> Added to bleeding-virus.rules (4):
        alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.zip] - outgoing detected "; content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; sid:2001599; rev:1;)
        alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.cmd, .com, .pif or .bat] - incoming detected "; content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; sid:2001600; rev:1;)
        alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.cmd, .com, .pif or .bat] - outgoing detected "; content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; sid:2001601; rev:1;)
        alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.zip] - incoming detected "; content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; sid:2001598; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-policy.rules (1):
        old: alert udp any any -> any any (msg:"BLEEDING-EDGE Policy Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype:policy-violation; sid:2001596; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP Reporting Install"; uricontent:"/ui/"; nocase; uricontent:"/installed"; nocase; classtype:policy-violation; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; flow:to_server,established; sid:2001596; rev:4;)

     -> Modified active in bleeding-virus.rules (4):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Zafi.B Worm - incoming "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; nocase; classtype:misc-activity; flow:from_server,established; sid:2001572; rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Zafi Worm - incoming "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; nocase; classtype:misc-activity; flow:from_server,established; sid:2001572; rev:3;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"Zafi.B Worm outgoing detected "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; flow:to_server,established; classtype:misc-activity; sid:2001573; rev:2;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"Zafi Worm outgoing detected "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; flow:to_server,established; classtype:misc-activity; sid:2001573; rev:3;)
        old: alert TCP $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel.AX - incoming"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001568; rev:2;)
        new: alert TCP $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel - incoming"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001568; rev:3;)
        old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel.AX - outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001567; rev:2;)
        new: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel - outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001567; rev:3;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (9):
        2001567 || BLEEDING-EDGE Virus Bagel - outbound
        2001568 || BLEEDING-EDGE Virus Bagel - incoming
        2001572 || Zafi Worm - incoming
        2001573 || Zafi Worm outgoing detected
        2001597 || BLEEDING-EDGE Policy Netop Remote Control Usage || url,www.netop.com
        2001598 || BLEEDING-EDGE Virus Zafi.D Worm [.zip] - incoming detected  || url,secunia.com/virus_information/13874/
        2001599 || BLEEDING-EDGE Virus Zafi.D Worm [.zip] - outgoing detected  || url,secunia.com/virus_information/13874/
        2001600 || BLEEDING-EDGE Virus Zafi.D Worm [.cmd, .com, .pif or .bat] - incoming detected  || url,secunia.com/virus_information/13874/
        2001601 || BLEEDING-EDGE Virus Zafi.D Worm [.cmd, .com, .pif or .bat] - outgoing detected  || url,secunia.com/virus_information/13874/

     -> Added to bleeding-virus.rules (2):
        #       Zafi.D
        #added by Mark Scott 12/14/2004 for Zafi.D, variant .zip attachment

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (4):
        2001567 || BLEEDING-EDGE Virus Bagel.AX - outbound
        2001568 || BLEEDING-EDGE Virus Bagel.AX - incoming
        2001572 || Zafi.B Worm - incoming
        2001573 || Zafi.B Worm outgoing detected

[*] Added files: [*]
    None.
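All of the Zafi and Bagle rules above match on the base64 text of the mail attachment rather than on the file bytes, so it is worth decoding what they are actually anchored on before deploying them. The script below is an added example, not part of the Bleeding Snort rules or of this update: it copies the four content strings from the rules (sids 2001598, 2001600, 2001572 and 2001568), re-pads and decodes them, and then checks two things Snort itself will not tell you. First, whether the string survives a shifted base64 frame: a base64 content match is only valid at the 3-byte alignment the signature author observed, which is fine for the three strings taken from offset 0 of the attachment (zip local file header, MZ header) but fragile for the KERNEL32 import fragment, which sits deep inside the file. Second, whether it survives the 76-column line breaks a MIME encoder inserts; Snort 2.x of this vintage has no SMTP base64 decoding, so the content match runs against the raw wire text. The sample attachments are constructed here from the decoded bytes plus zero padding; they are not worm samples.

```python
# Added example, not part of the Bleeding Snort rule set or this update:
# decode the base64 "content" strings from the Zafi/Bagle rules above and
# check what they anchor on.  Strings are copied verbatim from the rules;
# the sample attachments are constructed (decoded bytes + zero padding).
import base64
import binascii

RULE_CONTENT = {
    2001598: "UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ",         # Zafi.D [.zip]
    2001600: "TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8",                # Zafi.D [.cmd/.com/.pif/.bat]
    2001572: "Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA",  # Zafi - incoming
    2001568: "TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA",                        # Bagle - incoming
}


def decode_rule_content(content: str) -> bytes:
    """Snort matches the raw base64 text, which these rules cut mid-group.
    Re-pad so the standard decoder accepts it; bits past the last whole
    byte are dropped."""
    if len(content) % 4 == 1:          # a lone trailing char carries < 8 bits
        content = content[:-1]
    return base64.b64decode(content + "=" * (-len(content) % 4))


def file_kind(blob: bytes) -> str:
    """What the decoded match is anchored on."""
    if blob.startswith(b"PK\x03\x04"):
        return "zip local file header"
    if blob.startswith(b"MZ"):
        return "DOS/PE executable header"
    return "fragment (not a file header)"


def zip_entry_name(blob: bytes) -> str:
    """File name from a zip local file header: u16 name length at offset 26,
    name at offset 30.  On a truncated header this returns however much of
    the name the rule carries."""
    name_len = int.from_bytes(blob[26:28], "little")
    return blob[30:30 + name_len].decode("ascii", "replace")


def content_visible(content: str, attachment: bytes, lead: bytes = b"",
                    wrap: bool = True) -> bool:
    """Would the rule's content string appear in the base64 body an SMTP
    client sends for `attachment`?  `lead` simulates bytes in front of the
    file (it shifts the 3-byte encoding frame); wrap=True adds the
    76-column line breaks a MIME encoder emits, which Snort sees as raw text."""
    data = lead + attachment
    body = base64.encodebytes(data) if wrap else base64.b64encode(data)
    return content in body.decode("ascii")


def nocase_preserves_bytes(content: str) -> bool:
    """Every rule above sets `nocase`.  Base64 is case-sensitive, so the
    case variants Snort would additionally accept decode to different
    bytes: the option only widens the match, it never helps."""
    return decode_rule_content(content.swapcase()) == decode_rule_content(content)


def audit(sid: int) -> dict:
    """Summarise one rule: what it decodes to, and whether the match survives
    a shifted encoding frame.  The constructed sample attachment is the
    decoded bytes padded with zeros so the cut-off group encodes the same."""
    content = RULE_CONTENT[sid]
    blob = decode_rule_content(content)
    sample = blob + b"\x00" * 16
    return {
        "kind": file_kind(blob),
        "length": len(blob),
        "hex": binascii.hexlify(blob[:16]).decode(),
        "at_file_start": content_visible(content, sample),
        "shifted_1": content_visible(content, sample, lead=b"\x00"),
        "shifted_2": content_visible(content, sample, lead=b"\x00\x00"),
    }


if __name__ == "__main__":
    for sid in RULE_CONTENT:
        print(sid, audit(sid))
    print("zip entry:", zip_entry_name(decode_rule_content(RULE_CONTENT[2001598])))
    # Zafi import-table fragment placed 30 bytes into a file: the frame is
    # kept (30 % 3 == 0) but the 62-char string now straddles a line break.
    deep = b"\x00" * 30 + decode_rule_content(RULE_CONTENT[2001572]) + b"\x00" * 16
    print("wrapped:", content_visible(RULE_CONTENT[2001572], deep),
          "unwrapped:", content_visible(RULE_CONTENT[2001572], deep, wrap=False))
```

Decoding shows sid 2001598 anchoring on a stored (uncompressed) zip entry whose 19-byte name begins "xmascard.id" (the rule carries only the first 11 name bytes), sid 2001600 on an MZ header with a PE header at offset 12 (machine 0x014C, two sections, the timestamp field spelling "GIF!"), sid 2001572 on the tail of "KERNEL32.dll" followed by the LoadLibraryA and GetProcAddress import names, and sid 2001568 on nothing more specific than 30 bytes of DOS header, so expect it to fire on other executable attachments built with the same stub. The frame check passes for all four only because the sample puts the bytes at offset 0; the KERNEL32 fragment in a real file is wherever the import table lands, and the wrapped/unwrapped comparison at the end shows it also being lost to a MIME line break.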




