[***] Results from Oinkmaster started Sat Dec 18 21:00:02 2004 [***]
[+++] Added rules: [+++]
-> Added to bleeding-policy.rules (1):
alert udp any any -> any any (msg:"BLEEDING-EDGE Policy Netop Remote
Control Usage"; content:"|554b30303736305337473130|";
reference:url,www.netop.com; classtype:policy-violation; sid:2001597; rev:1;)
-> Added to bleeding-virus.rules (4):
alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm
[.zip] - outgoing detected ";
content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; threshold:
type limit, track by_src, count 10 , seconds 60 ; nocase;
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity;
sid:2001599; rev:1;)
alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D
Worm [.cmd, .com, .pif or .bat] - incoming detected ";
content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; nocase;
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity;
sid:2001600; rev:1;)
alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D Worm
[.cmd, .com, .pif or .bat] - outgoing detected ";
content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; threshold: type
limit, track by_src, count 10 , seconds 60 ; nocase;
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity;
sid:2001601; rev:1;)
alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D
Worm [.zip] - incoming detected ";
content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; nocase;
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity;
sid:2001598; rev:1;)
[///] Modified active rules: [///]
-> Modified active in bleeding-policy.rules (1):
old: alert udp any any -> any any (msg:"BLEEDING-EDGE Policy Netop
Remote Control Usage"; content:"|554b30303736305337473130|";
reference:url,www.netop.com; classtype:policy-violation; sid:2001596; rev:1;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Policy Skype VOIP Reporting Install"; uricontent:"/ui/";
nocase; uricontent:"/installed"; nocase; classtype:policy-violation;
reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf;
flow:to_server,established; sid:2001596; rev:4;)
-> Modified active in bleeding-virus.rules (4):
old: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Zafi.B Worm -
incoming ";
content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA";
nocase; classtype:misc-activity; flow:from_server,established; sid:2001572;
rev:2;)
new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Zafi Worm -
incoming ";
content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA";
nocase; classtype:misc-activity; flow:from_server,established; sid:2001572;
rev:3;)
old: alert tcp $HOME_NET any -> any 25 (msg:"Zafi.B Worm outgoing
detected ";
content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA";
threshold: type limit, track by_src, count 10 , seconds 60 ; nocase;
flow:to_server,established; classtype:misc-activity; sid:2001573; rev:2;)
new: alert tcp $HOME_NET any -> any 25 (msg:"Zafi Worm outgoing
detected ";
content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA";
threshold: type limit, track by_src, count 10 , seconds 60 ; nocase;
flow:to_server,established; classtype:misc-activity; sid:2001573; rev:3;)
old: alert TCP $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus
Bagel.AX - incoming"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA";
nocase; classtype:trojan-activity; flow:to_server,established; sid:2001568;
rev:2;)
new: alert TCP $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus
Bagel - incoming"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase;
classtype:trojan-activity; flow:to_server,established; sid:2001568; rev:3;)
old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus
Bagel.AX - outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA";
nocase; flow:to_server,established; classtype:trojan-activity; sid:2001567;
rev:2;)
new: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel
- outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase;
flow:to_server,established; classtype:trojan-activity; sid:2001567; rev:3;)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-sid-msg.map (9):
2001567 || BLEEDING-EDGE Virus Bagel - outbound
2001568 || BLEEDING-EDGE Virus Bagel - incoming
2001572 || Zafi Worm - incoming
2001573 || Zafi Worm outgoing detected
2001597 || BLEEDING-EDGE Policy Netop Remote Control Usage ||
url,www.netop.com
2001598 || BLEEDING-EDGE Virus Zafi.D Worm [.zip] - incoming detected
|| url,secunia.com/virus_information/13874/
2001599 || BLEEDING-EDGE Virus Zafi.D Worm [.zip] - outgoing detected
|| url,secunia.com/virus_information/13874/
2001600 || BLEEDING-EDGE Virus Zafi.D Worm [.cmd, .com, .pif or .bat] -
incoming detected || url,secunia.com/virus_information/13874/
2001601 || BLEEDING-EDGE Virus Zafi.D Worm [.cmd, .com, .pif or .bat] -
outgoing detected || url,secunia.com/virus_information/13874/
-> Added to bleeding-virus.rules (2):
# Zafi.D
#added by Mark Scott 12/14/2004 for Zafi.D, variant .zip attachment
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (4):
2001567 || BLEEDING-EDGE Virus Bagel.AX - outbound
2001568 || BLEEDING-EDGE Virus Bagel.AX - incoming
2001572 || Zafi.B Worm - incoming
2001573 || Zafi.B Worm outgoing detected
[*] Added files: [*]
None.
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
