[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Fri Jan 28 17:00:17 EST 2005


[***] Results from Oinkmaster started Fri Jan 28 20:00:03 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (4):
        alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagle.AY worm [.cpl extension] - OUTBOUND"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:misc-activity; sid:2001693; rev:1;)
        alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagle.AY worm [.com extension] - OUTBOUND"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:misc-activity; sid:2001691; rev:1;)
        alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Bagle.AY worm [.cpl extension] - inbound"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:misc-activity; sid:2001694; rev:1;)
        alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Bagle.AY worm [.com extension] - inbound"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:misc-activity; sid:2001692; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (2):
        old: alert tcp any !20 -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send an image"; content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "This program cannot be run in DOS mode"; flow: established; sid:2001683; rev:2;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send an image"; content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "This program cannot be run in DOS mode"; flow: established; sid:2001683; rev:3;)
        old: alert tcp any !20 -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send image, Win32"; content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "This program must be run under Win32"; flow: established; sid:2001684; rev:2;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send image, Win32"; content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "This program must be run under Win32"; flow: established; sid:2001684; rev:3;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (4):
        2001691 || BLEEDING-EDGE Virus Bagle.AY worm [.com extension] - OUTBOUND || url,secunia.com/virus_information/14902/
        2001692 || BLEEDING-EDGE Virus Bagle.AY worm [.com extension] - inbound || url,secunia.com/virus_information/14902/
        2001693 || BLEEDING-EDGE Virus Bagle.AY worm [.cpl extension] - OUTBOUND || url,secunia.com/virus_information/14902/
        2001694 || BLEEDING-EDGE Virus Bagle.AY worm [.cpl extension] - inbound || url,secunia.com/virus_information/14902/

     -> Added to bleeding-virus.rules (1):
        #added by Mark Scott 01/27/2005 - Bagle.AY

[*] Added files: [*]
    None.
