[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Tue Jul 25 21:00:12 EDT 2006


[***] Results from Oinkmaster started Tue Jul 25 21:00:12 2006 [***]

[+++]          Added rules:          [+++]

 2003047 - BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi) (bleeding-policy.rules)
 2003048 - BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi) (bleeding-policy.rules)
 2003049 - BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound [billy] - Possible Bot (bleeding-virus.rules)
 2003050 - BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Intbound [billy] (bleeding-virus.rules)
 2003051 - BLEEDING-EDGE VIRUS Suspicious SMTP HELO Outbound [billy] - Possible Bot (bleeding-virus.rules)
 2003052 - BLEEDING-EDGE VIRUS Suspicious SMTP HELO Intbound [billy] (bleeding-virus.rules)
 2003053 - BLEEDING-EDGE VIRUS Suspicious SMTP HELO Inbound [zombie] (bleeding-virus.rules)
 2003054 - BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Inbound [zombie] (bleeding-virus.rules)
 2003055 - BLEEDING-EDGE MALWARE Suspicious 220 Banner on Local Port (bleeding-malware.rules)


[///]     Modified active rules:     [///]

 2002846 - BLEEDING-EDGE WEB Minishare GET Overflow (bleeding-web.rules)
 2003043 - BLEEDING-EDGE VIRUS Suspicious SMTP HELO Outbound [zombie] - Possible Bot (bleeding-virus.rules)
 2003044 - BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound [zombie] - Possible Bot (bleeding-virus.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (1):
        #by Reg Quinton

     -> Added to bleeding-policy.rules (3):
        #Seeing some bots and proxy evasion apps use these proxy judges to find their way out
        #by Scotty Melnick
        #Thresholded like the Windows-User-Agent user agent sig (after suggestion from Eduardo)

     -> Added to bleeding-sid-msg.map (11):
        2003043 || BLEEDING-EDGE VIRUS Suspicious SMTP HELO Outbound [zombie] - Possible Bot
        2003044 || BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound [zombie] - Possible Bot
        2003047 || BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)
        2003048 || BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi)
        2003049 || BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound [billy] - Possible Bot
        2003050 || BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Intbound [billy]
        2003051 || BLEEDING-EDGE VIRUS Suspicious SMTP HELO Outbound [billy] - Possible Bot
        2003052 || BLEEDING-EDGE VIRUS Suspicious SMTP HELO Intbound [billy]
        2003053 || BLEEDING-EDGE VIRUS Suspicious SMTP HELO Inbound [zombie]
        2003054 || BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Inbound [zombie]
        2003055 || BLEEDING-EDGE MALWARE Suspicious 220 Banner on Local Port

     -> Added to bleeding-virus.rules (2):
        #These sigs are for the unique things that spam bots do in how they talk
        #Submitted by Scott Melnick

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-policy.rules (1):
        #Thresholded like the Windows-User-Agent user agent sig (after suggestion from Eduardo Horowitz

     -> Removed from bleeding-sid-msg.map (2):
        2003043 || BLEEDING-EDGE VIRUS Suspicious SMTP HELO Outbound
        2003044 || BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound
