[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727... bleeding at ...2727...
Sun Feb 13 17:01:26 EST 2005


[***] Results from Oinkmaster started Sun Feb 13 20:00:03 2005 [***]

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-exploit.rules (1):
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS05-014 HTML OBJECT tag local zone exploit"; flow: to_client,established; content: "|3C|OBJECT "; nocase; pcre: "/codebase[ \t]*=[ \t]*[\x22\x27].*\?\.exe/isR"; classtype:misc-attack; sid:2001725; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Exploit MS05-014 HTML OBJECT tag local zone exploit"; flow: to_client,established; content: "|3C|OBJECT "; nocase; pcre: "/codebase[ \t]*=[ \t]*[\x22\x27].*\?\.exe/isR"; classtype:misc-attack; sid:2001725; rev:3;)

     -> Modified active in bleeding-malware.rules (1):
        old: alert tcp $HOME_NET any -> any any (msg:"BLEEDING_EDGE Malware JoltID Agent P2P via Proxy Server"; content:"POST http\://"; nocase; content:"\:3531/.pkt"; within:20; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001679; rev:4;)
        new: alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE Malware JoltID Agent P2P via Proxy Server"; content:"POST http\://"; nocase; content:"\:3531/.pkt"; within:20; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001679; rev:5;)

     -> Modified active in bleeding-virus.rules (7):
        old: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001693; rev:3;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001693; rev:3;)
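Review bot: sid 2001693 gets a new msg but keeps rev:3, so anything that tracks rules by sid/rev will not see the rename; bump it to rev:4 as the neighbouring Bagle.BJ rules do (2001691 goes 4 -> 5, 2001695 goes 6 -> 7). The new msg is also the only one in this block with no category word after the prefix ("BLEEDING-EDGE Bagle.BJ ..." instead of "BLEEDING-EDGE Virus Bagle.BJ ..."), and the added sid-msg.map line for 2001693 mirrors that; suggest msg:"BLEEDING-EDGE Virus Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound" in both places.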
        old: alert TCP $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bagle.BJ [alias .AY, .BC] - download attempt"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/error\.jpg/i"; reference:url,secunia.com/virus_information/14877/; threshold:type limit, track by_src, count 5, seconds 600; classtype:trojan-activity; flow:established; sid: 2001695; rev:6;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Bagle.BJ [alias .AY, .BC] - download attempt"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/error\.jpg/i"; reference:url,secunia.com/virus_information/14877/; threshold:type limit, track by_src, count 5, seconds 600; classtype:trojan-activity; flow:established; sid: 2001695; rev:7;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32/Bagle.z at ...871... Requesting 5.php"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/5\.php/i"; reference:mcafee,122415; classtype:trojan-activity; flow:to_server,established; sid:2001556; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus W32/Bagle.z at ...871... Requesting 5.php"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/5\.php/i"; reference:mcafee,122415; classtype:trojan-activity; flow:to_server,established; sid:2001556; rev:5;)
        old: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.com, exe extensions] - outbound"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001691; rev:4;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus Bagle.BJ [alias .AY, .BC] worm [.com, exe extensions] - outbound"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001691; rev:5;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content:"User-Agent\: beagle_beagle"; flow:to_server,established;  dsize:< 150; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; sid:2001269; rev:7; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content:"BLEEDING-EDGE Virus User-Agent\: beagle_beagle"; flow:to_server,established;  dsize:< 150; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; sid:2001269; rev:8; )
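Review bot: the rename for sid 2001269 was applied to the wrong option: the "BLEEDING-EDGE Virus " prefix was inserted into content: rather than msg:, so the new rule looks for content:"BLEEDING-EDGE Virus User-Agent\: beagle_beagle", a string that exists only in the ruleset and not on the wire, and the detection is effectively dead while msg: still reads "BLEEDING-EDGE VIRUS Bagle Worm" (uppercase VIRUS, unlike the rest of the block). Restore content:"User-Agent\: beagle_beagle", change the msg to "BLEEDING-EDGE Virus Bagle Worm" and keep the bump to rev:8.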
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm"; content:"filename="; pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)/"; flow:to_server,established; classtype:trojan-activity; sid:2001292; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus Possible Bagle.AI Worm"; content:"filename="; pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)/"; flow:to_server,established; classtype:trojan-activity; sid:2001292; rev:8;)
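Review bot: sid 2001292 jumps from rev:5 to rev:8 for a one-word case change in the msg (VIRUS -> Virus); unless revisions 6 and 7 were published somewhere, rev:6 keeps the revision history contiguous.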
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh"; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; flow:established; sid:2001270; rev:4; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh"; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; flow:established; sid:2001270; rev:5; )
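Review bot: sid 2001270 is bumped from rev:4 to rev:5 with no visible change (msg, content and options are identical in old and new). Either drop the no-op bump or use it to bring the msg in line with the rest of the block, "BLEEDING-EDGE Virus Bagle Worm" rather than "BLEEDING-EDGE VIRUS Bagle Worm", which is the same VIRUS -> Virus fix 2001292 receives in this update.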

[///]    Modified inactive rules:    [///]

     -> Modified inactive in bleeding-attack_response.rules (1):
        old: #alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Successful user connection AFTER Brute Force Attack"; flowbits:isset,ssh.brute.attempt; threshold:type both, track by_src, count 2, seconds 60; dsize:52; flags:AP; classtype:successful-user; sid:2001717; rev:3;)
        new: #alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE SSH Successful user connection AFTER Brute Force Attack"; flowbits:isset,ssh.brute.attempt; threshold:type both, track by_src, count 2, seconds 60; dsize:52; flags:AP; classtype:successful-user; sid:2001717; rev:4;)

     -> Modified inactive in bleeding-policy.rules (1):
        old: #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bleeding-Edge Policy Mozilla XPI install files download"; content:"content-type\: application/x-xpinstall"; nocase; classtype:bad-unknown; flow:from_server,established; sid:2001114; rev:2;)
        new: #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Policy Mozilla XPI install files download"; content:"content-type\: application/x-xpinstall"; nocase; classtype:bad-unknown; flow:from_server,established; sid:2001114; rev:2;)
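Review bot: sid 2001114's msg changes case (Bleeding-Edge -> BLEEDING-EDGE) but rev stays at 2 while its sid-msg.map line is replaced; bump to rev:3 so the rule and the map change are both visible to consumers that key on sid/rev. The rule ships disabled (leading '#'), so there is no runtime impact either way.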

     -> Modified inactive in bleeding-virus.rules (2):
        old: #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - incoming"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001694; rev:2;)
        new: #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - incoming"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001694; rev:3;)
        old: #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.com, .exe extensions] - incoming"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001692; rev:3;)
        new: #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Bagle.BJ [alias .AY, .BC] worm [.com, .exe extensions] - incoming"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001692; rev:4;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (11):
        2001114 || BLEEDING-EDGE Policy Mozilla XPI install files download
        2001292 || BLEEDING-EDGE Virus Possible Bagle.AI Worm
        2001556 || BLEEDING-EDGE Virus W32/Bagle.z at ...871... Requesting 5.php || mcafee,122415
        2001679 || BLEEDING-EDGE Malware JoltID Agent P2P via Proxy Server
        2001691 || BLEEDING-EDGE Virus Bagle.BJ [alias .AY, .BC] worm [.com, exe extensions] - outbound || url,secunia.com/virus_information/14902/
        2001692 || BLEEDING-EDGE Virus Bagle.BJ [alias .AY, .BC] worm [.com, .exe extensions] - incoming || url,secunia.com/virus_information/14902/
        2001693 || BLEEDING-EDGE Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound || url,secunia.com/virus_information/14902/
        2001694 || BLEEDING-EDGE Virus Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - incoming || url,secunia.com/virus_information/14902/
        2001695 || BLEEDING-EDGE Virus Bagle.BJ [alias .AY, .BC] - download attempt || url,secunia.com/virus_information/14877/
        2001717 || BLEEDING-EDGE SSH Successful user connection AFTER Brute Force Attack
        2001725 || BLEEDING-EDGE Exploit MS05-014 HTML OBJECT tag local zone exploit

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (11):
        2001114 || Bleeding-Edge Policy Mozilla XPI install files download
        2001292 || BLEEDING-EDGE VIRUS Possible Bagle.AI Worm
        2001556 || W32/Bagle.z at ...871... Requesting 5.php || mcafee,122415
        2001679 || BLEEDING_EDGE Malware JoltID Agent P2P via Proxy Server
        2001691 || Bagle.BJ [alias .AY, .BC] worm [.com, exe extensions] - outbound || url,secunia.com/virus_information/14902/
        2001692 || Bagle.BJ [alias .AY, .BC] worm [.com, .exe extensions] - incoming || url,secunia.com/virus_information/14902/
        2001693 || Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound || url,secunia.com/virus_information/14902/
        2001694 || Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - incoming || url,secunia.com/virus_information/14902/
        2001695 || Bagle.BJ [alias .AY, .BC] - download attempt || url,secunia.com/virus_information/14877/
        2001717 || SSH Successful user connection AFTER Brute Force Attack
        2001725 || MS05-014 HTML OBJECT tag local zone exploit

[*] Added files: [*]
    None.
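Two slips in this update are easy to catch mechanically: in bleeding-virus.rules the "BLEEDING-EDGE" prefix for sid 2001269 landed inside content: instead of msg:, and sid 2001693 was renamed without a rev bump. The following is an added example, not code from the Bleeding Snort project or from Oinkmaster. It parses the old:/new: pairs an Oinkmaster report prints and checks three things: that a changed rule carries a new rev, that the msg prefix has not leaked into a content: match, and that a sid-msg.map line agrees with its rule's msg. The sample rules are copied from the report above; the function names and the policy that every msg must begin with BLEEDING-EDGE are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Added example, not code from the Bleeding Snort project or from Oinkmaster.
# It lints the "old:/new:" rule pairs an Oinkmaster report prints for the slips
# a mass msg rename can introduce.  Sample rules are copied from the report;
# the check names and the "every msg starts with PREFIX" policy are assumptions.

PREFIX = "BLEEDING-EDGE"

# One rule option: name, colon, a quoted value (backslash escapes allowed) or a
# bare value, terminated by ";".  Flag options such as "nocase;" have no colon
# and are skipped on purpose.
_OPT = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')


def parse_rule(rule: str) -> Dict[str, object]:
    """Split one single-line Snort rule into header, sid, rev, msg and content: values.
    A leading '#' (rule shipped disabled) is recorded rather than rejected."""
    rule = rule.strip()
    disabled = rule.startswith("#")
    header, _, body = rule.lstrip("#").strip().partition("(")
    body = body.rsplit(")", 1)[0]
    opts = [(name, value.strip('"')) for name, value in _OPT.findall(body)]

    def first(name: str) -> Optional[str]:
        return next((v for k, v in opts if k == name), None)

    return {
        "header": header.strip(),
        "disabled": disabled,
        "sid": int(first("sid")),
        "rev": int(first("rev")),
        "msg": first("msg"),
        "contents": [v for k, v in opts if k == "content"],
    }


def lint_pair(old: str, new: str) -> List[str]:
    """Findings for one old:/new: pair, as free-text lines; empty list means clean."""
    o, n = parse_rule(old), parse_rule(new)
    out: List[str] = []
    if o["sid"] != n["sid"]:
        out.append(f"sid changed {o['sid']} -> {n['sid']}; that is a new rule, not a revision")
    changed = (o["header"], o["msg"], o["contents"]) != (n["header"], n["msg"], n["contents"])
    if changed and o["rev"] == n["rev"]:
        out.append(f"sid {n['sid']}: rule text changed but rev is still {n['rev']}")
    if not str(n["msg"]).startswith(PREFIX):
        out.append(f"sid {n['sid']}: msg does not start with {PREFIX!r}")
    for c in n["contents"]:
        if PREFIX in c:
            out.append(f"sid {n['sid']}: msg prefix leaked into content:{c!r}; this pattern never occurs on the wire")
    return out


def lint_sidmap(rule: str, map_line: str) -> List[str]:
    """Check one sid-msg.map line ("sid || msg [|| ref ...]") against its rule."""
    r = parse_rule(rule)
    fields = [f.strip() for f in map_line.split("||")]
    out: List[str] = []
    if int(fields[0]) != r["sid"]:
        out.append(f"map line sid {fields[0]} does not match rule sid {r['sid']}")
    if fields[1] != r["msg"]:
        out.append(f"sid {r['sid']}: map msg {fields[1]!r} differs from rule msg {r['msg']!r}")
    return out


# Sample pairs copied from the report above (sids 2001725, 2001693, 2001269).
OLD_2001725 = r'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS05-014 HTML OBJECT tag local zone exploit"; flow: to_client,established; content: "|3C|OBJECT "; nocase; pcre: "/codebase[ \t]*=[ \t]*[\x22\x27].*\?\.exe/isR"; classtype:misc-attack; sid:2001725; rev:2;)'
NEW_2001725 = r'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Exploit MS05-014 HTML OBJECT tag local zone exploit"; flow: to_client,established; content: "|3C|OBJECT "; nocase; pcre: "/codebase[ \t]*=[ \t]*[\x22\x27].*\?\.exe/isR"; classtype:misc-attack; sid:2001725; rev:3;)'
OLD_2001693 = r'alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001693; rev:3;)'
NEW_2001693 = r'alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001693; rev:3;)'
OLD_2001269 = r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content:"User-Agent\: beagle_beagle"; flow:to_server,established;  dsize:< 150; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; sid:2001269; rev:7; )'
NEW_2001269 = r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content:"BLEEDING-EDGE Virus User-Agent\: beagle_beagle"; flow:to_server,established;  dsize:< 150; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; sid:2001269; rev:8; )'
MAP_2001693 = "2001693 || BLEEDING-EDGE Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound || url,secunia.com/virus_information/14902/"

if __name__ == "__main__":
    for old, new in [(OLD_2001725, NEW_2001725), (OLD_2001693, NEW_2001693), (OLD_2001269, NEW_2001269)]:
        for line in lint_pair(old, new) or [f"sid {parse_rule(new)['sid']}: ok"]:
            print(line)
    for line in lint_sidmap(NEW_2001693, MAP_2001693) or ["sid-msg.map 2001693: ok"]:
        print(line)
```

Run against the three pairs, the 2001725 pair comes back clean, 2001693 is reported for the unchanged rev, and 2001269 for the prefix inside content:. The parser only understands the single-line rule syntax shown in this report (no backslash line continuations) and is a lint pass, not a syntax check; the rules still need to load under snort -T with the real configuration before they go live.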
