Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Bleeding Edge Threats Daily Signature Changes

from [bleeding] Network Security [Permanent Link]
Subject: [Snort-sigs] Bleeding Edge Threats Daily Signature Changes
Date: Sun, 28 Jan 2007 20:00:04 +0000 (UTC) 

[***] Results from Oinkmaster started Sun Jan 28 20:00:04 2007 [***]

[+++]          Added rules:          [+++]

 2003330 - BLEEDING-EDGE POLICY Unusually High Client DNS Query Volume -- 
Possible Spambot (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2001742 - BLEEDING-EDGE EXPLOIT Arkeia full remote access without password or 
authentication (bleeding-exploit.rules)
 2002845 - BLEEDING-EDGE EXPLOIT MSSQL Hello Overflow Attempt 
(bleeding-exploit.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source 
(bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING 
(bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  
(bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  
(bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  
(bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  
(bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  
(bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  
(bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  
(bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)


[---]         Disabled rules:        [---]

 2001049 - BLEEDING-EDGE EXPLOIT Buffer Overflow Exploit in Adobe Acrobat 
Reader (bleeding-exploit.rules)
 2001094 - BLEEDING-EDGE EXPLOIT Internet Explorer URL parsing vulnerability 
(bleeding-exploit.rules)
 2001097 - BLEEDING-EDGE EXPLOIT Internet Explorer Object Data Remote Execution 
Vulnerability (bleeding-exploit.rules)
 2001667 - BLEEDING-EDGE EXPLOIT Blahot Worm Infection Reporting in 
(bleeding-exploit.rules)
 2001671 - BLEEDING-EDGE EXPLOIT Blahot Worm Infection Reporting in (to 
blahot.com) (bleeding-exploit.rules)
 2003252 - BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS 
(bleeding.rules)


[---]         Removed rules:         [---]

 2000004 - BLEEDING-EDGE EXPLOIT Microsoft MHTML URL Redirection Attempt 
(bleeding-exploit.rules)
 2000008 - BLEEDING-EDGE EXPLOIT Catalyst 3500 arbitrary command 
(bleeding-exploit.rules)
 2001093 - BLEEDING-EDGE EXPLOIT IE Local zone Shell execution of arbitrary 
code (bleeding-exploit.rules)
 2001687 - BLEEDING-EDGE WORM MySQL bot DNS lookup (bleeding-virus.rules)
 2001688 - BLEEDING-EDGE WORM MySQL bot DNS lookup (bleeding-virus.rules)
 2001690 - BLEEDING-EDGE WORM Potential MySQL bot connecting to IRC server 
(bleeding-virus.rules)
 2001922 - BLEEDING-EDGE VIRUS Mytob.ED email attachment 1 Outbound 
(bleeding-virus.rules)
 2001923 - BLEEDING-EDGE VIRUS Mytob.ED email attachment 2 Outbound 
(bleeding-virus.rules)
 2001924 - BLEEDING-EDGE VIRUS Mytob.ED email attachment 3 Outbound 
(bleeding-virus.rules)
 2001925 - BLEEDING-EDGE VIRUS Mytob.ED email attachment 1 Inbound 
(bleeding-virus.rules)
 2001926 - BLEEDING-EDGE VIRUS Mytob.ED email attachment 2 Inbound 
(bleeding-virus.rules)
 2001927 - BLEEDING-EDGE VIRUS Mytob.ED email attachment 3 Inbound 
(bleeding-virus.rules)
 2001955 - BLEEDING-EDGE VIRUS Win32.Mytob.CU Worm Infection / DNS lookup 
(bleeding-virus.rules)
 2001956 - BLEEDING-EDGE VIRUS Win32.Mytob.CU Worm Infection 
(bleeding-virus.rules)
 2001986 - BLEEDING-EDGE VIRUS Mytob.DI - outbound (bleeding-virus.rules)
 2001987 - BLEEDING-EDGE VIRUS Mytob.DI - incoming (bleeding-virus.rules)
 2002049 - BLEEDING-EDGE VIRUS Mytob.GC - outbound (bleeding-virus.rules)
 2002050 - BLEEDING-EDGE VIRUS Mytob.GC - incoming (bleeding-virus.rules)
 2002053 - BLEEDING-EDGE VIRUS Mytob.HF - outbound (bleeding-virus.rules)
 2002054 - BLEEDING-EDGE VIRUS Mytob.HF - incoming (bleeding-virus.rules)
 2002125 - BLEEDING-EDGE VIRUS Mytob.HE - outbound (bleeding-virus.rules)
 2002126 - BLEEDING-EDGE VIRUS Mytob.HE - incoming (bleeding-virus.rules)
 2002719 - BLEEDING-EDGE VIRUS Mytob.AH SMTP Inbound (aka - 
BQ,AU,BA,F,T-2,T,.gen,AR,-Fam) (bleeding-virus.rules)
 2003001 - BLEEDING-EDGE TROJAN Unknown Trojan Communication (bleeding.rules)
 2003090 - BLEEDING-EDGE CURRENT TROJAN Unknown Bot C&C Traffic Outbound 
(bleeding.rules)
 2003091 - BLEEDING-EDGE CURRENT TROJAN Unknown Bot C&C Traffic Inbound 
(bleeding.rules)
 2003246 - BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter Javascript 
Attempt (URL Inbound) (bleeding-exploit.rules)
 2003247 - BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter Javascript Client 
Request (bleeding-exploit.rules)
 2003248 - BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter URL (inbound) 
(bleeding-exploit.rules)
 2003249 - BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter URL Client 
Request (bleeding-exploit.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 69

     -> Added to bleeding-drop.rules (1):
        #  VERSION 69

     -> Added to bleeding-exploit.rules (2):
        #Disabling. Obsoleted. To be removed later
        #Domain dead

     -> Added to bleeding-sid-msg.map (2):
        2002845 || BLEEDING-EDGE EXPLOIT MSSQL Hello Overflow Attempt || 
bugtraq,5411 || cve,2002-1123
        2003330 || BLEEDING-EDGE POLICY Unusually High Client DNS Query Volume 
-- Possible Spambot

     -> Added to bleeding-virus.rules (2):
        #Experimenting with this idea. When a bot comes up live and starts 
spamming, it
        #  does a massive number of dns queries. This may be an extra way to 
identify infections

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 65

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 65

     -> Removed from bleeding-exploit.rules (7):
        #by Mr Magic Pants
        #Disabling. This will never hit, since the parameters are stripped from 
the uri before the browser makes the request. The request will be for the pdf 
only
        #by mr Magic Pants
        #These are probably higher load, and may false. We should consider 
removing these around the middle of february 2007 if the vuln passes
        #Commenting the first out by default. It's falsing a lot!
        #Disabling. This will never hit, since the parameters are stripped from 
the uri before the browser makes the request. The request will be for the pdf 
only
        #Disabling by default. Long since obsoleted. To be deleted MAJ 12.6.06

     -> Removed from bleeding-sid-msg.map (33):
        2000004 || BLEEDING-EDGE EXPLOIT Microsoft MHTML URL Redirection 
Attempt || url,www.microsoft.com/technet/security/bulletin/MS04-013.mspx || 
cve,CAN-2004-0380
        2000008 || BLEEDING-EDGE EXPLOIT Catalyst 3500 arbitrary command || 
url,www.securityfocus.com/archive/1/141471
        2001093 || BLEEDING-EDGE EXPLOIT IE Local zone Shell execution of 
arbitrary code || 
url,www.securityfocus.com/archive/1/348688/2003-12-31/2004-01-06/0
        2001687 || BLEEDING-EDGE WORM MySQL bot DNS lookup || 
url,isc.sans.org/diary.php?date=2005-01-27
        2001688 || BLEEDING-EDGE WORM MySQL bot DNS lookup || 
url,isc.sans.org/diary.php?date=2005-01-27
        2001690 || BLEEDING-EDGE WORM Potential MySQL bot connecting to IRC 
server || url,isc.sans.org/diary.php?date=2005-01-27
        2001922 || BLEEDING-EDGE VIRUS Mytob.ED email attachment 1 Outbound || 
url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed@mm.html
        2001923 || BLEEDING-EDGE VIRUS Mytob.ED email attachment 2 Outbound || 
url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed@mm.html
        2001924 || BLEEDING-EDGE VIRUS Mytob.ED email attachment 3 Outbound || 
url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed@mm.html
        2001925 || BLEEDING-EDGE VIRUS Mytob.ED email attachment 1 Inbound || 
url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed@mm.html
        2001926 || BLEEDING-EDGE VIRUS Mytob.ED email attachment 2 Inbound || 
url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed@mm.html
        2001927 || BLEEDING-EDGE VIRUS Mytob.ED email attachment 3 Inbound || 
url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed@mm.html
        2001955 || BLEEDING-EDGE VIRUS Win32.Mytob.CU Worm Infection / DNS 
lookup || url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43006
        2001956 || BLEEDING-EDGE VIRUS Win32.Mytob.CU Worm Infection || 
url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43006
        2001986 || BLEEDING-EDGE VIRUS Mytob.DI - outbound || 
url,secunia.com/virus_information/18407/
        2001987 || BLEEDING-EDGE VIRUS Mytob.DI - incoming || 
url,secunia.com/virus_information/18407/
        2002049 || BLEEDING-EDGE VIRUS Mytob.GC - outbound || 
url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default
        2002050 || BLEEDING-EDGE VIRUS Mytob.GC - incoming || 
url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default
        2002053 || BLEEDING-EDGE VIRUS Mytob.HF - outbound || 
url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default
        2002054 || BLEEDING-EDGE VIRUS Mytob.HF - incoming || 
url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default
        2002125 || BLEEDING-EDGE VIRUS Mytob.HE - outbound || 
url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default
        2002126 || BLEEDING-EDGE VIRUS Mytob.HE - incoming || 
url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default
        2002719 || BLEEDING-EDGE VIRUS Mytob.AH SMTP Inbound (aka - 
BQ,AU,BA,F,T-2,T,.gen,AR,-Fam) || 
url,www.symantec.com/avcenter/venc/data/w32.mytob.ah@mm.html
        2002845 || BLEEDING-EDGE EXPLOIT Hello Overflow Attempt || bugtraq,5411 
|| cve,2002-1123
        2003001 || BLEEDING-EDGE TROJAN Unknown Trojan Communication
        2003090 || BLEEDING-EDGE CURRENT TROJAN Unknown Bot C&C Traffic Outbound
        2003091 || BLEEDING-EDGE CURRENT TROJAN Unknown Bot C&C Traffic Inbound
        2003246 || BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter 
Javascript Attempt (URL Inbound) || url,secunia.com/advisories/23483/
        2003247 || BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter 
Javascript Client Request || url,secunia.com/advisories/23483/
        2003248 || BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter URL 
(inbound)
        2003249 || BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter URL 
Client Request
        2400004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || 
url,www.spamhaus.org/drop/drop.lasso
        2401004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - 
BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

     -> Removed from bleeding-virus.rules (15):
        #disabling, zone dead
        #disabling for falses, likely no longer relevant
        #Evgeny Pinchuk Mytob 5-9-05
        #Smetona 6-2-05
        #disabling, no longer relevant
        # Mytob.DI
        #Submitted by Mark Scott, 6/5/2005
        # Mytob.GC
        #Submitted by Mark Scott, 6/21/2005, for Mytob.GC
        # Mytob.HF
        #Submitted by Mark Scott, 6/26/2005, for Mytob.HF
        # Mytob.HE
        #Submitted by Mark Scott, 7/8/2005
        # Mytob.AH
        # Submitted by Mark Scott, 2005-12-11

     -> Removed from bleeding.rules (7):
        # Matt Jonkman
        # This is a sngle packet sent out by a bot binary that was submitted
        # If you get a hit on this check out the source system, and let us know 
please
        #  We have yet to figure out what this is. It doesn't get a reply but 
appears important
        #Matt Jonkman
        #Disabling, not new info, need more research
        #A new bot. It appears to have an encrypted or obfucated c&c channel. 
More as we get it, watch ISC for a diary entry and more info


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Bleeding Edge Threats Daily Signature Changes, bleeding
Next by Date:  [Snort-sigs] Bleeding Edge Threats Daily Signature Changes, bleeding
Previous by Thread:  [Snort-sigs] Bleeding Edge Threats Daily Signature Changes, bleeding
Next by Thread:  [Snort-sigs] Bleeding Edge Threats Daily Signature Changes, bleeding
Indexes:  [Date] [Thread] [Top] [All Lists]