[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Wed Dec 22 18:01:04 EST 2004


[***] Results from Oinkmaster started Wed Dec 22 21:00:02 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-inappropriate.rules (1):
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Inappropriate Likely Porn"; pcre:"/ (FREE XXX|dildo|masturbat|oral sex|ejaculat|up skirt|tits|bondage|lolita|clitoris|cock suck|hardcore (teen|anal|sex|porn)|raw sex|((fuck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b/i"; classtype:kickass-porn; sid:2001608; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (1):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Fun Web Products Agent Traffic"; threshold:type limit, track by_src, count 10, seconds 60; classtype:policy-violation; reference:url,www.funwebproducts.com; content:"FunWebProducts\;"; nocase; flow:to_server,established; sid:2001034; rev:7;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Fun Web Products Agent Traffic"; classtype:policy-violation; reference:url,www.funwebproducts.com; content:"FunWebProducts\;"; nocase; flow:to_server,established; threshold:type limit, track by_src, count 2, seconds 360; sid:2001034; rev:10;)

     -> Modified active in bleeding.rules (3):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting SQL Injection"; flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; uricontent:"&highlight='.mysql_query("; nocase; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001557; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting SQL Injection"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.mysql_query("; nocase; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001557; rev:3;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt"; flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; uricontent:"&highlight='.system("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001457; rev:5;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.system("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001457; rev:7;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution - Sanity.A Worm"; flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; uricontent:"&highlight='.write(fopen("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001604; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution - Santy.A Worm"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.fwrite(fopen("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001604; rev:4;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-inappropriate.rules (1):
        #By Jeffrey Lowe

     -> Added to bleeding-sid-msg.map (2):
        2001604 || BLEEDING-EDGE Exploit phpBB Highlighting Code Execution - Santy.A Worm || url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
        2001608 || BLEEDING-EDGE Inappropriate Likely Porn

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2001604 || BLEEDING-EDGE Exploit phpBB Highlighting Code Execution - Sanity.A Worm || url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

[*] Added files: [*]
    None.




