[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Fri Dec 31 18:01:03 EST 2004


[***] Results from Oinkmaster started Fri Dec 31 21:00:03 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-policy.rules (1):
        alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Policy SSH Successful user connection"; dsize:100; flags:AP; threshold: type both, track by_src, count 2, seconds 60; classtype:successful-user; sid:2001637; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-scan.rules (1):
        old: alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seconds 120; classtype:attempted-dos; sid:2001219; rev:6;)
        new: alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seconds 120; flowbits:set,ssh.brute.attempt; classtype:attempted-dos; sid:2001219; rev:7;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-attack_response.rules (2):
        #By Matt Jonkman
        alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Successful user connection after Brute Force Attack"; flowbits:isset,ssh.brute.attempt; threshold:type both, track by_src, count 2, seconds 60; dsize:100; flags:AP; classtype:successful-user; rev:2;)

     -> Added to bleeding-policy.rules (1):
        #By Chris Norton

     -> Added to bleeding-sid-msg.map (1):
        2001637 || BLEEDING-EDGE Policy SSH Successful user connection

[*] Added files: [*]
    None.




