[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727... bleeding at ...2727...
Thu Dec 23 18:01:03 EST 2004


[***] Results from Oinkmaster started Thu Dec 23 21:00:02 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding.rules (3):
        alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 1"; flags:S,12; dsize:24; window:2048; id:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001609; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 3"; flags:S,12; dsize:24; window:2048; id:3; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001611; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 2"; flags:S,12; dsize:24; window:2048; id:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001610; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (2):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Gator Data Submission"; content:"POST /gs_trickler"; nocase; classtype:policy-violation; flow:to_server,established; sid:2000596; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Gator/Claria Data Submission"; content:"POST /gs_trickler" ;depth:32; nocase; classtype:policy-violation; flow:to_server,established; sid:2000596; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Gator Agent Installed"; content:"|5573 65 72 2d 41 67 65 6e 74 3a 20 47 61 74 6f 72|";reference:url,pestpatrol.com/pestinfo/g/gain.asp; classtype:policy-violation; flow:to_server,established; sid:2000368; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Gator/Claria Agent Installed"; content:"|5573 65 72 2d 41 67 65 6e 74 3a 20 47 61 74 6f 72|"; depth:160; reference:url,pestpatrol.com/pestinfo/g/gain.asp; classtype:policy-violation; flow:to_server,established; sid:2000368; rev:4;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (2):
        #Matt Jonkman Rule (depth added by bobkberg)
        #Joel Esler rule (depth added by bobkberg)

     -> Added to bleeding-sid-msg.map (5):
        2000368 || BLEEDING-EDGE Malware Gator/Claria Agent Installed || url,pestpatrol.com/pestinfo/g/gain.asp
        2000596 || BLEEDING-EDGE Malware Gator/Claria Data Submission
        2001609 || F5 BIG-IP 3DNS TCP Probe 1
        2001610 || F5 BIG-IP 3DNS TCP Probe 2
        2001611 || F5 BIG-IP 3DNS TCP Probe 3

     -> Added to bleeding.rules (2):
        # Submitted by Frank Knobbe
        # Note: These rules are more practical as PASS rules, or with suppression in threshold.conf, to ignore harmless load-balancer probes

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (2):
        2000368 || BLEEDING-EDGE Malware Gator Agent Installed || url,pestpatrol.com/pestinfo/g/gain.asp
        2000596 || BLEEDING-EDGE Malware Gator Data Submission

[*] Added files: [*]
    None.
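
The three F5 probe rules above differ only in the IP id they test, and Frank Knobbe's note recommends handling them as PASS rules or via threshold.conf suppression rather than alerts. The block below is an added example, not part of this update or of Snort itself: it re-implements the fingerprint the rules describe (SYN to port 53 with the reserved bits ignored, window 2048, a 24-byte all-zero payload, IP id 1..3) as a stand-alone matcher over constructed packets, then layers a `suppress ... track by_src` filter on top so a known load balancer address is silenced while the rules stay active. `HOME_NET`, the load-balancer address 192.0.2.10 and all sample traffic are assumptions made for the demonstration.

```python
# Added example, not part of the Bleedingsnort update or of Snort: re-implements
# the fingerprint sids 2001609-2001611 match so the rules can be checked against
# packets offline, plus a threshold.conf-style "suppress ... track by_src" filter.
# HOME_NET and the load-balancer address below are assumptions for the demo.
import ipaddress
import struct
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed $HOME_NET; $EXTERNAL_NET = !$HOME_NET
TCP_SYN = 0x02
RESERVED_BITS = 0xC0        # flags:S,12 -> SYN only, but ignore the two reserved (ECN) bits
PROBE_PAYLOAD = b"\x00" * 24                    # dsize:24 and the 24-byte all-zero content
PROBE_SIDS = {1: 2001609, 2: 2001610, 3: 2001611}  # IP id -> sid (the only difference between the rules)

# Mirrors these assumed threshold.conf lines for a known 3DNS box at 192.0.2.10:
#   suppress gen_id 1, sig_id 2001609, track by_src, ip 192.0.2.10   (likewise 2001610, 2001611)
SUPPRESS = {(sid, "192.0.2.10") for sid in PROBE_SIDS.values()}


@dataclass
class Packet:
    src: str
    dst: str
    ip_id: int
    dport: int
    flags: int
    window: int
    payload: bytes


def build_ipv4_tcp(src, dst, sport, dport, ip_id, flags, window, payload):
    """Assemble a minimal IPv4+TCP packet (checksums left zero; not needed for matching)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse(pkt):
    """Decode the fields the rules test; returns None for anything that is not IPv4/TCP."""
    ver_ihl, _, total_len, ip_id, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off, flags, window, _, _ = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    payload = pkt[ihl + (off >> 4) * 4:total_len]
    return Packet(".".join(map(str, src)), ".".join(map(str, dst)), ip_id, dport, flags, window, payload)


def match_3dns_probe(pkt):
    """Return the sid (2001609..2001611) this packet would fire, or None."""
    p = parse(pkt)
    if p is None:
        return None
    src_home = ipaddress.ip_address(p.src) in HOME_NET
    dst_home = ipaddress.ip_address(p.dst) in HOME_NET
    if src_home or not dst_home or p.dport != 53:        # $EXTERNAL_NET any -> $HOME_NET 53
        return None
    if (p.flags & ~RESERVED_BITS) != TCP_SYN:            # flags:S,12
        return None
    if p.window != 2048 or p.payload != PROBE_PAYLOAD:   # window:2048; dsize:24; content:|00 x24|
        return None
    return PROBE_SIDS.get(p.ip_id)                       # id:1 / id:2 / id:3


def evaluate(pkt, suppress=SUPPRESS):
    """Rule match followed by by-source suppression: None means nothing is logged."""
    sid = match_3dns_probe(pkt)
    if sid is None or (sid, parse(pkt).src) in suppress:
        return None
    return sid


# Constructed sample traffic (documentation address ranges, not captured data).
SAMPLES = {
    "probe_id1": build_ipv4_tcp("198.51.100.7", "10.1.2.3", 40000, 53, 1, TCP_SYN, 2048, PROBE_PAYLOAD),
    "probe_ecn": build_ipv4_tcp("198.51.100.7", "10.1.2.3", 40001, 53, 2, TCP_SYN | 0xC0, 2048, PROBE_PAYLOAD),
    "probe_lb":  build_ipv4_tcp("192.0.2.10", "10.1.2.3", 40002, 53, 3, TCP_SYN, 2048, PROBE_PAYLOAD),
    "plain_syn": build_ipv4_tcp("198.51.100.7", "10.1.2.3", 40003, 53, 4711, TCP_SYN, 65535, b""),
    "syn_ack":   build_ipv4_tcp("198.51.100.7", "10.1.2.3", 40004, 53, 1, 0x12, 2048, PROBE_PAYLOAD),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} match={match_3dns_probe(pkt)} after_suppression={evaluate(pkt)}")
```

The `probe_ecn` sample shows why the rules say `flags:S,12` rather than `flags:S`: a SYN with the two reserved bits set still matches, so a probe carrying ECN bits is not missed. If you prefer the PASS-rule route from the note instead of suppression, remember that Snort 2.x evaluates alert rules before pass rules by default; pass rules only win when Snort is started with `-o` or the configuration contains `config order: pass alert log activate dynamic`.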