Why the large updates: [Snort-sigs] Bleedingsnort.com Daily Update

Matt Jonkman mjonkman at ...2436...
Wed Feb 2 09:24:37 EST 2005


In case you're wondering about the huge updates of late:  Frank Knobbe 
and Mark Warren have been putting a lot of work into cleaning up the 
signature base. They're adding things like Flow, classtype, etc to all 
sigs.  So the updates have been large and will be for a while.

We are adding new sigs; I put up a bunch of new spyware sigs yesterday 
as well. But the bulk of the updates are maintenance.

Matt

bleeding at ...2727... wrote:
> [***] Results from Oinkmaster started Tue Feb  1 20:00:02 2005 [***]
> 
> [+++]          Added rules:          [+++]
> 
>      -> Added to bleeding-malware.rules (16):
>         alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Search Relevancy Spyware"; uricontent:"/SearchRelevancy/SearchRelevancy.dll"; nocase; flow:established,to_server; sid:2001696; rev:2;)
>         alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Flingstone Spyware Install"; uricontent:"/softwares/cxtpls_loader_ff.exe"; nocase; flow:established,to_server; sid:2001710; rev:2;)
>         alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Windupdates.com Spyware Install"; uricontent:"/cab/CDTInc/ie/"; nocase; uricontent:".cab"; nocase; flow:established,to_server; sid:2001700; rev:3;)
>         alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download"; uricontent:"/agentprefs.sah"; nocase; flow:established,to_server; sid:2001709; rev:2;)
>   
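As an added example (not code from the list or from Bleedingsnort), a small Python linter for the kind of cleanup Matt describes: it splits a rule's option list, reports sigs that still lack flow or classtype, and flags a quoted value that lost its ';' terminator, as in the agentprefs.sah rule quoted above. The sample rules are constructed copies of the quoted ones plus one hypothetical rule with sid 2009999.

```python
import re

# Constructed sample: two of the quoted bleeding-malware rules as posted (the
# second keeps the missing ';' before "nocase") plus one hypothetical rule
# (sid 2009999) that already carries the classtype option the cleanup adds.
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Search Relevancy Spyware"; uricontent:"/SearchRelevancy/SearchRelevancy.dll"; nocase; flow:established,to_server; sid:2001696; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download"; uricontent:"/agentprefs.sah" nocase; flow:established,to_server; sid:2001709; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE Spyware Checkin"; uricontent:"/example/checkin"; nocase; flow:established,to_server; classtype:trojan-activity; sid:2009999; rev:1;)
'''

REQUIRED = ("flow", "classtype")  # options the cleanup is adding to every sig

def split_options(body):
    """Split a rule body on ';' while ignoring ';' inside double-quoted values."""
    opts, buf, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():  # text after the last ';' means a terminator is missing
        opts.append(buf.strip())
    return opts

def parse_rule(line):
    """Return (header, [(name, value), ...]) for one Snort rule line, or None."""
    m = re.match(r"^(\S+\s+.+?)\s*\((.*)\)\s*$", line.strip())
    if not m:
        return None
    header, body = m.groups()
    pairs = []
    for opt in split_options(body):
        name, _, value = opt.partition(":")
        pairs.append((name.strip(), value.strip() or None))
    return header, pairs

def lint_rules(text):
    """Map each rule's sid to its problems: missing options and malformed values."""
    report = {}
    for line in text.strip().splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        _, pairs = parsed
        names = {n for n, _ in pairs}
        sid = dict(pairs).get("sid", "?")
        problems = [f"missing {r}" for r in REQUIRED if r not in names]
        for name, value in pairs:
            # A quoted value with trailing text ('"x" nocase') means a ';' was dropped.
            if value and value.startswith('"') and not value.endswith('"'):
                problems.append(f"malformed {name} value: {value}")
        report[sid] = problems
    return report
```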