[***] Results from Oinkmaster started Mon Sep 13 00:05:42 2004 [***]
[+++] Added rules: [+++]
-> Added to bleeding-malware.rules (15):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Traffic Syndicate Add/Remove";
uricontent:"/Support/AddRemove.aspx?id="; nocase; classtype:trojan-activity;
sid:2001313; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Wild Tangent Agent"; uricontent:"/CDAFiles/";
nocase; classtype:trojan-activity; sid:2001314; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Wild Tangent Agent Checking In";
uricontent:"/CDADeliveries/Checkin.aspx"; nocase; classtype:trojan-activity;
sid:2001309; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Speedera Agent"; uricontent:"/io/downloads";
nocase; classtype:trojan-activity; sid:2001320; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Wild Tangent New Install";
uricontent:"/NewUser/Checkin.aspx"; nocase; classtype:trojan-activity;
sid:2001322; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Unknown Spyware Agent Traffic";
uricontent:"/sitereview.asmx/GetReview"; nocase; classtype:trojan-activity;
sid:2001323; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE Malware Webhancer Data Upload"; content:"WebHancer
Authority Server"; nocase; classtype:trojan-activity; sid:2001317; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Wild Tangent Agent Traffic";
uricontent:"/CDAFiles/DP/SysConfig"; nocase; classtype:trojan-activity;
sid:2001310; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Traffic Syndicate Agent Updating";
uricontent:"/TbInstConfig.asmx"; nocase; classtype:trojan-activity;
sid:2001316; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Rdxrp.com Traffic"; uricontent:"/rdxr020304.dat";
nocase; classtype:trojan-activity; sid:2001311; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Traffic Syndicate Agent Updating";
uricontent:"/TbLinkConfig.asmx"; nocase; classtype:trojan-activity;
sid:2001315; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Rdxrp.com Traffic (Generic)"; uricontent:"/rdxr";
nocase; uricontent:".dat"; nocase; classtype:trojan-activity; sid:2001312;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Unknown Spyware Agent Upload";
uricontent:"/conf/xml/"; nocase; classtype:trojan-activity; sid:2001324; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Speedera Agent (Specific)";
uricontent:"/io/downloads/3/wsem302.dl"; nocase; classtype:trojan-activity;
sid:2001321; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Adwave Agent Access";
uricontent:"/search_404.aspx?aff="; nocase; classtype:trojan-activity;
sid:2001318; rev:1;)
[---] Removed rules: [---]
-> Removed from bleeding-malware.rules (2):
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE IE spyware downloader get.php"; content:"script";
content:"language"; content:"JavaScript"; content:"src"; content:"http\:\/\/";
content:".php"; content:"\/"; content:"script"; reference: url,
http.www.giac.org/practical/GCIH/Franklin_Witter_GCIH.pdf; nocase;
classtype:misc-attack; sid:2000511; rev:2;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE IE spyware downloader prompt.php";
pcre:"/document\.write[\s]*\([\s]*["'](%[0-9a-fA-F]{1,2}){20}/i"; reference:
url, http.www.giac.org/practical/GCIH/Franklin_Witter_GCIH.pdf;
classtype:misc-attack; sid:2000512; rev:3;)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-sid-msg.map (15):
2001309 || BLEEDING-EDGE Malware Wild Tangent Agent Checking In
2001310 || BLEEDING-EDGE Malware Wild Tangent Agent Traffic
2001311 || BLEEDING-EDGE Malware Rdxrp.com Traffic
2001312 || BLEEDING-EDGE Malware Rdxrp.com Traffic (Generic)
2001313 || BLEEDING-EDGE Malware Traffic Syndicate Add/Remove
2001314 || BLEEDING-EDGE Malware Wild Tangent Agent
2001315 || BLEEDING-EDGE Malware Traffic Syndicate Agent Updating
2001316 || BLEEDING-EDGE Malware Traffic Syndicate Agent Updating
2001317 || BLEEDING-EDGE Malware Webhancer Data Upload
2001318 || BLEEDING-EDGE Malware Adwave Agent Access
2001320 || BLEEDING-EDGE Malware Speedera Agent
2001321 || BLEEDING-EDGE Malware Speedera Agent (Specific)
2001322 || BLEEDING-EDGE Malware Wild Tangent New Install
2001323 || BLEEDING-EDGE Malware Unknown Spyware Agent Traffic
2001324 || BLEEDING-EDGE Malware Unknown Spyware Agent Upload
[*] Added files: [*]
None.
-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
