[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Sat Jan 15 17:01:05 EST 2005


[***] Results from Oinkmaster started Sat Jan 15 20:00:04 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (3):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING_EDGE Malware JoltID Agent P2P via Proxy Server"; content:"POST http\://"; nocase; content:"\:3531/.pkt"; within:20; nocase; flow:to_server,established; sid:2001679; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Webhancer Data Post"; content:"POST http\://prime.webhancer.com"; nocase; content:"AgentTag\:"; nocase; classtype:trojan-activity; flow:from_server,established; sid:2001677; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Webhancer Agent Activity"; content:"Host\: prime.webhancer.com"; nocase; classtype:trojan-activity; flow:from_server,established; sid:2001678; rev:1;)

     -> Added to bleeding-virus.rules (1):
        alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Virus Bot Reporting/Commencing DDoS"; content:"PRIVMSG"; nocase; pcre:"ddos\.(httpflood|phat(icmp|syn|wonk)|stop|(syn|udp)flood|targa3|syn|ack|random)/i"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; sid:2001676; rev:2;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (1):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware SpywareLabs VirtualBouncer Seeking Instructions"; classtype:trojan-activity; pcre:"m/instructions\/(\d\d).xml/"; flow:to_server,established; sid:2000587; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware SpywareLabs VirtualBouncer Seeking Instructions"; classtype:trojan-activity; pcre:"/instructions\/\d{2}\.xml/mi"; flow:to_server,established; sid:2000587; rev:4;)

     -> Modified active in bleeding-virus.rules (2):
        old: alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Virus IRC Trojan Reporting (mssql)"; content:"PRIVMSG"; nocase; content:"mssql"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,www.nitroguard.com/rxbot.html; sid:2001584; rev:1;)
        new: alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Virus Bot Reporting Scan/Exploit"; content:"PRIVMSG"; nocase; pcre:"/(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc)/i"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; sid:2001584; rev:2;)
        old: alert icmp $HOME_NET any -> any 25 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25"; classtype:trojan-activity; sid:2001283; rev:2; )
        new: alert tcp $HOME_NET any -> any 25 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25"; classtype:trojan-activity; sid:2001283; rev:3;)

[---]         Disabled rules:        [---]

     -> Disabled in bleeding-virus.rules (1):
        #alert tcp $HOME_NET any -> [129.27.9.247,129.27.9.248,161.53.2.81,193.109.122.67,193.109.122.68,193.110.95.1,193.254.240.246,194.134.7.194,194.134.7.195,195.197.175.21,195.204.1.130,195.204.1.132,195.47.220.2,195.54.102.4,195.68.221.221,199.184.165.133,201.224.87.98,204.193.136.54,208.247.17.10,209.67.60.33,212.40.34.230,213.131.131.150,213.48.150.1,213.48.150.13,216.152.77.10,217.169.140.245,217.29.87.254,62.235.13.228,64.235.225.250,66.197.0.145,66.198.160.2,67.15.64.33] 6667:6670 (msg:"BLEEDING-EDGE VIRUS Korgo Worm IRC Connection"; classtype:trojan-activity; sid:2001289; rev:2;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-virus.rules (1):
        alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Virus IRC Trojan Reporting (file transfer)"; content:"PRIVMSG"; nocase; content:"File transfer complete to IP"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,www.nitroguard.com/rxbot.html; sid:2001585; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (5):
        2001584 || BLEEDING-EDGE Virus Bot Reporting Scan/Exploit || url,www.nitroguard.com/rxbot.html || url,cert.uni-stuttgart.de/doc/netsec/bots.php
        2001676 || BLEEDING-EDGE Virus Bot Reporting/Commencing DDoS || url,www.nitroguard.com/rxbot.html || url,cert.uni-stuttgart.de/doc/netsec/bots.php
        2001677 || BLEEDING-EDGE Malware Webhancer Data Post
        2001678 || BLEEDING-EDGE Malware Webhancer Agent Activity
        2001679 || BLEEDING_EDGE Malware JoltID Agent P2P via Proxy Server

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (2):
        2001584 || BLEEDING-EDGE Virus IRC Trojan Reporting (mssql) || url,www.nitroguard.com/rxbot.html
        2001585 || BLEEDING-EDGE Virus IRC Trojan Reporting (file transfer) || url,www.nitroguard.com/rxbot.html

[*] Added files: [*]
    None.
