[Snort-sigs] Bleeding Edge Threats Daily Signature Changes

bleeding at ...3254...
Fri Apr 13 16:00:06 EDT 2007


[***] Results from Oinkmaster started Fri Apr 13 16:00:06 2007 [***]

[+++]          Added rules:          [+++]

 2003571 - BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (patch-) (bleeding.rules)
 2003572 - BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (bugfix-) (bleeding.rules)
 2003573 - BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (hotfix-) (bleeding.rules)
 2003574 - BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (removal-) (bleeding.rules)
 2003575 - BLEEDING-EDGE MALWARE Gator/Clarian Spyware Posting Data (bleeding-malware.rules)
 2003576 - BLEEDING-EDGE MALWARE Security-updater.com Spyware Posting Data (bleeding-malware.rules)
 2003577 - BLEEDING-EDGE MALWARE Mirarsearch.com Spyware Posting Data (bleeding-malware.rules)
 2003578 - BLEEDING-EDGE MALWARE Baidu.com Spyware Bar Pulling Data (bleeding-malware.rules)
 2003579 - BLEEDING-EDGE MALWARE Findwhat.com Spyware (clickthrough) (bleeding-malware.rules)
 2003580 - BLEEDING-EDGE MALWARE Findwhat.com Spyware (sendtracker) (bleeding-malware.rules)
 2003581 - BLEEDING-EDGE MALWARE Findwhat.com Spyware (sendmedia) (bleeding-malware.rules)
 2003582 - BLEEDING-EDGE MALWARE MalwareWiped.com Spyware User-Agent (MalwareWiped) (bleeding-malware.rules)
 2003583 - BLEEDING-EDGE MALWARE Suspicious User-Agent (update) (bleeding-malware.rules)
 2003584 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) (bleeding-malware.rules)
 2003585 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Windows Updates Manager) (bleeding-malware.rules)
 2003586 - BLEEDING-EDGE MALWARE Suspicious User-Agent (WinXP Pro Service Pack 2) (bleeding-malware.rules)
 2003587 - BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack (bleeding.rules)


[///]     Modified active rules:     [///]

 2003306 - BLEEDING-EDGE MALWARE 180solutions Spyware (tracked event 2 reporting) (bleeding-malware.rules)
 2003463 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Toolbar) Possibly Malware/Spyware (bleeding-malware.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Disabled rules:        [---]

 2003447 - BLEEDING-EDGE MALWARE Humanclick.com Client Checkin (bleeding-malware.rules)
 2003448 - BLEEDING-EDGE MALWARE Humanclick.com Client Update (bleeding-malware.rules)


[---]         Removed rules:         [---]

 2003361 - BLEEDING-EDGE Malware My Search Spyware Config Download 2 (bleeding-malware.rules)
 2003393 - BLEEDING-EDGE Malware My Search Spyware Config Download 3 (bleeding-malware.rules)
 2003539 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit udp - Please report any hits to bleeding at ...3254... (bleeding.rules)
 2003540 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit tcp - Please report any hits to bleeding at ...3254... (bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 152

     -> Added to bleeding-drop.rules (1):
        #  VERSION 152

     -> Added to bleeding-malware.rules (4):
        #Matt Jonkman, from spyware LP Data
        # Commenting these out. They're generating to many false positives, and may just be ads.
        #by Matt Jonkman, from spyware LP Data
        #by Matt Jonkman, from spyware LP Data

     -> Added to bleeding-sid-msg.map (17):
        2003571 || BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (patch-) || url,isc.sans.org/diary.html?storyid=2612
        2003572 || BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (bugfix-) || url,isc.sans.org/diary.html?storyid=2612
        2003573 || BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (hotfix-) || url,isc.sans.org/diary.html?storyid=2612
        2003574 || BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (removal-) || url,isc.sans.org/diary.html?storyid=2612
        2003575 || BLEEDING-EDGE MALWARE Gator/Clarian Spyware Posting Data || url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999
        2003576 || BLEEDING-EDGE MALWARE Security-updater.com Spyware Posting Data
        2003577 || BLEEDING-EDGE MALWARE Mirarsearch.com Spyware Posting Data
        2003578 || BLEEDING-EDGE MALWARE Baidu.com Spyware Bar Pulling Data || url,www.pctools.com/mrc/infections/id/BaiDu/
        2003579 || BLEEDING-EDGE MALWARE Findwhat.com Spyware (clickthrough)
        2003580 || BLEEDING-EDGE MALWARE Findwhat.com Spyware (sendtracker)
        2003581 || BLEEDING-EDGE MALWARE Findwhat.com Spyware (sendmedia)
        2003582 || BLEEDING-EDGE MALWARE MalwareWiped.com Spyware User-Agent (MalwareWiped)
        2003583 || BLEEDING-EDGE MALWARE Suspicious User-Agent (update) || url,doc.bleedingthreats.net/2003583
        2003584 || BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) || url,doc.bleedingthreats.net/2003584
        2003585 || BLEEDING-EDGE MALWARE Suspicious User-Agent (Windows Updates Manager) || url,doc.bleedingthreats.net/2003585
        2003586 || BLEEDING-EDGE MALWARE Suspicious User-Agent (WinXP Pro Service Pack 2) || url,doc.bleedingthreats.net/2003586
        2003587 || BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack || url,isc.sans.org/diary.html?storyid=2627 || url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html

     -> Added to bleeding.rules (5):
        # This is a temporary sig till we have more information. I'd recommend running it only on your nternet facing sensors.
        # Discussion is very useful at the first reference link
        ### EXPERIMENTAL ###
        #idea from shirkdog
        #temporary to help control the recent storm worm outbreaks. This rule should be removed in a week or so

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 151

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 151

     -> Removed from bleeding-malware.rules (1):
        #Replaced by the above pcre

     -> Removed from bleeding-sid-msg.map (4):
        2003361 || BLEEDING-EDGE Malware My Search Spyware Config Download 2
        2003393 || BLEEDING-EDGE Malware My Search Spyware Config Download 3
        2003539 || BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit udp - Please report any hits to bleeding at ...3254... || url,www.dshield.org/diary.html?storyid=2584
        2003540 || BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit tcp - Please report any hits to bleeding at ...3254... || url,www.dshield.org/diary.html?storyid=2584

     -> Removed from bleeding.rules (3):
        #by Michael Schidell
        # ISC reports a possible active MS DNS exploit. Please report any hits. More info as we get it.
        ### Commenting out for now. More information hasn't surfaced yet. Will update when we can




