Network Security Snort-Signatures

[Snort-sigs] Bleedingsnort.com Daily Update

Subject: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Thu, 11 Nov 2004 20:00:03 -0600 (CST)

[***] Results from Oinkmaster started Thu Nov 11 20:00:03 2004 [***]

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (35):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 180solutions Spyware"; uricontent:"/actionurls/ActionUrl"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; sid:2001399; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware 180solutions Spyware"; uricontent:"/actionurls/ActionUrl"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; sid:2001399; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Avres.net Downloading cpr_mm2.exe"; uricontent:"/tt/cpr_mm2.exe"; nocase; flow:to_server,established; sid:2001419; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Avres.net Downloading cpr_mm2.exe"; uricontent:"/tt/cpr_mm2.exe"; nocase; flow:to_server,established; sid:2001419; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE E2give Related Reporting"; uricontent:"/count/count.php?&mm2cpr"; nocase; flow:to_server,established; sid:2001423; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Reporting"; uricontent:"/count/count.php?&mm2cpr"; nocase; flow:to_server,established; sid:2001423; rev:2;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE CometSystems Spyware"; uricontent:"/comet/request"; nocase; classtype:policy-violation; reference:url,www.pestpatrol.com/pestinfo/c/cometsystems.asp; sid:2001050; rev:2;)
        new: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Malware CometSystems Spyware"; uricontent:"/comet/request"; nocase; classtype:policy-violation; reference:url,www.pestpatrol.com/pestinfo/c/cometsystems.asp; sid:2001050; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Regnow.com Access"; reference:url,www.regnow.com; classtype:trojan-activity; uricontent:"/softsell/visitor.cgi?affiliate="; nocase; sid:2001223; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Regnow.com Access"; reference:url,www.regnow.com; classtype:trojan-activity; uricontent:"/softsell/visitor.cgi?affiliate="; nocase; sid:2001223; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MAlware Amex.Ipsrime.com Unknown Malware Download"; classtype:trojan-activity; reference:url,amex.isprime.com; reference:url,www.isprime.com; uricontent:"/bpc/"; content:".zip"; sid:2000904; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Amex.Ipsrime.com Unknown Malware Download"; classtype:trojan-activity; reference:url,amex.isprime.com; reference:url,www.isprime.com; uricontent:"/bpc/"; content:".zip"; sid:2000904; rev:2;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virtumonde Spyware siae3123.exe GET"; content:"siae3123.exe"; nocase; classtype:trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000306; rev:7;)
        new: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Virtumonde Spyware siae3123.exe GET"; content:"siae3123.exe"; nocase; classtype:trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000306; rev:8;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE E2give Related Downloading IeBHOs.dll"; uricontent:"/downloads/IeBHOs.dll"; nocase; flow:to_server,established; sid:2001415; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Downloading IeBHOs.dll"; uricontent:"/downloads/IeBHOs.dll"; nocase; flow:to_server,established; sid:2001415; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Settings Download"; uricontent:"/pointsmanager/seettings.cab?"; nocase; classtype:policy-violation; sid:2000907; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Altnet PeerPoints Manager Settings Download"; uricontent:"/pointsmanager/seettings.cab?"; nocase; classtype:policy-violation; sid:2000907; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 180solutions Spyware Reporting"; uricontent:"/showme.aspx?keyword="; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; sid:2001400; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware 180solutions Spyware Reporting"; uricontent:"/showme.aspx?keyword="; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; sid:2001400; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 180solutions Spyware"; uricontent:"/TrackedEvent.aspx?eid="; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; sid:2001397; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware 180solutions Spyware"; uricontent:"/TrackedEvent.aspx?eid="; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; sid:2001397; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Regnow.com Gamehouse.com Access"; reference:url,www.gamehouse.com; classtype:trojan-activity; uricontent:"/affiliates/template.jsp?AID="; nocase; sid:2001224; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Regnow.com Gamehouse.com Access"; reference:url,www.gamehouse.com; classtype:trojan-activity; uricontent:"/affiliates/template.jsp?AID="; nocase; sid:2001224; rev:2;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Bargain Buddy"; uricontent:"/download/bargin_buddy"; nocase; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; sid:2000574; rev:3;)
        new: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Bargain Buddy"; uricontent:"/download/bargin_buddy"; nocase; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; sid:2000574; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Data Submission"; uricontent:"/backoffice.net/stats/Add.aspx"; nocase; classtype:policy-violation; sid:2000598; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Altnet PeerPoints Manager Data Submission"; uricontent:"/backoffice.net/stats/Add.aspx"; nocase; classtype:policy-violation; sid:2000598; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Mastermind Related Downloading mm20.ocx"; uricontent:"/soft/mm20.ocx"; nocase; flow:to_server,established; sid:2001411; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Mastermind Related Downloading mm20.ocx"; uricontent:"/soft/mm20.ocx"; nocase; flow:to_server,established; sid:2001411; rev:2;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Yesadvertising Banking Spyware RETRIEVE"; uricontent:"/img1big.gif"; nocase; classtype:trojan-activity; reference:url,isc.sans.org/presentations/banking_malware.pdf; sid:2000336; rev:2;)
        new: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Yesadvertising Banking Spyware RETRIEVE"; uricontent:"/img1big.gif"; nocase; classtype:trojan-activity; reference:url,isc.sans.org/presentations/banking_malware.pdf; sid:2000336; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Avres.net Downloading ab1.exe"; uricontent:"/tt/ab1.exe"; nocase; flow:to_server,established; sid:2001420; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Avres.net Downloading ab1.exe"; uricontent:"/tt/ab1.exe"; nocase; flow:to_server,established; sid:2001420; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE E2give Related Downloading Code"; uricontent:"/soft/unstall.exe"; nocase; flow:to_server,established; sid:2001418; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Downloading Code"; uricontent:"/soft/unstall.exe"; nocase; flow:to_server,established; sid:2001418; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Medis-Motor Related Downloading ast_4_mm.exe"; uricontent:"/dist/ast_4_mm.exe"; nocase; flow:to_server,established; sid:2001413; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Medis-Motor Related Downloading ast_4_mm.exe"; uricontent:"/dist/ast_4_mm.exe"; nocase; flow:to_server,established; sid:2001413; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE HTTP Spyware 2020"; flags:A+; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; classtype:trojan-activity; sid:2000327; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spyware 2020"; flags:A+; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; classtype:trojan-activity; sid:2000327; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Media-Motor Related Downloading MediaMotor25.exe"; uricontent:"/soft/MediaMotor25.exe"; nocase; flow:to_server,established; sid:2001414; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Media-Motor Related Downloading MediaMotor25.exe"; uricontent:"/soft/MediaMotor25.exe"; nocase; flow:to_server,established; sid:2001414; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Start"; uricontent:"/pm/start.asp"; nocase; classtype:policy-violation; sid:2000906; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Altnet PeerPoints Manager Start"; uricontent:"/pm/start.asp"; nocase; classtype:policy-violation; sid:2000906; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Avres.net Downloading tvm_bundle.exe"; uricontent:"/tt/tvm_bundle.exe"; nocase; flow:to_server,established; sid:2001421; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Avres.net Downloading tvm_bundle.exe"; uricontent:"/tt/tvm_bundle.exe"; nocase; flow:to_server,established; sid:2001421; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Mastermind Related Downloading Daily Executable"; content:"/soft/loads/"; nocase; within:5; content:".exe"; nocase; flow:to_server,established; sid:2001412; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable"; content:"/soft/loads/"; nocase; within:5; content:".exe"; nocase; flow:to_server,established; sid:2001412; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"BLEEDING-EDGE MALWARE Mastermind Related Reporting 8081"; content:"/a?l=PeAyF1sgrZYw&i="; nocase; flow:to_server,established; sid:2001410; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"BLEEDING-EDGE Malware Mastermind Related Reporting 8081"; content:"/a?l=PeAyF1sgrZYw&i="; nocase; flow:to_server,established; sid:2001410; rev:2;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Yesadvertising Banking Spyware INFORMATION SUBMIT"; uricontent:"/cgi-bin/yes.pl"; nocase; classtype:trojan-activity; reference:url,isc.sans.org/presentations/banking_malware.pdf; sid:2000337; rev:2; )
        new: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Yesadvertising Banking Spyware INFORMATION SUBMIT"; uricontent:"/cgi-bin/yes.pl"; nocase; classtype:trojan-activity; reference:url,isc.sans.org/presentations/banking_malware.pdf; sid:2000337; rev:3; )
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware 180solutions Update Engine"; flow:to_server,established; content:"GET"; depth:3; content:"Host|3a|";within:300;content:"ping.180solutions.com";within:40;classtype:trojan-activity; reference:url,www.safer-networking.org/index.php?page=threats&detail=212; sid:2000930; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware 180solutions Update Engine"; flow:to_server,established; content:"GET"; depth:3; content:"Host|3a|";within:300;content:"ping.180solutions.com";within:40;classtype:trojan-activity; reference:url,www.safer-networking.org/index.php?page=threats&detail=212; sid:2000930; rev:2;)
        old: alert tcp $HOME_NET any -> any 8081 (msg:"BLEEDING-EDGE Virtumonde Spyware siae3123.exe GET"; content:"siae3123.exe"; nocase; classtype:trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000307; rev:4;)
        new: alert tcp $HOME_NET any -> any 8081 (msg:"BLEEDING-EDGE Malware Virtumonde Spyware siae3123.exe GET"; content:"siae3123.exe"; nocase; classtype:trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000307; rev:5;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 180solutions Spyware"; uricontent:"180solutions.com"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; sid:2001051; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware 180solutions Spyware"; uricontent:"180solutions.com"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; sid:2001051; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE E2give Related Receiving Config"; uricontent:"/config/?v=5&n=mm2&i="; nocase; flow:to_server,established; sid:2001417; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Receiving Config"; uricontent:"/config/?v=5&n=mm2&i="; nocase; flow:to_server,established; sid:2001417; rev:2;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virtumonde Spyware Information Post"; content:"POST /"; nocase; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; classtype:trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000308; rev:3;)
        new: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Virtumonde Spyware Information Post"; content:"POST /"; nocase; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; classtype:trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000308; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Default-homepage-network.com Access"; reference:url,default-homepage-network.com/start.cgi?new-hkcu; classtype:trojan-activity; content:"wsh.RegWrite"; nocase; content:"default-homepage-network.com/start.cgi?"; nocase; sid:2001222; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Default-homepage-network.com Access"; reference:url,default-homepage-network.com/start.cgi?new-hkcu; classtype:trojan-activity; content:"wsh.RegWrite"; nocase; content:"default-homepage-network.com/start.cgi?"; nocase; sid:2001222; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE E2give Related Reporting Install"; uricontent:"/count/count.php?&mm"; nocase; flow:to_server,established; sid:2001416; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Reporting Install"; uricontent:"/count/count.php?&mm"; nocase; flow:to_server,established; sid:2001416; rev:2;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE MALWARE Mastermind Related Reporting"; uricontent:"/bundle.php?aff="; nocase; flow:to_server,established; sid:2001409; rev:1;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Mastermind Related Reporting"; uricontent:"/bundle.php?aff="; nocase; flow:to_server,established; sid:2001409; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Avres.net Reporting Data"; uricontent:"/log3.php?c={"; nocase; uricontent:"what="; nocase; uricontent:"avatar="; nocase; flow:to_server,established; sid:2001422; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Avres.net Reporting Data"; uricontent:"/log3.php?c={"; nocase; uricontent:"what="; nocase; uricontent:"avatar="; nocase; flow:to_server,established; sid:2001422; rev:2;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-malware.rules (7):
