[Snort-sigs] Bleeding Edge Threats Daily Signature Changes
bleeding at ...3254...
Fri Jan 12 15:00:05 EST 2007
[***] Results from Oinkmaster started Fri Jan 12 20:00:05 2007 [***]
[+++] Added rules: [+++]
2003250 - BLEEDING-EDGE EXPLOIT Symantec Remote Management RTVScan Exploit (bleeding-exploit.rules)
2003251 - BLEEDING-EDGE MALWARE SpySheriff Intial Phone Home (bleeding-malware.rules)
2003252 - BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS (bleeding.rules)
2003253 - BLEEDING-EDGE Malware MarketScore Spyware Uploading Data (bleeding-malware.rules)
[///] Modified active rules: [///]
2001564 - BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic (bleeding-malware.rules)
2002349 - BLEEDING-EDGE MALWARE Alexa Spyware Reporting URL (bleeding-malware.rules)
2002400 - BLEEDING-EDGE MALWARE Suspicious User Agent (bleeding-malware.rules)
2003041 - BLEEDING-EDGE VIRUS Win32.SMTP-Mailer SMTP Outbound (bleeding-virus.rules)
2003249 - BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter URL Client Request (bleeding-exploit.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2404008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
[---] Disabled rules: [---]
2003248 - BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter URL (inbound) (bleeding-exploit.rules)
[---] Removed rules: [---]
2001476 - BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (pizdato) (bleeding-malware.rules)
2001477 - BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (coolsearch) (bleeding-malware.rules)
2001478 - BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (newiframe) (bleeding-malware.rules)
2002985 - BLEEDING-EDGE MALWARE SpySherriff Spyware Activity (bleeding-malware.rules)
2003101 - BLEEDING-EDGE VIRUS Win32.SMTP-Mailer SMTP Outbound v.2 (bleeding-virus.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 53
-> Added to bleeding-drop.rules (1):
# VERSION 53
-> Added to bleeding-exploit.rules (3):
#Commenting the first out by default. It's falsing a lot!
#Matt Jonkman
#limited info, but the exploit requires the data type to be 0x10, the command to be 0x24, then a null, and there is a backslash (0x5c) in the body, and the body is over 0x17c or 0x17a. More detail in the reference
-> Added to bleeding-malware.rules (1):
#by Mr Magic Pants
-> Added to bleeding-sid-msg.map (5):
2003041 || BLEEDING-EDGE VIRUS Win32.SMTP-Mailer SMTP Outbound || url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1 || url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095
2003250 || BLEEDING-EDGE EXPLOIT Symantec Remote Management RTVScan Exploit || url,research.eeye.com/html/advisories/published/AD20060612.html || cve,2006-3455
2003251 || BLEEDING-EDGE MALWARE SpySheriff Intial Phone Home || url,vil.nai.com/vil/content/v_135033.htm
2003252 || BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS || url,www.milw0rm.com/exploits/3111 || url,determina.blogspot.com/2007/01/whats-wrong-with-wmf.html
2003253 || BLEEDING-EDGE Malware MarketScore Spyware Uploading Data || url,www.spysweeper.com/remove-marketscore.html || url,www.marketscore.com
-> Added to bleeding-virus.rules (1):
#by mr Magic Pants
-> Added to bleeding.rules (1):
#by Mr Magic Pants
[---] Removed non-rule lines: [---]
-> Removed from bleeding-attack_response.rules (1):
# $Id: bleeding-attack_response.rules $
-> Removed from bleeding-dos.rules (1):
# $Id: bleeding-dos.rules $
-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 52
-> Removed from bleeding-drop.rules (1):
# VERSION 52
-> Removed from bleeding-exploit.rules (1):
# $Id: bleeding-exploit.rules $
-> Removed from bleeding-game.rules (1):
# $Id: bleeding-game.rules $
-> Removed from bleeding-inappropriate.rules (1):
# $Id: bleeding-inappropriate.rules $
-> Removed from bleeding-malware.rules (2):
# $Id: bleeding-malware.rules $
#This sig hits on traffic generated by a few REAL windows products, like Media player and MSN Messenger, on occasion. The VAST majority of hits are spyware though, but hits to msn,com and microsoft.com are likely falses.
-> Removed from bleeding-p2p.rules (1):
# $Id: bleeding-p2p.rules $
-> Removed from bleeding-policy.rules (1):
# $Id: bleeding-policy.rules $
-> Removed from bleeding-scan.rules (1):
# $Id: bleeding-scan.rules $
-> Removed from bleeding-sid-msg.map (6):
2001476 || BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (pizdato)
2001477 || BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (coolsearch)
2001478 || BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (newiframe)
2002985 || BLEEDING-EDGE MALWARE SpySherriff Spyware Activity
2003041 || BLEEDING-EDGE VIRUS Win32.SMTP-Mailer SMTP Outbound || url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1
2003101 || BLEEDING-EDGE VIRUS Win32.SMTP-Mailer SMTP Outbound v.2 || url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095
-> Removed from bleeding-virus.rules (3):
# $Id: bleeding-virus.rules $
#by Russ McRee
# Submitted 2006-09-17 by Russ McRee
-> Removed from bleeding-web.rules (1):
# $Id: bleeding-web.rules $
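The comment added to bleeding-exploit.rules above describes the byte pattern behind sid 2003250 (Symantec RTVScan, CVE-2006-3455): data type 0x10, command 0x24, a null, a backslash (0x5c) somewhere in the body, and a body longer than 0x17c or 0x17a. The following is an added example, not the Bleeding Edge rule or Symantec's protocol definition: it implements that heuristic in Python over constructed packets so the matching logic can be exercised offline. The header layout (three bytes: data type, command, null, followed by the body) is an assumption made for illustration, since the comment gives no offsets; the sample packets are constructed, not captures.

```python
"""Byte-pattern check for the RTVScan heuristic described in the rule comment.

Added example, not the Bleeding Edge rule itself. Field offsets are assumed.
"""

# Values taken from the rule comment.
DATA_TYPE = 0x10
COMMAND = 0x24
BACKSLASH = 0x5C
BODY_THRESHOLD = 0x17A  # comment says "over 0x17c or 0x17a"; use the lower bound

# ASSUMPTION: header is [data_type][command][null] and the body follows.
HEADER_LEN = 3


def parse(packet: bytes):
    """Split a packet into (data_type, command, null, body) under the assumed layout.

    Returns None when the packet is too short to carry the header.
    """
    if len(packet) < HEADER_LEN:
        return None
    return packet[0], packet[1], packet[2], packet[HEADER_LEN:]


def matches_rtvscan_heuristic(packet: bytes) -> bool:
    """True only when every condition from the rule comment holds."""
    parsed = parse(packet)
    if parsed is None:
        return False
    data_type, command, null, body = parsed
    return (
        data_type == DATA_TYPE
        and command == COMMAND
        and null == 0x00
        and BACKSLASH in body
        and len(body) > BODY_THRESHOLD
    )


def build_packet(data_type: int, command: int, body: bytes) -> bytes:
    """Construct a packet under the assumed layout (test input, not a real capture)."""
    return bytes([data_type, command, 0x00]) + body


# Constructed samples: one that should fire, and several that exercise each
# condition the comment lists so a single missing condition does not alert.
SAMPLES = {
    "oversized_with_backslash": build_packet(0x10, 0x24, b"A" * 0x180 + b"\\" + b"B" * 8),
    "oversized_no_backslash": build_packet(0x10, 0x24, b"A" * 0x190),
    "small_with_backslash": build_packet(0x10, 0x24, b"C:\\temp\\log.txt"),
    "wrong_command": build_packet(0x10, 0x25, b"A" * 0x180 + b"\\"),
    "truncated": b"\x10\x24",
}


def triage(samples=SAMPLES):
    """Return the sorted names of samples that would raise an alert."""
    return sorted(name for name, pkt in samples.items() if matches_rtvscan_heuristic(pkt))


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        verdict = "ALERT" if matches_rtvscan_heuristic(pkt) else "pass"
        print(f"{name:26s} {verdict}")
```

Only the oversized body that also carries a backslash fires; a short body with Windows-style paths, an oversized body without a backslash, or a different command byte all pass. That is the point of testing each condition separately: the pattern is loose (a backslash and a length threshold), which is consistent with the author's note above that the rule was commented out by default because it was "falsing a lot". A practitioner deploying a heuristic like this should expect to tighten it with protocol-specific offsets or pair it with port and direction constraints before enabling it in alerting mode.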