[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Tue Feb 15 17:00:24 EST 2005


[***] Results from Oinkmaster started Tue Feb 15 20:00:04 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-exploit.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit MS05-005 Office XP Remote Code Attempt"; pcre:"/(\x2ertf|\x2edoc)\x250a.{500,}?/mi"; flow:established,to_server; classtype:attempted-admin; sid:2001727; rev:2;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (1):
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Virus Trojan-Spy.Win32.Bancos Download"; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; classtype:trojan-activity; sid:2001726; rev:1;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Virus Trojan-Spy.Win32.Bancos Download"; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; flow:established,from_server; classtype:trojan-activity; sid:2001726; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-exploit.rules (1):
        #By Shirkdog

     -> Added to bleeding-sid-msg.map (1):
        2001727 || BLEEDING-EDGE Exploit MS05-005 Office XP Remote Code Attempt

     -> Added to bleeding-virus.rules (24):
        #	Akak Trojan
        #Submitted by Joe Stewart, Akak Trojan
        #	Bofra Worm
        #submitted by Matt Jonkman, additions by David Maciejak - Bofra Worm
        #	IE Ilookup Trojan
        #Submitted by Joseph Gama, for IE Ilookup Trojan
        #	IRC Trojan Reporting
        #Unknown Writer - IRC Trojan
        #	Psyme Trojan
        #Submitted by Matt Jonkman for the Psyme Trojan
        #	Agobot/Phatbot
        #Taken from lurhq.com
        #	Zafi Virus
        #submitted by Mark Scott, 6/13/2004 for Zafi.B
        #submitted by Chris Harrington, for Zafi.D
        #submitted by Mark Scott 12/14/2004 for Zafi.D, variant attachments
        #	MyDoom variants
        #Submitted by Matt Jonkman for MyDoom.AH
        #Submitted by colforbin5 for MyDoom.AH/I
        #From the Netsquid Rules for MyDoom.F
        #Submitted by Mark Scott, 1/5/2005, for MyDoom.I
        #From the Netsquid Rules for MyDoom/MiMail
        #Submitted by Joel Esler for MyDoom.P
        #Submitted by Matt Jonkman for MyDoom.S

     -> Added to bleeding-web.rules (2):
        # Submitted by Chris Norton
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE WEB PHP vBulletin Remote Command Execution Attempt"; flow:established,to_server; uricontent:"forumdisplay.php?"; nocase; uricontent:"comma="; nocase; classtype:web-application-attack; reference:bugtraq,12542; rev:1;)

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-virus.rules (11):
        #Submitted by Joe Stewart
        #Matt Jonkman, additions by David Maciejak
        #Unknown Writer
        #Submitted by colforbin5
        #       Zafi.D
        #added by Mark Scott, Mark.Scott at ...2921..., 6/13/2004 for incoming Zafi.B
        #added by Mark Scott, Mark.Scott at ...2921..., 6/13/2004 for outgoing Zafi.B
        #by Chris Harrington
        #added by Mark Scott 12/14/2004 for Zafi.D, variant .zip attachment
        #Submitted by Joel Esler
        #	MyDoom.I created by Mark Scott, 1/5/2005

[*] Added files: [*]
    None.
