[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Sun Jan 16 17:01:03 EST 2005


[***] Results from Oinkmaster started Sun Jan 16 20:00:02 2005 [***]

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (1):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING_EDGE Malware JoltID Agent P2P via Proxy Server"; content:"POST http\://"; nocase; content:"\:3531/.pkt"; within:20; nocase; flow:to_server,established; sid:2001679; rev:2;)
        new: alert tcp $HOME_NET any -> any any (msg:"BLEEDING_EDGE Malware JoltID Agent P2P via Proxy Server"; content:"POST http\://"; nocase; content:"\:3531/.pkt"; within:20; nocase; flow:to_server,established; sid:2001679; rev:3;)

     -> Modified active in bleeding-virus.rules (4):
        old: alert icmp $HOME_NET any -> any any (content:"|28 0E 49 8D B5 17 B9 6C 4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 BF 93|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.a"; classtype:trojan-activity; sid:2001287; rev:2; )
        new: alert ip $HOME_NET any -> any any (content:"|28 0E 49 8D B5 17 B9 6C 4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 BF 93|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.a"; classtype:trojan-activity; sid:2001287; rev:3; )
        old: alert icmp $HOME_NET any -> any 25 (content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; distance:2; within:20; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; distance:16; within:40; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; distance:16; within:30; msg:"BLEEDING-EDGE VIRUS Outbound W32.Novarg.A worm"; classtype:trojan-activity; sid:2001273; rev:6; )
        new: alert tcp $HOME_NET any -> any 25 (content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; distance:2; within:20; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; distance:16; within:40; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; distance:16; within:30; msg:"BLEEDING-EDGE VIRUS Outbound W32.Novarg.A worm"; classtype:trojan-activity; flow:established; sid:2001273; rev:7; )
        old: alert icmp $HOME_NET any -> any any (content:"|FE 26 B9 92 CB 12 FC FA FF 8E 01 3B D0 05 0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74 03 76|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.b"; classtype:trojan-activity; sid:2001288; rev:2; )
        new: alert ip $HOME_NET any -> any any (content:"|FE 26 B9 92 CB 12 FC FA FF 8E 01 3B D0 05 0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74 03 76|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.b"; classtype:trojan-activity; sid:2001288; rev:3; )
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Virus Rbot IRC activity - giuse.ns0.it"; content:"giuse.ns0.it"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity;  sid:2001629; rev:1;)
        new: alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg: "BLEEDING-EDGE Virus Rbot DNS Lookup - giuse.ns0.it"; content:"giuse.ns0.it"; reference:url,secunia.com/virus_information/11709/; classtype: misc-activity; sid:2001629; rev:2;)
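Two of the rules in this batch are worth checking before deploying them. The rewritten sid:2001679 keeps `within:20` between the end of "POST http://" and ":3531/.pkt", so the proxy target between them can be at most 10 bytes long; under Snort's documented `within` semantics (the pattern must be found entirely inside the N bytes after the previous match) a dotted IP of 11 or more characters slips past it. The new sid:2001629 moves to UDP/53 but matches the dotted string "giuse.ns0.it", which never appears in a DNS question: the wire format carries length-prefixed labels (|05|giuse|03|ns0|02|it|00|). The Python below is an added example, not part of this Oinkmaster report or the Bleeding Snort ruleset; it models only content/nocase/distance/within (no fast-pattern, normalization, offset or depth), and the HTTP payloads and DNS query are constructed here with placeholder addresses.

```python
"""Added example (not part of the Oinkmaster report or the Bleeding Snort
rules): a minimal model of Snort content / nocase / distance / within
matching, run against constructed payloads for sid:2001679 (JoltID via
proxy) and sid:2001629 (Rbot DNS lookup)."""
import struct


def dns_qname(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels (RFC 1035 s3.1):
    each label is prefixed by its length and the name ends with a zero byte."""
    labels = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                      for label in name.split("."))
    return labels + b"\x00"


def dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build the UDP payload of a standard A-record query for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + dns_qname(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def match_contents(payload: bytes, contents) -> bool:
    """Evaluate an ordered list of (pattern, modifiers) content matches.

    Modifiers follow Snort's documented semantics: `nocase` compares
    case-insensitively; `distance` skips N bytes after the end of the
    previous match; `within` limits the search to N bytes after that
    point, and the whole pattern must fit inside that window.  A content
    with neither distance nor within searches the entire payload.
    """
    cursor = 0                      # end offset of the previous match
    for pattern, mods in contents:
        hay = payload
        if mods.get("nocase"):
            hay, pattern = hay.lower(), pattern.lower()
        if "distance" in mods or "within" in mods:
            start = cursor + mods.get("distance", 0)
            end = start + mods["within"] if "within" in mods else len(hay)
        else:
            start, end = 0, len(hay)
        idx = hay.find(pattern, start, end)   # match must lie entirely in [start, end)
        if idx < 0:
            return False
        cursor = idx + len(pattern)
    return True


# sid:2001679 rev:3 as listed above; "\:" in the rule is Snort's escape for ':'.
JOLTID_CONTENTS = [
    (b"POST http://", {"nocase": True}),
    (b":3531/.pkt", {"nocase": True, "within": 20}),
]

# sid:2001629 rev:2 as listed above: the dotted hostname as a plain string.
RBOT_DNS_LITERAL = [(b"giuse.ns0.it", {})]

# The same name as it appears on the wire in a DNS question
# (|05|giuse|03|ns0|02|it|00| in Snort hex notation).
RBOT_DNS_WIRE = [(dns_qname("giuse.ns0.it"), {})]


def joltid_matches(http_payload: bytes) -> bool:
    return match_contents(http_payload, JOLTID_CONTENTS)


def rbot_literal_matches(dns_payload: bytes) -> bool:
    return match_contents(dns_payload, RBOT_DNS_LITERAL)


def rbot_wire_matches(dns_payload: bytes) -> bool:
    return match_contents(dns_payload, RBOT_DNS_WIRE)


if __name__ == "__main__":
    # Constructed proxy-style requests; the addresses are placeholders.
    short_host = b"POST http://10.0.0.5:3531/.pkt HTTP/1.0\r\nHost: 10.0.0.5:3531\r\n\r\n"
    long_host = b"POST http://192.168.100.200:3531/.pkt HTTP/1.0\r\nHost: 192.168.100.200:3531\r\n\r\n"
    print("JoltID, 8-char host  :", joltid_matches(short_host))  # True
    print("JoltID, 15-char host :", joltid_matches(long_host))   # False: ":3531/.pkt" ends
                                                                 # past the 20-byte within window
    query = dns_query("giuse.ns0.it")                             # constructed lookup
    print("Rbot DNS, dotted literal  :", rbot_literal_matches(query))  # False
    print("Rbot DNS, wire-format name:", rbot_wire_matches(query))     # True
```

The DNS result is the one to act on: a lookup for the C2 name will not trigger the UDP/53 rule as written, and the plain string would only be seen in something like a TXT record or an unencoded HTTP body. Replacing the content with the length-prefixed form (`content:"|05|giuse|03|ns0|02|it|00|"`) is the usual fix. For the JoltID rule, widening `within` or dropping it in favour of a `pcre` over the host portion covers proxy targets longer than 10 bytes.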

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (1):
        2001629 || BLEEDING-EDGE Virus Rbot DNS Lookup - giuse.ns0.it || url,secunia.com/virus_information/11709/

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2001629 || BLEEDING-EDGE Virus Rbot IRC activity - giuse.ns0.it || url,secunia.com/virus_information/11709/

[*] Added files: [*]
    None.
