Network Security Snort-Signatures

[Snort-sigs] Bleedingsnort.com Daily Update

Subject: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Mon, 27 Sep 2004 20:00:02 -0500

[***] Results from Oinkmaster started Mon Sep 27 20:00:01 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (2):
        alert tcp $HOME_NET 4321 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE Akak trojan protocol response from infected host"; content:"|6f 17 00 00|"; dsize:4;flow:established,to_client; reference:url,www.lurhq.com/akak.html; classtype:trojan-activity; sid:2001237; rev:1;)
        alert tcp any any -> any 4321 (msg:"BLEEDING-EDGE Akak trojan protocol hello"; content:"|89 13 00 00|"; dsize:4; flow:established,to_server; reference:url,www.lurhq.com/akak.html; classtype:trojan-activity; sid:2001236; rev:1;)

[---]         Removed rules:         [---]

     -> Removed from bleeding.rules (110):
        alert tcp $EXTERNAL_NET 2234 -> $HOME_NET any (msg:"BLEEDING-EDGE P2P Soulseek Filesearch Results"; classtype:policy-violation; content:"|09 00 00 00 78|"; sid:2001187; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Yahoo Mail Message Send"; flow:to_server,established; uricontent:"/ym/Compose"; nocase; classtype: policy-violation; sid:2000044; rev:6;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE AOL Webmail Login"; uricontent:"/login/login.psp?siteId="; content:"triedAimAuth"; sid:2000572; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; priority:1; sid:2001244; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Compose Message Submit"; content:"POST /cgi-bin/premail"; nocase; content:"hotmail.msn.com"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000038; rev:5;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT IRC channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; offset:0; nocase; classtype:policy-violation; priority:1; sid:2001249; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; classtype:policy-violation; priority:1; sid:2001263; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE P2P Ares traffic"; content:"User-Agent\: Ares"; reference:url,www.aresgalaxy.org; classtype:policy-violation; sid:2001059; rev:1;)
        #alert udp $DNS_SERVERS 53 -> any any (msg:"BLEEDING-EDGE DNS - Standard query response, Name Error"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x83/"; classtype:not-suspicious; sid:2001117; rev:1;)
        #alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:!"80"; content:" HTTP/1."; nocase; classtype:misc-activity; sid:2000547; rev:3; )
        alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE KitCo Kcast Ticker"; uricontent:"/pr/autray.txt"; nocase; classtype: policy-violation; sid:2000570; rev:1;)
        alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Download Windows Help File CHM"; content:"ITSF|03|"; isdataat:19,relative; content:"|7C 01 FD 10 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC 7C 01 FD 11 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC|"; distance:0; reference: url, http.www.speakeasy.org/~russotto/chm/chmformat.html; reference: url, http.www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype:misc-activity; sid:2000489; rev:3;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT IRC nick change"; flow:to_server,established; content:"NICK "; offset:0; classtype:policy-violation; priority:1; sid:2001246; rev:1;)
        alert tcp any any -> any 4660:4799 (msg:"BLEEDING-EDGE P2P ed2k connection to server"; content:"|e3|"; offset:0; depth:1; content:"|00000001|"; offset:2; depth:4; classtype:policy-violation; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 2; sid:2000330;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; priority:1; sid:2001256; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; priority:1; sid:2001262; rev:1;)
        alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Dameware Remote Control Service Install"; flow:to_server,established; content:"DWRCK.DLL"; nocase; classtype:successful-admin; sid:2001294; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"BLEEDING-EDGE RDP connection request"; content: "|03|"; offset: 0; depth: 1; content: "|E0|"; offset:5; depth: 1; flags: A+; priority:1; sid:2001329; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE P2P Soulseek"; content:"slsknet"; classtype:policy-violation; sid:2001188; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Yahoo Mail Inbox View"; flow:to_server,established; uricontent:"/ym/ShowFolder"; nocase; content:"rb=Inbox"; nocase; classtype: policy-violation; sid:2000041; rev:8;)
        alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE REG files version 4 download"; content:"REGEDIT4"; content:"|0D 0A|"; content:"["; content:"HKEY_"; reference: url, http.www.ss64.com/nt/regedit.html; nocase;  classtype:misc-activity; sid:2000420; rev:3;)
        alert tcp any any -> any 4660:4799 (msg:"BLEEDING-EDGE P2P ed2k file search"; content:"|e3|"; offset:0; depth:1; content:"|00000016|"; offset:2; depth:4; classtype:policy-violation; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 2; sid:2000331;)
        alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; priority:1; sid:2001265; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:6; flow:established; classtype:policy-violation; reference:url,bitconjurer.org/BitTorrent/protocol.html; sid:2000334; rev:5;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Yahoo Mail Message Compose Open"; flow:to_server,established; uricontent:"/ym/Compose"; nocase; classtype: policy-violation; sid:2000043; rev:7;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE P2P eDonkey Hello Request"; content: "|e3|"; content: "|01|"; offset:0; depth: 7; classtype:policy-violation; sid:2001300; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE P2P eDonkey File Status"; content: "|e3 14|"; offset: 0; depth: 2; classtype:policy-violation; sid:2001296; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE Phatbot P2P Control Connection"; flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:2000015; rev:1;)
        #alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:!"443"; content:" HTTP/1."; nocase; classtype:misc-activity; sid:2000548; rev:3; )
        alert udp $EXTERNAL_NET any -> $HOME_NET any  (msg:"BLEEDING-EDGE Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; offset:0; depth:6; classtype:policy-violation;threshold: type limit, track by_dst, count 1 , seconds 600; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; sid:2000340; rev:1;)
        #alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Yahoo Mail Login"; flow:to_server,established; uricontent:"/ym/login"; nocase; content:".rand="; nocase; classtype: policy-violation; sid:2000341; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Yahoo Briefcase Upload"; content:"briefcase.yahoo.com"; uricontent:"/process_bcmultipart_form"; nocase; classtype: policy-violation; sid:2001044; rev:1;)
        alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE REG files version 5 Unicode download"; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|R|00|e|00|g|00|i|00|s|00|t|00|r|00|y|00| |00|E|00|d|00|i|00|t|00|o|00|r|00| |00|V|00|e|00|r|00|s|00|i|00|o|00|n|00| |00|5|00|.|00|0|00|0|00|"; content:"|0D 0A|"; content:"[|00|"; content:"H|00|K|00|E|00|Y|00|_|00|"; reference: url, http.www.ss64.com/nt/regedit.html; nocase;  classtype:misc-activity; sid:2000422; rev:3;)
        alert tcp $HOME_NET 23 -> any any (msg:"BLEEDING-EDGE Cisco Device New Config Built"; classtype:not-suspicious; flow:established; content:"Building configuration..."; nocase; sid:2001240; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; priority:1;sid:2001255; rev:2;)
        alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE RDP connection confirm"; content: "|03|"; offset: 0; depth: 1; content: "|D0|"; offset:5; depth: 1; flags: A+; priority:1; sid:2001330; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE P2P Ares GET"; content:"GET /ares/"; reference:url,www.aresgalaxy.org; classtype:policy-violation; sid:2001060; rev:1;)
        alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ( msg:"BLEEDING-EDGE P2P iroffer IRC Bot help message"; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; depth:500; flow:from_server,established; classtype:trojan-activity; sid:2000338; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; priority:1; sid:2001245; rev:1;)
        alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE P2P eDonkey Server Status Request"; content: "|e3 96|"; offset:0; depth:2; rawbytes; classtype:policy-violation; sid:2001298; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; priority:1; sid:2001261; rev:1;)
        #alert tcp any any -> any any (msg:"BLEEDING-EDGE SSN Detected in Clear Text"; pcre:"/\b\d{3}-\d{2}-\d{4}\b/"; sid:2001328; rev:2;)
        alert tcp any !22 -> any !22 (msg:"BLEEDING-EDGE Covert Non-Standard SSH Port Usage"; flags:AP+;content: "SSH-"; depth:8; sid:2000354; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Yahoo Mail Message View"; flow:to_server,established; uricontent:"/ym/ShowLetter"; nocase; content:"MsgId"; nocase; classtype: policy-violation; sid:2000042; rev:7;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morpheus Update Request"; reference:url,www.morpheus.com; uricontent:"/gwebcache/gcache.asg?hostfile="; nocase; sid:2001037; rev:1;)
        #alert tcp any any <> any any (msg:"BLEEDING-EDGE CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; classtype:policy-violation; priority:1; sid:2001260; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morpheus Install ini Download"; reference:url,www.morpheus.com; uricontent:"/morpheus/morpheus_sm.ini"; nocase; sid:2001036; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Inbox Access"; uricontent:"GET /cgi-bin/HoTMaiL?curmbox="; nocase; content:"hotmail.msn.com"; flow:to_server,established; classtype: policy-violation; sid:2000035; rev:5;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE P2P BitTorrent Traffic"; reference:url,bitconjurer.org/BitTorrent/protocol.html; content:"|0000400907000000|"; offset:0; depth:8; flow:established; classtype:policy-violation; sid:2000357; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"BLEEDING-EDGE RDP disconnect request"; content: "|03|"; offset: 0; depth: 1; content: "|80|"; offset:5; depth: 1; flags: A+; priority:1; sid:2001331; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morpheus Install"; reference:url,www.morpheus.com; uricontent:"/morpheus/morpheus.exe"; nocase; sid:2001035; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; classtype:policy-violation; priority:1; sid:2001253; rev:1;)
        alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ( msg:"BLEEDING-EDGE P2P iroffer IRC Bot offered files advertisement"; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; depth:500; flow:from_server,established; classtype:trojan-activity; sid:2000339; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY IRC connection"; content:"Welcome to the "; content:"IRC Network"; nocase; flow:established; sid:2000356; rev:1; )
        alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE P2P eDonkey Search"; content: "|e3 0e|"; offset: 0; depth: 2; rawbytes; classtype:policy-violation; sid:2001305; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY IRC authorization message"; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; flow: established; sid:2000355; rev:1; )
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Compose Message Submit Data"; content:"curmbox="; nocase; content:"login="; nocase; content:"msghdrid"; nocase; content:"sigflag="; nocase; flow:to_server,established; classtype: policy-violation; sid:2000039; rev:5;)
        alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE TELNET access"; flow:from_server,established; content:"|FF FD 18|"; rawbytes; content:"|FF FD 27|"; rawbytes; reference:arachnids,08; reference:cve,CAN-1999-0619; classtype:not-suspicious; sid:2000002; rev:7;)
        alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT MSN file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance:1; classtype:policy-violation; priority:1; sid:2001242; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CHAT IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; priority:1; sid:2001252; rev:1;)
        alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXE compressed PKWARE Windows file download"; content:"MZ"; isdataat:28,relative; content:"PKLITE"; distance:0; reference: url, http.www.program-transformation.org/Transform/PcExeFormat; classtype:misc-activity; sid:2000426; rev:3;)
        alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE LX EXE OS2 file download"; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in a DOS session."; isdataat:6,relative; content:"LX"; distance:0; reference: url, http.www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype:misc-activity; sid:2000424; rev:3;)
        alert udp $HOME_NET 4660:4799 -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P eDonkey Server Status"; content: "|e3 97|"; offset:0; depth:2; rawbytes; classtype:policy-violation; sid:2001299; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"BLEEDING-EDGE P2P BitTorrent Announce"; reference:url,bitconjurer.org/BitTorrent/protocol.html; uricontent:"/announce"; flow:to_server,established; classtype:policy-violation; sid:2000369; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE Agobot/Phatbot Infection Successful"; flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:2000014; rev:1;)
        alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE NE EXE Windows 3.x file download"; content:"MZ"; isdataat:76,relative; content:"This program requires Microsoft Windows."; isdataat:10,relative; content:"NE"; distance:0; reference: url, http.www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype:misc-activity; sid:2000425; rev:3;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC SEND"; nocase; classtype:policy-violation; priority:1;sid:2001247; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE P2P eDonkey File Status Request"; content: "|e3 11|"; offset: 0; depth:2; classtype:policy-violation; sid:2001297; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"BLEEDING-EDGE MISC HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; uricontent:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype:attempted-admin; sid:2001055; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Message Access"; uricontent:"GET /cgi-bin/getmsg?msg=MSG"; nocase; content:"hotmail.msn.com"; flow:to_server,established; classtype: policy-violation; sid:2000036; rev:5;)
        alert tcp $HOME_NET any -> 38.115.131.0/24 2234 (msg:"BLEEDING-EDGE P2P Soulseek traffic"; classtype:policy-violation; sid:2001185; rev:2;)
        #pass tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:"443"; content:" HTTP/1."; nocase; classtype:misc-activity; sid:2000550; rev:1;)
        alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE PE EXE Install Windows file download"; content:"MZ"; isdataat:76,relative; content:"This program must be run under Win32"; distance:0; isdataat:140,relative; content:"PE"; distance:0; reference: url, http.www.program-transformation.org/Transform/PcExeFormat; classtype:misc-activity; sid:2000427; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Weatherbug Capture"; content:"GET"; content:"Host\:"; content:"weatherbug.com"; nocase; sid:2001267; rev:2;)
        alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Executable and linking format (ELF) file download"; content:"|7F|ELF"; content:"|00 00 00 00 00 00 00 00|";  reference: url, http.www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype:misc-activity; sid:2000418; rev:3;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT IRC dns request"; flow:to_server,established; content:"USERHOST "; offset:0; nocase; classtype:policy-violation; priority:1; sid:2001251; rev:1;)
        #alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel Attempt"; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:80"; distance:-11; within:4; content:"CONNECT "; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:443"; distance:-12; within:5; flow:to_server,established; sid:2000560; rev:4; )
        alert tcp any any -> any 4660:4799 (msg:"BLEEDING-EDGE P2P ed2k file request answer"; content:"|e3|"; offset:0; depth:1; content:"|00000059|"; offset:2; depth:4; classtype:policy-violation; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 2; sid:2000333;)
        alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE NE EXE OS2 file download"; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in a DOS session."; isdataat:6,relative; content:"NE"; distance:0; reference: url, http.www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype:misc-activity; sid:2000423; rev:3;)
        alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE KitCo Kcast Ticker"; uricontent:"/pr/agtray.txt"; nocase; classtype: policy-violation; sid:2000569; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; priority:1; sid:2001254; rev:1;)
        #pass tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:"80"; content:" HTTP/1."; nocase; classtype:misc-activity; sid:2000549; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Weatherbug"; uricontent:"WxAlertIsapi"; nocase; sid:2001235; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Hotmail Compose Message Access"; uricontent:"GET /cgi-bin/compose?"; nocase; content:"curmbox="; nocase; content:"hotmail.msn.com"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000037; rev:5;)
        alert udp $DNS_SERVERS 53 -> any any (msg:"BLEEDING-EDGE DNS - Standard query response, Format error"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x81/"; classtype:not-suspicious; sid:2001116; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; priority:1; sid:2001264; rev:1;)
        alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Download Windows Help File CHM 2"; content:"ITSF|03|"; isdataat:19,relative; content:"|10 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC 11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|"; distance:0; reference: url, http.www.speakeasy.org/~russotto/chm/chmformat.html; reference: url, http.www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype:misc-activity; sid:2000429; rev:3;)
        alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (msg:"BLEEDING-EDGE Multiple Non-SMTP Server Emails";flags: S; threshold: type threshold, track by_src,count 10, seconds 120; classtype:misc-activity; rev:3; sid:2000328;)
        #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE ZIP file download"; content:"PK|0304|"; byte_test: 1, <=, 0x14, 0, string, hex; distance: 0; content:"|00 00 00|"; distance: 0; reference: url, http.zziplib.sourceforge.net/zzip-parse.print.html;classtype:misc-activity; sid:2000428; rev:3;)
        alert tcp any any -> any 4660:4799 (msg:"BLEEDING-EDGE P2P ed2k request part"; content:"|e3|"; offset:0; depth:1; content:"|00000047|"; offset:2; depth:4; classtype:policy-violation; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 2; sid:2000332;)
        alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Yahoo Mail Message Send Info Capture"; flow:to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; classtype: policy-violation; sid:2000045; rev:6;)
        alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT MSN file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; distance:0; nocase; content:"text/x-msmsgsinvite"; distance:0; nocase; content:"Application-Name|3A|"; content:"File Transfer"; distance:0; nocase; classtype:policy-violation; priority:1; sid:2001241; rev:1;)
        alert tcp $HOME_NET any -> 66.151.158.177 any (msg:"BLEEDING-EDGE GotoMyPC Polling Client"; rev:1; sid:2000309;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE AOL Webmail Message Send"; uricontent:"/compose_frame.adp"; content:"POST"; sid:2000571; rev:1;)
        #alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; classtype:policy-violation; priority:1;sid:2001250; rev:1;)
        #alert udp $DNS_SERVERS 53 -> any any (msg:"BLEEDING-EDGE DNS - Standard query response, Refused"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; classtype:not-suspicious; sid:2001119; rev:1;)
        alert udp any any -> any any  (msg:"BLEEDING-EDGE P2P Overnet Server Announce"; content:"|00000203006c6f63|"; offset:36; content:"|006263703a2f2f|"; distance:1; classtype:policy-violation; rev:1; sid:2000335;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC CHAT chat"; nocase; classtype:policy-violation; priority:1; sid:2001248; rev:1;)
        alert tcp $HOME_NET 23 -> any any (msg:"BLEEDING-EDGE Cisco Device in Config Mode"; classtype:not-suspicious; flow:established; content:"Enter configuration commands, one per line"; nocase; nocase; sid:2001239; rev:3;)
        alert tcp $HOME_NET any -> 38.115.131.0/24 5534 (msg:"BLEEDING-EDGE P2P Soulseek traffic"; classtype:policy-violation; sid:2001186; rev:2;)
        alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE REG files version 5 download"; content:"Windows Registry Editor Version 5.00"; content:"|0D 0A|"; content:"["; content:"HKEY_"; reference: url, http.www.ss64.com/nt/regedit.html; nocase;  classtype:misc-activity; sid:2000421; rev:3;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE CHAT Yahoo IM file transfer request"; flow:established; content:"YMSG"; depth:4; nocase; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; priority:1; sid:2001259; rev:1;)
        #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE PE EXE or DLL Windows file download"; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat:10,relative; content:"PE"; distance: 0; reference: url, http.hyatus.dune2.info/Miscellanous/exe_header.html; classtype:misc-activity; sid:2000419; rev:3;)
        alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT MSN file transfer reject"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance:0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; distance:0; nocase; classtype:policy-violation; priority:1; sid:2001243; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; priority:1; sid:2001258; rev:1;)
        alert tcp $HOME_NET 4321 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE Akak trojan protocol response from infected host"; content:"|6f 17 00 00|"; dsize:4;flow:established,to_client; reference:url,www.lurhq.com/akak.html; classtype:trojan-activity; sid:2001237; rev:1;)
        #alert udp $DNS_SERVERS 53 -> any any (msg:"BLEEDING-EDGE DNS - Standard query response, Not Implemented"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x84/"; classtype:not-suspicious; sid:2001118; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; priority:1; sid:2001257; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE MSI (microsoft installer file) download"; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:bad-unknown; sid:2001115; rev:1;)
        alert tcp any any -> any 4321 (msg:"BLEEDING-EDGE Akak trojan protocol hello"; content:"|89 13 00 00|"; dsize:4; flow:established,to_server; reference:url,www.lurhq.com/akak.html; classtype:trojan-activity; sid:2001236; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-virus.rules (1):
        #Submitted by Joe Stewart

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding.rules (21):
        #Submitted by Marcamone
        # By Chich Thierry
        # By Chich Thierry
        #Submitted by Sam Evans
        #Thanks to Kevin Kolk
        # By Chich Thierry
        #Submitted by marcamone
        #Good rules, turn them on if you are interested. They are accurate.
        #Submitted by Ole-Martin
        #Submitted by Thomas Alex
        #Submitted by Brandon Barnes
        #Submitted by Jason
        #Originally posted by Matt Jonkman, major tweaks by Matt Watchinski.
        #Less useful rules are disabled, feel free to enable if you require the information. They are functional and accurate
        #Submitted by Jonathan Miner
        #Submitted by Vernon Stark
        #Submitted by Jonathan Miner
        #Submitted by Patrick Harper
        #This rule is disabled by default. It should generally be run on the outside of your network, not internally. Enable it where useful.
        #You MUST add the SMTP_SERVERS var to your snort.conf!!!!
        # Weatherbug - Dale Handy, PE

[+] Added files (consider updating your snort.conf to include them): [+]

    -> bleeding-p2p.rules
    -> bleeding-policy.rules



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
