[Snort-sigs] Emerging Threats Daily Signature Changes

emerging at ...3335...
Wed Jan 9 17:00:07 EST 2008


[***] Results from Oinkmaster started Wed Jan  9 17:00:07 2008 [***]

[+++]          Added rules:          [+++]

 2007745 - BLEEDING-EDGE TROJAN Parite.B HTTP Download Detected (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2002082 - BLEEDING-EDGE POLICY Unusual User Agent (Client) (bleeding-policy.rules)
 2003484 - BLEEDING-EDGE WORM Allaple Unique HTTP Request - Possibly part of DDOS (bleeding-virus.rules)
 2003491 - BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla User-Agent (Mozila/4.0...) (bleeding-malware.rules)
 2003492 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) (bleeding-malware.rules)
 2003513 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0) (bleeding-malware.rules)
 2003530 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) (bleeding-malware.rules)
 2003549 - BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report (bleeding-virus.rules)
 2003550 - BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes (bleeding-virus.rules)
 2003551 - BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command (bleeding-virus.rules)
 2003552 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active (bleeding-virus.rules)
 2003553 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off (bleeding-virus.rules)
 2003554 - BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply (bleeding-virus.rules)
 2003555 - BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report (bleeding-virus.rules)
 2003556 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send (bleeding-virus.rules)
 2003557 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply (bleeding-virus.rules)
 2003558 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send (bleeding-virus.rules)
 2003559 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send (bleeding-virus.rules)
 2003560 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send (bleeding-virus.rules)
 2003561 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply (bleeding-virus.rules)
 2003562 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send (bleeding-virus.rules)
 2003563 - BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send (bleeding-virus.rules)
 2003564 - BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply (bleeding-virus.rules)
 2003565 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply (bleeding-virus.rules)
 2003566 - BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) (bleeding-malware.rules)
 2003567 - BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) (bleeding-malware.rules)
 2003569 - BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) (bleeding-malware.rules)
 2003583 - BLEEDING-EDGE MALWARE Suspicious User-Agent (update) (bleeding-malware.rules)
 2003585 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Windows Updates Manager) (bleeding-malware.rules)
 2003586 - BLEEDING-EDGE MALWARE Suspicious User-Agent (WinXP Pro Service Pack 2) (bleeding-malware.rules)
 2003588 - BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Traffic (User-Agent skw00001) (bleeding-virus.rules)
 2003589 - BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Post Traffic (User-Agent h9tslbw0) (bleeding-virus.rules)
 2003590 - BLEEDING-EDGE TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID [...) (bleeding-virus.rules)
 2003599 - BLEEDING-EDGE POLICY Groove.net Virtual Office Suite Install/Startup Report (bleeding-policy.rules)
 2003600 - BLEEDING-EDGE POLICY Groove.net Virtual Office Suite Install Report (bleeding-policy.rules)
 2003601 - BLEEDING-EDGE POLICY Groove.net Virtual Office In Use (bleeding-policy.rules)
 2003602 - BLEEDING-EDGE POLICY Groove.net Virtual Office Local Service Discovery Broadcast (bleeding-policy.rules)
 2003614 - BLEEDING-EDGE VIRUS WinUpack Modified PE Header Inbound (bleeding-virus.rules)
 2003615 - BLEEDING-EDGE VIRUS WinUpack Modified PE Header Outbound (bleeding-virus.rules)
 2006382 - BLEEDING-EDGE TROJAN Matcash or related downloader User-Agent Detected (bleeding-virus.rules)
 2006395 - BLEEDING-EDGE TROJAN Socks666 Connection Initial Packet (bleeding-virus.rules)
 2006396 - BLEEDING-EDGE TROJAN Socks666 Connect Command Packet (bleeding-virus.rules)
 2006397 - BLEEDING-EDGE TROJAN Socks666 Successful Connect Packet Packet (bleeding-virus.rules)
 2006398 - BLEEDING-EDGE TROJAN Socks666 Checkin Packet (bleeding-virus.rules)
 2006399 - BLEEDING-EDGE TROJAN Socks666 Checkin Success Packet (bleeding-virus.rules)
 2006414 - BLEEDING-EDGE TROJAN Possible Warezov/Stration Data Post to Controller (pr2.cgi) (bleeding-virus.rules)
 2007588 - BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Initial Infection Checkin (bleeding-virus.rules)
 2007589 - BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin packet 1 (bleeding-virus.rules)
 2007590 - BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin packet 2 (bleeding-virus.rules)
 2007591 - BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress (bleeding-virus.rules)
 2007669 - BLEEDING-EDGE TROJAN Nulprot Checkin Response (bleeding-virus.rules)
 2007673 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (1) (bleeding.rules)
 2007674 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (2) (bleeding.rules)
 2007675 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (3) (bleeding.rules)
 2007676 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (4) (bleeding.rules)
 2007677 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (5) (bleeding.rules)
 2007678 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (1) (bleeding.rules)
 2007679 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (2) (bleeding.rules)
 2007680 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (3) (bleeding.rules)
 2007681 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (4) (bleeding.rules)
 2007682 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (5) (bleeding.rules)
 2007683 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 1 (bleeding.rules)
 2007684 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 2 (bleeding.rules)
 2007685 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 3 (bleeding.rules)
 2007686 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity OUTBOUND (bleeding.rules)
 2007687 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity INBOUND (bleeding.rules)
 2007695 - BLEEDING-EDGE POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (bleeding-policy.rules)


[///]    Modified inactive rules:    [///]

 2003584 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) (bleeding-malware.rules)
 2007640 - BLEEDING-EDGE TROJAN Storm Making initial outbound connection (bleeding-virus.rules)
 2007641 - BLEEDING-EDGE TROJAN Storm Controller Response to Drone via tcp (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (70):
        2002082 || BLEEDING-EDGE POLICY Unusual User Agent (Client) || url,doc.emergingthreats.net/2002082
        2003484 || BLEEDING-EDGE WORM Allaple Unique HTTP Request - Possibly part of DDOS || url,isc.sans.org/diary.html?storyid=2451 || url,doc.emergingthreats.net/2003483
        2003491 || BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla User-Agent (Mozila/4.0...) || url,doc.emergingthreats.net/2003491
        2003492 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) || url,doc.emergingthreats.net/2003492
        2003513 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0) || url,doc.emergingthreats.net/2003513
        2003530 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) || url,doc.emergingthreats.net/2003530
        2003549 || BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003550 || BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003551 || BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003552 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003553 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003554 || BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003555 || BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003556 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003557 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003558 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003559 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003560 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003561 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003562 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003563 || BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003564 || BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003565 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003566 || BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) || url,doc.emergingthreats.net/2003566
        2003567 || BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) || url,doc.emergingthreats.net/2003567
        2003569 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) || url,doc.emergingthreats.net/2003567
        2003583 || BLEEDING-EDGE MALWARE Suspicious User-Agent (update) || url,doc.emergingthreats.net/2003583
        2003584 || BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) || url,doc.emergingthreats.net/2003584
        2003585 || BLEEDING-EDGE MALWARE Suspicious User-Agent (Windows Updates Manager) || url,doc.emergingthreats.net/2003585
        2003586 || BLEEDING-EDGE MALWARE Suspicious User-Agent (WinXP Pro Service Pack 2) || url,doc.emergingthreats.net/2003586
        2003588 || BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Traffic (User-Agent skw00001) || url,doc.emergingthreats.net/2003588
        2003589 || BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Post Traffic (User-Agent h9tslbw0) || url,doc.emergingthreats.net/2003589
        2003590 || BLEEDING-EDGE TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID [...) || url,doc.emergingthreats.net/2003590
        2003599 || BLEEDING-EDGE POLICY Groove.net Virtual Office Suite Install/Startup Report || url,doc.emergingthreats.net/bin/view/Main/GrooveNet || url,www.groove.net
        2003600 || BLEEDING-EDGE POLICY Groove.net Virtual Office Suite Install Report || url,doc.emergingthreats.net/bin/view/Main/GrooveNet || url,www.groove.net
        2003601 || BLEEDING-EDGE POLICY Groove.net Virtual Office In Use || url,doc.emergingthreats.net/bin/view/Main/GrooveNet || url,www.groove.net
        2003602 || BLEEDING-EDGE POLICY Groove.net Virtual Office Local Service Discovery Broadcast || url,doc.emergingthreats.net/bin/view/Main/GrooveNet || url,www.groove.net
        2003614 || BLEEDING-EDGE VIRUS WinUpack Modified PE Header Inbound || url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders
        2003615 || BLEEDING-EDGE VIRUS WinUpack Modified PE Header Outbound || url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders
        2006382 || BLEEDING-EDGE TROJAN Matcash or related downloader User-Agent Detected || url,doc.emergingthreats.net/2006382
        2006395 || BLEEDING-EDGE TROJAN Socks666 Connection Initial Packet || url,doc.emergingthreats.net/2006396
        2006396 || BLEEDING-EDGE TROJAN Socks666 Connect Command Packet || url,doc.emergingthreats.net/2006396
        2006397 || BLEEDING-EDGE TROJAN Socks666 Successful Connect Packet Packet || url,doc.emergingthreats.net/2006396
        2006398 || BLEEDING-EDGE TROJAN Socks666 Checkin Packet || url,doc.emergingthreats.net/2006396
        2006399 || BLEEDING-EDGE TROJAN Socks666 Checkin Success Packet || url,doc.emergingthreats.net/2006396
        2006414 || BLEEDING-EDGE TROJAN Possible Warezov/Stration Data Post to Controller (pr2.cgi) || url,doc.emergingthreats.net/2006414
        2007588 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Initial Infection Checkin || url,doc.emergingthreats.net/bin/view/Main/Win32AgentALT
        2007589 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin packet 1 || url,doc.emergingthreats.net/bin/view/Main/Win32AgentALT
        2007590 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin packet 2 || url,doc.emergingthreats.net/bin/view/Main/Win32AgentALT
        2007591 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress || url,doc.emergingthreats.net/bin/view/Main/Win32AgentALT
        2007640 || BLEEDING-EDGE TROJAN Storm Making initial outbound connection || url,doc.emergingthreats.net/bin/view/Main/StormWorm
        2007641 || BLEEDING-EDGE TROJAN Storm Controller Response to Drone via tcp || url,doc.emergingthreats.net/bin/view/Main/StormWorm
        2007669 || BLEEDING-EDGE TROJAN Nulprot Checkin Response || url,doc.emergingthreats.net/2007669
        2007673 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (1) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007674 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (2) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007675 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (3) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007676 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (4) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007677 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (5) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007678 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (1) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007679 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (2) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007680 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (3) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007681 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (4) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007682 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (5) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007683 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 1 || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007684 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 2 || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007685 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 3 || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007686 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity OUTBOUND || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007687 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity INBOUND || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007695 || BLEEDING-EDGE POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System || url,doc.emergingthreats.net/bin/view/Main/Windows98UA
        2007745 || BLEEDING-EDGE TROJAN Parite.B HTTP Download Detected

     -> Added to bleeding-virus.rules (1):
        #based on clamav info, by matt Jonkman

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-malware.rules (4):
        # These are user agent string from the user agents project:
        # http://www.bleedingsnort.com/article.php?story=20050303190103553
        # These will hit on traffic generated by spyware agents and installers
        # The user agent sigs from all types of spyware are consolidated here

     -> Removed from bleeding-sid-msg.map (69):
        2002082 || BLEEDING-EDGE POLICY Unusual User Agent (Client) || url,doc.bleedingthreats.net/2002082
        2003484 || BLEEDING-EDGE WORM Allaple Unique HTTP Request - Possibly part of DDOS || url,isc.sans.org/diary.html?storyid=2451 || url,doc.bleedingthreats.net/2003483
        2003491 || BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla User-Agent (Mozila/4.0...) || url,doc.bleedingthreats.net/2003491
        2003492 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) || url,doc.bleedingthreats.net/2003492
        2003513 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0) || url,doc.bleedingthreats.net/2003513
        2003530 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) || url,doc.bleedingthreats.net/2003530
        2003549 || BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003550 || BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003551 || BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003552 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003553 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003554 || BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003555 || BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003556 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003557 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003558 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003559 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003560 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003561 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003562 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003563 || BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003564 || BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003565 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003566 || BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) || url,doc.bleedingthreats.net/2003566
        2003567 || BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) || url,doc.bleedingthreats.net/2003567
        2003569 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) || url,doc.bleedingthreats.net/2003567
        2003583 || BLEEDING-EDGE MALWARE Suspicious User-Agent (update) || url,doc.bleedingthreats.net/2003583
        2003584 || BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) || url,doc.bleedingthreats.net/2003584
        2003585 || BLEEDING-EDGE MALWARE Suspicious User-Agent (Windows Updates Manager) || url,doc.bleedingthreats.net/2003585
        2003586 || BLEEDING-EDGE MALWARE Suspicious User-Agent (WinXP Pro Service Pack 2) || url,doc.bleedingthreats.net/2003586
        2003588 || BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Traffic (User-Agent skw00001) || url,doc.bleedingthreats.net/2003588
        2003589 || BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Post Traffic (User-Agent h9tslbw0) || url,doc.bleedingthreats.net/2003589
        2003590 || BLEEDING-EDGE TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID [...) || url,doc.bleedingthreats.net/2003590
        2003599 || BLEEDING-EDGE POLICY Groove.net Virtual Office Suite Install/Startup Report || url,doc.bleedingthreats.net/bin/view/Main/GrooveNet || url,www.groove.net
        2003600 || BLEEDING-EDGE POLICY Groove.net Virtual Office Suite Install Report || url,doc.bleedingthreats.net/bin/view/Main/GrooveNet || url,www.groove.net
        2003601 || BLEEDING-EDGE POLICY Groove.net Virtual Office In Use || url,doc.bleedingthreats.net/bin/view/Main/GrooveNet || url,www.groove.net
