Network Security Snort-Signatures

[Snort-sigs] Bleedingsnort.com Daily Update

Subject: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Wed, 8 Sep 2004 20:00:01 -0500

[***] Results from Oinkmaster started Wed Sep  8 20:00:01 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (2):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Featured-Results.com Agent Reporting Data"; 
classtype:trojan-activity; reference:url,www.featured-results.com; 
content:"POST "; nocase; content:"/perl/fr.pl"; nocase; content:"action=any"; 
nocase; content:"country="; nocase; sid:2001293; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Browseraid.com Agent "; classtype:trojan-activity; 
reference:url,www.browseraid.com; content:"User-Agent\: Browser Adv"; nocase; 
sid:2001295; rev:1;)

     -> Added to bleeding.rules (6):
        alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE 
P2P eDonkey Search"; content: "|e3 0e|"; offset: 0; depth: 2; rawbytes; 
classtype:policy-violation; sid:2001300; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE 
P2P eDonkey File Status"; content: "|e3 14|"; offset: 0; depth: 2; 
classtype:policy-violation; sid:2001296; rev:1;)
        alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Dameware 
Remote Control Service Install"; flow:to_server,established; 
content:"DWRCK.DLL"; nocase; classtype:successful-admin; sid:2001294; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE 
P2P eDonkey File Status Request"; content: "|e3 11|"; offset: 0; depth:2; 
classtype:policy-violation; sid:2001297; rev:2;)
        alert udp $HOME_NET 4660:4799 -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE 
P2P eDonkey Server Status"; content: "|e3 97|"; offset:0; depth:2; rawbytes; 
classtype:policy-violation; sid:2001299; rev:1;)
        alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE 
P2P eDonkey Server Status Request"; content: "|e3 96|"; offset:0; depth:2; 
rawbytes; classtype:policy-violation; sid:2001298; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (1):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Browseraid.com Agent Reporting Data"; 
classtype:trojan-activity; reference:url,www.browseraid.com; uricontent:"POST 
"; nocase; uricontent:"/perl/ads.pl"; nocase; uricontent:"action=any"; nocase; 
uricontent:"county="; nocase; sid:2001266; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Browseraid.com Agent Reporting Data"; 
classtype:trojan-activity; reference:url,www.browseraid.com; content:"POST "; 
nocase; content:"/perl/ads.pl"; nocase; content:"action=any"; nocase; 
content:"county="; nocase; sid:2001266; rev:3;)

     -> Modified active in bleeding.rules (1):
        old: alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential 
SSH Brute Force Attack"; flow:to_server,established; flags:S; threshold:type 
limit, track by_src, count 5, seconds 60; classtype:attempted-dos; sid:2001219; 
rev:3;)
        new: alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential 
SSH Brute Force Attack"; flow:to_server,established; flags:S; threshold:type 
threshold, track by_src, count 5, seconds 60; classtype:attempted-dos; 
sid:2001219; rev:4;)

[---]         Removed rules:         [---]

     -> Removed from bleeding.rules (24):
        alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS OUTBOUND 
Suspicious Email Attachment"; flow:to_server,established; 
content:"Content-Disposition|3A|"; nocase; 
pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(ps|cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR";
 classtype:suspicious-filename-detect; sid:2000562; rev:6;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS 
Possible Atak.mm Worm Outbound"; content:"Authorized Researcher Only"; 
pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; content:"filename="; 
content:".zip"; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html;
 sid:2000494; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM 
MyDoom.S Outbound"; content:"LOL!\;)"; nocase; 
content:"filename=photos_arc.exe"; nocase; 
reference:url,www.f-secure.com/v-descs/mydoom_s.shtml; 
reference:url,isc.sans.org/diary.php?date=2004-08-16; sid:2001196; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE UPX 
encrypted file download - possible worm"; content:"MZ"; isdataat:76,relative; 
content:"This program cannot be run in DOS mode."; distance: 0; 
isdataat:10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; 
content:"|00 C0|text|00|"; classtype:misc-activity; sid:2001047; rev:1;)
        alert tcp any any -> any 5554 ( msg: "BLEEDING-EDGE Sasser FTP 
Traffic"; content: "up.exe"; flow:to_server,established; classtype: 
misc-activity; sid: 2000040; rev: 2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
W32/Sasser.worm.a [NAI])"; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 
F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html;
 classtype:misc-activity; sid:2001057; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Mailto domain search possible MyDoom.M,O"; 
uricontent:"/search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+"; depth:45; 
content:"Host\: www.google.com"; reference:url,www.lurhq.com/zindos.html; 
classtype:trojan-activity; sid:2001012; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( 
msg:"BLEEDING_EDGE VIRUS Psyme Trojan Download"; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html;
 uricontent:"/download/IEService215.chm"; nocase; sid:2000365; rev:2; )
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE IE Ilookup Trojan"; 
content:"#@~^/gAAAA==@#@&@#@&7lMP\:HVK^P{P[W1Ehn"; 
content:"#@~^GAIAAA==@#@&\\CMPsX/DD,xPvEU+kmC2"; reference:url, 
http.62.131.86.111/analysis.htm; classtype:misc-activity; sid:2001066; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS 
Possible Bagle.AI Worm Outbound"; content:"filename="; 
pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/";
 pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ 
Music|Lovely\ animals|Predators|The\ snake)/"; content:"\<html\>"; sid:2000561; 
rev:5;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS 
Possible Evaman Worm Outbound"; content:"filename="; pcre: 
"m/(body|message|email|returned|text|document).(scr|txt.scr|html.scr|outlook.scrtxt.exe)/";
 reference:url,secunia.com/virus_information/10429/evaman; sid:2000343; rev:4;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; 
reference:url,http.isc.sans.org/diary.php?date=2004-08-09; content:"GET 
/2.jpg"; sid:2001061; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: 
"BLEEDING-EDGE MyDoom.P Query"; flow:to_server,established; 
content:"/py/psSearch.py|3f|"; nocase; content: "Host|3a| 
EMAIL.PEOPLE.YAHOO.COM"; sid:2001045; rev:4;)
        alert ip any any -> any any (msg:"BLEEDING-EDGE Possible CIA 
download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; 
classtype:trojan-activity; sid:2001233; rev:2;)
        alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Probable Zafi 
Virus Outbound via SMTP"; content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"; 
content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; distance:6; 
classtype:misc-activity; sid:2000310; rev:1;)
        alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE RXBOT / RBOT 
Vulnerability Scan";content:"|2E|advscan|20|"; nocase; classtype: 
trojan-activity; reference:url,www.nitroguard.com/rxbot.html; 
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL;
 reference:url,www.muzzleflash.org/readarticle.php?article_id=5#scanning; 
sid:2001184; rev: 1;)
        alert tcp any any -> any 9996 ( msg: "BLEEDING-EDGE Sasser Transfer 
up.exe"; content: "|5F75702E657865|"; depth: 250; flow:established,to_server; 
classtype: misc-activity; sid: 2000047; rev: 2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE UPX 
compressed file download - possible worm"; content:"MZ"; isdataat:76,relative; 
content:"This program cannot be run in DOS mode."; distance: 0; 
isdataat:10,relative; content:"PE"; distance: 0; content:"|00|UPX0|00|"; 
content:"|00|UPX1|00|"; content:"|00|UPX!|00|"; classtype:misc-activity; 
sid:2001046; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS 
Possible Bagle.AQ Worm Outbound"; content:"filename="; 
pcre:"m/(price2|new_price|08_price|newprice|new_price|price_new|price|price_08).zip/";
 nocase; sid:2001065; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
W32/Sasser.worm.b [NAI])"; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 
E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html;
 classtype:misc-activity; sid:2001056; rev:1;)
        alert ip any any -> any any (msg:"BLEEDING-EDGE Win32/Small.AR outbound 
activity"; uricontent:"/zosman/cia/index.php"; classtype:trojan-activity; 
sid:2001234; rev:2;)
        alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE RXBOT / RBOT 
Exploit Report"; content:"|5D 3A 20|Exploiting|20|IP|3A 20|"; nocase; 
classtype:trojan-activity;  reference:url,www.nitroguard.com/rxbot.html; 
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL;
 sid:2001220; rev: 1;)
        alert tcp $HOME_NET 1024:65535 -> any 1034 (msg:"BLEEDING-EDGE Worm 
Zincite Probing port 1034"; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html;
 flow:to_server; sid:2001011; threshold: type threshold, track by_src, count 
30,seconds 60; rev:4;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Bagle Variant Checking In"; 
reference:url,vil.nai.com/vil/content/v_127423.htm; uricontent:"/spyware.php"; 
sid:2001064; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (35):
        2351 || BLEEDING-EDGE VIRUS Nachi/Phatbot Worm || 
url,www.microsoft.com/technet/security/bulletin/MS03-026.asp || bugtraq,8205 || 
cve,CAN-2003-0352
        2352 || BLEEDING-EDGE VIRUS Nachi/Phatbot Worm || 
url,www.microsoft.com/technet/security/bulletin/MS03-026.asp || bugtraq,8205 || 
cve,CAN-2003-0352
        201275 || BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 2
        2001268 || BLEEDING-EDGE VIRUS SWEN.A Worm detected
        2001269 || BLEEDING-EDGE VIRUS Bagle Worm
        2001270 || BLEEDING-EDGE VIRUS Beagle Worm
        2001271 || BLEEDING-EDGE VIRUS MiMail.P Worm - DNS Query
        2001272 || BLEEDING-EDGE VIRUS MiMail.P Worm - Mail Attachment
        2001273 || BLEEDING-EDGE VIRUS Outbound W32.Novarg.A worm
        2001274 || BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 1
        2001276 || BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 3
        2001277 || BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Variant Outbound
        2001278 || BLEEDING-EDGE VIRUS W32.Novarg.A SCO DOS
        2001279 || BLEEDING-EDGE VIRUS MyDoom.F Worm
        2001280 || BLEEDING-EDGE VIRUS Netsky message.zip HEX port 139
        2001281 || BLEEDING-EDGE VIRUS Netsky message.zip HEX port 445
        2001282 || BLEEDING-EDGE VIRUS Netsky base64 port 1352
        2001283 || BLEEDING-EDGE VIRUS Netsky base64 port 25
        2001284 || BLEEDING-EDGE VIRUS Sober.F Outbound
        2001285 || BLEEDING-EDGE VIRUS Sober.F Outbound
        2001286 || BLEEDING-EDGE VIRUS Sasser/Korgo Worm || 
url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 
|| bugtraq,10108
        2001287 || BLEEDING-EDGE VIRUS W32/Stdbot.worm.a
        2001288 || BLEEDING-EDGE VIRUS W32/Stdbot.worm.b
        2001289 || BLEEDING-EDGE VIRUS Korgo Worm IRC Connection
        2001290 || BLEEDING-EDGE VIRUS Possible Evaman Worm || 
url,secunia.com/virus_information/10429/evaman
        2001291 || BLEEDING-EDGE VIRUS Possible Atak.mm Worm || 
url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html
        2001292 || BLEEDING-EDGE VIRUS Possible Bagle.AI Worm
        2001293 || BLEEDING-EDGE Malware Featured-Results.com Agent Reporting 
Data || url,www.featured-results.com
        2001294 || BLEEDING-EDGE POLICY Dameware Remote Control Service Install
        2001295 || BLEEDING-EDGE Malware Browseraid.com Agent  || 
url,www.browseraid.com
        2001296 || BLEEDING-EDGE P2P eDonkey File Status
        2001297 || BLEEDING-EDGE P2P eDonkey File Status Request
        2001298 || BLEEDING-EDGE P2P eDonkey Server Status Request
        2001299 || BLEEDING-EDGE P2P eDonkey Server Status
        2001300 || BLEEDING-EDGE P2P eDonkey Hello Request

     -> Added to bleeding.rules (2):
        #Submitted by Sam Evans
        #Submitted by Ole-Martin

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding.rules (12):
        #Submitted by Michael Sconzo
        #Submitted by msconzo@tamu.edu
        #Snort.org rule 721 scaled back a bit by Matt Jonkman to not hit on 
xls, vcf, ppt, rtf, dot, or pdf.
        #If you use this rule disable 721 in the snort sets. This rule will hit 
on the following:
        #   ade, adp, asd, asf, asx, bat, bas, chm, cli, cmd, com, crt, cpl, 
cpp, diz, dll, ebs, emf, eml, exe, fol, folder, hlp, hsq, hta, ini, inf, ins,
        #   isp, js, jse, lnk, mda, mdb, mde, mdw, mdz, mht, mhtm, msi, msc, 
msg, msp, mst, nws, ocx, pcd, pif, pl, pls, plc,plx, pm, pot, pps, rar,
        #   reg, scr, sct, shs, swf, sys, url, vb, vbe, vbs, vxd, wmd, wmf, 
wms, wmz, wpm, wps, wpz, wsc, wsf, wsh, xlt, xlw, zip
        #Submitted by Michael Sconzo
        #Written by Chris Norton
        #Submitted by Christopher Harrington
        #Submitted by Lin Zhong
        #From Lurhq

[+] Added files (consider updating your snort.conf to include them): [+]

    -> bleeding-virus.rules



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
