[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes

bleeding at ...3254...
Fri May 4 18:00:06 EDT 2007


[***] Results from Oinkmaster started Fri May  4 18:00:06 2007 [***]

[+++]          Added rules:          [+++]

 2003617 - BLEEDING-EDGE Malware MyWebSearch Toolbar Posting Activity Report (bleeding-malware.rules)
 2003619 - BLEEDING-EDGE MALWARE Alexa Spyware Redirecting User (bleeding-malware.rules)
 2003620 - BLEEDING-EDGE MALWARE 51yes.com Spyware Reporting User Activity (bleeding-malware.rules)
 2003621 - BLEEDING-EDGE Malware MyWay Spyware Posting Activity Report - Dell Related (bleeding-malware.rules)
 2003622 - BLEEDING-EDGE MALWARE Suspicious User-Agent (bot) (bleeding-malware.rules)
 2003623 - BLEEDING-EDGE POLICY Centralops.net Domain Dossier Utility Probe (bleeding-policy.rules)
 2003624 - BLEEDING-EDGE MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0) (bleeding-malware.rules)
 2003625 - BLEEDING-EDGE MALWARE dns-look-up.com Spyware User-Agent (KRSystem) (bleeding-malware.rules)
 2003626 - BLEEDING-EDGE MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: ) (bleeding-malware.rules)
 2003627 - BLEEDING-EDGE MALWARE Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI) (bleeding-malware.rules)
 2003630 - BLEEDING-EDGE MALWARE Baidu.com Spyware Sobar Bar Activity (bleeding-malware.rules)
 2003631 - BLEEDING-EDGE POLICY Centralops.net Probe (bleeding-policy.rules)
 2003632 - BLEEDING-EDGE VIRUS Zlob User Agent - updating (internetsecurity) (bleeding-virus.rules)
 2003633 - BLEEDING-EDGE CURRENT EVENTS Traffic with a window of 55808 - Unknown likely hostile scanning - Please report hits to Bleeding Edge or ISC (bleeding.rules)
 2003634 - BLEEDING-EDGE WEB Suspicious User-Agent - get-minimal - Possible Vuln Scan (bleeding-web.rules)
 2003635 - BLEEDING-EDGE TROJAN Generic Password Stealer User Agent Detected (bleeding-virus.rules)
 2003636 - BLEEDING-EDGE Sality Virus User Agent Detected (KUKU v3.09) (bleeding-virus.rules)
 2003637 - BLEEDING-EDGE TROJAN Inject.BV Trojan User Agent Detected (faserx) (bleeding-virus.rules)
 2003639 - BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (ProxyDown) (bleeding-malware.rules)
 2003640 - BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel) (bleeding-malware.rules)
 2003641 - BLEEDING-EDGE TROJAN Downloader.Small User Agent Detected (NetScafe) (bleeding-virus.rules)
 2003642 - BLEEDING-EDGE TROJAN Downloader.Affill User Agent Detected (lol) (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2002682 - BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer Window() Possible Code Execution (bleeding-exploit.rules)
 2002734 - BLEEDING-EDGE EXPLOIT WMF Exploit (bleeding-exploit.rules)
 2002860 - BLEEDING-EDGE EXPLOIT Internet Explorer createTextRange Code Execution (bleeding-exploit.rules)
 2003109 - BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer VML Fill Method Attribute Overflow (bleeding-exploit.rules)
 2003425 - BLEEDING-EDGE MALWARE clickspring.com Spyware Install User-Agent (CS Fingerprint Module) (bleeding-malware.rules)
 2003587 - BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack (bleeding.rules)
 2003592 - BLEEDING-EDGE CURRENT EVENTS Vulnerable DNS RPC Bind (bleeding.rules)
 2003593 - BLEEDING-EDGE CURRENT EVENTS DNS RPC Exploit (specific to Metasploit Module) (bleeding.rules)
 2003594 - BLEEDING-EDGE CURRENT EVENTS DNS RPC Exploit big endian (specific to Metasploit Module) (bleeding.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[///]    Modified inactive rules:    [///]

 2002909 - BLEEDING-EDGE EXPLOIT Internet Explorer Cryptomathic ActiveX createPKCS10 Access (bleeding-exploit.rules)


[---]         Disabled rules:        [---]

 2001915 - BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Request-TCP) (bleeding-exploit.rules)
 2001916 - BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Response-TCP) (bleeding-exploit.rules)
 2001917 - BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Request-UDP) (bleeding-exploit.rules)
 2001918 - BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Response-UDP) (bleeding-exploit.rules)
 2003584 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 173

