[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727... bleeding at ...2727...
Tue Feb 8 17:01:48 EST 2005


[***] Results from Oinkmaster started Tue Feb  8 20:00:03 2005 [***]

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-exploit.rules (2):
        old: alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval port 139"; content:"\:|00|5|00|0|00|0"; flow:from_server,established; classtype:misc-attack; sid:2000568; rev:4;)
        new: alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval port 139"; content:"\:|00|5|00|0|00|0\:"; flow:from_server,established; classtype:misc-attack; sid:2000568; rev:5;)
        old: alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval port 445"; content:"\:|00|5|00|0|00|0"; flow:from_server,established; classtype:misc-attack; sid:2000563; rev:5;)
        new: alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval port 445"; content:"\:|00|5|00|0|00|0\:"; flow:from_server,established; classtype:misc-attack; sid:2000563; rev:6;)
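Review bot: The tightened content in sid 2000568 (and the identical change in sid 2000563) may no longer match, because the appended `\:` follows the final `0` with no `|00|` in between. The existing bytes `\:|00|5|00|0|00|0` look like two-byte-per-character text. If the hash output on the wire really is encoded that way, as the interleaved nulls suggest, the pattern would need to be `content:"\:|00|5|00|0|00|0|00|\:";`. Both revisions should be validated against a capture before deployment, since a silent miss here hides password-hash retrieval from the sensor.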

     -> Modified active in bleeding-malware.rules (12):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Search Relevancy Spyware"; uricontent:"/SearchRelevancy/SearchRelevancy.dll"; nocase; flow:established,to_server; sid:2001696; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Search Relevancy Spyware"; uricontent:"/SearchRelevancy/SearchRelevancy.dll"; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001696; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Flingstone Spyware Install"; uricontent:"/softwares/cxtpls_loader_ff.exe"; nocase; flow:established,to_server; sid:2001710; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Flingstone Spyware Install"; uricontent:"/softwares/cxtpls_loader_ff.exe"; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001710; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Windupdates.com Spyware Install"; uricontent:"/cab/CDTInc/ie/"; nocase; uricontent:".cab"; nocase; flow:established,to_server; sid:2001700; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Windupdates.com Spyware Install"; uricontent:"/cab/CDTInc/ie/"; nocase; uricontent:".cab"; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001700; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download"; uricontent:"/agentprefs.sah" nocase; flow:established,to_server; sid:2001709; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download"; uricontent:"/agentprefs.sah" nocase; flow:established,to_server; classtype:policy-violation; sid:2001709; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Heartbeat"; uricontent:"/s.dll?MfcISAPICommand=heartbeat&param=" nocase; flow:established,to_server; sid:2001708; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Heartbeat"; uricontent:"/s.dll?MfcISAPICommand=heartbeat&param=" nocase; flow:established,to_server; classtype:policy-violation; sid:2001708; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Context Plus Spyware Install"; uricontent:"/AproposClientInstaller.exe"; nocase; flow:established,to_server; sid:2001704; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Context Plus Spyware Install"; uricontent:"/AproposClientInstaller.exe"; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001704; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Context Plus Spyware Activity"; content:"User-Agent\: AproposClient AutoLoader"; nocase; flow:established,to_server; sid:2001703; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Context Plus Spyware Activity"; content:"User-Agent\: AproposClient AutoLoader"; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001703; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Activity"; content:"User-Agent\: SAH Agent" nocase; flow:established,to_server; sid:2001707; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Activity"; content:"User-Agent\: SAH Agent" nocase; flow:established,to_server; classtype:policy-violation; sid:2001707; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Activity"; content:"User-Agent\: Bundle" nocase; flow:established,to_server; sid:2001702; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Activity"; content:"User-Agent\: Bundle" nocase; flow:established,to_server; classtype:policy-violation; sid:2001702; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Flingstone Spyware Install"; uricontent:"/softwares/SportsInteraction.exe"; nocase; flow:established,to_server; sid:2001705; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Flingstone Spyware Install"; uricontent:"/softwares/SportsInteraction.exe"; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001705; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Context Plus Spyware Activity"; uricontent:"User-Agent\: EnvoloAutoUpdater AutoLoader"; nocase; flow:established,to_server; sid:2001706; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Context Plus Spyware Activity"; uricontent:"User-Agent\: EnvoloAutoUpdater AutoLoader"; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001706; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Windupdates.com Spyware Loggin Data"; uricontent:"/logging.php?p="; nocase; content:"Host\: public.windupdates.com"; nocase; flow:established,to_server; sid:2001701; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Windupdates.com Spyware Loggin Data"; uricontent:"/logging.php?p="; nocase; content:"Host\: public.windupdates.com"; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001701; rev:3;)
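Review bot: Sid 2001706 still matches `User-Agent\: EnvoloAutoUpdater AutoLoader` with `uricontent`, which inspects only the request URI, so a header value will not be found there. The sibling rule sid 2001703 uses `content:` for the same kind of match, and this one should too: `content:"User-Agent\: EnvoloAutoUpdater AutoLoader"; nocase;`. Separately, the Shop at Home rules (sids 2001709, 2001708, 2001707, 2001702) lack the `;` between the quoted pattern and `nocase`, so the modifier is probably not parsed as its own option; the first should read `uricontent:"/agentprefs.sah"; nocase;`. Both problems predate this revision and are carried through it unchanged.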

     -> Modified active in bleeding-policy.rules (14):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Weatherbug Capture"; content:"GET"; content:"Host\:"; content:"weatherbug.com"; nocase; threshold:type limit, track by_src, count 10, seconds 3600; flow:to_server,established; sid:2001267; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Weatherbug Capture"; content:"GET"; content:"Host\:"; content:"weatherbug.com"; nocase; threshold:type limit, track by_src, count 10, seconds 3600; flow:to_server,established; classtype:misc-activity; sid:2001267; rev:5;)
        old: alert tcp any !22 -> any !22 (msg:"BLEEDING-EDGE Covert Non-Standard SSH Port Usage"; flags:AP+;content: "SSH-"; depth:8; sid:2000354; rev:1;)
        new: alert tcp any !22 -> any !22 (msg:"BLEEDING-EDGE Covert Non-Standard SSH Port Usage"; flags:AP+;content: "SSH-"; depth:8; classtype:policy-violation; sid:2000354; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy MSN IM Poll via HTTP"; uricontent:"/gateway/gateway.dll?Action=poll&SessionID="; nocase; threshold:type limit, track by_src, count 10, seconds 3600; flow:established,to_server; sid:2001682; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy MSN IM Poll via HTTP"; uricontent:"/gateway/gateway.dll?Action=poll&SessionID="; nocase; threshold:type limit, track by_src, count 10, seconds 3600; flow:established,to_server; classtype: policy-violation; sid:2001682; rev:4;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"BLEEDING-EDGE RDP connection request"; content: "|03|"; offset: 0; depth: 1; content: "|E0|"; offset:5; depth: 1; flow:to_server,established; priority:1; sid:2001329; rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"BLEEDING-EDGE RDP connection request"; content: "|03|"; offset: 0; depth: 1; content: "|E0|"; offset:5; depth: 1; flow:to_server,established; priority:1; classtype:misc-activity; sid:2001329; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE AOL Webmail Login"; uricontent:"/login/login.psp?siteId="; content:"triedAimAuth"; flow:to_server,established; sid:2000572; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE AOL Webmail Login"; uricontent:"/login/login.psp?siteId="; content:"triedAimAuth"; flow:to_server,established; classtype:policy-violation; sid:2000572; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Gmail Inbox Access"; uricontent:"/gmail?view=tl&search=inbox&start="; nocase; flow:to_server,established; sid:2001424; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Gmail Inbox Access"; uricontent:"/gmail?view=tl&search=inbox&start="; nocase; flow:to_server,established; classtype: policy-violation; sid:2001424; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Gmail Message Send"; content:"Content-Disposition\: form-data\; name=\"to\""; nocase; content:"Content-Disposition\: form-data\; name=\"msgbody\""; nocase; flow:to_server,established; sid:2001426; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Gmail Message Send"; content:"Content-Disposition\: form-data\; name=\"to\""; nocase; content:"Content-Disposition\: form-data\; name=\"msgbody\""; nocase; flow:to_server,established; classtype: policy-violation; sid:2001426; rev:3;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"BLEEDING-EDGE RDP disconnect request"; content: "|03|"; offset: 0; depth: 1; content: "|80|"; offset:5; depth: 1; flow:to_server,established; priority:1; sid:2001331; rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"BLEEDING-EDGE RDP disconnect request"; content: "|03|"; offset: 0; depth: 1; content: "|80|"; offset:5; depth: 1; flow:to_server,established; priority:1; classtype:misc-activity; sid:2001331; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Gmail File Send"; content:"Content-Disposition\: form-data\; name=\"msgbody\""; nocase; content:"name=\"form-data\; file0\"\; filename=\""; nocase; flow:to_server,established; sid:2001425; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Gmail File Send"; content:"Content-Disposition\: form-data\; name=\"msgbody\""; nocase; content:"name=\"form-data\; file0\"\; filename=\""; nocase; flow:to_server,established; classtype: policy-violation; sid:2001425; rev:4;)
        old: alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE RDP connection confirm"; content: "|03|"; offset: 0; depth: 1; content: "|D0|"; offset:5; depth: 1; flow:from_server,established;  priority:1; sid:2001330; rev:2;)
        new: alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE RDP connection confirm"; content: "|03|"; offset: 0; depth: 1; content: "|D0|"; offset:5; depth: 1; flow:from_server,established; priority:1; classtype:misc-activity; sid:2001330; rev:3;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY IRC connection"; content:"Welcome to the "; content:"IRC Network"; nocase; flow:established; sid:2000356; rev:1; )
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY IRC connection"; content:"Welcome to the "; content:"IRC Network"; nocase; flow:established; classtype:misc-activity; sid:2000356; rev:2; )
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE AOL Webmail Message Send"; uricontent:"/compose_frame.adp"; content:"POST"; flow:to_server,established; sid:2000571; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE AOL Webmail Message Send"; uricontent:"/compose_frame.adp"; content:"POST"; flow:to_server,established; classtype:policy-violation; sid:2000571; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Weatherbug"; uricontent:"WxAlertIsapi"; nocase; threshold:type limit, track by_src, count 10, seconds 3600; flow:to_server,established; sid:2001235; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Weatherbug"; uricontent:"WxAlertIsapi"; nocase; threshold:type limit, track by_src, count 10, seconds 3600; flow:to_server,established; classtype:misc-activity; sid:2001235; rev:5;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY IRC authorization message"; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; flow: established; sid:2000355; rev:1; )
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY IRC authorization message"; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; flow: established; classtype:misc-activity; sid:2000355; rev:2; )
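Review bot: Sid 2000354 relies on `flags:AP+` instead of stream state, unlike the other rules in this section, which all carry a `flow` option. Without it the rule can alert on out-of-state packets that merely contain `SSH-` in the first eight bytes. Replacing `flags:AP+;` with `flow:established;` would keep the match on tracked, established sessions. A minor style point: the new option is written both as `classtype:policy-violation` and `classtype: policy-violation` in this file, and one form should be used throughout.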

     -> Modified active in bleeding-virus.rules (1):
        old: alert tcp any any -> any 6891:6900 (msg:"BLEEDING-EDGE Virus Bropia.F Worm Propagation"; content:"|E1 37 A2 BA 6E 5C 63 8B D6 D1 F7 3C BA 13 16 FD 77 21 5A 5C 17 1B 29 4A 4F 15 A9 29 CF FA 48 3A|"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBROPIA%2EF; classtype:misc-attack; sid:2001715; rev:1;)
        new: alert tcp any any -> any 6891:6900 (msg:"BLEEDING-EDGE Virus Bropia.F Worm Propagation"; content:"|E1 37 A2 BA 6E 5C 63 8B D6 D1 F7 3C BA 13 16 FD 77 21 5A 5C 17 1B 29 4A 4F 15 A9 29 CF FA 48 3A|"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBROPIA%2EF; flow:established,to_server; classtype:misc-attack; sid:2001715; rev:2;)

[///]    Modified inactive rules:    [///]

     -> Modified inactive in bleeding-policy.rules (12):
        old: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit dashed)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{4}-\d{4}-\d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001380; rev:6;)
        new: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit dashed)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{4}-\d{4}-\d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; sid:2001380; rev:7;)
        old: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)\d{11} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001378; rev:6;)
        new: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)\d{11} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; sid:2001378; rev:7;)
        old: #alert tcp any any -> any any (msg:"BLEEDING-EDGE SSN Detected in Clear Text"; pcre:"/ (00[1-9]|010-733|750-772)-\d{2}-\d{4} /"; flow:established; sid:2001328; rev:5;)
        new: #alert tcp any any -> any any (msg:"BLEEDING-EDGE SSN Detected in Clear Text"; pcre:"/ (00[1-9]|010-733|750-772)-\d{2}-\d{4} /"; flow:established; classtype:policy-violation;sid:2001328; rev:6;)
        old: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit dashed)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})-\d{4}-\d{4}-\d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001383; rev:6;)
        new: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit dashed)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})-\d{4}-\d{4}-\d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; sid:2001383; rev:7;)
        old: #alert tcp any any -> any any (msg:"BLEEDING-EDGE SSN Detected in Clear Text"; pcre:"/ (00[1-9]|010-733|750-772) \d{2} \d{4} /"; flow:established; sid:2001384; rev:5;)
        new: #alert tcp any any -> any any (msg:"BLEEDING-EDGE SSN Detected in Clear Text"; pcre:"/ (00[1-9]|010-733|750-772) \d{2} \d{4} /"; flow:established; classtype:policy-violation;sid:2001384; rev:6;)
        old: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001377; rev:6;)
        new: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; sid:2001377; rev:7;)
        old: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001375; rev:6;)
        new: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; sid:2001375; rev:7;)
        old: #alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel Attempt"; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:80"; distance:-11; within:4; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:443"; distance:-12; within:5; flow:to_server,established; sid:2000560; rev:4; )
        new: #alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel Attempt"; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:80"; distance:-11; within:4; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:443"; distance:-12; within:5; flow:to_server,established; classtype:misc-activity; sid:2000560; rev:5; )
        old: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001376; rev:6;)
        new: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; sid:2001376; rev:7;)
        old: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit spaced)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2}) \d{4} \d{4} \d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001382; rev:6;)
        new: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit spaced)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2}) \d{4} \d{4} \d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; sid:2001382; rev:7;)
        old: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})\d{10} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001381; rev:6;)
        new: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})\d{10} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; sid:2001381; rev:7;)
        old: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit spaced)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{4} \d{4} \d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001379; rev:6;)
        new: #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit spaced)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{4} \d{4} \d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; sid:2001379; rev:7;)
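Review bot: The SSN patterns in sids 2001328 and 2001384 do not express the intended area-number ranges. Inside `(00[1-9]|010-733|750-772)` the alternatives `010-733` and `750-772` are literal seven-character strings, so only areas 001–009 match a normally formatted number. The ranges need to be spelled out as digit-class alternatives, one per band of the range. The 15-digit card rules (sids 2001380, 2001378, 2001379) have a smaller flaw of the same kind: `3[4|7]` also accepts a literal `|` and should be `3[47]\d{2}`. The rules are disabled, but anyone enabling them for clear-text data monitoring would get much less coverage than the msg text implies.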

[*] Non-rule line modifications: [*]
    None.

[*] Added files: [*]
    None.




