
| Subject: | [Snort-sigs] Bleedingsnort.com Daily Update |
|---|---|
| Date: | Mon, 21 Feb 2005 20:00:03 -0500 (EST) |
[***] Results from Oinkmaster started Mon Feb 21 20:00:03 2005 [***]
[+++] Added rules: [+++]
-> Added to bleeding-virus.rules (2):
alert tcp $HOME_NET any -> any 11768 (msg:"BLEEDING-EDGE Virus Dipnet
infected host response"; content:"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123";
reference:url,www.lurhq.com/dipnet.html; classtype:trojan-activity;
sid:2001740; rev:1;)
alert tcp $HOME_NET any -> any 15118 (msg:"BLEEDING-EDGE Virus Dipnet
infected host response"; content:"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123";
reference:url,www.lurhq.com/dipnet.html; classtype:trojan-activity;
sid:2001739; rev:1;)
[///] Modified active rules: [///]
-> Modified active in bleeding-malware.rules (2):
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Medis-Motor Related Downloading ast_4_mm.exe";
uricontent:"/dist/ast_4_mm.exe"; nocase; flow:to_server,established;
classtype:trojan-activity; sid:2001413; rev:3;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Medis-Motor Related Downloading ast_4_mm.exe";
uricontent:"/dist/ast_4_mm.exe"; nocase; flow:to_server,established;
classtype:trojan-activity; sid:2001413; rev:4;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable";
content:"/soft/loads/"; nocase; within:5; content:".exe"; nocase;
flow:to_server,established; classtype:trojan-activity; sid:2001412; rev:3;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable";
content:"/soft/loads/"; nocase; within:5; content:".exe"; nocase;
flow:to_server,established; classtype:trojan-activity; sid:2001412; rev:4;)
-> Modified active in bleeding-p2p.rules (2):
old: alert udp any any -> any any (msg:"BLEEDING-EDGE P2P Overnet
Server Announce"; content:"|00000203006c6f63|"; offset:36;
content:"|006263703a2f2f|"; distance:1; classtype:policy-violation; rev:1;
sid:2000335;)
new: alert udp any any -> any any (msg:"BLEEDING-EDGE P2P Overnet
Server Announce"; content:"|00000203006c6f63|"; offset:36;
content:"|006263703a2f2f|"; distance:1; classtype:policy-violation; rev:2;
sid:2000335;)
old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
P2P Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|";
offset:0; depth:6; classtype:policy-violation;threshold: type limit, track
by_dst, count 1 , seconds 600;
reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; sid:2000340;
rev:2;)
new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
P2P Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|";
offset:0; depth:6; classtype:policy-violation;threshold: type limit, track
by_dst, count 1 , seconds 600;
reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; sid:2000340;
rev:3;)
-> Modified active in bleeding-virus.rules (7):
old: alert ip $HOME_NET any -> $EXTERNAL_NET any (content:"|28 0E 49 8D
B5 17 B9 6C 4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7
BF 93|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.a";
classtype:trojan-activity; sid:2001287; rev:4; )
new: alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE
VIRUS W32/Stdbot.worm.a"; content:"|28 0E 49 8D B5 17 B9 6C 4C 70 B5 41 7B 72
C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 BF 93|";
classtype:trojan-activity; sid:2001287; rev:5;)
old: alert tcp $EXTERNAL_NET 6667 -> any any (msg: "BLEEDING-EDGE Virus
Rbot IRC activity - Trying to join IRC"; content:"##r00tGiuSe##";
reference:url,secunia.com/virus_information/11709/; flow:established;
classtype: misc-activity; sid:2001631; rev:1;)
new: alert tcp $EXTERNAL_NET 6667 -> any any (msg: "BLEEDING-EDGE Virus
Rbot IRC INCOMING activity - Trying to join IRC"; content:"##r00tGiuSe##";
reference:url,secunia.com/virus_information/11709/; flow:established;
classtype: misc-activity; sid:2001631; rev:2;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25
(content:"|54|VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"; msg:"BLEEDING-EDGE VIRUS
SWEN.A Worm detected"; classtype:trojan-activity; flow:to_server,established;
sid:2001268; rev:3;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE
VIRUS SWEN.A Worm detected"; content:"|54|VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA";
classtype:trojan-activity; flow:to_server,established; sid:2001268; rev:4;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25
(content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; distance:2; within:20;
content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; distance:16; within:40;
content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; distance:16;
within:30; msg:"BLEEDING-EDGE VIRUS Outbound W32.Novarg.A worm";
classtype:trojan-activity; flow:established; sid:2001273; rev:8; )
new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE
VIRUS Outbound W32.Novarg.A worm"; content:"TVqQAAMAAAAEAAAA";
content:"8AALgAAAAAAAAAQ"; distance:2; within:20; content:"UEUA..AEwBAW";
content:"DgAA8BCwEHAABQAAAAE"; distance:16; within:40;
content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; distance:16;
within:30; classtype:trojan-activity; flow:established; sid:2001273; rev:9; )
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content:"GET
HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset:0; dsize:37;
msg:"BLEEDING-EDGE VIRUS W32.Novarg.A SCO DOS"; classtype:trojan-activity;
flow:to_server,established; sid:2001278; rev:4; )
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE VIRUS W32.Novarg.A SCO DOS"; content:"GET
HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset:0; dsize:37;
classtype:trojan-activity; flow:to_server,established; sid:2001278; rev:5;)
old: alert ip $HOME_NET any -> $EXTERNAL_NET any (content:"|FE 26 B9 92
CB 12 FC FA FF 8E 01 3B D0 05 0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74
03 76|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.b";
classtype:trojan-activity; sid:2001288; rev:4; )
new: alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE
VIRUS W32/Stdbot.worm.b"; content:"|FE 26 B9 92 CB 12 FC FA FF 8E 01 3B D0 05
0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74 03 76|";
classtype:trojan-activity; sid:2001288; rev:5;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg: "BLEEDING-EDGE
Virus Rbot IRC activity - Trying to join IRC"; content:"##r00tGiuSe##";
reference:url,secunia.com/virus_information/11709/; flow:established;
classtype: misc-activity; sid:2001630; rev:1;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg: "BLEEDING-EDGE
Virus Rbot IRC OUTGOING activity - Trying to join IRC";
content:"##r00tGiuSe##"; reference:url,secunia.com/virus_information/11709/;
flow:established; classtype: misc-activity; sid:2001630; rev:2;)
[---] Disabled rules: [---]
-> Disabled in bleeding-virus.rules (1):
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE VIRUS Bagle Variant Requesting 2.jpg";
reference:url,isc.sans.org/diary.php?date=2004-08-09; pcre:"/(GET |GET
(http|https)\:\/\/[-0-9a-z.]*)\/2\.jpg/i"; flow:established;
classtype:trojan-activity; sid:2001061; rev:10;)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-sid-msg.map (4):
2001630 || BLEEDING-EDGE Virus Rbot IRC OUTGOING activity - Trying to
join IRC || url,secunia.com/virus_information/11709/
2001631 || BLEEDING-EDGE Virus Rbot IRC INCOMING activity - Trying to
join IRC || url,secunia.com/virus_information/11709/
2001739 || BLEEDING-EDGE Virus Dipnet infected host response ||
url,www.lurhq.com/dipnet.html
2001740 || BLEEDING-EDGE Virus Dipnet infected host response ||
url,www.lurhq.com/dipnet.html
-> Added to bleeding-virus.rules (44):
# Dipnet
#Submitted by Sven
# CIA
# Evaman Worm
#Taken from the Netsquid Rules
# GDI Exploit
# Korgo Worm
# MiMail Worm
#Submitted by Michael Sconzo and taken from Netsquid
#Taken from Lurhq for MyDoom.m,o
# MySQL Worm
#Submitted by unknown
# Nachi/Phatbot Worm
#Taken from the Netsquid Rules
# Netsky Worm
#Submitted by Mark Scott, 3/11/2004, for NetSky.C
#Submitted by Mark Scott, 3/22/2004, for Netsky.P
#Submitted by Mark Scott, 5/18/2004, for Netsky.Z
#Taken from the Netsquid Rules
# Novarg Worm
#Taken from the Netsquid Rules
# PHPInclude Worm
#Submitted by Matt Jonkman for phpinclude.worm
# Rbot trojan
#Submitted by Mark Scott, 12/27/2004, for robot
#Submitted by Christopher Harrington for RXBOT/RBOT
#Submitted by Jason Alexander for RBOT BestFriends.scr
#Submitted by Chris Norton for Rbot.Gen
#Submitted by James Riden for bot activity
# Santy Worm
#Taken from Dshield for Santy.A
#Submitted Erik Fichtner for Santy.B
# Sasser Worm
#Submitted by Lin Zhong for Sasser variants
#Submitted by unknown
#Submitted by Joe Stewart for Sasser FTP exploit
# Small Trojan
# Stdbot
#Taken from the Netsquid Rules stdbot variants
# Suspicious Extensions
# Swen Worm
#Taken from the Netsquid rules
# VBSun Worm
# Zincite worm
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (2):
2001630 || BLEEDING-EDGE Virus Rbot IRC activity - Trying to join IRC
|| url,secunia.com/virus_information/11709/
2001631 || BLEEDING-EDGE Virus Rbot IRC activity - Trying to join IRC
|| url,secunia.com/virus_information/11709/
-> Removed from bleeding-virus.rules (24):
#Written by Chris Norton
#From the Netsquid Rules
#From Michael Sconzo and Netsquid
# Very crude first draft of rule to detect MySQL worm
#From the Netsquid Rules
#From the Netsquid Rules
#Submitted by Mark Scott, Mark.Scott@mtgroup.com, created 3/22/2004
#added by Mark Scott 3/11/2004 for NetSky.C, updated 3/23/2003
#Submitted by Mark Scott 5/18/2004 for Netsky.Z
#From the Netsquid Rules
#Matt Jonkman phpinclude.worm
#Submitted by Christopher Harrington
#Submitted by Jason Alexander
#Written by Chris Norton
# Investigating Rbot activity - created by Mark Scott, 12/27/2004
#By James Riden
#From Dshield
#By Erik Fichtner
#Submitted by Lin Zhong
# as posted by Joe Stewart
#From the Netsquid Rules
#From the Netsquid rules
#Matt Jonkman
#From Lurhq
[*] Added files: [*]
None.
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
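What the rules in this update actually exercise is a small subset of Snort 2 syntax: content with |hex| escapes, the absolute offset/depth pair (the Kazaa rule), the relative distance modifier (the Overnet rule), and msg/sid/rev/reference, from which the bleeding-sid-msg.map lines at the end are generated. The following Python is an added example written for this page; it is not Bleeding Snort, Oinkmaster or Snort code. It parses exactly that subset, runs the Overnet, Kazaa and Dipnet rules copied from the update against constructed datagrams (not captured traffic), rebuilds the Dipnet sid-msg.map line listed above, and reports which options differ between the old and new Overnet and Rbot rules so that a rev-only bump can be told apart from a real change. Its handling of within (a window of that length starting after distance has been applied) is an assumption about Snort's exact semantics that none of the rules used here depends on.

```python
"""Parser and content matcher for the Snort 2 rule subset used in the update above.
Added example, not Bleeding Snort, Oinkmaster or Snort code.  Supports msg, sid, rev,
reference and content with |hex| escapes plus nocase/offset/depth/distance/within."""
import re

# Rule texts copied from the update above, with the e-mail line wrapping removed.
OVERNET_OLD = ('alert udp any any -> any any (msg:"BLEEDING-EDGE P2P Overnet Server Announce"; '
               'content:"|00000203006c6f63|"; offset:36; content:"|006263703a2f2f|"; '
               'distance:1; classtype:policy-violation; rev:1; sid:2000335;)')
OVERNET_NEW = OVERNET_OLD.replace('rev:1;', 'rev:2;')
KAZAA = ('alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE P2P Kaaza Media '
         'desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; offset:0; depth:6; '
         'classtype:policy-violation;threshold: type limit, track by_dst, count 1 , seconds 600; '
         'reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; sid:2000340; rev:3;)')
DIPNET = ('alert tcp $HOME_NET any -> any 11768 (msg:"BLEEDING-EDGE Virus Dipnet infected host '
          'response"; content:"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123"; '
          'reference:url,www.lurhq.com/dipnet.html; classtype:trojan-activity; sid:2001740; rev:1;)')
RBOT_OLD = ('alert tcp $EXTERNAL_NET 6667 -> any any (msg: "BLEEDING-EDGE Virus Rbot IRC activity - '
            'Trying to join IRC"; content:"##r00tGiuSe##"; reference:url,secunia.com/'
            'virus_information/11709/; flow:established; classtype: misc-activity; sid:2001631; rev:1;)')
RBOT_NEW = RBOT_OLD.replace('IRC activity', 'IRC INCOMING activity').replace('rev:1;', 'rev:2;')

# One option: keyword, optional ':' value (quoted string, or anything up to ';'), then ';'.
OPT_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_options(rule):
    """Return the rule's options as an ordered list of (keyword, value) pairs."""
    body = rule[rule.index('(') + 1:rule.rindex(')')].strip()
    opts, pos = [], 0
    while pos < len(body):
        m = OPT_RE.match(body, pos)
        if not m:
            raise ValueError('unparsable option near %r' % body[pos:pos + 30])
        val = m.group(2).strip() if m.group(2) is not None else None
        if val and val[0] == '"':
            val = val[1:-1]
        opts.append((m.group(1).lower(), val))
        pos = m.end()
    return opts

def decode_content(text):
    """Content string to bytes: |..| blocks are hex, a backslash outside them escapes one char."""
    buf = bytearray()
    for i, part in enumerate(text.split('|')):
        if i % 2:
            buf += bytes.fromhex(part)
        else:
            buf += re.sub(r'\\(.)', r'\1', part).encode('latin-1')
    return bytes(buf)

def content_chain(opts):
    """Group every content option with the modifiers that follow it."""
    chain = []
    for key, val in opts:
        if key == 'content':
            chain.append({'pattern': decode_content(val), 'nocase': False})
        elif key in ('nocase', 'offset', 'depth', 'distance', 'within') and chain:
            chain[-1][key] = True if val is None else int(val)
    return chain

def match_rule(rule, payload):
    """Evaluate the rule's content chain against one payload; offset/depth bound the search
    from the payload start, distance/within relative to the end of the previous match."""
    prev_end = None
    for c in content_chain(parse_options(rule)):
        pat, hay = c['pattern'], payload
        if c['nocase']:
            pat, hay = pat.lower(), payload.lower()
        if prev_end is None or 'offset' in c or 'depth' in c:
            start = c.get('offset', 0)
            stop = start + c['depth'] if 'depth' in c else len(hay)
        else:
            start = prev_end + c.get('distance', 0)
            stop = start + c['within'] if 'within' in c else len(hay)
        idx = hay.find(pat, start, stop)   # the whole pattern must fit inside [start, stop)
        if idx < 0:
            return False
        prev_end = idx + len(pat)
    return True

def sid_msg_line(rule):
    """Build the 'sid || msg || reference ...' line that bleeding-sid-msg.map carries."""
    fields, refs = {}, []
    for key, val in parse_options(rule):
        if key == 'reference':
            refs.append(val)
        elif key in ('sid', 'msg'):
            fields[key] = val
    return ' || '.join([fields['sid'], fields['msg']] + refs)

def changed_options(old_rule, new_rule):
    """Keywords whose value differs between two revisions, ignoring option order and rev."""
    old = {kv for kv in parse_options(old_rule) if kv[0] != 'rev'}
    new = {kv for kv in parse_options(new_rule) if kv[0] != 'rev'}
    return {k for k, _ in old ^ new}

# Constructed sample datagrams (not captured traffic).
OVERNET_PKT = b'\x00' * 36 + b'\x00\x00\x02\x03\x00loc' + b'\x12' + b'\x00bcp://10.0.0.5:4662'
KAZAA_PKT = b'\xe3\x0c\xb0\x01\x02\x03' + b'\x00' * 20
KAZAA_LATE = b'\x00' * 4 + b'\xe3\x0c\xb0' + b'\x00' * 20   # marker present, but ends past depth:6
DIPNET_PKT = b'__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123\r\n'

if __name__ == '__main__':
    for rule, pkt in ((OVERNET_NEW, OVERNET_PKT), (KAZAA, KAZAA_PKT), (KAZAA, KAZAA_LATE), (DIPNET, DIPNET_PKT)):
        print(sid_msg_line(rule).split(' || ')[1], '->', match_rule(rule, pkt))
    print('Overnet rev 1 -> rev 2 changed:', changed_options(OVERNET_OLD, OVERNET_NEW) or 'only rev')
```

Run it as a script to print each verdict. Two points the listing invites checking: changed_options() is empty for the Overnet pair, so that rev bump changed nothing that affects matching, and returns {'msg'} for the Rbot pair, whose INCOMING/OUTGOING relabelling is why the sid-msg.map lines for 2001630 and 2001631 were removed and re-added; and decode_content() on the W32.Novarg.A SCO DOS content (sid 2001278) yields 35 bytes, while that rule also requires offset:0 and dsize:37, so it fires only on a 37-byte request whose first 35 bytes are that string, which is worth confirming against a real MyDoom request before relying on it.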