Network Security: Detailed info on [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes

Subject:	[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes
Date:	Fri, 16 Mar 2007 11:00:06 -0400 (EDT)


[***] Results from Oinkmaster started Fri Mar 16 11:00:06 2007 [***]

[+++]          Added rules:          [+++]

 2003470 - BLEEDING-EDGE MALWARE Winsoftware.com Spyware User-Agent (Updater) 
(bleeding-malware.rules)
 2003471 - BLEEDING-EDGE Malware Winsoftware.com Spyware Activity 
(bleeding-malware.rules)
 2003472 - BLEEDING-EDGE Malware DelFin Project Spyware (setup-alt) 
(bleeding-malware.rules)
 2003473 - BLEEDING-EDGE Malware DelFin Project Spyware (payload-alt) 
(bleeding-malware.rules)
 2003474 - BLEEDING-EDGE VOIP Asterisk Register with no URI or Version DOS 
Attempt (bleeding-voip.rules)
 2003475 - BLEEDING-EDGE ABC Torrent User-Agent (ABC/ABC-3.1.0) 
(bleeding-p2p.rules)
 2003476 - BLEEDING-EDGE MALWARE Virusblast.com Fake AV/Anti-Spyware User-Agent 
(ad-protect) (bleeding-malware.rules)
 2003477 - BLEEDING-EDGE MALWARE Terminexor.com Spyware User-Agent 
(DInstaller2) (bleeding-malware.rules)
 2003478 - BLEEDING-EDGE MALWARE Errornuker.com Fake Anti-Spyware User-Agent 
(ERRORNUKER) (bleeding-malware.rules)
 2003479 - BLEEDING-EDGE POLICY Radmin Remote Control Session Setup Initiate 
(bleeding-policy.rules)
 2003480 - BLEEDING-EDGE POLICY Radmin Remote Control Session Setup Response 
(bleeding-policy.rules)
 2003481 - BLEEDING-EDGE POLICY Radmin Remote Control Session Authentication 
Initiate (bleeding-policy.rules)
 2003482 - BLEEDING-EDGE POLICY Radmin Remote Control Session Authentication 
Response (bleeding-policy.rules)
 2003484 - BLEEDING-EDGE WORM Allaple Unique HTTP Request - Possibly part of 
DDOS (bleeding-virus.rules)
 2003485 - BLEEDING-EDGE MALWARE Weatherbug Related User-Agent (CFNetwork/) 
(bleeding-malware.rules)
 2003486 - BLEEDING-EDGE MALWARE Drivecleaner.com Spyware User-Agent 
(DriveCleaner Updater) (bleeding-malware.rules)
 2003487 - BLEEDING-EDGE MALWARE url404.com Spyware User-Agent (Httper) 
(bleeding-malware.rules)
 2003489 - BLEEDING-EDGE MALWARE malwarewipeupdate.com Spyware User-Agent 
(MalwareWipe) (bleeding-malware.rules)
 2003490 - BLEEDING-EDGE MALWARE Mirar Spyware User-Agent 
(Mirar_KeywordContent) (bleeding-malware.rules)
 2003491 - BLEEDING-EDGE MALWARE Invalid Mozilla Faked User-Agent 
(Mozila/4.0...) (bleeding.rules)
 2003492 - BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozila/4.0) 
(bleeding.rules)


[///]     Modified active rules:     [///]

 2000328 - BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails 
(bleeding-policy.rules)
 2000586 - BLEEDING-EDGE Malware Ezula Related Calling Home 
(bleeding-malware.rules)
 2001669 - BLEEDING-EDGE WEB Proxy GET Request (bleeding-web.rules)
 2001670 - BLEEDING-EDGE WEB Proxy HEAD Request (bleeding-web.rules)
 2001674 - BLEEDING-EDGE WEB Proxy POST Request (bleeding-web.rules)
 2001675 - BLEEDING-EDGE WEB Proxy CONNECT Request (bleeding-web.rules)
 2001699 - BLEEDING-EDGE Malware YourSiteBar Activity (bleeding-malware.rules)
 2002033 - BLEEDING-EDGE TROJAN BOT - potential response (bleeding-virus.rules)
 2002087 - BLEEDING-EDGE POLICY Inbound Frequent Emails - Possible Spambot 
Inbound (bleeding-policy.rules)
 2002398 - BLEEDING-EDGE MALWARE DelFin Project User Agent 
(bleeding-malware.rules)
 2002816 - BLEEDING-EDGE Malware DelFin Project Spyware (payload) 
(bleeding-malware.rules)
 2002817 - BLEEDING-EDGE Malware DelFin Project Spyware (setup) 
(bleeding-malware.rules)
 2003292 - BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Outbound 
(bleeding-virus.rules)
 2003293 - BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Inbound 
(bleeding-virus.rules)
 2003294 - BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Inbound 
(bleeding-virus.rules)
 2003295 - BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Outbound 
(bleeding-virus.rules)
 2003337 - BLEEDING-EDGE MALWARE Suspcious User Agent (Autoupdate) 
(bleeding-malware.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source 
(bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING 
(bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  
(bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  
(bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  
(bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  
(bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  
(bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  
(bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 124

     -> Added to bleeding-drop.rules (1):
        #  VERSION 124

     -> Added to bleeding-malware.rules (1):
        #Matt Jonkman, from spywarelp data

