[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Tue Jan 18 17:01:42 EST 2005


[***] Results from Oinkmaster started Tue Jan 18 20:00:02 2005 [***]

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-exploit.rules (1):
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE EXPLOIT IE IFRAME Exploit"; pcre:"/(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://\w{578}|/W{578}/im"; pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w{2086}|\W{2086}/im"; content:"\/IFRAME"; nocase; flow:from_server,established; sid:2001401; rev:9;)
        new: alert tcp any $HTTP_PORTS -> any any ( msg:"BLEEDING-EDGE EXPLOIT IE IFRAME Exploit"; pcre:"/(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://\w{578}|/W{578}/im"; pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w{2086}|\W{2086}/im"; flow:from_server,established; sid:2001401; rev:10;)
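Review bot: rev:10 of sid:2001401 drops content:"\/IFRAME"; nocase; and at the same time widens the header to any $HTTP_PORTS -> any any, so the rule is left with two pcre options and no content match to gate them. Both expressions would then be evaluated against all established from_server traffic on $HTTP_PORTS, which is costly; consider keeping a content match so the pcres only run on candidate packets. Separately, in the first pcre the second alternative reads /W{578} where the second pcre uses \W{2086}; this looks like a typo for \W{578} and is carried over unchanged from rev:9. In both expressions the top-level | is ungrouped, so the \W{...} branch matches without the EMBED/FRAME/SRC prefix; wrapping the alternatives as (\w{578}|\W{578}) would tie them to the attribute.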

     -> Modified active in bleeding-policy.rules (1):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy MSN IM Poll via HTTP"; uricontent:"/gateway/gateway.dll?Action=poll&SessionID="; nocase; sid:2001682; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy MSN IM Poll via HTTP"; uricontent:"/gateway/gateway.dll?Action=poll&SessionID="; nocase; flow:established,to_server; sid:2001682; rev:2;)

     -> Modified active in bleeding-virus.rules (2):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus VBSun.A Tsunami Scam Worm INCOMING"; content:"Tsunami Donation! Please help!"; nocase; content:"Please help us with your donation and view the attachment below!"; nocase; content:"filename="; nocase; content:"tsunami.exe"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/articles/vbsuna.html; sid:2001680; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus VBSun.A Tsunami Scam Worm INCOMING"; content:"Tsunami Donation! Please help!"; nocase; content:"Please help us with your donation and view the attachment below!"; nocase; content:"filename="; nocase; content:"tsunami.exe"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/articles/vbsuna.html; flow:established,to_server; sid:2001680; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus VBSun.A Tsunami Scam Worm OUTBOUND"; content:"Tsunami Donation! Please help!"; nocase; content:"Please help us with your donation and view the attachment below!"; nocase; content:"filename="; nocase; content:"tsunami.exe"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/articles/vbsuna.html; sid:2001681; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE Virus VBSun.A Tsunami Scam Worm OUTBOUND"; content:"Tsunami Donation! Please help!"; nocase; content:"Please help us with your donation and view the attachment below!"; nocase; content:"filename="; nocase; content:"tsunami.exe"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/articles/vbsuna.html; flow:established,to_server; sid:2001681; rev:2;)
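Review bot: In sid:2001680 and sid:2001681 the four content matches are still independent of each other, so content:"filename="; and content:"tsunami.exe"; can match anywhere in the stream in any order. Adding flow:established,to_server is correct for traffic to port 25, but consider tying "tsunami.exe" to "filename=" with distance/within so the rule matches the attachment name rather than any mention of the string in the message.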

[*] Non-rule line modifications: [*]
    None.

[*] Added files: [*]
    None.