[Snort-sigs] Bleeding Edge Threats Daily Signature Changes

bleeding at ...3254... bleeding at ...3254...
Wed Oct 3 20:00:34 EDT 2007


[***] Results from Oinkmaster started Thu Oct  4 00:00:33 2007 [***]

[///]     Modified active rules:     [///]

 2003254 - BLEEDING-EDGE MALWARE SOCKSv5 Port 25 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003255 - BLEEDING-EDGE MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003256 - BLEEDING-EDGE MALWARE SOCKSv4 Port 25 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003257 - BLEEDING-EDGE MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003258 - BLEEDING-EDGE MALWARE SOCKSv5 DNS Inbound Request (Windows Source) (bleeding-malware.rules)
 2003259 - BLEEDING-EDGE MALWARE SOCKSv5 DNS Inbound Request (Linux Source) (bleeding-malware.rules)
 2003260 - BLEEDING-EDGE MALWARE SOCKSv5 HTTP Proxy Inbound Request (Windows Source) (bleeding-malware.rules)
 2003261 - BLEEDING-EDGE MALWARE SOCKSv5 HTTP Proxy Inbound Request (Linux Source) (bleeding-malware.rules)
 2003262 - BLEEDING-EDGE MALWARE SOCKSv4 HTTP Proxy Inbound Request (Windows Source) (bleeding-malware.rules)
 2003263 - BLEEDING-EDGE MALWARE SOCKSv4 HTTP Proxy Inbound Request (Linux Source) (bleeding-malware.rules)
 2003264 - BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Windows Source) (bleeding-malware.rules)
 2003265 - BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Linux Source) (bleeding-malware.rules)
 2003266 - BLEEDING-EDGE MALWARE SOCKSv5 Port 443 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003267 - BLEEDING-EDGE MALWARE SOCKSv5 Port 443 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003268 - BLEEDING-EDGE MALWARE SOCKSv4 Port 443 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003269 - BLEEDING-EDGE MALWARE SOCKSv4 Port 443 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003270 - BLEEDING-EDGE MALWARE SOCKSv5 Port 5190 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003271 - BLEEDING-EDGE MALWARE SOCKSv5 Port 5190 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003272 - BLEEDING-EDGE MALWARE SOCKSv4 Port 5190 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003273 - BLEEDING-EDGE MALWARE SOCKSv5 Port 5190 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003274 - BLEEDING-EDGE MALWARE SOCKSv5 Port 1863 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003275 - BLEEDING-EDGE MALWARE SOCKSv5 Port 1863 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003276 - BLEEDING-EDGE MALWARE SOCKSv4 Port 1863 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003277 - BLEEDING-EDGE MALWARE SOCKSv4 Port 1863 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003278 - BLEEDING-EDGE MALWARE SOCKSv5 Port 5050 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003279 - BLEEDING-EDGE MALWARE SOCKSv5 Port 5050 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003280 - BLEEDING-EDGE MALWARE SOCKSv4 Port 5050 Inbound Request (Windows Source) (bleeding-malware.rules)
 2003281 - BLEEDING-EDGE MALWARE SOCKSv4 Port 5050 Inbound Request (Linux Source) (bleeding-malware.rules)
 2003282 - BLEEDING-EDGE MALWARE SOCKSv4 Inbound Connect Request (Windows Source) (bleeding-malware.rules)
 2003283 - BLEEDING-EDGE MALWARE SOCKSv4 Inbound Connect Request (Linux Source) (bleeding-malware.rules)
 2003284 - BLEEDING-EDGE MALWARE SOCKSv5 IPv6 Inbound Connect Request (Windows Source) (bleeding-malware.rules)
 2003285 - BLEEDING-EDGE MALWARE SOCKSv5 IPv6 Inbound Connect Request (Linux Source) (bleeding-malware.rules)
 2003286 - BLEEDING-EDGE MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source) (bleeding-malware.rules)
 2003287 - BLEEDING-EDGE MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source) (bleeding-malware.rules)
 2003933 - BLEEDING-EDGE TROJAN Banker.Delf User-Agent (Ms) (bleeding-virus.rules)
 2006380 - BLEEDING-EDGE POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted (bleeding-policy.rules)
 2006402 - BLEEDING-EDGE POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted (bleeding-policy.rules)


