[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Wed Jan 12 18:01:07 EST 2005


[***] Results from Oinkmaster started Wed Jan 12 21:00:02 2005 [***]

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (9):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Installation"; uricontent:"/DLhelper/version7/dlhelper.cab"; nocase; classtype:trojan-activity; sid:2001641; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Installation"; uricontent:"/DLhelper/version7/dlhelper.cab"; nocase; classtype:trojan-activity; flow:established,to_server; sid:2001641; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Installation"; uricontent:"/1/DownloadHNew.asp?btag="; nocase; classtype:trojan-activity; sid:2001643; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Installation"; uricontent:"/1/DownloadHNew.asp?btag="; nocase; classtype:trojan-activity; flow:established,to_server; sid:2001643; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Casino App Install"; uricontent:"/viper/thunderluck/00"; nocase; classtype:trojan-activity; sid:2001645; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Casino App Install"; uricontent:"/viper/thunderluck/00"; nocase; classtype:trojan-activity; flow:established,to_server; sid:2001645; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Blazefind Related Spyware"; content:"Host\: static.vpptechnologies.com"; nocase; classtype:policy-violation; flow:established,to_server; sid:2001649; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Blazefind Related Spyware"; uricontent:!"/vppImageOnly.js"; nocase; content:"Host\: static.vpptechnologies.com"; nocase; classtype:policy-violation; flow:established,to_server; sid:2001649; rev:2;)
        old: alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg:"BLEEDING-EDGE Malware JoltID Agent Requesting File"; classtype:trojan-activity; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; content:"GIVE "; content:"User-Agent\: PeerEnabler"; sid:2001654; rev:1;)
        new: alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg:"BLEEDING-EDGE Malware JoltID Agent Requesting File"; classtype:trojan-activity; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; content:"GIVE "; content:"User-Agent\: PeerEnabler"; flow:established,to_server; sid:2001654; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Blazefind Related Spyware"; content:"Host\:"; nocase; within:10; content:"vpptechnologies.com"; nocase; classtype:policy-violation; flow:established,to_server; sid:2001651; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Blazefind Related Spyware"; uricontent:!"/vppImageOnly.js"; nocase; content:"Host\:"; nocase; within:10; content:"vpptechnologies.com"; nocase; classtype:policy-violation; flow:established,to_server; sid:2001651; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Activity"; content:"User-Agent\: MGS-Internal-Web-Manager"; nocase; classtype:trojan-activity; sid:2001642; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Activity"; content:"User-Agent\: MGS-Internal-Web-Manager"; nocase; classtype:trojan-activity; flow:established,to_server; sid:2001642; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Reporting Installation"; uricontent:"/dlhelper/downloadlogger2.asp?time="; nocase; classtype:trojan-activity; sid:2001644; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Microgaming.com Spyware Reporting Installation"; uricontent:"/dlhelper/downloadlogger2.asp?time="; nocase; classtype:trojan-activity; flow:established,to_server; sid:2001644; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"BLEEDING-EDGE Malware JoltID Agent New Code Download"; classtype:trojan-activity; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; content:"User-Agent\: PeerEnabler"; sid:2001652; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"BLEEDING-EDGE Malware JoltID Agent New Code Download"; classtype:trojan-activity; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; content:"User-Agent\: PeerEnabler"; flow:established; sid:2001652; rev:4;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-malware.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Gator Ad Retrieval"; content:"Host\: webpdp.gator.com"; nocase; classtype:policy-violation; flow:to_server,established; sid:2001014; rev:3;)

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2001014 || BLEEDING-EDGE Malware Gator Ad Retrieval

[*] Added files: [*]
    None.
