[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Wed Feb 9 17:01:11 EST 2005


[***] Results from Oinkmaster started Wed Feb  9 20:00:06 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-attack_response.rules (1):
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Successful user connection AFTER Brute Force Attack"; flowbits:isset,ssh.brute.attempt; threshold:type both, track by_src, count 2, seconds 60; dsize:52; flags:AP; classtype:successful-user; sid:2001717; rev:3;)

     -> Added to bleeding-exploit.rules (7):
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Exploit libpng CAN-2004-1244 overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; byte_test: 1,=,3,10,relative; content:"tRNS"; byte_test:4,>,256,-8,relative; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:cve,2004-0597; reference:bugtraq,10872; classtype:attempted-admin; sid:2001724; rev:1;)
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-0597 PNG with too big PLTE"; flow: to_client,established; flowbits:isset,icolor_png; content: "PLTE"; byte_test: 4,>,768,-8,relative; sid:2001721; rev:2;)
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow: to_client,established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 4,>,256,17,relative;  content: "tRNS"; distance: 4; sid:2001723; rev:1;)
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-1244 PNG with bad height"; flow: to_client, established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 4,>,10000,4,relative; sid:2001719; rev:1;)
        log tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-0597 PNG with indexed color"; flow: to_client,established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 1,=,3,10,relative; flowbits: set,icolor_png; sid:2001720; rev:1;)
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-0597 PNG with too big hIST"; flow: to_client,established; flowbits:isset,icolor_png; content: "hIST"; byte_test: 4,>,512,-8,relative; sid:2001722; rev:2;)
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-1244 PNG with bad width"; flow: to_client, established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 4,>,10000,0,relative; sid:2001718; rev:1;)

     -> Added to bleeding-web.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Web IDN url seen.."; flow:established; content: "http"; nocase; content: "|3A 2F 2F|"; within: 1; distance: 3; pcre:"/&#[0-9]+\;/R"; sid:2001716; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-policy.rules (1):
        old: alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (msg:"BLEEDING-EDGE Multiple Non-SMTP Server Emails";flags: S; threshold: type threshold, track by_src,count 10, seconds 120; classtype:misc-activity; rev:3; sid:2000328;)
        new: alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (msg:"BLEEDING-EDGE Multiple Non-SMTP Server Emails";flags: S,12; threshold: type threshold, track by_src,count 10, seconds 120; classtype:misc-activity; sid:2000328; rev:4;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-exploit.rules (1):
        #Erik Fichtner and Paul Jaramillo

     -> Added to bleeding-sid-msg.map (9):
        2001716 || BLEEDING-EDGE Web IDN url seen..
        2001717 || SSH Successful user connection AFTER Brute Force Attack
        2001718 || BLEEDING-EDGE Exploit CAN-2004-1244 PNG with bad width
        2001719 || BLEEDING-EDGE Exploit CAN-2004-1244 PNG with bad height
        2001720 || BLEEDING-EDGE Exploit CAN-2004-0597 PNG with indexed color
        2001721 || BLEEDING-EDGE Exploit CAN-2004-0597 PNG with too big PLTE
        2001722 || BLEEDING-EDGE Exploit CAN-2004-0597 PNG with too big hIST
        2001723 || BLEEDING-EDGE Exploit ATmaCA PoC for CORE-2004-0819 -- bad PNG
        2001724 || BLEEDING-EDGE Exploit libpng CAN-2004-1244 overflow attempt || bugtraq,10872 || cve,2004-0597

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-attack_response.rules (1):
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Successful user connection AFTER Brute Force Attack"; flowbits:isset,ssh.brute.attempt; threshold:type both, track by_src, count 2, seconds 60; dsize:52; flags:AP; classtype:successful-user; rev:3;)

[*] Added files: [*]
    None.