[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Fri Jan 14 17:01:07 EST 2005


[***] Results from Oinkmaster started Fri Jan 14 20:00:03 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-exploit.rules (2):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in"; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; flow:to_server,established; sid:2001667; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in (to blahot.com)"; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; content:"Host\: www.blahot.com"; nocase; flow:to_server,established; sid:2001671; rev:3;)

     -> Added to bleeding-virus.rules (2):
        alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus MyDoom.I worm - outbound"; content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; nocase; reference:url,secunia.com/virus_information/8818/; classtype:misc-activity; flow:established; sid:2001672; rev:1;)
        alert TCP $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus MyDoom.I worm - inbound"; content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; nocase; reference:url,secunia.com/virus_information/8818/; classtype:misc-activity; flow:established; sid:2001673; rev:1;)

     -> Added to bleeding-web.rules (4):
        alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE Proxy POST Request"; flow:to_server,established; content:"POST http\://"; depth:12; nocase; classtype:bad-unknown; sid:2001674; rev:1;)
        alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE Proxy CONNECT Request"; flow:to_server,established; content:"CONNECT "; depth:8; nocase; classtype:bad-unknown; sid:2001675; rev:1;)
        alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE Web Proxy HEAD Request"; flow:to_server,established; content:"HEAD http\://"; depth:12; nocase; classtype:bad-unknown; sid:2001670; rev:2;)
        alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE Web Proxy GET Request"; flow:to_server,established; content:"GET http\://"; depth:11; nocase; classtype:bad-unknown; sid:2001669; rev:1;)

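What the two MyDoom.I rules (SIDs 2001672/2001673) actually key on is worth knowing before tuning them, so here is an added Python example; it is not part of the Bleeding rule set or of Oinkmaster. The 41-character content string is base64, and decoding its ten complete groups gives the tail of the standard DOS stub found in front of the PE header of Windows executables (int 21h, mov ax,4C01h, int 21h, "This program cannot be r..."). The rule therefore fires on any base64-encoded attachment that carries that stub at one particular 3-byte encoding alignment, not on anything unique to MyDoom.I, and it misses the same stub at the other two alignments. The PE-like blob below is constructed filler with the common stub bytes, not data from a MyDoom sample; nocase on a base64 string only widens the match, since base64 itself is case-sensitive.

```python
import base64
from typing import List

# The content string from bleeding SIDs 2001672/2001673, copied from the rules above.
MYDOOM_SIG = "zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"


def decode_signature(sig: str = MYDOOM_SIG) -> bytes:
    """Decode the base64 signature to the raw bytes it matches.

    The string is 41 characters long: the trailing 'c' carries only the top six
    bits of the next byte (the 'r' of "run"), so only the 40-character prefix,
    ten complete 3-byte groups, can be decoded.
    """
    whole_groups = len(sig) - len(sig) % 4
    return base64.b64decode(sig[:whole_groups])


# Constructed stand-in for the start of a Windows executable: a zeroed 64-byte MZ
# header, the common DOS stub, and filler. Nothing here comes from a MyDoom sample.
DOS_STUB = (
    b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    b"This program cannot be run in DOS mode.\r\r\n$"
)
FAKE_PE = b"MZ" + b"\x00" * 62 + DOS_STUB + b"\x00" * 6 + b"PE\x00\x00" + b"\x00" * 32


def encode_at_alignment(data: bytes, lead: int) -> str:
    """Base64 of `lead` filler bytes followed by data, i.e. data shifted by `lead`
    bytes relative to the 3-byte encoding groups of the message body."""
    return base64.b64encode(b"\x00" * lead + data).decode("ascii")


def rule_matches(payload: str, nocase: bool = True) -> bool:
    """Snort content match: a plain substring test, case-insensitive under nocase."""
    if nocase:
        return MYDOOM_SIG.lower() in payload.lower()
    return MYDOOM_SIG in payload


def matching_alignments(data: bytes) -> List[int]:
    """Which of the three possible base64 alignments of `data` trigger the rule."""
    return [lead for lead in range(3) if rule_matches(encode_at_alignment(data, lead))]


if __name__ == "__main__":
    print(decode_signature())            # b'\xcd!\xb8\x01L\xcd!This program cannot be '
    print(matching_alignments(FAKE_PE))  # [1]
```

For the constructed blob the stub's "int 21h" byte sits at file offset 71, so only the encoding with one byte of lead lands the 3-byte groups where the signature expects them; the same file encoded from offset 0 does not trigger the rule. Whether a real executable hits depends solely on where its stub bytes fall, which is the property to check against samples before treating an alert as MyDoom-specific.
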
[///]     Modified active rules:     [///]

     -> Modified active in bleeding-exploit.rules (1):
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit MS05-002 Malformed .ANI stack overflow attack"; content: "RIFF"; content: "ACON"; distance: 8; content: "anih"; distance: 160;  byte_test:4,>,36,0,relative; flow:to_client,established; classtype: misc-attack; sid:2001668; rev:1;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit MS05-002 Malformed .ANI stack overflow attack"; content: "RIFF"; content: "ACON"; distance: 8; content: "anih"; distance: 160;  byte_test:4,>,36,0,relative,little; flow:to_client,established; classtype: misc-attack; sid:2001668; rev:2;)

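The rev:1 to rev:2 change above is a single word, "little", and it decides whether the rule works at all. RIFF writes every chunk size as a little-endian DWORD, while Snort's byte_test converts big-endian unless told otherwise, so rev:1 read a well-formed 36-byte anih header (24 00 00 00) as 0x24000000 and fired on every .ANI file; only with the little modifier does the comparison against 36, the size of the ANIHEADER structure the MS05-002 code copies into a fixed stack buffer, mean what the rule intends. The following added Python example, not code from the Bleeding project, builds a constructed minimal RIFF/ACON container and emulates the byte_test both ways. It checks only the chunk layout and the size field, not the rule's distance constraints; in a standard .ANI the ACON fourcc sits at offset 8 and anih normally follows at offset 12, and Snort's distance counts from the end of the previous match rather than from the start of the packet, so verify the distance values against real samples before relying on the rule.

```python
import struct
from typing import Optional

ANIH_SIZE = 36  # sizeof(ANIHEADER); the threshold in the rule's byte_test


def build_ani(anih_length: int, payload: Optional[bytes] = None) -> bytes:
    """Constructed minimal RIFF/ACON container holding a single anih chunk.

    `anih_length` is written into the chunk's 4-byte little-endian size field,
    which is the value the rule's byte_test inspects; the payload defaults to
    that many zero bytes so the container stays self-consistent.
    """
    if payload is None:
        payload = b"\x00" * anih_length
    chunk = b"anih" + struct.pack("<I", anih_length) + payload
    body = b"ACON" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def anih_length_field(data: bytes, little: bool) -> Optional[int]:
    """Read the anih size field the way byte_test:4,>,36,0,relative does.

    byte_test converts big-endian unless the `little` modifier is given, while
    RIFF stores chunk sizes little-endian. Returns None when the data is not a
    RIFF/ACON container with an anih chunk.
    """
    if data[0:4] != b"RIFF" or data[8:12] != b"ACON":
        return None
    pos = data.find(b"anih", 12)
    if pos < 0 or pos + 8 > len(data):
        return None
    return struct.unpack("<I" if little else ">I", data[pos + 4:pos + 8])[0]


def rule_fires(data: bytes, little: bool) -> bool:
    """rev:1 behaviour with little=False, rev:2 behaviour with little=True."""
    value = anih_length_field(data, little)
    return value is not None and value > ANIH_SIZE


if __name__ == "__main__":
    benign = build_ani(ANIH_SIZE)          # well-formed header, size field 24 00 00 00
    oversized = build_ani(ANIH_SIZE + 4)   # header claiming 40 bytes, the overflow case
    for label, sample in (("benign", benign), ("oversized", oversized)):
        print(label, "rev1:", rule_fires(sample, little=False),
              "rev2:", rule_fires(sample, little=True))
```

Run stand-alone it prints that rev:1 fires on both samples and rev:2 only on the oversized one, which is exactly the false-positive flood the "little" modifier removes.
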
[---]         Removed rules:         [---]

     -> Removed from bleeding-exploit.rules (2):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in (to blahot.com)"; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; content:"Host\: www.blahot.com"; nocase; flow:to_server,established; sid:20001668; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in"; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; flow:to_server,established; sid:20001667; rev:3;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (8):
        2001667 || BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in
        2001669 || BLEEDING-EDGE Web Proxy GET Request
        2001670 || BLEEDING-EDGE Web Proxy HEAD Request
        2001671 || BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in (to blahot.com)
        2001672 || BLEEDING-EDGE Virus MyDoom.I worm - outbound || url,secunia.com/virus_information/8818/
        2001673 || BLEEDING-EDGE Virus MyDoom.I worm - inbound || url,secunia.com/virus_information/8818/
        2001674 || BLEEDING-EDGE Proxy POST Request
        2001675 || BLEEDING-EDGE Proxy CONNECT Request

     -> Added to bleeding-virus.rules (1):
        #	MyDoom.I created by Mark Scott, 1/5/2005

     -> Added to bleeding-web.rules (1):
        #From Adam Hogan

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (2):
        20001667 || BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in
        20001668 || BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in (to blahot.com)

[*] Added files: [*]
    None.
