[Snort-sigs] Emerging Threats Weekly Signature Changes

emerging at ...3335... emerging at ...3335...
Sat Mar 29 19:00:11 EDT 2008


[***] Results from Oinkmaster started Sat Mar 29 19:00:11 2008 [***]

[+++]          Added rules:          [+++]

 2008048 - ET MALWARE Suspicious User-Agent (Version 1.23) (bleeding-malware.rules)
 2008049 - ET TROJAN Yahoo550.com Related Downlaoder/Trojan Checkin via HTTP (bleeding-virus.rules)
 2008050 - ET POLICY Likely Google Groups pr0n Access (bleeding-policy.rules)
 2008051 - ET POLICY Dell MyWay Remote control agent (bleeding-policy.rules)
 2008052 - ET MALWARE Suspicious User Agent (Internet Explorer) (bleeding-malware.rules)
 2008053 - ET MALWARE InternetSpeedMonitor Related Spyware User-Agent (parchmnt loader v1.8) (bleeding-malware.rules)
 2008054 - ET POLICY Nginx Server in use - Often Hostile Traffic (bleeding-policy.rules)
 2008055 - ET TROJAN Win32.Inject.ajq Initial Checkin to CnC (bleeding-virus.rules)
 2008056 - ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2 (bleeding-virus.rules)
 2008057 - ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response (bleeding-virus.rules)
 2008058 - ET TROJAN Win32.Inject.ajq Initial Checkin to CnC port 443 (bleeding-virus.rules)
 2008059 - ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2 port 443 (bleeding-virus.rules)
 2008060 - ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response port 443 (bleeding-virus.rules)
 2008061 - ET TROJAN LDPinch Checkin (4) (bleeding-virus.rules)
 2008062 - ET WEB Univeral HTTP File Upload Remote File Deletetion (bleeding-web.rules)
 2008063 - ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit (bleeding-exploit.rules)
 2008064 - ET POLICY Nginx Server with no version string - Often Hostile Traffic (bleeding-policy.rules)
 2008065 - ET POLICY Nginx Server with modified version string - Often Hostile Traffic (bleeding-policy.rules)
 2008066 - ET MALWARE Suspicious Blank User-Agent (descriptor but no string) (bleeding-malware.rules)
 2404020 - ET DROP Known Bot C&C Server Traffic (group 21)  (bleeding-botcc.rules)
 2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[///]     Modified active rules:     [///]

 2001663 - ET MALWARE Malware MyWebSearch Toolbar Traffic (host) (bleeding-malware.rules)
 2002030 - ET TROJAN BOT - potential scan/exploit command (bleeding-virus.rules)
 2006435 - ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool (bleeding-scan.rules)
 2006546 - ET SCAN LibSSH Based Frequent SSH Connections -- Likely BruteForce Attack! (bleeding-scan.rules)
 2007962 - ET TROJAN Vipdataend C&C Traffic - Checkin (bleeding-virus.rules)
 2008041 - ET TROJAN Hupigon CnC init (variant abb) (bleeding-virus.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - ET DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  (bleeding-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  (bleeding-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  (bleeding-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  (bleeding-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  (bleeding-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  (bleeding-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  (bleeding-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  (bleeding-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  (bleeding-botcc.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  (bleeding-botcc.rules)
 2404018 - ET DROP Known Bot C&C Server Traffic (group 19)  (bleeding-botcc.rules)
 2404019 - ET DROP Known Bot C&C Server Traffic (group 20)  (bleeding-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2406005 - ET RBN Known Russian Business Network Monitored Domains (1) (bleeding-rbn.rules)
 2406006 - ET RBN Known Russian Business Network Monitored Domains (2) (bleeding-rbn.rules)
 2406007 - ET RBN Known Russian Business Network Monitored Domains (3) (bleeding-rbn.rules)
 2406008 - ET RBN Known Russian Business Network Monitored Domains (4) (bleeding-rbn.rules)
 2406009 - ET RBN Known Russian Business Network Monitored Domains (5) (bleeding-rbn.rules)
 2406010 - ET RBN Known Russian Business Network Monitored Domains (6) (bleeding-rbn.rules)
 2406011 - ET RBN Known Russian Business Network Monitored Domains (7) (bleeding-rbn.rules)
 2406012 - ET RBN Known Russian Business Network Monitored Domains (8) (bleeding-rbn.rules)
 2406013 - ET RBN Known Russian Business Network Monitored Domains (9) (bleeding-rbn.rules)
 2406014 - ET RBN Known Russian Business Network Monitored Domains (10) (bleeding-rbn.rules)
 2406015 - ET RBN Known Russian Business Network Monitored Domains (11) (bleeding-rbn.rules)
 2406016 - ET RBN Known Russian Business Network Monitored Domains (12) (bleeding-rbn.rules)
 2406017 - ET RBN Known Russian Business Network Monitored Domains (13) (bleeding-rbn.rules)
 2406018 - ET RBN Known Russian Business Network Monitored Domains (14) (bleeding-rbn.rules)
 2406019 - ET RBN Known Russian Business Network Monitored Domains (15) (bleeding-rbn.rules)
 2406020 - ET RBN Known Russian Business Network Monitored Domains (16) (bleeding-rbn.rules)
 2406021 - ET RBN Known Russian Business Network Monitored Domains (17) (bleeding-rbn.rules)
 2406022 - ET RBN Known Russian Business Network Monitored Domains (18) (bleeding-rbn.rules)
 2406023 - ET RBN Known Russian Business Network Monitored Domains (19) (bleeding-rbn.rules)
 2406024 - ET RBN Known Russian Business Network Monitored Domains (20) (bleeding-rbn.rules)
 2406025 - ET RBN Known Russian Business Network Monitored Domains (21) (bleeding-rbn.rules)
 2406026 - ET RBN Known Russian Business Network Monitored Domains (22) (bleeding-rbn.rules)
 2406027 - ET RBN Known Russian Business Network Monitored Domains (23) (bleeding-rbn.rules)
 2406028 - ET RBN Known Russian Business Network Monitored Domains (24) (bleeding-rbn.rules)
 2406029 - ET RBN Known Russian Business Network Monitored Domains (25) (bleeding-rbn.rules)
 2406030 - ET RBN Known Russian Business Network Monitored Domains (26) (bleeding-rbn.rules)
 2406031 - ET RBN Known Russian Business Network Monitored Domains (27) (bleeding-rbn.rules)
 2406032 - ET RBN Known Russian Business Network Monitored Domains (28) (bleeding-rbn.rules)
 2406033 - ET RBN Known Russian Business Network Monitored Domains (29) (bleeding-rbn.rules)
 2406034 - ET RBN Known Russian Business Network Monitored Domains (30) (bleeding-rbn.rules)
 2406035 - ET RBN Known Russian Business Network Monitored Domains (31) (bleeding-rbn.rules)
 2406036 - ET RBN Known Russian Business Network Monitored Domains (32) (bleeding-rbn.rules)
 2406037 - ET RBN Known Russian Business Network Monitored Domains (33) (bleeding-rbn.rules)
 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (bleeding-rbn-BLOCK.rules)
 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (bleeding-rbn-BLOCK.rules)
 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (bleeding-rbn-BLOCK.rules)
 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (bleeding-rbn-BLOCK.rules)
 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (bleeding-rbn-BLOCK.rules)
 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (bleeding-rbn-BLOCK.rules)
 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (bleeding-rbn-BLOCK.rules)
 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (bleeding-rbn-BLOCK.rules)
 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (bleeding-rbn-BLOCK.rules)
 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (bleeding-rbn-BLOCK.rules)
 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (bleeding-rbn-BLOCK.rules)
 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (bleeding-rbn-BLOCK.rules)
 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (bleeding-rbn-BLOCK.rules)
 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (bleeding-rbn-BLOCK.rules)
 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (bleeding-rbn-BLOCK.rules)
 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (bleeding-rbn-BLOCK.rules)
 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (bleeding-rbn-BLOCK.rules)
 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (bleeding-rbn-BLOCK.rules)
 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (bleeding-rbn-BLOCK.rules)
 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (bleeding-rbn-BLOCK.rules)
 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (bleeding-rbn-BLOCK.rules)
 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (bleeding-rbn-BLOCK.rules)
 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (bleeding-rbn-BLOCK.rules)
 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (bleeding-rbn-BLOCK.rules)
 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (bleeding-rbn-BLOCK.rules)
 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (bleeding-rbn-BLOCK.rules)
 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (bleeding-rbn-BLOCK.rules)
 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (bleeding-rbn-BLOCK.rules)
 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (bleeding-rbn-BLOCK.rules)
 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (bleeding-rbn-BLOCK.rules)
 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (bleeding-rbn-BLOCK.rules)
 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (bleeding-rbn-BLOCK.rules)
 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (bleeding-rbn-BLOCK.rules)


[---]         Disabled rules:        [---]

 2008045 - ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible Trojan Report (bleeding.rules)


[---]         Removed rules:         [---]

 2007729 - ET CURRENT EVENTS Likely Zlob Binary Requested (VideoAccessCodecInstall.exe) (bleeding.rules)
 2007760 - ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe) (bleeding.rules)
 2007761 - ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe) (bleeding.rules)
 2007902 - ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe) (bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (2):
        #  VERSION 1101
        #  Generated 2008-03-28 01:03:01 EDT

     -> Added to bleeding-drop.rules (2):
        #  VERSION 1101
        #  Generated 2008-03-28 01:03:01 EDT

     -> Added to bleeding-policy.rules (5):
        #by will metcalf
        #by matt jonkman
        #nginx is an open http server. It's quite good, but seems an extremely high number of it's
        # installs are malicious. Storm, rbn, etc. Use this rule if you are interested
        # disabling by default, falses a lot but may be of interest to some folks

     -> Added to bleeding-rbn-BLOCK.rules (2):
        #  VERSION 40
        #  Updated 2008-03-25 00:13:20

     -> Added to bleeding-rbn.rules (2):
        #  VERSION 40
        #  Updated 2008-03-25 00:13:20

     -> Added to bleeding-sid-msg.map (21):
        2008048 || ET MALWARE Suspicious User-Agent (Version 1.23)
        2008049 || ET TROJAN Yahoo550.com Related Downlaoder/Trojan Checkin via HTTP
        2008050 || ET POLICY Likely Google Groups pr0n Access
        2008051 || ET POLICY Dell MyWay Remote control agent
        2008052 || ET MALWARE Suspicious User Agent (Internet Explorer)
        2008053 || ET MALWARE InternetSpeedMonitor Related Spyware User-Agent (parchmnt loader v1.8)
        2008054 || ET POLICY Nginx Server in use - Often Hostile Traffic
        2008055 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC
        2008056 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2
        2008057 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response
        2008058 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC port 443
        2008059 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2 port 443
        2008060 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response port 443
        2008061 || ET TROJAN LDPinch Checkin (4)
        2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272
        2008063 || ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit || bugtraq,28245 || url,www.milw0rm.com/exploits/5248
        2008064 || ET POLICY Nginx Server with no version string - Often Hostile Traffic
        2008065 || ET POLICY Nginx Server with modified version string - Often Hostile Traffic
        2008066 || ET MALWARE Suspicious Blank User-Agent (descriptor but no string)
        2404020 || ET DROP Known Bot C&C Server Traffic (group 21)  || url,www.shadowserver.org
        2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Added to bleeding-sid-msg.map.txt (21):
        2008048 || ET MALWARE Suspicious User-Agent (Version 1.23)
        2008049 || ET TROJAN Yahoo550.com Related Downlaoder/Trojan Checkin via HTTP
        2008050 || ET POLICY Likely Google Groups pr0n Access
        2008051 || ET POLICY Dell MyWay Remote control agent
        2008052 || ET MALWARE Suspicious User Agent (Internet Explorer)
        2008053 || ET MALWARE InternetSpeedMonitor Related Spyware User-Agent (parchmnt loader v1.8)
        2008054 || ET POLICY Nginx Server in use - Often Hostile Traffic
        2008055 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC
        2008056 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2
        2008057 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response
        2008058 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC port 443
        2008059 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2 port 443
        2008060 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response port 443
        2008061 || ET TROJAN LDPinch Checkin (4)
        2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272
        2008063 || ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit || bugtraq,28245 || url,www.milw0rm.com/exploits/5248
        2008064 || ET POLICY Nginx Server with no version string - Often Hostile Traffic
        2008065 || ET POLICY Nginx Server with modified version string - Often Hostile Traffic
        2008066 || ET MALWARE Suspicious Blank User-Agent (descriptor but no string)
        2404020 || ET DROP Known Bot C&C Server Traffic (group 21)  || url,www.shadowserver.org
        2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Added to bleeding-virus.rules (3):
        #re Trojan.Win32.Inject.ajq, by matt jonkman
        # 5bb2b20d012cfe541f1173881be28729
        #also seeing the same on 443

     -> Added to bleeding-web.rules (1):
        #by akash mahajan of stillsecure

     -> Added to bleeding.rules (1):
        #disabling by default. Is used in some legit places as well. Use this if you have a need

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (2):
        #  VERSION 1095
        #  Generated 2008-03-22 01:03:02 EDT

     -> Removed from bleeding-drop.rules (2):
        #  VERSION 1095
        #  Generated 2008-03-22 01:03:02 EDT

     -> Removed from bleeding-rbn-BLOCK.rules (2):
        #  VERSION 39
        #  Updated 2008-03-16 00:25:31

     -> Removed from bleeding-rbn.rules (2):
        #  VERSION 39
        #  Updated 2008-03-16 00:25:31

     -> Removed from bleeding-sid-msg.map (4):
        2007729 || ET CURRENT EVENTS Likely Zlob Binary Requested (VideoAccessCodecInstall.exe)
        2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe)
        2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
        2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)

     -> Removed from bleeding-sid-msg.map.txt (4):
        2007729 || ET CURRENT EVENTS Likely Zlob Binary Requested (VideoAccessCodecInstall.exe)
        2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe)
        2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
        2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)

     -> Removed from bleeding.rules (2):
        # by matt jonkman, to be removed/reconsidered on feb 20 08
        #keeping this, still getting reports of hits





More information about the Snort-sigs mailing list