[Snort-sigs] Bleeding Edge Threats Daily Signature Changes

bleeding at ...3254... bleeding at ...3254...
Thu Nov 30 15:00:04 EST 2006


[***] Results from Oinkmaster started Thu Nov 30 20:00:04 2006 [***]

[+++]          Added rules:          [+++]

 2003197 - BLEEDING-EDGE EXPLOIT ProFTPD .message file overflow attempt (bleeding-exploit.rules)
 2003198 - BLEEDING-EDGE EXPLOIT TFTP Invalid Mode in file Get (bleeding-exploit.rules)
 2003199 - BLEEDING-EDGE EXPLOIT TFTP Invalid Mode in file Put (bleeding-exploit.rules)


[///]     Modified active rules:     [///]

 2003196 - BLEEDING-EDGE EXPLOIT FTP .message file write (bleeding-exploit.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9)  (bleeding-botcc.rules)
 2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10)  (bleeding-botcc.rules)
 2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 9

     -> Added to bleeding-drop.rules (1):
        #  VERSION 9

     -> Added to bleeding-exploit.rules (5):
        #by Steve Adair steven at ...3269... - 11/28/2006, updates from Mat Rowley
        #These rules are mostly for malformed tftp related to, but not for any one specific exploit.
        #The tftp get or put should be opcode(\x01 or \x02)\x00filename\x00mode\x00. Mode is either netascii, binary or mail.
        #by Matt Jonkman
        #These look for write or get that does not have the correct mode. Will catch many of the tftp exploits, like the 3com stuff of late.

     -> Added to bleeding-sid-msg.map (4):
        2003196 || BLEEDING-EDGE EXPLOIT FTP .message file write || url,www.milw0rm.com/exploits/2856
        2003197 || BLEEDING-EDGE EXPLOIT ProFTPD .message file overflow attempt || url,www.milw0rm.com/exploits/2856
        2003198 || BLEEDING-EDGE EXPLOIT TFTP Invalid Mode in file Get
        2003199 || BLEEDING-EDGE EXPLOIT TFTP Invalid Mode in file Put

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 6

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 6

     -> Removed from bleeding-exploit.rules (1):
        #by Steve Adair steven at ...3269... - 11/28/2006

     -> Removed from bleeding-sid-msg.map (1):
        2003196 || BLEEDING-EDGE EXPLOIT Potential ProFTPD .message file overflow attempt || url,www.milw0rm.com/exploits/2856





More information about the Snort-sigs mailing list