
[Snort-sigs] Bleedingsnort.com Daily Update

Subject: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Tue, 23 Nov 2004 20:00:03 -0600 (CST)

[***] Results from Oinkmaster started Tue Nov 23 20:00:02 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (1):
        alert tcp any any -> any any (msg:"BLEEDING-EDGE VIRUS Agobot/Phatbot 
Infection Successful"; flow:established; content:"221 Goodbye, have a good 
infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; 
reference:url,www.lurhq.com/phatbot.html; sid:2000014; rev:1;)

     -> Added to bleeding.rules (2):
        alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT NTDump 
Session Established Reg-Entry - port 445"; content:"|53 00 4f 00 46 00 54 00 57 
00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; sid:2001543; 
rev:1;)
        alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT 
NTDump.exe Service Started - port 445"; content:"|4e 00 74 00 44 00 75 00 6d 00 
70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; sid:2001544; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-p2p.rules (2):
        old: alert tcp any any -> any any (msg:"BLEEDING-EDGE Phatbot P2P 
Control Connection"; flow:established; content:"Wonk-"; 
content:"|00|#waste|00|"; within:15; classtype:trojan-activity; 
reference:url,www.lurhq.com/phatbot.html; sid:2000015; rev:1;)
        new: alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P Phatbot 
Control Connection"; flow:established; content:"Wonk-"; 
content:"|00|#waste|00|"; within:15; classtype:trojan-activity; 
reference:url,www.lurhq.com/phatbot.html; sid:2000015; rev:2;)
        old: alert udp $EXTERNAL_NET any -> $HOME_NET any  (msg:"BLEEDING-EDGE 
Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; offset:0; 
depth:6; classtype:policy-violation;threshold: type limit, track by_dst, count 
1 , seconds 600; 
reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; sid:2000340; 
rev:1;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET any  (msg:"BLEEDING-EDGE 
P2P Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; 
offset:0; depth:6; classtype:policy-violation;threshold: type limit, track 
by_dst, count 1 , seconds 600; 
reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; sid:2000340; 
rev:2;)

     -> Modified active in bleeding-virus.rules (4):
        old: alert ip any any -> any any (msg:"BLEEDING-EDGE Win32/Small.AR 
outbound activity"; uricontent:"/zosman/cia/index.php"; 
classtype:trojan-activity; sid:2001234; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE 
Win32/Small.AR outbound activity"; uricontent:"/zosman/cia/index.php"; 
classtype:trojan-activity; sid:2001234; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( 
msg:"BLEEDING_EDGE VIRUS Psyme Trojan Download"; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html;
 uricontent:"/download/IEService215.chm"; nocase; sid:2000365; rev:2; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( 
msg:"BLEEDING-EDGE VIRUS Psyme Trojan Download"; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html;
 uricontent:"/download/IEService215.chm"; nocase; sid:2000365; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"BLEEDING-EDGE 
Virus Possible Sober.j Outbound"; 
reference:url,http://vil.mcafeesecurity.com/vil/content/v_130130.htm; 
classtype:trojan-activity; sid:2001542; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"BLEEDING-EDGE 
Virus Possible Sober.j Outbound"; 
reference:url,vil.mcafeesecurity.com/vil/content/v_130130.htm; 
classtype:trojan-activity; sid:2001542; rev:2;)
        old: alert tcp any !$HTTP_PORTS -> any 1639 (msg:"BLEEDING-EDGE WORM 
MyDoom.AI Victim Accessing Reactor Page"; classtype:trojan-activity; 
flow:established,to_server; content:"/reactor"; nocase; 
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
 sid:2001430; rev:2;)
        new: alert tcp any !$HTTP_PORTS -> any 1639 (msg:"BLEEDING-EDGE WORM 
Bofra Victim Accessing Reactor Page"; classtype:trojan-activity; content:"GET 
/"; nocase; content:"reactor"; nocase; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html;
 
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
 sid:2001430; rev:3;)

     -> Modified active in bleeding.rules (9):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
Serv-U FTP directory traversal vulnerability"; pcre:"/\\[\.]+%20/Bi"; 
reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; 
classtype:misc-activity; sid:2001211; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP Serv-U directory traversal vulnerability"; pcre:"/\\[\.]+%20/Bi"; 
reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; 
classtype:misc-activity; sid:2001211; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 
(msg:"BLEEDING-EDGE IRC -  DCC chat request on non-std port"; 
flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; depth:8; 
content:" \:.DCC CHAT chat"; nocase; tag:session,300,seconds; 
classtype:policy-violation; sid:2000350; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 
(msg:"BLEEDING-EDGE IRC - DCC chat request on non-std port"; 
flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; depth:8; 
content:" \:.DCC CHAT chat"; nocase; tag:session,300,seconds; 
classtype:policy-violation; sid:2000350; rev:4;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
Serv-U Local Privilege Escalation Vulnerability"; content:"site exec"; nocase; 
rawbytes; reference:url,www.securiteam.com/windowsntfocus/5YP0F1FDPO.html; 
classtype:misc-activity; sid:2001210; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP Serv-U Local Privilege Escalation Vulnerability"; content:"site exec"; 
nocase; rawbytes; 
reference:url,www.securiteam.com/windowsntfocus/5YP0F1FDPO.html; 
classtype:misc-activity; sid:2001210; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"BLEEDING-EDGE PHPNukegeneral XSS attemp"; content:"/modules.php?"; 
content:"name="; uricontent:"SCRIPT"; nocase; pcre:"/<\s*SCRIPT\s*>/iU"; 
reference:url,www.waraxe.us/?modname=sa&id=030; 
classtype:web-application-attack; sid:2001218; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"BLEEDING-EDGE PHPNuke general XSS attemp"; content:"/modules.php?"; 
content:"name="; uricontent:"SCRIPT"; nocase; pcre:"/<\s*SCRIPT\s*>/iU"; 
reference:url,www.waraxe.us/?modname=sa&id=030; 
classtype:web-application-attack; sid:2001218; rev:2;)
        old: alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 
WEB-IIS ASP.net Auth Bypass / Canonicalization"; flow:to_server,established; 
content:"GET"; nocase; content:"|5C|"; nocase; depth:100; content:"aspx"; 
distance:100; nocase; sid:2001342; rev:9;)
        new: alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE 
WEB-IIS ASP.net Auth Bypass / Canonicalization"; flow:to_server,established; 
content:"GET"; nocase; content:"|5C|"; nocase; depth:100; content:"aspx"; 
distance:100; nocase; sid:2001342; rev:10;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
Serv-U FTP directory traversal vulnerability"; pcre:"/%20[\.]+\//Bi"; 
reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; 
classtype:misc-activity; sid:2001212; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP Serv-U directory traversal vulnerability"; pcre:"/%20[\.]+\//Bi"; 
reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; 
classtype:misc-activity; sid:2001212; rev:2;)
        old: alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 
WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C"; 
flow:to_server,established; content:"GET"; nocase; content:"%5C"; depth:100; 
content:"aspx"; distance:100; sid:2001343; rev:8;)
        new: alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE 
WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C"; 
flow:to_server,established; content:"GET"; nocase; content:"%5C"; depth:100; 
content:"aspx"; distance:100; sid:2001343; rev:9;)
        old: alert tcp any any -> any any (msg:"BLEEDING-EDGE Serv-U FTP Server 
Long Filename Stack Overflow Vulnerability"; 
pcre:"/chmod[\s]+([\d]{1,4})*[\s]*[\w\.\/]{250}/Bi"; 
reference:url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html; 
classtype:misc-activity; sid:2001215; rev:1;)
        new: alert tcp any any -> any any (msg:"BLEEDING-EDGE FTP Serv-U Server 
Long Filename Stack Overflow Vulnerability"; 
pcre:"/chmod[\s]+([\d]{1,4})*[\s]*[\w\.\/]{250}/Bi"; 
reference:url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html; 
classtype:misc-activity; sid:2001215; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
Serv-U LIST -l Parameter Buffer Overflow"; content:"LIST -l\:"; nocase; 
isdataat:134,relative;reference:url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html;
 classtype:misc-activity; sid:2001213; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE 
FTP Serv-U LIST -l Parameter Buffer Overflow"; content:"LIST -l\:"; nocase; 
isdataat:134,relative;reference:url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html;
 classtype:misc-activity; sid:2001213; rev:2;)

[///]    Modified inactive rules:    [///]

     -> Modified inactive in bleeding-malware.rules (1):
        old: #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Comet Cursor spyware detection"; content:"|53 65 72 76 65 
72|"; content:"|43 6F 6D 65 74|"; 
reference:url,simplythebest.net/info/spyware/comet_cursor_spyware.html; 
classtype:policy-violation; sid:2000551; rev:5;)
        new: #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Malware Comet Cursor spyware detection"; content:"|53 65 72 
76 65 72|"; content:"|43 6F 6D 65 74|"; 
reference:url,simplythebest.net/info/spyware/comet_cursor_spyware.html; 
classtype:policy-violation; sid:2000551; rev:6;)

     -> Modified inactive in bleeding.rules (1):
        old: #alert tcp any any -> any any (msg:"BLEEDING-EDGE Serv-U MDTM 
Command Buffer Overflow Vulnerability"; 
pcre:"/MDTM[\s]+[\d]+[\s\S]*[\w]{45}/Bi"; 
reference:url,www.securiteam.com/windowsntfocus/5HP010ACAS.html; 
classtype:misc-activity; sid:2001214; rev:1;)
        new: #alert tcp any any -> any any (msg:"BLEEDING-EDGE FTP Serv-U MDTM 
Command Buffer Overflow Vulnerability"; 
pcre:"/MDTM[\s]+[\d]+[\s\S]*[\w]{45}/Bi"; 
reference:url,www.securiteam.com/windowsntfocus/5HP010ACAS.html; 
classtype:misc-activity; sid:2001214; rev:2;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-p2p.rules (1):
        alert tcp any any -> any any (msg:"BLEEDING-EDGE Agobot/Phatbot 
Infection Successful"; flow:established; content:"221 Goodbye, have a good 
infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; 
reference:url,www.lurhq.com/phatbot.html; sid:2000014; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (17):
        2000014 || BLEEDING-EDGE VIRUS Agobot/Phatbot Infection Successful || 
url,www.lurhq.com/phatbot.html
        2000015 || BLEEDING-EDGE P2P Phatbot Control Connection || 
url,www.lurhq.com/phatbot.html
        2000340 || BLEEDING-EDGE P2P Kaaza Media desktop p2pnetworking.exe 
Activity || url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf
        2000350 || BLEEDING-EDGE IRC - DCC chat request on non-std port
        2000365 || BLEEDING-EDGE VIRUS Psyme Trojan Download || 
url,securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html
        2000551 || BLEEDING-EDGE Malware Comet Cursor spyware detection || 
url,simplythebest.net/info/spyware/comet_cursor_spyware.html
        2001210 || BLEEDING-EDGE FTP Serv-U Local Privilege Escalation 
Vulnerability || url,www.securiteam.com/windowsntfocus/5YP0F1FDPO.html
        2001211 || BLEEDING-EDGE FTP Serv-U directory traversal vulnerability 
|| url,www.securiteam.com/windowsntfocus/6C0041F0KO.html
        2001212 || BLEEDING-EDGE FTP Serv-U directory traversal vulnerability 
|| url,www.securiteam.com/windowsntfocus/6C0041F0KO.html
        2001213 || BLEEDING-EDGE FTP Serv-U LIST -l Parameter Buffer Overflow 
|| url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html
        2001214 || BLEEDING-EDGE FTP Serv-U MDTM Command Buffer Overflow 
Vulnerability || url,www.securiteam.com/windowsntfocus/5HP010ACAS.html
        2001215 || BLEEDING-EDGE FTP Serv-U Server Long Filename Stack Overflow 
Vulnerability || url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html
        2001218 || BLEEDING-EDGE PHPNuke general XSS attemp || 
url,www.waraxe.us/?modname=sa&id=030
        2001430 || BLEEDING-EDGE WORM Bofra Victim Accessing Reactor Page || 
url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631 || 
url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html
        2001542 || BLEEDING-EDGE Virus Possible Sober.j Outbound || 
url,vil.mcafeesecurity.com/vil/content/v_130130.htm
        2001543 || BLEEDING-EDGE EXPLOIT NTDump Session Established Reg-Entry - 
port 445
        2001544 || BLEEDING-EDGE EXPLOIT NTDump.exe Service Started - port 445

     -> Added to bleeding-virus.rules (1):
        #Matt Jonkman, additions by David Maciejak

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (15):
        2000014 || BLEEDING-EDGE Agobot/Phatbot Infection Successful || 
url,www.lurhq.com/phatbot.html
        2000015 || BLEEDING-EDGE Phatbot P2P Control Connection || 
url,www.lurhq.com/phatbot.html
        2000340 || BLEEDING-EDGE Kaaza Media desktop p2pnetworking.exe Activity 
|| url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf
        2000350 || BLEEDING-EDGE IRC -  DCC chat request on non-std port
        2000365 || BLEEDING_EDGE VIRUS Psyme Trojan Download || 
url,securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html
        2000551 || BLEEDING-EDGE Comet Cursor spyware detection || 
url,simplythebest.net/info/spyware/comet_cursor_spyware.html
        2001210 || BLEEDING-EDGE Serv-U Local Privilege Escalation 
Vulnerability || url,www.securiteam.com/windowsntfocus/5YP0F1FDPO.html
        2001211 || BLEEDING-EDGE Serv-U FTP directory traversal vulnerability 
|| url,www.securiteam.com/windowsntfocus/6C0041F0KO.html
        2001212 || BLEEDING-EDGE Serv-U FTP directory traversal vulnerability 
|| url,www.securiteam.com/windowsntfocus/6C0041F0KO.html
        2001213 || BLEEDING-EDGE Serv-U LIST -l Parameter Buffer Overflow || 
url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html
        2001214 || BLEEDING-EDGE Serv-U MDTM Command Buffer Overflow 
Vulnerability || url,www.securiteam.com/windowsntfocus/5HP010ACAS.html
        2001215 || BLEEDING-EDGE Serv-U FTP Server Long Filename Stack Overflow 
Vulnerability || url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html
        2001218 || BLEEDING-EDGE PHPNukegeneral XSS attemp || 
url,www.waraxe.us/?modname=sa&id=030
        2001430 || BLEEDING-EDGE WORM MyDoom.AI Victim Accessing Reactor Page 
|| url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631
        2001542 || BLEEDING-EDGE Virus Possible Sober.j Outbound || 
url,http://vil.mcafeesecurity.com/vil/content/v_130130.htm

[*] Added files: [*]
    None.

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs