[Snort-sigs] Bleedingsnort.com Daily Update

Subject: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Tue, 5 Apr 2005 20:00:03 -0500 (EST)

[***] Results from Oinkmaster started Tue Apr  5 20:00:03 2005 [***]

[+++]          Added rules:          [+++]

 2001569 - BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001579 - BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001580 - BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001581 - BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001582 - BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001583 - BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001841 - BLEEDING-EDGE P2P UDP traffic -- Lilkely Limewire (bleeding-p2p.rules)


[///]     Modified active rules:     [///]

 2001837 - BLEEDING-EDGE Suspicious DNS server answer\: 218.38.13.108 (bleeding.rules)


[---]         Disabled rules:        [---]

 2001815 - BLEEDING-EDGE Spambot Suspicious 220 Banner on Local Port (bleeding-malware.rules)


[---]         Removed rules:         [---]

 2001569 - BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection (bleeding-custom.rules)
 2001579 - BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection (bleeding-custom.rules)
 2001580 - BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection (bleeding-custom.rules)
 2001581 - BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection (bleeding-custom.rules)
 2001582 - BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection (bleeding-custom.rules)
 2001583 - BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection (bleeding-custom.rules)
 2001816 - BLEEDING-EDGE ATTACK-RESPONSE .com DNS cache poison attempt (bleeding-attack_response.rules)
 2001817 - BLEEDING-EDGE ATTACK-RESPONSE .net DNS cache poison attempt (bleeding-attack_response.rules)
 2001818 - BLEEDING-EDGE ATTACK-RESPONSE .org DNS cache poison attempt (bleeding-attack_response.rules)
 2001819 - BLEEDING-EDGE ATTACK-RESPONSE .biz DNS cache poison attempt (bleeding-attack_response.rules)
 2001820 - BLEEDING-EDGE ATTACK-RESPONSE .edu DNS cache poison attempt (bleeding-attack_response.rules)
 2001821 - BLEEDING-EDGE ATTACK-RESPONSE .gov DNS cache poison attempt (bleeding-attack_response.rules)
 2001822 - BLEEDING-EDGE ATTACK-RESPONSE .int DNS cache poison attempt (bleeding-attack_response.rules)
 2001823 - BLEEDING-EDGE ATTACK-RESPONSE .mil DNS cache poison attempt (bleeding-attack_response.rules)
 2001824 - BLEEDING-EDGE ATTACK-RESPONSE .info DNS cache poison attempt (bleeding-attack_response.rules)
 2001825 - BLEEDING-EDGE ATTACK-RESPONSE .name DNS cache poison attempt (bleeding-attack_response.rules)
 2001826 - BLEEDING-EDGE ATTACK-RESPONSE .pro DNS cache poison attempt (bleeding-attack_response.rules)
 2001827 - BLEEDING-EDGE ATTACK-RESPONSE .us DNS cache poison attempt (bleeding-attack_response.rules)
 2001828 - BLEEDING-EDGE ATTACK-RESPONSE .ws DNS cache poison attempt (bleeding-attack_response.rules)
 2001829 - BLEEDING-EDGE ATTACK-RESPONSE .museum DNS cache poison attempt (bleeding-attack_response.rules)
 2001830 - BLEEDING-EDGE ATTACK-RESPONSE .tv DNS cache poison attempt (bleeding-attack_response.rules)
 2001831 - BLEEDING-EDGE ATTACK-RESPONSE .uk DNS cache poison attempt (bleeding-attack_response.rules)
 2001832 - BLEEDING-EDGE ATTACK-RESPONSE .de DNS cache poison attempt (bleeding-attack_response.rules)
 2001833 - BLEEDING-EDGE ATTACK-RESPONSE .jp DNS cache poison attempt (bleeding-attack_response.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-scan.rules (1):
        # These are intended to catch new worms and such scanning internally. Careful of falses.

     -> Added to bleeding-sid-msg.map (2):
        2001837 || BLEEDING-EDGE Suspicious DNS server answer\: 218.38.13.108
        2001841 || BLEEDING-EDGE P2P UDP traffic -- Lilkely Limewire

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-attack_response.rules (19):
        # Added 04-02-2005 by Frank Knobbe
        # Following rules were originally created by the fine folks at the SANS
        # Internet Storm Center.
        # Credit goes to: Cody Hatch, Kyle Haugsness, Stephane Nasdrovisky,
        # Tony Carothers
        # These rules attempt to alert on DNS response packets for responsible top
        # level domain servers containing invalid servers. For example, the .com domain
        # is served by a.gtld-servers.net through m.gtld-servers.net. Any DNS response
        # packet claiming that a different name server is responsible for the .com
        # domain is an attempt to poison the querying DNS servers cache.
        # The challenge is to find a single, all encompassing domain. Efforts are under
        # way to write such a rule. These rules below act more as a white list of
        # valid responses and will alert on servers not specifically white-listed.
        ####
        #### THESE RULES ARE CURRENTLY EXPERIMENTAL!  ENABLE AT YOUR OWN RISK!
        ####
        #### Warning: Side effects may include headaches, dry mouth, bloated logs,
        ####          raised blood pressure and abnormal desire for medication.
        ####

     -> Removed from bleeding-custom.rules (3):
        #Collective ideas: These are mostly off by default. You need to decide
        # if and where to run these on your networks. They will cause significant
        # False positives if you just turn them on everywhere. You're been warned.

     -> Removed from bleeding-sid-msg.map (19):
        2001816 || BLEEDING-EDGE ATTACK-RESPONSE .com DNS cache poison attempt
        2001817 || BLEEDING-EDGE ATTACK-RESPONSE .net DNS cache poison attempt
        2001818 || BLEEDING-EDGE ATTACK-RESPONSE .org DNS cache poison attempt
        2001819 || BLEEDING-EDGE ATTACK-RESPONSE .biz DNS cache poison attempt
        2001820 || BLEEDING-EDGE ATTACK-RESPONSE .edu DNS cache poison attempt
        2001821 || BLEEDING-EDGE ATTACK-RESPONSE .gov DNS cache poison attempt
        2001822 || BLEEDING-EDGE ATTACK-RESPONSE .int DNS cache poison attempt
        2001823 || BLEEDING-EDGE ATTACK-RESPONSE .mil DNS cache poison attempt
        2001824 || BLEEDING-EDGE ATTACK-RESPONSE .info DNS cache poison attempt
        2001825 || BLEEDING-EDGE ATTACK-RESPONSE .name DNS cache poison attempt
        2001826 || BLEEDING-EDGE ATTACK-RESPONSE .pro DNS cache poison attempt
        2001827 || BLEEDING-EDGE ATTACK-RESPONSE .us DNS cache poison attempt
        2001828 || BLEEDING-EDGE ATTACK-RESPONSE .ws DNS cache poison attempt
        2001829 || BLEEDING-EDGE ATTACK-RESPONSE .museum DNS cache poison attempt
        2001830 || BLEEDING-EDGE ATTACK-RESPONSE .tv DNS cache poison attempt
        2001831 || BLEEDING-EDGE ATTACK-RESPONSE .uk DNS cache poison attempt
        2001832 || BLEEDING-EDGE ATTACK-RESPONSE .de DNS cache poison attempt
        2001833 || BLEEDING-EDGE ATTACK-RESPONSE .jp DNS cache poison attempt
        2001837 || BLEEDING-EDGE Suspicious DNS aerver answer\: 218.38.13.108


