[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Thu Feb 24 17:03:04 EST 2005


[***] Results from Oinkmaster started Thu Feb 24 20:00:04 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-exploit.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"BLEEDING-EDGE Exploit Shoutcast file request overflow"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/content\//i"; pcre:"/\x06\x41\x41[\x81\x23][\xD0\xEB][\x01\xBE][\x78\x77]/"; flow:established,to_server; classtype:misc-attack; sid:2001751; rev:2;)

     -> Added to bleeding-virus.rules (2):
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Sober.K Worm - incoming detected"; content:"UEsDBAoAAAAAAAAwVTKUjZv16MkAAOjJAABCAAAAZG9jX2RhdGEtdGV4dC50eHQgICAgICAgICAg"; nocase; reference:url,secunia.com/search/?search=sober.k; classtype:misc-activity; flow:established;  sid:2001749; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Sober.K Worm - outgoing detected"; content:"UEsDBAoAAAAAAAAwVTKUjZv16MkAAOjJAABCAAAAZG9jX2RhdGEtdGV4dC50eHQgICAgICAgICAg"; nocase; reference:url,secunia.com/search/?search=sober.k; classtype:misc-activity; flow:established;  sid:2001750; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-exploit.rules (1):
        #by Nicholas Nachefski

     -> Added to bleeding-sid-msg.map (3):
        2001749 || Sober.K Worm - incoming detected || url,secunia.com/search/?search=sober.k
        2001750 || Sober.K Worm - outgoing detected || url,secunia.com/search/?search=sober.k
        2001751 || BLEEDING-EDGE Exploit Shoutcast file request overflow

     -> Added to bleeding-virus.rules (1):
        #Submitted by Mark Scott, 2/24/2005, for Sober.K

[*] Added files: [*]
    None.




