[Snort-sigs] New Bleeding rules submitted

John Nagro john.nagro at ...2420...
Tue Jun 29 07:54:01 EDT 2004


Matt,

Once again, I appreciate your work, and the work of the people on this
list. I have another suggestion. You have been very good at updating
the sid-msg.map that goes along with these rules, but I think we could
tweak them a bit. For example, for the new rule 2000330 we should use
this line in the sid-msg.map:

2000330 || BLEEDING-EDGE P2P ed2k connection to
server || url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf

The additional stuff at the end (beyond the message) will make the url
supplied with the rule actually show up in things like ACID.

If you'd like I will go through and update the whole sid-msg.map file
and post it to the list. Just let me know.

-John

On Tue, 29 Jun 2004 07:44:43 -0500, Matthew Jonkman <matt at ...2436...> wrote:
> A number of new submissions today, from Chich Thierry and Sykes. Thanks
> for your effort gentlemen. These are posted to bleeding.rules now, they
> do not cause issues. Please let us know about their accuracy. And keep
> the sigs coming.
> 
> # By Chich Thierry
> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k connection to
> server"; content:"|e3|"; offset:0; depth:1; content:"|00000001|";
> offset:2; depth:4; classtype:policy-violation;
> reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1;
> sid:2000330;)
> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k file search";
> content:"|e3|"; offset:0; depth:1; content:"|00000016|"; offset:2;
> depth:4; classtype:policy-violation;
> reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1;
> sid:2000331;)
> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k request part";
> content:"|e3|"; offset:0; depth:1; content:"|00000047|"; offset:2;
> depth:4; classtype:policy-violation;
> reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1;
> sid:200332;)
> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k file request
> answer"; content:"|e3|"; offset:0; depth:1; content:"|00000059|";
> offset:2; depth:4; classtype:policy-violation;
> reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1;
> sid:3000333;)
> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P BitTorrent peer
> sync"; content:"|0000000d0600|"; offset:0; depth:12; flags:PA;
> classtype:policy-violation; rev:1; sid:2000334;)
> 
> # From Syke at ...2593...
> alert tcp any 6667 -> $HOME_NET any (msg:"BLEEDING-EDGE mIRC <=6.11 DCC
> Buffer Overflow"; flow:to_client,established; content:"DCC SEND a a a a
> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
> a a a a a a a a a a a a a a a a a a a a a a"; nocase;
> classtype:attempted-dos; priority:2; sid:2000329; rev:1; )
> 
> Matt
> 
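The sid-msg.map convention John proposes above (message followed by the rule's reference in `|| type,id` form), as an added example that is not code from the list post or from the Bleeding project: a small Python script that parses single-line Snort rules, emits sid-msg.map entries with every `reference:` option appended, and audits an existing message-only map for entries that lack the references their rules carry. The two sample rules are taken from the thread above and unwrapped onto one line each; the old-style map sample is constructed. The function names are this example's own.

```python
import re

# Sample input: two of the rules quoted in the thread, joined back onto one
# line each (the mailer had folded them across lines).
SAMPLE_RULES = """
# By Chich Thierry
alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k connection to server"; content:"|e3|"; offset:0; depth:1; content:"|00000001|"; offset:2; depth:4; classtype:policy-violation; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1; sid:2000330;)
alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:12; flags:PA; classtype:policy-violation; rev:1; sid:2000334;)
"""

# Constructed sample: a sid-msg.map written message-only, references omitted.
SAMPLE_OLD_MAP = """
2000330 || BLEEDING-EDGE P2P ed2k connection to server
2000334 || BLEEDING-EDGE P2P BitTorrent peer sync
"""


def split_options(option_text):
    """Split a rule's option body on ';' while ignoring ';' inside quotes."""
    opts, cur, in_quotes, escaped = [], [], False, False
    for ch in option_text:
        if escaped:                      # char after a backslash inside quotes
            cur.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            cur.append(ch)
        elif ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def parse_rule(rule):
    """Return (sid, msg, references) for one single-line Snort rule."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("no option block in rule: %r" % rule)
    sid, msg, refs = None, None, []
    for opt in split_options(m.group(1)):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name == "sid":
            sid = int(value)
        elif name == "msg":
            msg = value.strip('"')
        elif name == "reference":
            refs.append(value)           # already in Snort's "type,id" form
    if sid is None or msg is None:
        raise ValueError("rule lacks sid or msg: %r" % rule)
    return sid, msg, refs


def sid_msg_map_line(sid, msg, refs):
    """Format one entry: sid || msg [|| type,id ...], as John proposes."""
    return " || ".join([str(sid), msg] + list(refs))


def iter_rules(rules_text):
    """Yield parsed rules, skipping blank lines and comments."""
    for line in rules_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield parse_rule(line)


def build_sid_msg_map(rules_text):
    """Generate sid-msg.map lines, references included, from a rules file."""
    return [sid_msg_map_line(sid, msg, refs) for sid, msg, refs in iter_rules(rules_text)]


def parse_sid_msg_map(map_text):
    """Parse sid-msg.map text into {sid: (msg, [references])}."""
    entries = {}
    for line in map_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        entries[int(fields[0])] = (fields[1], fields[2:])
    return entries


def audit_map(rules_text, map_text):
    """Report sids the map lacks, message mismatches, and dropped references."""
    existing = parse_sid_msg_map(map_text)
    report = {"missing_sids": [], "missing_refs": [], "msg_mismatch": []}
    for sid, msg, refs in iter_rules(rules_text):
        if sid not in existing:
            report["missing_sids"].append(sid)
            continue
        map_msg, map_refs = existing[sid]
        if map_msg != msg:
            report["msg_mismatch"].append(sid)
        if refs and sorted(map_refs) != sorted(refs):
            report["missing_refs"].append(sid)
    return report


if __name__ == "__main__":
    for entry in build_sid_msg_map(SAMPLE_RULES):
        print(entry)
    print(audit_map(SAMPLE_RULES, SAMPLE_OLD_MAP))
```

Run against the samples, the first generated entry is exactly the line John proposes for sid 2000330, and the audit flags that sid as having a reference in the rule that the old map drops; 2000334 carries no reference, so it is left alone. The quote-aware splitter matters because a `content:` match may legitimately contain a semicolon, which a plain `split(";")` would cut in half.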