[Snort-sigs] Bleeding Edge Threats Daily Update

bleeding at ...3254...
Mon Nov 27 15:00:03 EST 2006


[***] Results from Oinkmaster started Mon Nov 27 20:00:03 2006 [***]

[+++]          Added rules:          [+++]

 2003195 - BLEEDING-EDGE POLICY Unusual number of DNS No Such Name Responses (bleeding-policy.rules)
 2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10)  (bleeding-botcc.rules)
 2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[///]     Modified active rules:     [///]

 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9)  (bleeding-botcc.rules)
 2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Removed rules:         [---]

 2001834 - BLEEDING-EDGE DNS lookup attempt to hostile, poisoning DNS server - ISC Diary (bleeding.rules)
 2001835 - BLEEDING-EDGE Sites trying to infect PCs with malware - ISC Diary (bleeding.rules)
 2001836 - BLEEDING-EDGE Web page trying to infect PCs with malware - ISC Diary (bleeding.rules)
 2001837 - BLEEDING-EDGE Suspicious DNS server answer\: 218.38.13.108 (bleeding.rules)
 2001838 - BLEEDING-EDGE Suspicious DNS server answer\: 217.16.26.148 (bleeding.rules)
 2001839 - BLEEDING-EDGE Suspicious DNS server answer\: 205.162.201.11 (bleeding.rules)
 2001840 - BLEEDING-EDGE Suspicious DNS server answer\: besthost.co.kr (bleeding.rules)
 2001842 - BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 7sir7.com (bleeding.rules)
 2001843 - BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 123xxl.com (bleeding.rules)
 2001844 - BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain abx4.com (bleeding.rules)
 2002670 - BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (tcp) (bleeding.rules)
 2002672 - BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (udp) (bleeding.rules)
 2002692 - BLEEDING-EDGE CURRENT EVENTS Bagle.Gen HTTP Get Traffic - Possible Infected Host (bleeding.rules)
 2002712 - BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - people.freenet.de (bleeding.rules)
 2002713 - BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - scifi.pages.at (bleeding.rules)
 2002714 - BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - home.pages.at (bleeding.rules)
 2002715 - BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - free.pages.at (bleeding.rules)
 2002716 - BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - home.arcor.de (bleeding.rules)
 2002813 - BLEEDING-EDGE CURRENT Mac OS/X MIME Header x-unix-mode Tag (bleeding.rules)
 2003111 - BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.1 (bleeding.rules)
 2003112 - BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.2 (bleeding.rules)
 2003113 - BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.3 (bleeding.rules)
 2003114 - BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.4 (bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 5

     -> Added to bleeding-drop.rules (1):
        #  VERSION 5

     -> Added to bleeding-policy.rules (1):
        #Adapted from nextsoft.cz

     -> Added to bleeding-sid-msg.map (6):
        2003192 || BLEEDING-EDGE VOIP INVITE Message Flood
        2003193 || BLEEDING-EDGE VOIP REGISTER Message Flood
        2003194 || BLEEDING-EDGE VOIP Multiple Unathorized SIP Responses
        2003195 || BLEEDING-EDGE POLICY Unusual number of DNS No Such Name Responses
        2410009 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10)  || url,www.shadowserver.org
        2411009 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 1

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 1

     -> Removed from bleeding-sid-msg.map (23):
        2001834 || BLEEDING-EDGE DNS lookup attempt to hostile, poisoning DNS server - ISC Diary || url,isc.sans.org/diary.php?date=2005-03-31 || url,isc.sans.org/diary.php?date=2005-03-30
        2001835 || BLEEDING-EDGE Sites trying to infect PCs with malware - ISC Diary || url,isc.sans.org/diary.php?date=2005-03-30
        2001836 || BLEEDING-EDGE Web page trying to infect PCs with malware - ISC Diary || url,isc.sans.org/diary.php?date=2005-03-30
        2001837 || BLEEDING-EDGE Suspicious DNS server answer\: 218.38.13.108
        2001838 || BLEEDING-EDGE Suspicious DNS server answer\: 217.16.26.148
        2001839 || BLEEDING-EDGE Suspicious DNS server answer\: 205.162.201.11
        2001840 || BLEEDING-EDGE Suspicious DNS server answer\: besthost.co.kr
        2001842 || BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 7sir7.com || url,isc.sans.org/diary.php?date=2005-04-07
        2001843 || BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 123xxl.com || url,isc.sans.org/diary.php?date=2005-04-07
        2001844 || BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain abx4.com || url,isc.sans.org/diary.php?date=2005-04-07
        2002670 || BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (tcp) || url,isc.sans.org/diary.php?storyid=819
        2002672 || BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (udp) || url,isc.sans.org/diary.php?storyid=819
        2002692 || BLEEDING-EDGE CURRENT EVENTS Bagle.Gen HTTP Get Traffic - Possible Infected Host
        2002712 || BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - people.freenet.de || url,www.lurhq.com/soberdates.html || url,www.f-secure.com/weblog/archives/archive-122005.html#00000729
        2002713 || BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - scifi.pages.at || url,www.lurhq.com/soberdates.html || url,www.f-secure.com/weblog/archives/archive-122005.html#00000729
        2002714 || BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - home.pages.at || url,www.lurhq.com/soberdates.html || url,www.f-secure.com/weblog/archives/archive-122005.html#00000729
        2002715 || BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - free.pages.at || url,www.lurhq.com/soberdates.html || url,www.f-secure.com/weblog/archives/archive-122005.html#00000729
        2002716 || BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - home.arcor.de || url,www.lurhq.com/soberdates.html || url,www.f-secure.com/weblog/archives/archive-122005.html#00000729
        2002813 || BLEEDING-EDGE CURRENT Mac OS/X MIME Header x-unix-mode Tag || url,isc.sans.org/diary.php?storyid=1138
        2003111 || BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.1 || url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738
        2003112 || BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.2 || url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738
        2003113 || BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.3 || url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738
        2003114 || BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.4 || url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738

     -> Removed from bleeding.rules (13):
        # Added 2006-02-21 after pondering about the current OS/X issue
        #by jnorcross
        #This will false some, but should be minimal. This should be removed in a month or so. Reevaluate on 1/1/07
        #Turning off by default. is does false a lot, and the threat is mostly gone. Will remove completely soon.
        # The rules below were written in response to an ISC Diary that listed known
        # evil, poisoning name servers .
        # Added by Frank Knobbe
        # Submitted by Stephane Nasdrovisky
        #Matt Jonkman, related to dns poisoning
        #from dajackman re incidents.org entry
        # Added by Frank Knobbe in preparation for Sober activity
        # Trojan.Proxy.PPAgent.A ruleset from Russ McRee
        # These for dns are temporary, the domains will surely change soon. To be removed in a few days.

[+] Added files (consider updating your snort.conf to include them if needed): [+]

    -> bleeding-voip.rules