        2003602 || BLEEDING-EDGE POLICY Groove.net Virtual Office Local Service Discovery Broadcast || url,doc.bleedingthreats.net/bin/view/Main/GrooveNet || url,www.groove.net
        2003614 || BLEEDING-EDGE VIRUS WinUpack Modified PE Header Inbound || url,doc.bleedingthreats.net/bin/view/Main/WinPEHeaders
        2003615 || BLEEDING-EDGE VIRUS WinUpack Modified PE Header Outbound || url,doc.bleedingthreats.net/bin/view/Main/WinPEHeaders
        2006382 || BLEEDING-EDGE TROJAN Matcash or related downloader User-Agent Detected || url,doc.bleedingthreats.net/2006382
        2006395 || BLEEDING-EDGE TROJAN Socks666 Connection Initial Packet || url,doc.bleedingthreats.net/2006396
        2006396 || BLEEDING-EDGE TROJAN Socks666 Connect Command Packet || url,doc.bleedingthreats.net/2006396
        2006397 || BLEEDING-EDGE TROJAN Socks666 Successful Connect Packet Packet || url,doc.bleedingthreats.net/2006396
        2006398 || BLEEDING-EDGE TROJAN Socks666 Checkin Packet || url,doc.bleedingthreats.net/2006396
        2006399 || BLEEDING-EDGE TROJAN Socks666 Checkin Success Packet || url,doc.bleedingthreats.net/2006396
        2006414 || BLEEDING-EDGE TROJAN Possible Warezov/Stration Data Post to Controller (pr2.cgi) || url,doc.bleedingthreats.net/2006414
        2007588 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Initial Infection Checkin || url,doc.bleedingthreats.net/bin/view/Main/Win32AgentALT
        2007589 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin packet 1 || url,doc.bleedingthreats.net/bin/view/Main/Win32AgentALT
        2007590 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin packet 2 || url,doc.bleedingthreats.net/bin/view/Main/Win32AgentALT
        2007591 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress || url,doc.bleedingthreats.net/bin/view/Main/Win32AgentALT
        2007640 || BLEEDING-EDGE TROJAN Storm Making initial outbound connection || url,doc.bleedingthreats.net/bin/view/Main/StormWorm
        2007641 || BLEEDING-EDGE TROJAN Storm Controller Response to Drone via tcp || url,doc.bleedingthreats.net/bin/view/Main/StormWorm
        2007669 || BLEEDING-EDGE TROJAN Nulprot Checkin Response || url,doc.bleedingthreats.net/2007669
        2007673 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (1) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007674 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (2) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007675 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (3) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007676 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (4) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007677 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (5) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007678 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (1) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007679 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (2) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007680 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (3) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007681 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (4) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007682 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (5) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007683 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 1 || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007684 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 2 || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007685 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 3 || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007686 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity OUTBOUND || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007687 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity INBOUND || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007695 || BLEEDING-EDGE POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System || url,doc.bleedingthreats.net/bin/view/Main/Windows98UA