[Snort-sigs] Emerging Threats Daily Signature Changes

emerging at ...3335...
Sun Mar 9 17:00:07 EDT 2008


[***] Results from Oinkmaster started Sun Mar  9 17:00:07 2008 [***]

[+++]          Added rules:          [+++]

 2007611 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 (bleeding-virus.rules)
 2007612 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 (bleeding-virus.rules)
 2007613 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 (bleeding-virus.rules)
 2007614 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 (bleeding-virus.rules)
 2007949 - ET TROJAN Medbod UDP Phone Home Packet - Please report hits to emerging at ...3335... for analysis (bleeding-virus.rules)
 2007950 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body (bleeding-virus.rules)
 2007951 - ET MALWARE Hex Encoded IP HTTP Request - Likely Malware (bleeding-malware.rules)
 2007952 - ET TROJAN Downloader.49651 Checkin (bleeding-virus.rules)
 2007953 - ET TROJAN Downloader.49651 Install Report (bleeding-virus.rules)
 2007954 - ET TROJAN Downloader.49651 Online Report (bleeding-virus.rules)
 2007955 - ET TROJAN Cygo Checkin (bleeding-virus.rules)
 2007956 - ET MALWARE Snoopstick.net Related Spyware User-Agent (SnoopStick Updater) (bleeding-malware.rules)
 2007957 - ET TROJAN Banker.ike UDP C&C (bleeding-virus.rules)
 2007958 - ET MALWARE Msconfig.co.kr Related User Agent (BACKMAN) (bleeding-malware.rules)
 2007959 - ET MALWARE Msconfig.co.kr Related User Agent (GLOBALx) (bleeding-malware.rules)


[///]     Modified active rules:     [///]

 2000035 - ET POLICY Hotmail Inbox Access (bleeding-policy.rules)
 2000036 - ET POLICY Hotmail Message Access (bleeding-policy.rules)
 2000037 - ET POLICY Hotmail Compose Message Access (bleeding-policy.rules)
 2000038 - ET POLICY Hotmail Compose Message Submit (bleeding-policy.rules)
 2000039 - ET POLICY Hotmail Compose Message Submit Data (bleeding-policy.rules)
 2001197 - ET WEB_SPECIFIC PHPNuke SQL injection attempt (bleeding-web_sql_injection.rules)
 2001202 - ET WEB_SPECIFIC PHPNuke general SQL injection attempt (bleeding-web_sql_injection.rules)
 2001218 - ET WEB_SPECIFIC PHPNuke general XSS attempt (bleeding-web_sql_injection.rules)
 2001342 - ET WEB IIS ASP.net Auth Bypass / Canonicalization (bleeding-web.rules)
 2001343 - ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C (bleeding-web.rules)
