Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Bleedingsnort.com Daily Update

from [bleeding] Network Security [Permanent Link]
Subject: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Fri, 23 Jun 2006 21:00:11 -0400 (EDT) 

[***] Results from Oinkmaster started Fri Jun 23 21:00:11 2006 [***]

[+++]          Added rules:          [+++]

 2002973 - BLEEDING-EDGE Behavioral Unusual Port 3127 traffic, Potential Scan 
or Backdoor (bleeding-scan.rules)
 2002974 - BLEEDING-EDGE TROJAN Backdoor.Hupigon Possible Control Connection 
Being Established (bleeding-virus.rules)
 2002975 - BLEEDING-EDGE TROJAN Backdoor.Hupigon INFECTION - Reporting Host 
Type (bleeding-virus.rules)
 2002976 - BLEEDING-EDGE TROJAN Banker.Delf Infection - Sending Initial Email 
to Owner (bleeding-virus.rules)
 2002977 - BLEEDING-EDGE TROJAN Banload Downloader Infection - Sending initial 
email to owner (bleeding-virus.rules)
 2002978 - BLEEDING-EDGE TROJAN Banker.Delf Infection variant 2 - Sending 
Initial Email to Owner (bleeding-virus.rules)
 2002979 - BLEEDING-EDGE POLICY SC-KeyLog Keylogger Installed - Sending Initial 
Email Report (bleeding-policy.rules)
 2002980 - BLEEDING-EDGE TROJAN Banker.Delf Infection variant 3 - Sending 
Initial Email to Owner (bleeding-virus.rules)
 2002981 - BLEEDING-EDGE TROJAN Banker.Delf Infection variant 4 - Sending 
Initial Email to Owner (bleeding-virus.rules)
 2002982 - BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email 
to Owner - INFECTADO (bleeding-virus.rules)
 2002983 - BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email 
to Owner - SUCCESSO (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2001569 - BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or 
Infection (bleeding-scan.rules)
 2001579 - BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or 
Infection (bleeding-scan.rules)
 2001580 - BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or 
Infection (bleeding-scan.rules)
 2001581 - BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or 
Infection (bleeding-scan.rules)
 2001582 - BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan 
or Infection (bleeding-scan.rules)
 2001583 - BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan 
or Infection (bleeding-scan.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source 
(bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING 
(bleeding-dshield-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-policy.rules (1):
        # This is a commercial product, but we see it very often used in 
malware. Send this email on install

     -> Added to bleeding-sid-msg.map (11):
        2002973 || BLEEDING-EDGE Behavioral Unusual Port 3127 traffic, 
Potential Scan or Backdoor
        2002974 || BLEEDING-EDGE TROJAN Backdoor.Hupigon Possible Control 
Connection Being Established || 
url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html
        2002975 || BLEEDING-EDGE TROJAN Backdoor.Hupigon INFECTION - Reporting 
Host Type || 
url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html
        2002976 || BLEEDING-EDGE TROJAN Banker.Delf Infection - Sending Initial 
Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002977 || BLEEDING-EDGE TROJAN Banload Downloader Infection - Sending 
initial email to owner || 
url,www.viruslist.com/en/viruses/encyclopedia?virusid=95586
        2002978 || BLEEDING-EDGE TROJAN Banker.Delf Infection variant 2 - 
Sending Initial Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002979 || BLEEDING-EDGE POLICY SC-KeyLog Keylogger Installed - Sending 
Initial Email Report || url,www.soft-central.net/keylog.php
        2002980 || BLEEDING-EDGE TROJAN Banker.Delf Infection variant 3 - 
Sending Initial Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002981 || BLEEDING-EDGE TROJAN Banker.Delf Infection variant 4 - 
Sending Initial Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002982 || BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial 
Email to Owner - INFECTADO
        2002983 || BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial 
Email to Owner - SUCCESSO

     -> Added to bleeding-virus.rules (12):
        #Matt Jonkman, analysis from captured binary
        # Don't know a lot about this one. But the control session is 
apparently opened by a 00 00 00 00
        #  Then the bot replies with a packet that begins with the date in form 
such as 20060622, and
        #  among other things contains the host OS info.
        #  Since this is a windos bot, we can assume the word windows will be 
in there.
        #  Hopefully we can update these as more is learned. This is sorta 
crude, but should
        #  be reliable to not false pos at least....
        # This thing send out an email to it's owner with stats and such. This 
ought to catch it..
        #another variant
        #Yet another
        # Regular downloader, usually grabs a fw swf exploiting files from 
brazilian servers. Sends an email on installl
        # General signs of trojan infections....


Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] rule for Non-SSL traffic on SSL port?, Jason Brvenik
Next by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Previous by Thread:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Next by Thread:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Indexes:  [Date] [Thread] [Top] [All Lists]