Subject: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Wed, 2 Feb 2005 20:00:03 -0500 (EST)

[***] Results from Oinkmaster started Wed Feb  2 20:00:03 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-policy.rules (3):
        alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] $HTTP_PORTS 
(msg:"BLEEDING-EDGE MyWebEx Installation"; flow:to_server,established; 
content:"/pc/r.php?AT=RS"; nocase; threshold: type limit, track by_src, count 
1, seconds 30; classtype:policy-violation; 
reference:url,www.mywebexpc.com/how.php; sid:2001713; rev:1;)
        alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] 443 
(msg:"BLEEDING-EDGE MyWebEx Server Traffic"; flow:to_server,established; 
dsize:<50; content:"|17|"; offset:0; depth:1; threshold: type limit,track 
by_src, count 1, seconds 360; classtype:policy-violation; 
reference:url,www.mywebexpc.com/how.php; sid:2001712; rev:1;)
        alert tcp [208.8.81.0/24,64.68.96.0/19] 443 -> $HOME_NET any 
(msg:"BLEEDING-EDGE MyWebEx Incoming Connection"; flow:to_client,established; 
content:"|16 03|"; offset:0; depth:2; content:"Comodo"; nocase; depth:240; 
content:"accessanywhere.com"; nocase; offset:592; depth:48; 
classtype:policy-violation; reference:url,www.mywebexpc.com/how.php; 
sid:2001714; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (9):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware PeopleOnPage Ping"; content:"POST /s/l/firstping"; 
offset:0; depth:19; nocase; content:"Host\: srv.peopleonpage.com"; nocase; 
reference:url,www.peopleonpage.com; 
reference:url,www.safer-networking.org/en/threats/602.html; 
classtype:policy-violation; flow:to_server,established; sid:2001446; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware PeopleOnPage Ping"; content:"POST "; offset:0; 
depth:5; nocase; content:"/s/l/firstping"; within:100; nocase; content:"Host\: 
srv.peopleonpage.com"; nocase; reference:url,www.peopleonpage.com; 
reference:url,www.safer-networking.org/en/threats/602.html; 
classtype:policy-violation; flow:to_server,established; sid:2001446; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware TopMoxie Reporting Data to External Host"; 
classtype:trojan-activity; reference:url,www.topmoxie.com; content:"POST 
/downloads/record_download.asp"; nocase; flow:to_server,established; 
sid:2000588; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware TopMoxie Reporting Data to External Host"; 
classtype:trojan-activity; reference:url,www.topmoxie.com; content:"POST "; 
nocase; content:"/downloads/record_download.asp"; nocase; 
flow:to_server,established; sid:2000588; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Abox Install Report"; content:"GET 
/new_install?id="; offset:25; depth:25; nocase; content:"&time="; nocase; 
content:"Host\: 209.58.80.244"; nocase; classtype:trojan-activity; 
flow:to_server,established; sid:2001441; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Abox Install Report"; content:"GET "; nocase; 
offset:0; depth:4; content:"/new_install?id="; within:100; nocase; 
content:"&time="; nocase; content:"Host\: 209.58.80.244"; nocase; 
classtype:trojan-activity; flow:to_server,established; sid:2001441; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware PeopleOnPage Install"; content:"GET /install/pop"; 
offset:0; depth:16; nocase; content:"Host\: www.peopleonpage.com"; nocase; 
reference:url,www.peopleonpage.com; 
reference:url,www.safer-networking.org/en/threats/602.html; 
classtype:policy-violation; flow:to_server,established; sid:2001445; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware PeopleOnPage Install"; content:"GET "; offset:0; 
depth:4; nocase; content:"/install/pop"; within:100; nocase; content:"Host\: 
www.peopleonpage.com"; nocase; reference:url,www.peopleonpage.com; 
reference:url,www.safer-networking.org/en/threats/602.html; 
classtype:policy-violation; flow:to_server,established; sid:2001445; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Statblaster.MemoryWatcher Download"; content:"GET 
/memorywatcher.exe"; offset:0; depth:22; nocase; content:"Host\: 
www.memorywatcher.com"; nocase; classtype:trojan-activity; 
reference:url,www.memorywatcher.com/eula.aspx; flow:to_server,established; 
sid:2001442; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Statblaster.MemoryWatcher Download"; content:"GET 
"; offset:0; depth:4; nocase; content:"/memorywatcher.exe"; within:100; nocase; 
content:"Host\: www.memorywatcher.com"; nocase; classtype:trojan-activity; 
reference:url,www.memorywatcher.com/eula.aspx; flow:to_server,established; 
sid:2001442; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Virtumonde Spyware Information Post"; content:"POST 
/"; nocase; content:"e_g_StatisticsUploadDelay"; nocase; 
content:"g_AffiliateID"; nocase; content:"virtumonde.com"; 
flow:to_server,established; classtype:trojan-activity; 
reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000308; 
rev:6;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Virtumonde Spyware Information Post"; content:"POST 
"; nocase; content:"e_g_StatisticsUploadDelay"; nocase; 
content:"g_AffiliateID"; nocase; content:"virtumonde.com"; 
flow:to_server,established; classtype:trojan-activity; 
reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; sid:2000308; 
rev:7;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Gator/Claria Data Submission"; content:"POST 
/gs_trickler" ;depth:32; nocase; classtype:policy-violation; 
flow:to_server,established; sid:2000596; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Gator/Claria Data Submission"; content:"POST "; 
offset:0; depth:5; nocase; content:"/gs_trickler"; within:100; nocase; 
classtype:policy-violation; flow:to_server,established; sid:2000596; rev:5;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware MediaTickets Download"; content:"GET 
/MediaTicketsInstaller.cab"; offset:0; depth:30; nocase; content:"Host\: 
www.mt-download.com"; classtype:trojan-activity; flow:to_server,established; 
sid:2001448; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware MediaTickets Download"; content:"GET "; offset:0; 
depth:4; nocase; content:"/MediaTicketsInstaller.cab"; within:100; nocase; 
content:"Host\: www.mt-download.com"; classtype:trojan-activity; 
flow:to_server,established; sid:2001448; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; content:"GET 
/WildApp.cab"; offset:0; depth:16; nocase; content:"Host\: 
download.overpro.com"; nocase; reference:url,www.wildarcade.com; 
flow:to_server,established; classtype:trojan-activity; sid:2001444; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; content:"GET "; 
nocase; offset:0; depth:4; content:"/WildApp.cab"; within:100; nocase; 
content:"Host\: download.overpro.com"; nocase; 
reference:url,www.wildarcade.com; flow:to_server,established; 
classtype:trojan-activity; sid:2001444; rev:4;)

