[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Tue Aug 15 21:00:09 EDT 2006


[***] Results from Oinkmaster started Tue Aug 15 21:00:09 2006 [***]

[///]     Modified active rules:     [///]

 2001841 - BLEEDING-EDGE P2P UDP traffic - Likely Limewire (bleeding-p2p.rules)
 2001961 - BLEEDING-EDGE VIRUS Hotword Trojan - Possible File Upload CHJO (bleeding-virus.rules)
 2001962 - BLEEDING-EDGE VIRUS Hotword Trojan - Possible File Upload CFXP (bleeding-virus.rules)
 2001963 - BLEEDING-EDGE VIRUS Hotword Trojan - Possible FTP File Request pspv.exe (bleeding-virus.rules)
 2001964 - BLEEDING-EDGE VIRUS Hotword Trojan - Possible FTP File Request .tea (bleeding-virus.rules)
 2001965 - BLEEDING-EDGE VIRUS Hotword Trojan - Possible FTP File Status Upload ___ (bleeding-virus.rules)
 2001966 - BLEEDING-EDGE VIRUS Hotword Trojan - Possible FTP File Status Check ___ (bleeding-virus.rules)
 2002087 - BLEEDING-EDGE POLICY Inbound Frequent Emails - Possible Spambot Inbound (bleeding-policy.rules)
 2002091 - BLEEDING-EDGE Malware Searchmiracle.com Spyware Install - silent.exe (bleeding-malware.rules)
 2002092 - BLEEDING-EDGE Malware yupsearch.com Spyware Install - protector.exe (bleeding-malware.rules)
 2002098 - BLEEDING-EDGE Malware yupsearch.com Spyware Install - sideb.exe (bleeding-malware.rules)
 2002120 - BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Profile Size (bleeding-exploit.rules)
 2002121 - BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Tag Count (bleeding-exploit.rules)
 2002122 - BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Profile Size (bleeding-exploit.rules)
 2002123 - BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Tag Count (bleeding-exploit.rules)
 2002134 - BLEEDING-EDGE EXPLOIT MS05-036 exploit - JPEG ICC r/b/g/XYZ GetColorProfileElement overflow (bleeding-exploit.rules)
 2002137 - BLEEDING-EDGE EXPLOIT MS05-036 exploit - GIF ICC r/b/g/XYZ GetColorProfileElement overflow (bleeding-exploit.rules)
 2002153 - BLEEDING-EDGE MALWARE EXE as User Agent - Potential Spyware (bleeding-malware.rules)
 2002167 - BLEEDING-EDGE MALWARE Possible Spyware - Wise User Agent (bleeding-malware.rules)
 2002656 - BLEEDING-EDGE EXPLOIT malformed Sack - Snort DoS-by-$um$id (bleeding-exploit.rules)
 2002679 - BLEEDING-EDGE Malware Sony DRM Related - CodeSupport ActiveX Attempt (bleeding-malware.rules)
 2002680 - BLEEDING-EDGE Malware Sony DRM - Uninstaller CLSID (bleeding-malware.rules)
 2002732 - BLEEDING-EDGE VIRUS Multiple Time server requests - Possible Sober Infection (bleeding-virus.rules)
 2002897 - BLEEDING-EDGE WEB Horde README access probe (bleeding-web.rules)
 2002970 - BLEEDING-EDGE MALWARE VB WinHTTP User Agent - Possible Malware (bleeding-malware.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)


[///]    Modified inactive rules:    [///]

 2001615 - BLEEDING-EDGE VIRUS PHPInclude.Worm Outbound Attack - LOCAL INFECTION (bleeding-virus.rules)
 2001723 - BLEEDING-EDGE EXPLOIT ATmaCA PoC for CORE-2004-0819 - Bad PNG (bleeding-exploit.rules)
 2002124 - BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - PNG with embedded ICC document (bleeding-exploit.rules)
 2002669 - BLEEDING-EDGE TROJAN Potential New Spambot Proxy Control Channel - Please report hits to bleeding-sigs at ...2727... (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (29):
        2001615 || BLEEDING-EDGE VIRUS PHPInclude.Worm Outbound Attack - LOCAL INFECTION || url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php
        2001723 || BLEEDING-EDGE EXPLOIT ATmaCA PoC for CORE-2004-0819 - Bad PNG
        2001841 || BLEEDING-EDGE P2P UDP traffic - Likely Limewire || url,www.limewire.com
        2001961 || BLEEDING-EDGE VIRUS Hotword Trojan - Possible File Upload CHJO || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html
        2001962 || BLEEDING-EDGE VIRUS Hotword Trojan - Possible File Upload CFXP || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html
        2001963 || BLEEDING-EDGE VIRUS Hotword Trojan - Possible FTP File Request pspv.exe || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html
        2001964 || BLEEDING-EDGE VIRUS Hotword Trojan - Possible FTP File Request .tea || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html
        2001965 || BLEEDING-EDGE VIRUS Hotword Trojan - Possible FTP File Status Upload ___ || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html
        2001966 || BLEEDING-EDGE VIRUS Hotword Trojan - Possible FTP File Status Check ___ || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html
        2002087 || BLEEDING-EDGE POLICY Inbound Frequent Emails - Possible Spambot Inbound
        2002091 || BLEEDING-EDGE Malware Searchmiracle.com Spyware Install - silent.exe || url,www.searchmiracle.com
        2002092 || BLEEDING-EDGE Malware yupsearch.com Spyware Install - protector.exe || url,www.yupsearch.com
        2002098 || BLEEDING-EDGE Malware yupsearch.com Spyware Install - sideb.exe || url,www.yupsearch.com
        2002120 || BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Profile Size || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002121 || BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Tag Count || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002122 || BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Profile Size || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002123 || BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Tag Count || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002124 || BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit - PNG with embedded ICC document || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002134 || BLEEDING-EDGE EXPLOIT MS05-036 exploit - JPEG ICC r/b/g/XYZ GetColorProfileElement overflow || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002137 || BLEEDING-EDGE EXPLOIT MS05-036 exploit - GIF ICC r/b/g/XYZ GetColorProfileElement overflow || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002153 || BLEEDING-EDGE MALWARE EXE as User Agent - Potential Spyware
        2002167 || BLEEDING-EDGE MALWARE Possible Spyware - Wise User Agent || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771
        2002656 || BLEEDING-EDGE EXPLOIT malformed Sack - Snort DoS-by-$um$id
        2002669 || BLEEDING-EDGE TROJAN Potential New Spambot Proxy Control Channel - Please report hits to bleeding-sigs at ...2727...
        2002679 || BLEEDING-EDGE Malware Sony DRM Related - CodeSupport ActiveX Attempt || url,www.hack.fi/~muzzy/sony-drm/ || url,www.frsirt.com/english/advisories/2005/2454
        2002680 || BLEEDING-EDGE Malware Sony DRM - Uninstaller CLSID || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || url,www.frsirt.com/english/advisories/2005/2493 || url,www.freedom-to-tinker.com/?p=931
        2002732 || BLEEDING-EDGE VIRUS Multiple Time server requests - Possible Sober Infection || url,www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=1540
        2002897 || BLEEDING-EDGE WEB Horde README access probe || url,csirt.terradon.com/postarchive.php?month=4&year=2006#article28 || cve,CVE-2006-1491
        2002970 || BLEEDING-EDGE MALWARE VB WinHTTP User Agent - Possible Malware

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (29):
        2001615 || BLEEDING-EDGE VIRUS PHPInclude.Worm Outbound Attack --LOCAL INFECTION-- || url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php
        2001723 || BLEEDING-EDGE EXPLOIT ATmaCA PoC for CORE-2004-0819 -- bad PNG
        2001841 || BLEEDING-EDGE P2P UDP traffic -- Likely Limewire || url,www.limewire.com
        2001961 || BLEEDING-EDGE VIRUS Hotword Trojan -- Possible File Upload CHJO || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html
        2001962 || BLEEDING-EDGE VIRUS Hotword Trojan -- Possible File Upload CFXP || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html
        2001963 || BLEEDING-EDGE VIRUS Hotword Trojan -- Possible FTP File Request pspv.exe || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html
        2001964 || BLEEDING-EDGE VIRUS Hotword Trojan -- Possible FTP File Request .tea || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html
        2001965 || BLEEDING-EDGE VIRUS Hotword Trojan -- Possible FTP File Status Upload ___ || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html
        2001966 || BLEEDING-EDGE VIRUS Hotword Trojan -- Possible FTP File Status Check ___ || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html
        2002087 || BLEEDING-EDGE POLICY Inbound Frequent Emails -- Possible Spambot Inbound
        2002091 || BLEEDING-EDGE Malware Searchmiracle.com Spyware Install -- silent.exe || url,www.searchmiracle.com
        2002092 || BLEEDING-EDGE Malware yupsearch.com Spyware Install -- protector.exe || url,www.yupsearch.com
        2002098 || BLEEDING-EDGE Malware yupsearch.com Spyware Install -- sideb.exe || url,www.yupsearch.com
        2002120 || BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- JPEG with embedded ICC - Excessive Profile Size || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002121 || BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- JPEG with embedded ICC - Excessive Tag Count || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002122 || BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- GIF with embedded ICC - Excessive Profile Size || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002123 || BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- GIF with embedded ICC - Excessive Tag Count || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002124 || BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- PNG with embedded ICC document || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002134 || BLEEDING-EDGE EXPLOIT MS05-036 exploit -- JPEG ICC r/b/g/XYZ GetColorProfileElement overflow || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002137 || BLEEDING-EDGE EXPLOIT MS05-036 exploit -- GIF ICC r/b/g/XYZ GetColorProfileElement overflow || cve,CVE-2005-1219 || url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
        2002153 || BLEEDING-EDGE MALWARE EXE as User Agent -- Potential Spyware
        2002167 || BLEEDING-EDGE MALWARE Possible Spyware -- Wise User Agent || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771
        2002656 || BLEEDING-EDGE EXPLOIT malformed Sack --Snort DoS-by-$um$id
        2002669 || BLEEDING-EDGE TROJAN Potential New Spambot Proxy Control Channel -- Please report hits to bleeding-sigs at ...2727...
        2002679 || BLEEDING-EDGE Malware Sony DRM Related -- CodeSupport ActiveX Attempt || url,www.hack.fi/~muzzy/sony-drm/ || url,www.frsirt.com/english/advisories/2005/2454
        2002680 || BLEEDING-EDGE Malware Sony DRM -- Uninstaller CLSID || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || url,www.frsirt.com/english/advisories/2005/2493 || url,www.freedom-to-tinker.com/?p=931
        2002732 || BLEEDING-EDGE VIRUS Multiple Time server requests -- Possible Sober Infection || url,www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=1540
        2002897 || BLEEDING-EDGE WEB Horde README access -- Probe || url,csirt.terradon.com/postarchive.php?month=4&year=2006#article28 || cve,CVE-2006-1491
        2002970 || BLEEDING-EDGE MALWARE VB WinHTTP User Agent -- Possible Malware