[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Sun Jan 9 18:01:02 EST 2005


[***] Results from Oinkmaster started Sun Jan  9 21:00:03 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic"; classtype:policy-violation; content:"Host\: kd.barcfg.myway.com"; nocase; flow:to_server,established; sid:2001663; rev:1;)

[+++]         Enabled rules:         [+++]

     -> Enabled in bleeding-malware.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Gator Ad Retrieval"; content:"Host\: webpdp.gator.com"; nocase; classtype:policy-violation; flow:to_server,established; sid:2001014; rev:3;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-scan.rules (3):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 1"; flags:S,12; dsize:24; window:2048; id:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001609; rev:2;)
        new: pass tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 1"; flags:S,12; dsize:24; window:2048; id:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001609; rev:3;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 3"; flags:S,12; dsize:24; window:2048; id:3; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001611; rev:2;)
        new: pass tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 3"; flags:S,12; dsize:24; window:2048; id:3; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001611; rev:3;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 2"; flags:S,12; dsize:24; window:2048; id:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001610; rev:2;)
        new: pass tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 2"; flags:S,12; dsize:24; window:2048; id:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001610; rev:3;)

[---]         Disabled rules:        [---]

     -> Disabled in bleeding-policy.rules (1):
        #alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Policy SSH Successful user connection"; dsize:52; flags:AP; threshold: type both, track by_src, count 3, seconds 60; classtype:successful-user; sid:2001637; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-attack_response.rules (1):
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Successful user connection AFTER Brute Force Attack"; flowbits:isset,ssh.brute.attempt; threshold:type both, track by_src, count 2, seconds 60; dsize:52; flags:AP; classtype:successful-user; rev:3;)

     -> Added to bleeding-scan.rules (1):
        #Note: These are pass rules to avoid getting hits on other rules that don't really apply. This is benign load balancer probe traffic.

     -> Added to bleeding-sid-msg.map (1):
        2001663 || BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-attack_response.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Successful user connection AFTER Brute Force Attack"; flowbits:isset,ssh.brute.attempt; threshold:type both, track by_src, count 2, seconds 60; dsize:52; flags:AP; classtype:successful-user; rev:3;)

     -> Removed from bleeding-scan.rules (1):
        # Note: These rules are more practical as PASS rules, or with suppression in threshold.conf, to ignore harmless load-balancer probes

[*] Added files: [*]
    None.