        #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Adtrak.net Tracking Bot Reporting"; reference:url,www.adtrak.net; uricontent:"/adlog.php?bannerid="; classtype:trojan-activity; sid:2000576; rev:2;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IE shell access WSH (Windows Script Host)"; content:"wsh.Run"; content:"command"; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; nocase; classtype:misc-attack; sid:2000516; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE IE Encrypted Jscript (Windows Script Encoder)"; content:"JScript.Encode"; content:"Start Encode"; reference:url,microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en; nocase; classtype:misc-attack; sid:2000518; rev:1;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE IE Object Data vulnerability"; content:"document.body.innerHTML"; content:"object"; content:"data"; content:"show"; content:"document.body"; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; nocase; classtype:misc-attack; sid:2000517; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE IE suspicious access to WSH (Windows Script Host)"; content:"object"; content:"id"; content:"wsh"; content:"classid"; content:"clsid\:"; content:"\/"; content:"object"; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; nocase; classtype:misc-attack; sid:2000515; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Unknown Spyware Data Submission 1"; classtype:trojan-activity; uricontent:"/cgi/linkconsumer.pl?cluid="; sid:2000591; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE IE spyware downloader Microsoft VM vulnerability"; content:"document.write"; content:"APPLET"; content:"ActiveXComponent"; reference:url,www.giac.org/practical/GCIH/Franklin_Witter_GCIH.pdf; nocase; classtype:misc-attack; sid:2000513; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (34):
        2000306 || BLEEDING-EDGE Malware Virtumonde Spyware siae3123.exe GET || url,sarc.com/avcenter/venc/data/adware.virtumonde.html
        2000307 || BLEEDING-EDGE Malware Virtumonde Spyware siae3123.exe GET || url,sarc.com/avcenter/venc/data/adware.virtumonde.html
        2000308 || BLEEDING-EDGE Malware Virtumonde Spyware Information Post || url,sarc.com/avcenter/venc/data/adware.virtumonde.html
        2000327 || BLEEDING-EDGE Malware Spyware 2020
        2000336 || BLEEDING-EDGE Malware Yesadvertising Banking Spyware RETRIEVE || url,isc.sans.org/presentations/banking_malware.pdf
        2000337 || BLEEDING-EDGE Malware Yesadvertising Banking Spyware INFORMATION SUBMIT || url,isc.sans.org/presentations/banking_malware.pdf
        2000574 || BLEEDING-EDGE Malware Bargain Buddy || url,www.doxdesk.com/parasite/BargainBuddy.html
        2000598 || BLEEDING-EDGE Malware Altnet PeerPoints Manager Data Submission
        2000904 || BLEEDING-EDGE Malware Amex.Ipsrime.com Unknown Malware Download || url,www.isprime.com || url,amex.isprime.com
        2000906 || BLEEDING-EDGE Malware Altnet PeerPoints Manager Start
        2000907 || BLEEDING-EDGE Malware Altnet PeerPoints Manager Settings Download
        2001050 || BLEEDING-EDGE Malware CometSystems Spyware || url,www.pestpatrol.com/pestinfo/c/cometsystems.asp
        2001051 || BLEEDING-EDGE Malware 180solutions Spyware || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html
        2001222 || BLEEDING-EDGE Malware Default-homepage-network.com Access || url,default-homepage-network.com/start.cgi?new-hkcu
        2001223 || BLEEDING-EDGE Malware Regnow.com Access || url,www.regnow.com
        2001224 || BLEEDING-EDGE Malware Regnow.com Gamehouse.com Access || url,www.gamehouse.com
        2001397 || BLEEDING-EDGE Malware 180solutions Spyware || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html
        2001399 || BLEEDING-EDGE Malware 180solutions Spyware || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html
        2001400 || BLEEDING-EDGE Malware 180solutions Spyware Reporting || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html
        2001409 || BLEEDING-EDGE Malware Mastermind Related Reporting
        2001410 || BLEEDING-EDGE Malware Mastermind Related Reporting 8081
        2001411 || BLEEDING-EDGE Malware Mastermind Related Downloading mm20.ocx
        2001412 || BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable
        2001413 || BLEEDING-EDGE Malware Medis-Motor Related Downloading ast_4_mm.exe
        2001414 || BLEEDING-EDGE Malware Media-Motor Related Downloading MediaMotor25.exe
        2001415 || BLEEDING-EDGE Malware E2give Related Downloading IeBHOs.dll
        2001416 || BLEEDING-EDGE Malware E2give Related Reporting Install
        2001417 || BLEEDING-EDGE Malware E2give Related Receiving Config
