[Snort-sigs] Bleedingsnort.com Daily Update

Subject: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Mon, 27 Dec 2004 21:00:04 -0500 (EST)

[***] Results from Oinkmaster started Mon Dec 27 21:00:04 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding.rules (7):
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 2"; flow:to_client,established; flowbits: isset,winhlp32; content: "|3C|PARAM"; nocase; content: "value="; nocase; content: "command|3B|"; nocase; pcre: "/(javascript|http|ftp|vbscript)/iR"; classtype: web-application-attack; sid:2001623; rev:2;)
        alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 2"; flow:to_server,established; flowbits: isset,winhlp32; content: "|3C|PARAM"; nocase; content: "value="; nocase; content: "command|3B|"; nocase; pcre: "/(javascript|http|ftp|vbscript)/iR"; classtype: web-application-attack; sid:2001626; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE Attack Response Outbound PHP Connection"; flow:established,to_server; content:"From\: anon@anon.com"; offset:0; depth:19; nocase; content:"User-Agent\: PHP"; nocase; classtype:web-application-activity; sid:2001628; rev:1;)
        alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 1"; flow:to_server,established; flowbits: set,winhlp32; flowbits:noalert; content: "|3C|OBJECT"; nocase; content: "application/x-oleobject"; nocase; within: 64; content: "codebase="; nocase; content: "hhctrl.ocx"; nocase; within: 5; classtype: web-application-activity; sid:2001625; rev:1;)
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 3"; flow:to_client, established; flowbits: isset,winhlp32; content: ".HHClick|2829|"; nocase; classtype: web-application-attack; sid:2001624; rev:1;)
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 1"; flow:to_client,established; flowbits: set,winhlp32; flowbits:noalert; content: "|3C|OBJECT"; nocase; content: "application/x-oleobject"; nocase; within: 64; content: "codebase="; nocase; content: "hhctrl.ocx"; nocase; within: 5;  sid:2001622; classtype: web-application-activity; rev:1;)
        alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 3"; flow:to_server,established; flowbits: isset,winhlp32; content: ".HHClick|2829|"; nocase; classtype: web-application-attack; sid:2001627; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (4):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.C Outbound Attack --LOCAL INFECTION--"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.SantyC.php; flow:to_server,established; sid:2001615; rev:8;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus PHPInclude.Worm Outbound Attack --LOCAL INFECTION--"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; flow:to_server,established; sid:2001615; rev:8;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus Santy.C Inbound Attack"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.SantyC.php; flow:to_server,established; sid:2001614; rev:8;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus PHPInclude.Worm Inbound Attack"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; flow:to_server,established; sid:2001614; rev:8;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Zafi Worm - incoming "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; nocase; classtype:misc-activity; flow:established; sid:2001572; rev:4;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Zafi Worm - incoming "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; nocase; classtype:misc-activity; flow:established; sid:2001572; rev:5;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"Zafi Worm outgoing detected "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; flow:established; classtype:misc-activity; sid:2001573; rev:4;)
        new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi Worm outgoing detected "; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; flow:established; classtype:misc-activity; sid:2001573; rev:5;)

     -> Modified active in bleeding.rules (3):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 1"; flags:S,12; dsize:24; window:2048; id:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001609; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 1"; flags:S,12; dsize:24; window:2048; id:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001609; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 3"; flags:S,12; dsize:24; window:2048; id:3; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001611; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 3"; flags:S,12; dsize:24; window:2048; id:3; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001611; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 2"; flags:S,12; dsize:24; window:2048; id:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001610; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 2"; flags:S,12; dsize:24; window:2048; id:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001610; rev:2;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (14):
        2001572 || BLEEDING-EDGE Virus Zafi Worm - incoming
        2001573 || BLEEDING-EDGE Virus Zafi Worm outgoing detected
        2001609 || BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 1
        2001610 || BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 2
        2001611 || BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 3
        2001614 || BLEEDING-EDGE Virus PHPInclude.Worm Inbound Attack || url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php
        2001615 || BLEEDING-EDGE Virus PHPInclude.Worm Outbound Attack --LOCAL INFECTION-- || url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php
        2001622 || BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 1
        2001623 || BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 2
        2001624 || BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 3
        2001625 || BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 1
        2001626 || BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 2
        2001627 || BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 3
        2001628 || BLEEDING-EDGE Attack Response Outbound PHP Connection

     -> Added to bleeding-virus.rules (1):
        #Matt Jonkman phpinclude.worm

     -> Added to bleeding.rules (2):
        #By Chris Norton
        #Written by Erik Fichtner

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (7):
        2001572 || Zafi Worm - incoming
        2001573 || Zafi Worm outgoing detected
        2001609 || F5 BIG-IP 3DNS TCP Probe 1
        2001610 || F5 BIG-IP 3DNS TCP Probe 2
        2001611 || F5 BIG-IP 3DNS TCP Probe 3
        2001614 || BLEEDING-EDGE Virus Santy.C Inbound Attack || url,www.k-otik.com/exploits/20041225.SantyC.php
        2001615 || BLEEDING-EDGE Virus Santy.C Outbound Attack --LOCAL INFECTION-- || url,www.k-otik.com/exploits/20041225.SantyC.php

     -> Removed from bleeding-virus.rules (1):
        #Matt Jonkman for .C

[*] Added files: [*]
    None.
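Oinkmaster lists every modified rule as an old:/new: pair, and the report above shows two kinds of change: the Zafi and F5 rules had their rev bumped (4 to 5, 1 to 2), while the Santy.C rules (sids 2001614 and 2001615) got a new msg but kept rev:8. A rule whose text changes without a rev increment is easy to miss in downstream sid-msg.map and rule-management tooling, so the following Python script, added here as an example and not part of this post or of Oinkmaster, parses a report of this shape, re-joins rules that the mail client wrapped across lines, and flags modified rules whose rev did not increase. The report excerpt is constructed from the rules above; the parser assumes Oinkmaster's layout (continuation lines never begin with "->" or "[") and Snort's "\;" escape for a literal semicolon inside an option.

```python
import re

# Constructed excerpt in the shape of the "Modified active rules" section above,
# keeping the mail client's wrapping of the first pair of rules across several lines.
SAMPLE_REPORT = """\
     -> Modified active in bleeding-virus.rules (2):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Virus Santy.C Outbound Attack --LOCAL INFECTION--";
content:"?&cmd=cd%20/tmp\\;wget%20"; nocase; flow:to_server,established; sid:2001615; rev:8;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Virus PHPInclude.Worm Outbound Attack --LOCAL INFECTION--";
content:"?&cmd=cd%20/tmp\\;wget%20"; nocase; flow:to_server,established; sid:2001615; rev:8;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Zafi Worm - incoming "; flow:established; sid:2001572; rev:4;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Zafi Worm - incoming "; flow:established; sid:2001572; rev:5;)
"""
# An entry runs from "old:"/"new:" up to the next entry, "-> file" header, "[banner]", blank line or EOF.
ENTRY = re.compile(r"^\s*(old|new):(.*?)(?=^\s*(?:old:|new:|->|\[)|^\s*$|\Z)", re.S | re.M)
OPTION_SPLIT = re.compile(r"(?<!\\);")  # a ';' that is not escaped as '\;'

def join_wrapped_rules(report):
    """Yield (tag, rule) per old:/new: entry; the wrap and any run of whitespace collapse to one space."""
    for m in ENTRY.finditer(report):
        yield m.group(1), " ".join(m.group(2).split())

def rule_options(rule):
    """Return the options inside (...) as a dict; bare flags such as nocase map to None."""
    opts = {}
    for opt in OPTION_SPLIT.split(rule[rule.index("(") + 1 : rule.rindex(")")]):
        key, sep, value = opt.strip().partition(":")
        if key:
            opts[key.strip()] = value.strip().strip('"') if sep else None
    return opts

def unbumped_revisions(report):
    """Pair each old: with the new: that follows it and return the modified rules whose
    rev did not increase, as (sid, old_rev, new_rev, old_msg, new_msg) tuples."""
    findings, old = [], None
    for tag, rule in join_wrapped_rules(report):
        opts = rule_options(rule)
        if tag == "old":
            old = opts
            continue
        if old is None or old.get("sid") != opts.get("sid"):
            raise ValueError("new: entry for sid %s has no matching old:" % opts.get("sid"))
        if int(opts["rev"]) <= int(old["rev"]):
            findings.append((int(opts["sid"]), int(old["rev"]), int(opts["rev"]), old["msg"], opts["msg"]))
        old = None
    return findings
```

Running `unbumped_revisions(SAMPLE_REPORT)` returns one finding for sid 2001615 (rev 8 to 8) and none for the Zafi rule, whose rev went from 4 to 5.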



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
