[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Tue Jan 25 17:01:01 EST 2005


[***] Results from Oinkmaster started Tue Jan 25 20:00:02 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-exploit.rules (1):
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"BLEEDING-EDGE EXPLOIT Awstats Remote Code Execution Attempt"; flow:established,from_client; uricontent:"/awstats.pl?configdir="; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; classtype:web-application-attack;sid:2001686; rev:5;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (2):
        old: alert tcp any !20 -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send an image"; content: "Content-Type\: image"; content: "MZ"; content: "This program cannot be run in DOS mode"; flow: established; sid:2001683; rev:1;)
        new: alert tcp any !20 -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send an image"; content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "This program cannot be run in DOS mode"; flow: established; sid:2001683; rev:2;)
        old: alert tcp any !20 -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send image, Win32"; content: "Content-Type\: image"; content: "MZ"; content: "This program must be run under Win32"; flow: established; sid:2001684; rev:1;)
        new: alert tcp any !20 -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send image, Win32"; content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "This program must be run under Win32"; flow: established; sid:2001684; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-exploit.rules (1):
        # Submitted to Snort-Sigs by Chas Tomlin

     -> Added to bleeding-sid-msg.map (1):
        2001686 || BLEEDING-EDGE EXPLOIT Awstats Remote Code Execution Attempt || url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false || url,www.k-otik.com/exploits/20050124.awexpl.c.php

[*] Added files: [*]
    None.




