[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Fri Jan 21 17:01:08 EST 2005


[***] Results from Oinkmaster started Fri Jan 21 20:00:04 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (3):
        alert tcp any !20 -> $HOME_NET !25 (msg:"BLEEDING-EDGE Malware Possible Windows executable sent when remote host claims to send an image"; content: "Content-Type\: image"; content: "MZ"; within:12; flow: established; sid:2001685; rev:1;)
        alert tcp any !20 -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send an image"; content: "Content-Type\: image"; content: "MZ"; content: "This program cannot be run in DOS mode"; flow: established; sid:2001683; rev:1;)
        alert tcp any !20 -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send image, Win32"; content: "Content-Type\: image"; content: "MZ"; content: "This program must be run under Win32"; flow: established; sid:2001684; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-policy.rules (1):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy MSN IM Poll via HTTP"; uricontent:"/gateway/gateway.dll?Action=poll&SessionID="; nocase; flow:established,to_server; sid:2001682; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy MSN IM Poll via HTTP"; uricontent:"/gateway/gateway.dll?Action=poll&SessionID="; nocase; threshold:type limit, track by_src, count 10, seconds 3600; flow:established,to_server; sid:2001682; rev:3;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (1):
        #From Vernon Stark

     -> Added to bleeding-sid-msg.map (3):
        2001683 || BLEEDING-EDGE Malware Windows executable sent when remote host claims to send an image
        2001684 || BLEEDING-EDGE Malware Windows executable sent when remote host claims to send image, Win32
        2001685 || BLEEDING-EDGE Malware Possible Windows executable sent when remote host claims to send an image

[*] Added files: [*]
    None.