[///]    Modified inactive rules:    [///]

 2003288 - BLEEDING-EDGE MALWARE SOCKSv4 Bind Inbound (Windows Source) (bleeding-malware.rules)
 2003289 - BLEEDING-EDGE MALWARE SOCKSv4 Bind Inbound (Linux Source) (bleeding-malware.rules)
 2003290 - BLEEDING-EDGE MALWARE SOCKSv5 Bind Inbound (Linux Source) (bleeding-malware.rules)
 2003291 - BLEEDING-EDGE MALWARE SOCKSv5 Bind Inbound (Windows Source) (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (2):
        # Details and updates available here http://handlers.sans.org/wsalusky/rants/
        #Cleanup and updates by John Pritchard

     -> Added to bleeding-sid-msg.map (58):
        2003254 || BLEEDING-EDGE MALWARE SOCKSv5 Port 25 Inbound Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003255 || BLEEDING-EDGE MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003256 || BLEEDING-EDGE MALWARE SOCKSv4 Port 25 Inbound Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003257 || BLEEDING-EDGE MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003258 || BLEEDING-EDGE MALWARE SOCKSv5 DNS Inbound Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003259 || BLEEDING-EDGE MALWARE SOCKSv5 DNS Inbound Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003260 || BLEEDING-EDGE MALWARE SOCKSv5 HTTP Proxy Inbound Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003261 || BLEEDING-EDGE MALWARE SOCKSv5 HTTP Proxy Inbound Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003262 || BLEEDING-EDGE MALWARE SOCKSv4 HTTP Proxy Inbound Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003263 || BLEEDING-EDGE MALWARE SOCKSv4 HTTP Proxy Inbound Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003264 || BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003265 || BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003266 || BLEEDING-EDGE MALWARE SOCKSv5 Port 443 Inbound Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003267 || BLEEDING-EDGE MALWARE SOCKSv5 Port 443 Inbound Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003268 || BLEEDING-EDGE MALWARE SOCKSv4 Port 443 Inbound Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003269 || BLEEDING-EDGE MALWARE SOCKSv4 Port 443 Inbound Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003270 || BLEEDING-EDGE MALWARE SOCKSv5 Port 5190 Inbound Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003271 || BLEEDING-EDGE MALWARE SOCKSv5 Port 5190 Inbound Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003272 || BLEEDING-EDGE MALWARE SOCKSv4 Port 5190 Inbound Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003273 || BLEEDING-EDGE MALWARE SOCKSv5 Port 5190 Inbound Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003274 || BLEEDING-EDGE MALWARE SOCKSv5 Port 1863 Inbound Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003275 || BLEEDING-EDGE MALWARE SOCKSv5 Port 1863 Inbound Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003276 || BLEEDING-EDGE MALWARE SOCKSv4 Port 1863 Inbound Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003277 || BLEEDING-EDGE MALWARE SOCKSv4 Port 1863 Inbound Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003278 || BLEEDING-EDGE MALWARE SOCKSv5 Port 5050 Inbound Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003279 || BLEEDING-EDGE MALWARE SOCKSv5 Port 5050 Inbound Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003280 || BLEEDING-EDGE MALWARE SOCKSv4 Port 5050 Inbound Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003281 || BLEEDING-EDGE MALWARE SOCKSv4 Port 5050 Inbound Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003282 || BLEEDING-EDGE MALWARE SOCKSv4 Inbound Connect Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003283 || BLEEDING-EDGE MALWARE SOCKSv4 Inbound Connect Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003284 || BLEEDING-EDGE MALWARE SOCKSv5 IPv6 Inbound Connect Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003285 || BLEEDING-EDGE MALWARE SOCKSv5 IPv6 Inbound Connect Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003286 || BLEEDING-EDGE MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003287 || BLEEDING-EDGE MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003288 || BLEEDING-EDGE MALWARE SOCKSv4 Bind Inbound (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003289 || BLEEDING-EDGE MALWARE SOCKSv4 Bind Inbound (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003290 || BLEEDING-EDGE MALWARE SOCKSv5 Bind Inbound (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003291 || BLEEDING-EDGE MALWARE SOCKSv5 Bind Inbound (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2500507 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (508) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500508 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (509) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500509 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (510) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500510 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (511) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500511 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (512) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500512 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (513) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500513 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (514) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500514 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (515) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500515 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (516) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500516 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (517) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510507 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (508) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510508 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (509) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510509 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (510) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510510 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (511) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510511 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (512) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510512 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (513) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510513 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (514) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510514 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (515) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510515 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (516) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510516 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (517) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-malware.rules (1):
        # Details and updates available here http://handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules

     -> Removed from bleeding-sid-msg.map (38):
        2003254 || BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003255 || BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003256 || BLEEDING-EDGE MALWARE Socksv4 Port 25 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003257 || BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003258 || BLEEDING-EDGE MALWARE Socksv5 DNS Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003259 || BLEEDING-EDGE MALWARE Socksv5 DNS Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003260 || BLEEDING-EDGE MALWARE Socksv5 HTTP Proxy Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003261 || BLEEDING-EDGE MALWARE Socksv5 HTTP Proxy Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003262 || BLEEDING-EDGE MALWARE Socksv4 HTTP Proxy Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003263 || BLEEDING-EDGE MALWARE Socksv4 HTTP Proxy Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003264 || BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003265 || BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003266 || BLEEDING-EDGE MALWARE Socksv5 Port 443 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003267 || BLEEDING-EDGE MALWARE Socksv5 Port 443 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003268 || BLEEDING-EDGE MALWARE Socksv4 Port 443 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003269 || BLEEDING-EDGE MALWARE Socksv4 Port 443 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003270 || BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003271 || BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003272 || BLEEDING-EDGE MALWARE Socksv4 Port 5190 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003273 || BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003274 || BLEEDING-EDGE MALWARE Socksv5 Port 1863 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003275 || BLEEDING-EDGE MALWARE Socksv5 Port 1863 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003276 || BLEEDING-EDGE MALWARE Socksv4 Port 1863 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003277 || BLEEDING-EDGE MALWARE Socksv4 Port 1863 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003278 || BLEEDING-EDGE MALWARE Socksv5 Port 5050 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003279 || BLEEDING-EDGE MALWARE Socksv5 Port 5050 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003280 || BLEEDING-EDGE MALWARE Socksv4 Port 5050 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003281 || BLEEDING-EDGE MALWARE Socksv4 Port 5050 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003282 || BLEEDING-EDGE MALWARE Socksv4 Inbound Connect Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003283 || BLEEDING-EDGE MALWARE Socksv4 Inbound Connect Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003284 || BLEEDING-EDGE MALWARE Socksv5 IPv6 Inbound Connect Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003285 || BLEEDING-EDGE MALWARE Socksv5 IPv6 Inbound Connect Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003286 || BLEEDING-EDGE MALWARE Socksv5 UDP Proxy Inbound Connect Request (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003287 || BLEEDING-EDGE MALWARE Socksv5 UDP Proxy Inbound Connect Request (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003288 || BLEEDING-EDGE MALWARE Socksv4 Bind Inbound (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003289 || BLEEDING-EDGE MALWARE Socksv4 Bind Inbound (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003290 || BLEEDING-EDGE MALWARE Socksv5 Bind Inbound (Linux Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
        2003291 || BLEEDING-EDGE MALWARE Socksv5 Bind Inbound (Windows Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules





More information about the Snort-sigs mailing list