[Snort-sigs] Bleedingsnort.com Daily Update

[***] Results from Oinkmaster started Sat Dec 25 21:00:03 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (4):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Virus Santy.C Outbound Attack --LOCAL INFECTION--"; 
uricontent:"/spy.gif?&cmd=cd /tmp\;wget"; nocase; 
reference:url,www.k-otik.com/exploits/20041225.SantyC.php; 
flow:to_server,established; sid:2001615; rev:3;)
        alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus 
Santy.B worm variants searching for targets"; content:"GET /search|3f|"; 
nocase; content: "q=inurl|3a|"; nocase; content:".php|3f|"; nocase; within:10; 
pcre:"/&start=\d+/i"; classtype: trojan-activity; flow:to_server,established; 
sid:2001618; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Virus Santy.C Inbound Attack"; uricontent:"/spy.gif?&cmd=cd 
/tmp\;wget"; nocase; reference:url,www.k-otik.com/exploits/20041225.SantyC.php; 
flow:to_server,established; sid:2001614; rev:3;)
        alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE Virus 
Santy.B worm variants searching for targets"; content:"GET 
/search|3f|q=inurl|3a2a|.php|3f2a|="; nocase; pcre:"/\d+&start=\d+/iR"; 
classtype: trojan-activity; flow:to_server,established; sid:2001617; rev:2;)

     -> Added to bleeding.rules (3):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: 
"BLEEDING-EDGE Exploit Suspected PHP Injection Attack"; content: "GET /"; 
nocase; content: ".php|3f|"; nocase; within: 64; pcre: 
"/(name=http|cmd=.*(cd|perl|wget|id|uname|t?ftp))/i"; 
flow:to_server,established; classtype: trojan-activity; sid:2001621; rev:2;)
        alert tcp $HOME_NET any -> 213.219.122.11/32 $HTTP_PORTS 
(msg:"BLEEDING-EDGE Attack Response Zone-H.org defacement notification"; pcre: 
"/notify_(defacer|domain|hackmode|reason)=/i"; flow:established,to_server; 
classtype: trojan-activity; sid:2001616; rev:3;)
        alert tcp $HOME_NET any -> any 6667 (msg:"BLEEDING-EDGE Attack Response 
Likely Botnet Activity"; tag:session,50,packets; content: "PRIVMSG"; nocase; 
pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total 
bytes|M?dia de envio|portas? aberta)/i"; classtype: string-detect; 
flow:to_server,established; sid:2001620; rev:2;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (1):
        old: alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: 
"BLEEDING-EDGE Virus Possible santy.A Worm Defaced Page"; content:"This site is 
defaced!!!"; nocase; content:"NeverEverNoSanity WebWorm generation X"; nocase; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; 
sid:2001607; rev:1;)
        new: alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: 
"BLEEDING-EDGE Virus Possible santy.A Worm Defaced Page"; content:"This site is 
defaced!!!"; nocase; content:"NeverEverNoSanity WebWorm generation X"; nocase; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; 
flow:from_server,established; sid:2001607; rev:2;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-virus.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: 
"BLEEDING-EDGE Virus Possible Santy.A Worm Searching Google for Targets"; 
uricontent:"&q=allinurl%3A+%22viewtopic.php%22+%22"; nocase; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; 
sid:2001606; rev:1;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (7):
        2001614 || BLEEDING-EDGE Virus Santy.C Inbound Attack || 
url,www.k-otik.com/exploits/20041225.SantyC.php
        2001615 || BLEEDING-EDGE Virus Santy.C Outbound Attack --LOCAL 
INFECTION-- || url,www.k-otik.com/exploits/20041225.SantyC.php
        2001616 || BLEEDING-EDGE Attack Response Zone-H.org defacement 
notification
        2001617 || BLEEDING-EDGE Virus Santy.B worm variants searching for 
targets
        2001618 || BLEEDING-EDGE Virus Santy.B worm variants searching for 
targets
        2001620 || BLEEDING-EDGE Attack Response Likely Botnet Activity
        2001621 || BLEEDING-EDGE Exploit Suspected PHP Injection Attack

     -> Added to bleeding-virus.rules (3):
        #By Erik Fichtner
        alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:BLEEDING-EDGE Virus 
Santy.B worm variants serarching for targets (yahoo)"; content:"GET 
/search|3f|"; nocase; content: "p=inurl|3a|"; nocase; content:".php|3f2a|="; 
nocase; within:10; pcre:"/\d+/iR"; content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; 
nocase; pcre:"/\d+/iR"; flow:to_server,established; classtype: trojan-activity; 
sid:2001619; rev:1;)
        #Matt Jonkman for .C

     -> Added to bleeding.rules (2):
        #Erik Fichtner
        #By Erik Fichtner

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2001606 || BLEEDING-EDGE Virus Possible Santy.A Worm Searching Google 
for Targets || 
url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html

[*] Added files: [*]
    None.



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs