[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Sat Jun 18 18:00:51 EDT 2005


[***] Results from Oinkmaster started Sat Jun 18 20:00:05 2005 [***]

[+++]          Added rules:          [+++]

 2002022 - BLEEDING-EDGE GotoMyPC poll.gotomypc.com Server Response to Polling Client OK (bleeding-policy.rules)
 2002023 - BLEEDING-EDGE TROJAN IRC USER command (bleeding-virus.rules)
 2002024 - BLEEDING-EDGE TROJAN IRC NICK command (bleeding-virus.rules)
 2002025 - BLEEDING-EDGE TROJAN IRC JOIN command (bleeding-virus.rules)
 2002026 - BLEEDING-EDGE TROJAN IRC PRIVMSG command (bleeding-virus.rules)
 2002027 - BLEEDING-EDGE TROJAN IRC PING command (bleeding-virus.rules)
 2002028 - BLEEDING-EDGE TROJAN IRC PONG response (bleeding-virus.rules)
 2002029 - BLEEDING-EDGE TROJAN BOT - channel topic scan/exploit command (bleeding-virus.rules)
 2002030 - BLEEDING-EDGE TROJAN BOT - potential scan/exploit command (bleeding-virus.rules)
 2002031 - BLEEDING-EDGE TROJAN BOT - potential update/download (bleeding-virus.rules)
 2002032 - BLEEDING-EDGE TROJAN BOT - potential DDoS command (bleeding-virus.rules)
 2002033 - BLEEDING-EDGE TROJAN BOT - potential response (bleeding-virus.rules)


[---]         Disabled rules:        [---]

 2001370 - BLEEDING-EDGE IRC Trojan Reporting (Exploit) (bleeding-virus.rules)
 2001371 - BLEEDING-EDGE IRC Trojan Reporting (lsass) (bleeding-virus.rules)
 2001372 - BLEEDING-EDGE IRC Trojan Reporting (Scan) (bleeding-virus.rules)
 2001373 - BLEEDING-EDGE IRC Trojan Reporting (zombie) (bleeding-virus.rules)
 2001786 - BLEEDING-EDGE TROJAN potential update/download IRC Bot command (bleeding-virus.rules)
 2001787 - BLEEDING-EDGE TROJAN IRC Bot scan/exploit command (bleeding-virus.rules)
 2001788 - BLEEDING-EDGE TROJAN IRC Bot DDoS command (bleeding-virus.rules)
 2001789 - BLEEDING-EDGE TROJAN Suspicious IRC Bot response (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-policy.rules (1):
        #This intends to be a more intelligent version of the old gotomypc rule, eventually to replace the old if it catches everything

     -> Added to bleeding-sid-msg.map (12):
        2002022 || BLEEDING-EDGE GotoMyPC poll.gotomypc.com Server Response to Polling Client OK
        2002023 || BLEEDING-EDGE TROJAN IRC USER command
        2002024 || BLEEDING-EDGE TROJAN IRC NICK command
        2002025 || BLEEDING-EDGE TROJAN IRC JOIN command
        2002026 || BLEEDING-EDGE TROJAN IRC PRIVMSG command
        2002027 || BLEEDING-EDGE TROJAN IRC PING command
        2002028 || BLEEDING-EDGE TROJAN IRC PONG response
        2002029 || BLEEDING-EDGE TROJAN BOT - channel topic scan/exploit command
        2002030 || BLEEDING-EDGE TROJAN BOT - potential scan/exploit command
        2002031 || BLEEDING-EDGE TROJAN BOT - potential update/download
        2002032 || BLEEDING-EDGE TROJAN BOT - potential DDoS command
        2002033 || BLEEDING-EDGE TROJAN BOT - potential response

     -> Added to bleeding-virus.rules (12):
        #DISABLING THESE SIGS TEMPORARILY!!! If the new ones below work out these will be dropped, or left disabled permanently
        # These are the new sigs replacing the above
        # By Erik Fichtner
        # Bleeding-Remix :: irc / ircbot detection state machine
        # compiled from various sources.
        # thanks to: Joe Stewart of LURHO, Joel Esler, Tomfi.
        ###  Client login process.  flowbits needs an OR.
        ###  Client needs to tell the server who they are, join
        ###  join a group, and someone needs to say something to
        ###  someone else.
        ###  Alternate path to is_proto_irc, Catch PING/PONG.
        #  Bot potty