     -> Added to bleeding-p2p.rules (1):
        #Matt Jonkman, from spywarelp data

     -> Added to bleeding-sid-msg.map (29):
        2001669 || BLEEDING-EDGE WEB Proxy GET Request
        2001670 || BLEEDING-EDGE WEB Proxy HEAD Request
        2001674 || BLEEDING-EDGE WEB Proxy POST Request
        2001675 || BLEEDING-EDGE WEB Proxy CONNECT Request
        2003292 || BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Outbound || 
url,isc.sans.org/diary.html?storyid=2451 || 
url,www.sophos.com/virusinfo/analyses/w32allapleb.html
        2003293 || BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Inbound || 
url,isc.sans.org/diary.html?storyid=2451 || 
url,www.sophos.com/virusinfo/analyses/w32allapleb.html
        2003294 || BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Inbound || 
url,isc.sans.org/diary.html?storyid=2451 || 
url,www.sophos.com/virusinfo/analyses/w32allapleb.html
        2003295 || BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Outbound || 
url,isc.sans.org/diary.html?storyid=2451 || 
url,www.sophos.com/virusinfo/analyses/w32allapleb.html
        2003470 || BLEEDING-EDGE MALWARE Winsoftware.com Spyware User-Agent 
(Updater)
        2003471 || BLEEDING-EDGE Malware Winsoftware.com Spyware Activity
        2003472 || BLEEDING-EDGE Malware DelFin Project Spyware (setup-alt)
        2003473 || BLEEDING-EDGE Malware DelFin Project Spyware (payload-alt)
        2003474 || BLEEDING-EDGE VOIP Asterisk Register with no URI or Version 
DOS Attempt || url,tools.ietf.org/html/rfc3261 || 
url,labs.musecurity.com/advisories/MU-200703-01.txt
        2003475 || BLEEDING-EDGE ABC Torrent User-Agent (ABC/ABC-3.1.0) || 
url,pingpong-abc.sourceforge.net
        2003476 || BLEEDING-EDGE MALWARE Virusblast.com Fake AV/Anti-Spyware 
User-Agent (ad-protect) || url,www.virusblast.com || 
url,spywarewarrior.com/rogue_anti-spyware.htm
        2003477 || BLEEDING-EDGE MALWARE Terminexor.com Spyware User-Agent 
(DInstaller2) || 
url,netrn.net/spywareblog/archives/2004/12/23/more-rip-off-ware-terminexor || 
url,www.terminexor.com
        2003478 || BLEEDING-EDGE MALWARE Errornuker.com Fake Anti-Spyware 
User-Agent (ERRORNUKER) || url,www.errornuker.com || 
url,www.spywarewarrior.com/rogue_anti-spyware.htm
        2003479 || BLEEDING-EDGE POLICY Radmin Remote Control Session Setup 
Initiate || url,www.radmin.com
        2003480 || BLEEDING-EDGE POLICY Radmin Remote Control Session Setup 
Response || url,www.radmin.com
        2003481 || BLEEDING-EDGE POLICY Radmin Remote Control Session 
Authentication Initiate || url,www.radmin.com
        2003482 || BLEEDING-EDGE POLICY Radmin Remote Control Session 
Authentication Response || url,www.radmin.com
        2003484 || BLEEDING-EDGE WORM Allaple Unique HTTP Request - Possibly 
part of DDOS || url,isc.sans.org/diary.html?storyid=2451 || 
url,doc.bleedingthreats.net/2003483
        2003485 || BLEEDING-EDGE MALWARE Weatherbug Related User-Agent 
(CFNetwork/)
        2003486 || BLEEDING-EDGE MALWARE Drivecleaner.com Spyware User-Agent 
(DriveCleaner Updater) || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=DriveCleaner&threatid=44533
 || url,www.drivecleaner.com
        2003487 || BLEEDING-EDGE MALWARE url404.com Spyware User-Agent (Httper) 
|| url,www.spywareguide.com/product_show.php?id=581
        2003489 || BLEEDING-EDGE MALWARE malwarewipeupdate.com Spyware 
User-Agent (MalwareWipe) || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=MalwareWipe&threatid=43086
 || url,www.malwarewipeupdate.com
        2003490 || BLEEDING-EDGE MALWARE Mirar Spyware User-Agent 
(Mirar_KeywordContent) || 
url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818
        2003491 || BLEEDING-EDGE MALWARE Invalid Mozilla Faked User-Agent 
(Mozila/4.0...) || url,doc.bleedingthreats.net/2003491
        2003492 || BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent 
(Mozila/4.0) || url,doc.bleedingthreats.net/2003492

     -> Added to bleeding-voip.rules (1):
        #by Blake Hartstein

     -> Added to bleeding.rules (2):
        #Seeing hits with a misspelled Mozila in the UA. Want to see how 
widespread this is.
        #also seeing just Mozilla/4.0. That's unusual as well

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 117

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 117

     -> Removed from bleeding-sid-msg.map (8):
        2001669 || BLEEDING-EDGE Web Proxy GET Request
        2001670 || BLEEDING-EDGE Web Proxy HEAD Request
        2001674 || BLEEDING-EDGE Proxy POST Request
        2001675 || BLEEDING-EDGE Proxy CONNECT Request
        2003292 || BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Outbound || 
url,www.sophos.com/virusinfo/analyses/w32allapleb.html
        2003293 || BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Inbound || 
url,www.sophos.com/virusinfo/analyses/w32allapleb.html
        2003294 || BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Inbound || 
url,www.sophos.com/virusinfo/analyses/w32allapleb.html
        2003295 || BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Outbound || 
url,www.sophos.com/virusinfo/analyses/w32allapleb.html


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding <= [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding

Previous by Date:	Re: [Snort-sigs] new rule for detect Novell Netmail WebAdmin Buffer Overflow Vulnerability, Paul Gear
Next by Date:	[Snort-sigs] Bleeding Edge Threats Daily Signature Changes, bleeding
Previous by Thread:	[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding
Next by Thread:	[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding
Indexes:	[Date] [Thread] [Top] [All Lists]