 2001344 - ET WEB PHP EasyDynamicPages exploit (bleeding-web.rules)
 2002160 - ET MALWARE CoolWebSearch Spyware (Feat) (bleeding-malware.rules)
 2002164 - ET MALWARE Hotbar Spyware User-Agent (bleeding-malware.rules)
 2002166 - ET MALWARE Alexa Search Toolbar User-Agent (Alexa Toolbar) (bleeding-malware.rules)
 2002167 - ET MALWARE Possible Malware - Wise User Agent (Wise) (bleeding-malware.rules)
 2002169 - ET MALWARE iWon Spyware (iWonSearchAssistant) (bleeding-malware.rules)
 2002394 - ET MALWARE Adwave/MarketScore User Agent (WTA) (bleeding-malware.rules)
 2002395 - ET MALWARE Miva User Agent (TPSystem) (bleeding-malware.rules)
 2002396 - ET MALWARE Miva Spyware User Agent (Travel Update) (bleeding-malware.rules)
 2002397 - ET MALWARE Precision Targeting User Agent (XC) (bleeding-malware.rules)
 2002398 - ET MALWARE DelFin Project User Agent (Dpi) (bleeding-malware.rules)
 2002399 - ET MALWARE DelFin Project User Agent (PromulGate) (bleeding-malware.rules)
 2002401 - ET MALWARE Web Search User Agent (ST3PS) (bleeding-malware.rules)
 2002402 - ET MALWARE Suspicious Spyware Related User Agent (UtilMind HTTPGet) (bleeding-malware.rules)
 2002403 - ET MALWARE Context Plus User Agent (PTS) (bleeding-malware.rules)
 2002404 - ET MALWARE Movies etc User Agent (IOInstall) (bleeding-malware.rules)
 2002405 - ET MALWARE Internet Optimizer User Agent (ROGUE) (bleeding-malware.rules)
 2002731 - ET WEB PHP Generic phpbb arbitrary command attempt (bleeding-web_sql_injection.rules)
 2002996 - ET WEB PHP GeekLog Remote File Include Vulnerability (bleeding-web_sql_injection.rules)
 2003474 - ET VOIP Asterisk Register with no URI or Version DOS Attempt (bleeding-voip.rules)
 2007712 - ET TROJAN Srizbi requesting template (bleeding-virus.rules)
 2007729 - ET CURRENT EVENTS Likely Zlob Binary Requested (VideoAccessCodecInstall.exe) (bleeding.rules)
 2007742 - ET TROJAN Storm C&C with typo'd User-Agent (Windoss) (bleeding-virus.rules)
 2007781 - ET TROJAN Zapchast Bot User-Agent (bleeding-virus.rules)
 2007906 - ET GAMES Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF (bleeding-game.rules)
 2007924 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (downloaded) (bleeding-virus.rules)
 2007925 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (wnames) (bleeding-virus.rules)
 2007926 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0) (bleeding-virus.rules)


[///]    Modified inactive rules:    [///]

 2001328 - ET POLICY SSN Detected in Clear Text (bleeding-policy.rules)
 2001375 - ET POLICY Credit Card Number Detected in Clear (16 digit spaced) (bleeding-policy.rules)
 2001376 - ET POLICY Credit Card Number Detected in Clear (16 digit dashed) (bleeding-policy.rules)
 2001377 - ET POLICY Credit Card Number Detected in Clear (16 digit) (bleeding-policy.rules)
 2001378 - ET POLICY Credit Card Number Detected in Clear (15 digit) (bleeding-policy.rules)
 2001379 - ET POLICY Credit Card Number Detected in Clear (15 digit spaced) (bleeding-policy.rules)
 2001380 - ET POLICY Credit Card Number Detected in Clear (15 digit dashed) (bleeding-policy.rules)
 2001381 - ET POLICY Credit Card Number Detected in Clear (14 digit) (bleeding-policy.rules)
 2001382 - ET POLICY Credit Card Number Detected in Clear (14 digit spaced) (bleeding-policy.rules)
 2001383 - ET POLICY Credit Card Number Detected in Clear (14 digit dashed) (bleeding-policy.rules)
 2001384 - ET POLICY SSN Detected in Clear Text (bleeding-policy.rules)


[---]         Removed rules:         [---]

 2002161 - ET MALWARE CoolWebSearch Spyware (feat2) (bleeding-malware.rules)
 2002163 - ET MALWARE Ezula Update Engine (bleeding-malware.rules)
 2002165 - ET MALWARE IESearch Spyware (bleeding-malware.rules)
 2002168 - ET MALWARE Svcmm Parasite (bleeding-malware.rules)
 2007611 - ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 (bleeding-policy.rules)
 2007612 - ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 (bleeding-policy.rules)
 2007613 - ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 (bleeding-policy.rules)
 2007614 - ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 (bleeding-policy.rules)
 2007941 - ET MALWARE Invalid HTTP GET Request - Often Malware Related (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (1):
        #many malware packages use hex to obscure an IP

     -> Added to bleeding-sid-msg.map (53):
        2000035 || ET POLICY Hotmail Inbox Access
        2000036 || ET POLICY Hotmail Message Access
        2000037 || ET POLICY Hotmail Compose Message Access
        2000038 || ET POLICY Hotmail Compose Message Submit
        2000039 || ET POLICY Hotmail Compose Message Submit Data
        2001197 || ET WEB_SPECIFIC PHPNuke SQL injection attempt || url,www.waraxe.us/index.php?modname=sa&id=35
        2001202 || ET WEB_SPECIFIC PHPNuke general SQL injection attempt || url,www.waraxe.us/?modname=sa&id=036 || url,www.waraxe.us/?modname=sa&id=030
        2001218 || ET WEB_SPECIFIC PHPNuke general XSS attempt || url,www.waraxe.us/?modname=sa&id=030
        2001342 || ET WEB IIS ASP.net Auth Bypass / Canonicalization
        2001343 || ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C
        2001344 || ET WEB PHP EasyDynamicPages exploit || cve,CAN-2004-0073 || url,www.securitytracker.com/alerts/2004/Jan/1008584.html
        2001375 || ET POLICY Credit Card Number Detected in Clear (16 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
        2001376 || ET POLICY Credit Card Number Detected in Clear (16 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
        2001377 || ET POLICY Credit Card Number Detected in Clear (16 digit) || url,www.beachnet.com/~hstiles/cardtype.html
        2001378 || ET POLICY Credit Card Number Detected in Clear (15 digit) || url,www.beachnet.com/~hstiles/cardtype.html
        2001379 || ET POLICY Credit Card Number Detected in Clear (15 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
        2001380 || ET POLICY Credit Card Number Detected in Clear (15 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
        2001381 || ET POLICY Credit Card Number Detected in Clear (14 digit) || url,www.beachnet.com/~hstiles/cardtype.html
        2001382 || ET POLICY Credit Card Number Detected in Clear (14 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
        2001383 || ET POLICY Credit Card Number Detected in Clear (14 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
        2002164 || ET MALWARE Hotbar Spyware User-Agent || url,www.pchell.com/support/hotbar.shtml || url,www.doxdesk.com/parasite/Hotbar.html
        2002166 || ET MALWARE Alexa Search Toolbar User-Agent (Alexa Toolbar) || url,www.spywareguide.com/product_show.php?id=418
        2002167 || ET MALWARE Possible Malware - Wise User Agent (Wise) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771
        2002169 || ET MALWARE iWon Spyware (iWonSearchAssistant) || url,www.spywareguide.com/product_show.php?id=461
        2002394 || ET MALWARE Adwave/MarketScore User Agent (WTA) || url,www.marketscore.com || url,www.adwave.com/our_mission.aspx
        2002395 || ET MALWARE Miva User Agent (TPSystem) || url,www.findwhat.com || url,www.miva.com
        2002396 || ET MALWARE Miva Spyware User Agent (Travel Update) || url,www.miva.com
        2002397 || ET MALWARE Precision Targeting User Agent (XC) || url,www.precisiontargeting.com
        2002398 || ET MALWARE DelFin Project User Agent (Dpi) || url,www.delfinproject.com
        2002399 || ET MALWARE DelFin Project User Agent (PromulGate) || url,www.delfinproject.com
        2002401 || ET MALWARE Web Search User Agent (ST3PS) || url,www.websearch.com
        2002402 || ET MALWARE Suspicious Spyware Related User Agent (UtilMind HTTPGet) || url,www.websearch.com
        2002403 || ET MALWARE Context Plus User Agent (PTS) || url,www.contextplus.net
        2002404 || ET MALWARE Movies etc User Agent (IOInstall) || url,www.movies-etc.com
        2002405 || ET MALWARE Internet Optimizer User Agent (ROGUE) || url,www.internet-optimizer.com
        2002731 || ET WEB PHP Generic phpbb arbitrary command attempt || url,cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb_root_path
        2002996 || ET WEB PHP GeekLog Remote File Include Vulnerability || url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html
        2007611 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1
        2007612 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3
        2007613 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1
        2007614 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3
        2007906 || ET GAMES Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153
        2007949 || ET TROJAN Medbod UDP Phone Home Packet - Please report hits to emerging at ...3335... for analysis
        2007950 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body
        2007951 || ET MALWARE Hex Encoded IP HTTP Request - Likely Malware
        2007952 || ET TROJAN Downloader.49651 Checkin
        2007953 || ET TROJAN Downloader.49651 Install Report
        2007954 || ET TROJAN Downloader.49651 Online Report
        2007955 || ET TROJAN Cygo Checkin
        2007956 || ET MALWARE Snoopstick.net Related Spyware User-Agent (SnoopStick Updater)
        2007957 || ET TROJAN Banker.ike UDP C&C
        2007958 || ET MALWARE Msconfig.co.kr Related User Agent (BACKMAN)
        2007959 || ET MALWARE Msconfig.co.kr Related User Agent (GLOBALx)

