Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes

from [bleeding] Network Security [Permanent Link]
Subject: [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes
Date: Fri, 23 Feb 2007 15:00:06 +0000 (UTC) 

[***] Results from Oinkmaster started Fri Feb 23 15:00:06 2007 [***]

[+++]          Added rules:          [+++]

 2003415 - BLEEDING-EDGE EXPLOIT Firefox Cookie Manipulation Attempt 
(bleeding-exploit.rules)
 2003424 - BLEEDING-EDGE VIRUS Sality Trojan Web Update (bleeding-virus.rules)
 2003425 - BLEEDING-EDGE MALWARE clickspring.com Spyware Install User-Agent (CS 
Fingerprint Module) (bleeding-malware.rules)
 2003426 - BLEEDING-EDGE MALWARE Outerinfo.com Spyware Checkin 
(bleeding-malware.rules)
 2003427 - BLEEDING-EDGE VIRUS Bagle Worm User-Agent (DEBUT.TMP) 
(bleeding-virus.rules)
 2003428 - BLEEDING-EDGE MALWARE Surfaccuracy.com Spyware Install User-Agent 
(SF Installe) (bleeding-malware.rules)
 2003429 - BLEEDING-EDGE MALWARE xxxtoolbar.com Spyware Install User-Agent 
(bleeding-malware.rules)
 2003430 - BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop Attempt 
(bleeding.rules)
 2003431 - BLEEDING-EDGE TROJAN Unnamed Generic.Malware http get 
(bleeding-virus.rules)
 2003432 - BLEEDING-EDGE TROJAN Nukebot related infection - Unique HTTP get 
request (bleeding-virus.rules)
 2003433 - BLEEDING-EDGE TROJAN Nukebot Checkin (bleeding-virus.rules)
 2003434 - BLEEDING-EDGE EXPLOIT Trend Micro Web Interface Auth Bypass 
Vulnerable Cookie Attempt (bleeding-exploit.rules)
 2003435 - BLEEDING-EDGE TROJAN Stormy Variant HTTP Request 
(bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2001495 - BLEEDING-EDGE MALWARE Outerinfo.com Spyware Install 
(bleeding-malware.rules)
 2001496 - BLEEDING-EDGE MALWARE Outerinfo.com Spyware Advertising Campaign 
Download (bleeding-malware.rules)
 2001497 - BLEEDING-EDGE MALWARE Outerinfo.com Spyware Activity 
(bleeding-malware.rules)
 2003088 - BLEEDING-EDGE VIRUS Sality Trojan User-Agent (KUKU v3.09 exp) 
(bleeding-virus.rules)
 2003413 - BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded 
Exploit traveling to client browser (bleeding.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source 
(bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING 
(bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  
(bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  
(bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  
(bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  
(bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  
(bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  
(bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  
(bleeding-botcc.rules)
 2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)  
(bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)


[---]         Removed rules:         [---]

 2003299 - BLEEDING-EDGE TROJAN Stormy P2P bot C&C Seek Traffic Outbound 
(bleeding-virus.rules)
 2003300 - BLEEDING-EDGE TROJAN Stormy P2P bot C&C Reply Traffic Inbound 
(bleeding-virus.rules)
 2003301 - BLEEDING-EDGE TROJAN Stormy P2P bot C&C Data Traffic Inbound 
(bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 95

     -> Added to bleeding-drop.rules (1):
        #  VERSION 95

     -> Added to bleeding-exploit.rules (2):
        #Issue is fixed by patch, and all http traffic is now redirected to 
https. So anything on this
        # port in the clear using the bad cookie name is suspect. Thanks for 
the reference Jose

     -> Added to bleeding-malware.rules (2):
        #Matt jonkman, from spywarelp data
        #Matt Jonkman form SpywareLP Data

