Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Bleedingsnort.com Daily Update

from [bleeding] Network Security [Permanent Link]
Subject: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Tue, 21 Dec 2004 18:25:48 -0500 (EST) 

[***] Results from Oinkmaster started Tue Dec 21 18:25:48 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (2):
        alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: 
"BLEEDING-EDGE Virus Possible santy.A Worm Defaced Page"; content:"This site is 
defaced!!!"; nocase; content:"NeverEverNoSanity WebWorm generation X"; nocase; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; 
sid:2001607; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: 
"BLEEDING-EDGE Virus Possible Santy.A Worm Searching Google for Targets"; 
uricontent:"&q=allinurl%3A+%22viewtopic.php%22+%22"; nocase; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; 
sid:2001606; rev:1;)

     -> Added to bleeding.rules (2):
        alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit 
phpBB Highlight Exploit Attempt"; content:"&highlight=%2527%252Esystem("; 
nocase; flow:to_server,established; 
reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001605; 
rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution - Sanity.A Worm"; 
flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; 
uricontent:"&highlight='.write(fopen("; nocase; 
reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001604; 
rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (17):
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
Netsky.Z Worm - outgoing detected"; 
content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4";
 threshold: type limit, track by_src, count 10 , seconds 60; nocase; 
reference:url,secunia.com/virus_information/8911/;classtype:misc-activity; 
sid:2001603; rev:1;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
Netsky.Z Worm - outgoing detected"; 
content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4";
 threshold: type limit, track by_src, count 10 , seconds 60; nocase; 
reference:url,secunia.com/virus_information/8911/;classtype:misc-activity; 
flow:established; sid:2001603; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Zafi Worm - 
incoming "; 
content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; 
nocase; classtype:misc-activity; flow:from_server,established; sid:2001572; 
rev:3;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Zafi Worm - 
incoming "; 
content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; 
nocase; classtype:misc-activity; flow:established; sid:2001572; rev:4;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
Netsky.P Worm detected 
";content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; 
threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; 
classtype:misc-activity; flow:established,to_server; sid:2001566; rev:3;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
Netsky.P Worm detected 
";content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; 
threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; 
classtype:misc-activity; flow:established; sid:2001566; rev:4;)
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I 
Worm - incoming"; 
content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA";
 nocase; classtype:misc-activity; flow:established,to_server; sid:2001577; 
rev:1;)
        new: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I 
Worm - incoming"; 
content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA";
 nocase; classtype:misc-activity; flow:established; sid:2001577; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
NetSky.C Worm - incoming"; 
content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; nocase; 
reference:url,secunia.com/virus_information/557/; classtype:misc-activity; 
sid:2001590; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE 
Virus NetSky.C Worm - incoming"; 
content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; nocase; 
reference:url,secunia.com/virus_information/557/; classtype:misc-activity; 
flow:established; sid:2001590; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D 
Worm [.cmd, .com, .pif or .bat] - outgoing detected "; 
content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; threshold: type 
limit, track by_src, count 10 , seconds 60 ; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
sid:2001601; rev:1;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D 
Worm [.cmd, .com, .pif or .bat] - outgoing detected "; 
content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; threshold: type 
limit, track by_src, count 10 , seconds 60 ; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
flow:established; sid:2001601; rev:2;)
        old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel 
- outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001567; rev:3;)
        new: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel 
- outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; 
flow:established; classtype:trojan-activity; sid:2001567; rev:4;)
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
Zafi.D Worm [.zip] - incoming detected "; 
content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
sid:2001598; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE 
Virus Zafi.D Worm [.zip] - incoming detected "; 
content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
flow:established; sid:2001598; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm 
outbound detected"; 
content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA";
 threshold: type limit, track by_src, count 10 , seconds 60; nocase; 
classtype:misc-activity; flow:established,to_server; sid:2001578; rev:1;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm 
outbound detected"; 
content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA";
 threshold: type limit, track by_src, count 10 , seconds 60; nocase; 
classtype:misc-activity; flow:established; sid:2001578; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"Zafi Worm outgoing 
detected "; 
content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; 
threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; 
flow:to_server,established; classtype:misc-activity; sid:2001573; rev:3;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"Zafi Worm outgoing 
detected "; 
content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; 
threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; 
flow:established; classtype:misc-activity; sid:2001573; rev:4;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS 
Probable Zafi Virus Outbound via SMTP"; content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"; 
content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; distance:6; 
flow:to_server,established; classtype:misc-activity; sid:2000310; rev:3;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS 
Probable Zafi Virus Outbound via SMTP"; content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"; 
content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; distance:6; flow:to_server; 
classtype:misc-activity; sid:2000310; rev:4;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE 
Virus Netsky.P Worm - incoming "; 
content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; nocase; 
flow:established,from_server; classtype:misc-activity; sid:2001565; rev:3;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE 
Virus Netsky.P Worm - incoming "; 
content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; nocase; 
flow:established; classtype:misc-activity; sid:2001565; rev:4;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D 
Worm [.zip] - outgoing detected "; 
content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; threshold: 
type limit, track by_src, count 10 , seconds 60 ; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
sid:2001599; rev:1;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D 
Worm [.zip] - outgoing detected "; 
content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; threshold: 
type limit, track by_src, count 10 , seconds 60 ; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
flow:established; sid:2001599; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
NetSky.C Worm - outgoing detected"; 
content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; threshold: 
type limit, track by_src, count 10 , seconds 60 ;nocase; 
reference:url,secunia.com/virus_information/557/;classtype:misc-activity; 
sid:2001591; rev:1;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
NetSky.C Worm - outgoing detected"; 
content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; threshold: 
type limit, track by_src, count 10 , seconds 60 ;nocase; 
reference:url,secunia.com/virus_information/557/;classtype:misc-activity; 
flow:established; sid:2001591; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
Netsky.Z Worm - incoming detected"; 
content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4";
 nocase; reference:url,secunia.com/virus_information/8911/; 
classtype:misc-activity; flow:established,to_server; sid:2001602; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE 
Virus Netsky.Z Worm - incoming detected"; 
content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4";
 nocase; reference:url,secunia.com/virus_information/8911/; 
classtype:misc-activity; flow:established; sid:2001602; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
Zafi.D Worm [.cmd, .com, .pif or .bat] - incoming detected "; 
content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
sid:2001600; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE 
Virus Zafi.D Worm [.cmd, .com, .pif or .bat] - incoming detected "; 
content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
flow:established; sid:2001600; rev:2;)
        old: alert TCP $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
Bagel - incoming"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; 
classtype:trojan-activity; flow:to_server,established; sid:2001568; rev:3;)
        new: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE 
Virus Bagel - incoming"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; 
nocase; classtype:trojan-activity; flow:established; sid:2001568; rev:4;)

