[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Thu Feb 3 17:02:34 EST 2005


[***] Results from Oinkmaster started Thu Feb  3 20:00:07 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (2):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; uricontent:"/cab/v3cab.cab"; reference:url,www.searchmiracle.com; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001540; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware pool.Westpop.com Spyware Install"; uricontent:"/vcgi/magh/update.cgi?magic="; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001512; rev:4;)

     -> Added to bleeding-virus.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus PHPInclude.Worm Inbound Attack"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; flow:to_server,established; classtype:trojan-activity; sid:2001614; rev:9;)

     -> Added to bleeding-web.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.system("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; classtype:web-application-attack; sid:2001457; rev:8;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (11):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware PeopleOnPage Ping"; content:"POST "; offset:0; depth:5; nocase; content:"/s/l/firstping"; within:100; nocase; content:"Host\: srv.peopleonpage.com"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype:policy-violation; flow:to_server,established; sid:2001446; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware PeopleOnPage Ping"; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; content:"Host\: srv.peopleonpage.com"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype:policy-violation; flow:to_server,established; sid:2001446; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware TopMoxie Reporting Data to External Host"; classtype:trojan-activity; reference:url,www.topmoxie.com; content:"POST "; nocase; content:"/downloads/record_download.asp"; nocase; flow:to_server,established; sid:2000588; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware TopMoxie Reporting Data to External Host"; classtype:trojan-activity; reference:url,www.topmoxie.com; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; flow:to_server,established; sid:2000588; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Abox Install Report"; content:"GET "; nocase; offset:0; depth:4; content:"/new_install?id="; within:100; nocase; content:"&time="; nocase; content:"Host\: 209.58.80.244"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001441; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Abox Install Report"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/new_install?id=/i"; content:"&time="; nocase; content:"Host\: 209.58.80.244"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001441; rev:5;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Featured-Results.com Agent Reporting Data"; classtype:trojan-activity; reference:url,www.featured-results.com; content:"POST "; nocase; content:"/perl/fr.pl"; nocase; content:"action=any"; nocase; content:"country="; nocase; flow:to_server,established; sid:2001293; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Featured-Results.com Agent Reporting Data"; classtype:trojan-activity; reference:url,www.featured-results.com; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; content:"action=any"; nocase; content:"country="; nocase; flow:to_server,established; sid:2001293; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware PeopleOnPage Install"; content:"GET "; offset:0; depth:4; nocase; content:"/install/pop"; within:100; nocase; content:"Host\: www.peopleonpage.com"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype:policy-violation; flow:to_server,established; sid:2001445; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware PeopleOnPage Install"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/install\/pop/i"; content:"Host\: www.peopleonpage.com"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype:policy-violation; flow:to_server,established; sid:2001445; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Statblaster.MemoryWatcher Download"; content:"GET "; offset:0; depth:4; nocase; content:"/memorywatcher.exe"; within:100; nocase; content:"Host\: www.memorywatcher.com"; nocase; classtype:trojan-activity; reference:url,www.memorywatcher.com/eula.aspx; flow:to_server,established; sid:2001442; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Statblaster.MemoryWatcher Download"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/memorywatcher\.exe/i"; content:"Host\: www.memorywatcher.com"; nocase; classtype:trojan-activity; reference:url,www.memorywatcher.com/eula.aspx; flow:to_server,established; sid:2001442; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Gator/Claria Data Submission"; content:"POST "; offset:0; depth:5; nocase; content:"/gs_trickler"; within:100; nocase; classtype:policy-violation; flow:to_server,established; sid:2000596; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Gator/Claria Data Submission"; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/gs_trickler/i";  classtype:policy-violation; flow:to_server,established; sid:2000596; rev:6;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Browseraid.com Agent Reporting Data"; classtype:trojan-activity; reference:url,www.browseraid.com; content:"POST "; nocase; uricontent:"/perl/ads.pl"; nocase; content:"browseraid.com"; nocase; flow:to_server,established; sid:2001266; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Browseraid.com Agent Reporting Data"; classtype:trojan-activity; reference:url,www.browseraid.com; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/ads\.pl/i";  content:"browseraid.com"; nocase; flow:to_server,established; sid:2001266; rev:6;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MediaTickets Download"; content:"GET "; offset:0; depth:4; nocase; content:"/MediaTicketsInstaller.cab"; within:100; nocase; content:"Host\: www.mt-download.com"; classtype:trojan-activity; flow:to_server,established; sid:2001448; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MediaTickets Download"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/MediaTicketsInstaller\.cab/i"; content:"Host\: www.mt-download.com"; classtype:trojan-activity; flow:to_server,established; sid:2001448; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Wintools Download/Configure"; pcre:"/GET \/WTools.\.cab/"; content:"adwave.com"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001450; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Wintools Download/Configure"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WTools.\.cab/i"; content:"adwave.com"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001450; rev:6;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; content:"GET "; nocase; offset:0; depth:4; content:"/WildApp.cab"; within:100; nocase; content:"Host\: download.overpro.com"; nocase; reference:url,www.wildarcade.com; flow:to_server,established; classtype:trojan-activity; sid:2001444; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; content:"Host\: download.overpro.com"; nocase; reference:url,www.wildarcade.com; flow:to_server,established; classtype:trojan-activity; sid:2001444; rev:5;)

     -> Modified active in bleeding-p2p.rules (1):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE P2P Ares GET"; content:"GET /ares/"; reference:url,www.aresgalaxy.org; classtype:policy-violation; flow:established; sid:2001060; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE P2P Ares GET"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/ares\//i"; reference:url,www.aresgalaxy.org; classtype:policy-violation; flow:established; sid:2001060; rev:3;)

     -> Modified active in bleeding-policy.rules (4):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Compose Message Submit"; uricontent:"POST "; nocase; uricontent:"/cgi-bin/premail"; nocase; content:"hotmail.msn.com"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000038; rev:6;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Compose Message Submit"; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/premail/i"; content:"hotmail.msn.com"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000038; rev:7;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Message Access"; uricontent:"GET "; nocase; uricontent:"/cgi-bin/getmsg?msg=MSG"; nocase; content:"hotmail.msn.com"; flow:to_server,established; classtype: policy-violation; sid:2000036; rev:6;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Message Access"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/getmsg?msg=MSG/i"; content:"hotmail.msn.com"; flow:to_server,established; classtype: policy-violation; sid:2000036; rev:7;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Inbox Access"; uricontent:"GET "; nocase; uricontent:"/cgi-bin/HoTMaiL?curmbox="; nocase; content:"hotmail.msn.com"; flow:to_server,established; classtype: policy-violation; sid:2000035; rev:6;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Inbox Access"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/HoTMaiL?curmbox=/i";  content:"hotmail.msn.com"; flow:to_server,established; classtype: policy-violation; sid:2000035; rev:7;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Compose Message Access"; uricontent:"GET "; nocase; uricontent:"/cgi-bin/compose?"; nocase; content:"curmbox="; nocase; content:"hotmail.msn.com"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000037; rev:6;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Compose Message Access"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/compose?/i"; content:"curmbox="; nocase; content:"hotmail.msn.com"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000037; rev:7;)

     -> Modified active in bleeding-virus.rules (4):
        old: alert TCP $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bagle.BJ [alias .AY, .BC] - download attempt"; content:"GET "; nocase; content:"/error.jpg"; nocase; reference:url,secunia.com/virus_information/14877/; threshold:type limit, track by_src, count 5, seconds 660; classtype:trojan-activity; flow:established; sid: 2001695; rev:3;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bagle.BJ [alias .AY, .BC] - download attempt"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/error\.jpg/i"; reference:url,secunia.com/virus_information/14877/; threshold:type limit, track by_src, count 5, seconds 600; classtype:trojan-activity; flow:established; sid: 2001695; rev:6;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32/Bagle.z at ...871... Requesting 5.php"; content:"GET "; nocase; content:"/5.php"; nocase; reference:mcafee,122415; classtype:trojan-activity; flow:to_server,established; sid:2001556; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32/Bagle.z at ...871... Requesting 5.php"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/5\.php/i"; reference:mcafee,122415; classtype:trojan-activity; flow:to_server,established; sid:2001556; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE W32/Bagle.dldr Trojan - download attempt"; content:"GET "; nocase; content:"/zoo.jpg"; nocase; reference:url,secunia.com/virus_information/13085/; classtype:misc-activity; flow:established; sid: 2001638; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE W32/Bagle.dldr Trojan - download attempt"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/zoo\.jpg/i"; reference:url,secunia.com/virus_information/13085/; classtype:misc-activity; flow:established; sid: 2001638; rev:5;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; reference:url,isc.sans.org/diary.php?date=2004-08-09; content:"GET "; nocase; content:"/2.jpg"; nocase; flow:established; classtype:trojan-activity; sid:2001061; rev:7;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; reference:url,isc.sans.org/diary.php?date=2004-08-09; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/2\.jpg/i"; flow:established; classtype:trojan-activity; sid:2001061; rev:9;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (4):
        2001457 || BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt || url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
        2001512 || BLEEDING-EDGE Malware pool.Westpop.com Spyware Install
        2001540 || BLEEDING-EDGE Malware Searchmiracle.com Spyware Install || url,www.searchmiracle.com
        2001614 || BLEEDING-EDGE Virus PHPInclude.Worm Inbound Attack || url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-malware.rules (2):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; uricontent:"/cab/v3cab.cab"; reference:url,www.searchmiracle.com; nocase; flow:to_server,established; classtype:trojan-activity; id:2001540; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware pool.Westpop.com Spyware Install"; uricontent:"/vcgi/magh/update.cgi?magic="; nocase; flow:to_server,established; classtype:trojan-activity; id:2001512; rev:3;)

     -> Removed from bleeding-virus.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus PHPInclude.Worm Inbound Attack"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; flow:to_server,established; classtype:trojan-activity; id:2001614; rev:9;)

     -> Removed from bleeding-web.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.system("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; classtype:web-application-attack; id:2001457; rev:8;)

[*] Added files: [*]
    None.