
| Subject: | [Snort-sigs] Bleedingsnort.com Daily Update |
|---|---|
| Date: | Wed, 20 Apr 2005 20:00:05 -0500 (EST) |
[***] Results from Oinkmaster started Wed Apr 20 20:00:05 2005 [***]
[+++] Added rules: [+++]
2001247 - BLEEDING-EDGE WORM General MSN Worm URL Attempt
(bleeding-virus.rules)
2001846 - BLEEDING-EDGE DOS [ISC] ICMP blind TCP reset DoS guessing attempt
(bleeding-dos.rules)
2001873 - BLEEDING-EDGE EXPLOIT MS Exchange Link State Routing Chunk (maybe
MS05-021) (bleeding-exploit.rules)
2001874 - BLEEDING-EDGE EXPLOIT TCP Reset from MS Exchange after chunked data,
probably crashed it (MS05-021) (bleeding-exploit.rules)
2001875 - BLEEDING-EDGE EXPLOIT MS Exchange chunks accepted
(bleeding-exploit.rules)
2001876 - BLEEDING-EDGE EXPLOIT MS Exchange disliked link state chunk, but
didn't die (MS05-021) (bleeding-exploit.rules)
2001878 - BLEEDING-EDGE WORM General MSN Worm URL Outbound
(bleeding-virus.rules)
2001879 - BLEEDING-EDGE VIRUS Sober-style Ehlo - noalert (bleeding-virus.rules)
2001880 - BLEEDING-EDGE VIRUS Sober-style Ehlo followed by SMTP AUTH - noalert
(bleeding-virus.rules)
2001881 - BLEEDING-EDGE VIRUS Possible Sober virus attachment Outbound
(bleeding-virus.rules)
2001882 - BLEEDING-EDGE DOS ICMP Path MTU lowered below acceptable threshold
(bleeding-dos.rules)
[///] Modified active rules: [///]
2000330 - BLEEDING-EDGE P2P ed2k connection to server (bleeding-p2p.rules)
2000331 - BLEEDING-EDGE P2P ed2k file search (bleeding-p2p.rules)
2000332 - BLEEDING-EDGE P2P ed2k request part (bleeding-p2p.rules)
2000335 - BLEEDING-EDGE P2P Overnet Server Announce (bleeding-p2p.rules)
2000496 - BLEEDING-EDGE DOS Microsoft SMS dos attempt (bleeding-dos.rules)
2001337 - BLEEDING-EDGE Korgo.P offering executable (bleeding-virus.rules)
2001362 - BLEEDING-EDGE DOS MS04-030 Attempted DoS (bleeding-dos.rules)
2001461 - BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs
(bleeding-malware.rules)
2001622 - BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack, phase 1
(bleeding-exploit.rules)
2001640 - BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Traffic
(bleeding-malware.rules)
2001761 - BLEEDING-EDGE MALWARE ABX Toolbar ActiveX Install
(bleeding-malware.rules)
2001836 - BLEEDING-EDGE Web page trying to infect PCs with malware - ISC Diary
(bleeding.rules)
2001850 - BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer Requested
(bleeding-malware.rules)
2001851 - BLEEDING-EDGE MALWARE Thinking Media Spyware User Agent
(bleeding-malware.rules)
2001852 - BLEEDING-EDGE MALWARE 404Search Spyware User Agent
(bleeding-malware.rules)
2001853 - BLEEDING-EDGE MALWARE Easy Search Bar Spyware User Agent
(bleeding-malware.rules)
2001854 - BLEEDING-EDGE MALWARE EZULA Spyware User Agent
(bleeding-malware.rules)
2001855 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent
(bleeding-malware.rules)
2001856 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent
(bleeding-malware.rules)
2001857 - BLEEDING-EDGE MALWARE Enhance My Search Spyware User Agent
(bleeding-malware.rules)
2001858 - BLEEDING-EDGE MALWARE Hotbar Spyware User Agent
(bleeding-malware.rules)
2001859 - BLEEDING-EDGE MALWARE Cool Web Search Spyware User Agent
(bleeding-malware.rules)
2001860 - BLEEDING-EDGE MALWARE Kontiki Spyware User Agent
(bleeding-malware.rules)
2001861 - BLEEDING-EDGE MALWARE Micro-Gaming Spyware User Agent
(bleeding-malware.rules)
2001862 - BLEEDING-EDGE MALWARE Surf Assistant Spyware User Agent
(bleeding-malware.rules)
2001863 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent
(bleeding-malware.rules)
2001864 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent
(bleeding-malware.rules)
2001865 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent
(bleeding-malware.rules)
2001866 - BLEEDING-EDGE MALWARE Smartpops/Mediaload Spyware User Agent
(bleeding-malware.rules)
2001867 - BLEEDING-EDGE MALWARE Search Engine 2000 Spyware User Agent
(bleeding-malware.rules)
2001868 - BLEEDING-EDGE MALWARE SureSeeker Spyware User Agent
(bleeding-malware.rules)
2001869 - BLEEDING-EDGE MALWARE Sidesearch Spyware User Agent
(bleeding-malware.rules)
2001870 - BLEEDING-EDGE MALWARE Surfplayer Spyware User Agent
(bleeding-malware.rules)
2001871 - BLEEDING-EDGE MALWARE Target Saver Spyware User Agent
(bleeding-malware.rules)
2001872 - BLEEDING-EDGE MALWARE Visicom Spyware User Agent
(bleeding-malware.rules)
[///] Modified inactive rules: [///]
2001011 - BLEEDING-EDGE Worm Zincite Probing port 1034 (bleeding-virus.rules)
[---] Disabled rules: [---]
2001723 - BLEEDING-EDGE EXPLOIT ATmaCA PoC for CORE-2004-0819 -- bad PNG
(bleeding-exploit.rules)
[---] Removed rules: [---]
2001333 - BLEEDING-EDGE P2P CHAT Skype VoIP Initialization (bleeding-p2p.rules)
2001846 - BLEEDING-EDGE EXPLOIT [ISC] ICMP blind TCP reset DoS guessing
attempt (bleeding-exploit.rules)
2001847 - BLEEDING-EDGE WORM pictures.php MSN Worm URL Attempt
(bleeding-virus.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-dos.rules (13):
#From Erik Fichtner
# NOTE: If you can, put in a check on offset 20 through 23, as these
# are the source IP of the packet that is supposedly generating
# the traffic that caused the icmp unreach (EG: YOU.) example, if you
# have 192.168.0.0/24, you could put:
# byte_test: 1,=,192,20; byte_test:1,=,168,21; byte_test:1,=,0,22;
# or (even faster) content:"|C0A800|"; offset: 20; depth:23;
# You get the idea. This may well be unnecessary overkill. YMMV.
# From Erik Fichtner:
# alert on pmtu frames with next-hop mtu not 0 (old RFC shortcut) and
# below a sane value, eg 576 bytes. Adjust to taste.
# true RFC791 min = 68, true end-to-end pmtu compatible min = 132.
# real world might even go as high as 1100 bytes min. YMMV.
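The two checks described in Erik Fichtner's comments above, as an added example that is not part of this update or of the Bleeding rules: the per-octet test on the embedded datagram's source address and the next-hop MTU floor, both reimplemented in Python over a constructed ICMP Destination Unreachable message. It assumes the comment's offset convention (offsets counted from the ICMP type byte) and uses hypothetical helper names; `byte_test`/`content` here mimic the Snort options of the same name.

```python
import ipaddress
import struct

# Constructed ICMP Destination Unreachable (type 3), laid out from the type byte,
# which is the offset convention the rule comment uses (assumption):
#   0: type  1: code  2-3: checksum  4-5: unused  6-7: next-hop MTU (code 4 only)
#   8-27: embedded IP header of the offending datagram (src at 20-23, dst at 24-27)
#   28-35: first 8 bytes of that datagram's transport header
def build_unreach(code, next_hop_mtu, inner_src, inner_dst):
    icmp_hdr = struct.pack("!BBHHH", 3, code, 0, 0, next_hop_mtu)
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                           ipaddress.IPv4Address(inner_src).packed,
                           ipaddress.IPv4Address(inner_dst).packed)
    inner_tcp = struct.pack("!HHI", 443, 40000, 0)  # sport, dport, seq
    return icmp_hdr + inner_ip + inner_tcp

_OPS = {"=": lambda a, b: a == b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}

def byte_test(buf, num_bytes, op, value, offset):
    """byte_test:<num_bytes>,<op>,<value>,<offset> on big-endian unsigned data."""
    if offset + num_bytes > len(buf):
        return False
    got = int.from_bytes(buf[offset:offset + num_bytes], "big")
    return _OPS[op](got, value)

def content(buf, pattern, offset, depth):
    """content:"..."; offset:<o>; depth:<d>: pattern must lie within buf[o:o+d]."""
    return pattern in buf[offset:offset + depth]

def inner_src_is_local(buf, network):
    """The comment's per-octet byte_test check, generalised to any /8, /16 or /24."""
    net = ipaddress.IPv4Network(network)
    packed = net.network_address.packed
    return all(byte_test(buf, 1, "=", packed[i], 20 + i)
               for i in range(net.prefixlen // 8))

def inner_src_is_local_content(buf, network):
    """Same check as one content match, e.g. content:"|C0A800|"; offset:20."""
    net = ipaddress.IPv4Network(network)
    prefix = net.network_address.packed[: net.prefixlen // 8]
    return content(buf, prefix, 20, len(prefix))  # depth == len anchors it at 20

def pmtu_too_low(buf, floor=576):
    """Type 3/code 4 whose next-hop MTU (2 bytes at offset 6) is non-zero but below floor."""
    return (byte_test(buf, 1, "=", 3, 0) and byte_test(buf, 1, "=", 4, 1)
            and byte_test(buf, 2, ">", 0, 6) and byte_test(buf, 2, "<", floor, 6))
```

A content depth larger than the pattern length lets the prefix match anywhere later in that window, so the content variant above passes a depth equal to the pattern length to pin it at offset 20.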
-> Added to bleeding-exploit.rules (3):
# since this could be variable length chunks, we can't tell if we had
# enough data to blow the server up or not, so we have to read the
# chicken bones to see if it looks like exchange sh!t the bed or not.
-> Added to bleeding-sid-msg.map (11):
2001247 || BLEEDING-EDGE WORM General MSN Worm URL Attempt ||
url,isc.sans.org/diary.php?date=2005-04-13
2001846 || BLEEDING-EDGE DOS [ISC] ICMP blind TCP reset DoS guessing
attempt || cve,can-2004-0790
2001873 || BLEEDING-EDGE EXPLOIT MS Exchange Link State Routing Chunk
(maybe MS05-021)
2001874 || BLEEDING-EDGE EXPLOIT TCP Reset from MS Exchange after
chunked data, probably crashed it (MS05-021)
2001875 || BLEEDING-EDGE EXPLOIT MS Exchange chunks accepted
2001876 || BLEEDING-EDGE EXPLOIT MS Exchange disliked link state chunk,
but didn't die (MS05-021)
2001878 || BLEEDING-EDGE WORM General MSN Worm URL Outbound ||
url,isc.sans.org/diary.php?date=2005-04-13
2001879 || BLEEDING-EDGE VIRUS Sober-style Ehlo - noalert
2001880 || BLEEDING-EDGE VIRUS Sober-style Ehlo followed by SMTP AUTH -
noalert
2001881 || BLEEDING-EDGE VIRUS Possible Sober virus attachment Outbound
2001882 || BLEEDING-EDGE DOS ICMP Path MTU lowered below acceptable
threshold || url,isc.sans.org/diary.php?date=2005-04-12 ||
url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx ||
cve,CAN-2004-1060
-> Added to bleeding-virus.rules (1):
#Joe Stewart
[---] Removed non-rule lines: [---]
-> Removed from bleeding-exploit.rules (7):
# NOTE: If you can, put in a check on offset 20 through 23, as these
# are the source IP of the packet that is supposedly generating
# the traffic that caused the icmp unreach (EG: YOU.) example, if you
# have 192.168.0.0/24, you could put:
# byte_test: 1,=,192,20; byte_test:1,=,168,21; byte_test:1,=,0,22;
# or (even faster) content:"|C0A800|"; offset: 20; depth:23;
# You get the idea. This may well be unnecessary overkill. YMMV.
-> Removed from bleeding-p2p.rules (1):
#Submitted by Jason Haar
-> Removed from bleeding-sid-msg.map (3):
2001333 || BLEEDING-EDGE P2P CHAT Skype VoIP Initialization
2001846 || BLEEDING-EDGE EXPLOIT [ISC] ICMP blind TCP reset DoS
guessing attempt || cve,can-2004-0790
2001847 || BLEEDING-EDGE WORM pictures.php MSN Worm URL Attempt ||
url,isc.sans.org/diary.php?date=2005-04-13
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs