[Snort-sigs] Bleedingsnort.com Daily Update

Subject: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Sun, 21 Nov 2004 20:00:01 -0600 (CST)

[***] Results from Oinkmaster started Sun Nov 21 20:00:01 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (19):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Oenji.com Install"; 
uricontent:"/Bundled/OemjiInstall"; nocase; classtype:trojan-activity; 
sid:2001538; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Access, Likely Spyware"; 
pcre:"/Host\: \w*.searchmiracle.com/im"; sid:2001532; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware"; pcre:"/Host\: 
\w*.ak-networks.com/im"; sid:2001529; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; 
pcre:"/Host\: \w*\.spyspotter.com/im"; sid:2001537; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Virtumonde Spyware Code Download mmdom.exe"; 
uricontent:"/mmdom.exe"; nocase; classtype:trojan-activity; 
reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2001525; 
rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Installer silent.exe 
Download"; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 
69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; 
nocase; sid:2001533; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spyspotter.com Install"; 
uricontent:"/SpySpotterInstall.cab"; nocase; classtype:trojan-activity; 
sid:2001536; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; 
pcre:"/Host\: \w*\.oemji.com/im"; sid:2001539; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware C4tdoanload.com Access, Likely Spyware"; 
pcre:"/Host\: \w*\.c4tdownload.com/im"; sid:2001531; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; 
uricontent:"/silent_install.exe"; content:"Host\: install.searchmiracle.com"; 
nocase; reference:url,www.searchmiracle.com; nocase; sid:2001534; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; 
uricontent:"/cab/v3cab.cab"; reference:url,www.searchmiracle.com; nocase; 
sid:2001540; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spywaremover Activity"; 
uricontent:"/download/cabs/THNALL1L/thnall1l.exe"; content:"Host\: 
static.callinghome.biz"; nocase; sid:2001521; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware ak-networks.com Access, Likely Spyware"; 
content:"Host\: app.desktop.ak-networks.com"; nocase; sid:2001528; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Install Report"; 
pcre:"//user\d+/counter.htm/im"; sid:2001541; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Virtumonde Spyware Code Download bkinst.exe"; 
uricontent:"/bkinst.exe"; nocase; content:"virtumonde.com"; 
classtype:trojan-activity; reference:url,www.lurhq.com/iframeads.html; 
sid:2001526; rev:5;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware ak-networks.com Spyware Code Download"; 
uricontent:"/SyncAkSoft.da_"; nocase; sid:2001530; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; 
uricontent:"/protector.exe"; content:"Host\: install.searchmiracle.com"; 
nocase; reference:url,www.searchmiracle.com; nocase; sid:2001535; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spywaremover Activity"; 
uricontent:"/spywareremovers.php?"; content:"Host\: topantispyware.com"; 
nocase; sid:2001520; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware"; pcre:"/Host\: 
\w*\.casalemedia.com/im"; sid:2001527; rev:1;)
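Review bot: several of the 19 new rules have msg strings that do not describe what the rule actually matches. sid:2001539 says "Spyspotter.com Access" but its pcre is /Host\: \w*\.oemji.com/im, and sid:2001529 says "Casalemedia Access" but its pcre matches ak-networks.com; both msg strings (and the matching bleeding-sid-msg.map lines) should name the domain the pattern tests. Two more msg strings are misspelled against their own match: sid:2001538 "Oenji.com" (uricontent:"/Bundled/OemjiInstall") and sid:2001531 "C4tdoanload.com" (pcre c4tdownload.com). Smaller points: sid:2001532 and sid:2001529 leave the dot before the domain unescaped (\w*.searchmiracle.com) while the sibling rules use \w*\., so the pattern is looser than intended; sid:2001534 and sid:2001535 carry nocase twice, the second one after the reference keyword being redundant; sid:2001541 matches any URI of the form /userNNN/counter.htm with nothing tying it to xpire.info, so expect hits on unrelated sites; and only the Install/Download rules carry a classtype, so the Access rules will raise alerts with no classification, which makes them harder to prioritise.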

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (3):
        old: alert tcp $HOME_NET any -> any 8081 (msg:"BLEEDING-EDGE Malware 
Virtumonde Spyware siae3123.exe GET"; content:"siae3123.exe"; nocase; 
classtype:trojan-activity; 
reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000307; 
rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"BLEEDING-EDGE 
Malware Virtumonde Spyware siae3123.exe GET"; content:"siae3123.exe"; nocase; 
classtype:trojan-activity; 
reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000307; 
rev:6;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE 
Malware Virtumonde Spyware siae3123.exe GET"; content:"siae3123.exe"; nocase; 
classtype:trojan-activity; 
reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000306; 
rev:8;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Virtumonde Spyware siae3123.exe GET"; 
content:"siae3123.exe"; nocase; classtype:trojan-activity; 
reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000306; 
rev:9;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE 
Malware Virtumonde Spyware Information Post"; content:"POST /"; nocase; 
content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; 
content:"virtumonde.com"; classtype:trojan-activity; 
reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000308; 
rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Virtumonde Spyware Information Post"; content:"POST 
/"; nocase; content:"e_g_StatisticsUploadDelay"; nocase; 
content:"g_AffiliateID"; nocase; content:"virtumonde.com"; 
classtype:trojan-activity; 
reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000308; 
rev:5;)
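Review bot: narrowing the destination from any to $EXTERNAL_NET in sid:2000306, sid:2000307 and sid:2000308 will silence all three on sites where clients reach the web through an internal proxy, since the proxy sits in $HOME_NET and the request never has an $EXTERNAL_NET destination; operators in that situation need to keep any or adjust their variable. While these are being touched, none of the three has flow:to_server,established, so content:"siae3123.exe" is also tested on packets outside an established session; adding it would limit the check to the client half of real connections at no loss of coverage.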

     -> Modified active in bleeding.rules (13):
        old: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access COM1"; content:"\/"; content:"COM1"; 
content:"\/"; nocase; classtype:string-detect; sid:2000499; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access COM1"; content:"/COM1/"; nocase; 
classtype:string-detect; sid:2000499; rev:2;)
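Review bot: the udp to tcp change is the real fix here: the FTP control channel is TCP, so the rev:1 version of sid:2000499 could never have fired. Collapsing the three independent matches content:"\/"; content:"COM1"; content:"\/" into the single content:"/COM1/" is also correct, because separate content keywords without distance or within are matched anywhere in the payload and in any order, so the old form would have accepted a slash and COM1 that were nowhere near each other. The same applies to the LPT, NULL, AUX and COM pairs that follow. Consider adding flow:to_server,established to this family so the string is only looked for in the client-to-server direction of an established session.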
        old: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access LPT2"; content:"\/"; content:"LPT2"; 
content:"\/"; nocase; classtype:string-detect; sid:2000504; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access LPT2"; content:"/LPT2/"; nocase; 
classtype:string-detect; sid:2000504; rev:2;)
        old: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access LPT1"; content:"\/"; content:"LPT1"; 
content:"\/"; nocase; classtype:string-detect; sid:2000503; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access LPT1"; content:"/LPT1/"; nocase; 
classtype:string-detect; sid:2000503; rev:2;)
        old: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access NULL"; content:"\/"; content:"NULL"; 
content:"\/"; nocase; classtype:string-detect; sid:2000508; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access NULL"; content:"/NULL/"; nocase; 
classtype:string-detect; sid:2000508; rev:2;)
        old: alert tcp any any -> $HOME_NET 80 (msg:"BLEEDING-EDGE WEB-IIS 
ASP.net Auth Bypass / Canonicalization"; flow:to_server,established; 
content:"GET"; nocase; content:"|5C|"; nocase; depth:100; content:"aspx"; 
distance:100; nocase; sid:2001342; rev:8;)
        new: alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 
WEB-IIS ASP.net Auth Bypass / Canonicalization"; flow:to_server,established; 
content:"GET"; nocase; content:"|5C|"; nocase; depth:100; content:"aspx"; 
distance:100; nocase; sid:2001342; rev:9;)
        old: alert tcp any any -> $HOME_NET 80 (msg:"BLEEDING-EDGE WEB-IIS 
ASP.net Auth Bypass / Canonicalization % 5 C"; flow:to_server,established; 
content:"GET"; nocase; content:"%5C"; depth:100; content:"aspx"; distance:100; 
sid:2001343; rev:7;)
        new: alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 
WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C"; 
flow:to_server,established; content:"GET"; nocase; content:"%5C"; depth:100; 
content:"aspx"; distance:100; sid:2001343; rev:8;)
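Review bot: in both sid:2001342 and sid:2001343 the clause content:"aspx"; distance:100; requires "aspx" to begin at least 100 bytes after the end of the preceding backslash or %5C match, so a short request like GET /protected\page.aspx, which is exactly the shape of the canonicalization bypass this rule is named for, is not matched. within:100 (aspx must appear somewhere in the next 100 bytes) is almost certainly what was intended. The move from port 80 to $HTTP_PORTS is right, but this is the moment to fix the offset as well and bump rev again; also note the source is still any any rather than $EXTERNAL_NET, unlike the rest of the file.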
        old: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access AUX"; content:"\/"; content:"AUX"; 
content:"\/"; nocase; classtype:string-detect; sid:2000507; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access AUX"; content:"/AUX/"; nocase; 
classtype:string-detect; sid:2000507; rev:2;)
        old: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access COM3"; content:"\/"; content:"COM3"; 
content:"\/"; nocase; classtype:string-detect; sid:2000501; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access COM3"; content:"/COM3/"; nocase; 
classtype:string-detect; sid:2000501; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE WEB-IIS MDAC Content-Type overflow attempt"; 
flow:to_server,established; uricontent:"/msadcs.dll"; content:"Content-Type\:"; 
nocase; content:!"|0A|"; within:50; reference:cve,CAN-2002-1142; 
reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337;classtype:web-application-attack;
 sid:2000003; rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"BLEEDING-EDGE WEB-IIS MDAC Content-Type overflow attempt"; 
flow:to_server,established; uricontent:"/msadcs.dll"; content:"Content-Type\:"; 
nocase; content:!"|0A|"; within:50; reference:cve,CAN-2002-1142; 
reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337;classtype:web-application-attack;
 sid:2000003; rev:3;)
        old: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access LPT3"; content:"\/"; content:"LPT3"; 
content:"\/"; nocase; classtype:string-detect; sid:2000505; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access LPT3"; content:"/LPT3/"; nocase; 
classtype:string-detect; sid:2000505; rev:2;)
        old: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access LPT4"; content:"\/"; content:"LPT4"; 
content:"\/"; nocase; classtype:string-detect; sid:2000506; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access LPT4"; content:"/LPT4/"; nocase; 
classtype:string-detect; sid:2000506; rev:2;)
        old: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access COM4"; content:"\/"; content:"COM4"; 
content:"\/"; nocase; classtype:string-detect; sid:2000502; rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access COM4"; content:"/COM4/"; nocase; 
classtype:string-detect; sid:2000502; rev:2;)
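Review bot: sid:2000502 changes in the same way as its siblings (udp to tcp, merged content:"/COM4/") but its rev stays at 2 in both the old and new lines, whereas every other pair in this block goes from rev:1 to rev:2. Bump it to rev:3 so that sensors and sid-msg tooling can tell the two revisions apart.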
        old: alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access COM2"; content:"\/"; content:"COM2"; 
content:"\/"; nocase; classtype:string-detect; sid:2000500; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP inaccessible directory access COM2"; content:"/COM2/"; nocase; 
classtype:string-detect; sid:2000500; rev:2;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-virus.rules (1):
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Malware Websearch.com Related Outbound Dialer Trojan 
Download"; content:"|00 6e 00 74 00 65 00 72  00 6e 00 61 00 74 00 69 00 6f 00 
6e 00 61 00 6c  00 20 00 43 00 68 00 61 00 72 00 67 00 65 00 73  00 20 00 61 00 
70 00 70|"; content:"|1a 30 18 82 16 77 77 77  2e 64 69 61 6c 65 72 70 6c 61 74 
66 6f 72 6d 2e  63 6f 6d 30 0c 06 03 55|"; 
reference:url,www.dialerplatform.com; 
reference:url,213.159.117.150/1/rdgUS10.exe; classtype:trojan-activity; 
sid:2001518; rev:2;)

     -> Removed from bleeding.rules (2):
        alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP 
hidden directory access"; content:"\/"; content:" "; content:"\/"; 
classtype:string-detect; sid:2000497; rev:1;)
        alert udp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP 
hidden directory access 2"; content:"\/"; content:"."; content:"\/"; 
classtype:string-detect; sid:2000498; rev:1;)
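Review bot: dropping sid:2000497 and sid:2000498 is the right call. Both are udp rules against the TCP FTP control port, so they could never have fired, and their three independent matches (a slash, then a single space or a single dot, then a slash, each anywhere in the payload) would have matched nearly every FTP command line had the protocol been corrected, making them noise rather than detection.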

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (19):
        2001520 || BLEEDING-EDGE Malware Spywaremover Activity
        2001521 || BLEEDING-EDGE Malware Spywaremover Activity
        2001525 || BLEEDING-EDGE Malware Virtumonde Spyware Code Download 
mmdom.exe || url,sarc.com/avcenter/venc/data/adware.virtumonde.html
        2001526 || BLEEDING-EDGE Malware Virtumonde Spyware Code Download 
bkinst.exe || url,www.lurhq.com/iframeads.html
        2001527 || BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware
        2001528 || BLEEDING-EDGE Malware ak-networks.com Access, Likely Spyware
        2001529 || BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware
        2001530 || BLEEDING-EDGE Malware ak-networks.com Spyware Code Download
        2001531 || BLEEDING-EDGE Malware C4tdoanload.com Access, Likely Spyware
        2001532 || BLEEDING-EDGE Malware Searchmiracle.com Access, Likely 
Spyware
        2001533 || BLEEDING-EDGE Malware Searchmiracle.com Spyware Installer 
silent.exe Download || url,www.searchmiracle.com/silent.exe
        2001534 || BLEEDING-EDGE Malware Searchmiracle.com Spyware Install || 
url,www.searchmiracle.com
        2001535 || BLEEDING-EDGE Malware Searchmiracle.com Spyware Install || 
url,www.searchmiracle.com
        2001536 || BLEEDING-EDGE Malware Spyspotter.com Install
        2001537 || BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware
        2001538 || BLEEDING-EDGE Malware Oenji.com Install
        2001539 || BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware
        2001540 || BLEEDING-EDGE Malware Searchmiracle.com Spyware Install || 
url,www.searchmiracle.com
        2001541 || BLEEDING-EDGE Malware Xpire.info Install Report
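Review bot: this map copies the msg strings verbatim, so the misspellings "Oenji.com" (2001538) and "C4tdoanload.com" (2001531) and the mismatched names for 2001529 (says Casalemedia, rule matches ak-networks.com) and 2001539 (says Spyspotter.com, rule matches oemji.com) appear here too. Any correction to those msg strings in bleeding-malware.rules has to be mirrored in bleeding-sid-msg.map, otherwise alert consoles that resolve sids through the map will show one name while the rule file shows another.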

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (3):
        2000497 || BLEEDING-EDGE FTP hidden directory access
        2000498 || BLEEDING-EDGE FTP hidden directory access 2
        2001518 || BLEEDING-EDGE Malware Websearch.com Related Outbound Dialer 
Trojan Download || url,213.159.117.150/1/rdgUS10.exe || 
url,www.dialerplatform.com

     -> Removed from bleeding-virus.rules (1):
        #By Matt Jonkman

[*] Added files: [*]
    None.



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