     -> Modified active in bleeding-policy.rules (4):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Hotmail Compose Message Submit"; content:"POST 
/cgi-bin/premail"; nocase; content:"hotmail.msn.com"; nocase; 
flow:to_server,established; classtype: policy-violation; sid:2000038; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Hotmail Compose Message Submit"; uricontent:"POST "; 
nocase; uricontent:"/cgi-bin/premail"; nocase; content:"hotmail.msn.com"; 
nocase; flow:to_server,established; classtype: policy-violation; sid:2000038; 
rev:6;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Hotmail Message Access"; uricontent:"GET 
/cgi-bin/getmsg?msg=MSG"; nocase; content:"hotmail.msn.com"; 
flow:to_server,established; classtype: policy-violation; sid:2000036; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Hotmail Message Access"; uricontent:"GET "; nocase; 
uricontent:"/cgi-bin/getmsg?msg=MSG"; nocase; content:"hotmail.msn.com"; 
flow:to_server,established; classtype: policy-violation; sid:2000036; rev:6;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Hotmail Inbox Access"; uricontent:"GET 
/cgi-bin/HoTMaiL?curmbox="; nocase; content:"hotmail.msn.com"; 
flow:to_server,established; classtype: policy-violation; sid:2000035; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Hotmail Inbox Access"; uricontent:"GET "; nocase; 
uricontent:"/cgi-bin/HoTMaiL?curmbox="; nocase; content:"hotmail.msn.com"; 
flow:to_server,established; classtype: policy-violation; sid:2000035; rev:6;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Hotmail Compose Message Access"; uricontent:"GET 
/cgi-bin/compose?"; nocase; content:"curmbox="; nocase; 
content:"hotmail.msn.com"; nocase; flow:to_server,established; classtype: 
policy-violation; sid:2000037; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Hotmail Compose Message Access"; uricontent:"GET "; nocase; 
uricontent:"/cgi-bin/compose?"; nocase; content:"curmbox="; nocase; 
content:"hotmail.msn.com"; nocase; flow:to_server,established; classtype: 
policy-violation; sid:2000037; rev:6;)

     -> Modified active in bleeding-virus.rules (8):
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE 
Virus Santy.B worm variants searching for targets"; content:"GET /search|3f|"; 
nocase; content: "q=inurl|3a|"; nocase; content:".php|3f|"; nocase; within:10; 
pcre:"/&start=\d+/i"; classtype: trojan-activity; flow:to_server,established; 
sid:2001618; rev:2;)
        new: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE 
Virus Santy.B worm variants searching for targets"; content:"GET "; nocase; 
content:"/search|3f|"; nocase; content: "q=inurl|3a|"; nocase; 
content:".php|3f|"; nocase; within:10; pcre:"/&start=\d+/i"; classtype: 
trojan-activity; flow:to_server,established; sid:2001618; rev:3;)
        old: alert TCP $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"Bagle.BJ [alias .AY, .BC] - download attempt"; content:"GET /error.jpg"; 
nocase; reference:url,secunia.com/virus_information/14877/; 
classtype:trojan-activity; flow:established; sid: 2001695; rev:1;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"Bagle.BJ [alias .AY, .BC] - download attempt"; content:"GET "; nocase; 
content:"/error.jpg"; nocase; 
reference:url,secunia.com/virus_information/14877/; threshold:type limit, track 
by_src, count 5, seconds 660; classtype:trojan-activity; flow:established; sid: 
2001695; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"W32/Bagle.z@MM Requesting 5.php"; content:"GET /5.php"; 
reference:mcafee,122415; classtype:trojan-activity; flow:to_server,established; 
sid:2001556; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"W32/Bagle.z@MM Requesting 5.php"; content:"GET "; nocase; 
content:"/5.php"; nocase; reference:mcafee,122415; classtype:trojan-activity; 
flow:to_server,established; sid:2001556; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE W32/Bagle.dldr Trojan - download attempt"; content:"GET 
/zoo.jpg"; nocase; reference:url,secunia.com/virus_information/13085/; 
classtype:misc-activity; flow:established; sid: 2001638; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE W32/Bagle.dldr Trojan - download attempt"; content:"GET "; 
nocase; content:"/zoo.jpg"; nocase; 
reference:url,secunia.com/virus_information/13085/; classtype:misc-activity; 
flow:established; sid: 2001638; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; 
reference:url,isc.sans.org/diary.php?date=2004-08-09; content:"GET /2.jpg"; 
flow:established; classtype:trojan-activity; sid:2001061; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; 
reference:url,isc.sans.org/diary.php?date=2004-08-09; content:"GET "; nocase; 
content:"/2.jpg"; nocase; flow:established; classtype:trojan-activity; 
sid:2001061; rev:7;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE 
Virus Santy.B worm variants serarching for targets (yahoo)"; content:"GET 
/search|3f|"; nocase; content: "p=inurl|3a|"; nocase; content:".php|3f2a|="; 
nocase; within:10; pcre:"/\d+/iR"; content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; 
nocase; pcre:"/\d+/iR"; flow:to_server,established; classtype: trojan-activity; 
sid:2001619; rev:2;)
        new: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE 
Virus Santy.B worm variants serarching for targets (yahoo)"; content:"GET "; 
nocase; content:"/search|3f|"; nocase; content: "p=inurl|3a|"; nocase; 
content:".php|3f2a|="; nocase; within:10; pcre:"/\d+/iR"; 
content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; nocase; pcre:"/\d+/iR"; 
flow:to_server,established; classtype: trojan-activity; sid:2001619; rev:3;)
        old: alert tcp any !$HTTP_PORTS -> any 1639 (msg:"BLEEDING-EDGE WORM 
Bofra Victim Accessing Reactor Page"; classtype:trojan-activity; content:"GET 
/"; nocase; content:"reactor"; nocase; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html; 
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; 
flow:from_client,established; sid:2001430; rev:4;)
        new: alert tcp any !$HTTP_PORTS -> any 1639 (msg:"BLEEDING-EDGE WORM 
Bofra Victim Accessing Reactor Page"; classtype:trojan-activity; content:"GET 
"; nocase; content:"reactor"; nocase; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html; 
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; 
flow:from_client,established; sid:2001430; rev:5;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE 
Virus Santy.B worm variants searching for targets"; content:"GET 
/search|3f|q=inurl|3a2a|.php|3f2a|="; nocase; pcre:"/\d+&start=\d+/iR"; 
classtype: trojan-activity; flow:to_server,established; sid:2001617; rev:2;)
        new: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE 
Virus Santy.B worm variants searching for targets"; content:"GET "; nocase; 
content:"/search|3f|q=inurl|3a2a|.php|3f2a|="; nocase; 
pcre:"/\d+&start=\d+/iR"; classtype: trojan-activity; 
flow:to_server,established; sid:2001617; rev:3;)

     -> Modified active in bleeding-web.rules (1):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: 
"BLEEDING-EDGE Exploit Suspected PHP Injection Attack"; content: "GET /"; 
nocase; content: ".php|3f|"; nocase; within: 64; pcre: 
"/(name=http|cmd=.*(cd|perl|wget|id|uname|t?ftp))/i"; 
flow:to_server,established; classtype: trojan-activity; sid:2001621; rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: 
"BLEEDING-EDGE Exploit Suspected PHP Injection Attack"; content: "GET "; 
nocase; content: ".php|3f|"; nocase; within: 64; pcre: 
"/(name=http|cmd=.*(cd|perl|wget|id|uname|t?ftp))/i"; 
flow:to_server,established; classtype: trojan-activity; sid:2001621; rev:3;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-policy.rules (1):
        # Submitted by Jason Alvarado

     -> Added to bleeding-sid-msg.map (3):
        2001712 || BLEEDING-EDGE MyWebEx Server Traffic || 
url,www.mywebexpc.com/how.php
        2001713 || BLEEDING-EDGE MyWebEx Installation || 
url,www.mywebexpc.com/how.php
        2001714 || BLEEDING-EDGE MyWebEx Incoming Connection || 
url,www.mywebexpc.com/how.php

[*] Added files: [*]
    None.

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs