[Snort-sigs] Bleedingsnort.com Daily Update

Mon Jan 3 18:04:19 EST 2005


[***] Results from Oinkmaster started Mon Jan  3 21:00:11 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE W32/Bagle.dldr Trojan - download attempt"; uricontent:"zoo.jpg"; reference:url,secunia.com/virus_information/13085/; classtype:misc-activity; flow:established; sid: 2001638; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-scan.rules (1):
        old: alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seconds 120; flowbits:set,ssh.brute.attempt; classtype:attempted-dos; sid:2001219; rev:7;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seconds 120; flowbits:set,ssh.brute.attempt; classtype:attempted-dos; sid:2001219; rev:8;)

     -> Modified active in bleeding-web.rules (3):
        old: alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit phpBB Highlight Exploit Attempt"; content:"&highlight=%2527%252Esystem("; nocase; flow:to_server,established; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001605; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit phpBB Highlight Exploit Attempt"; content:"&highlight=%2527%252Esystem("; nocase; flow:to_server,established; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001605; rev:2;)
        old: alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization"; flow:to_server,established; content:"GET"; nocase; content:"|5C|"; nocase; depth:100; content:"aspx"; distance:100; nocase; sid:2001342; rev:10;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization"; flow:to_server,established; content:"GET"; nocase; content:"|5C|"; nocase; depth:100; content:"aspx"; distance:100; nocase; sid:2001342; rev:11;)
        old: alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow:to_server,established; content:"GET"; nocase; content:"%5C"; depth:100; content:"aspx"; distance:100; sid:2001343; rev:9;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow:to_server,established; content:"GET"; nocase; content:"%5C"; depth:100; content:"aspx"; distance:100; sid:2001343; rev:10;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (1):
        2001638 || BLEEDING-EDGE W32/Bagle.dldr Trojan - download attempt || url,secunia.com/virus_information/13085/

     -> Added to bleeding-virus.rules (1):
        #	Bagle Trojan - W32/Bagle.dldr from Mark Scott

[*] Added files: [*]
    None.
