[***] Results from Oinkmaster started Mon Dec 31 17:00:06 2007 [***]
[+++] Added rules: [+++]
2007715 - BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - user
(bleeding-attack_response.rules)
2007717 - BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - pass
(bleeding-attack_response.rules)
2007723 - BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - retr
(bleeding-attack_response.rules)
2007724 - BLEEDING-EDGE TROJAN Prg Trojan HTTP POST version 2
(bleeding-virus.rules)
2007725 - BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner on High Port
(WinFtpd) (bleeding-attack_response.rules)
2007726 - BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner on High Port
(StnyFtpd) (bleeding-attack_response.rules)
2007727 - BLEEDING-EDGE Policy possible torrent download (bleeding-p2p.rules)
[///] Modified active rules: [///]
2007688 - BLEEDING-EDGE TROJAN Prg Trojan HTTP POST v1 (bleeding-virus.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-attack_response.rules (20):
# seeing some worms/trojans use an ftp server with all banners stripped
out
# on off ports to download payload after the initial compromise.
# Just stats codes, no welcome, etc. Very unique
# something like:
#220
#USER a
#331
#PASS a
#230
#TYPE I
#200
#PORT 10,2,32,214,4,9
#200
#RETR msnnmaneger.exe
#150
#226
#QUIT
#221
#removing a few to simplify
#Matt Jonkman, off port ftp banners
-> Added to bleeding-p2p.rules (1):
#by Will Metcalf
-> Added to bleeding-sid-msg.map (8):
2007688 || BLEEDING-EDGE TROJAN Prg Trojan HTTP POST v1 ||
url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2007715 || BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners -
user
2007717 || BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners -
pass
2007723 || BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners -
retr
2007724 || BLEEDING-EDGE TROJAN Prg Trojan HTTP POST version 2 || url,
ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2007725 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner on
High Port (WinFtpd)
2007726 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner on
High Port (StnyFtpd)
2007727 || BLEEDING-EDGE Policy possible torrent download
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (1):
2007688 || BLEEDING-EDGE TROJAN Prg Trojan HTTP POST ||
url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
