[Snort-sigs] New Bleeding rules submitted

Matthew Jonkman matt at ...2436...
Tue Jun 29 05:45:09 EDT 2004


A number of new submissions today, from Chich Thierry and Sykes. Thanks
for your effort, gentlemen. They are posted to bleeding.rules now; they
do not cause issues. Please let us know about their accuracy. And keep
the sigs coming.

# By Chich Thierry
alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k connection to server"; content:"|e3|"; offset:0; depth:1; content:"|00000001|"; offset:2; depth:4; classtype:policy-violation; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev:1; sid:2000330;)
alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k file search"; content:"|e3|"; offset:0; depth:1; content:"|00000016|"; offset:2; depth:4; classtype:policy-violation; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev:1; sid:2000331;)
alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k request part"; content:"|e3|"; offset:0; depth:1; content:"|00000047|"; offset:2; depth:4; classtype:policy-violation; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev:1; sid:200332;)
alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k file request answer"; content:"|e3|"; offset:0; depth:1; content:"|00000059|"; offset:2; depth:4; classtype:policy-violation; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev:1; sid:3000333;)
alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:12; flags:PA; classtype:policy-violation; rev:1; sid:2000334;)
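As an added illustration (not part of the original post or the rules themselves), this emulates Snort's content/offset/depth matching for the four ed2k rules above on constructed packets. It assumes the standard ed2k TCP framing (1 byte 0xE3, 4-byte little-endian length, 1 byte opcode), which the rules implicitly rely on, and shows that a message body of 256 bytes or more puts a non-zero byte at offset 2, so the 4-byte content check at offset 2 no longer matches.

```python
# Added example: minimal emulation of Snort content/offset/depth semantics,
# applied to the ed2k rules posted above. Assumes the standard ed2k header:
# 1 byte protocol id (0xE3), 4-byte little-endian length, 1 byte opcode.
import struct

# (sid, msg, [(content_bytes, offset, depth), ...]), sids copied as posted
ED2K_RULES = [
    (2000330, "ed2k connection to server", [(b"\xe3", 0, 1), (b"\x00\x00\x00\x01", 2, 4)]),
    (2000331, "ed2k file search",          [(b"\xe3", 0, 1), (b"\x00\x00\x00\x16", 2, 4)]),
    (200332,  "ed2k request part",         [(b"\xe3", 0, 1), (b"\x00\x00\x00\x47", 2, 4)]),
    (3000333, "ed2k file request answer",  [(b"\xe3", 0, 1), (b"\x00\x00\x00\x59", 2, 4)]),
]


def content_matches(payload, content, offset, depth):
    """Snort semantics: begin the search `offset` bytes into the payload and
    inspect at most `depth` bytes from that point."""
    window = payload[offset:offset + depth]
    return content in window


def matching_sids(payload):
    """Return the sids of all rules whose content checks all hold."""
    return [sid for sid, _msg, checks in ED2K_RULES
            if all(content_matches(payload, c, o, d) for c, o, d in checks)]


def ed2k_packet(opcode, body):
    """Build a constructed ed2k frame: 0xE3, LE32 length of (opcode + body),
    then the opcode and body."""
    return b"\xe3" + struct.pack("<I", 1 + len(body)) + bytes([opcode]) + body


if __name__ == "__main__":
    # constructed sample: a short login-style message (opcode 0x01)
    print(matching_sids(ed2k_packet(0x01, b"\x00" * 20)))   # [2000330]
    # constructed sample: a search (opcode 0x16) with a body of 300 bytes; the
    # length field now has 0x01 at offset 2, so the offset-2 check fails
    print(matching_sids(ed2k_packet(0x16, b"\x00" * 300)))  # []
```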

# From Syke at ...2593...
alert tcp any 6667 -> $HOME_NET any (msg:"BLEEDING-EDGE mIRC <=6.11 DCC Buffer Overflow"; flow:to_client,established; content:"DCC SEND a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a"; nocase; classtype:attempted-dos; priority:2; sid:2000329; rev:1;)

Matt
