Network Security: Detailed info on [Snort-sigs] Bleedingsnort.com Daily Update

Subject:	[Snort-sigs] Bleedingsnort.com Daily Update
Date:	Tue, 25 Jul 2006 21:00:12 -0400 (EDT)


[***] Results from Oinkmaster started Tue Jul 25 21:00:12 2006 [***]

[+++]          Added rules:          [+++]

 2003047 - BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi) 
(bleeding-policy.rules)
 2003048 - BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi) 
(bleeding-policy.rules)
 2003049 - BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound [billy] - Possible 
Bot (bleeding-virus.rules)
 2003050 - BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Intbound [billy] 
(bleeding-virus.rules)
 2003051 - BLEEDING-EDGE VIRUS Suspicious SMTP HELO Outbound [billy] - Possible 
Bot (bleeding-virus.rules)
 2003052 - BLEEDING-EDGE VIRUS Suspicious SMTP HELO Intbound [billy] 
(bleeding-virus.rules)
 2003053 - BLEEDING-EDGE VIRUS Suspicious SMTP HELO Inbound [zombie] 
(bleeding-virus.rules)
 2003054 - BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Inbound [zombie] 
(bleeding-virus.rules)
 2003055 - BLEEDING-EDGE MALWARE Suspicious 220 Banner on Local Port 
(bleeding-malware.rules)


[///]     Modified active rules:     [///]

 2002846 - BLEEDING-EDGE WEB Minishare GET Overflow (bleeding-web.rules)
 2003043 - BLEEDING-EDGE VIRUS Suspicious SMTP HELO Outbound [zombie] - 
Possible Bot (bleeding-virus.rules)
 2003044 - BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound [zombie] - 
Possible Bot (bleeding-virus.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (1):
        #by Reg Quinton

     -> Added to bleeding-policy.rules (3):
        #Seeing some bots and proxy evasion apps use these proxy judges to find 
their way out
        #by Scotty Melnick
        #Thresholded like the Windows-User-Agent user agent sig (after 
suggestion from Eduardo)

     -> Added to bleeding-sid-msg.map (11):
        2003043 || BLEEDING-EDGE VIRUS Suspicious SMTP HELO Outbound [zombie] - 
Possible Bot
        2003044 || BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound [zombie] - 
Possible Bot
        2003047 || BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion 
(prxjdg.cgi)
        2003048 || BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion 
(proxyjudge.cgi)
        2003049 || BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound [billy] - 
Possible Bot
        2003050 || BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Intbound [billy]
        2003051 || BLEEDING-EDGE VIRUS Suspicious SMTP HELO Outbound [billy] - 
Possible Bot
        2003052 || BLEEDING-EDGE VIRUS Suspicious SMTP HELO Intbound [billy]
        2003053 || BLEEDING-EDGE VIRUS Suspicious SMTP HELO Inbound [zombie]
        2003054 || BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Inbound [zombie]
        2003055 || BLEEDING-EDGE MALWARE Suspicious 220 Banner on Local Port

     -> Added to bleeding-virus.rules (2):
        #These sigs are for the unique things that spam bots do in how they talk
        #Submitted by Scott Melnick

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-policy.rules (1):
        #Thresholded like the Windows-User-Agent user agent sig (after 
suggestion from Eduardo Horowitz

     -> Removed from bleeding-sid-msg.map (2):
        2003043 || BLEEDING-EDGE VIRUS Suspicious SMTP HELO Outbound
        2003044 || BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] Bleedingsnort.com Daily Update, (continued) [Snort-sigs] Bleedingsnort.com Daily Update, bleeding [Snort-sigs] Bleedingsnort.com Daily Update, bleeding [Snort-sigs] Bleedingsnort.com Daily Update, bleeding [Snort-sigs] Bleedingsnort.com Daily Update, bleeding [Snort-sigs] Bleedingsnort.com Daily Update, bleeding [Snort-sigs] Bleedingsnort.com Daily Update, bleeding [Snort-sigs] Bleedingsnort.com Daily Update, bleeding [Snort-sigs] Bleedingsnort.com Daily Update, bleeding [Snort-sigs] Bleedingsnort.com Daily Update, bleeding [Snort-sigs] Bleedingsnort.com Daily Update, bleeding [Snort-sigs] Bleedingsnort.com Daily Update, bleeding <= [Snort-sigs] Bleedingsnort.com Daily Update, bleeding

Previous by Date:	[Snort-sigs] CN=Marty Bostick/OU=IS/O=PLC is out of the office., Marty . Bostick
Next by Date:	[Snort-sigs] Sourcefire VRT Certified Rules Update, Sourcefire VRT
Previous by Thread:	[Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Next by Thread:	[Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Indexes:	[Date] [Thread] [Top] [All Lists]