[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727... bleeding at ...2727...
Mon Feb 21 07:04:40 EST 2005


[***] Results from Oinkmaster started Thu Feb 10 20:00:03 2005 [***]

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-exploit.rules (8):
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-0597 PNG with too big PLTE"; flow: to_client,established; flowbits:isset,icolor_png; content: "PLTE"; byte_test: 4,>,768,-8,relative; sid:2001721; rev:2;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-0597 PNG with too big PLTE"; flow: to_client,established; flowbits:isset,icolor_png; content: "PLTE"; byte_test: 4,>,768,-8,relative; classtype:misc-attack; sid:2001721; rev:3;)
        old: alert tcp any any -> any 139 (msg:"BLEEDING-EDGE Pwdump3e Session Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:to_server,established; classtype:suspicious-login; sid:2000565; rev:3;)
        new: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE Pwdump3e Session Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:to_server,established; classtype:suspicious-login; sid:2000565; rev:4;)
        old: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE Pwdump3e Session Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:to_server,established; classtype:suspicious-login; sid:2000566; rev:3;)
        new: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump3e Session Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:to_server,established; classtype:suspicious-login; sid:2000566; rev:4;)
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow: to_client,established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 4,>,256,17,relative;  content: "tRNS"; distance: 4; sid:2001723; rev:1;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow: to_client,established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 4,>,256,17,relative;  content: "tRNS"; distance: 4; classtype:misc-attack; sid:2001723; rev:2;)
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-1244 PNG with bad height"; flow: to_client, established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 4,>,10000,4,relative; sid:2001719; rev:1;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-1244 PNG with bad height"; flow: to_client, established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 4,>,10000,4,relative; classtype:misc-attack; sid:2001719; rev:2;)
        old: log tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-0597 PNG with indexed color"; flow: to_client,established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 1,=,3,10,relative; flowbits: set,icolor_png; sid:2001720; rev:1;)
        new: log tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-0597 PNG with indexed color"; flow: to_client,established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 1,=,3,10,relative; flowbits: set,icolor_png; classtype:misc-attack; sid:2001720; rev:2;)
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-0597 PNG with too big hIST"; flow: to_client,established; flowbits:isset,icolor_png; content: "hIST"; byte_test: 4,>,512,-8,relative; sid:2001722; rev:2;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-0597 PNG with too big hIST"; flow: to_client,established; flowbits:isset,icolor_png; content: "hIST"; byte_test: 4,>,512,-8,relative; classtype:misc-attack; sid:2001722; rev:3;)
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-1244 PNG with bad width"; flow: to_client, established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 4,>,10000,0,relative; sid:2001718; rev:1;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit CAN-2004-1244 PNG with bad width"; flow: to_client, established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 4,>,10000,0,relative; classtype:misc-attack; sid:2001718; rev:2;)
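Review bot: The `icolor_png` flowbit that sid:2001721 and sid:2001722 gate on is tested at the wrong IHDR byte, so the classtype added here does not make those two rules live: in sid:2001720 `byte_test: 1,=,3,10,relative;` is counted from the end of the `IHDR` match and lands on the compression-method byte (IHDR data is width 0-3, height 4-7, bit depth 8, colour type 9, compression 10), for which the PNG spec defines only the value 0, so the bit is never set for an indexed-colour image and the PLTE/hIST rules can never fire; the colour-type test is `byte_test: 1,=,3,9,relative;`. Setting the bit from a `log` rule is also unusual — the conventional form is an `alert` rule carrying `flowbits:set,icolor_png; flowbits:noalert;`, which keeps the setter out of the log stream; whether a `log` setter is seen by the `alert` checkers when IHDR and PLTE arrive in the same segment depends on the engine's rule ordering and is worth confirming on your Snort version. In sid:2001723 the length tested at relative offset 17 is that of the chunk immediately after IHDR (13 bytes of data plus a 4-byte CRC), but `content:"tRNS"; distance:4;` has no `within`, so the type match can land on any later tRNS in the stream and is not tied to the length that was tested; `content:"tRNS"; distance:21; within:4;` pins it to that chunk.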

     -> Modified active in bleeding-policy.rules (1):
        old: alert tcp any any -> any any (msg:"BLEEDING-EDGE CHAT Yahoo IM file transfer request"; flow:established; content:"YMSG"; depth:4; nocase; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; priority:1; sid:2001259; rev:1;)
        new: alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT Yahoo IM file transfer request"; flow:established; content:"YMSG"; depth:4; nocase; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; priority:1; sid:2001259; rev:2;)

     -> Modified active in bleeding-virus.rules (47):
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS OUTBOUND Suspicious Email Attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2000562; rev:7;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS OUTBOUND Suspicious Email Attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2000562; rev:8;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Netsky.P Worm detected ";content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; classtype:misc-activity; flow:established; sid:2001566; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus Netsky.P Worm detected ";content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; classtype:misc-activity; flow:established; sid:2001566; rev:5;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.cmd, .com, .pif or .bat] - outgoing detected "; content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; flow:established; sid:2001601; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.cmd, .com, .pif or .bat] - outgoing detected "; content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; flow:established; sid:2001601; rev:3;)
        old: alert tcp any any -> any any (msg:"BLEEDING-EDGE VIRUS Agobot/Phatbot Infection Successful"; flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:2000014; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE VIRUS Agobot/Phatbot Infection Successful"; flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:2000014; rev:1;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants serarching for targets (yahoo)"; content:"GET "; nocase; content:"/search|3f|"; nocase; content: "p=inurl|3a|"; nocase; content:".php|3f2a|="; nocase; within:10; pcre:"/\d+/iR"; content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; nocase; pcre:"/\d+/iR"; flow:to_server,established; classtype: trojan-activity; sid:2001619; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants serarching for targets (yahoo)"; content:"GET "; nocase; content:"/search|3f|"; nocase; content: "p=inurl|3a|"; nocase; content:".php|3f2a|="; nocase; within:10; pcre:"/\d+/iR"; content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; nocase; pcre:"/\d+/iR"; flow:to_server,established; classtype: trojan-activity; sid:2001619; rev:4;)
        old: alert tcp $HOME_NET any -> any 25 (content:"Content-Disposition\: attachment\; filename="; content:"dllygSJ+Rlp2YjEiblZtIm4uJlVtaSJu"; nocase; within:1280; flow:established,to_server; msg:"BLEEDING-EDGE VIRUS Sober.F Outbound"; classtype:trojan-activity; sid:2001285; rev:2; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"Content-Disposition\: attachment\; filename="; content:"dllygSJ+Rlp2YjEiblZtIm4uJlVtaSJu"; nocase; within:1280; flow:established,to_server; msg:"BLEEDING-EDGE VIRUS Sober.F Outbound"; classtype:trojan-activity; sid:2001285; rev:3; )
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants searching for targets"; content:"GET "; nocase; content:"/search|3f|"; nocase; content: "q=inurl|3a|"; nocase; content:".php|3f|"; nocase; within:10; pcre:"/&start=\d+/i"; classtype: trojan-activity; flow:to_server,established; sid:2001618; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants searching for targets"; content:"GET "; nocase; content:"/search|3f|"; nocase; content: "q=inurl|3a|"; nocase; content:".php|3f|"; nocase; within:10; pcre:"/&start=\d+/i"; classtype: trojan-activity; flow:to_server,established; sid:2001618; rev:4;)
        old: alert tcp any !$HTTP_PORTS -> any 1639:1640 (msg:"BLEEDING-EDGE WORM MyDoom.AH Victim Accessing Infected Page"; classtype:trojan-activity; flow:established,to_server; content:"/index.htm"; nocase; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; sid:2001428; rev:4;)
        new: alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639:1640 (msg:"BLEEDING-EDGE WORM MyDoom.AH Victim Accessing Infected Page"; classtype:trojan-activity; flow:established,to_server; content:"/index.htm"; nocase; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; sid:2001428; rev:6;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi Worm outgoing detected "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; flow:established; classtype:misc-activity; sid:2001573; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus Zafi Worm outgoing detected "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; flow:established; classtype:misc-activity; sid:2001573; rev:6;)
        old: alert ip any any -> any any (msg:"BLEEDING-EDGE Possible CIA download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; classtype:trojan-activity; sid:2001233; rev:2;)
        new: alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE Possible CIA download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; classtype:trojan-activity; sid:2001233; rev:3;)
        old: alert tcp $EXTERNAL_NET any -> any 8181 (msg:"BLEEDING-EDGE Virus Zafi.d a.exe file upload"; content:"a.exe"; nocase; flow:established; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype:trojan-activity; sid:2001594; rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"BLEEDING-EDGE Virus Zafi.d a.exe file upload"; content:"a.exe"; nocase; flow:established; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype:trojan-activity; sid:2001594; rev:2;)
        old: alert ip $HOME_NET any -> any any (content:"|FE 26 B9 92 CB 12 FC FA FF 8E 01 3B D0 05 0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74 03 76|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.b"; classtype:trojan-activity; sid:2001288; rev:3; )
        new: alert ip $HOME_NET any -> $EXTERNAL_NET any (content:"|FE 26 B9 92 CB 12 FC FA FF 8E 01 3B D0 05 0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74 03 76|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.b"; classtype:trojan-activity; sid:2001288; rev:4; )
        old: alert tcp any any -> any 6891:6900 (msg:"BLEEDING-EDGE Virus Bropia.F Worm Propagation"; content:"|E1 37 A2 BA 6E 5C 63 8B D6 D1 F7 3C BA 13 16 FD 77 21 5A 5C 17 1B 29 4A 4F 15 A9 29 CF FA 48 3A|"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBROPIA%2EF; flow:established,to_server; classtype:misc-attack; sid:2001715; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 6891:6900 (msg:"BLEEDING-EDGE Virus Bropia.F Worm Propagation"; content:"|E1 37 A2 BA 6E 5C 63 8B D6 D1 F7 3C BA 13 16 FD 77 21 5A 5C 17 1B 29 4A 4F 15 A9 29 CF FA 48 3A|"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBROPIA%2EF; flow:established,to_server; classtype:misc-attack; sid:2001715; rev:3;)
        old: alert udp $HOME_NET any -> any 8998 (msg:"BLEEDING-EDGE VIRUS Sobig.E-F Trojan Site Download Request"; content:"|5c bf 01 29 ca 62 eb f1|"; dsize:8; classtype:trojan-activity; sid:2001547; rev:1;)
        new: alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"BLEEDING-EDGE VIRUS Sobig.E-F Trojan Site Download Request"; content:"|5c bf 01 29 ca 62 eb f1|"; dsize:8; classtype:trojan-activity; sid:2001547; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25"; classtype:trojan-activity; flow:established,to_server; sid:2001283; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25"; classtype:trojan-activity; flow:established,to_server; sid:2001283; rev:5;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants searching for targets"; content:"GET "; nocase; content:"/search|3f|q=inurl|3a2a|.php|3f2a|="; nocase; pcre:"/\d+&start=\d+/iR"; classtype: trojan-activity; flow:to_server,established; sid:2001617; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants searching for targets"; content:"GET "; nocase; content:"/search|3f|q=inurl|3a2a|.php|3f2a|="; nocase; pcre:"/\d+&start=\d+/iR"; classtype: trojan-activity; flow:to_server,established; sid:2001617; rev:4;)
        old: alert tcp $HOME_NET any -> any 25 (content:"We are sorry your UTF-8 encoding is not supported by the server"; nocase; msg:"BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Variant Outbound"; classtype:trojan-activity; flow:to_server,established; sid:2001277; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"We are sorry your UTF-8 encoding is not supported by the server"; nocase; msg:"BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Variant Outbound"; classtype:trojan-activity; flow:to_server,established; sid:2001277; rev:4; )
        old: alert tcp $HOME_NET any -> any 445 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky message.zip HEX port 445"; classtype:trojan-activity; flow:to_server,established; sid:2001281; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky message.zip HEX port 445"; classtype:trojan-activity; flow:to_server,established; sid:2001281; rev:4; )
        old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus MyDoom.I worm - outbound"; content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; nocase; reference:url,secunia.com/virus_information/8818/; classtype:misc-activity; flow:established; sid:2001672; rev:1;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus MyDoom.I worm - outbound"; content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; nocase; reference:url,secunia.com/virus_information/8818/; classtype:misc-activity; flow:established; sid:2001672; rev:2;)
        old: alert TCP $HOME_NET any -> any 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001693; rev:2;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001693; rev:3;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus NetSky.C Worm - outgoing detected"; content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; reference:url,secunia.com/virus_information/557/;classtype:misc-activity; flow:established; sid:2001591; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus NetSky.C Worm - outgoing detected"; content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; reference:url,secunia.com/virus_information/557/;classtype:misc-activity; flow:established; sid:2001591; rev:3;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (content:"User-Agent\: beagle_beagle"; flow:to_server,established;  dsize:< 150; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; sid:2001269; rev:6; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content:"User-Agent\: beagle_beagle"; flow:to_server,established;  dsize:< 150; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; sid:2001269; rev:7; )
        old: alert tcp $HOME_NET any -> any 25 (content:"represented in 7-bit ASCII"; nocase; content:"Content-Type\: application/octet-stream"; nocase; content:"Content-Transfer-Encoding\: base64"; nocase; msg:"BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 1"; classtype:trojan-activity; flow:to_server,established; sid:2001274; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"represented in 7-bit ASCII"; nocase; content:"Content-Type\: application/octet-stream"; nocase; content:"Content-Transfer-Encoding\: base64"; nocase; msg:"BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 1"; classtype:trojan-activity; flow:to_server,established; sid:2001274; rev:4; )
        old: alert tcp $HOME_NET any -> any 139 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky message.zip HEX port 139"; classtype:trojan-activity; flow:to_server,established; sid:2001280; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky message.zip HEX port 139"; classtype:trojan-activity; flow:to_server,established; sid:2001280; rev:4; )
        old: alert tcp $HOME_NET any -> any 25 (content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; distance:2; within:20; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; distance:16; within:40; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; distance:16; within:30; msg:"BLEEDING-EDGE VIRUS Outbound W32.Novarg.A worm"; classtype:trojan-activity; flow:established; sid:2001273; rev:7; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; distance:2; within:20; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; distance:16; within:40; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; distance:16; within:30; msg:"BLEEDING-EDGE VIRUS Outbound W32.Novarg.A worm"; classtype:trojan-activity; flow:established; sid:2001273; rev:8; )
        old: alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE RXBOT / RBOT Exploit Report"; content:"|5D 3A 20|Exploiting|20|IP|3A 20|"; nocase; classtype:trojan-activity;  reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; flow:established;sid:2001220; rev: 2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE RXBOT / RBOT Exploit Report"; content:"|5D 3A 20|Exploiting|20|IP|3A 20|"; nocase; classtype:trojan-activity;  reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; flow:established;sid:2001220; rev: 3;)
        old: alert tcp $HOME_NET any -> any 25 (content:"Content-Disposition\: attachment\; filename="; content:"NlJhIn5GWj4mcjUifkZaMmpGejZpImom"; nocase; within:1280; flow:established,to_server; msg:"BLEEDING-EDGE VIRUS Sober.F Outbound"; classtype:trojan-activity; sid:2001284; rev:2; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"Content-Disposition\: attachment\; filename="; content:"NlJhIn5GWj4mcjUifkZaMmpGejZpImom"; nocase; within:1280; flow:established,to_server; msg:"BLEEDING-EDGE VIRUS Sober.F Outbound"; classtype:trojan-activity; sid:2001284; rev:3; )
        old: alert tcp $HOME_NET any -> any any (content:"gICAgICAgICAgICAgICAgICAg"; content:"|57 69 6E 64 6F 77 73 2D 31 32 35 32|"; msg:"BLEEDING-EDGE VIRUS MyDoom.F Worm"; classtype:trojan-activity; flow:to_server,established; sid:2001279; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET any (content:"gICAgICAgICAgICAgICAgICAg"; content:"|57 69 6E 64 6F 77 73 2D 31 32 35 32|"; msg:"BLEEDING-EDGE VIRUS MyDoom.F Worm"; classtype:trojan-activity; flow:to_server,established; sid:2001279; rev:4; )
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Netsky.Z Worm - outgoing detected"; content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4"; threshold: type limit, track by_src, count 10 , seconds 60; nocase; reference:url,secunia.com/virus_information/8911/;classtype:misc-activity; flow:established; sid:2001603; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus Netsky.Z Worm - outgoing detected"; content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4"; threshold: type limit, track by_src, count 10 , seconds 60; nocase; reference:url,secunia.com/virus_information/8911/;classtype:misc-activity; flow:established; sid:2001603; rev:3;)
        old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel - outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; flow:established; classtype:trojan-activity; sid:2001567; rev:4;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus Bagel - outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; flow:established; classtype:trojan-activity; sid:2001567; rev:4;)
        old: alert tcp $HOME_NET any -> any 25 (content:"The message contains Unicode characters"; nocase; content:"Content-Type\: application/octet-stream"; nocase; content:"Content-Transfer-Encoding\: base64"; nocase; msg:"BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 3"; classtype:trojan-activity; flow:to_server,established; sid:2001276; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"The message contains Unicode characters"; nocase; content:"Content-Type\: application/octet-stream"; nocase; content:"Content-Transfer-Encoding\: base64"; nocase; msg:"BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 3"; classtype:trojan-activity; flow:to_server,established; sid:2001276; rev:4; )
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm outbound detected"; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; threshold: type limit, track by_src, count 10 , seconds 60; nocase; classtype:misc-activity; flow:established; sid:2001578; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Sober.I Worm outbound detected"; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; threshold: type limit, track by_src, count 10 , seconds 60; nocase; classtype:misc-activity; flow:established; sid:2001578; rev:3;)
        old: alert tcp $HOME_NET any -> any 25 (content:"|54|VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"; msg:"BLEEDING-EDGE VIRUS SWEN.A Worm detected"; classtype:trojan-activity; flow:to_server,established; sid:2001268; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"|54|VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"; msg:"BLEEDING-EDGE VIRUS SWEN.A Worm detected"; classtype:trojan-activity; flow:to_server,established; sid:2001268; rev:3;)
        old: alert TCP $HOME_NET any -> any 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.com, exe extensions] - outbound"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001691; rev:3;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.com, exe extensions] - outbound"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001691; rev:4;)
        old: alert tcp any any -> any 5554 (msg:"BLEEDING-EDGE Sasser FTP exploit attempt"; flow:to_server,established; content:"PORT "; depth:5; dsize:>150; classtype:attempted-admin; reference:url,www.lurhq.com/dabber.html; sid:2001548; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 5554 (msg:"BLEEDING-EDGE Sasser FTP exploit attempt"; flow:to_server,established; content:"PORT "; depth:5; dsize:>150; classtype:attempted-admin; reference:url,www.lurhq.com/dabber.html; sid:2001548; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 (content:"7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh"; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; flow:established; sid:2001270; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh"; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; flow:established; sid:2001270; rev:4; )
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS Probable Zafi Virus Outbound via SMTP"; content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"; content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; distance:6; flow:to_server; classtype:misc-activity; sid:2000310; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Probable Zafi Virus Outbound via SMTP"; content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"; content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; distance:6; flow:to_server; classtype:misc-activity; sid:2000310; rev:5;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.zip] - outgoing detected "; content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; flow:established; sid:2001599; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.zip] - outgoing detected "; content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; flow:established; sid:2001599; rev:3;)
        old: alert ip $HOME_NET any -> any any (content:"|28 0E 49 8D B5 17 B9 6C 4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 BF 93|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.a"; classtype:trojan-activity; sid:2001287; rev:3; )
        new: alert ip $HOME_NET any -> $EXTERNAL_NET any (content:"|28 0E 49 8D B5 17 B9 6C 4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 BF 93|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.a"; classtype:trojan-activity; sid:2001287; rev:4; )
        old: alert tcp $HOME_NET any -> any 25 (content:"pp-app.zip"; msg:"BLEEDING-EDGE VIRUS MiMail.P Worm - Mail Attachment"; classtype:trojan-activity; flow:to_server,established; sid:2001272; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"pp-app.zip"; msg:"BLEEDING-EDGE VIRUS MiMail.P Worm - Mail Attachment"; classtype:trojan-activity; flow:to_server,established; sid:2001272; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm"; content:"Authorized Resear cher Only"; pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; content:"filename="; content:".zip"; flow:to_server,established; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak at ...1512...; classtype:trojan-activity; sid:2001291; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm"; content:"Authorized Researcher Only"; pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; content:"filename="; content:".zip"; flow:to_server,established; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak at ...1512...; classtype:trojan-activity; sid:2001291; rev:4;)
        old: alert tcp any any -> any $HTTP_PORTS (content:"GET HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset:0; dsize:37; msg:"BLEEDING-EDGE VIRUS W32.Novarg.A SCO DOS"; classtype:trojan-activity; flow:to_server,established; sid:2001278; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content:"GET HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset:0; dsize:37; msg:"BLEEDING-EDGE VIRUS W32.Novarg.A SCO DOS"; classtype:trojan-activity; flow:to_server,established; sid:2001278; rev:4; )
        old: alert tcp any !$HTTP_PORTS -> any 1639 (msg:"BLEEDING-EDGE WORM Bofra Victim Accessing Reactor Page"; classtype:trojan-activity; content:"GET "; nocase; content:"reactor"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e at ...1512...; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; flow:from_client,established; sid:2001430; rev:5;)
        new: alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639 (msg:"BLEEDING-EDGE WORM Bofra Victim Accessing Reactor Page"; classtype:trojan-activity; content:"GET "; nocase; content:"reactor"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e at ...1512...; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; flow:from_client,established; sid:2001430; rev:6;)
        old: alert tcp any any -> [194.68.45.50,194.134.7.195,193.109.122.67,213.48.150.13,213.48.150.1,129.27.9.248] 6667 (msg:"BLEEDING-EDGE WORM Mydoom.ah/i Infection IRC Activity"; threshold: type limit, track by_src, count 1, seconds 1800; classtype:trojan-activity; sid:2001439; rev:2;)
        new: alert tcp $HOME_NET any -> [194.68.45.50,194.134.7.195,193.109.122.67,213.48.150.13,213.48.150.1,129.27.9.248] 6667 (msg:"BLEEDING-EDGE WORM Mydoom.ah/i Infection IRC Activity"; threshold: type limit, track by_src, count 1, seconds 1800; classtype:trojan-activity; sid:2001439; rev:3;)
        old: alert tcp $HOME_NET any -> any 25 (content:"Mail transaction failed"; nocase; content:"Content-Type\: application/octet-stream"; nocase; content:"Content-Transfer-Encoding\: base64"; nocase; msg:"BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 2"; classtype:trojan-activity; flow:to_server,established; sid:2001275; rev:4; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"Mail transaction failed"; nocase; content:"Content-Type\: application/octet-stream"; nocase; content:"Content-Transfer-Encoding\: base64"; nocase; msg:"BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 2"; classtype:trojan-activity; flow:to_server,established; sid:2001275; rev:5; )
        old: alert tcp $HOME_NET any -> any 1352 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 1352"; classtype:trojan-activity; flow:to_server,established; sid:2001282; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 1352 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 1352"; classtype:trojan-activity; flow:to_server,established; sid:2001282; rev:4; )
        old: alert tcp any any -> any 4321 (msg:"BLEEDING-EDGE Akak trojan protocol hello"; content:"|89 13 00 00|"; dsize:4; flow:established,to_server; reference:url,www.lurhq.com/akak.html; classtype:trojan-activity; sid:2001236; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 4321 (msg:"BLEEDING-EDGE Akak trojan protocol hello"; content:"|89 13 00 00|"; dsize:4; flow:established,to_server; reference:url,www.lurhq.com/akak.html; classtype:trojan-activity; sid:2001236; rev:2;)

     -> Modified active in bleeding-web.rules (1):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Web IDN url seen.."; flow:established; content: "http"; nocase; content: "|3A 2F 2F|"; within: 1; distance: 3; pcre:"/&#[0-9]+\;/R"; sid:2001716; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Web IDN url seen.."; flow:established; content: "http"; nocase; content: "|3A 2F 2F|"; within: 1; distance: 3; pcre:"/&#[0-9]+\;/R"; classtype:misc-activity; sid:2001716; rev:2;)

[///]    Modified inactive rules:    [///]

     -> Modified inactive in bleeding-policy.rules (3):
        old: #alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Yahoo Mail Message Send Info Capture"; flow:to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; classtype: policy-violation; sid:2000045; rev:6;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Yahoo Mail Message Send Info Capture"; flow:to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; classtype: policy-violation; sid:2000045; rev:7;)
        old: #alert tcp any any <> any any (msg:"BLEEDING-EDGE CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; classtype:policy-violation; priority:1; sid:2001260; rev:1;)
        new: #alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; classtype:policy-violation; priority:1; sid:2001260; rev:2;)
        old: #alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Yahoo Mail General Page View"; flow:to_server,established; uricontent:"/ym/login"; nocase; content:".rand="; nocase; classtype: policy-violation; sid:2000341; rev:4;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Yahoo Mail General Page View"; flow:to_server,established; uricontent:"/ym/login"; nocase; content:".rand="; nocase; classtype: policy-violation; sid:2000341; rev:5;)

     -> Modified inactive in bleeding-virus.rules (1):
        old: #alert tcp $HOME_NET 1024:65535 -> any 1034 (msg:"BLEEDING-EDGE Worm Zincite Probing port 1034"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html; flags:S,12; classtype:trojan-activity; sid:2001011; threshold: type threshold, track by_src, count 30,seconds 60; rev:6;)
        new: #alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1034 (msg:"BLEEDING-EDGE Worm Zincite Probing port 1034"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html; flags:S,12; classtype:trojan-activity; sid:2001011; threshold: type threshold, track by_src, count 30,seconds 60; rev:7;)

[---]  Disabled and modified rules:  [---]

     -> Disabled and modified in bleeding-virus.rules (2):
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm - incoming"; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; nocase; classtype:misc-activity; flow:established; sid:2001577; rev:2;)
        new: #alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Sober.I Worm - incoming"; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; nocase; classtype:misc-activity; flow:established; sid:2001577; rev:3;)
        old: alert TCP $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus MyDoom.I worm - inbound"; content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; nocase; reference:url,secunia.com/virus_information/8818/; classtype:misc-activity; flow:established; sid:2001673; rev:1;)
        new: #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus MyDoom.I worm - inbound"; content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; nocase; reference:url,secunia.com/virus_information/8818/; classtype:misc-activity; flow:established; sid:2001673; rev:1;)

[---]         Disabled rules:        [---]

     -> Disabled in bleeding-virus.rules (11):
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Zafi Worm - incoming "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; nocase; classtype:misc-activity; flow:established; sid:2001572; rev:5;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus NetSky.C Worm - incoming"; content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; nocase; reference:url,secunia.com/virus_information/557/; classtype:misc-activity; flow:established; sid:2001590; rev:2;)
        #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - incoming"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001694; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.zip] - incoming detected "; content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; flow:established; sid:2001598; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Netsky.Z Worm - incoming detected"; content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4"; nocase; reference:url,secunia.com/virus_information/8911/; classtype:misc-activity; flow:established; sid:2001602; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"BLEEDING-EDGE WORM RBOT inbound Bestfriends.scr"; content:"http"; nocase; content:"bestfriends.scr"; within:80; nocase; classtype:trojan-activity; flow:established; sid:2001367; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus VBSun.A Tsunami Scam Worm INCOMING"; content:"Tsunami Donation! Please help!"; nocase; content:"Please help us with your donation and view the attachment below!"; nocase; content:"filename="; nocase; content:"tsunami.exe"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/articles/vbsuna.html; flow:established,to_server; sid:2001680; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm [.cmd, .com, .pif or .bat] - incoming detected "; content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; nocase; reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; flow:established; sid:2001600; rev:2;)
        #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Bagel - incoming"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; classtype:trojan-activity; flow:established; sid:2001568; rev:4;)
        #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.com, .exe extensions] - incoming"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001692; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Netsky.P Worm - incoming "; content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; nocase; flow:established; classtype:misc-activity; sid:2001565; rev:4;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-exploit.rules (1):
        #Erik Fichtner

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-exploit.rules (1):
        #Erik Fichtner and Paul Jaramillo

[*] Added files: [*]
    None.




