[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Sat Jul 9 18:02:00 EDT 2005


[***] Results from Oinkmaster started Sat Jul  9 20:00:05 2005 [***]

[+++]          Added rules:          [+++]

 2002086 - BLEEDING-EDGE VIRUS London bombing trojan file (bleeding-virus.rules)
 2002087 - BLEEDING-EDGE POLICY Inbound Frequent Emails -- Possible Spambot Inbound (bleeding-policy.rules)


[///]     Modified active rules:     [///]

 2000328 - BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails (bleeding-policy.rules)
 2002025 - BLEEDING-EDGE TROJAN IRC JOIN command (bleeding-virus.rules)
 2002026 - BLEEDING-EDGE TROJAN IRC PRIVMSG command (bleeding-virus.rules)


[---]         Removed rules:         [---]

 2001370 - BLEEDING-EDGE IRC Trojan Reporting (Exploit) (bleeding-virus.rules)
 2001371 - BLEEDING-EDGE IRC Trojan Reporting (lsass) (bleeding-virus.rules)
 2001372 - BLEEDING-EDGE IRC Trojan Reporting (Scan) (bleeding-virus.rules)
 2001373 - BLEEDING-EDGE IRC Trojan Reporting (zombie) (bleeding-virus.rules)
 2001786 - BLEEDING-EDGE TROJAN potential update/download IRC Bot command (bleeding-virus.rules)
 2001787 - BLEEDING-EDGE TROJAN IRC Bot scan/exploit command (bleeding-virus.rules)
 2001788 - BLEEDING-EDGE TROJAN IRC Bot DDoS command (bleeding-virus.rules)
 2001789 - BLEEDING-EDGE TROJAN Suspicious IRC Bot response (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (3):
        2000328 || BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails
        2002086 || BLEEDING-EDGE VIRUS London bombing trojan file || url,www.theregister.co.uk/2005/07/08/london_bombing_spambot/
        2002087 || BLEEDING-EDGE POLICY Inbound Frequent Emails -- Possible Spambot Inbound

     -> Added to bleeding-virus.rules (1):
        #by Shirkdog

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (9):
        2000328 || BLEEDING-EDGE Multiple Non-SMTP Server Emails
        2001370 || BLEEDING-EDGE IRC Trojan Reporting (Exploit)
        2001371 || BLEEDING-EDGE IRC Trojan Reporting (lsass)
        2001372 || BLEEDING-EDGE IRC Trojan Reporting (Scan)
        2001373 || BLEEDING-EDGE IRC Trojan Reporting (zombie)
        2001786 || BLEEDING-EDGE TROJAN potential update/download IRC Bot command || url,www.honeynet.org/papers/bots/ || url,cert.uni-stuttgart.de/doc/netsec/bots.php
        2001787 || BLEEDING-EDGE TROJAN IRC Bot scan/exploit command || url,www.honeynet.org/papers/bots/ || url,cert.uni-stuttgart.de/doc/netsec/bots.php
        2001788 || BLEEDING-EDGE TROJAN IRC Bot DDoS command || url,www.honeynet.org/papers/bots/ || url,cert.uni-stuttgart.de/doc/netsec/bots.php
        2001789 || BLEEDING-EDGE TROJAN Suspicious IRC Bot response || url,www.honeynet.org/papers/bots/ || url,cert.uni-stuttgart.de/doc/netsec/bots.php

     -> Removed from bleeding-virus.rules (4):
        #DISABLING THESE SIGS TEMPORARILY!!! If the new ones below work out these will be dropped, or left disabled permanently
        #by Joel Esler, the man, the myth, the legend.... - IRC Trojan
        #From Tomfi
        # These are the new sigs replacing the above




