[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Wed Apr 20 18:02:47 EDT 2005


[***] Results from Oinkmaster started Wed Apr 20 20:00:05 2005 [***]

[+++]          Added rules:          [+++]

 2001247 - BLEEDING-EDGE WORM General MSN Worm URL Attempt (bleeding-virus.rules)
 2001846 - BLEEDING-EDGE DOS [ISC] ICMP blind TCP reset DoS guessing attempt (bleeding-dos.rules)
 2001873 - BLEEDING-EDGE EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021) (bleeding-exploit.rules)
 2001874 - BLEEDING-EDGE EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021) (bleeding-exploit.rules)
 2001875 - BLEEDING-EDGE EXPLOIT MS Exchange chunks accepted (bleeding-exploit.rules)
 2001876 - BLEEDING-EDGE EXPLOIT MS Exchange disliked link state chunk, but didn't die (MS05-021) (bleeding-exploit.rules)
 2001878 - BLEEDING-EDGE WORM General MSN Worm URL Outbound (bleeding-virus.rules)
 2001879 - BLEEDING-EDGE VIRUS Sober-style Ehlo - noalert (bleeding-virus.rules)
 2001880 - BLEEDING-EDGE VIRUS Sober-style Ehlo followed by SMTP AUTH - noalert (bleeding-virus.rules)
 2001881 - BLEEDING-EDGE VIRUS Possible Sober virus attachment Outbound (bleeding-virus.rules)
 2001882 - BLEEDING-EDGE DOS ICMP Path MTU lowered below acceptable threshold (bleeding-dos.rules)


[///]     Modified active rules:     [///]

 2000330 - BLEEDING-EDGE P2P ed2k connection to server (bleeding-p2p.rules)
 2000331 - BLEEDING-EDGE P2P ed2k file search (bleeding-p2p.rules)
 2000332 - BLEEDING-EDGE P2P ed2k request part (bleeding-p2p.rules)
 2000335 - BLEEDING-EDGE P2P Overnet Server Announce (bleeding-p2p.rules)
 2000496 - BLEEDING-EDGE DOS Microsoft SMS dos attempt (bleeding-dos.rules)
 2001337 - BLEEDING-EDGE Korgo.P offering executable (bleeding-virus.rules)
 2001362 - BLEEDING-EDGE DOS MS04-030 Attempted DoS (bleeding-dos.rules)
 2001461 - BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (bleeding-malware.rules)
 2001622 - BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack, phase 1 (bleeding-exploit.rules)
 2001640 - BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Traffic (bleeding-malware.rules)
 2001761 - BLEEDING-EDGE MALWARE ABX Toolbar ActiveX Install (bleeding-malware.rules)
 2001836 - BLEEDING-EDGE Web page trying to infect PCs with malware - ISC Diary (bleeding.rules)
 2001850 - BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer Requested (bleeding-malware.rules)
 2001851 - BLEEDING-EDGE MALWARE Thinking Media Spyware User Agent (bleeding-malware.rules)
 2001852 - BLEEDING-EDGE MALWARE 404Search Spyware User Agent (bleeding-malware.rules)
 2001853 - BLEEDING-EDGE MALWARE Easy Search Bar Spyware User Agent (bleeding-malware.rules)
 2001854 - BLEEDING-EDGE MALWARE EZULA Spyware User Agent (bleeding-malware.rules)
 2001855 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (bleeding-malware.rules)
 2001856 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (bleeding-malware.rules)
 2001857 - BLEEDING-EDGE MALWARE Enhance My Search Spyware User Agent (bleeding-malware.rules)
 2001858 - BLEEDING-EDGE MALWARE Hotbar Spyware User Agent (bleeding-malware.rules)
 2001859 - BLEEDING-EDGE MALWARE Cool Web Search Spyware User Agent (bleeding-malware.rules)
 2001860 - BLEEDING-EDGE MALWARE Kontiki Spyware User Agent (bleeding-malware.rules)
 2001861 - BLEEDING-EDGE MALWARE Micro-Gaming Spyware User Agent (bleeding-malware.rules)
 2001862 - BLEEDING-EDGE MALWARE Surf Assistant Spyware User Agent (bleeding-malware.rules)
 2001863 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (bleeding-malware.rules)
 2001864 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (bleeding-malware.rules)
 2001865 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (bleeding-malware.rules)
 2001866 - BLEEDING-EDGE MALWARE Smartpops/Mediaload Spyware User Agent (bleeding-malware.rules)
 2001867 - BLEEDING-EDGE MALWARE Search Engine 2000 Spyware User Agent (bleeding-malware.rules)
 2001868 - BLEEDING-EDGE MALWARE SureSeeker Spyware User Agent (bleeding-malware.rules)
 2001869 - BLEEDING-EDGE MALWARE Sidesearch Spyware User Agent (bleeding-malware.rules)
 2001870 - BLEEDING-EDGE MALWARE Surfplayer Spyware User Agent (bleeding-malware.rules)
 2001871 - BLEEDING-EDGE MALWARE Target Saver Spyware User Agent (bleeding-malware.rules)
 2001872 - BLEEDING-EDGE MALWARE Visicom Spyware User Agent (bleeding-malware.rules)


[///]    Modified inactive rules:    [///]

 2001011 - BLEEDING-EDGE Worm Zincite Probing port 1034 (bleeding-virus.rules)


[---]         Disabled rules:        [---]

 2001723 - BLEEDING-EDGE EXPLOIT ATmaCA PoC for CORE-2004-0819 -- bad PNG (bleeding-exploit.rules)


[---]         Removed rules:         [---]

 2001333 - BLEEDING-EDGE P2P CHAT Skype VoIP Initialization (bleeding-p2p.rules)
 2001846 - BLEEDING-EDGE EXPLOIT [ISC] ICMP blind TCP reset DoS guessing attempt (bleeding-exploit.rules)
 2001847 - BLEEDING-EDGE WORM pictures.php MSN Worm URL Attempt (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-dos.rules (13):
        #From Erik Fichtner
        # NOTE:  If you can, put in a check on offset 20 through 23, as these
        # are the source IP of the packet that is supposedly generating
        # the traffic that caused the icmp unreach (EG: YOU.)   example, if you
        # have 192.168.0.0/24, you could put:
        # byte_test: 1,=,192,20; byte_test:1,=,168,21; byte_test:1,=,0,22;
        # or (even faster) content:"|C0A800|"; offset: 20; depth:23;
        # You get the idea. This may well be unnecessary overkill.  YMMV.
        # From Erik Fichtner:
        # alert on pmtu frames with next-hop mtu not 0 (old RFC shortcut) and
        # below a sane value, eg 576 bytes.  Adjust to taste.
        # true RFC791 min = 68, true end-to-end pmtu compatble min = 132.
        # real world might even go as high as 1100 bytes min.  YMMV.
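The two checks sketched in the comments above (restricting ICMP unreachables to ones whose embedded IP header quotes a source in your own network, and flagging a next-hop MTU that is nonzero but below a sane floor), as an added Python example that is not part of the rule set or its author's text. The 192.168.0.0/24 network and the 576-byte floor are the comment's own values; the packet builder, the function names and the sample packets are constructed for this example, with offsets counted from the ICMP type byte as the comment counts them.

```python
import ipaddress
import struct

OUR_NET = ipaddress.ip_network("192.168.0.0/24")  # the comment's example network
MIN_SANE_MTU = 576                                # the comment's suggested floor

def build_icmp_unreach(code, next_hop_mtu, inner_src, inner_dst):
    """Constructed test data: an ICMP type 3 message carrying an embedded
    IPv4 header plus 8 bytes of the original transport header."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                           ipaddress.ip_address(inner_src).packed,
                           ipaddress.ip_address(inner_dst).packed)
    # bytes 4-5 unused, bytes 6-7 next-hop MTU (RFC 1191 layout)
    icmp_hdr = struct.pack("!BBHHH", 3, code, 0, 0, next_hop_mtu)
    return icmp_hdr + inner_ip + b"\x00" * 8

def content_match(pkt):
    """Equivalent of the comment's content:"|C0A800|"; offset:20 idea:
    the first three bytes of the embedded source address are 192.168.0."""
    return pkt[20:23] == bytes.fromhex("C0A800")

def check_icmp_unreach(pkt):
    """Return the alert reasons for one ICMP unreachable message, or []
    when it does not quote a host of ours (the filter the comment asks for)."""
    if len(pkt) < 28 or pkt[0] != 3:
        return []
    # 8-byte ICMP header + 12-byte offset of the source field inside the
    # embedded IPv4 header = offsets 20..23 of the ICMP message
    inner_src = ipaddress.ip_address(pkt[20:24])
    if inner_src not in OUR_NET:
        return []
    reasons = [f"icmp unreach quotes our host {inner_src}"]
    if pkt[1] == 4:  # fragmentation needed: PMTU discovery message
        mtu = struct.unpack("!H", pkt[6:8])[0]
        # mtu == 0 is the old-RFC shortcut the comment excludes
        if mtu != 0 and mtu < MIN_SANE_MTU:
            reasons.append(f"next-hop MTU {mtu} below {MIN_SANE_MTU}")
    return reasons

if __name__ == "__main__":
    for pkt in (build_icmp_unreach(4, 300, "192.168.0.5", "10.1.1.1"),
                build_icmp_unreach(4, 300, "10.0.0.5", "10.1.1.1"),
                build_icmp_unreach(4, 0, "192.168.0.5", "10.1.1.1")):
        print(content_match(pkt), check_icmp_unreach(pkt))
```

In Snort, depth counts bytes searched from the offset, so `offset:20; depth:3` pins the content match to exactly the three bytes this function compares.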

     -> Added to bleeding-exploit.rules (3):
        # since this could be variable length chunks, we can't tell if we had
        # enough data to blow the server up or not, so we have to read the
        # chicken bones to see if it looks like exchange sh!t the bed or not.

     -> Added to bleeding-sid-msg.map (11):
        2001247 || BLEEDING-EDGE WORM General MSN Worm URL Attempt || url,isc.sans.org/diary.php?date=2005-04-13
        2001846 || BLEEDING-EDGE DOS [ISC] ICMP blind TCP reset DoS guessing attempt || cve,can-2004-0790
        2001873 || BLEEDING-EDGE EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)
        2001874 || BLEEDING-EDGE EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)
        2001875 || BLEEDING-EDGE EXPLOIT MS Exchange chunks accepted
        2001876 || BLEEDING-EDGE EXPLOIT MS Exchange disliked link state chunk, but didn't die (MS05-021)
        2001878 || BLEEDING-EDGE WORM General MSN Worm URL Outbound || url,isc.sans.org/diary.php?date=2005-04-13
        2001879 || BLEEDING-EDGE VIRUS Sober-style Ehlo - noalert
        2001880 || BLEEDING-EDGE VIRUS Sober-style Ehlo followed by SMTP AUTH - noalert
        2001881 || BLEEDING-EDGE VIRUS Possible Sober virus attachment Outbound
        2001882 || BLEEDING-EDGE DOS ICMP Path MTU lowered below acceptable threshold || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || cve,CAN-2004-1060

     -> Added to bleeding-virus.rules (1):
        #Joe Stewart

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-exploit.rules (7):
        # NOTE:  If you can, put in a check on offset 20 through 23, as these
        # are the source IP of the packet that is supposedly generating
        # the traffic that caused the icmp unreach (EG: YOU.)   example, if you
        # have 192.168.0.0/24, you could put:
        # byte_test: 1,=,192,20; byte_test:1,=,168,21; byte_test:1,=,0,22;
        # or (even faster) content:"|C0A800|"; offset: 20; depth:23;
        # You get the idea. This may well be unnecessary overkill.  YMMV.

     -> Removed from bleeding-p2p.rules (1):
        #Submitted by Jason Haar

     -> Removed from bleeding-sid-msg.map (3):
        2001333 || BLEEDING-EDGE P2P CHAT Skype VoIP Initialization
        2001846 || BLEEDING-EDGE EXPLOIT [ISC] ICMP blind TCP reset DoS guessing attempt || cve,can-2004-0790
        2001847 || BLEEDING-EDGE WORM pictures.php MSN Worm URL Attempt || url,isc.sans.org/diary.php?date=2005-04-13
