[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727... bleeding at ...2727...
Mon Dec 27 18:01:05 EST 2004


[***] Results from Oinkmaster started Mon Dec 27 21:00:04 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding.rules (7):
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 2"; flow:to_client,established; flowbits: isset,winhlp32; content: "|3C|PARAM"; nocase; content: "value="; nocase; content: "command|3B|"; nocase; pcre: "/(javascript|http|ftp|vbscript)/iR"; classtype: web-application-attack; sid:2001623; rev:2;)
        alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 2"; flow:to_server,established; flowbits: isset,winhlp32; content: "|3C|PARAM"; nocase; content: "value="; nocase; content: "command|3B|"; nocase; pcre: "/(javascript|http|ftp|vbscript)/iR"; classtype: web-application-attack; sid:2001626; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE Attack Response Outbound PHP Connection"; flow:established,to_server; content:"From\: anon at ...2944..."; offset:0; depth:19; nocase; content:"User-Agent\: PHP"; nocase; classtype:web-application-activity; sid:2001628; rev:1;)
        alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 1"; flow:to_server,established; flowbits: set,winhlp32; flowbits:noalert; content: "|3C|OBJECT"; nocase; content: "application/x-oleobject"; nocase; within: 64; content: "codebase="; nocase; content: "hhctrl.ocx"; nocase; within: 5; classtype: web-application-activity; sid:2001625; rev:1;)
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 3"; flow:to_client, established; flowbits: isset,winhlp32; content: ".HHClick|2829|"; nocase; classtype: web-application-attack; sid:2001624; rev:1;)
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 1"; flow:to_client,established; flowbits: set,winhlp32; flowbits:noalert; content: "|3C|OBJECT"; nocase; content: "application/x-oleobject"; nocase; within: 64; content: "codebase="; nocase; content: "hhctrl.ocx"; nocase; within: 5;  sid:2001622; classtype: web-application-activity; rev:1;)
        alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 3"; flow:to_server,established; flowbits: isset,winhlp32; content: ".HHClick|2829|"; nocase; classtype: web-application-attack; sid:2001627; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (4):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.C Outbound Attack --LOCAL INFECTION--"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.SantyC.php; flow:to_server,established; sid:2001615; rev:8;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus PHPInclude.Worm Outbound Attack --LOCAL INFECTION--"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; flow:to_server,established; sid:2001615; rev:8;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.C Inbound Attack"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.SantyC.php; flow:to_server,established; sid:2001614; rev:8;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus PHPInclude.Worm Inbound Attack"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; flow:to_server,established; sid:2001614; rev:8;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Zafi Worm - incoming "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; nocase; classtype:misc-activity; flow:established; sid:2001572; rev:4;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Zafi Worm - incoming "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; nocase; classtype:misc-activity; flow:established; sid:2001572; rev:5;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"Zafi Worm outgoing detected "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; flow:established; classtype:misc-activity; sid:2001573; rev:4;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi Worm outgoing detected "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; flow:established; classtype:misc-activity; sid:2001573; rev:5;)

     -> Modified active in bleeding.rules (3):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 1"; flags:S,12; dsize:24; window:2048; id:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001609; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 1"; flags:S,12; dsize:24; window:2048; id:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001609; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 3"; flags:S,12; dsize:24; window:2048; id:3; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001611; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 3"; flags:S,12; dsize:24; window:2048; id:3; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001611; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 2"; flags:S,12; dsize:24; window:2048; id:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001610; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 2"; flags:S,12; dsize:24; window:2048; id:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001610; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (14):
        2001572 || BLEEDING-EDGE Virus Zafi Worm - incoming
        2001573 || BLEEDING-EDGE Virus Zafi Worm outgoing detected
        2001609 || BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 1
        2001610 || BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 2
        2001611 || BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 3
        2001614 || BLEEDING-EDGE Virus PHPInclude.Worm Inbound Attack || url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php
        2001615 || BLEEDING-EDGE Virus PHPInclude.Worm Outbound Attack --LOCAL INFECTION-- || url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php
        2001622 || BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 1
        2001623 || BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 2
        2001624 || BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 3
        2001625 || BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 1
        2001626 || BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 2
        2001627 || BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 3
        2001628 || BLEEDING-EDGE Attack Response Outbound PHP Connection

     -> Added to bleeding-virus.rules (1):
        #Matt Jonkman phpinclude.worm

     -> Added to bleeding.rules (2):
        #By Chris Norton
        #Written by Erik Fichtner

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (7):
        2001572 || Zafi Worm - incoming
        2001573 || Zafi Worm outgoing detected
        2001609 || F5 BIG-IP 3DNS TCP Probe 1
        2001610 || F5 BIG-IP 3DNS TCP Probe 2
        2001611 || F5 BIG-IP 3DNS TCP Probe 3
        2001614 || BLEEDING-EDGE Virus Santy.C Inbound Attack || url,www.k-otik.com/exploits/20041225.SantyC.php
        2001615 || BLEEDING-EDGE Virus Santy.C Outbound Attack --LOCAL INFECTION-- || url,www.k-otik.com/exploits/20041225.SantyC.php

     -> Removed from bleeding-virus.rules (1):
        #Matt Jonkman for .C

[*] Added files: [*]
    None.




