Re: [Snort-sigs] Bleedingsnort.com Daily Update

The first version up did do that. The current version has the ; escaped 
and should be good.

These emails are for information, but I'd still always pull rules from 
the website. They'll always be more up to date.

Matt

Graeme Rider wrote:
> l don't know if anyone else had the same problem but when l loaded the
> signature for MYDOOM.s the semicolon on the content caused snort not to
> reload....
> l did a /usr/local/bin/snort -c snort.conf -o and it complained about the
> content not being enclosed in semi-colons...
> maybe it is the way l am doing it..any ideas???
> regard
> graeme
>
> -----Original Message-----
> From: matt@infotex.com [mailto:matt@infotex.com]
> Sent: Monday, 16 August 2004 11:05 PM
> To: snort-sigs@lists.sourceforge.net
> Subject: [Snort-sigs] Bleedingsnort.com Daily Update
>
>
> Todays changes from Bleedingsnort.com:
>
> [***] Results from Oinkmaster started Mon Aug 16 08:05:20 2004 [***]
>
> [+++]          Added rules:          [+++]
>
>      -> Added to bleeding.rules (7):
>         alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Width
> exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8;
> byte_test:4,>=,0x80000000,8,relative,big,string,hex;
> reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
> classtype:misc-activity; sid:2001191; rev:1;)
>         alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero
> Width"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8;
> byte_test:4,=,0x00000000,8,relative,big,string,hex;
> reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
> classtype:misc-activity; sid:2001193; rev:1;)
>         alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible
> integer overflow in allocation in png_handle_sPLT"; content:"|89 50 4E 47 0D
> 0A 1A 0A|"; offset:0; depth:8; content:"sPLT"; isdataat:80,relative;
> content:!"|00|";
> distance:0;reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
> classtype:misc-activity; sid:2001195; rev:1;)
>         alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM
> MyDoom.S Outbound"; content:"LOL!;))))"; nocase;
> content:"filename=photos_arc.exe"; nocase;
> reference:url,www.f-secure.com/v-descs/mydoom_s.shtml;
> reference:url,isc.sans.org/diary.php?date=2004-08-16; sid:2001196; rev:1;)
>         alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero
> Height"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8;
> byte_test:4,=,0x00000000,12,relative,big,string,hex;
> reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
> classtype:misc-activity; sid:2001194; rev:1;)
>         alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Height
> exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8;
> byte_test:4,>=,0x80000000,12,relative,big,string,hex;
> reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
> classtype:misc-activity; sid:2001192; rev:1;)
>         alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible
> NULL-pointer crash in png_handle_iCCP"; content:"|89 50 4E 47 0D 0A 1A 0A|";
> offset:0; depth:8; byte_test:4,>=,0x80000000,0,relative,big,string,hex;
> reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
> classtype:misc-activity; sid:2001190; rev:1;)
>
> [///]     Modified active rules:     [///]
>
>      -> Modified active in bleeding.rules (1):
>         old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler";
> uricontent:"aim\:goaway?message=";
> reference:www.idefense.com/application/poi/display?id=121;
> classtype:misc-activity; sid:2001189; rev:2;)
>         new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler";
> uricontent:"aim\:goaway?message=";
> reference:url,www.idefense.com/application/poi/display?id=121;
> classtype:misc-activity; sid:2001189; rev:3;)
>
> [+++]      Added non-rule lines:     [+++]
>
>      -> Added to bleeding-sid-msg.map (8):
>         2001189 || BLEEDING-EDGE AOL Instant Messenger aim goaway URI
> Handler || url,www.idefense.com/application/poi/display?id=121
>         2001190 || BLEEDING-EDGE libPNG - Possible NULL-pointer crash in
> png_handle_iCCP || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
>         2001191 || BLEEDING-EDGE libPNG - Width exceeds limit ||
> url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
>         2001192 || BLEEDING-EDGE libPNG - Height exceeds limit ||
> url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
>         2001193 || BLEEDING-EDGE libPNG - zero Width ||
> url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
>         2001194 || BLEEDING-EDGE libPNG - zero Height ||
> url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
>         2001195 || BLEEDING-EDGE libPNG - Possible integer overflow in
> allocation in png_handle_sPLT ||
> url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
>         2001196 || BLEEDING-EDGE WORM MyDoom.S Outbound ||
> url,isc.sans.org/diary.php?date=2004-08-16 ||
> url,www.f-secure.com/v-descs/mydoom_s.shtml
>
> [---]     Removed non-rule lines:    [---]
>
>      -> Removed from bleeding-sid-msg.map (1):
>         2001189 || BLEEDING-EDGE AOL Instant Messenger aim goaway URI
> Handler || www.idefense.com/application/poi/display?id=121
>
> [*] Added files: [*]
>     None.
>
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
> 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
> Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
> http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> This email and any attachments may contain privileged and confidential 
> information and are intended for the named addressee only. If you have received 
> this e-mail in error, please notify the sender and delete this e-mail 
> immediately. Any confidentiality, privilege or copyright is not waived or lost 
> because this e-mail has been sent to you in error. It is your responsibility to 
> check this e-mail and any attachments for viruses.  No warranty is made that 
> this material is free from computer virus or any other defect or error.  Any 
> loss/damage incurred by using this material is not the sender's responsibility. 
>  The sender's entire liability will be limited to resupplying the material.
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
> 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
> Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
> http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs


-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs