[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes

bleeding at ...3254... bleeding at ...3254...
Fri Feb 16 10:00:05 EST 2007


[***] Results from Oinkmaster started Fri Feb 16 15:00:05 2007 [***]

[+++]          Added rules:          [+++]

 2003409 - BLEEDING-EDGE POLICY Majestic-12 Spider Bot User-Agent (MJ12bot) (bleeding-policy.rules)
 2003410 - BLEEDING-EDGE POLICY FTP Login Successful (non-anonymous) (bleeding-policy.rules)
 2003411 - BLEEDING-EDGE EXPLOIT Solaris telnet USER environment vuln Attack inbound (bleeding-exploit.rules)
 2003412 - BLEEDING-EDGE EXPLOIT Solaris telnet USER environment vuln Attack outbound (bleeding-exploit.rules)
 2003413 - BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser (bleeding.rules)
 2003414 - BLEEDING-EDGE MALWARE Epilot.com Spyware Reporting (bleeding-malware.rules)
 2003416 - BLEEDING-EDGE MALWARE Epilot.com Spyware Reporting Clicks (bleeding-malware.rules)
 2003417 - BLEEDING-EDGE MALWARE CNSMIN (3721.com) Spyware Activity (bleeding-malware.rules)
 2003418 - BLEEDING-EDGE MALWARE CNSMIN (3721.com) Spyware Activity 2 (bleeding-malware.rules)
 2003419 - BLEEDING-EDGE MALWARE CNSMIN (3721.com) Spyware Activity 3 (bleeding-malware.rules)
 2003420 - BLEEDING-EDGE MALWARE Weatherbug Activity (bleeding-malware.rules)
 2003421 - BLEEDING-EDGE MALWARE Weatherbug Design60 Upload Activity (bleeding-malware.rules)
 2003422 - BLEEDING-EDGE MALWARE Weatherbug Command Activity (bleeding-malware.rules)
 2003423 - BLEEDING-EDGE MALWARE Weatherbug Design60 Upload Activity (bleeding-malware.rules)


[///]     Modified active rules:     [///]

 2001720 - BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with indexed color (bleeding-exploit.rules)
 2003401 - BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated VBScript download file (bleeding-exploit.rules)
 2003402 - BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated VBScript execute command (bleeding-exploit.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Disabled rules:        [---]

 2001267 - BLEEDING-EDGE MALWARE Weatherbug Capture (bleeding-malware.rules)
 2001386 - BLEEDING-EDGE INAPPROPRIATE Kiddy Porn pthc (bleeding-inappropriate.rules)
 2001387 - BLEEDING-EDGE INAPPROPRIATE Kiddy Porn zeps (bleeding-inappropriate.rules)
 2001388 - BLEEDING-EDGE INAPPROPRIATE Kiddy Porn r at ...2850... (bleeding-inappropriate.rules)
 2001389 - BLEEDING-EDGE INAPPROPRIATE Kiddy Porn childlover (bleeding-inappropriate.rules)
 2002364 - BLEEDING-EDGE MALWARE Weatherbug Wxbug Capture (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-dos.rules (1):
        # hit on pmtu frames with next-hop mtu not 0 (old RFC shortcut) and (added this so the sig wouldn't trigger missing reference:url, search errors)

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 88

     -> Added to bleeding-drop.rules (1):
        #  VERSION 88

     -> Added to bleeding-exploit.rules (1):
        # Submitted 2007-02-12 by Chris Byrd

     -> Added to bleeding-inappropriate.rules (1):
        #Commenting out by default. Enable these if needed

     -> Added to bleeding-malware.rules (1):
        #from spywarelp data, by Matt Jonkman

     -> Added to bleeding-policy.rules (2):
        #By CunningPike
        #by Stephen Nesman at Monster.com

     -> Added to bleeding-sid-msg.map (14):
        2003409 || BLEEDING-EDGE POLICY Majestic-12 Spider Bot User-Agent (MJ12bot) || url,www.majestic12.co.uk/
        2003410 || BLEEDING-EDGE POLICY FTP Login Successful (non-anonymous)
        2003411 || BLEEDING-EDGE EXPLOIT Solaris telnet USER environment vuln Attack inbound || url,isc.sans.org/diary.html?n&storyid=2220 || url,riosec.com/solaris-telnet-0-day
        2003412 || BLEEDING-EDGE EXPLOIT Solaris telnet USER environment vuln Attack outbound || url,isc.sans.org/diary.html?n&storyid=2220 || url,riosec.com/solaris-telnet-0-day
        2003413 || BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser
        2003414 || BLEEDING-EDGE MALWARE Epilot.com Spyware Reporting || url,www.intermute.com/spysubtract/researchcenter/ClientMan.html
        2003416 || BLEEDING-EDGE MALWARE Epilot.com Spyware Reporting Clicks || url,www.intermute.com/spysubtract/researchcenter/ClientMan.html
        2003417 || BLEEDING-EDGE MALWARE CNSMIN (3721.com) Spyware Activity || url,www.spyany.com/program/article_spy_rm_CnsMin.html
        2003418 || BLEEDING-EDGE MALWARE CNSMIN (3721.com) Spyware Activity 2 || url,www.spyany.com/program/article_spy_rm_CnsMin.html
        2003419 || BLEEDING-EDGE MALWARE CNSMIN (3721.com) Spyware Activity 3 || url,www.spyany.com/program/article_spy_rm_CnsMin.html
        2003420 || BLEEDING-EDGE MALWARE Weatherbug Activity
        2003421 || BLEEDING-EDGE MALWARE Weatherbug Design60 Upload Activity
        2003422 || BLEEDING-EDGE MALWARE Weatherbug Command Activity
        2003423 || BLEEDING-EDGE MALWARE Weatherbug Design60 Upload Activity

     -> Added to bleeding.rules (3):
        #This is being sent to many victims under the pretense of being a securityt audit script for colocated customers
        #These should catch it in it's current form. More information coming soon
        #Analysis by Jose Nazario

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-dos.rules (1):
        # alert on pmtu frames with next-hop mtu not 0 (old RFC shortcut) and (added this so the sig wouldn't trigger missing reference:url, search errors)

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 82

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 82





More information about the Snort-sigs mailing list