[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Fri Jan 7 17:52:28 EST 2005


[***] Results from Oinkmaster started Fri Jan  7 20:51:11 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (16):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Search Scout Related Spyware"; content:"Host\: content.searchscout.com"; nocase; classtype:policy-violation; flow:established,to_server; sid:2001650; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Blazefind Related Spyware"; content:"Host\:"; nocase; within:10; content:"vpptechnologies.com"; nocase; classtype:policy-violation; flow:established,to_server; sid:2001651; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Reporting Installation"; uricontent:"/dlhelper/downloadlogger2.asp?time="; nocase; classtype:trojan-activity; sid:2001644; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Installation"; uricontent:"/DLhelper/version7/dlhelper.cab"; nocase; classtype:trojan-activity; sid:2001641; rev:1;)
        alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg:"BLEEDING-EDGE Malware JoltID Agent Requesting File"; classtype:trojan-activity; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; content:"GIVE "; content:"User-Agent\: PeerEnabler"; sid:2001654; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Toprebates.com Install"; uricontent:"/builds/"; nocase; uricontent:"AutoTrack_Install.exe"; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001647; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Installation"; uricontent:"/1/DownloadHNew.asp?btag="; nocase; classtype:trojan-activity; sid:2001643; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Search Scout Related Spyware"; content:"Host\: results.searchscout.com"; nocase; classtype:policy-violation; flow:established,to_server; sid:2001653; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Blazefind Related Spyware"; content:"Host\: static.vpptechnologies.com"; nocase; classtype:policy-violation; flow:established,to_server; sid:2001649; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Activity"; content:"User-Agent\: MGS-Internal-Web-Manager"; nocase; classtype:trojan-activity; sid:2001642; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Wild Tangent Agent Activity"; content:"User-Agent\: Wildtangent Kernel"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001639; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"BLEEDING-EDGE Malware JoltID Agent New Code Download"; classtype:trojan-activity; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; content:"User-Agent\: PeerEnabler"; sid:2001652; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Casino App Install"; uricontent:"/viper/thunderluck/00"; nocase; classtype:trojan-activity; sid:2001645; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Toprebates.com User Confirming Membership"; uricontent:"/cgi/account.plx?pid="; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001648; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Altnet PeerPoints Manager Traffic"; content:"User-Agent\: Peer Points Manager"; nocase; flow:to_server,established; classtype:policy-violation; sid:2001640; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Toprebates.com Install"; uricontent:"/acti.asp?cl=1&gd=1&clpid="; nocase; flow:established,to_server; classtype:trojan-activity; sid:2001646; rev:1;)

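The rules above only alert when every content / uricontent literal is present in the request, with nocase applying to the literal immediately before it. The following is an added example, not part of this update or of Oinkmaster's output: a small Python emulator of just that matching, fed five of the rules copied verbatim from the list above and a handful of constructed HTTP requests (not captured traffic). It honours only content, uricontent and nocase; flow, within, ports, addresses and the URI normalisation Snort's HTTP preprocessor performs before uricontent is evaluated are all ignored, so treat it as a way to sanity-check the literals, not as a substitute for running the rules in Snort. One of the samples shows a caveat worth remembering when writing header matches like `Host\: content.searchscout.com`: the match is byte-exact apart from case, so a client that sends `Host:content.searchscout.com` with no space slips past it.

```python
# Added example (not from the Bleeding Snort update or Oinkmaster): emulate the
# content / uricontent / nocase matching of the rules above on sample requests.
import re
from typing import NamedTuple


class Matcher(NamedTuple):
    kind: str       # "content" (whole payload) or "uricontent" (request URI)
    pattern: str    # literal to search for, Snort backslash escapes removed
    nocase: bool    # case-insensitive comparison


class Rule(NamedTuple):
    sid: int
    msg: str
    matchers: tuple

# Five rules copied verbatim from the update above; raw strings keep the "\:".
RULES = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Search Scout Related Spyware"; content:"Host\: content.searchscout.com"; nocase; classtype:policy-violation; flow:established,to_server; sid:2001650; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Installation"; uricontent:"/DLhelper/version7/dlhelper.cab"; nocase; classtype:trojan-activity; sid:2001641; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Wild Tangent Agent Activity"; content:"User-Agent\: Wildtangent Kernel"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001639; rev:1;)',
    r'alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg:"BLEEDING-EDGE Malware JoltID Agent Requesting File"; classtype:trojan-activity; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; content:"GIVE "; content:"User-Agent\: PeerEnabler"; sid:2001654; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"BLEEDING-EDGE Malware JoltID Agent New Code Download"; classtype:trojan-activity; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; content:"User-Agent\: PeerEnabler"; sid:2001652; rev:3;)',
]

def split_options(body):
    """Split 'k:v; k:v;' on ';' outside double quotes, keeping escape pairs."""
    opts, cur, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # copy escape pair untouched
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return [o for o in opts if o]

def unescape(value):
    """Strip the surrounding quotes and resolve Snort escapes (backslash-colon etc.)."""
    return re.sub(r"\\(.)", r"\1", value.strip()[1:-1])

def parse_rule(text):
    """Keep only what the emulator needs: sid, msg and the ordered match list."""
    body = text[text.index("(") + 1:text.rindex(")")]
    sid, msg, matchers = 0, "", []
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        if key in ("content", "uricontent"):
            matchers.append(Matcher(key, unescape(val), False))
        elif key == "nocase":                  # modifies the preceding match
            matchers[-1] = matchers[-1]._replace(nocase=True)
        elif key == "sid":
            sid = int(val)
        elif key == "msg":
            msg = unescape(val)
    return Rule(sid, msg, tuple(matchers))

PARSED = [parse_rule(r) for r in RULES]

def request_uri(request):
    """Second token of the request line: 'GET /x HTTP/1.1' -> '/x'."""
    parts = request.split("\r\n", 1)[0].split(" ")
    return parts[1] if len(parts) > 1 else ""

def rule_matches(rule, request):
    """All content/uricontent patterns of a rule must be present (AND)."""
    uri = request_uri(request)
    for m in rule.matchers:
        haystack = uri if m.kind == "uricontent" else request
        needle = m.pattern
        if m.nocase:
            haystack, needle = haystack.lower(), needle.lower()
        if needle not in haystack:
            return False
    return True

def fired_sids(request, rules=PARSED):
    """Sorted sids of every rule that would alert on this request."""
    return sorted(r.sid for r in rules if rule_matches(r, request))

# Constructed sample requests, not captured traffic.
SAMPLES = {
    "searchscout": "GET /results?q=x HTTP/1.1\r\nHost: content.searchscout.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "dlhelper_mixed_case": "GET /dlhelper/VERSION7/DLHELPER.CAB HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "wildtangent": "GET /update HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: WildTangent Kernel\r\n\r\n",
    "joltid_give": "GIVE 0123456789abcdef\r\nUser-Agent: PeerEnabler\r\n\r\n",
    "joltid_ua_only": "GET /file HTTP/1.1\r\nUser-Agent: PeerEnabler\r\n\r\n",
    "no_space_after_colon": "GET / HTTP/1.1\r\nHost:content.searchscout.com\r\n\r\n",
    "benign": "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}

if __name__ == "__main__":
    print({name: fired_sids(req) for name, req in SAMPLES.items()})
```

Running the script prints which sids each constructed request would trip: the mixed-case dlhelper.cab URI still hits 2001641 because of nocase, the GIVE request hits both JoltID sids while a bare PeerEnabler User-Agent hits only 2001652, and the Host header without a space after the colon hits nothing.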
[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (1):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MyWebSearch Toolbar Receiving Configuration"; classtype:policy-violation; uricontent:"/myspeedbarcfg2.jsp?"; flow:to_server,established; sid:2000600; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MyWebSearch Toolbar Receiving Configuration"; classtype:policy-violation; uricontent:"/speedbar/mySpeedbarCfg"; nocase; flow:to_server,established; sid:2000600; rev:5;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (4):
        #Matt Jonkman
        #Matt Jonkman
        #Matt Jonkman
        #Matt Jonkman

     -> Added to bleeding-sid-msg.map (16):
        2001639 || BLEEDING-EDGE Malware Wild Tangent Agent Activity
        2001640 || BLEEDING-EDGE Malware Altnet PeerPoints Manager Traffic
        2001641 || BLEEDING-EDGE Malware Microgaming.com Spyware Installation
        2001642 || BLEEDING-EDGE Malware Microgaming.com Spyware Activity
        2001643 || BLEEDING-EDGE Malware Microgaming.com Spyware Installation
        2001644 || BLEEDING-EDGE Malware Microgaming.com Spyware Reporting Installation
        2001645 || BLEEDING-EDGE Malware Microgaming.com Spyware Casino App Install
        2001646 || BLEEDING-EDGE Malware Toprebates.com Install
        2001647 || BLEEDING-EDGE Malware Toprebates.com Install
        2001648 || BLEEDING-EDGE Malware Toprebates.com User Confirming Membership
        2001649 || BLEEDING-EDGE Malware Blazefind Related Spyware
        2001650 || BLEEDING-EDGE Malware Search Scout Related Spyware
        2001651 || BLEEDING-EDGE Malware Blazefind Related Spyware
        2001652 || BLEEDING-EDGE Malware JoltID Agent New Code Download || url,forum.treweeke.com/lofiversion/index.php/t597.html || url,www.joltid.com
        2001653 || BLEEDING-EDGE Malware Search Scout Related Spyware
        2001654 || BLEEDING-EDGE Malware JoltID Agent Requesting File || url,forum.treweeke.com/lofiversion/index.php/t597.html || url,www.joltid.com

[*] Added files: [*]
    None.