[Snort-sigs] Bleedingsnort.com Daily Update

[***] Results from Oinkmaster started Mon Dec 13 21:00:01 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (2):
        alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm 
outbound detected"; 
content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA";
 threshold: type limit, track by_src, count 10 , seconds 60; nocase; 
classtype:misc-activity; flow:established,to_server; sid:2001578; rev:1;)
        alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm 
- incoming"; 
content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA";
 nocase; classtype:misc-activity; flow:established,to_server; sid:2001577; 
rev:1;)

     -> Added to bleeding.rules (6):
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; threshold: 
type limit, track by_src, count 50 , seconds 60; sid:2001579; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; threshold: 
type limit, track by_src, count 50 , seconds 60; sid:2001583; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; threshold: 
type limit, track by_src, count 50 , seconds 60; sid:2001569; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; threshold: 
type limit, track by_src, count 50 , seconds 60; sid:2001580; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; threshold: 
type limit, track by_src, count 50 , seconds 60; sid:2001582; rev:1;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; threshold: 
type limit, track by_src, count 50 , seconds 60; sid:2001581; rev:1;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-virus.rules (1):
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Virus 
Rogue Port 445 traffic"; threshold: type limit, track by_src, count 100 , 
seconds 600; sid:2001569; rev:3;)

     -> Removed from bleeding.rules (2):
        alert tcp any any -> any 65506 (msg:"BLEEDING-EDGE Unknown activity 
port 65506"; reference:url,isc.sans.org/diary.php?date=2004-08-21; content: 
"|00 00 43|"; window: 16616; fragbits: D+; sid:2001232; rev:1;)
        alert tcp any any -> any 559 (msg:"BLEEDING-EDGE ISC Unknown activity 
port 559"; reference:url,isc.sans.org/diary.php?date=2004-08-21; content: "|04 
01 00 50 D9 6A E8 11|"; flow:to_server,established; sid:2001231; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (8):
        2001569 || BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential 
Scan or Infection
        2001577 || BLEEDING-EDGE Sober.I Worm - incoming
        2001578 || BLEEDING-EDGE Sober.I Worm outbound detected
        2001579 || BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential 
Scan or Infection
        2001580 || BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential 
Scan or Infection
        2001581 || BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential 
Scan or Infection
        2001582 || BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, 
Potential Scan or Infection
        2001583 || BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, 
Potential Scan or Infection

     -> Added to bleeding-virus.rules (1):
        #added 11/19/2004 Sober.I - created by Mark Scott

     -> Added to bleeding.rules (3):
        #Collective ideas: These are mostly off by default. You need to decide
        # if and where to run these on your networks. They will cause 
significant
        # False positives if you just turn them on everywhere. You're been 
warned.

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (3):
        2001231 || BLEEDING-EDGE ISC Unknown activity port 559 || 
url,isc.sans.org/diary.php?date=2004-08-21
        2001232 || BLEEDING-EDGE Unknown activity port 65506 || 
url,isc.sans.org/diary.php?date=2004-08-21
        2001569 || BLEEDING-EDGE Virus Rogue Port 445 traffic

     -> Removed from bleeding-virus.rules (2):
        #These are general tools to detect worm outbreaks - enable at your own 
risk
        #Turn this on only if your external_net is not set to ANY.

[*] Added files: [*]
    None.



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs