[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727... bleeding at ...2727...
Wed Feb 2 17:02:29 EST 2005


[***] Results from Oinkmaster started Wed Feb  2 20:00:03 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-policy.rules (3):
        alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] $HTTP_PORTS (msg:"BLEEDING-EDGE MyWebEx Installation"; flow:to_server,established; content:"/pc/r.php?AT=RS"; nocase; threshold: type limit, track by_src, count 1, seconds 30; classtype:policy-violation; reference:url,www.mywebexpc.com/how.php; sid:2001713; rev:1;)
        alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] 443 (msg:"BLEEDING-EDGE MyWebEx Server Traffic"; flow:to_server,established; dsize:<50; content:"|17|"; offset:0; depth:1; threshold: type limit,track by_src, count 1, seconds 360; classtype:policy-violation; reference:url,www.mywebexpc.com/how.php; sid:2001712; rev:1;)
        alert tcp [208.8.81.0/24,64.68.96.0/19] 443 -> $HOME_NET any (msg:"BLEEDING-EDGE MyWebEx Incoming Connection"; flow:to_client,established; content:"|16 03|"; offset:0; depth:2; content:"Comodo"; nocase; depth:240; content:"accessanywhere.com"; nocase; offset:592; depth:48; classtype:policy-violation; reference:url,www.mywebexpc.com/how.php; sid:2001714; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (9):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware PeopleOnPage Ping"; content:"POST /s/l/firstping"; offset:0; depth:19; nocase; content:"Host\: srv.peopleonpage.com"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype:policy-violation; flow:to_server,established; sid:2001446; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware PeopleOnPage Ping"; content:"POST "; offset:0; depth:5; nocase; content:"/s/l/firstping"; within:100; nocase; content:"Host\: srv.peopleonpage.com"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype:policy-violation; flow:to_server,established; sid:2001446; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware TopMoxie Reporting Data to External Host"; classtype:trojan-activity; reference:url,www.topmoxie.com; content:"POST /downloads/record_download.asp"; nocase; flow:to_server,established; sid:2000588; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware TopMoxie Reporting Data to External Host"; classtype:trojan-activity; reference:url,www.topmoxie.com; content:"POST "; nocase; content:"/downloads/record_download.asp"; nocase; flow:to_server,established; sid:2000588; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Abox Install Report"; content:"GET /new_install?id="; offset:25; depth:25; nocase; content:"&time="; nocase; content:"Host\: 209.58.80.244"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001441; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Abox Install Report"; content:"GET "; nocase; offset:0; depth:4; content:"/new_install?id="; within:100; nocase; content:"&time="; nocase; content:"Host\: 209.58.80.244"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001441; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware PeopleOnPage Install"; content:"GET /install/pop"; offset:0; depth:16; nocase; content:"Host\: www.peopleonpage.com"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype:policy-violation; flow:to_server,established; sid:2001445; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware PeopleOnPage Install"; content:"GET "; offset:0; depth:4; nocase; content:"/install/pop"; within:100; nocase; content:"Host\: www.peopleonpage.com"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype:policy-violation; flow:to_server,established; sid:2001445; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Statblaster.MemoryWatcher Download"; content:"GET /memorywatcher.exe"; offset:0; depth:22; nocase; content:"Host\: www.memorywatcher.com"; nocase; classtype:trojan-activity; reference:url,www.memorywatcher.com/eula.aspx; flow:to_server,established; sid:2001442; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Statblaster.MemoryWatcher Download"; content:"GET "; offset:0; depth:4; nocase; content:"/memorywatcher.exe"; within:100; nocase; content:"Host\: www.memorywatcher.com"; nocase; classtype:trojan-activity; reference:url,www.memorywatcher.com/eula.aspx; flow:to_server,established; sid:2001442; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Virtumonde Spyware Information Post"; content:"POST /"; nocase; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; flow:to_server,established; classtype:trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000308; rev:6;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Virtumonde Spyware Information Post"; content:"POST "; nocase; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; flow:to_server,established; classtype:trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000308; rev:7;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Gator/Claria Data Submission"; content:"POST /gs_trickler" ;depth:32; nocase; classtype:policy-violation; flow:to_server,established; sid:2000596; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Gator/Claria Data Submission"; content:"POST "; offset:0; depth:5; nocase; content:"/gs_trickler"; within:100; nocase; classtype:policy-violation; flow:to_server,established; sid:2000596; rev:5;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MediaTickets Download"; content:"GET /MediaTicketsInstaller.cab"; offset:0; depth:30; nocase; content:"Host\: www.mt-download.com"; classtype:trojan-activity; flow:to_server,established; sid:2001448; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MediaTickets Download"; content:"GET "; offset:0; depth:4; nocase; content:"/MediaTicketsInstaller.cab"; within:100; nocase; content:"Host\: www.mt-download.com"; classtype:trojan-activity; flow:to_server,established; sid:2001448; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; content:"GET /WildApp.cab"; offset:0; depth:16; nocase; content:"Host\: download.overpro.com"; nocase; reference:url,www.wildarcade.com; flow:to_server,established; classtype:trojan-activity; sid:2001444; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; content:"GET "; nocase; offset:0; depth:4; content:"/WildApp.cab"; within:100; nocase; content:"Host\: download.overpro.com"; nocase; reference:url,www.wildarcade.com; flow:to_server,established; classtype:trojan-activity; sid:2001444; rev:4;)

     -> Modified active in bleeding-policy.rules (4):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Compose Message Submit"; content:"POST /cgi-bin/premail"; nocase; content:"hotmail.msn.com"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000038; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Compose Message Submit"; uricontent:"POST "; nocase; uricontent:"/cgi-bin/premail"; nocase; content:"hotmail.msn.com"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000038; rev:6;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Message Access"; uricontent:"GET /cgi-bin/getmsg?msg=MSG"; nocase; content:"hotmail.msn.com"; flow:to_server,established; classtype: policy-violation; sid:2000036; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Message Access"; uricontent:"GET "; nocase; uricontent:"/cgi-bin/getmsg?msg=MSG"; nocase; content:"hotmail.msn.com"; flow:to_server,established; classtype: policy-violation; sid:2000036; rev:6;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Inbox Access"; uricontent:"GET /cgi-bin/HoTMaiL?curmbox="; nocase; content:"hotmail.msn.com"; flow:to_server,established; classtype: policy-violation; sid:2000035; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Inbox Access"; uricontent:"GET "; nocase; uricontent:"/cgi-bin/HoTMaiL?curmbox="; nocase; content:"hotmail.msn.com"; flow:to_server,established; classtype: policy-violation; sid:2000035; rev:6;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Compose Message Access"; uricontent:"GET /cgi-bin/compose?"; nocase; content:"curmbox="; nocase; content:"hotmail.msn.com"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000037; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Compose Message Access"; uricontent:"GET "; nocase; uricontent:"/cgi-bin/compose?"; nocase; content:"curmbox="; nocase; content:"hotmail.msn.com"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000037; rev:6;)

     -> Modified active in bleeding-virus.rules (8):
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants searching for targets"; content:"GET /search|3f|"; nocase; content: "q=inurl|3a|"; nocase; content:".php|3f|"; nocase; within:10; pcre:"/&start=\d+/i"; classtype: trojan-activity; flow:to_server,established; sid:2001618; rev:2;)
        new: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants searching for targets"; content:"GET "; nocase; content:"/search|3f|"; nocase; content: "q=inurl|3a|"; nocase; content:".php|3f|"; nocase; within:10; pcre:"/&start=\d+/i"; classtype: trojan-activity; flow:to_server,established; sid:2001618; rev:3;)
        old: alert TCP $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bagle.BJ [alias .AY, .BC] - download attempt"; content:"GET /error.jpg"; nocase; reference:url,secunia.com/virus_information/14877/; classtype:trojan-activity; flow:established; sid: 2001695; rev:1;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bagle.BJ [alias .AY, .BC] - download attempt"; content:"GET "; nocase; content:"/error.jpg"; nocase; reference:url,secunia.com/virus_information/14877/; threshold:type limit, track by_src, count 5, seconds 660; classtype:trojan-activity; flow:established; sid: 2001695; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32/Bagle.z at ...871... Requesting 5.php"; content:"GET /5.php"; reference:mcafee,122415; classtype:trojan-activity; flow:to_server,established; sid:2001556; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32/Bagle.z at ...871... Requesting 5.php"; content:"GET "; nocase; content:"/5.php"; nocase; reference:mcafee,122415; classtype:trojan-activity; flow:to_server,established; sid:2001556; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE W32/Bagle.dldr Trojan - download attempt"; content:"GET /zoo.jpg"; nocase; reference:url,secunia.com/virus_information/13085/; classtype:misc-activity; flow:established; sid: 2001638; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE W32/Bagle.dldr Trojan - download attempt"; content:"GET "; nocase; content:"/zoo.jpg"; nocase; reference:url,secunia.com/virus_information/13085/; classtype:misc-activity; flow:established; sid: 2001638; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; reference:url,isc.sans.org/diary.php?date=2004-08-09; content:"GET /2.jpg"; flow:established; classtype:trojan-activity; sid:2001061; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; reference:url,isc.sans.org/diary.php?date=2004-08-09; content:"GET "; nocase; content:"/2.jpg"; nocase; flow:established; classtype:trojan-activity; sid:2001061; rev:7;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants serarching for targets (yahoo)"; content:"GET /search|3f|"; nocase; content: "p=inurl|3a|"; nocase; content:".php|3f2a|="; nocase; within:10; pcre:"/\d+/iR"; content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; nocase; pcre:"/\d+/iR"; flow:to_server,established; classtype: trojan-activity; sid:2001619; rev:2;)
        new: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants serarching for targets (yahoo)"; content:"GET "; nocase; content:"/search|3f|"; nocase; content: "p=inurl|3a|"; nocase; content:".php|3f2a|="; nocase; within:10; pcre:"/\d+/iR"; content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; nocase; pcre:"/\d+/iR"; flow:to_server,established; classtype: trojan-activity; sid:2001619; rev:3;)
        old: alert tcp any !$HTTP_PORTS -> any 1639 (msg:"BLEEDING-EDGE WORM Bofra Victim Accessing Reactor Page"; classtype:trojan-activity; content:"GET /"; nocase; content:"reactor"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e at ...1512...; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; flow:from_client,established; sid:2001430; rev:4;)
        new: alert tcp any !$HTTP_PORTS -> any 1639 (msg:"BLEEDING-EDGE WORM Bofra Victim Accessing Reactor Page"; classtype:trojan-activity; content:"GET "; nocase; content:"reactor"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e at ...1512...; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; flow:from_client,established; sid:2001430; rev:5;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants searching for targets"; content:"GET /search|3f|q=inurl|3a2a|.php|3f2a|="; nocase; pcre:"/\d+&start=\d+/iR"; classtype: trojan-activity; flow:to_server,established; sid:2001617; rev:2;)
        new: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants searching for targets"; content:"GET "; nocase; content:"/search|3f|q=inurl|3a2a|.php|3f2a|="; nocase; pcre:"/\d+&start=\d+/iR"; classtype: trojan-activity; flow:to_server,established; sid:2001617; rev:3;)

     -> Modified active in bleeding-web.rules (1):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit Suspected PHP Injection Attack"; content: "GET /"; nocase; content: ".php|3f|"; nocase; within: 64; pcre: "/(name=http|cmd=.*(cd|perl|wget|id|uname|t?ftp))/i"; flow:to_server,established; classtype: trojan-activity; sid:2001621; rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit Suspected PHP Injection Attack"; content: "GET "; nocase; content: ".php|3f|"; nocase; within: 64; pcre: "/(name=http|cmd=.*(cd|perl|wget|id|uname|t?ftp))/i"; flow:to_server,established; classtype: trojan-activity; sid:2001621; rev:3;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-policy.rules (1):
        # Submitted by Jason Alvarado

     -> Added to bleeding-sid-msg.map (3):
        2001712 || BLEEDING-EDGE MyWebEx Server Traffic || url,www.mywebexpc.com/how.php
        2001713 || BLEEDING-EDGE MyWebEx Installation || url,www.mywebexpc.com/how.php
        2001714 || BLEEDING-EDGE MyWebEx Incoming Connection || url,www.mywebexpc.com/how.php

[*] Added files: [*]
    None.




