[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Sat Jan 8 18:01:17 EST 2005


[***] Results from Oinkmaster started Sat Jan  8 21:00:03 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (8):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware GlobalPhon.com Dialer"; flow:to_server,established; content:"Host\: www.globalphon.com"; classtype:trojan-activity; sid:2001656; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware GlobalPhon.com Dialer"; flow:to_server,established; uricontent:"/add_ocx.asp?id="; nocase; content:"globalphon.com"; nocase; classtype:trojan-activity; sid:2001660; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic"; classtype:policy-violation; content:"(Compatible\; MyWay)"; nocase; flow:to_server,established; sid:2001662; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware GlobalPhon.com Dialer Download"; flow:to_server,established; uricontent:"/dialer/internazionale_ver"; nocase; uricontent:".CAB"; nocase; classtype:trojan-activity; sid:2001657; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic"; classtype:policy-violation; content:"Host\: kd.barcfg.myway.com"; nocase; flow:to_server,established; sid:2001661; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Comet Systems Spyware Traffic"; uricontent:"/context/1/up_context_1.xml"; nocase; flow:to_server,established; sid:2001655; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Comet Systems Spyware Reporting"; flow:to_server,established; content:"Host\: log.cc.cometsystems.com"; nocase; classtype:policy-violation; reference:url,www.pestpatrol.com/PestInfo/c/cometsystems.asp; sid:2001658; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware GlobalPhon.com Dialer"; flow:to_server,established; uricontent:"/no_pop.asp?id="; nocase; content:"globalphon.com"; nocase; classtype:trojan-activity; sid:2001659; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (2):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Cometsystems Update Engine"; flow:to_server,established; content:"GET /cc/"; depth:8;content:"Host|3a|"; within:300; content:"update.cc.cometsystems.com"; within:40; classtype:policy-violation; reference:url,www.pestpatrol.com/PestInfo/c/cometsystems.asp; sid:2000931; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Comet Systems Spyware Traffic"; flow:to_server,established; uricontent:"/cc/"; content:"Host\: update.cc.cometsystems.com"; classtype:policy-violation; reference:url,www.pestpatrol.com/PestInfo/c/cometsystems.asp; sid:2000931; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Altnet PeerPoints Manager Settings Download"; uricontent:"/pointsmanager/seettings.cab?"; nocase; flow:to_server,established; classtype:policy-violation; sid:2000907; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Altnet PeerPoints Manager Settings Download"; uricontent:"/pointsmanager/settings.cab?"; nocase; flow:to_server,established; classtype:policy-violation; sid:2000907; rev:5;)

     -> Modified active in bleeding-policy.rules (1):
        old: alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Policy SSH Successful user connection"; dsize:100; flags:AP; threshold: type both, track by_src, count 2, seconds 60; classtype:successful-user; sid:2001637; rev:1;)
        new: alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Policy SSH Successful user connection"; dsize:52; flags:AP; threshold: type both, track by_src, count 3, seconds 60; classtype:successful-user; sid:2001637; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-attack_response.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Successful user connection AFTER Brute Force Attack"; flowbits:isset,ssh.brute.attempt; threshold:type both, track by_src, count 2, seconds 60; dsize:52; flags:AP; classtype:successful-user; rev:3;)

     -> Added to bleeding-malware.rules (1):
        #Submitted by Jason Haar, modified

     -> Added to bleeding-sid-msg.map (9):
        2000931 || BLEEDING-EDGE Malware Comet Systems Spyware Traffic || url,www.pestpatrol.com/PestInfo/c/cometsystems.asp
        2001655 || BLEEDING-EDGE Malware Comet Systems Spyware Traffic
        2001656 || BLEEDING-EDGE Malware GlobalPhon.com Dialer
        2001657 || BLEEDING-EDGE Malware GlobalPhon.com Dialer Download
        2001658 || BLEEDING-EDGE Malware Comet Systems Spyware Reporting || url,www.pestpatrol.com/PestInfo/c/cometsystems.asp
        2001659 || BLEEDING-EDGE Malware GlobalPhon.com Dialer
        2001660 || BLEEDING-EDGE Malware GlobalPhon.com Dialer
        2001661 || BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic
        2001662 || BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-attack_response.rules (1):
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Successful user connection after Brute Force Attack"; flowbits:isset,ssh.brute.attempt; threshold:type both, track by_src, count 2, seconds 60; dsize:100; flags:AP; classtype:successful-user; rev:2;)

     -> Removed from bleeding-sid-msg.map (1):
        2000931 || BLEEDING-EDGE Malware Cometsystems Update Engine || url,www.pestpatrol.com/PestInfo/c/cometsystems.asp

[*] Added files: [*]
    None.