     -> Added to bleeding-drop.rules (1):
        #  VERSION 173

     -> Added to bleeding-malware.rules (2):
        #from spyware listening post data, by matt Jonkman
        #from castlecops research

     -> Added to bleeding-policy.rules (1):
        #online tools

     -> Added to bleeding-sid-msg.map (27):
        2002682 || BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer Window() Possible Code Execution || cve,2005-1790 || url,www.computerterrorism.com/research/ie/ct21-11-2005 || url,secunia.com/advisories/15546
        2002734 || BLEEDING-EDGE EXPLOIT WMF Exploit || url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php
        2002860 || BLEEDING-EDGE EXPLOIT Internet Explorer createTextRange Code Execution || cve,2006-1359 || bugtraq,17196
        2002909 || BLEEDING-EDGE EXPLOIT Internet Explorer Cryptomathic ActiveX createPKCS10 Access || bugtraq,17852 || cve,2006-1172
        2003109 || BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer VML Fill Method Attribute Overflow || bugtraq,20096 || cve,2006-4868
        2003617 || BLEEDING-EDGE Malware MyWebSearch Toolbar Posting Activity Report
        2003619 || BLEEDING-EDGE MALWARE Alexa Spyware Redirecting User
        2003620 || BLEEDING-EDGE MALWARE 51yes.com Spyware Reporting User Activity
        2003621 || BLEEDING-EDGE Malware MyWay Spyware Posting Activity Report - Dell Related
        2003622 || BLEEDING-EDGE MALWARE Suspicious User-Agent (bot)
        2003623 || BLEEDING-EDGE POLICY Centralops.net Domain Dossier Utility Probe || url,centralops.net
        2003624 || BLEEDING-EDGE MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0)
        2003625 || BLEEDING-EDGE MALWARE dns-look-up.com Spyware User-Agent (KRSystem)
        2003626 || BLEEDING-EDGE MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: )
        2003627 || BLEEDING-EDGE MALWARE Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI)
        2003630 || BLEEDING-EDGE MALWARE Baidu.com Spyware Sobar Bar Activity || url,www.pctools.com/mrc/infections/id/BaiDu/
        2003631 || BLEEDING-EDGE POLICY Centralops.net Probe || url,centralops.net
        2003632 || BLEEDING-EDGE VIRUS Zlob User Agent - updating (internetsecurity) || url,secubox.aldria.com/topic-post1618.html#post1618
        2003633 || BLEEDING-EDGE CURRENT EVENTS Traffic with a window of 55808 - Unknown likely hostile scanning - Please report hits to Bleeding Edge or ISC || url,www.cert.org/current/archive/2003/06/25/archive.html || url,isc.sans.org/diary.html?n&storyid=2717
        2003634 || BLEEDING-EDGE WEB Suspicious User-Agent - get-minimal - Possible Vuln Scan
        2003635 || BLEEDING-EDGE TROJAN Generic Password Stealer User Agent Detected
        2003636 || BLEEDING-EDGE Sality Virus User Agent Detected (KUKU v3.09)
        2003637 || BLEEDING-EDGE TROJAN Inject.BV Trojan User Agent Detected (faserx)
        2003639 || BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (ProxyDown)
        2003640 || BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel)
        2003641 || BLEEDING-EDGE TROJAN Downloader.Small User Agent Detected (NetScafe)
        2003642 || BLEEDING-EDGE TROJAN Downloader.Affill User Agent Detected (lol)

     -> Added to bleeding-virus.rules (5):
        #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
        #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
        #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
        #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
        #by axn jxn

     -> Added to bleeding-web.rules (2):
        #Seen being used for vuln scanning.
        # The original script it's modified from is legitimate, so there may be some falses

     -> Added to bleeding.rules (2):
        #by Matt Jonkman
        #From ISC post here: isc.sans.org/diary.html?n&storyid=2717

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 166

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 166

     -> Removed from bleeding-sid-msg.map (5):
        2002682 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer Window() Possible Code Execution || cve,2005-1790 || url,www.computerterrorism.com/research/ie/ct21-11-2005 || url,secunia.com/advisories/15546
        2002734 || BLEEDING-EDGE CURRENT WMF Exploit || url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php
        2002860 || BLEEDING-EDGE WEB CLIENT Internet Explorer createTextRange Code Execution || cve,2006-1359 || bugtraq,17196
        2002909 || BLEEDING-EDGE WEB CLIENT Internet Explorer Cryptomathic ActiveX createPKCS10 Access || bugtraq,17852 || cve,2006-1172
        2003109 || BLEEDING-EDGE Microsoft Internet Explorer VML Fill Method Attribute Overflow || bugtraq,20096 || cve,2006-4868