[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Sat Apr 2 17:01:35 EST 2005


[***] Results from Oinkmaster started Sat Apr  2 20:00:04 2005 [***]

[+++]          Added rules:          [+++]

 2001816 - BLEEDING-EDGE .com DNS cache poison attempt (bleeding-attack_response.rules)
 2001817 - BLEEDING-EDGE .net DNS cache poison attempt (bleeding-attack_response.rules)
 2001818 - BLEEDING-EDGE .org DNS cache poison attempt (bleeding-attack_response.rules)
 2001819 - BLEEDING-EDGE .biz DNS cache poison attempt (bleeding-attack_response.rules)
 2001820 - BLEEDING-EDGE .edu DNS cache poison attempt (bleeding-attack_response.rules)
 2001821 - BLEEDING-EDGE .gov DNS cache poison attempt (bleeding-attack_response.rules)
 2001822 - BLEEDING-EDGE .int DNS cache poison attempt (bleeding-attack_response.rules)
 2001823 - BLEEDING-EDGE .mil DNS cache poison attempt (bleeding-attack_response.rules)
 2001824 - BLEEDING-EDGE .info DNS cache poison attempt (bleeding-attack_response.rules)
 2001825 - BLEEDING-EDGE .name DNS cache poison attempt (bleeding-attack_response.rules)
 2001826 - BLEEDING-EDGE .pro DNS cache poison attempt (bleeding-attack_response.rules)
 2001827 - BLEEDING-EDGE .us DNS cache poison attempt (bleeding-attack_response.rules)
 2001828 - BLEEDING-EDGE .ws DNS cache poison attempt (bleeding-attack_response.rules)
 2001829 - BLEEDING-EDGE .museum DNS cache poison attempt (bleeding-attack_response.rules)
 2001830 - BLEEDING-EDGE .tv DNS cache poison attempt (bleeding-attack_response.rules)
 2001831 - BLEEDING-EDGE .uk DNS cache poison attempt (bleeding-attack_response.rules)
 2001832 - BLEEDING-EDGE .de DNS cache poison attempt (bleeding-attack_response.rules)
 2001833 - BLEEDING-EDGE .jp DNS cache poison attempt (bleeding-attack_response.rules)
 2001834 - DNS lookup attempt to hostile, poisoning DNS server - ISC Diary (bleeding.rules)
 2001835 - Sites trying to infect PCs with malware - ISC Diary (bleeding.rules)
 2001836 - Web page trying to infect PCs with malware - ISC Diary (bleeding.rules)
 2001837 - BLEEDING-EDGE Suspicious DNS aerver answer\: 218.38.13.108 (bleeding.rules)
 2001838 - BLEEDING-EDGE Suspicious DNS server answer\: 217.16.26.148 (bleeding.rules)
 2001839 - BLEEDING-EDGE Suspicious DNS server answer\: 205.162.201.11 (bleeding.rules)
 2001840 - BLEEDING-EDGE Suspicious DNS server answer\: besthost.co.kr (bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-attack_response.rules (19):
        # Added 04-02-2005 by Frank Knobbe
        # Following rules were originally created by the fine folks at the SANS
        # Internet Storm Center.
        # Credit goes to: Cody Hatch, Kyle Haugsness, Stephane Nasdrovisky,
        # Tony Carothers
        # These rules attempt to alert on DNS response packets for responsible top
        # level domain servers containing invalid servers. For example, the .com domain
        # is served by a.gtld-servers.net through m.gtld-servers.net. Any DNS response
        # packet claiming that a different name server is responsible for the .com
        # domain is an attempt to poison the querying DNS server's cache.
        # The challenge is to find a single, all encompassing domain. Efforts are under
        # way to write such a rule. These rules below act more as a white list of
        # valid responses and will alert on servers not specifically white-listed.
        ####
        #### THESE RULES ARE CURRENTLY EXPERIMENTAL!  ENABLE AT YOUR OWN RISK!
        ####
        #### Warning: Side effects may include headaches, dry mouth, bloated logs,
        ####          raised blood pressure and abnormal desire for medication.
        ####

     -> Added to bleeding-sid-msg.map (25):
        2001816 || BLEEDING-EDGE .com DNS cache poison attempt
        2001817 || BLEEDING-EDGE .net DNS cache poison attempt
        2001818 || BLEEDING-EDGE .org DNS cache poison attempt
        2001819 || BLEEDING-EDGE .biz DNS cache poison attempt
        2001820 || BLEEDING-EDGE .edu DNS cache poison attempt
        2001821 || BLEEDING-EDGE .gov DNS cache poison attempt
        2001822 || BLEEDING-EDGE .int DNS cache poison attempt
        2001823 || BLEEDING-EDGE .mil DNS cache poison attempt
        2001824 || BLEEDING-EDGE .info DNS cache poison attempt
        2001825 || BLEEDING-EDGE .name DNS cache poison attempt
        2001826 || BLEEDING-EDGE .pro DNS cache poison attempt
        2001827 || BLEEDING-EDGE .us DNS cache poison attempt
        2001828 || BLEEDING-EDGE .ws DNS cache poison attempt
        2001829 || BLEEDING-EDGE .museum DNS cache poison attempt
        2001830 || BLEEDING-EDGE .tv DNS cache poison attempt
        2001831 || BLEEDING-EDGE .uk DNS cache poison attempt
        2001832 || BLEEDING-EDGE .de DNS cache poison attempt
        2001833 || BLEEDING-EDGE .jp DNS cache poison attempt
        2001834 || DNS lookup attempt to hostile, poisoning DNS server - ISC Diary || url,isc.sans.org/diary.php?date=2005-03-31 || url,isc.sans.org/diary.php?date=2005-03-30
        2001835 || Sites trying to infect PCs with malware - ISC Diary || url,isc.sans.org/diary.php?date=2005-03-30
        2001836 || Web page trying to infect PCs with malware - ISC Diary || url,isc.sans.org/diary.php?date=2005-03-30
        2001837 || BLEEDING-EDGE Suspicious DNS aerver answer\: 218.38.13.108
        2001838 || BLEEDING-EDGE Suspicious DNS server answer\: 217.16.26.148
        2001839 || BLEEDING-EDGE Suspicious DNS server answer\: 205.162.201.11
        2001840 || BLEEDING-EDGE Suspicious DNS server answer\: besthost.co.kr

     -> Added to bleeding.rules (7):
        # This file contains some signatures in response to current events. These do
        # not necessarily match on hostile content, but more often match on hostile
        # source or destination addresses or domains.
        # The rules below were written in response to an ISC Diary that listed known
        # evil, poisoning name servers.
        # Added by Frank Knobbe
        # Submitted by Stephane Nasdrovisky