     -> Added to bleeding-sid-msg.map.txt (53):
        2000035 || ET POLICY Hotmail Inbox Access
        2000036 || ET POLICY Hotmail Message Access
        2000037 || ET POLICY Hotmail Compose Message Access
        2000038 || ET POLICY Hotmail Compose Message Submit
        2000039 || ET POLICY Hotmail Compose Message Submit Data
        2001197 || ET WEB_SPECIFIC PHPNuke SQL injection attempt || url,www.waraxe.us/index.php?modname=sa&id=35
        2001202 || ET WEB_SPECIFIC PHPNuke general SQL injection attempt || url,www.waraxe.us/?modname=sa&id=036 || url,www.waraxe.us/?modname=sa&id=030
        2001218 || ET WEB_SPECIFIC PHPNuke general XSS attempt || url,www.waraxe.us/?modname=sa&id=030
        2001342 || ET WEB IIS ASP.net Auth Bypass / Canonicalization
        2001343 || ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C
        2001344 || ET WEB PHP EasyDynamicPages exploit || cve,CAN-2004-0073 || url,www.securitytracker.com/alerts/2004/Jan/1008584.html
        2001375 || ET POLICY Credit Card Number Detected in Clear (16 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
        2001376 || ET POLICY Credit Card Number Detected in Clear (16 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
        2001377 || ET POLICY Credit Card Number Detected in Clear (16 digit) || url,www.beachnet.com/~hstiles/cardtype.html
        2001378 || ET POLICY Credit Card Number Detected in Clear (15 digit) || url,www.beachnet.com/~hstiles/cardtype.html
        2001379 || ET POLICY Credit Card Number Detected in Clear (15 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
        2001380 || ET POLICY Credit Card Number Detected in Clear (15 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
        2001381 || ET POLICY Credit Card Number Detected in Clear (14 digit) || url,www.beachnet.com/~hstiles/cardtype.html
        2001382 || ET POLICY Credit Card Number Detected in Clear (14 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
        2001383 || ET POLICY Credit Card Number Detected in Clear (14 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
        2002164 || ET MALWARE Hotbar Spyware User-Agent || url,www.pchell.com/support/hotbar.shtml || url,www.doxdesk.com/parasite/Hotbar.html
        2002166 || ET MALWARE Alexa Search Toolbar User-Agent (Alexa Toolbar) || url,www.spywareguide.com/product_show.php?id=418
        2002167 || ET MALWARE Possible Malware - Wise User Agent (Wise) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771
        2002169 || ET MALWARE iWon Spyware (iWonSearchAssistant) || url,www.spywareguide.com/product_show.php?id=461
        2002394 || ET MALWARE Adwave/MarketScore User Agent (WTA) || url,www.marketscore.com || url,www.adwave.com/our_mission.aspx
        2002395 || ET MALWARE Miva User Agent (TPSystem) || url,www.findwhat.com || url,www.miva.com
        2002396 || ET MALWARE Miva Spyware User Agent (Travel Update) || url,www.miva.com
        2002397 || ET MALWARE Precision Targeting User Agent (XC) || url,www.precisiontargeting.com
        2002398 || ET MALWARE DelFin Project User Agent (Dpi) || url,www.delfinproject.com
        2002399 || ET MALWARE DelFin Project User Agent (PromulGate) || url,www.delfinproject.com
        2002401 || ET MALWARE Web Search User Agent (ST3PS) || url,www.websearch.com
        2002402 || ET MALWARE Suspicious Spyware Related User Agent (UtilMind HTTPGet) || url,www.websearch.com
        2002403 || ET MALWARE Context Plus User Agent (PTS) || url,www.contextplus.net
        2002404 || ET MALWARE Movies etc User Agent (IOInstall) || url,www.movies-etc.com
        2002405 || ET MALWARE Internet Optimizer User Agent (ROGUE) || url,www.internet-optimizer.com
        2002731 || ET WEB PHP Generic phpbb arbitrary command attempt || url,cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb_root_path
        2002996 || ET WEB PHP GeekLog Remote File Include Vulnerability || url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html
        2007611 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1
        2007612 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3
        2007613 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1
        2007614 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3
        2007906 || ET GAMES Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153
        2007949 || ET TROJAN Medbod UDP Phone Home Packet - Please report hits to emerging at ...3335... for analysis
        2007950 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body
        2007951 || ET MALWARE Hex Encoded IP HTTP Request - Likely Malware
        2007952 || ET TROJAN Downloader.49651 Checkin
        2007953 || ET TROJAN Downloader.49651 Install Report
        2007954 || ET TROJAN Downloader.49651 Online Report
        2007955 || ET TROJAN Cygo Checkin
        2007956 || ET MALWARE Snoopstick.net Related Spyware User-Agent (SnoopStick Updater)
        2007957 || ET TROJAN Banker.ike UDP C&C
        2007958 || ET MALWARE Msconfig.co.kr Related User Agent (BACKMAN)
        2007959 || ET MALWARE Msconfig.co.kr Related User Agent (GLOBALx)