     -> Modified active in bleeding.rules (2):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE phpBB Highlighting SQL Injection <2.0.11"; 
flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; 
uricontent:"&highlight='.mysql_query("; nocase; 
reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001557; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Exploit phpBB Highlighting SQL Injection"; 
flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; 
uricontent:"&highlight='.mysql_query("; nocase; 
reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001557; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE phpBB Highlighting Remote Code Execution Attempt 
HowDark.com"; flow:to_server,established; uricontent:"/viewtopic.php?t="; 
nocase; uricontent:"&highlight='.system("; nocase; 
reference:url,www.howdark.com/poc/phpbb2010_hl.phps; sid:2001457; rev:4;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt"; 
flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; 
uricontent:"&highlight='.system("; nocase; 
reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001457; 
rev:5;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (6):
        2001457 || BLEEDING-EDGE Exploit phpBB Highlighting Code Execution 
Attempt || url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
        2001557 || BLEEDING-EDGE Exploit phpBB Highlighting SQL Injection || 
url,www.securiteam.com/unixfocus/6Z00R2ABPY.html
        2001604 || BLEEDING-EDGE Exploit phpBB Highlighting Code Execution - 
Sanity.A Worm || url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
        2001605 || BLEEDING-EDGE Exploit phpBB Highlight Exploit Attempt || 
url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
        2001606 || BLEEDING-EDGE Virus Possible Santy.A Worm Searching Google 
for Targets || 
url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html
        2001607 || BLEEDING-EDGE Virus Possible santy.A Worm Defaced Page || 
url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html

     -> Added to bleeding-virus.rules (1):
        #From Dshield

     -> Added to bleeding.rules (1):
        #From Dshield

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (2):
        2001457 || BLEEDING-EDGE phpBB Highlighting Remote Code Execution 
Attempt HowDark.com || url,www.howdark.com/poc/phpbb2010_hl.phps
        2001557 || BLEEDING-EDGE phpBB Highlighting SQL Injection <2.0.11 || 
url,www.securiteam.com/unixfocus/6Z00R2ABPY.html

[*] Added files: [*]
    None.



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] Compilable SPADE/Snort 2.3.0RC2 Tarball, Matt Jonkman
Next by Date:  [Snort-sigs] Santy/phpBB rules, M. Shirk
Previous by Thread:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Next by Thread:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Indexes:  [Date] [Thread] [Top] [All Lists]