[Snort-sigs] Bleeding Edge Threats Daily Signature Changes

bleeding at ...3254... bleeding at ...3254...
Mon Jan 15 15:00:04 EST 2007


[***] Results from Oinkmaster started Mon Jan 15 20:00:04 2007 [***]

[+++]          Added rules:          [+++]

 2003254 - BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003255 - BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003256 - BLEEDING-EDGE MALWARE Socksv4 Port 25 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003257 - BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003258 - BLEEDING-EDGE MALWARE Socksv5 DNS Inbound Request (Windows Source) (bleeding-malware.rules)
 2003259 - BLEEDING-EDGE MALWARE Socksv5 DNS Inbound Request (Linux Source) (bleeding-malware.rules)
 2003260 - BLEEDING-EDGE MALWARE Socksv5 HTTP Proxy Inbound Request (Windows Source) (bleeding-malware.rules)
 2003261 - BLEEDING-EDGE MALWARE Socksv5 HTTP Proxy Inbound Request (Linux Source) (bleeding-malware.rules)
 2003262 - BLEEDING-EDGE MALWARE Socksv4 HTTP Proxy Inbound Request (Windows Source) (bleeding-malware.rules)
 2003263 - BLEEDING-EDGE MALWARE Socksv4 HTTP Proxy Inbound Request (Linux Source) (bleeding-malware.rules)
 2003264 - BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Windows Source) (bleeding-malware.rules)
 2003265 - BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Linux Source) (bleeding-malware.rules)
 2003266 - BLEEDING-EDGE MALWARE Socksv5 Port 443 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003267 - BLEEDING-EDGE MALWARE Socksv5 Port 443 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003268 - BLEEDING-EDGE MALWARE Socksv4 Port 443 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003269 - BLEEDING-EDGE MALWARE Socksv4 Port 443 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003270 - BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003271 - BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003272 - BLEEDING-EDGE MALWARE Socksv4 Port 5190 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003273 - BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003274 - BLEEDING-EDGE MALWARE Socksv5 Port 1863 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003275 - BLEEDING-EDGE MALWARE Socksv5 Port 1863 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003276 - BLEEDING-EDGE MALWARE Socksv4 Port 1863 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003277 - BLEEDING-EDGE MALWARE Socksv4 Port 1863 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003278 - BLEEDING-EDGE MALWARE Socksv5 Port 5050 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003279 - BLEEDING-EDGE MALWARE Socksv5 Port 5050 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003280 - BLEEDING-EDGE MALWARE Socksv4 Port 5050 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003281 - BLEEDING-EDGE MALWARE Socksv4 Port 5050 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003282 - BLEEDING-EDGE MALWARE Socksv4 Inbound Connect Request (Windows Source) (bleeding-malware.rules)
 2003283 - BLEEDING-EDGE MALWARE Socksv4 Inbound Connect Request (Linux Source) (bleeding-malware.rules)
 2003284 - BLEEDING-EDGE MALWARE Socksv5 IPv6 Inbound Connect Request (Windows Source) (bleeding-malware.rules)
 2003285 - BLEEDING-EDGE MALWARE Socksv5 IPv6 Inbound Connect Request (Linux Source) (bleeding-malware.rules)
 2003286 - BLEEDING-EDGE MALWARE Socksv5 UDP Proxy Inbound Connect Request (Windows Source) (bleeding-malware.rules)
 2003287 - BLEEDING-EDGE MALWARE Socksv5 UDP Proxy Inbound Connect Request (Linux Source) (bleeding-malware.rules)
 2003288 - BLEEDING-EDGE MALWARE Socksv4 Bind Inbound (Windows Source) (bleeding-malware.rules)
 2003289 - BLEEDING-EDGE MALWARE Socksv4 Bind Inbound (Linux Source) (bleeding-malware.rules)
 2003290 - BLEEDING-EDGE MALWARE Socksv5 Bind Inbound (Linux Source) (bleeding-malware.rules)
 2003291 - BLEEDING-EDGE MALWARE Socksv5 Bind Inbound (Windows Source) (bleeding-malware.rules)
 2003292 - BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Outbound (bleeding-virus.rules)
 2003293 - BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Inbound (bleeding-virus.rules)
 2003294 - BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Inbound (bleeding-virus.rules)
 2003295 - BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Outbound (bleeding-virus.rules)
 2003296 - BLEEDING-EDGE TROJAN Possible Web-based DDoS-command being issued (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2002992 - BLEEDING-EDGE SCAN Rapid POP3 Connections - Possible Brute Force Attack (bleeding-scan.rules)
 2002993 - BLEEDING-EDGE SCAN Rapid POP3S Connections - Possible Brute Force Attack (bleeding-scan.rules)
 2002994 - BLEEDING-EDGE SCAN Rapid IMAP Connections - Possible Brute Force Attack (bleeding-scan.rules)
 2002995 - BLEEDING-EDGE SCAN Rapid IMAPS Connections - Possible Brute Force Attack (bleeding-scan.rules)
 2003099 - BLEEDING-EDGE WEB-MISC Poison Null Byte (bleeding-web.rules)
 2003180 - BLEEDING-EDGE TROJAN Possible Warezov/Stration Data Post to Controller (bleeding-virus.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Removed rules:         [---]

 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2404008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9)  (bleeding-botcc.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 56

     -> Added to bleeding-drop.rules (1):
        #  VERSION 56

     -> Added to bleeding-malware.rules (7):
        #by William Salusky of the ISC (www.incidents.org)
        # Details and updates available here http://handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        # If you have any socks proxies being abused in your environment... The following four rules are MONEY.
        # The following rules open ended arbitrary Socks4 detection of ANY port being proxied.  I run this only on occasion when looking for sketchy new activity.  A better rule would do byte tests to exclude common target ports of 25, 80 etc...
        # Another case of rules that fire according to RFC standards, but I haven't really witnessed this type of traffic to confirm.
        # Another case of rules that fire according to RFC standards, but I haven't really witnessed this type of traffic to confirm.
        # I keep these mostly commented, while they are correct according to RFC for BIND actions, in practice I've found only FP's which I still need to dig through and see what's really going on there.

