[***] Results from Oinkmaster started Sat Jun 18 20:00:05 2005 [***]
[+++] Added rules: [+++]
2002022 - BLEEDING-EDGE GotoMyPC poll.gotomypc.com Server Response to Polling
Client OK (bleeding-policy.rules)
2002023 - BLEEDING-EDGE TROJAN IRC USER command (bleeding-virus.rules)
2002024 - BLEEDING-EDGE TROJAN IRC NICK command (bleeding-virus.rules)
2002025 - BLEEDING-EDGE TROJAN IRC JOIN command (bleeding-virus.rules)
2002026 - BLEEDING-EDGE TROJAN IRC PRIVMSG command (bleeding-virus.rules)
2002027 - BLEEDING-EDGE TROJAN IRC PING command (bleeding-virus.rules)
2002028 - BLEEDING-EDGE TROJAN IRC PONG response (bleeding-virus.rules)
2002029 - BLEEDING-EDGE TROJAN BOT - channel topic scan/exploit command
(bleeding-virus.rules)
2002030 - BLEEDING-EDGE TROJAN BOT - potential scan/exploit command
(bleeding-virus.rules)
2002031 - BLEEDING-EDGE TROJAN BOT - potential update/download
(bleeding-virus.rules)
2002032 - BLEEDING-EDGE TROJAN BOT - potential DDoS command
(bleeding-virus.rules)
2002033 - BLEEDING-EDGE TROJAN BOT - potential response (bleeding-virus.rules)
[---] Disabled rules: [---]
2001370 - BLEEDING-EDGE IRC Trojan Reporting (Exploit) (bleeding-virus.rules)
2001371 - BLEEDING-EDGE IRC Trojan Reporting (lsass) (bleeding-virus.rules)
2001372 - BLEEDING-EDGE IRC Trojan Reporting (Scan) (bleeding-virus.rules)
2001373 - BLEEDING-EDGE IRC Trojan Reporting (zombie) (bleeding-virus.rules)
2001786 - BLEEDING-EDGE TROJAN potential update/download IRC Bot command
(bleeding-virus.rules)
2001787 - BLEEDING-EDGE TROJAN IRC Bot scan/exploit command
(bleeding-virus.rules)
2001788 - BLEEDING-EDGE TROJAN IRC Bot DDoS command (bleeding-virus.rules)
2001789 - BLEEDING-EDGE TROJAN Suspicious IRC Bot response
(bleeding-virus.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-policy.rules (1):
#This intends to be a more intelligent version of the old gotomypc
rule, eventually to replace the old if it catches everything
-> Added to bleeding-sid-msg.map (12):
2002022 || BLEEDING-EDGE GotoMyPC poll.gotomypc.com Server Response to
Polling Client OK
2002023 || BLEEDING-EDGE TROJAN IRC USER command
2002024 || BLEEDING-EDGE TROJAN IRC NICK command
2002025 || BLEEDING-EDGE TROJAN IRC JOIN command
2002026 || BLEEDING-EDGE TROJAN IRC PRIVMSG command
2002027 || BLEEDING-EDGE TROJAN IRC PING command
2002028 || BLEEDING-EDGE TROJAN IRC PONG response
2002029 || BLEEDING-EDGE TROJAN BOT - channel topic scan/exploit command
2002030 || BLEEDING-EDGE TROJAN BOT - potential scan/exploit command
2002031 || BLEEDING-EDGE TROJAN BOT - potential update/download
2002032 || BLEEDING-EDGE TROJAN BOT - potential DDoS command
2002033 || BLEEDING-EDGE TROJAN BOT - potential response
-> Added to bleeding-virus.rules (12):
#DISABLING THESE SIGS TEMPORARILY!!! If the new ones below work out
these will be dropped, or left disabled permanently
# These are the new sigs replacing the above
# By Erik Fichtner
# Bleeding-Remix :: irc / ircbot detection state machine
# compiled from various sources.
# thanks to: Joe Stewart of LURHO, Joel Esler, Tomfi.
### Client login process. flowbits needs an OR.
### Client needs to tell the server who they are, join
### join a group, and someone needs to say something to
### someone else.
### Alternate path to is_proto_irc, Catch PING/PONG.
# Bot potty
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
