[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Tue Dec 21 15:27:02 EST 2004


[***] Results from Oinkmaster started Tue Dec 21 18:25:48 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (2):
        alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Virus Possible santy.A Worm Defaced Page"; content:"This site is defaced!!!"; nocase; content:"NeverEverNoSanity WebWorm generation X"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; sid:2001607; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Virus Possible Santy.A Worm Searching Google for Targets"; uricontent:"&q=allinurl%3A+%22viewtopic.php%22+%22"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; sid:2001606; rev:1;)

     -> Added to bleeding.rules (2):
        alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit phpBB Highlight Exploit Attempt"; content:"&highlight=%2527%252Esystem("; nocase; flow:to_server,established; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001605; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution - Sanity.A Worm"; flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; uricontent:"&highlight='.write(fopen("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001604; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (17):
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Netsky.Z Worm - outgoing detected"; content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4"; threshold: type limit, track by_src, count 10 , seconds 60; nocase; reference:url,secunia.com/virus_information/8911/;classtype:misc-activity; sid:2001603; rev:1;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Netsky.Z Worm - outgoing detected"; content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4"; threshold: type limit, track by_src, count 10 , seconds 60; nocase; reference:url,secunia.com/virus_information/8911/;classtype:misc-activity; flow:established; sid:2001603; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Zafi Worm - incoming "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; nocase; classtype:misc-activity; flow:from_server,established; sid:2001572; rev:3;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Zafi Worm - incoming "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; nocase; classtype:misc-activity; flow:established; sid:2001572; rev:4;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Netsky.P Worm detected ";content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; classtype:misc-activity; flow:established,to_server; sid:2001566; rev:3;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Netsky.P Worm detected ";content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; classtype:misc-activity; flow:established; sid:2001566; rev:4;)
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm - incoming"; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; nocase; classtype:misc-activity; flow:established,to_server; sid:2001577; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm - incoming"; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; nocase; classtype:misc-activity; flow:established; sid:2001577; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus NetSky.C Worm - incoming"; content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; nocase; reference:url,secunia.com/virus_information/557/; classtype:misc-activity; sid:2001590; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus NetSky.C Worm - incoming"; content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; nocase; reference:url,secunia.com/virus_information/557/; classtype:misc-activity; flow:established; sid:2001590; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.cmd, .com, .pif or .bat] - outgoing detected "; content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; sid:2001601; rev:1;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.cmd, .com, .pif or .bat] - outgoing detected "; content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; flow:established; sid:2001601; rev:2;)
        old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel - outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001567; rev:3;)
        new: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel - outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; flow:established; classtype:trojan-activity; sid:2001567; rev:4;)
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.zip] - incoming detected "; content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; sid:2001598; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.zip] - incoming detected "; content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; flow:established; sid:2001598; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm outbound detected"; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; threshold: type limit, track by_src, count 10 , seconds 60; nocase; classtype:misc-activity; flow:established,to_server; sid:2001578; rev:1;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm outbound detected"; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; threshold: type limit, track by_src, count 10 , seconds 60; nocase; classtype:misc-activity; flow:established; sid:2001578; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"Zafi Worm outgoing detected "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; flow:to_server,established; classtype:misc-activity; sid:2001573; rev:3;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"Zafi Worm outgoing detected "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; flow:established; classtype:misc-activity; sid:2001573; rev:4;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS Probable Zafi Virus Outbound via SMTP"; content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"; content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; distance:6; flow:to_server,established; classtype:misc-activity; sid:2000310; rev:3;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS Probable Zafi Virus Outbound via SMTP"; content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"; content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; distance:6; flow:to_server; classtype:misc-activity; sid:2000310; rev:4;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Netsky.P Worm - incoming "; content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; nocase; flow:established,from_server; classtype:misc-activity; sid:2001565; rev:3;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Netsky.P Worm - incoming "; content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; nocase; flow:established; classtype:misc-activity; sid:2001565; rev:4;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.zip] - outgoing detected "; content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; sid:2001599; rev:1;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.zip] - outgoing detected "; content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; flow:established; sid:2001599; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus NetSky.C Worm - outgoing detected"; content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; reference:url,secunia.com/virus_information/557/;classtype:misc-activity; sid:2001591; rev:1;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus NetSky.C Worm - outgoing detected"; content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; reference:url,secunia.com/virus_information/557/;classtype:misc-activity; flow:established; sid:2001591; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Netsky.Z Worm - incoming detected"; content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4"; nocase; reference:url,secunia.com/virus_information/8911/; classtype:misc-activity; flow:established,to_server; sid:2001602; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Netsky.Z Worm - incoming detected"; content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4"; nocase; reference:url,secunia.com/virus_information/8911/; classtype:misc-activity; flow:established; sid:2001602; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.cmd, .com, .pif or .bat] - incoming detected "; content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; sid:2001600; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.cmd, .com, .pif or .bat] - incoming detected "; content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; flow:established; sid:2001600; rev:2;)
        old: alert TCP $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel - incoming"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001568; rev:3;)
        new: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Bagel - incoming"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; classtype:trojan-activity; flow:established; sid:2001568; rev:4;)

     -> Modified active in bleeding.rules (2):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting SQL Injection <2.0.11"; flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; uricontent:"&highlight='.mysql_query("; nocase; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001557; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting SQL Injection"; flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; uricontent:"&highlight='.mysql_query("; nocase; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001557; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting Remote Code Execution Attempt HowDark.com"; flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; uricontent:"&highlight='.system("; nocase; reference:url,www.howdark.com/poc/phpbb2010_hl.phps; sid:2001457; rev:4;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt"; flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; uricontent:"&highlight='.system("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001457; rev:5;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (6):
        2001457 || BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt || url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
        2001557 || BLEEDING-EDGE Exploit phpBB Highlighting SQL Injection || url,www.securiteam.com/unixfocus/6Z00R2ABPY.html
        2001604 || BLEEDING-EDGE Exploit phpBB Highlighting Code Execution - Sanity.A Worm || url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
        2001605 || BLEEDING-EDGE Exploit phpBB Highlight Exploit Attempt || url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
        2001606 || BLEEDING-EDGE Virus Possible Santy.A Worm Searching Google for Targets || url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html
        2001607 || BLEEDING-EDGE Virus Possible santy.A Worm Defaced Page || url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html

     -> Added to bleeding-virus.rules (1):
        #From Dshield

     -> Added to bleeding.rules (1):
        #From Dshield

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (2):
        2001457 || BLEEDING-EDGE phpBB Highlighting Remote Code Execution Attempt HowDark.com || url,www.howdark.com/poc/phpbb2010_hl.phps
        2001557 || BLEEDING-EDGE phpBB Highlighting SQL Injection <2.0.11 || url,www.securiteam.com/unixfocus/6Z00R2ABPY.html

[*] Added files: [*]
    None.
