[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Mon Jan 17 17:01:06 EST 2005


[***] Results from Oinkmaster started Mon Jan 17 20:00:02 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-policy.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy MSN IM Poll via HTTP"; uricontent:"/gateway/gateway.dll?Action=poll&SessionID="; nocase; sid:2001682; rev:1;)

     -> Added to bleeding-virus.rules (3):
        alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus VBSun.A Tsunami Scam Worm INCOMING"; content:"Tsunami Donation! Please help!"; nocase; content:"Please help us with your donation and view the attachment below!"; nocase; content:"filename="; nocase; content:"tsunami.exe"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/articles/vbsuna.html; sid:2001680; rev:1;)
        alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.B worm variants serarching for targets (yahoo)"; content:"GET /search|3f|"; nocase; content: "p=inurl|3a|"; nocase; content:".php|3f2a|="; nocase; within:10; pcre:"/\d+/iR"; content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; nocase; pcre:"/\d+/iR"; flow:to_server,established; classtype: trojan-activity; sid:2001619; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus VBSun.A Tsunami Scam Worm OUTBOUND"; content:"Tsunami Donation! Please help!"; nocase; content:"Please help us with your donation and view the attachment below!"; nocase; content:"filename="; nocase; content:"tsunami.exe"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/articles/vbsuna.html; sid:2001681; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-policy.rules (1):
        #Matt Jonkman, more msn

     -> Added to bleeding-sid-msg.map (4):
        2001619 || BLEEDING-EDGE Virus Santy.B worm variants serarching for targets (yahoo)
        2001680 || BLEEDING-EDGE Virus VBSun.A Tsunami Scam Worm INCOMING || url,www.sophos.com/virusinfo/articles/vbsuna.html
        2001681 || BLEEDING-EDGE Virus VBSun.A Tsunami Scam Worm OUTBOUND || url,www.sophos.com/virusinfo/articles/vbsuna.html
        2001682 || BLEEDING-EDGE Policy MSN IM Poll via HTTP

     -> Added to bleeding-virus.rules (1):
        #Matt Jonkman

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-virus.rules (1):
        alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:BLEEDING-EDGE Virus Santy.B worm variants serarching for targets (yahoo)"; content:"GET /search|3f|"; nocase; content: "p=inurl|3a|"; nocase; content:".php|3f2a|="; nocase; within:10; pcre:"/\d+/iR"; content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; nocase; pcre:"/\d+/iR"; flow:to_server,established; classtype: trojan-activity; sid:2001619; rev:1;)

[*] Added files: [*]
    None.