     -> Added to bleeding-sid-msg.map (44):
        2003180 || BLEEDING-EDGE TROJAN Possible Warezov/Stration Data Post to Controller || url,www.sophos.com/security/analyses/w32strationbo.html
        2003254 || BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003255 || BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003256 || BLEEDING-EDGE MALWARE Socksv4 Port 25 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003257 || BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003258 || BLEEDING-EDGE MALWARE Socksv5 DNS Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003259 || BLEEDING-EDGE MALWARE Socksv5 DNS Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003260 || BLEEDING-EDGE MALWARE Socksv5 HTTP Proxy Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003261 || BLEEDING-EDGE MALWARE Socksv5 HTTP Proxy Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003262 || BLEEDING-EDGE MALWARE Socksv4 HTTP Proxy Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003263 || BLEEDING-EDGE MALWARE Socksv4 HTTP Proxy Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003264 || BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003265 || BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003266 || BLEEDING-EDGE MALWARE Socksv5 Port 443 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003267 || BLEEDING-EDGE MALWARE Socksv5 Port 443 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003268 || BLEEDING-EDGE MALWARE Socksv4 Port 443 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003269 || BLEEDING-EDGE MALWARE Socksv4 Port 443 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003270 || BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003271 || BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003272 || BLEEDING-EDGE MALWARE Socksv4 Port 5190 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003273 || BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003274 || BLEEDING-EDGE MALWARE Socksv5 Port 1863 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003275 || BLEEDING-EDGE MALWARE Socksv5 Port 1863 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003276 || BLEEDING-EDGE MALWARE Socksv4 Port 1863 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003277 || BLEEDING-EDGE MALWARE Socksv4 Port 1863 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003278 || BLEEDING-EDGE MALWARE Socksv5 Port 5050 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003279 || BLEEDING-EDGE MALWARE Socksv5 Port 5050 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003280 || BLEEDING-EDGE MALWARE Socksv4 Port 5050 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003281 || BLEEDING-EDGE MALWARE Socksv4 Port 5050 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003282 || BLEEDING-EDGE MALWARE Socksv4 Inbound Connect Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003283 || BLEEDING-EDGE MALWARE Socksv4 Inbound Connect Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003284 || BLEEDING-EDGE MALWARE Socksv5 IPv6 Inbound Connect Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003285 || BLEEDING-EDGE MALWARE Socksv5 IPv6 Inbound Connect Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003286 || BLEEDING-EDGE MALWARE Socksv5 UDP Proxy Inbound Connect Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003287 || BLEEDING-EDGE MALWARE Socksv5 UDP Proxy Inbound Connect Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003288 || BLEEDING-EDGE MALWARE Socksv4 Bind Inbound (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003289 || BLEEDING-EDGE MALWARE Socksv4 Bind Inbound (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003290 || BLEEDING-EDGE MALWARE Socksv5 Bind Inbound (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003291 || BLEEDING-EDGE MALWARE Socksv5 Bind Inbound (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003292 || BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Outbound || url,www.sophos.com/virusinfo/analyses/w32allapleb.html
        2003293 || BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Inbound || url,www.sophos.com/virusinfo/analyses/w32allapleb.html
        2003294 || BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Inbound || url,www.sophos.com/virusinfo/analyses/w32allapleb.html
        2003295 || BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Outbound || url,www.sophos.com/virusinfo/analyses/w32allapleb.html
        2003296 || BLEEDING-EDGE TROJAN Possible Web-based DDoS-command being issued

     -> Added to bleeding-virus.rules (2):
        #from anonymous
        #by Matt Jonkman

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-attack_response.rules (1):
        # $Id: bleeding-attack_response.rules $

     -> Removed from bleeding-dos.rules (1):
        # $Id: bleeding-dos.rules $

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 53

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 53

     -> Removed from bleeding-exploit.rules (1):
        # $Id: bleeding-exploit.rules $

     -> Removed from bleeding-game.rules (1):
        # $Id: bleeding-game.rules $

     -> Removed from bleeding-inappropriate.rules (1):
        # $Id: bleeding-inappropriate.rules $

     -> Removed from bleeding-malware.rules (1):
        # $Id: bleeding-malware.rules $

     -> Removed from bleeding-p2p.rules (1):
        # $Id: bleeding-p2p.rules $

     -> Removed from bleeding-policy.rules (1):
        # $Id: bleeding-policy.rules $

     -> Removed from bleeding-scan.rules (1):
        # $Id: bleeding-scan.rules $

     -> Removed from bleeding-sid-msg.map (7):
        2003180 || BLEEDING-EDGE TROJAN Warezov/Stration Data Post to Controller || url,www.sophos.com/security/analyses/w32strationbo.html
        2404006 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  || url,www.shadowserver.org
        2404007 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)  || url,www.shadowserver.org
        2404008 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9)  || url,www.shadowserver.org
        2405006 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org
        2405007 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org
        2405008 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Removed from bleeding-virus.rules (1):
        # $Id: bleeding-virus.rules $

     -> Removed from bleeding-web.rules (1):
        # $Id: bleeding-web.rules $





More information about the Snort-sigs mailing list