[***] Results from Oinkmaster started Wed Nov 3 20:00:03 2004 [***]
[+++] Added rules: [+++]
-> Added to bleeding-policy.rules (4):
alert tcp any any -> any any (msg:"BLEEDING-EDGE ZIPPED XLS in
transit"; content:"|50 4B 03 04|"; content:"|00|"; content:".xls"; nocase;
classtype:not-suspicious; flow:established; sid:1001403;)
alert tcp any any -> any any (msg:"BLEEDING-EDGE ZIPPED PPT in
transit"; content:"|50 4B 03 04|"; content:"|00|"; content:".ppt"; nocase;
classtype:not-suspicious; flow:established; sid:1001405;)
alert tcp any any -> any any (msg:"BLEEDING-EDGE ZIPPED DOC in
transit"; content:"|50 4B 03 04|"; content:"|00|"; content:".doc"; nocase;
classtype:not-suspicious; flow:established; sid:1001402;)
alert tcp any any -> any any (msg:"BLEEDING-EDGE ZIPPED EXE in
transit"; content:"|50 4B 03 04|"; content:"|00|"; content:".exe"; nocase;
classtype:not-suspicious; flow:established; sid:1001404;)
[///] Modified active rules: [///]
-> Modified active in bleeding-policy.rules (2):
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Weatherbug Capture"; content:"GET"; content:"Host\:";
content:"weatherbug.com"; nocase; sid:2001267; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Weatherbug Capture"; content:"GET"; content:"Host\:";
content:"weatherbug.com"; nocase; threshold:type limit, track by_src, count 10,
seconds 3600; sid:2001267; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Weatherbug"; uricontent:"WxAlertIsapi"; nocase;
sid:2001235; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Weatherbug"; uricontent:"WxAlertIsapi"; nocase;
threshold:type limit, track by_src, count 10, seconds 3600; sid:2001235; rev:3;)
-> Modified active in bleeding.rules (1):
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
msg:"BLEEDING-EDGE EXPLOIT IE Iframe Exploit"; flow:established,from_server;
content:"<IFRAME "; nocase; content:"SRC=file"; nocase; offset:500;
content:"NAME="; offset:1000; content:"<\/IFRAME>"; nocase; sid:2001401; rev:1;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
msg:"BLEEDING-EDGE EXPLOIT IE IFRAME Exploit"; flow:established,from_server;
pcre:"/SRC[\s]*=[\s]*["']*?file\://\w{578}/im";
pcre:"/NAME[\s]*=[\s]*["']\w{2086}/im"; content:"\/IFRAME"; nocase;
sid:2001401; rev:3;)
[///] Modified inactive rules: [///]
-> Modified inactive in bleeding-policy.rules (2):
old: #alert tcp any any -> any any (msg:"BLEEDING-EDGE SSN Detected in
Clear Text"; pcre:"/\b(00[1-9]|010-733|750-772)-\d{2}-\d{4}\b/"; sid:2001328;
rev:3;)
new: #alert tcp any any -> any any (msg:"BLEEDING-EDGE SSN Detected in
Clear Text"; pcre:"/ (00[1-9]|010-733|750-772)-\d{2}-\d{4} /"; sid:2001328;
rev:4;)
old: #alert tcp any any -> any any (msg:"BLEEDING-EDGE SSN Detected in
Clear Text"; pcre:"/\b(00[1-9]|010-733|750-772) \d{2} \d{4}\b/"; sid:2001384;
rev:3;)
new: #alert tcp any any -> any any (msg:"BLEEDING-EDGE SSN Detected in
Clear Text"; pcre:"/ (00[1-9]|010-733|750-772) \d{2} \d{4} /"; sid:2001384;
rev:4;)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-sid-msg.map (5):
1001402 || BLEEDING-EDGE ZIPPED DOC in transit
1001403 || BLEEDING-EDGE ZIPPED XLS in transit
1001404 || BLEEDING-EDGE ZIPPED EXE in transit
1001405 || BLEEDING-EDGE ZIPPED PPT in transit
2001401 || BLEEDING-EDGE EXPLOIT IE IFRAME Exploit
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (1):
2001401 || BLEEDING-EDGE EXPLOIT IE Iframe Exploit
[*] Added files: [*]
None.
-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
