[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Tue Apr 5 18:02:03 EDT 2005


[***] Results from Oinkmaster started Tue Apr  5 20:00:03 2005 [***]

[+++]          Added rules:          [+++]

 2001569 - BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001579 - BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001580 - BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001581 - BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001582 - BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001583 - BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001841 - BLEEDING-EDGE P2P UDP traffic -- Lilkely Limewire (bleeding-p2p.rules)


[///]     Modified active rules:     [///]

 2001837 - BLEEDING-EDGE Suspicious DNS server answer\: 218.38.13.108 (bleeding.rules)


[---]         Disabled rules:        [---]

 2001815 - BLEEDING-EDGE Spambot Suspicious 220 Banner on Local Port (bleeding-malware.rules)


[---]         Removed rules:         [---]

 2001569 - BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection (bleeding-custom.rules)
 2001579 - BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection (bleeding-custom.rules)
 2001580 - BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection (bleeding-custom.rules)
 2001581 - BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection (bleeding-custom.rules)
 2001582 - BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection (bleeding-custom.rules)
 2001583 - BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection (bleeding-custom.rules)
 2001816 - BLEEDING-EDGE ATTACK-RESPONSE .com DNS cache poison attempt (bleeding-attack_response.rules)
 2001817 - BLEEDING-EDGE ATTACK-RESPONSE .net DNS cache poison attempt (bleeding-attack_response.rules)
 2001818 - BLEEDING-EDGE ATTACK-RESPONSE .org DNS cache poison attempt (bleeding-attack_response.rules)
 2001819 - BLEEDING-EDGE ATTACK-RESPONSE .biz DNS cache poison attempt (bleeding-attack_response.rules)
 2001820 - BLEEDING-EDGE ATTACK-RESPONSE .edu DNS cache poison attempt (bleeding-attack_response.rules)
 2001821 - BLEEDING-EDGE ATTACK-RESPONSE .gov DNS cache poison attempt (bleeding-attack_response.rules)
 2001822 - BLEEDING-EDGE ATTACK-RESPONSE .int DNS cache poison attempt (bleeding-attack_response.rules)
 2001823 - BLEEDING-EDGE ATTACK-RESPONSE .mil DNS cache poison attempt (bleeding-attack_response.rules)
 2001824 - BLEEDING-EDGE ATTACK-RESPONSE .info DNS cache poison attempt (bleeding-attack_response.rules)
 2001825 - BLEEDING-EDGE ATTACK-RESPONSE .name DNS cache poison attempt (bleeding-attack_response.rules)
 2001826 - BLEEDING-EDGE ATTACK-RESPONSE .pro DNS cache poison attempt (bleeding-attack_response.rules)
 2001827 - BLEEDING-EDGE ATTACK-RESPONSE .us DNS cache poison attempt (bleeding-attack_response.rules)
 2001828 - BLEEDING-EDGE ATTACK-RESPONSE .ws DNS cache poison attempt (bleeding-attack_response.rules)
 2001829 - BLEEDING-EDGE ATTACK-RESPONSE .museum DNS cache poison attempt (bleeding-attack_response.rules)
 2001830 - BLEEDING-EDGE ATTACK-RESPONSE .tv DNS cache poison attempt (bleeding-attack_response.rules)
 2001831 - BLEEDING-EDGE ATTACK-RESPONSE .uk DNS cache poison attempt (bleeding-attack_response.rules)
 2001832 - BLEEDING-EDGE ATTACK-RESPONSE .de DNS cache poison attempt (bleeding-attack_response.rules)
 2001833 - BLEEDING-EDGE ATTACK-RESPONSE .jp DNS cache poison attempt (bleeding-attack_response.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-scan.rules (1):
        # These are intended to catch new worms and such scanning internally. Careful of falses.

     -> Added to bleeding-sid-msg.map (2):
        2001837 || BLEEDING-EDGE Suspicious DNS server answer\: 218.38.13.108
        2001841 || BLEEDING-EDGE P2P UDP traffic -- Lilkely Limewire

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-attack_response.rules (19):
        # Added 04-02-2005 by Frank Knobbe
        # Following rules were originally created by the fine folks at the SANS
        # Internet Storm Center.
        # Credit goes to: Cody Hatch, Kyle Haugsness, Stephane Nasdrovisky,
        # Tony Carothers
        # These rules attempt to alert on DNS response packets for responsible top
        # level domain servers containing invalid servers. For example, the .com domain
        # is served by a.gtld-servers.net through m.gtld-servers.net. Any DNS response
        # packet claiming that a different name server is responsible for the .com
        # domain is an attempt to poison the querying DNS servers cache.
        # The challenge is to find a single, all encompassing domain. Efforts are under
        # way to write such a rule. These rules below act more as a white list of
        # valid responses and will alert on servers not specifically white-listed.
        ####
        #### THESE RULES ARE CURRENTLY EXPERIMENTAL!  ENABLE AT YOUR OWN RISK!
        ####
        #### Warning: Side effects may include headaches, dry mouth, bloated logs,
        ####          raised blood pressure and abnormal desire for medication.
        ####

     -> Removed from bleeding-custom.rules (3):
        #Collective ideas: These are mostly off by default. You need to decide
        # if and where to run these on your networks. They will cause significant
        # False positives if you just turn them on everywhere. You're been warned.

     -> Removed from bleeding-sid-msg.map (19):
        2001816 || BLEEDING-EDGE ATTACK-RESPONSE .com DNS cache poison attempt
        2001817 || BLEEDING-EDGE ATTACK-RESPONSE .net DNS cache poison attempt
        2001818 || BLEEDING-EDGE ATTACK-RESPONSE .org DNS cache poison attempt
        2001819 || BLEEDING-EDGE ATTACK-RESPONSE .biz DNS cache poison attempt
        2001820 || BLEEDING-EDGE ATTACK-RESPONSE .edu DNS cache poison attempt
        2001821 || BLEEDING-EDGE ATTACK-RESPONSE .gov DNS cache poison attempt
        2001822 || BLEEDING-EDGE ATTACK-RESPONSE .int DNS cache poison attempt
        2001823 || BLEEDING-EDGE ATTACK-RESPONSE .mil DNS cache poison attempt
        2001824 || BLEEDING-EDGE ATTACK-RESPONSE .info DNS cache poison attempt
        2001825 || BLEEDING-EDGE ATTACK-RESPONSE .name DNS cache poison attempt
        2001826 || BLEEDING-EDGE ATTACK-RESPONSE .pro DNS cache poison attempt
        2001827 || BLEEDING-EDGE ATTACK-RESPONSE .us DNS cache poison attempt
        2001828 || BLEEDING-EDGE ATTACK-RESPONSE .ws DNS cache poison attempt
        2001829 || BLEEDING-EDGE ATTACK-RESPONSE .museum DNS cache poison attempt
        2001830 || BLEEDING-EDGE ATTACK-RESPONSE .tv DNS cache poison attempt
        2001831 || BLEEDING-EDGE ATTACK-RESPONSE .uk DNS cache poison attempt
        2001832 || BLEEDING-EDGE ATTACK-RESPONSE .de DNS cache poison attempt
        2001833 || BLEEDING-EDGE ATTACK-RESPONSE .jp DNS cache poison attempt
        2001837 || BLEEDING-EDGE Suspicious DNS aerver answer\: 218.38.13.108