[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes

bleeding at ...3254... bleeding at ...3254...
Fri Nov 23 17:00:12 EST 2007


[***] Results from Oinkmaster started Fri Nov 23 22:00:12 2007 [***]

[+++]          Added rules:          [+++]

 2003330 - BLEEDING-EDGE POLICY Possible Spambot -- Host DNS MX Query High Count (bleeding-policy.rules)


[///]     Modified active rules:     [///]

 2003588 - BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Traffic (User-Agent skw00001) (bleeding-virus.rules)
 2003589 - BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Post Traffic (User-Agent h9tslbw0) (bleeding-virus.rules)
 2003636 - BLEEDING-EDGE VIRUS Sality Virus User Agent Detected (KUKU v3.09) (bleeding-virus.rules)
 2003651 - BLEEDING-EDGE VIRUS Sality Virus User Agent Detected (SPM_ID=) (bleeding-virus.rules)
 2006417 - BLEEDING-EDGE ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected (bleeding-attack_response.rules)
 2007695 - BLEEDING-EDGE POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (bleeding-policy.rules)


[---]         Removed rules:         [---]

 2003330 - BLEEDING-EDGE POLICY Possible Spambot -- Host DNS MX Query High Count (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-policy.rules (3):
        #Matt Jonkman, major updates by Chris Byrd
        #Experimenting with this idea. When a bot comes up live and starts spamming, it
        #  does a massive number of dns queries. This may be an extra way to identify infections

     -> Added to bleeding-sid-msg.map (6):
        2003588 || BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Traffic (User-Agent skw00001) || url,doc.bleedingthreats.net/2003588
        2003589 || BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Post Traffic (User-Agent h9tslbw0) || url,doc.bleedingthreats.net/2003589
        2003636 || BLEEDING-EDGE VIRUS Sality Virus User Agent Detected (KUKU v3.09)
        2003651 || BLEEDING-EDGE VIRUS Sality Virus User Agent Detected (SPM_ID=)
        2006417 || BLEEDING-EDGE ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected
        2007695 || BLEEDING-EDGE POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System || url,doc.bleedingthreats.net/bin/view/Main/Windows98UA

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (6):
        2003588 || BLEEDING-EDGE CURRENT EVENTS Worm.Pyks HTTP C&C Traffic (User-Agent skw00001) || url,doc.bleedingthreats.net/2003588
        2003589 || BLEEDING-EDGE CURRENT EVENTS Worm.Pyks HTTP C&C Post Traffic (User-Agent h9tslbw0) || url,doc.bleedingthreats.net/2003589
        2003636 || BLEEDING-EDGE Sality Virus User Agent Detected (KUKU v3.09)
        2003651 || BLEEDING-EDGE Sality Virus User Agent Detected (SPM_ID=)
        2006417 || BLEEDING-EDGE ATTACK-RESPONSE Weak Netbios Lanman Auth Challenge Detected
        2007695 || BLEEDING-EDGE POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System || url.doc.bleedingthreats.net/bin/view/Main/Windows98UA

     -> Removed from bleeding-virus.rules (3):
        #Matt Jonkman, major updates by Chris Byrd
        #Experimenting with this idea. When a bot comes up live and starts spamming, it
        #  does a massive number of dns queries. This may be an extra way to identify infections
