[***] Results from Oinkmaster started Fri Apr 6 11:00:05 2007 [***]
[+++] Added rules: [+++]
2003491 - BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla User-Agent
(Mozila/4.0...) (bleeding-malware.rules)
2003492 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake
(Mozilla/4.0) (bleeding-malware.rules)
2003513 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo
(MOzilla/4.0) (bleeding-malware.rules)
2003519 - BLEEDING-EDGE CURRENT EVENTS MS ANI exploit (bleeding.rules)
2003521 - BLEEDING-EDGE TROJAN TROJ_ANICMOO.AX Downloading wincf.exe
(bleeding.rules)
2003522 - BLEEDING-EDGE TROJAN PossibleExploit-W32/Ani.C Traffic
(bleeding.rules)
2003523 - BLEEDING-EDGE TROJAN Possible Exploit-W32/Ani.C Traffic
(bleeding.rules)
2003524 - BLEEDING-EDGE CURRENT EVENTS MS ANI exploit (rule 2) (bleeding.rules)
2003525 - BLEEDING-EDGE MALWARE Supergames.aavalue.com Spyware
(bleeding-malware.rules)
2003526 - BLEEDING-EDGE MALWARE KMIP.net Spyware 2 (bleeding-malware.rules)
2003527 - BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent
(WinSoftware) (bleeding-malware.rules)
2003528 - BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent
(NetInstaller) (bleeding-malware.rules)
2003529 - BLEEDING-EDGE MALWARE Msgplus.net Spyware/Adware User-Agent
(MsgPlus3) (bleeding-malware.rules)
2003530 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent Separator -
likely Fake (Mozilla/4.0+(compatible +MSIE+) (bleeding-malware.rules)
2003531 - BLEEDING-EDGE MALWARE Antivermins.com Spyware/Adware User-Agent
(AntiVermeans) (bleeding-malware.rules)
2003532 - BLEEDING-EDGE MALWARE CommonName.com Spyware/Adware User-Agent
(CommonName Agent) (bleeding-malware.rules)
2003533 - BLEEDING-EDGE MALWARE Sytes.net Related Spyware Reporting
(bleeding-malware.rules)
2003534 - BLEEDING-EDGE MALWARE Weatherbug Vista Gadget Activity
(bleeding-malware.rules)
2003535 - BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected
(bleeding-attack_response.rules)
2003536 - BLEEDING-EDGE ATTACK RESPONSE r57 phpshell source being uploaded
(bleeding-attack_response.rules)
[///] Modified active rules: [///]
2002750 - BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2
(bleeding-policy.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound
(bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound
(bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound
(bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound
(bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound
(bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING
SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING
SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING
SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING
SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING
SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source
(bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING
(bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)
(bleeding-botcc.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)
(bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)
(bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)
(bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)
(bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)
(bleeding-botcc.rules)
2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)
(bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
[---] Removed rules: [---]
2003491 - BLEEDING-EDGE MALWARE Invalid Mozilla Faked User-Agent
(Mozila/4.0...) (bleeding.rules)
2003492 - BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozilla/4.0)
(bleeding.rules)
2003513 - BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent typo (MOzilla/4.0)
(bleeding.rules)
2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)
(bleeding-botcc.rules)
2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-attack_response.rules (2):
#by Cees Elzinga
#note: most effective with a deep flow depth, or 0
-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 144
-> Added to bleeding-drop.rules (1):
# VERSION 144
-> Added to bleeding-malware.rules (6):
#By Matt Jonkman from spyware lp data
#Seeing hits with a misspelled Mozila in the UA.
#also seeing just Mozilla/4.0. That's unusual as well
#from rras, another typo'd trojan
#Pluses in a UA, suspicious as well
#Matt Jonkman, from spyware lp data
-> Added to bleeding-sid-msg.map (20):
2003491 || BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla
User-Agent (Mozila/4.0...) || url,doc.bleedingthreats.net/2003491
2003492 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely
Fake (Mozilla/4.0) || url,doc.bleedingthreats.net/2003492
2003513 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo
(MOzilla/4.0) || url,doc.bleedingthreats.net/2003513
2003519 || BLEEDING-EDGE CURRENT EVENTS MS ANI exploit
2003521 || BLEEDING-EDGE TROJAN TROJ_ANICMOO.AX Downloading wincf.exe
||
url,uk.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=TROJ_ANICMOO.AX
2003522 || BLEEDING-EDGE TROJAN PossibleExploit-W32/Ani.C Traffic ||
url,www.f-secure.com/v-descs/trojan-downloader_w32_small_ekv.shtml
2003523 || BLEEDING-EDGE TROJAN Possible Exploit-W32/Ani.C Traffic ||
url,www.f-secure.com/v-descs/trojan-downloader_w32_small_ekv.shtml
2003524 || BLEEDING-EDGE CURRENT EVENTS MS ANI exploit (rule 2) ||
url,doc.bleedingthreats.net/2003524 ||
url,www.avertlabs.com/research/blog/?p=233 ||
url,isc.sans.org/diary.html?storyid=2534
2003525 || BLEEDING-EDGE MALWARE Supergames.aavalue.com Spyware ||
url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189
2003526 || BLEEDING-EDGE MALWARE KMIP.net Spyware 2 || url,www.kmip.net
2003527 || BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent
(WinSoftware) ||
url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037
2003528 || BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent
(NetInstaller) ||
url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037
2003529 || BLEEDING-EDGE MALWARE Msgplus.net Spyware/Adware User-Agent
(MsgPlus3) ||
url,research.sunbelt-software.com/threatdisplay.aspx?name=Messenger%20Plus!&threatid=14931
2003530 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent
Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) ||
url,doc.bleedingthreats.net/2003530
2003531 || BLEEDING-EDGE MALWARE Antivermins.com Spyware/Adware
User-Agent (AntiVermeans) || url,www.bleepingcomputer.com/forums/topic69886.htm
2003532 || BLEEDING-EDGE MALWARE CommonName.com Spyware/Adware
User-Agent (CommonName Agent) ||
url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618
2003533 || BLEEDING-EDGE MALWARE Sytes.net Related Spyware Reporting ||
url,www.sophos.com/security/analyses/w32forbotdv.html
2003534 || BLEEDING-EDGE MALWARE Weatherbug Vista Gadget Activity
2003535 || BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected
|| url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755
2003536 || BLEEDING-EDGE ATTACK RESPONSE r57 phpshell source being
uploaded || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755
-> Added to bleeding.rules (2):
#by dajackman
#A new approach, details from malaware
[---] Removed non-rule lines: [---]
-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 138
-> Removed from bleeding-drop.rules (1):
# VERSION 138
-> Removed from bleeding-sid-msg.map (5):
2003491 || BLEEDING-EDGE MALWARE Invalid Mozilla Faked User-Agent
(Mozila/4.0...) || url,doc.bleedingthreats.net/2003491
2003492 || BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent
(Mozilla/4.0) || url,doc.bleedingthreats.net/2003492
2003513 || BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent typo
(MOzilla/4.0) || url,doc.bleedingthreats.net/2003513
2404007 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)
|| url,www.shadowserver.org
2405007 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) -
BLOCKING SOURCE || url,www.shadowserver.org
-> Removed from bleeding.rules (3):
#Seeing hits with a misspelled Mozila in the UA. Want to see how
widespread this is.
#also seeing just Mozilla/4.0. That's unusual as well
#from rras, another typo'd trojan
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
