[Snort-sigs] Bleeding Edge Threats Daily Signature Changes

bleeding at ...3254...
Fri Jan 12 15:00:05 EST 2007


[***] Results from Oinkmaster started Fri Jan 12 20:00:05 2007 [***]

[+++]          Added rules:          [+++]

 2003250 - BLEEDING-EDGE EXPLOIT Symantec Remote Management RTVScan Exploit (bleeding-exploit.rules)
 2003251 - BLEEDING-EDGE MALWARE SpySheriff Intial Phone Home (bleeding-malware.rules)
 2003252 - BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS (bleeding.rules)
 2003253 - BLEEDING-EDGE Malware MarketScore Spyware Uploading Data (bleeding-malware.rules)


[///]     Modified active rules:     [///]

 2001564 - BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic (bleeding-malware.rules)
 2002349 - BLEEDING-EDGE MALWARE Alexa Spyware Reporting URL (bleeding-malware.rules)
 2002400 - BLEEDING-EDGE MALWARE Suspicious User Agent (bleeding-malware.rules)
 2003041 - BLEEDING-EDGE VIRUS Win32.SMTP-Mailer SMTP Outbound (bleeding-virus.rules)
 2003249 - BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter URL Client Request (bleeding-exploit.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2404008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Disabled rules:        [---]

 2003248 - BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter URL (inbound) (bleeding-exploit.rules)


[---]         Removed rules:         [---]

 2001476 - BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (pizdato) (bleeding-malware.rules)
 2001477 - BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (coolsearch) (bleeding-malware.rules)
 2001478 - BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (newiframe) (bleeding-malware.rules)
 2002985 - BLEEDING-EDGE MALWARE SpySherriff Spyware Activity (bleeding-malware.rules)
 2003101 - BLEEDING-EDGE VIRUS Win32.SMTP-Mailer SMTP Outbound v.2 (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 53

     -> Added to bleeding-drop.rules (1):
        #  VERSION 53

     -> Added to bleeding-exploit.rules (3):
        #Commenting the first out by default. It's falsing a lot!
        #Matt Jonkman
        #limited info, but the exploit requires the data type to be 0x10, the command to be 0x24, then a null, and there is a backslash (0x5c) in the body, and the body is over 0x17c or 0x17a. More detail in the reference

     -> Added to bleeding-malware.rules (1):
        #by Mr Magic Pants

     -> Added to bleeding-sid-msg.map (5):
        2003041 || BLEEDING-EDGE VIRUS Win32.SMTP-Mailer SMTP Outbound || url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1 || url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095
        2003250 || BLEEDING-EDGE EXPLOIT Symantec Remote Management RTVScan Exploit || url,research.eeye.com/html/advisories/published/AD20060612.html || cve,2006-3455
        2003251 || BLEEDING-EDGE MALWARE SpySheriff Intial Phone Home || url,vil.nai.com/vil/content/v_135033.htm
        2003252 || BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS || url,www.milw0rm.com/exploits/3111 || url,determina.blogspot.com/2007/01/whats-wrong-with-wmf.html
        2003253 || BLEEDING-EDGE Malware MarketScore Spyware Uploading Data || url,www.spysweeper.com/remove-marketscore.html || url,www.marketscore.com

     -> Added to bleeding-virus.rules (1):
        #by mr Magic Pants

     -> Added to bleeding.rules (1):
        #by Mr Magic Pants

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-attack_response.rules (1):
        # $Id: bleeding-attack_response.rules $

     -> Removed from bleeding-dos.rules (1):
        # $Id: bleeding-dos.rules $

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 52

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 52

     -> Removed from bleeding-exploit.rules (1):
        # $Id: bleeding-exploit.rules $

     -> Removed from bleeding-game.rules (1):
        # $Id: bleeding-game.rules $

     -> Removed from bleeding-inappropriate.rules (1):
        # $Id: bleeding-inappropriate.rules $

     -> Removed from bleeding-malware.rules (2):
        # $Id: bleeding-malware.rules $
        #This sig hits on traffic generated by a few REAL windows products, like Media player and MSN Messenger, on occasion. The VAST majority of hits are spyware though, but hits to msn,com and microsoft.com are likely falses.

     -> Removed from bleeding-p2p.rules (1):
        # $Id: bleeding-p2p.rules $

     -> Removed from bleeding-policy.rules (1):
        # $Id: bleeding-policy.rules $

     -> Removed from bleeding-scan.rules (1):
        # $Id: bleeding-scan.rules $

     -> Removed from bleeding-sid-msg.map (6):
        2001476 || BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (pizdato)
        2001477 || BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (coolsearch)
        2001478 || BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (newiframe)
        2002985 || BLEEDING-EDGE MALWARE SpySherriff Spyware Activity
        2003041 || BLEEDING-EDGE VIRUS Win32.SMTP-Mailer SMTP Outbound || url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1
        2003101 || BLEEDING-EDGE VIRUS Win32.SMTP-Mailer SMTP Outbound v.2 || url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095

     -> Removed from bleeding-virus.rules (3):
        # $Id: bleeding-virus.rules $
        #by Russ McRee
        # Submitted 2006-09-17 by Russ McRee

     -> Removed from bleeding-web.rules (1):
        # $Id: bleeding-web.rules $