     -> Added to bleeding-virus.rules (3):
        # A large number of trojans report an infection by sending a blank email to a gmail or other free provider
        # They're pretty bland, other than they almost always use the Indy Mail lib. So the mail is slightly unique
        # This sig should catch them outbound

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-malware.rules (4):
        # Seeing several bits of malware that are creating their http get's
        #  incorrectly. They're adding an http://domain.com/url to the GET string,
        #  which should be just the uri. This will catch those
        #Extra content check for snort <2.4.3 doesn't support pure not rules

     -> Removed from bleeding-policy.rules (3):
        # A large number of trojans report an infection by sending a blank email to a gmail or other free provider
        # They're pretty bland, other than they almost always use the Indy Mail lib. So the mail is slightly unique
        # This sig should catch them outbound

     -> Removed from bleeding-sid-msg.map (47):
        2000035 || ET Hotmail Inbox Access
        2000036 || ET Hotmail Message Access
        2000037 || ET Hotmail Compose Message Access
        2000038 || ET Hotmail Compose Message Submit
        2000039 || ET Hotmail Compose Message Submit Data
        2001197 || ET PHPNuke SQL injection attempt || url,www.waraxe.us/index.php?modname=sa&id=35
        2001202 || ET PHPNuke general SQL injection attempt || url,www.waraxe.us/?modname=sa&id=036 || url,www.waraxe.us/?modname=sa&id=030
        2001218 || ET PHPNuke general XSS attempt || url,www.waraxe.us/?modname=sa&id=030
        2001342 || ET WEB-IIS ASP.net Auth Bypass / Canonicalization
        2001343 || ET WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C
        2001344 || ET WEB-PHP EasyDynamicPages exploit || cve,CAN-2004-0073 || url,www.securitytracker.com/alerts/2004/Jan/1008584.html
        2001375 || ET Credit Card Number Detected in Clear (16 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
        2001376 || ET Credit Card Number Detected in Clear (16 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
        2001377 || ET Credit Card Number Detected in Clear (16 digit) || url,www.beachnet.com/~hstiles/cardtype.html
        2001378 || ET Credit Card Number Detected in Clear (15 digit) || url,www.beachnet.com/~hstiles/cardtype.html
        2001379 || ET Credit Card Number Detected in Clear (15 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
        2001380 || ET Credit Card Number Detected in Clear (15 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
        2001381 || ET Credit Card Number Detected in Clear (14 digit) || url,www.beachnet.com/~hstiles/cardtype.html
        2001382 || ET Credit Card Number Detected in Clear (14 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
        2001383 || ET Credit Card Number Detected in Clear (14 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
        2002161 || ET MALWARE CoolWebSearch Spyware (feat2) || url,www.doxdesk.com/parasite/CoolWebSearch.html || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759 || url,www.spywareguide.com/product_show.php?id=599
        2002163 || ET MALWARE Ezula Update Engine || url,www.spywareguide.com/product_show.php?id=9
        2002164 || ET MALWARE Hotbar Spyware || url,www.pchell.com/support/hotbar.shtml || url,www.doxdesk.com/parasite/Hotbar.html
        2002165 || ET MALWARE IESearch Spyware || url,www.spywareguide.com/product_show.php?id=982
        2002166 || ET MALWARE Alexa Search Toolbar || url,www.spywareguide.com/product_show.php?id=418
        2002167 || ET MALWARE Possible Spyware - Wise User Agent || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771
        2002168 || ET MALWARE Svcmm Parasite || url,doxdesk.com/parasite/SvcMM.html || url,castlecops.com/startuplist-5862.html
        2002169 || ET MALWARE iWon Spyware || url,www.spywareguide.com/product_show.php?id=461
        2002394 || ET MALWARE Adwave/MarketScore User Agent || url,www.marketscore.com || url,www.adwave.com/our_mission.aspx
        2002395 || ET MALWARE Miva User Agent || url,www.findwhat.com || url,www.miva.com
        2002396 || ET MALWARE Miva User Agent 2 || url,www.miva.com
        2002397 || ET MALWARE Precision Targeting User Agent || url,www.precisiontargeting.com
        2002398 || ET MALWARE DelFin Project User Agent || url,www.delfinproject.com
        2002399 || ET MALWARE DelFin Project User Agent 2 || url,www.delfinproject.com
        2002401 || ET MALWARE Web Search User Agent 2 || url,www.websearch.com
        2002402 || ET MALWARE Web Search User Agent 3 || url,www.websearch.com
        2002403 || ET MALWARE Context Plus User Agent 2 || url,www.contextplus.net
        2002404 || ET MALWARE Movies etc User Agent || url,www.movies-etc.com
        2002405 || ET MALWARE Internet Optimizer User Agent 2 || url,www.internet-optimizer.com
        2002731 || ET WEB-PHP Generic phpbb arbitrary command attempt || url,cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb_root_path
        2002996 || ET WEB-PHP GeekLog Remote File Include Vulnerability || url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html
        2007611 || ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1
        2007612 || ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3
        2007613 || ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1
        2007614 || ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3
        2007906 || ET GAME Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153
        2007941 || ET MALWARE Invalid HTTP GET Request - Often Malware Related || url,doc.emergingthreats.net/2007941

     -> Removed from bleeding-sid-msg.map.txt (47):
        2000035 || ET Hotmail Inbox Access
        2000036 || ET Hotmail Message Access
        2000037 || ET Hotmail Compose Message Access
        2000038 || ET Hotmail Compose Message Submit
        2000039 || ET Hotmail Compose Message Submit Data
        2001197 || ET PHPNuke SQL injection attempt || url,www.waraxe.us/index.php?modname=sa&id=35
        2001202 || ET PHPNuke general SQL injection attempt || url,www.waraxe.us/?modname=sa&id=036 || url,www.waraxe.us/?modname=sa&id=030
        2001218 || ET PHPNuke general XSS attempt || url,www.waraxe.us/?modname=sa&id=030
        2001342 || ET WEB-IIS ASP.net Auth Bypass / Canonicalization
        2001343 || ET WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C
        2001344 || ET WEB-PHP EasyDynamicPages exploit || cve,CAN-2004-0073 || url,www.securitytracker.com/alerts/2004/Jan/1008584.html
        2001375 || ET Credit Card Number Detected in Clear (16 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
        2001376 || ET Credit Card Number Detected in Clear (16 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
        2001377 || ET Credit Card Number Detected in Clear (16 digit) || url,www.beachnet.com/~hstiles/cardtype.html
        2001378 || ET Credit Card Number Detected in Clear (15 digit) || url,www.beachnet.com/~hstiles/cardtype.html
        2001379 || ET Credit Card Number Detected in Clear (15 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
        2001380 || ET Credit Card Number Detected in Clear (15 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
        2001381 || ET Credit Card Number Detected in Clear (14 digit) || url,www.beachnet.com/~hstiles/cardtype.html
        2001382 || ET Credit Card Number Detected in Clear (14 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
        2001383 || ET Credit Card Number Detected in Clear (14 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
        2002161 || ET MALWARE CoolWebSearch Spyware (feat2) || url,www.doxdesk.com/parasite/CoolWebSearch.html || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759 || url,www.spywareguide.com/product_show.php?id=599
        2002163 || ET MALWARE Ezula Update Engine || url,www.spywareguide.com/product_show.php?id=9
        2002164 || ET MALWARE Hotbar Spyware || url,www.pchell.com/support/hotbar.shtml || url,www.doxdesk.com/parasite/Hotbar.html
        2002165 || ET MALWARE IESearch Spyware || url,www.spywareguide.com/product_show.php?id=982
        2002166 || ET MALWARE Alexa Search Toolbar || url,www.spywareguide.com/product_show.php?id=418
        2002167 || ET MALWARE Possible Spyware - Wise User Agent || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771
        2002168 || ET MALWARE Svcmm Parasite || url,doxdesk.com/parasite/SvcMM.html || url,castlecops.com/startuplist-5862.html
        2002169 || ET MALWARE iWon Spyware || url,www.spywareguide.com/product_show.php?id=461
        2002394 || ET MALWARE Adwave/MarketScore User Agent || url,www.marketscore.com || url,www.adwave.com/our_mission.aspx
        2002395 || ET MALWARE Miva User Agent || url,www.findwhat.com || url,www.miva.com
        2002396 || ET MALWARE Miva User Agent 2 || url,www.miva.com
        2002397 || ET MALWARE Precision Targeting User Agent || url,www.precisiontargeting.com
        2002398 || ET MALWARE DelFin Project User Agent || url,www.delfinproject.com
        2002399 || ET MALWARE DelFin Project User Agent 2 || url,www.delfinproject.com
        2002401 || ET MALWARE Web Search User Agent 2 || url,www.websearch.com
        2002402 || ET MALWARE Web Search User Agent 3 || url,www.websearch.com
        2002403 || ET MALWARE Context Plus User Agent 2 || url,www.contextplus.net
        2002404 || ET MALWARE Movies etc User Agent || url,www.movies-etc.com
        2002405 || ET MALWARE Internet Optimizer User Agent 2 || url,www.internet-optimizer.com
        2002731 || ET WEB-PHP Generic phpbb arbitrary command attempt || url,cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb_root_path
        2002996 || ET WEB-PHP GeekLog Remote File Include Vulnerability || url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html
        2007611 || ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1
        2007612 || ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3
        2007613 || ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1
        2007614 || ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3
        2007906 || ET GAME Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153
        2007941 || ET MALWARE Invalid HTTP GET Request - Often Malware Related || url,doc.emergingthreats.net/2007941




