[***] Results from Oinkmaster started Fri Nov 23 22:00:12 2007 [***]
[+++] Added rules: [+++]
2003330 - BLEEDING-EDGE POLICY Possible Spambot -- Host DNS MX Query High
Count (bleeding-policy.rules)
[///] Modified active rules: [///]
2003588 - BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Traffic (User-Agent skw00001)
(bleeding-virus.rules)
2003589 - BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Post Traffic (User-Agent
h9tslbw0) (bleeding-virus.rules)
2003636 - BLEEDING-EDGE VIRUS Sality Virus User Agent Detected (KUKU v3.09)
(bleeding-virus.rules)
2003651 - BLEEDING-EDGE VIRUS Sality Virus User Agent Detected (SPM_ID=)
(bleeding-virus.rules)
2006417 - BLEEDING-EDGE ATTACK RESPONSE Weak Netbios Lanman Auth Challenge
Detected (bleeding-attack_response.rules)
2007695 - BLEEDING-EDGE POLICY Windows 98 User-Agent Detected - Possible
Malware or Non-Updated System (bleeding-policy.rules)
[---] Removed rules: [---]
2003330 - BLEEDING-EDGE POLICY Possible Spambot -- Host DNS MX Query High
Count (bleeding-virus.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-policy.rules (3):
#Matt Jonkman, major updates by Chris Byrd
#Experimenting with this idea. When a bot comes up live and starts
spamming, it
# does a massive number of dns queries. This may be an extra way to
identify infections
-> Added to bleeding-sid-msg.map (6):
2003588 || BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Traffic (User-Agent
skw00001) || url,doc.bleedingthreats.net/2003588
2003589 || BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Post Traffic
(User-Agent h9tslbw0) || url,doc.bleedingthreats.net/2003589
2003636 || BLEEDING-EDGE VIRUS Sality Virus User Agent Detected (KUKU
v3.09)
2003651 || BLEEDING-EDGE VIRUS Sality Virus User Agent Detected
(SPM_ID=)
2006417 || BLEEDING-EDGE ATTACK RESPONSE Weak Netbios Lanman Auth
Challenge Detected
2007695 || BLEEDING-EDGE POLICY Windows 98 User-Agent Detected -
Possible Malware or Non-Updated System ||
url,doc.bleedingthreats.net/bin/view/Main/Windows98UA
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (6):
2003588 || BLEEDING-EDGE CURRENT EVENTS Worm.Pyks HTTP C&C Traffic
(User-Agent skw00001) || url,doc.bleedingthreats.net/2003588
2003589 || BLEEDING-EDGE CURRENT EVENTS Worm.Pyks HTTP C&C Post Traffic
(User-Agent h9tslbw0) || url,doc.bleedingthreats.net/2003589
2003636 || BLEEDING-EDGE Sality Virus User Agent Detected (KUKU v3.09)
2003651 || BLEEDING-EDGE Sality Virus User Agent Detected (SPM_ID=)
2006417 || BLEEDING-EDGE ATTACK-RESPONSE Weak Netbios Lanman Auth
Challenge Detected
2007695 || BLEEDING-EDGE POLICY Windows 98 User-Agent Detected -
Possible Malware or Non-Updated System ||
url.doc.bleedingthreats.net/bin/view/Main/Windows98UA
-> Removed from bleeding-virus.rules (3):
#Matt Jonkman, major updates by Chris Byrd
#Experimenting with this idea. When a bot comes up live and starts
spamming, it
# does a massive number of dns queries. This may be an extra way to
identify infections
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
