[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Tue Jan 11 18:01:11 EST 2005


[***] Results from Oinkmaster started Tue Jan 11 21:00:02 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (2):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Metarewards Spyware Activity"; classtype:policy-violation; content:"Host\: www.metareward.com"; nocase; flow:to_server,established; sid:2001666; rev:1;)
        alert tcp $HOME_NET any -> 216.151.85.195 $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Unknown Suspicious PrintMe Suspected Spyware"; content:"PrintMe"; classtype:bad-unknown; sid:2001665; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-scan.rules (3):
        old: pass tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 1"; flags:S,12; dsize:24; window:2048; id:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001609; rev:3;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 1"; flags:S,12; dsize:24; window:2048; id:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001609; rev:4;)
        old: pass tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 3"; flags:S,12; dsize:24; window:2048; id:3; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001611; rev:3;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 3"; flags:S,12; dsize:24; window:2048; id:3; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001611; rev:4;)
        old: pass tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 2"; flags:S,12; dsize:24; window:2048; id:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001610; rev:3;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 2"; flags:S,12; dsize:24; window:2048; id:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001610; rev:4;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-attack_response.rules (1):
        alert tcp any any -> any !6661:6668 (msg:"BLEEDING-EDGE IRC - Nick change on non-std port"; content: "NICK "; offset:0; depth:5; nocase; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:policy-violation; sid:2000344; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (1):
        #By Joel Esler

     -> Added to bleeding-scan.rules (1):
        #Note: These are more effective as pass rules to avoid getting hits on other rules that don't really apply. This is benign load balancer probe traffic.

     -> Added to bleeding-sid-msg.map (2):
        2001665 || BLEEDING-EDGE Malware Unknown Suspicious PrintMe Suspected Spyware
        2001666 || BLEEDING-EDGE Malware Metarewards Spyware Activity

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-scan.rules (1):
        #Note: These are pass rules to avoid getting hits on other rules that don't really apply. This is benign load balancer probe traffic.

     -> Removed from bleeding-sid-msg.map (1):
        2000344 || BLEEDING-EDGE IRC - Nick change on non-std port

[*] Added files: [*]
    None.
