[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Tue Dec 28 18:01:05 EST 2004


[***] Results from Oinkmaster started Tue Dec 28 21:00:02 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (4):
        alert tcp $EXTERNAL_NET 6667 -> any any (msg: "BLEEDING-EDGE Virus Rbot IRC activity - Trying to join IRC"; content:"##r00tGiuSe##"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity;  sid:2001631; rev:1;)
        alert tcp $EXTERNAL_NET 6667 -> any any (msg: "BLEEDING-EDGE Virus Rbot IRC activity - ReDirectMe hosts"; content:"ReDiReCtMe.NeT"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity;  sid:2001632; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg: "BLEEDING-EDGE Virus Rbot IRC activity - Trying to join IRC"; content:"##r00tGiuSe##"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity;  sid:2001630; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Virus Rbot IRC activity - giuse.ns0.it"; content:"giuse.ns0.it"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity;  sid:2001629; rev:1;)

     -> Added to bleeding.rules (2):
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Exploit Probable MSIE XPSP2 Remote Compromise"; flow:to_client,established; content:"writehta.txt"; pcre:"/^C\x3A\\\Documents\s+and\s+Settings\\All\s+Users\\Start\s+Menu\\Programs\\Startup\\+?([A-Z]|[a-z]|[0-9])\x2E\hta/mi"; reference:url,freehost07.websamba.com/greyhats/sp2rc-analysis.htm; classtype:web-application-attack; sid:2001634; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Exploit Probable MSIE XPSP2 Remote Compromise"; flow:to_client,established; pcre:"/^file\x3A\\/\/C\x3A\\\WINDOWS\\PCHealth\\HelpCtr\\System\\blurbs\\tools\x2E\htm/mi"; reference:url,freehost07.websamba.com/greyhats/sp2rc-analysis.htm; classtype:web-application-attack; sid:2001633; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (6):
        2001629 || BLEEDING-EDGE Virus Rbot IRC activity - giuse.ns0.it || url,secunia.com/virus_information/11709/
        2001630 || BLEEDING-EDGE Virus Rbot IRC activity - Trying to join IRC || url,secunia.com/virus_information/11709/
        2001631 || BLEEDING-EDGE Virus Rbot IRC activity - Trying to join IRC || url,secunia.com/virus_information/11709/
        2001632 || BLEEDING-EDGE Virus Rbot IRC activity - ReDirectMe hosts || url,secunia.com/virus_information/11709/
        2001633 || BLEEDING-EDGE Exploit Probable MSIE XPSP2 Remote Compromise || url,freehost07.websamba.com/greyhats/sp2rc-analysis.htm
        2001634 || BLEEDING-EDGE Exploit Probable MSIE XPSP2 Remote Compromise || url,freehost07.websamba.com/greyhats/sp2rc-analysis.htm

     -> Added to bleeding-virus.rules (1):
        # Investigating Rbot activity - created by Mark Scott, 12/27/2004

     -> Added to bleeding.rules (1):
        #By Sam Pabon

[*] Added files: [*]
    None.