     -> Added to bleeding-sid-msg.map (18):
        2001495 || BLEEDING-EDGE MALWARE Outerinfo.com Spyware Install
        2001496 || BLEEDING-EDGE MALWARE Outerinfo.com Spyware Advertising 
Campaign Download
        2001497 || BLEEDING-EDGE MALWARE Outerinfo.com Spyware Activity
        2003088 || BLEEDING-EDGE VIRUS Sality Trojan User-Agent (KUKU v3.09 
exp) || url,www.sophos.com/security/analyses/w32salityu.html
        2003413 || BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish 
Encoded Exploit traveling to client browser || 
url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/
 || url,isc.sans.org/diary.html?n&storyid=2277 || 
url,asert.arbornetworks.com/2007/02/phpwebguard-and-aspwebguard-attacks/
        2003415 || BLEEDING-EDGE EXPLOIT Firefox Cookie Manipulation Attempt || 
cve,2007-0981
        2003424 || BLEEDING-EDGE VIRUS Sality Trojan Web Update || 
url,www.sophos.com/security/analyses/w32salityu.html
        2003425 || BLEEDING-EDGE MALWARE clickspring.com Spyware Install 
User-Agent (CS Fingerprint Module)
        2003426 || BLEEDING-EDGE MALWARE Outerinfo.com Spyware Checkin
        2003427 || BLEEDING-EDGE VIRUS Bagle Worm User-Agent (DEBUT.TMP)
        2003428 || BLEEDING-EDGE MALWARE Surfaccuracy.com Spyware Install 
User-Agent (SF Installe)
        2003429 || BLEEDING-EDGE MALWARE xxxtoolbar.com Spyware Install 
User-Agent
        2003430 || BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop 
Attempt || url,isc.sans.org/diary.html?n&storyid=2277 || 
url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/
        2003431 || BLEEDING-EDGE TROJAN Unnamed Generic.Malware http get
        2003432 || BLEEDING-EDGE TROJAN Nukebot related infection - Unique HTTP 
get request || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743
        2003433 || BLEEDING-EDGE TROJAN Nukebot Checkin || 
url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743
        2003434 || BLEEDING-EDGE EXPLOIT Trend Micro Web Interface Auth Bypass 
Vulnerable Cookie Attempt || 
url,www.trendmicro.com/download/product.asp?productid=20 || 
url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=477
        2003435 || BLEEDING-EDGE TROJAN Stormy Variant HTTP Request

     -> Added to bleeding-virus.rules (4):
        #No better name for it yet
        #Matt Jonkman, found by axn jxn
        # Advisory by Websense, 
www.websense.com/securitylabs/alerts/alert.php?AlertID=743
        #This one is from what appears to be a typo in the get string right 
after the initial infection

     -> Added to bleeding.rules (2):
        # These are coming in zips asking you to run on the server. This will 
hit on the html coming FROM the infected server to a client browser, NOT the 
zip in transit
        #The email drop is dead, but phishes are still going out with this 
address. If you see it, someone ran the script... follow up!

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 88

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 88

     -> Removed from bleeding-sid-msg.map (8):
        2001495 || BLEEDING-EDGE Malware Outerinfo.com Spyware Install
        2001496 || BLEEDING-EDGE Malware Outerinfo.com Spyware Advertising 
Campaign Download
        2001497 || BLEEDING-EDGE Malware Outerinfo.com Spyware Activity
        2003088 || BLEEDING-EDGE MALWARE W32/Sality || 
url,www.sophos.com/security/analyses/w32salityu.html
        2003299 || BLEEDING-EDGE TROJAN Stormy P2P bot C&C Seek Traffic Outbound
        2003300 || BLEEDING-EDGE TROJAN Stormy P2P bot C&C Reply Traffic Inbound
        2003301 || BLEEDING-EDGE TROJAN Stormy P2P bot C&C Data Traffic Inbound
        2003413 || BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish 
Encoded Exploit traveling to client browser

     -> Removed from bleeding-virus.rules (2):
        #by Bojan Zdrnja
        #Commenting these out. This is edonkey protocol. Altering the wexisting 
edonkey rules to be inclusive


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Bleeding Edge Threats Daily Signature Changes, bleeding
Next by Date:  [Snort-sigs] False positive in GEN:SID 1:3634, Brian Epstein
Previous by Thread:  Re: [Snort-sigs] question on byte_jump, Brian
Next by Thread:  [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding
Indexes:  [Date] [Thread] [Top] [All Lists]