| Subject: | [Snort-sigs] Bleedingsnort.com Daily Update |
|---|---|
| Date: | Wed, 16 Feb 2005 20:00:04 -0500 (EST) |
[***] Results from Oinkmaster started Wed Feb 16 20:00:03 2005 [***]
[///] Modified active rules: [///]
-> Modified active in bleeding-virus.rules (2):
old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25
(content:"Content-Disposition\: attachment\; filename=";
content:"NlJhIn5GWj4mcjUifkZaMmpGejZpImom"; nocase; within:1280;
flow:established,to_server; msg:"BLEEDING-EDGE VIRUS Sober.F Outbound";
classtype:trojan-activity; sid:2001284; rev:3; )
new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE
VIRUS Sober.F Outbound"; content:"Content-Disposition\: attachment\;
filename="; content:"NlJhIn5GWj4mcjUifkZaMmpGejZpImom"; nocase; within:1280;
flow:established,to_server; classtype:trojan-activity; sid:2001284; rev:3; )
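Review bot: rev stays at 3 in both the old and new form of sid:2001284 even though the rule text differs. The only visible difference is msg moving to the front of the option list, so matching is unchanged, but anything that tracks rules by sid and rev cannot tell the two forms apart. Either bump rev with the reorder or fold the reorder into the next functional change.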
old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25
(content:"Content-Disposition\: attachment\; filename=";
content:"dllygSJ+Rlp2YjEiblZtIm4uJlVtaSJu"; nocase; within:1280;
flow:established,to_server; msg:"BLEEDING-EDGE VIRUS Sober.F Outbound";
classtype:trojan-activity; sid:2001285; rev:3; )
new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE
VIRUS Sober.F Outbound"; content:"Content-Disposition\: attachment\;
filename="; content:"dllygSJ+Rlp2YjEiblZtIm4uJlVtaSJu"; nocase; within:1280;
flow:established,to_server; classtype:trojan-activity; sid:2001285; rev:3; )
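Review bot: in sid:2001285 the nocase modifier is attached to the base64 fragment content:"dllygSJ+Rlp2YjEiblZtIm4uJlVtaSJu", and the same pattern appears in sid:2001284 above. Base64 is case-sensitive, so a case-insensitive match also accepts strings that decode to different bytes and widens the false-positive surface. Suggest dropping nocase from the base64 content; if case tolerance is wanted anywhere it is on the "Content-Disposition\: attachment\; filename=" header match, which currently has none.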
[+++] Added non-rule lines: [+++]
-> Added to bleeding-virus.rules (23):
# Sober
#Taken from the Netsquid Rules for Sober.F
#Submitted by David Maciejak for Sober.J
#Submitted by Mark Scott, 11/19/2004, for Sober.I
# Sobig
#Unknown submitter - Sobig E-F downloading goodies
# Spy.Win32.Bancos Trojan
#Submitted by Matt Jonkman for Spy.Win32.Bancos Trojan
# Webber/Berbew
#Submitted by Michael Sconzo for Webber/Berbew
# Atak Worm
#Submitted by Michael Sconzo for Atak worm
# Bagle variants
#Submitted by Matt Jonkman for Bagel variant 2.jpg
#Submitted by Michael Sconzo for Bagle.AI
#Submitted by Matt Jonkman for Bagle.AQ
#Submitted by Matt Jonkman for Bagle.AV
#Submitted by Mark Scott 01/27/2005 - Bagle.AY, .BJ - Updated 1/31/2005
#Taken from the Netsquid Rules for Bagle.I and other variants
#Submitted by Mark Mcdonagh for W32/Bagle.z@MM
#Submitted by Mark Scott for Bagle Trojan - W32/Bagle.dldr, updated by
Frank Knobbe
#Submitted by Mark Scott for generic Bagle (this seems to trip on most
Bagles)
# Bropia Worm
[---] Removed non-rule lines: [---]
-> Removed from bleeding-virus.rules (10):
#From David Maciejak
#added 11/19/2004 Sober.I - created by Mark Scott
# Sobig E-F downloading goodies
#Submitted by Michael Sconzo
#Submitted by Michael Sconzo
#Submitted by Mark Mcdonagh
#Submitted by Michael Sconzo
#Submitted by Mark Scott
# Bagle Trojan - W32/Bagle.dldr from Mark Scott
#added by Mark Scott 01/27/2005 - Bagle.AY, .BJ - Updated 1/31/2005
[*] Added files: [*]
None.
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs