[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Thu Jan 13 17:27:22 EST 2005


[***] Results from Oinkmaster started Thu Jan 13 20:00:07 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-exploit.rules (3):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in (to blahot.com)"; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; content:"Host\: www.blahot.com"; nocase; flow:to_server,established; sid:20001668; rev:3;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit MS05-002 Malformed .ANI stack overflow attack"; content: "RIFF"; content: "ACON"; distance: 8; content: "anih"; distance: 160;  byte_test:4,>,36,0,relative; flow:to_client,established; classtype: misc-attack; sid:2001668; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in"; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; flow:to_server,established; sid:20001667; rev:3;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-malware.rules (2):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Blazefind Related Spyware"; uricontent:!"/vppImageOnly.js"; nocase; content:"Host\: static.vpptechnologies.com"; nocase; classtype:policy-violation; flow:established,to_server; sid:2001649; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Blazefind Related Spyware"; uricontent:!"/vppImageOnly.js"; nocase; content:"Host\:"; nocase; within:10; content:"vpptechnologies.com"; nocase; classtype:policy-violation; flow:established,to_server; sid:2001651; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-exploit.rules (2):
        #Matt Jonkman and Frank Knobbe
        #By Erik Fichtner

     -> Added to bleeding-sid-msg.map (3):
        2001668 || BLEEDING-EDGE Exploit MS05-002 Malformed .ANI stack overflow attack
        20001667 || BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in
        20001668 || BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in (to blahot.com)

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (2):
        2001649 || BLEEDING-EDGE Malware Blazefind Related Spyware
        2001651 || BLEEDING-EDGE Malware Blazefind Related Spyware

[*] Added files: [*]
    None.
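The MS05-002 rule above keys on one thing: the 4-byte length field that follows the "anih" fourcc in an animated-cursor (RIFF/ACON) file. The ANIHEADER structure is exactly 36 bytes, and the vulnerable loader copied the chunk into a 36-byte stack buffer using the length the file declared, so any anih chunk claiming more than 36 bytes is the overflow trigger. As an added example that is not part of this update or of the Bleeding Snort rule set, the following Python implements that check the way a parser would, walking the RIFF chunks with little-endian sizes, and runs it over constructed samples: a well-formed cursor, an oversized anih chunk, one where the declared size outruns the data, one with a LIST/INFO chunk in front of anih, and the malicious file wrapped in an HTTP response, which is the traffic context the rule inspects. The sample bytes, the HTTP wrapper and all function names are assumptions made for this illustration.

```python
import struct

# sizeof(ANIHEADER): the fixed-size stack buffer that the vulnerable
# LoadAniIcon code copied the "anih" chunk into (MS05-002).
ANIH_HEADER_LEN = 36


def riff_chunks(data, start=12):
    """Yield (fourcc, declared_size, payload_offset) for each RIFF sub-chunk.

    Sizes are read little-endian, as the RIFF container defines them.  The
    walk stops as soon as a chunk header would run past the end of the data,
    so a huge or garbage length field cannot push the reader out of bounds.
    """
    pos = start
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        yield fourcc, size, pos + 8
        pos += 8 + size + (size & 1)  # chunk payloads are padded to an even length


def classify_ani(data):
    """Return 'not-ani', 'benign' or 'ms05-002' for a byte string."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return "not-ani"
    for fourcc, size, _ in riff_chunks(data):
        if fourcc == b"anih":
            # A well-formed header is exactly 36 bytes; the exploit declares more
            # so that the copy into the 36-byte stack buffer overruns it.
            return "ms05-002" if size > ANIH_HEADER_LEN else "benign"
    return "benign"  # no anih chunk at all: unusable as a cursor, not the exploit pattern


def scan_http_response(raw):
    """Apply classify_ani to the body of a raw HTTP response (the rule is to_client)."""
    _head, sep, body = raw.partition(b"\r\n\r\n")
    return classify_ani(body) if sep else "not-ani"


def rule_byte_test_as_written(data):
    """Mimic the rule's byte_test:4,>,36,0,relative literally.

    Without the `little` modifier Snort's byte_test reads big-endian, so the
    four bytes after "anih" are interpreted the wrong way round for RIFF.
    """
    idx = data.find(b"anih")
    if idx < 0 or idx + 8 > len(data):
        return False
    (size,) = struct.unpack_from(">I", data, idx + 4)
    return size > 36


def build_ani(anih_size, anih_payload=None, leading_chunks=b""):
    """Build a constructed .ANI container for the samples below (test input, not a real cursor)."""
    if anih_payload is None:
        anih_payload = struct.pack("<I", anih_size) + b"\x00" * (anih_size - 4)
    body = leading_chunks + b"anih" + struct.pack("<I", anih_size) + anih_payload
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


# Constructed samples (not captured traffic).
BENIGN = build_ani(36)
MALICIOUS = build_ani(0x200, anih_payload=b"A" * 0x200)
TRUNCATED = build_ani(0x200, anih_payload=b"A" * 16)  # declared size outruns the data
INFO_LIST = (b"LIST" + struct.pack("<I", 18) + b"INFO"
             + b"INAM" + struct.pack("<I", 6) + b"hello\x00")
WITH_LIST = build_ani(36, leading_chunks=INFO_LIST)  # anih sits behind a LIST/INFO chunk
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                   b"Content-Length: " + str(len(MALICIOUS)).encode() + b"\r\n\r\n" + MALICIOUS)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("malicious", MALICIOUS),
                       ("truncated", TRUNCATED), ("with LIST", WITH_LIST)]:
        print(f"{name:10s} classify={classify_ani(blob):9s} "
              f"rule-as-written={rule_byte_test_as_written(blob)}")
    print("http response:", scan_http_response(SAMPLE_RESPONSE))
```

The function rule_byte_test_as_written is there for the caveat: Snort's byte_test treats the bytes as big-endian unless the `little` modifier is given, while RIFF stores chunk sizes little-endian. A well-formed anih chunk has the size bytes 24 00 00 00, which a big-endian read turns into 0x24000000, so that comparison also passes on benign cursors; the chunk walker above reads the field the way the file format defines it.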
