[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Tue Apr 12 18:03:48 EDT 2005


[***] Results from Oinkmaster started Tue Apr 12 20:00:07 2005 [***]

[+++]          Added rules:          [+++]

 2001846 - BLEEDING-EDGE Exploit [ISC] ICMP blind TCP reset DoS guessing attempt (bleeding-exploit.rules)


[///]     Modified active rules:     [///]

 2001748 - BLEEDING-EDGE Malware Pynix.dll BHO Activity (bleeding-malware.rules)
 2001761 - BLEEDING-EDGE Malware ABX Toolbar ActiveX Install (bleeding-malware.rules)
 2001783 - BLEEDING-EDGE Malware Media Pass ActiveX Install (bleeding-malware.rules)
 2001793 - BLEEDING-EDGE Malware Incredisearch.com Spyware Ping (bleeding-malware.rules)
 2001794 - BLEEDING-EDGE Malware Incredisearch.com Spyware Activity (bleeding-malware.rules)


[---]         Removed rules:         [---]

 2000374 - BLEEDING-EDGE MS-SQL SQL Injection trying to guess the column name (bleeding-custom.rules)
 2000375 - BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR (bleeding-custom.rules)
 2000376 - BLEEDING-EDGE MS-SQL SQL Injection running SQL statements NO line comment (bleeding-custom.rules)
 2000490 - BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 2 (bleeding-custom.rules)
 2000491 - BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 3 (bleeding-custom.rules)
 2000492 - BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 4 (bleeding-custom.rules)
 2000493 - BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 5 (bleeding-custom.rules)
 2000535 - BLEEDING-EDGE SCAN NMAP -sT or TCP incoming connection (bleeding-custom.rules)
 2000539 - BLEEDING-EDGE SCAN NMAP -sA (bleeding-custom.rules)
 2000541 - BLEEDING-EDGE SCAN NMAP -sA (bleeding-custom.rules)
 2000542 - BLEEDING-EDGE SCAN NMAP -sU (bleeding-custom.rules)
 2001098 - BLEEDING-EDGE Attempt to execute Javascript code (bleeding-custom.rules)
 2001100 - BLEEDING-EDGE Attempt to access SHELL\: (bleeding-custom.rules)
 2001104 - BLEEDING-EDGE Stealth attempt to access FILE\: (bleeding-custom.rules)
 2001175 - BLEEDING-EDGE Internet Explorer Bitmap Integer Overflow (bleeding-custom.rules)
 2001180 - BLEEDING-EDGE Internet Explorer Object Type Property Overflow (bleeding-custom.rules)
 2001616 - BLEEDING-EDGE Attack Response Zone-H.org defacement notification (bleeding-attack_response.rules)
 2001782 - BLEEDING-EDGE MALWARE DUST Spyworm Install (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-exploit.rules (7):
        # NOTE:  If you can, put in a check on offset 20 through 23, as these
        # are the source IP of the packet that is supposedly generating
        # the traffic that caused the icmp unreach (EG: YOU.)   example, if you
        # have 192.168.0.0/24, you could put:
        # byte_test: 1,=,192,20; byte_test:1,=,168,21; byte_test:1,=,0,22;
        # or (even faster) content:"|C0A800|"; offset: 20; depth:23;
        # You get the idea. This may well be unnecessary overkill.  YMMV.

     -> Added to bleeding-sid-msg.map (6):
        2001748 || BLEEDING-EDGE Malware Pynix.dll BHO Activity || url,www.pynix.com
        2001761 || BLEEDING-EDGE Malware ABX Toolbar ActiveX Install || url,isc.sans.org/diary.php?date=2005-03-04
        2001783 || BLEEDING-EDGE Malware Media Pass ActiveX Install || url,static.windupdates.com/Release/v19/Info.txt || url,www.benedelman.org/news/010205-1.html
        2001793 || BLEEDING-EDGE Malware Incredisearch.com Spyware Ping
        2001794 || BLEEDING-EDGE Malware Incredisearch.com Spyware Activity
        2001846 || BLEEDING-EDGE Exploit [ISC] ICMP blind TCP reset DoS guessing attempt || cve,can-2004-0790

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-attack_response.rules (1):
        #By Erik Fichtner

     -> Removed from bleeding-custom.rules (4):
        #Various authors, mostly Joseph Gama
        #By Joseph Gama
        #These have value but are prone to falses
        #By Joseph Gama

     -> Removed from bleeding-malware.rules (1):
        #From Mark Tombaugh, ISC

     -> Removed from bleeding-sid-msg.map (7):
        2001616 || BLEEDING-EDGE Attack Response Zone-H.org defacement notification
        2001748 || BLEEDING-EDGE MALWARE Pynix.dll BHO Activity || url,www.pynix.com
        2001761 || BLEEDING-EDGE MALWARE ABX Toolbar ActiveX Install || url,isc.sans.org/diary.php?date=2005-03-04
        2001782 || BLEEDING-EDGE MALWARE DUST Spyworm Install || url,isc.sans.org/diary.php?date=2005-03-10
        2001783 || BLEEDING-EDGE MALWARE Media Pass ActiveX Install || url,static.windupdates.com/Release/v19/Info.txt || url,www.benedelman.org/news/010205-1.html
        2001793 || BLEEDING-EDGE MALWARE Incredisearch.com Spyware Ping
        2001794 || BLEEDING-EDGE MALWARE Incredisearch.com Spyware Activity