
[Snort-sigs] Bleeding Edge Threats Daily Signature Changes

Subject: [Snort-sigs] Bleeding Edge Threats Daily Signature Changes
Date: Tue, 10 Apr 2007 16:00:06 -0400 (EDT)

[***] Results from Oinkmaster started Tue Apr 10 16:00:06 2007 [***]

[+++]          Added rules:          [+++]

 2003155 - BLEEDING-EDGE POLICY Microsoft TEREDO IPv6 tunneling 
(bleeding-policy.rules)
 2003514 - BLEEDING-EDGE EXPLOIT Possible Microsoft Internet Explorer 
ADODB.Redcordset Double Free Memory Exploit - MS07-009 (bleeding-exploit.rules)


[///]     Modified active rules:     [///]

 2002388 - BLEEDING-EDGE WEB vBulletin misc.php Template Name Arbitrary Code 
Execution (bleeding-web.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source 
(bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING 
(bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  
(bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  
(bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  
(bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  
(bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  
(bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  
(bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  
(bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)


[---]         Disabled rules:        [---]

 2003191 - BLEEDING-EDGE CURRENT EVENTS Acer LunchApp.Aplunch ActiveX control 
access (bleeding.rules)
 2003539 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit udp - 
Please report any hits to bleeding@bleedingthreats.net (bleeding.rules)
 2003540 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit tcp - 
Please report any hits to bleeding@bleedingthreats.net (bleeding.rules)


[---]         Removed rules:         [---]

 2002930 - BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit 
(bleeding-virus.rules)
 2003155 - BLEEDING-EDGE CURRENT Microsoft TEREDO IPv6 tunneling 
(bleeding.rules)
 2003177 - BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access (Microsoft 
Agent Memory Corruption) (bleeding.rules)
 2003178 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip 
FileView ActiveX Control Access (bleeding.rules)
 2003181 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip 
FolderView ActiveX Control Access (bleeding.rules)
 2003213 - BLEEDING-EDGE EXPLOIT Potential Microsoft IE DHTML Script Function 
Memory Corruption - There are many legitimate uses of the normalize function 
(bleeding.rules)
 2003252 - BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS 
(bleeding.rules)
 2003373 - BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In 
(bleeding.rules)
 2003413 - BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded 
Exploit traveling to client browser (bleeding.rules)
 2003430 - BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop Attempt 
(bleeding.rules)
 2003460 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet 
(bleeding.rules)
 2003461 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet 
(bleeding.rules)
 2003514 - BLEEDING-EDGE CURRENT EVENTS Possible Microsoft Internet Explorer 
ADODB.Redcordset Double Free Memory Exploit - MS07-009 (bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 149

     -> Added to bleeding-drop.rules (1):
        #  VERSION 149

     -> Added to bleeding-exploit.rules (1):
        # steven@securityzone

     -> Added to bleeding-policy.rules (2):
        #by Jeff Kell
        # Microsoft teredo tunnel

     -> Added to bleeding-sid-msg.map (2):
        2003155 || BLEEDING-EDGE POLICY Microsoft TEREDO IPv6 tunneling
        2003514 || BLEEDING-EDGE EXPLOIT Possible Microsoft Internet Explorer 
ADODB.Redcordset Double Free Memory Exploit - MS07-009 || 
url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || 
url,www.milw0rm.com/exploits/3577

     -> Added to bleeding.rules (2):
        # Threat has mostly passed. Leaving in but commented out for now.
        ### Commenting out for now. More information hasn't surfaced yet. Will 
update when we can

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 148

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 148

     -> Removed from bleeding-sid-msg.map (13):
        2002930 || BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit
        2003155 || BLEEDING-EDGE CURRENT Microsoft TEREDO IPv6 tunneling
        2003177 || BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access 
(Microsoft Agent Memory Corruption) || 
url,www.microsoft.com/technet/security/bulletin/ms06-068.mspx
        2003178 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer 
WinZip FileView ActiveX Control Access || cve,2006-5198
        2003181 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer 
WinZip FolderView ActiveX Control Access || cve,2006-5198
        2003213 || BLEEDING-EDGE EXPLOIT Potential Microsoft IE DHTML Script 
Function Memory Corruption - There are many legitimate uses of the normalize 
function || url,osvdb/30814 || cve,2006-5581
        2003252 || BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS || 
url,www.milw0rm.com/exploits/3111 || 
url,determina.blogspot.com/2007/01/whats-wrong-with-wmf.html
        2003373 || BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan 
Checking In || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=733
        2003413 || BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish 
Encoded Exploit traveling to client browser || 
url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/
 || url,isc.sans.org/diary.html?n&storyid=2277 || 
url,asert.arbornetworks.com/2007/02/phpwebguard-and-aspwebguard-attacks/
        2003430 || BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop 
Attempt || url,isc.sans.org/diary.html?n&storyid=2277 || 
url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/
        2003460 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet 
|| url,doc.bleedingthreats.net/2003460
        2003461 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet 
|| url,doc.bleedingthreats.net/2003460
        2003514 || BLEEDING-EDGE CURRENT EVENTS Possible Microsoft Internet 
Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || 
url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || 
url,www.milw0rm.com/exploits/3577

     -> Removed from bleeding-virus.rules (2):
        #by Jamie Riden
        #disabling, redundant

     -> Removed from bleeding.rules (18):
        #This is being sent to many victims under the pretense of being a 
securityt audit script for colocated customers
        #These should catch it in it's current form. More information coming 
soon
        #Analysis by Jose Nazario
        # These are coming in zips asking you to run on the server. This will 
hit on the html coming FROM the infected server to a client browser, NOT the 
zip in transit
        #The email drop is dead, but phishes are still going out with this 
address. If you see it, someone ran the script... follow up!
        #by Shirkdog
        # steven@securityzone
        #by Christian Siefert
        # There are many legit uses for this, so we're disabling by default. 
Use where appropriate
        #by Blake Hartstein of Demarc
        #by shirkdog
        #by Jeff Kell
        # Microsoft teredo tunnel
        #So far unidentified bot and c&c channel. Working on it. These are 
crude sigs,
        # please let me know if you get hits. Need more information on this one.
        #Matt Jonkman
        #Matt Jonkman. As yet unnamed downloader in a few high profile spots
        #by Mr Magic Pants


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
