
[Snort-sigs] Bleedingsnort.com Daily Update

Date: Thu, 10 Feb 2005 20:00:03 -0500 (EST)

[***] Results from Oinkmaster started Thu Feb 10 20:00:03 2005 [***]

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-exploit.rules (8):
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE 
Exploit CAN-2004-0597 PNG with too big PLTE"; flow: to_client,established; 
flowbits:isset,icolor_png; content: "PLTE"; byte_test: 4,>,768,-8,relative; 
sid:2001721; rev:2;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE 
Exploit CAN-2004-0597 PNG with too big PLTE"; flow: to_client,established; 
flowbits:isset,icolor_png; content: "PLTE"; byte_test: 4,>,768,-8,relative; 
classtype:misc-attack; sid:2001721; rev:3;)
        old: alert tcp any any -> any 139 (msg:"BLEEDING-EDGE Pwdump3e Session 
Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 
52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; 
flow:to_server,established; classtype:suspicious-login; sid:2000565; rev:3;)
        new: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE Pwdump3e 
Session Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 
00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 
68|"; flow:to_server,established; classtype:suspicious-login; sid:2000565; 
rev:4;)
        old: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE Pwdump3e Session 
Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 
52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; 
flow:to_server,established; classtype:suspicious-login; sid:2000566; rev:3;)
        new: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump3e 
Session Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 
00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 
68|"; flow:to_server,established; classtype:suspicious-login; sid:2000566; 
rev:4;)
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE 
Exploit ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow: to_client,established; 
content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 
4,>,256,17,relative;  content: "tRNS"; distance: 4; sid:2001723; rev:1;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE 
Exploit ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow: to_client,established; 
content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 
4,>,256,17,relative;  content: "tRNS"; distance: 4; classtype:misc-attack; 
sid:2001723; rev:2;)
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE 
Exploit CAN-2004-1244 PNG with bad height"; flow: to_client, established; 
content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 
4,>,10000,4,relative; sid:2001719; rev:1;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE 
Exploit CAN-2004-1244 PNG with bad height"; flow: to_client, established; 
content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 
4,>,10000,4,relative; classtype:misc-attack; sid:2001719; rev:2;)
        old: log tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE 
Exploit CAN-2004-0597 PNG with indexed color"; flow: to_client,established; 
content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 
1,=,3,10,relative; flowbits: set,icolor_png; sid:2001720; rev:1;)
        new: log tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE 
Exploit CAN-2004-0597 PNG with indexed color"; flow: to_client,established; 
content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 
1,=,3,10,relative; flowbits: set,icolor_png; classtype:misc-attack; 
sid:2001720; rev:2;)
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE 
Exploit CAN-2004-0597 PNG with too big hIST"; flow: to_client,established; 
flowbits:isset,icolor_png; content: "hIST"; byte_test: 4,>,512,-8,relative; 
sid:2001722; rev:2;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE 
Exploit CAN-2004-0597 PNG with too big hIST"; flow: to_client,established; 
flowbits:isset,icolor_png; content: "hIST"; byte_test: 4,>,512,-8,relative; 
classtype:misc-attack; sid:2001722; rev:3;)
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE 
Exploit CAN-2004-1244 PNG with bad width"; flow: to_client, established; 
content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 
4,>,10000,0,relative; sid:2001718; rev:1;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE 
Exploit CAN-2004-1244 PNG with bad width"; flow: to_client, established; 
content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 
4,>,10000,0,relative; classtype:misc-attack; sid:2001718; rev:2;)
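The PNG rules in bleeding-exploit.rules above express PNG structure purely through byte_test offsets: the IHDR rules anchor on the 8-byte signature plus the 13-byte-length IHDR header and read width (relative offset 0), height (offset 4) and colour type; the PLTE and hIST rules read the 4-byte chunk length that sits 8 bytes before the end of a match on the chunk type. The Python below is an added example, not part of the Bleeding Snort update or of Snort itself: it re-implements those checks with the same thresholds over raw PNG bytes, and includes a small builder for constructed test images so the thresholds and the flowbits gating (PLTE/hIST only count for indexed-colour images) can be exercised offline. The labels it returns, the builder and the sample images are this example's own.

```python
"""Added example: PNG chunk checks mirroring the bleeding-exploit.rules PNG
signatures (sids 2001718-2001723), run over raw PNG bytes."""
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'   # the |8950 4e47 0d0a 1a0a| prefix in the rules


def iter_chunks(data: bytes):
    """Yield (type, payload) for every chunk; raise on a malformed file."""
    if not data.startswith(PNG_SIG):
        raise ValueError('not a PNG: bad signature')
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        # Chunk layout: 4-byte big-endian length, 4-byte type, payload, 4-byte CRC.
        # The length field is what "byte_test: 4,>,N,-8,relative" reads after a
        # content match on the type ("PLTE", "hIST"): 8 bytes back from the end
        # of the 4-byte match is the start of the length.
        length, ctype = struct.unpack('>I4s', data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        if len(payload) != length:
            raise ValueError(f'truncated {ctype!r} chunk')
        yield ctype, payload
        pos += 12 + length


def check_png(data: bytes) -> list:
    """Return a label (after each rule's msg) for every check that fires."""
    hits = []
    chunks = iter_chunks(data)
    ctype, ihdr = next(chunks)
    # The IHDR rules anchor on signature + length 0x0d + "IHDR", so IHDR must be
    # the first chunk and exactly 13 bytes long, as the PNG spec requires.
    if ctype != b'IHDR' or len(ihdr) != 13:
        raise ValueError('first chunk is not a 13-byte IHDR')
    # IHDR data: width(4) height(4) bit depth(1) colour type(1) compression(1)
    # filter(1) interlace(1).  Relative offset 0 in the rules is the first byte
    # after "IHDR", i.e. width; offset 4 is height.
    width, height, _depth, colour = struct.unpack('>IIBB', ihdr[:10])
    if width > 10000:
        hits.append('PNG with bad width')        # sid 2001718
    if height > 10000:
        hits.append('PNG with bad height')       # sid 2001719
    # Colour type 3 = indexed colour.  It sits at IHDR offset 9; the flowbit
    # rule (sid 2001720) tests relative offset 10, which in this layout is the
    # compression-method byte, so confirm that rule fires on a real indexed
    # PNG before relying on the PLTE/hIST rules it gates.
    indexed = colour == 3
    first_after_ihdr = True
    for ctype, payload in chunks:
        if first_after_ihdr:
            # sid 2001723 reads the length 17 bytes past IHDR (13 data + 4 CRC),
            # i.e. of the chunk immediately following IHDR, and expects tRNS.
            if ctype == b'tRNS' and len(payload) > 256:
                hits.append('bad PNG (tRNS)')    # sid 2001723
            first_after_ihdr = False
        if indexed and ctype == b'PLTE' and len(payload) > 768:   # 256 entries * 3
            hits.append('PNG with too big PLTE')  # sid 2001721
        if indexed and ctype == b'hIST' and len(payload) > 512:   # 256 entries * 2
            hits.append('PNG with too big hIST')  # sid 2001722
    return hits


def chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xffffffff
    return struct.pack('>I', len(payload)) + ctype + payload + struct.pack('>I', crc)


def build_png(width=16, height=16, colour=3, extra=()) -> bytes:
    """Constructed test image: IHDR, the given extra (type, payload) chunks, IEND."""
    ihdr = struct.pack('>IIBBBBB', width, height, 8, colour, 0, 0, 0)
    body = b''.join(chunk(t, p) for t, p in extra)
    return PNG_SIG + chunk(b'IHDR', ihdr) + body + chunk(b'IEND', b'')


# Constructed samples, not real captures.
SAMPLES = {
    'benign indexed': build_png(extra=[(b'PLTE', b'\x00' * 768)]),
    'oversized PLTE': build_png(extra=[(b'PLTE', b'\x00' * 771)]),
    'oversized PLTE, truecolour (flowbit never set)':
        build_png(colour=2, extra=[(b'PLTE', b'\x00' * 771)]),
    'bad width': build_png(width=70000, colour=2),
    'oversized tRNS': build_png(extra=[(b'tRNS', b'\x00' * 257)]),
}

if __name__ == '__main__':
    for name, png in SAMPLES.items():
        print(f'{name}: {check_png(png) or "no match"}')
```

The truecolour sample is the one to keep in mind: an oversized PLTE in a non-indexed image produces no hit, exactly as the flowbits:isset gate on sids 2001721 and 2001722 intends, so the whole pair depends on the flowbit rule matching the colour-type byte correctly.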

     -> Modified active in bleeding-policy.rules (1):
        old: alert tcp any any -> any any (msg:"BLEEDING-EDGE CHAT Yahoo IM 
file transfer request"; flow:established; content:"YMSG"; depth:4; nocase; 
content:"|00|M"; depth:2; offset:10; classtype:policy-violation; priority:1; 
sid:2001259; rev:1;)
        new: alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"BLEEDING-EDGE 
CHAT Yahoo IM file transfer request"; flow:established; content:"YMSG"; 
depth:4; nocase; content:"|00|M"; depth:2; offset:10; 
classtype:policy-violation; priority:1; sid:2001259; rev:2;)

     -> Modified active in bleeding-virus.rules (47):
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS 
OUTBOUND Suspicious Email Attachment"; flow:to_server,established; 
content:"Content-Disposition|3A|"; nocase; 
pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR";
 classtype:suspicious-filename-detect; sid:2000562; rev:7;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
VIRUS OUTBOUND Suspicious Email Attachment"; flow:to_server,established; 
content:"Content-Disposition|3A|"; nocase; 
pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR";
 classtype:suspicious-filename-detect; sid:2000562; rev:8;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
Netsky.P Worm detected 
";content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; 
threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; 
classtype:misc-activity; flow:established; sid:2001566; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
Virus Netsky.P Worm detected 
";content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; 
threshold: type limit, track by_src, count 10 , seconds 60 ;nocase; 
classtype:misc-activity; flow:established; sid:2001566; rev:5;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D 
Worm [.cmd, .com, .pif or .bat] - outgoing detected "; 
content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; threshold: type 
limit, track by_src, count 10 , seconds 60 ; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
flow:established; sid:2001601; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
Virus Zafi.D Worm [.cmd, .com, .pif or .bat] - outgoing detected "; 
content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; threshold: type 
limit, track by_src, count 10 , seconds 60 ; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
flow:established; sid:2001601; rev:3;)
        old: alert tcp any any -> any any (msg:"BLEEDING-EDGE VIRUS 
Agobot/Phatbot Infection Successful"; flow:established; content:"221 Goodbye, 
have a good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; 
reference:url,www.lurhq.com/phatbot.html; sid:2000014; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
VIRUS Agobot/Phatbot Infection Successful"; flow:established; content:"221 
Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; 
classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; 
sid:2000014; rev:1;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE 
Virus Santy.B worm variants serarching for targets (yahoo)"; content:"GET "; 
nocase; content:"/search|3f|"; nocase; content: "p=inurl|3a|"; nocase; 
content:".php|3f2a|="; nocase; within:10; pcre:"/\d+/iR"; 
content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; nocase; pcre:"/\d+/iR"; 
flow:to_server,established; classtype: trojan-activity; sid:2001619; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Virus Santy.B worm variants serarching for targets 
(yahoo)"; content:"GET "; nocase; content:"/search|3f|"; nocase; content: 
"p=inurl|3a|"; nocase; content:".php|3f2a|="; nocase; within:10; 
pcre:"/\d+/iR"; content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; nocase; 
pcre:"/\d+/iR"; flow:to_server,established; classtype: trojan-activity; 
sid:2001619; rev:4;)
        old: alert tcp $HOME_NET any -> any 25 (content:"Content-Disposition\: 
attachment\; filename="; content:"dllygSJ+Rlp2YjEiblZtIm4uJlVtaSJu"; nocase; 
within:1280; flow:established,to_server; msg:"BLEEDING-EDGE VIRUS Sober.F 
Outbound"; classtype:trojan-activity; sid:2001285; rev:2; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 
(content:"Content-Disposition\: attachment\; filename="; 
content:"dllygSJ+Rlp2YjEiblZtIm4uJlVtaSJu"; nocase; within:1280; 
flow:established,to_server; msg:"BLEEDING-EDGE VIRUS Sober.F Outbound"; 
classtype:trojan-activity; sid:2001285; rev:3; )
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE 
Virus Santy.B worm variants searching for targets"; content:"GET "; nocase; 
content:"/search|3f|"; nocase; content: "q=inurl|3a|"; nocase; 
content:".php|3f|"; nocase; within:10; pcre:"/&start=\d+/i"; classtype: 
trojan-activity; flow:to_server,established; sid:2001618; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Virus Santy.B worm variants searching for targets"; 
content:"GET "; nocase; content:"/search|3f|"; nocase; content: "q=inurl|3a|"; 
nocase; content:".php|3f|"; nocase; within:10; pcre:"/&start=\d+/i"; classtype: 
trojan-activity; flow:to_server,established; sid:2001618; rev:4;)
        old: alert tcp any !$HTTP_PORTS -> any 1639:1640 (msg:"BLEEDING-EDGE 
WORM MyDoom.AH Victim Accessing Infected Page"; classtype:trojan-activity; 
flow:established,to_server; content:"/index.htm"; nocase; 
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
 sid:2001428; rev:4;)
        new: alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639:1640 
(msg:"BLEEDING-EDGE WORM MyDoom.AH Victim Accessing Infected Page"; 
classtype:trojan-activity; flow:established,to_server; content:"/index.htm"; 
nocase; 
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
 sid:2001428; rev:6;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi 
Worm outgoing detected "; 
content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; 
threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; 
flow:established; classtype:misc-activity; sid:2001573; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
Virus Zafi Worm outgoing detected "; 
content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; 
threshold: type limit, track by_src, count 10 , seconds 60 ; nocase; 
flow:established; classtype:misc-activity; sid:2001573; rev:6;)
        old: alert ip any any -> any any (msg:"BLEEDING-EDGE Possible CIA 
download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; 
classtype:trojan-activity; sid:2001233; rev:2;)
        new: alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE 
Possible CIA download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; 
classtype:trojan-activity; sid:2001233; rev:3;)
        old: alert tcp $EXTERNAL_NET any -> any 8181 (msg:"BLEEDING-EDGE Virus 
Zafi.d a.exe file upload"; content:"a.exe"; nocase; flow:established; 
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D;
 classtype:trojan-activity; sid:2001594; rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"BLEEDING-EDGE 
Virus Zafi.d a.exe file upload"; content:"a.exe"; nocase; flow:established; 
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D;
 classtype:trojan-activity; sid:2001594; rev:2;)
        old: alert ip $HOME_NET any -> any any (content:"|FE 26 B9 92 CB 12 FC 
FA FF 8E 01 3B D0 05 0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74 03 76|"; 
msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.b"; classtype:trojan-activity; 
sid:2001288; rev:3; )
        new: alert ip $HOME_NET any -> $EXTERNAL_NET any (content:"|FE 26 B9 92 
CB 12 FC FA FF 8E 01 3B D0 05 0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74 
03 76|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.b"; 
classtype:trojan-activity; sid:2001288; rev:4; )
        old: alert tcp any any -> any 6891:6900 (msg:"BLEEDING-EDGE Virus 
Bropia.F Worm Propagation"; content:"|E1 37 A2 BA 6E 5C 63 8B D6 D1 F7 3C BA 13 
16 FD 77 21 5A 5C 17 1B 29 4A 4F 15 A9 29 CF FA 48 3A|"; 
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBROPIA%2EF;
 flow:established,to_server; classtype:misc-attack; sid:2001715; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 6891:6900 
(msg:"BLEEDING-EDGE Virus Bropia.F Worm Propagation"; content:"|E1 37 A2 BA 6E 
5C 63 8B D6 D1 F7 3C BA 13 16 FD 77 21 5A 5C 17 1B 29 4A 4F 15 A9 29 CF FA 48 
3A|"; 
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBROPIA%2EF;
 flow:established,to_server; classtype:misc-attack; sid:2001715; rev:3;)
        old: alert udp $HOME_NET any -> any 8998 (msg:"BLEEDING-EDGE VIRUS 
Sobig.E-F Trojan Site Download Request"; content:"|5c bf 01 29 ca 62 eb f1|"; 
dsize:8; classtype:trojan-activity; sid:2001547; rev:1;)
        new: alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"BLEEDING-EDGE 
VIRUS Sobig.E-F Trojan Site Download Request"; content:"|5c bf 01 29 ca 62 eb 
f1|"; dsize:8; classtype:trojan-activity; sid:2001547; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 
(content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE 
VIRUS Netsky base64 port 25"; classtype:trojan-activity; 
flow:established,to_server; sid:2001283; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 
(content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE 
VIRUS Netsky base64 port 25"; classtype:trojan-activity; 
flow:established,to_server; sid:2001283; rev:5;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE 
Virus Santy.B worm variants searching for targets"; content:"GET "; nocase; 
content:"/search|3f|q=inurl|3a2a|.php|3f2a|="; nocase; 
pcre:"/\d+&start=\d+/iR"; classtype: trojan-activity; 
flow:to_server,established; sid:2001617; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Virus Santy.B worm variants searching for targets"; 
content:"GET "; nocase; content:"/search|3f|q=inurl|3a2a|.php|3f2a|="; nocase; 
pcre:"/\d+&start=\d+/iR"; classtype: trojan-activity; 
flow:to_server,established; sid:2001617; rev:4;)
        old: alert tcp $HOME_NET any -> any 25 (content:"We are sorry your 
UTF-8 encoding is not supported by the server"; nocase; msg:"BLEEDING-EDGE 
VIRUS MyDoom/MIMAIL.R Variant Outbound"; classtype:trojan-activity; 
flow:to_server,established; sid:2001277; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"We are sorry 
your UTF-8 encoding is not supported by the server"; nocase; msg:"BLEEDING-EDGE 
VIRUS MyDoom/MIMAIL.R Variant Outbound"; classtype:trojan-activity; 
flow:to_server,established; sid:2001277; rev:4; )
        old: alert tcp $HOME_NET any -> any 445 (content:"|60 00 00 E0 2E 70 65 
74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky 
message.zip HEX port 445"; classtype:trojan-activity; 
flow:to_server,established; sid:2001281; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (content:"|60 00 00 
E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE 
VIRUS Netsky message.zip HEX port 445"; classtype:trojan-activity; 
flow:to_server,established; sid:2001281; rev:4; )
        old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
MyDoom.I worm - outbound"; content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; 
nocase; reference:url,secunia.com/virus_information/8818/; 
classtype:misc-activity; flow:established; sid:2001672; rev:1;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
Virus MyDoom.I worm - outbound"; 
content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; nocase; 
reference:url,secunia.com/virus_information/8818/; classtype:misc-activity; 
flow:established; sid:2001672; rev:2;)
        old: alert TCP $HOME_NET any -> any 25 (msg:"Bagle.BJ [alias .AY, .BC] 
worm [.cpl extension] - outbound"; 
content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:trojan-activity; sid:2001693; rev:2;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Bagle.BJ [alias 
.AY, .BC] worm [.cpl extension] - outbound"; 
content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:trojan-activity; sid:2001693; rev:3;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
NetSky.C Worm - outgoing detected"; 
content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; threshold: 
type limit, track by_src, count 10 , seconds 60 ;nocase; 
reference:url,secunia.com/virus_information/557/;classtype:misc-activity; 
flow:established; sid:2001591; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
Virus NetSky.C Worm - outgoing detected"; 
content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; threshold: 
type limit, track by_src, count 10 , seconds 60 ;nocase; 
reference:url,secunia.com/virus_information/557/;classtype:misc-activity; 
flow:established; sid:2001591; rev:3;)
        old: alert tcp $HOME_NET any -> any $HTTP_PORTS (content:"User-Agent\: 
beagle_beagle"; flow:to_server,established;  dsize:< 150; msg:"BLEEDING-EDGE 
VIRUS Bagle Worm"; classtype:trojan-activity; sid:2001269; rev:6; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(content:"User-Agent\: beagle_beagle"; flow:to_server,established;  dsize:< 
150; msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; 
sid:2001269; rev:7; )
        old: alert tcp $HOME_NET any -> any 25 (content:"represented in 7-bit 
ASCII"; nocase; content:"Content-Type\: application/octet-stream"; nocase; 
content:"Content-Transfer-Encoding\: base64"; nocase; msg:"BLEEDING-EDGE VIRUS 
MyDoom/MIMAIL.R Outbound 1"; classtype:trojan-activity; 
flow:to_server,established; sid:2001274; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"represented 
in 7-bit ASCII"; nocase; content:"Content-Type\: application/octet-stream"; 
nocase; content:"Content-Transfer-Encoding\: base64"; nocase; 
msg:"BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 1"; 
classtype:trojan-activity; flow:to_server,established; sid:2001274; rev:4; )
        old: alert tcp $HOME_NET any -> any 139 (content:"|60 00 00 E0 2E 70 65 
74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky 
message.zip HEX port 139"; classtype:trojan-activity; 
flow:to_server,established; sid:2001280; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (content:"|60 00 00 
E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE 
VIRUS Netsky message.zip HEX port 139"; classtype:trojan-activity; 
flow:to_server,established; sid:2001280; rev:4; )
        old: alert tcp $HOME_NET any -> any 25 (content:"TVqQAAMAAAAEAAAA"; 
content:"8AALgAAAAAAAAAQ"; distance:2; within:20; content:"UEUA..AEwBAW"; 
content:"DgAA8BCwEHAABQAAAAE"; distance:16; within:40; 
content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; distance:16; 
within:30; msg:"BLEEDING-EDGE VIRUS Outbound W32.Novarg.A worm"; 
classtype:trojan-activity; flow:established; sid:2001273; rev:7; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 
(content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; distance:2; within:20; 
content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; distance:16; within:40; 
content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; distance:16; 
within:30; msg:"BLEEDING-EDGE VIRUS Outbound W32.Novarg.A worm"; 
classtype:trojan-activity; flow:established; sid:2001273; rev:8; )
        old: alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE RXBOT / 
RBOT Exploit Report"; content:"|5D 3A 20|Exploiting|20|IP|3A 20|"; nocase; 
classtype:trojan-activity;  reference:url,www.nitroguard.com/rxbot.html; 
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL;
 flow:established;sid:2001220; rev: 2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE 
RXBOT / RBOT Exploit Report"; content:"|5D 3A 20|Exploiting|20|IP|3A 20|"; 
nocase; classtype:trojan-activity;  
reference:url,www.nitroguard.com/rxbot.html; 
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL;
 flow:established;sid:2001220; rev: 3;)
        old: alert tcp $HOME_NET any -> any 25 (content:"Content-Disposition\: 
attachment\; filename="; content:"NlJhIn5GWj4mcjUifkZaMmpGejZpImom"; nocase; 
within:1280; flow:established,to_server; msg:"BLEEDING-EDGE VIRUS Sober.F 
Outbound"; classtype:trojan-activity; sid:2001284; rev:2; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 
(content:"Content-Disposition\: attachment\; filename="; 
content:"NlJhIn5GWj4mcjUifkZaMmpGejZpImom"; nocase; within:1280; 
flow:established,to_server; msg:"BLEEDING-EDGE VIRUS Sober.F Outbound"; 
classtype:trojan-activity; sid:2001284; rev:3; )
        old: alert tcp $HOME_NET any -> any any 
(content:"gICAgICAgICAgICAgICAgICAg"; content:"|57 69 6E 64 6F 77 73 2D 31 32 
35 32|"; msg:"BLEEDING-EDGE VIRUS MyDoom.F Worm"; classtype:trojan-activity; 
flow:to_server,established; sid:2001279; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET any 
(content:"gICAgICAgICAgICAgICAgICAg"; content:"|57 69 6E 64 6F 77 73 2D 31 32 
35 32|"; msg:"BLEEDING-EDGE VIRUS MyDoom.F Worm"; classtype:trojan-activity; 
flow:to_server,established; sid:2001279; rev:4; )
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
Netsky.Z Worm - outgoing detected"; 
content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4";
 threshold: type limit, track by_src, count 10 , seconds 60; nocase; 
reference:url,secunia.com/virus_information/8911/;classtype:misc-activity; 
flow:established; sid:2001603; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
Virus Netsky.Z Worm - outgoing detected"; 
content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4";
 threshold: type limit, track by_src, count 10 , seconds 60; nocase; 
reference:url,secunia.com/virus_information/8911/;classtype:misc-activity; 
flow:established; sid:2001603; rev:3;)
        old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagel 
- outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; 
flow:established; classtype:trojan-activity; sid:2001567; rev:4;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
Virus Bagel - outbound"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; 
nocase; flow:established; classtype:trojan-activity; sid:2001567; rev:4;)
        old: alert tcp $HOME_NET any -> any 25 (content:"The message contains 
Unicode characters"; nocase; content:"Content-Type\: application/octet-stream"; 
nocase; content:"Content-Transfer-Encoding\: base64"; nocase; 
msg:"BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 3"; 
classtype:trojan-activity; flow:to_server,established; sid:2001276; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"The message 
contains Unicode characters"; nocase; content:"Content-Type\: 
application/octet-stream"; nocase; content:"Content-Transfer-Encoding\: 
base64"; nocase; msg:"BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 3"; 
classtype:trojan-activity; flow:to_server,established; sid:2001276; rev:4; )
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I Worm 
outbound detected"; 
content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA";
 threshold: type limit, track by_src, count 10 , seconds 60; nocase; 
classtype:misc-activity; flow:established; sid:2001578; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
Sober.I Worm outbound detected"; 
content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA";
 threshold: type limit, track by_src, count 10 , seconds 60; nocase; 
classtype:misc-activity; flow:established; sid:2001578; rev:3;)
        old: alert tcp $HOME_NET any -> any 25 
(content:"|54|VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"; msg:"BLEEDING-EDGE VIRUS 
SWEN.A Worm detected"; classtype:trojan-activity; flow:to_server,established; 
sid:2001268; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 
(content:"|54|VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"; msg:"BLEEDING-EDGE VIRUS 
SWEN.A Worm detected"; classtype:trojan-activity; flow:to_server,established; 
sid:2001268; rev:3;)
        old: alert TCP $HOME_NET any -> any 25 (msg:"Bagle.BJ [alias .AY, .BC] 
worm [.com, exe extensions] - outbound"; 
content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:trojan-activity; sid:2001691; rev:3;)
        new: alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Bagle.BJ [alias 
.AY, .BC] worm [.com, exe extensions] - outbound"; 
content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:trojan-activity; sid:2001691; rev:4;)
        old: alert tcp any any -> any 5554 (msg:"BLEEDING-EDGE Sasser FTP 
exploit attempt"; flow:to_server,established; content:"PORT "; depth:5; 
dsize:>150; classtype:attempted-admin; reference:url,www.lurhq.com/dabber.html; 
sid:2001548; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 5554 (msg:"BLEEDING-EDGE 
Sasser FTP exploit attempt"; flow:to_server,established; content:"PORT "; 
depth:5; dsize:>150; classtype:attempted-admin; 
reference:url,www.lurhq.com/dabber.html; sid:2001548; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 
(content:"7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh";
 msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; 
flow:established; sid:2001270; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 
(content:"7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh";
 msg:"BLEEDING-EDGE VIRUS Bagle Worm"; classtype:trojan-activity; 
flow:established; sid:2001270; rev:4; )
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS 
Probable Zafi Virus Outbound via SMTP"; content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"; 
content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; distance:6; flow:to_server; 
classtype:misc-activity; sid:2000310; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
VIRUS Probable Zafi Virus Outbound via SMTP"; 
content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"; 
content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; distance:6; flow:to_server; 
classtype:misc-activity; sid:2000310; rev:5;)
        old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Zafi.D 
Worm [.zip] - outgoing detected "; 
content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; threshold: 
type limit, track by_src, count 10 , seconds 60 ; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
flow:established; sid:2001599; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
Virus Zafi.D Worm [.zip] - outgoing detected "; 
content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; threshold: 
type limit, track by_src, count 10 , seconds 60 ; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
flow:established; sid:2001599; rev:3;)
        old: alert ip $HOME_NET any -> any any (content:"|28 0E 49 8D B5 17 B9 
6C 4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 BF 93|"; 
msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.a"; classtype:trojan-activity; 
sid:2001287; rev:3; )
        new: alert ip $HOME_NET any -> $EXTERNAL_NET any (content:"|28 0E 49 8D 
B5 17 B9 6C 4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 
BF 93|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.a"; 
classtype:trojan-activity; sid:2001287; rev:4; )
        old: alert tcp $HOME_NET any -> any 25 (content:"pp-app.zip"; 
msg:"BLEEDING-EDGE VIRUS MiMail.P Worm - Mail Attachment"; 
classtype:trojan-activity; flow:to_server,established; sid:2001272; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"pp-app.zip"; 
msg:"BLEEDING-EDGE VIRUS MiMail.P Worm - Mail Attachment"; 
classtype:trojan-activity; flow:to_server,established; sid:2001272; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
VIRUS Possible Atak.mm Worm"; content:"Authorized Resear cher Only"; 
pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; content:"filename="; 
content:".zip"; flow:to_server,established; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html;
 classtype:trojan-activity; sid:2001291; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
VIRUS Possible Atak.mm Worm"; content:"Authorized Researcher Only"; 
pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; content:"filename="; 
content:".zip"; flow:to_server,established; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html;
 classtype:trojan-activity; sid:2001291; rev:4;)
        old: alert tcp any any -> any $HTTP_PORTS (content:"GET 
HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset:0; dsize:37; 
msg:"BLEEDING-EDGE VIRUS W32.Novarg.A SCO DOS"; classtype:trojan-activity; 
flow:to_server,established; sid:2001278; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content:"GET 
HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset:0; dsize:37; 
msg:"BLEEDING-EDGE VIRUS W32.Novarg.A SCO DOS"; classtype:trojan-activity; 
flow:to_server,established; sid:2001278; rev:4; )
        old: alert tcp any !$HTTP_PORTS -> any 1639 (msg:"BLEEDING-EDGE WORM 
Bofra Victim Accessing Reactor Page"; classtype:trojan-activity; content:"GET 
"; nocase; content:"reactor"; nocase; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html;
 
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
 flow:from_client,established; sid:2001430; rev:5;)
        new: alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639 
(msg:"BLEEDING-EDGE WORM Bofra Victim Accessing Reactor Page"; 
classtype:trojan-activity; content:"GET "; nocase; content:"reactor"; nocase; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html;
 
reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631;
 flow:from_client,established; sid:2001430; rev:6;)
        old: alert tcp any any -> 
[194.68.45.50,194.134.7.195,193.109.122.67,213.48.150.13,213.48.150.1,129.27.9.248]
 6667 (msg:"BLEEDING-EDGE WORM Mydoom.ah/i Infection IRC Activity"; threshold: 
type limit, track by_src, count 1, seconds 1800; classtype:trojan-activity; 
sid:2001439; rev:2;)
        new: alert tcp $HOME_NET any -> 
[194.68.45.50,194.134.7.195,193.109.122.67,213.48.150.13,213.48.150.1,129.27.9.248]
 6667 (msg:"BLEEDING-EDGE WORM Mydoom.ah/i Infection IRC Activity"; threshold: 
type limit, track by_src, count 1, seconds 1800; classtype:trojan-activity; 
sid:2001439; rev:3;)
        old: alert tcp $HOME_NET any -> any 25 (content:"Mail transaction 
failed"; nocase; content:"Content-Type\: application/octet-stream"; nocase; 
content:"Content-Transfer-Encoding\: base64"; nocase; msg:"BLEEDING-EDGE VIRUS 
MyDoom/MIMAIL.R Outbound 2"; classtype:trojan-activity; 
flow:to_server,established; sid:2001275; rev:4; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"Mail 
transaction failed"; nocase; content:"Content-Type\: application/octet-stream"; 
nocase; content:"Content-Transfer-Encoding\: base64"; nocase; 
msg:"BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 2"; 
classtype:trojan-activity; flow:to_server,established; sid:2001275; rev:5; )
        old: alert tcp $HOME_NET any -> any 1352 
(content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE 
VIRUS Netsky base64 port 1352"; classtype:trojan-activity; 
flow:to_server,established; sid:2001282; rev:3; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 1352 
(content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE 
VIRUS Netsky base64 port 1352"; classtype:trojan-activity; 
flow:to_server,established; sid:2001282; rev:4; )
        old: alert tcp any any -> any 4321 (msg:"BLEEDING-EDGE Akak trojan 
protocol hello"; content:"|89 13 00 00|"; dsize:4; flow:established,to_server; 
reference:url,www.lurhq.com/akak.html; classtype:trojan-activity; sid:2001236; 
rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 4321 (msg:"BLEEDING-EDGE 
Akak trojan protocol hello"; content:"|89 13 00 00|"; dsize:4; 
flow:established,to_server; reference:url,www.lurhq.com/akak.html; 
classtype:trojan-activity; sid:2001236; rev:2;)

     -> Modified active in bleeding-web.rules (1):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE 
Web IDN url seen.."; flow:established; content: "http"; nocase; content: "|3A 
2F 2F|"; within: 1; distance: 3; pcre:"/&#[0-9]+\;/R"; sid:2001716; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE 
Web IDN url seen.."; flow:established; content: "http"; nocase; content: "|3A 
2F 2F|"; within: 1; distance: 3; pcre:"/&#[0-9]+\;/R"; classtype:misc-activity; 
sid:2001716; rev:2;)

[///]    Modified inactive rules:    [///]

     -> Modified inactive in bleeding-policy.rules (3):
        old: #alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE 
Yahoo Mail Message Send Info Capture"; flow:to_server,established; 
content:"crumb="; nocase; content:"Subject="; nocase; classtype: 
policy-violation; sid:2000045; rev:6;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Yahoo Mail Message Send Info Capture"; 
flow:to_server,established; content:"crumb="; nocase; content:"Subject="; 
nocase; classtype: policy-violation; sid:2000045; rev:7;)
        old: #alert tcp any any <> any any (msg:"BLEEDING-EDGE CHAT Yahoo IM 
message"; flow:established; content:"YMSG"; depth:4; 
classtype:policy-violation; priority:1; sid:2001260; rev:1;)
        new: #alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"BLEEDING-EDGE 
CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; 
classtype:policy-violation; priority:1; sid:2001260; rev:2;)
        old: #alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE 
Yahoo Mail General Page View"; flow:to_server,established; 
uricontent:"/ym/login"; nocase; content:".rand="; nocase; classtype: 
policy-violation; sid:2000341; rev:4;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Yahoo Mail General Page View"; flow:to_server,established; 
uricontent:"/ym/login"; nocase; content:".rand="; nocase; classtype: 
policy-violation; sid:2000341; rev:5;)

     -> Modified inactive in bleeding-virus.rules (1):
        old: #alert tcp $HOME_NET 1024:65535 -> any 1034 (msg:"BLEEDING-EDGE 
Worm Zincite Probing port 1034"; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html;
 flags:S,12; classtype:trojan-activity; sid:2001011; threshold: type threshold, 
track by_src, count 30,seconds 60; rev:6;)
        new: #alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1034 
(msg:"BLEEDING-EDGE Worm Zincite Probing port 1034"; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html;
 flags:S,12; classtype:trojan-activity; sid:2001011; threshold: type threshold, 
track by_src, count 30,seconds 60; rev:7;)

[---]  Disabled and modified rules:  [---]

     -> Disabled and modified in bleeding-virus.rules (2):
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I 
Worm - incoming"; 
content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA";
 nocase; classtype:misc-activity; flow:established; sid:2001577; rev:2;)
        new: #alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 25 
(msg:"BLEEDING-EDGE Sober.I Worm - incoming"; 
content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA";
 nocase; classtype:misc-activity; flow:established; sid:2001577; rev:3;)
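Review bot: the new header for sid:2001577 reads $EXTERNAL_NET any -> $EXTERNAL_NET 25, so source and destination are the same network variable; with $EXTERNAL_NET defined as !$HOME_NET the rule cannot match mail arriving at a local server, which is what the msg "Sober.I Worm - incoming" describes. Every other "- incoming" rule in this report uses $EXTERNAL_NET any -> $HOME_NET 25; suggest the same destination here before the rule is re-enabled.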
        old: alert TCP $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
MyDoom.I worm - inbound"; content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; 
nocase; reference:url,secunia.com/virus_information/8818/; 
classtype:misc-activity; flow:established; sid:2001673; rev:1;)
        new: #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE 
Virus MyDoom.I worm - inbound"; 
content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; nocase; 
reference:url,secunia.com/virus_information/8818/; classtype:misc-activity; 
flow:established; sid:2001673; rev:1;)
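Review bot: sid:2001673 keeps rev:1 although its destination changed from any to $HOME_NET and the rule was commented out; every other modified rule in this report increments rev. Bump it to rev:2 so that Oinkmaster users who merge by sid/rev actually pick up the change.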

[---]         Disabled rules:        [---]

     -> Disabled in bleeding-virus.rules (11):
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus 
Zafi Worm - incoming "; 
content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; 
nocase; classtype:misc-activity; flow:established; sid:2001572; rev:5;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus 
NetSky.C Worm - incoming"; 
content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; nocase; 
reference:url,secunia.com/virus_information/557/; classtype:misc-activity; 
flow:established; sid:2001590; rev:2;)
        #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias .AY, 
.BC] worm [.cpl extension] - incoming"; 
content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:trojan-activity; sid:2001694; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus 
Zafi.D Worm [.zip] - incoming detected "; 
content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
flow:established; sid:2001598; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus 
Netsky.Z Worm - incoming detected"; 
content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4";
 nocase; reference:url,secunia.com/virus_information/8911/; 
classtype:misc-activity; flow:established; sid:2001602; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"BLEEDING-EDGE WORM 
RBOT inbound Bestfriends.scr"; content:"http"; nocase; 
content:"bestfriends.scr"; within:80; nocase; classtype:trojan-activity; 
flow:established; sid:2001367; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus 
VBSun.A Tsunami Scam Worm INCOMING"; content:"Tsunami Donation! Please help!"; 
nocase; content:"Please help us with your donation and view the attachment 
below!"; nocase; content:"filename="; nocase; content:"tsunami.exe"; nocase; 
classtype:trojan-activity; 
reference:url,www.sophos.com/virusinfo/articles/vbsuna.html; 
flow:established,to_server; sid:2001680; rev:2;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus 
Zafi.D Worm [.cmd, .com, .pif or .bat] - incoming detected "; 
content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; nocase; 
reference:url,secunia.com/virus_information/13874/; classtype:misc-activity; 
flow:established; sid:2001600; rev:2;)
        #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus 
Bagel - incoming"; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; 
classtype:trojan-activity; flow:established; sid:2001568; rev:4;)
        #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias .AY, 
.BC] worm [.com, .exe extensions] - incoming"; 
content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:trojan-activity; sid:2001692; rev:3;)
        #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus 
Netsky.P Worm - incoming "; 
content:"AAAAAAYAAAAA4fug4AtAnNIbgBTM0hV2luZG93cyBQcm9ncmFtDQokUEUA"; nocase; 
flow:established; classtype:misc-activity; sid:2001565; rev:4;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-exploit.rules (1):
        #Erik Fichtner

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-exploit.rules (1):
        #Erik Fichtner and Paul Jaramillo

[*] Added files: [*]
    None.



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
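Almost every change in this update is the same mechanical edit: a bare "any" endpoint replaced by $HOME_NET or $EXTERNAL_NET, a missing classtype added, and rev incremented. Those are invariants a rule maintainer can check by script rather than by eye. The following is an added example, not part of Oinkmaster or of the bleedingsnort.com rule set: it pulls the old:/new: pairs out of a report in this format (re-joining lines the mailer wrapped), parses the Snort header and the sid/rev/classtype options, and flags a pair whose rule text changed without a rev bump, a rule with no classtype, a rule whose source and destination are the same network variable, and an endpoint still left as "any". All function names are the example's own; SAMPLE_REPORT is a constructed, abbreviated excerpt modelled on three of the pairs above, with the content strings shortened.

```python
"""Lint an Oinkmaster "old:/new:" rule change report.

Added example for this page, not part of Oinkmaster or the bleedingsnort.com
rule set. SAMPLE_REPORT is a constructed, abbreviated excerpt modelled on the
update above. Assumptions: rules have the plain "action proto src sport dir dst
dport (options)" shape and mail wrapping only breaks a rule at whitespace.
"""
import re

HEADER_RE = re.compile(
    r"^(?P<disabled>#)?\s*(?P<action>alert|log|pass|drop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+"
    r"(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.IGNORECASE | re.DOTALL)
# One option up to its ';', keeping quoted strings and \-escapes (\; \:) whole.
OPTION_RE = re.compile(r'\s*((?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+);')
# A reported rule: from its old:/new: marker to the next marker, an empty line,
# a section header ('[///]', '-> Modified ...') or end of text. A line holding
# only a space inside a wrapped rule (as in this report) stays part of the rule.
RULE_RE = re.compile(
    r"^[ \t]*(old|new):[ \t]*(.*?)"
    r"(?=\n[ \t]*(?:old|new):|\n\n|\n[ \t]*(?:\[[-+*/]|->[ \t])|\Z)",
    re.MULTILINE | re.DOTALL)


def parse_options(opts):
    """Return (name, value) pairs; value is '' for flags such as nocase."""
    pairs = []
    for tok in OPTION_RE.findall(opts):
        name, _, val = tok.partition(":")
        pairs.append((name.strip().lower(), val.strip()))
    return pairs


def parse_rule(text):
    """Header fields plus msg/classtype/sid/rev of one rule, as a dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text[:60])
    opts = dict(parse_options(m["opts"]))  # last occurrence wins; fine for these keys
    return {"disabled": m["disabled"] is not None, "proto": m["proto"].lower(),
            "src": m["src"], "sport": m["sport"], "dst": m["dst"], "dport": m["dport"],
            "msg": opts.get("msg", "").strip('"'), "classtype": opts.get("classtype"),
            "sid": int(opts["sid"]) if "sid" in opts else None,
            "rev": int(opts["rev"]) if "rev" in opts else None,
            "text": " ".join(text.split())}  # whitespace-normalised for change detection


def iter_rule_pairs(report):
    """Yield (old, new) rule dicts, re-joining lines the mail client wrapped."""
    old = None
    for kind, body in RULE_RE.findall(report):
        rule = parse_rule("".join(body.splitlines()))
        if kind == "old":
            old = rule
        elif old is not None:
            yield old, rule
            old = None


def lint_report(report):
    """(sid, problem) for every old/new pair that breaks a maintainer invariant."""
    findings = []
    for old, new in iter_rule_pairs(report):
        sid = new["sid"]
        bumped = None not in (old["rev"], new["rev"]) and new["rev"] > old["rev"]
        if old["text"] != new["text"] and not bumped:
            findings.append((sid, "rule changed but rev not bumped (%s -> %s)"
                             % (old["rev"], new["rev"])))
        if new["classtype"] is None:
            findings.append((sid, "missing classtype"))
        if new["src"] == new["dst"] and new["src"].startswith("$"):
            findings.append((sid, "src and dst are both %s" % new["src"]))
        if "any" in (new["src"].lower(), new["dst"].lower()):
            findings.append((sid, "endpoint still 'any': %s -> %s"
                             % (new["src"], new["dst"])))
    return findings


# Constructed excerpt (content strings shortened) modelled on the update above.
SAMPLE_REPORT = """\
     -> Modified active in bleeding-exploit.rules (1):
        old: alert tcp any any -> any 4321 (msg:"BLEEDING-EDGE Akak trojan
 protocol hello"; content:"|89 13 00 00|"; dsize:4; classtype:trojan-activity; sid:2001236; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 4321 (msg:"BLEEDING-EDGE
 Akak trojan protocol hello"; content:"|89 13 00 00|"; dsize:4; classtype:trojan-activity; sid:2001236; rev:2;)

     -> Disabled and modified in bleeding-virus.rules (2):
        old: alert tcp $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Sober.I
 Worm - incoming"; content:"Mvrl4gAAAA"; nocase; classtype:misc-activity; flow:established; sid:2001577; rev:2;)
        new: #alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE
 Sober.I Worm - incoming"; content:"Mvrl4gAAAA"; nocase; classtype:misc-activity; flow:established; sid:2001577; rev:3;)
        old: alert TCP $EXTERNAL_NET any -> any 25 (msg:"BLEEDING-EDGE Virus
 MyDoom.I worm - inbound"; content:"zSG4AUzNIV"; nocase; classtype:misc-activity; flow:established; sid:2001673; rev:1;)
        new: #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE
 Virus MyDoom.I worm - inbound"; content:"zSG4AUzNIV"; nocase; classtype:misc-activity; flow:established; sid:2001673; rev:1;)
"""

if __name__ == "__main__":
    for sid, problem in lint_report(SAMPLE_REPORT):
        print("sid %s: %s" % (sid, problem))
```

Run against the sample it reports the Sober.I pair (source and destination both $EXTERNAL_NET) and the MyDoom.I pair (text changed, rev still 1) and stays silent on the Akak pair. To lint a real update, feed the whole mail body to lint_report; the option tokenizer keeps backslash escapes such as the \; in the IDN pcre and the \: in the Novarg Host header intact, so those rules parse rather than split in the middle.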
