
| Subject: | RE: [Snort-sigs] Bleedingsnort.com Daily Update |
|---|---|
| Date: | Mon, 25 Oct 2004 13:31:44 -0400 |
Furthermore sid:2001377, (:"BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit)), needs to be fixed so that it at least has both a space before and after. Right now it is picking up all sorts of numbers in number sequences greater than or equal to 16 digits. If that isn't fixed the rule is practically useless because it picks up way too many FP's.

-----Original Message-----
From: Esler, Joel - Contractor [mailto:joel.esler@rcert-s.army.mil]
Sent: Monday, October 25, 2004 11:12 AM
To: matt@infotex.com; snort-sigs@lists.sourceforge.net
Subject: RE: [Snort-sigs] Bleedingsnort.com Daily Update

On a side note, these rules won't detect American Express ;)

J

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net [mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of matt@infotex.com
Sent: Sunday, October 24, 2004 9:00 PM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] Bleedingsnort.com Daily Update

```
[***] Results from Oinkmaster started Sun Oct 24 20:00:02 2004 [***]

[+++] Added rules: [+++]

 -> Added to bleeding-policy.rules (10):
    #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit dashed)"; pcre:"/(3[4|7]\d{2}|2014|2149|2131|1800)-\d{4}-\d{4}-\d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001380; rev:2;)
    #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit)"; pcre:"/(3[4|7]\d{2}|2014|2149|2131|1800)\d{11} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001378; rev:2;)
    #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit dashed)"; pcre:"/(30[0|1|2|3|4|5]\d{1}|36\d{2}|38\d{2})-\d{4}-\d{4}-\d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001383; rev:2;)
    #alert tcp any any -> any any (msg:"BLEEDING-EDGE SSN Detected in Clear Text"; pcre:"/\b(00[1-9]|010-733|750-772) \d{2} \d{4}\b/"; sid:2001384; rev:3;)
    #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit)"; pcre:"/(6011|5[1|2|3|4|5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001377; rev:2;)
    #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/(6011|5[1|2|3|4|5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001375; rev:2;)
    #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/(6011|5[1|2|3|4|5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001376; rev:2;)
    #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit spaced)"; pcre:"/(30[0|1|2|3|4|5]\d{1}|36\d{2}|38\d{2}) \d{4} \d{4} \d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001382; rev:2;)
    #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit)"; pcre:"/(30[0|1|2|3|4|5]\d{1}|36\d{2}|38\d{2})\d{10} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001381; rev:2;)
    #alert ip any any -> any any (msg:"BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit spaced)"; pcre:"/(3[4|7]\d{2}|2014|2149|2131|1800) \d{4} \d{4} \d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; sid:2001379; rev:2;)

[///] Modified inactive rules: [///]

 -> Modified inactive in bleeding-policy.rules (1):
    old: #alert tcp any any -> any any (msg:"BLEEDING-EDGE SSN Detected in Clear Text"; pcre:"/\b\d{3}-\d{2}-\d{4}\b/"; sid:2001328; rev:2;)
    new: #alert tcp any any -> any any (msg:"BLEEDING-EDGE SSN Detected in Clear Text"; pcre:"/\b(00[1-9]|010-733|750-772)-\d{2}-\d{4}\b/"; sid:2001328; rev:3;)

[+++] Added non-rule lines: [+++]

 -> Added to bleeding-policy.rules (2):
    #Thees rules are disabled by default. They should generally be run on the outside of your network, not internally. Enable it where useful.
    #Submitted by Patrick Harper. pcre by Matt Jonkman

 -> Added to bleeding-sid-msg.map (89):
    2000041 || BLEEDING-EDGE Yahoo Mail Inbox View
    2000042 || BLEEDING-EDGE Yahoo Mail Message View
    2000341 || BLEEDING-EDGE Yahoo Mail Login
    2000374 || BLEEDING-EDGE MS-SQL SQL Injection trying to guess the column name || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
    2000375 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
    2000376 || BLEEDING-EDGE MS-SQL SQL Injection running SQL statements NO line comment || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
    2000418 || BLEEDING-EDGE Executable and linking format (ELF) file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
    2000419 || BLEEDING-EDGE PE EXE or DLL Windows file download || url,hyatus.dune2.info/Miscellanous/exe_header.html
    2000420 || BLEEDING-EDGE REG files version 4 download || url,www.ss64.com/nt/regedit.html
    2000421 || BLEEDING-EDGE REG files version 5 download || url,www.ss64.com/nt/regedit.html
    2000422 || BLEEDING-EDGE REG files version 5 Unicode download || url,www.ss64.com/nt/regedit.html
    2000425 || BLEEDING-EDGE NE EXE Windows 3.x file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm
    2000426 || BLEEDING-EDGE EXE compressed PKWARE Windows file download || url,www.program-transformation.org/Transform/PcExeFormat
    2000427 || BLEEDING-EDGE PE EXE Install Windows file download || url,www.program-transformation.org/Transform/PcExeFormat
    2000428 || BLEEDING-EDGE ZIP file download || url,zziplib.sourceforge.net/zzip-parse.print.html
    2000490 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 2 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
    2000491 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 3 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
    2000492 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 4 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
    2000493 || BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an OR 5 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf
    2000517 || BLEEDING-EDGE IE Object Data vulnerability || url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm
    2000521 || BLEEDING-EDGE WEB-IIS ASP source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000522 || BLEEDING-EDGE WEB-IIS ASA source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000523 || BLEEDING-EDGE WEB-IIS STM source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000524 || BLEEDING-EDGE WEB-IIS SHTM source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000525 || BLEEDING-EDGE WEB-IIS SHTML source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000526 || BLEEDING-EDGE WEB-IIS IDC source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000527 || BLEEDING-EDGE WEB-IIS HTW source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000528 || BLEEDING-EDGE WEB-IIS IDQ source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000529 || BLEEDING-EDGE WEB-IIS IDA source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000530 || BLEEDING-EDGE WEB-IIS PL source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000531 || BLEEDING-EDGE WEB-IIS PHP source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000532 || BLEEDING-EDGE WEB-IIS ASPX source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000533 || BLEEDING-EDGE WEB-IIS ASAX source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000534 || BLEEDING-EDGE WEB-IIS CONFIG source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
    2000535 || BLEEDING-EDGE SCAN NMAP -sT or TCP incoming connection || arachnids,162
    2000539 || BLEEDING-EDGE SCAN NMAP -sA || arachnids,162
    2000541 || BLEEDING-EDGE SCAN NMAP -sA || arachnids,162
    2000542 || BLEEDING-EDGE SCAN NMAP -sU || arachnids,162
    2000547 || BLEEDING-EDGE HTTP CONNECT Tunnel
    2000548 || BLEEDING-EDGE HTTP CONNECT Tunnel
    2000549 || BLEEDING-EDGE HTTP CONNECT Tunnel
    2000550 || BLEEDING-EDGE HTTP CONNECT Tunnel
    2000560 || BLEEDING-EDGE HTTP CONNECT Tunnel Attempt
    2000576 || BLEEDING-EDGE Malware Adtrak.net Tracking Bot Reporting || url,www.adtrak.net
    2000928 || BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity || url,www.simplythebest.net/info/spyware/istbar_spyware.html || url,www.isearchtech.com
    2001014 || BLEEDING-EDGE Malware Gator Ad Retrieval
    2001098 || BLEEDING-EDGE Attempt to execute Javascript code
    2001100 || BLEEDING-EDGE Attempt to access SHELL\:
    2001110 || BLEEDING-EDGE Malware SRC=cid - dangerous SPAM or PHISHING || url,http.www.rickconner.net/spamweb/spam_phishing.html
    2001111 || BLEEDING-EDGE Obfuscated URL - typical PHISHING || url,http.www.rickconner.net/spamweb/tricks.html
    2001112 || BLEEDING-EDGE Redirecting URL - typical PHISHING || url,http.www.rickconner.net/spamweb/tricks.html
    2001115 || BLEEDING-EDGE MSI (microsoft installer file) download
    2001117 || BLEEDING-EDGE DNS - Standard query response, Name Error
    2001118 || BLEEDING-EDGE DNS - Standard query response, Not Implemented
    2001119 || BLEEDING-EDGE DNS - Standard query response, Refused
    2001175 || BLEEDING-EDGE Internet Explorer Bitmap Integer Overflow || url,www.securitytracker.com/alerts/2004/Feb/1009067.html
    2001176 || BLEEDING-EDGE Internet Explorer XSS in Unparsable XML Files || url,www.hnc3k.com/ievulnerabil.htm
    2001178 || BLEEDING-EDGE Internet Explorer Malicious htm Unicode DOS || url,www.hnc3k.com/ievulnerabil.htm
    2001179 || BLEEDING-EDGE Internet Explorer Malicious htm Unhandled exception DOS || url,www.hnc3k.com/ievulnerabil.htm
    2001180 || BLEEDING-EDGE Internet Explorer Object Type Property Overflow || url,www.hnc3k.com/ievulnerabil.htm
    2001193 || BLEEDING-EDGE libPNG - zero Width || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html
    2001194 || BLEEDING-EDGE libPNG - zero Height || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html
    2001203 || BLEEDING-EDGE libPNG - Remotely exploitable stack-based buffer overrun in png_handle_tRNS || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html
    2001214 || BLEEDING-EDGE Serv-U MDTM Command Buffer Overflow Vulnerability || url,www.securiteam.com/windowsntfocus/5HP010ACAS.html
    2001244 || BLEEDING-EDGE CHAT MSN user search
    2001246 || BLEEDING-EDGE CHAT IRC nick change
    2001247 || BLEEDING-EDGE CHAT IRC DCC file transfer request
    2001248 || BLEEDING-EDGE CHAT IRC DCC chat request
    2001249 || BLEEDING-EDGE CHAT IRC channel join
    2001250 || BLEEDING-EDGE CHAT IRC message
    2001251 || BLEEDING-EDGE CHAT IRC dns request
    2001252 || BLEEDING-EDGE CHAT IRC dns response
    2001260 || BLEEDING-EDGE CHAT Yahoo IM message
    2001264 || BLEEDING-EDGE CHAT Yahoo IM conference watch
    2001265 || BLEEDING-EDGE CHAT MSN message
    2001300 || BLEEDING-EDGE P2P eDonkey Hello Request
    2001328 || BLEEDING-EDGE SSN Detected in Clear Text
    2001332 || BLEEDING-EDGE GDI Exploit - Worm 1 Successful Execution || url,www.easynews.com/virus.txt
    2001360 || BLEEDING-EDGE Possible Microsoft asycpict.dll 1.0 Remote JPEG DoS Attack Vulnerability Attempt || url,archives.neohapsis.com/archives/bugtraq/2004-10/0126.html
    2001375 || BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
    2001376 || BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
    2001377 || BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit) || url,www.beachnet.com/~hstiles/cardtype.html
    2001378 || BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit) || url,www.beachnet.com/~hstiles/cardtype.html
    2001379 || BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
    2001380 || BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
    2001381 || BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit) || url,www.beachnet.com/~hstiles/cardtype.html
    2001382 || BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
    2001383 || BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
    2001384 || BLEEDING-EDGE SSN Detected in Clear Text

[---] Removed non-rule lines: [---]

 -> Removed from bleeding-policy.rules (1):
    #Submitted by Patrick Harper

[*] Added files: [*]
    None.
```

-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
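
The false-positive behaviour raised in the top reply about sid:2001377, reproduced as an added example (not part of the original thread or of the Bleeding Snort rule set). Python's `re` stands in for Snort's PCRE engine; the `BOUNDED` pattern and the Luhn filter are assumptions about one way to tighten the rule and go a step beyond the space-before-and-after fix the reply asks for, and every payload is constructed.

```python
import re

# PCRE from sid:2001377 rev:2, copied unchanged from the Oinkmaster output.
ORIGINAL = re.compile(r"(6011|5[1|2|3|4|5]\d{2}|4\d{3}|3\d{3})\d{12} ")

# Assumed tightening (not a published rule revision): no digit may touch
# either end of the 16-digit run, and [1-5] replaces [1|2|3|4|5], a
# character class that also accepts a literal '|'.
BOUNDED = re.compile(r"(?<!\d)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, applied outside the regex as a second filter."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def original_hits(payload: str) -> list:
    """Strings the rule as shipped would alert on."""
    return [m.group(0).strip() for m in ORIGINAL.finditer(payload)]


def bounded_hits(payload: str) -> list:
    """Strings that survive the boundary check and the Luhn filter."""
    return [m.group(0) for m in BOUNDED.finditer(payload) if luhn_ok(m.group(0))]


# Constructed payloads, not captured traffic.
SAMPLES = {
    "test_card": "card=4111111111111111 exp=01/06",     # well-known test number
    "order_id": "order=12344000123412341234 shipped",   # 20-digit identifier
    "bad_luhn": "ref=4000123412341235 x",                # 16 digits, bad checksum
    "pipe_class": "x 5|11234567890123 y",                # '|' inside the class
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:11} original={original_hits(payload)} "
              f"bounded={bounded_hits(payload)}")
```

The shipped pattern fires on all four payloads; the bounded pattern with the checksum keeps only the test card. The Luhn step cannot be expressed in a `pcre:` option alone, so it would have to run as post-processing on the alert.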