[Snort-sigs] Bleedingsnort.com Daily Update

[***] Results from Oinkmaster started Thu Sep  9 20:00:01 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Browseraid.com Agent Updating"; 
classtype:trojan-activity; reference:url,www.browseraid.com; 
uricontent:"/perl/uptodate.pl"; nocase; content:"User-Agent\: Windows 
UpToDate"; nocase; sid:2001304; rev:1;)

     -> Added to bleeding-virus.rules (4):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Webber/Berbew Trojan keystroke log upload"; 
flow:established; content:"id=crutop|26|vvpupkin0="; depth:20; 
classtype:trojan-activity; reference:url,www.lurhq.com/berbew.html; 
sid:2001303; rev:2;)
        alert tcp $HOME_NET any -> any 25 (content:"Mail transaction failed"; 
nocase; content:"Content-Type\: application/octet-stream"; nocase; 
content:"Content-Transfer-Encoding\: base64"; nocase; msg:"BLEEDING-EDGE VIRUS 
MyDoom/MIMAIL.R Outbound 2"; classtype:trojan-activity; sid:2001275; rev:3; )
        alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE VIRUS 
Nachi/Phatbot Worm"; flow:to_server,established; content:"|05|"; distance:0; 
within:1; byte_test:1,<,16,3,relative; content:"|5c 00 5c 00|"; 
byte_test:4,>,256,-8,relative; reference:cve,CAN-2003-0352; 
reference:bugtraq,8205; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.asp; 
classtype:attempted-admin; sid:2001302; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE VIRUS 
Nachi/Phatbot Worm"; flow:to_server,established; content:"|05|"; distance:0; 
within:1; byte_test:1,&,16,3,relative; content:"|5c 00 5c 00|"; 
byte_test:4,>,256,-8,little,relative; reference:cve,CAN-2003-0352; 
reference:bugtraq,8205; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.asp; 
classtype:attempted-admin; sid:2001301; rev:3;)

     -> Added to bleeding.rules (2):
        alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE 
P2P eDonkey Search"; content: "|e3 0e|"; offset: 0; depth: 2; rawbytes; 
classtype:policy-violation; sid:2001305; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Yahoo Briefcase Upload"; content:"briefcase.yahoo.com"; 
uricontent:"/process_bcmultipart_form"; nocase; classtype: policy-violation; 
sid:2001044; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (3):
        old: alert tcp any any -> any 80 (content:"GET HTTP/1.1|0d0a|Host\: 
www.sco.com|0d0a0d0a|"; offset:0; dsize:37; msg:"BLEEDING-EDGE VIRUS 
W32.Novarg.A SCO DOS"; classtype:trojan-activity; sid:2001278; rev:1; )
        new: alert tcp any any -> any $HTTP_PORTS (content:"GET 
HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset:0; dsize:37; 
msg:"BLEEDING-EDGE VIRUS W32.Novarg.A SCO DOS"; classtype:trojan-activity; 
sid:2001278; rev:2; )
        old: alert tcp $HOME_NET any -> any 80 (content:"User-Agent\: 
beagle_beagle"; flags:ap; dsize:< 150; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; 
classtype:trojan-activity; sid:2001269; rev:4; )
        new: alert tcp $HOME_NET any -> any $HTTP_PORTS (content:"User-Agent\: 
beagle_beagle"; flags:ap; dsize:< 150; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; 
classtype:trojan-activity; sid:2001269; rev:5; )
        old: alert tcp $HOME_NET any -> any 25 
(content:"7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh";
 flags:ap; msg:"BLEEDING-EDGE VIRUS Beagle Worm"; classtype:trojan-activity; 
sid:2001270; rev:2; )
        new: alert tcp $HOME_NET any -> any 25 
(content:"7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh";
 flags:ap; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; 
sid:2001270; rev:2; )

[---]  Disabled and modified rules:  [---]

     -> Disabled and modified in bleeding.rules (1):
        old: alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: 
"BLEEDING-EDGE P2P eDonkey Search"; content: "|e3 0e|"; offset: 0; depth: 2; 
rawbytes; classtype:policy-violation; sid:2001300; rev:1;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: 
"BLEEDING-EDGE P2P eDonkey Hello Request"; content: "|e3|"; content: "|01|"; 
offset:0; depth: 7; classtype:policy-violation; sid:2001300; rev:1;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-virus.rules (5):
        alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE VIRUS 
Nachi/Phatbot Worm"; flow:to_server,established; content:"|05|"; distance:0; 
within:1; byte_test:1,<,16,3,relative; content:"|5c 00 5c 00|"; 
byte_test:4,>,256,-8,relative; reference:cve,CAN-2003-0352; 
reference:bugtraq,8205; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.asp; 
classtype:attempted-admin; sid:2352; rev:3;)
        alert tcp $HOME_NET any -> any 25 (content:"Mail transaction failed"; 
nocase; content:"Content-Type\: application/octet-stream"; nocase; 
content:"Content-Transfer-Encoding\: base64"; nocase; msg:"BLEEDING-EDGE VIRUS 
MyDoom/MIMAIL.R Outbound 2"; classtype:trojan-activity; sid:201275; rev:3; )
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE 
NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; 
content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; 
content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 
00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; 
content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; 
flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; 
reference:bugtraq,10108; reference:cve,2003-0533; 
reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; 
classtype:protocol-command-decode; sid:2513; rev:7;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE VIRUS 
Nachi/Phatbot Worm"; flow:to_server,established; content:"|05|"; distance:0; 
within:1; byte_test:1,&,16,3,relative; content:"|5c 00 5c 00|"; 
byte_test:4,>,256,-8,little,relative; reference:cve,CAN-2003-0352; 
reference:bugtraq,8205; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.asp; 
classtype:attempted-admin; sid:2351; rev:3;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE 
NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; 
content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; 
content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 
D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; 
flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; 
reference:bugtraq,10108; reference:cve,2003-0533; 
reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; 
classtype:protocol-command-decode; sid:2526; rev:6;)

     -> Removed from bleeding.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Yahoo Briefcase Upload"; content:"briefcase.yahoo.com"; 
uricontent:"/process_bcmultipart_form"; nocase; classtype: policy-violation; 
sid:1001044; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (8):
        2001044 || BLEEDING-EDGE Yahoo Briefcase Upload
        2001270 || BLEEDING-EDGE VIRUS Bagle Worm
        2001275 || BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 2
        2001301 || BLEEDING-EDGE VIRUS Nachi/Phatbot Worm || 
url,www.microsoft.com/technet/security/bulletin/MS03-026.asp || bugtraq,8205 || 
cve,CAN-2003-0352
        2001302 || BLEEDING-EDGE VIRUS Nachi/Phatbot Worm || 
url,www.microsoft.com/technet/security/bulletin/MS03-026.asp || bugtraq,8205 || 
cve,CAN-2003-0352
        2001303 || BLEEDING-EDGE Webber/Berbew Trojan keystroke log upload || 
url,www.lurhq.com/berbew.html
        2001304 || BLEEDING-EDGE Malware Browseraid.com Agent Updating || 
url,www.browseraid.com
        2001305 || BLEEDING-EDGE P2P eDonkey Search

     -> Added to bleeding-virus.rules (10):
        #From the Netsquid Rules
        #From the Netsquid Rules
        #From the Netsquid Rules
        #From Michael Sconzo and Netsquid
        #From the Netsquid Rules
        #From the Netsquid Rules
        #From the Netsquid Rules
        #From the Netsquid Rules
        #From the Netsquid Rules
        #From the Netsquid rules

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (22):
        2351 || BLEEDING-EDGE VIRUS Nachi/Phatbot Worm || 
url,www.microsoft.com/technet/security/bulletin/MS03-026.asp || bugtraq,8205 || 
cve,CAN-2003-0352
        2352 || BLEEDING-EDGE VIRUS Nachi/Phatbot Worm || 
url,www.microsoft.com/technet/security/bulletin/MS03-026.asp || bugtraq,8205 || 
cve,CAN-2003-0352
        100036 || MS-SQL SQL Injection - /* || 
url,http.www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html
        100037 || MS-SQL SQL Injection - */ || 
url,http.www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html
        100038 || Oracle SQL Injection - /* || 
url,http.www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html
        100039 || Oracle SQL Injection - */ || 
url,http.www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html
        100040 || MySQL SQL Injection - /* || 
url,http.www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html
        100041 || MySQL SQL Injection - */ || 
url,http.www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html
        100042 || MS-SQL SQL Injection - UNION SELECT || 
url,http.www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html
        100043 || Oracle SQL Injection 6 || url, 
http.www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html
        100044 || Oracle SQL Injection || url, 
http.www.securityfocus.com/infocus/1644
        100045 || Oracle SQL Injection 2 || url, 
http.www.securityfocus.com/infocus/1644
        100046 || Oracle SQL Injection 3 || url, 
http.www.securityfocus.com/infocus/1644
        100047 || Oracle SQL Injection 4 || url, 
http.www.securityfocus.com/infocus/1644
        100048 || Oracle SQL Injection 5 || url, 
http.www.securityfocus.com/infocus/1644
        100049 || Oracle access to system objects || url, 
http.www.securityfocus.com/infocus/1644
        100050 || Oracle access to system tables || url, 
http.www.securityfocus.com/infocus/1768 || url, 
http.www.securityfocus.com/infocus/1644
        100051 || MS-SQL INFORMATION_SCHEMA access || 
url,http.securiteam.com/securityreviews/5DP0N1P76E.html
        201275 || BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 2
        1001044 || BLEEDING-EDGE Yahoo Briefcase Upload
        2001270 || BLEEDING-EDGE VIRUS Beagle Worm
        2001300 || BLEEDING-EDGE P2P eDonkey Hello Request

     -> Removed from bleeding-virus.rules (4):
        #These rules are direct from Netsquid 
(http://netsquid.tamu.edu/main.html)
        #They are designed for blocking infected hosts. We recommend that 
project highly. We will attempt to keep these rules sync'd with theirs.
        # The following are support rules, so we can use flowbits to reduce 
false positives
        ## End of netsquid Rules

[*] Added files: [*]
    None.



-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM. 
Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs