[***] Results from Oinkmaster started Wed Oct 27 20:00:02 2004 [***]
[+++] Added rules: [+++]
-> Added to bleeding.rules (1):
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
Possible ShixxNote buffer-overflow + remote shell attempt";
flow:established,to_server; content:"|68 61 63 6b 75|"; offset:126; depth:5;
content:"|68 61 63 6b 90 61 61 61 61|"; offset:519; depth:9;
reference:url,aluigi.altervista.org/adv/shixxbof-adv.txt;
classtype:shellcode-detect; sid:2001385; rev:1;)
[///] Modified active rules: [///]
-> Modified active in bleeding-virus.rules (1):
old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS
OUTBOUND Suspicious Email Attachment"; flow:to_server,established;
content:"Content-Disposition|3A|"; nocase;
pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(ps|cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR";
classtype:suspicious-filename-detect; sid:2000562; rev:6;)
new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS
OUTBOUND Suspicious Email Attachment"; flow:to_server,established;
content:"Content-Disposition|3A|"; nocase;
pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR";
classtype:suspicious-filename-detect; sid:2000562; rev:7;)
[---] Disabled rules: [---]
-> Disabled in bleeding-virus.rules (1):
#alert tcp $HOME_NET 1024:65535 -> any 1034 (msg:"BLEEDING-EDGE Worm
Zincite Probing port 1034";
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html;
flow:to_server; sid:2001011; threshold: type threshold, track by_src, count
30,seconds 60; rev:4;)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-sid-msg.map (1):
2001385 || BLEEDING-EDGE Possible ShixxNote buffer-overflow + remote
shell attempt || url,aluigi.altervista.org/adv/shixxbof-adv.txt
-> Added to bleeding-virus.rules (2):
# isp, js, jse, lnk, mda, mdb, mde, mdw, mdz, mht, mhtm, msi, msc,
msg, msp, mst, nws, ocx, pcd, pif, pl, pls, plc,plx, pm, pot, rar,
#Too many falses, needs improvement
-> Added to bleeding.rules (1):
#Submitted by Cooljay ref:
http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=139
[---] Removed non-rule lines: [---]
-> Removed from bleeding-virus.rules (1):
# isp, js, jse, lnk, mda, mdb, mde, mdw, mdz, mht, mhtm, msi, msc,
msg, msp, mst, nws, ocx, pcd, pif, pl, pls, plc,plx, pm, pot, pps, rar,
[*] Added files: [*]
None.
-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