        2001418 || BLEEDING-EDGE Malware E2give Related Downloading Code
        2001419 || BLEEDING-EDGE Malware Avres.net Downloading cpr_mm2.exe
        2001420 || BLEEDING-EDGE Malware Avres.net Downloading ab1.exe
        2001421 || BLEEDING-EDGE Malware Avres.net Downloading tvm_bundle.exe
        2001422 || BLEEDING-EDGE Malware Avres.net Reporting Data
        2001423 || BLEEDING-EDGE Malware E2give Related Reporting

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-malware.rules (1):
        # Category for bad things we can't put a name on

     -> Removed from bleeding-sid-msg.map (41):
        2000306 || BLEEDING-EDGE Virtumonde Spyware siae3123.exe GET || url,sarc.com/avcenter/venc/data/adware.virtumonde.html
        2000307 || BLEEDING-EDGE Virtumonde Spyware siae3123.exe GET || url,sarc.com/avcenter/venc/data/adware.virtumonde.html
        2000308 || BLEEDING-EDGE Virtumonde Spyware Information Post || url,sarc.com/avcenter/venc/data/adware.virtumonde.html
        2000327 || BLEEDING-EDGE HTTP Spyware 2020
        2000336 || BLEEDING-EDGE Yesadvertising Banking Spyware RETRIEVE || url,isc.sans.org/presentations/banking_malware.pdf
        2000337 || BLEEDING-EDGE Yesadvertising Banking Spyware INFORMATION SUBMIT || url,isc.sans.org/presentations/banking_malware.pdf
        2000513 || BLEEDING-EDGE IE spyware downloader Microsoft VM vulnerability || url,www.giac.org/practical/GCIH/Franklin_Witter_GCIH.pdf
        2000515 || BLEEDING-EDGE IE suspicious access to WSH (Windows Script Host) || url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm
        2000516 || BLEEDING-EDGE IE shell access WSH (Windows Script Host) || url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm
        2000517 || BLEEDING-EDGE IE Object Data vulnerability || url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm
        2000518 || BLEEDING-EDGE IE Encrypted Jscript (Windows Script Encoder) || url,microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en
        2000574 || BLEEDING-EDGE Bargain Buddy || url,www.doxdesk.com/parasite/BargainBuddy.html
        2000576 || BLEEDING-EDGE Malware Adtrak.net Tracking Bot Reporting || url,www.adtrak.net
        2000591 || BLEEDING-EDGE Unknown Spyware Data Submission 1
        2000598 || BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Data Submission
        2000904 || BLEEDING-EDGE MAlware Amex.Ipsrime.com Unknown Malware Download || url,www.isprime.com || url,amex.isprime.com
        2000906 || BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Start
        2000907 || BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Settings Download
        2001050 || BLEEDING-EDGE CometSystems Spyware || url,www.pestpatrol.com/pestinfo/c/cometsystems.asp
        2001051 || BLEEDING-EDGE 180solutions Spyware || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html
        2001222 || BLEEDING-EDGE Default-homepage-network.com Access || url,default-homepage-network.com/start.cgi?new-hkcu
        2001223 || BLEEDING-EDGE Regnow.com Access || url,www.regnow.com
        2001224 || BLEEDING-EDGE Regnow.com Gamehouse.com Access || url,www.gamehouse.com
        2001397 || BLEEDING-EDGE 180solutions Spyware || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html
        2001399 || BLEEDING-EDGE 180solutions Spyware || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html
        2001400 || BLEEDING-EDGE 180solutions Spyware Reporting || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html
        2001409 || BLEEDING-EDGE MALWARE Mastermind Related Reporting
        2001410 || BLEEDING-EDGE MALWARE Mastermind Related Reporting 8081
        2001411 || BLEEDING-EDGE MALWARE Mastermind Related Downloading mm20.ocx
        2001412 || BLEEDING-EDGE MALWARE Mastermind Related Downloading Daily Executable
        2001413 || BLEEDING-EDGE MALWARE Medis-Motor Related Downloading ast_4_mm.exe
        2001414 || BLEEDING-EDGE MALWARE Media-Motor Related Downloading MediaMotor25.exe
        2001415 || BLEEDING-EDGE MALWARE E2give Related Downloading IeBHOs.dll
        2001416 || BLEEDING-EDGE MALWARE E2give Related Reporting Install
        2001417 || BLEEDING-EDGE MALWARE E2give Related Receiving Config
        2001418 || BLEEDING-EDGE MALWARE E2give Related Downloading Code
        2001419 || BLEEDING-EDGE MALWARE Avres.net Downloading cpr_mm2.exe
        2001420 || BLEEDING-EDGE MALWARE Avres.net Downloading ab1.exe
        2001421 || BLEEDING-EDGE MALWARE Avres.net Downloading tvm_bundle.exe
        2001422 || BLEEDING-EDGE MALWARE Avres.net Reporting Data
        2001423 || BLEEDING-EDGE MALWARE E2give Related Reporting

[*] Added files: [*]
    None.

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
