[***] Results from Oinkmaster started Tue Feb 15 20:00:04 2005 [***]
[+++] Added rules: [+++]
-> Added to bleeding-exploit.rules (1):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Exploit MS05-005 Office XP Remote Code Attempt";
pcre:"/(\x2ertf|\x2edoc)\x250a.{500,}?/mi"; flow:established,to_server;
classtype:attempted-admin; sid:2001727; rev:2;)
[///] Modified active rules: [///]
-> Modified active in bleeding-virus.rules (1):
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE Virus Trojan-Spy.Win32.Bancos Download";
content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d
11 af af 45 c7 72 ac 5f 3138 d0|"; classtype:trojan-activity; sid:2001726;
rev:1;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE Virus Trojan-Spy.Win32.Bancos Download";
content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d
11 af af 45 c7 72 ac 5f 3138 d0|"; flow:established,from_server;
classtype:trojan-activity; sid:2001726; rev:2;)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-exploit.rules (1):
#By Shirkdog
-> Added to bleeding-sid-msg.map (1):
2001727 || BLEEDING-EDGE Exploit MS05-005 Office XP Remote Code Attempt
-> Added to bleeding-virus.rules (24):
# Akak Trojan
#Submitted by Joe Stewart, Akak Trojan
# Bofra Worm
#submitted by Matt Jonkman, additions by David Maciejak - Bofra Worm
# IE Ilookup Trojan
#Submitted by Joseph Gama, for IE Ilookup Trojan
# IRC Trojan Reporting
#Unknown Writer - IRC Trojan
# Psyme Trojan
#Submitted by Matt Jonkman for the Psyme Trojan
# Agobot/Phatbot
#Taken from lurhq.com
# Zafi Virus
#submitted by Mark Scott, 6/13/2004 for Zafi.B
#submitted by Chris Harrington, for Zafi.D
#submitted by Mark Scott 12/14/2004 for Zafi.D, variant attachments
# MyDoom variants
#Submitted by Matt Jonkman for MyDoom.AH
#Submitted by colforbin5 for MyDoom.AH/I
#From the Netsquid Rules for MyDoom.F
#Submitted by Mark Scott, 1/5/2005, for MyDoom.I
#From the Netsquid Rules for MyDoom/MiMail
#Submitted by Joel Esler for MyDoom.P
#Submitted by Matt Jonkman for MyDoom.S
-> Added to bleeding-web.rules (2):
# Submitted by Chris Norton
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE WEB PHP vBulletin Remote Command Execution Attempt";
flow:established,to_server; uricontent:"forumdisplay.php?"; nocase;
uricontent:"comma="; nocase; classtype:web-application-attack;
reference:bugtraq,12542; rev:1;)
[---] Removed non-rule lines: [---]
-> Removed from bleeding-virus.rules (11):
#Submitted by Joe Stewart
#Matt Jonkman, additions by David Maciejak
#Unknown Writer
#Submitted by colforbin5
# Zafi.D
#added by Mark Scott, Mark.Scott@mtgroup.com, 6/13/2004 for incoming
Zafi.B
#added by Mark Scott, Mark.Scott@mtgroup.com, 6/13/2004 for outgoing
Zafi.B
#by Chris Harrington
#added by Mark Scott 12/14/2004 for Zafi.D, variant .zip attachment
#Submitted by Joel Esler
# MyDoom.I created by Mark Scott, 1/5/2005
[*] Added files: [*]
None.
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
