[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727... bleeding at ...2727...
Mon Feb 14 17:01:55 EST 2005


[***] Results from Oinkmaster started Mon Feb 14 20:00:02 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (1):
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Virus Trojan-Spy.Win32.Bancos Download"; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; classtype:trojan-activity; sid:2001726; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (4):
        old: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001693; rev:3;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001693; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE W32/Bagle.dldr Trojan - download attempt"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/zoo\.jpg/i"; reference:url,secunia.com/virus_information/13085/; classtype:misc-activity; flow:established; sid: 2001638; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS W32/Bagle.dldr Trojan - download attempt"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/zoo\.jpg/i"; reference:url,secunia.com/virus_information/13085/; classtype:misc-activity; flow:established; sid: 2001638; rev:6;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; reference:url,isc.sans.org/diary.php?date=2004-08-09; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/2\.jpg/i"; flow:established; classtype:trojan-activity; sid:2001061; rev:9;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Bagle Variant Requesting 2.jpg"; reference:url,isc.sans.org/diary.php?date=2004-08-09; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/2\.jpg/i"; flow:established; classtype:trojan-activity; sid:2001061; rev:10;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Checking In"; reference:url,vil.nai.com/vil/content/v_127423.htm; uricontent:"/spyware.php"; flow:established; classtype:trojan-activity; sid:2001064; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Bagle Variant Checking In"; reference:url,vil.nai.com/vil/content/v_127423.htm; uricontent:"/spyware.php"; flow:established; classtype:trojan-activity; sid:2001064; rev:4;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (5):
        2001061 || BLEEDING-EDGE VIRUS Bagle Variant Requesting 2.jpg || url,isc.sans.org/diary.php?date=2004-08-09
        2001064 || BLEEDING-EDGE VIRUS Bagle Variant Checking In || url,vil.nai.com/vil/content/v_127423.htm
        2001638 || BLEEDING-EDGE VIRUS W32/Bagle.dldr Trojan - download attempt || url,secunia.com/virus_information/13085/
        2001693 || BLEEDING-EDGE VIRUS Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound || url,secunia.com/virus_information/14902/
        2001726 || BLEEDING-EDGE Virus Trojan-Spy.Win32.Bancos Download

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (4):
        2001061 || BLEEDING-EDGE Bagle Variant Requesting 2.jpg || url,isc.sans.org/diary.php?date=2004-08-09
        2001064 || BLEEDING-EDGE Bagle Variant Checking In || url,vil.nai.com/vil/content/v_127423.htm
        2001638 || BLEEDING-EDGE W32/Bagle.dldr Trojan - download attempt || url,secunia.com/virus_information/13085/
        2001693 || BLEEDING-EDGE Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound || url,secunia.com/virus_information/14902/

[*] Added files: [*]
    None.
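The sid-msg.map lines added and removed above are not edited by hand: each one is derived from a rule's sid, msg and reference options, which is why the four Bagle rules whose msg gained the word VIRUS each got a new map line and a bumped rev, and why the 2001726 line carries no third field (its rule has no reference) and keeps the lower-case "Virus" spelling from its msg. The following script is an added example, not part of this update or of Oinkmaster, that regenerates map lines from Snort 2 rule text and checks that a modified rule bumped its rev. The sample rules are copied from the report above; the function names, the header regex and the option splitter are assumptions of this example.

```python
"""Regenerate sid-msg.map lines from Snort 2 rules and check rev bumps.

Added example, not Bleeding Snort or Oinkmaster code. The sample rules are
copied from the update above; the parsing helpers are constructed here.
"""
import re

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def split_options(body):
    """Split the option body on ';' outside double quotes, honouring
    backslash escapes so pcre and hex content values survive intact."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == '\\' and i + 1 < len(body):       # keep escape and escaped char
            cur.append(c); cur.append(body[i + 1]); i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ';' and not in_quote:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(c)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    pairs = []
    for opt in opts:
        if opt:
            key, _, val = opt.partition(':')      # 'sid: 2001638' -> ('sid', '2001638')
            pairs.append((key.strip(), val.strip()))
    return pairs


def parse_rule(line):
    """Return a dict with header fields, the raw option list and the
    sid/rev/msg/reference values a sid-msg.map line is built from."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a rule line: %r' % line[:40])
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = {'action': action, 'proto': proto.lower(), 'src': src, 'sport': sport,
            'dir': direction, 'dst': dst, 'dport': dport,
            'options': split_options(body),
            'msg': None, 'sid': None, 'rev': None, 'references': []}
    for key, val in rule['options']:
        if key == 'msg':
            rule['msg'] = val.strip('"')
        elif key == 'sid':
            rule['sid'] = int(val)
        elif key == 'rev':
            rule['rev'] = int(val)
        elif key == 'reference':
            rule['references'].append(val)
    if rule['sid'] is None or rule['msg'] is None:
        raise ValueError('rule without sid/msg: %r' % line[:40])
    return rule


def sid_msg_line(rule):
    """Render 'sid || msg [|| reference ...]' exactly as sid-msg.map expects."""
    return ' || '.join([str(rule['sid']), rule['msg']] + rule['references'])


def regenerate_map(rules_text):
    """sid-msg.map lines for every non-comment rule in rules_text."""
    return [sid_msg_line(parse_rule(l)) for l in rules_text.splitlines()
            if l.strip() and not l.lstrip().startswith('#')]


HEADER_FIELDS = ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')


def rev_bump_ok(old_line, new_line):
    """True when the rev was bumped iff something other than rev changed."""
    old, new = parse_rule(old_line), parse_rule(new_line)
    if old['sid'] != new['sid']:
        return False
    without_rev = lambda r: [(k, v) for k, v in r['options'] if k != 'rev']
    changed = (without_rev(old) != without_rev(new)
               or any(old[f] != new[f] for f in HEADER_FIELDS))
    return new['rev'] > old['rev'] if changed else new['rev'] == old['rev']


# Sample rules copied from the update report above.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Virus Trojan-Spy.Win32.Bancos Download"; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; classtype:trojan-activity; sid:2001726; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS W32/Bagle.dldr Trojan - download attempt"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/zoo\.jpg/i"; reference:url,secunia.com/virus_information/13085/; classtype:misc-activity; flow:established; sid: 2001638; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Bagle Variant Checking In"; reference:url,vil.nai.com/vil/content/v_127423.htm; uricontent:"/spyware.php"; flow:established; classtype:trojan-activity; sid:2001064; rev:4;)
'''
OLD_2001693 = r'''alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001693; rev:3;)'''
NEW_2001693 = OLD_2001693.replace('BLEEDING-EDGE Bagle.BJ', 'BLEEDING-EDGE VIRUS Bagle.BJ').replace('rev:3;', 'rev:4;')

if __name__ == '__main__':
    for line in regenerate_map(SAMPLE_RULES):
        print(line)
    print('2001693 rev bump ok:', rev_bump_ok(OLD_2001693, NEW_2001693))
```

Diffing the output of regenerate_map against the "Added to bleeding-sid-msg.map" block is the check to run after every update: a mismatch means the map was edited without the rule, or the other way round. The splitter treats any ';' inside double quotes as literal, which is what keeps a pcre or a hex content string such as the 2001726 one from being cut in half; the header regex assumes a space before the opening parenthesis, as every rule in this report has.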
