[Snort-sigs] New Bleeding rules submitted

Matthew Jonkman matt at ...2436...
Tue Jun 29 19:55:12 EDT 2004


Thanks for the tip. I don't know diddly about barnyard.

If you want to add to the msg map please do so. I'll post whatever you 
put together.

Thanks

Matt

John Nagro wrote:

> Matt,
> 
> Once again, I appreciate your work, and the work of the people on this
> list. I have another suggestion. You have been very good at updating
> the sid-msg.map that goes along with these rules, but I think we could
> tweak them a bit. For example, for the new rule 2000330 we should use
> this line in the sid-msg.map:
> 
> 2000330 || BLEEDING-EDGE P2P ed2k connection to
> server || url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf
> 
> The additional stuff at the end (beyond the message) will make the url
> supplied with the rule actually show up in things like ACID.
> 
> If you'd like, I will go through and update the whole sid-msg.map file
> and post it to the list. Just let me know.
> 
> -John
> 
> On Tue, 29 Jun 2004 07:44:43 -0500, Matthew Jonkman <matt at ...2436...> wrote:
> 
>>A number of new submissions today, from Chich Thierry and Sykes. Thanks
>>for your effort, gentlemen. They are posted to bleeding.rules now; they
>>do not cause issues. Please let us know about their accuracy. And keep
>>the sigs coming.
>>
>># By Chich Thierry
>>alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k connection to
>>server"; content:"|e3|"; offset:0; depth:1; content:"|00000001|";
>>offset:2; depth:4; classtype:policy-violation;
>>reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1;
>>sid:2000330;)
>>alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k file search";
>>content:"|e3|"; offset:0; depth:1; content:"|00000016|"; offset:2;
>>depth:4; classtype:policy-violation;
>>reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1;
>>sid:2000331;)
>>alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k request part";
>>content:"|e3|"; offset:0; depth:1; content:"|00000047|"; offset:2;
>>depth:4; classtype:policy-violation;
>>reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1;
>>sid:200332;)
>>alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k file request
>>answer"; content:"|e3|"; offset:0; depth:1; content:"|00000059|";
>>offset:2; depth:4; classtype:policy-violation;
>>reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1;
>>sid:3000333;)
>>alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P BitTorrent peer
>>sync"; content:"|0000000d0600|"; offset:0; depth:12; flags:PA;
>>classtype:policy-violation; rev:1; sid:2000334;)
>>
>># From Syke at ...2593...
>>alert tcp any 6667 -> $HOME_NET any (msg:"BLEEDING-EDGE mIRC <=6.11 DCC
>>Buffer Overflow"; flow:to_client,established; content:"DCC SEND a a a a
>>a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
>>a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
>>a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
>>a a a a a a a a a a a a a a a a a a a a a a"; nocase;
>>classtype:attempted-dos; priority:2; sid:2000329; rev:1;)
>>
>>Matt
>>
>>-------------------------------------------------------
>>This SF.Net email sponsored by Black Hat Briefings & Training.
>>Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
>>digital self defense, top technical experts, no vendor pitches,
>>unmatched networking opportunities. Visit www.blackhat.com
>>_______________________________________________
>>Snort-sigs mailing list
>>Snort-sigs at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
> 
> 
> 
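The sid-msg.map convention John describes above (sid, then msg, then each reference as type,value, all separated by " || ") can be generated straight from the rules file instead of being typed by hand. The Python below is an added example, not part of this thread or of the Bleeding rules tooling; the sample input is two of the rules posted in the thread, joined back onto single lines as they would sit in bleeding.rules.

```python
# Constructed sample input: two rules from the thread, each joined onto one
# line as they would sit in bleeding.rules (the mailing list wrapped them).
SAMPLE_RULES = """
# By Chich Thierry
alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k connection to server"; content:"|e3|"; offset:0; depth:1; content:"|00000001|"; offset:2; depth:4; classtype:policy-violation; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1; sid:2000330;)
alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:12; flags:PA; classtype:policy-violation; rev:1; sid:2000334;)
"""

def split_options(body):
    """Split rule options on ';', ignoring semicolons inside double quotes."""
    options, current, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    options.append("".join(current).strip())
    return [opt for opt in options if opt]

def parse_rule(line):
    """Return (sid, msg, [references]) for one rule, or None if not a rule."""
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        return None
    sid, msg, refs = None, None, []
    for opt in split_options(line[start + 1:end]):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "sid":
            sid = int(value)
        elif key == "msg":
            msg = value.strip('"')
        elif key == "reference":   # kept as 'type,value', the sid-msg.map form
            refs.append(value)
    return (sid, msg, refs) if sid is not None and msg is not None else None

def build_sid_msg_map(rules_text):
    """One 'sid || msg [|| type,value ...]' line per rule, sorted by sid."""
    entries = []
    for line in rules_text.splitlines():
        line = line.strip()
        parsed = parse_rule(line) if line and not line.startswith("#") else None
        if parsed:
            sid, msg, refs = parsed
            entries.append((sid, " || ".join([str(sid), msg] + refs)))
    return [text for _, text in sorted(entries)]
```

Rules with several reference options get each one appended as a further " || type,value" field, which is what lets consoles such as ACID show the link next to the alert.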