
[Snort-sigs] Emerging Threats Daily Signature Changes

Subject: [Snort-sigs] Emerging Threats Daily Signature Changes
Date: Wed, 9 Jan 2008 17:00:07 -0500 (EST)

[***] Results from Oinkmaster started Wed Jan  9 17:00:07 2008 [***]

[+++]          Added rules:          [+++]

 2007745 - BLEEDING-EDGE TROJAN Parite.B HTTP Download Detected 
(bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2002082 - BLEEDING-EDGE POLICY Unusual User Agent (Client) 
(bleeding-policy.rules)
 2003484 - BLEEDING-EDGE WORM Allaple Unique HTTP Request - Possibly part of 
DDOS (bleeding-virus.rules)
 2003491 - BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla User-Agent 
(Mozila/4.0...) (bleeding-malware.rules)
 2003492 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake 
(Mozilla/4.0) (bleeding-malware.rules)
 2003513 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo 
(MOzilla/4.0) (bleeding-malware.rules)
 2003530 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent Separator - 
likely Fake (Mozilla/4.0+(compatible +MSIE+) (bleeding-malware.rules)
 2003549 - BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report 
(bleeding-virus.rules)
 2003550 - BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes 
(bleeding-virus.rules)
 2003551 - BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command 
(bleeding-virus.rules)
 2003552 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active 
(bleeding-virus.rules)
 2003553 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off 
(bleeding-virus.rules)
 2003554 - BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply 
(bleeding-virus.rules)
 2003555 - BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report 
(bleeding-virus.rules)
 2003556 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send 
(bleeding-virus.rules)
 2003557 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply 
(bleeding-virus.rules)
 2003558 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send 
(bleeding-virus.rules)
 2003559 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send 
(bleeding-virus.rules)
 2003560 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send 
(bleeding-virus.rules)
 2003561 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply 
(bleeding-virus.rules)
 2003562 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send 
(bleeding-virus.rules)
 2003563 - BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send 
(bleeding-virus.rules)
 2003564 - BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply 
(bleeding-virus.rules)
 2003565 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply 
(bleeding-virus.rules)
 2003566 - BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) 
(bleeding-malware.rules)
 2003567 - BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS 
Extractor) (bleeding-malware.rules)
 2003569 - BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware 
User-Agent (EVNUKER) (bleeding-malware.rules)
 2003583 - BLEEDING-EDGE MALWARE Suspicious User-Agent (update) 
(bleeding-malware.rules)
 2003585 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Windows Updates 
Manager) (bleeding-malware.rules)
 2003586 - BLEEDING-EDGE MALWARE Suspicious User-Agent (WinXP Pro Service Pack 
2) (bleeding-malware.rules)
 2003588 - BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Traffic (User-Agent skw00001) 
(bleeding-virus.rules)
 2003589 - BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Post Traffic (User-Agent 
h9tslbw0) (bleeding-virus.rules)
 2003590 - BLEEDING-EDGE TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique 
UA (MSID [...) (bleeding-virus.rules)
 2003599 - BLEEDING-EDGE POLICY Groove.net Virtual Office Suite Install/Startup 
Report (bleeding-policy.rules)
 2003600 - BLEEDING-EDGE POLICY Groove.net Virtual Office Suite Install Report 
(bleeding-policy.rules)
 2003601 - BLEEDING-EDGE POLICY Groove.net Virtual Office In Use 
(bleeding-policy.rules)
 2003602 - BLEEDING-EDGE POLICY Groove.net Virtual Office Local Service 
Discovery Broadcast (bleeding-policy.rules)
 2003614 - BLEEDING-EDGE VIRUS WinUpack Modified PE Header Inbound 
(bleeding-virus.rules)
 2003615 - BLEEDING-EDGE VIRUS WinUpack Modified PE Header Outbound 
(bleeding-virus.rules)
 2006382 - BLEEDING-EDGE TROJAN Matcash or related downloader User-Agent 
Detected (bleeding-virus.rules)
 2006395 - BLEEDING-EDGE TROJAN Socks666 Connection Initial Packet 
(bleeding-virus.rules)
 2006396 - BLEEDING-EDGE TROJAN Socks666 Connect Command Packet 
(bleeding-virus.rules)
 2006397 - BLEEDING-EDGE TROJAN Socks666 Successful Connect Packet Packet 
(bleeding-virus.rules)
 2006398 - BLEEDING-EDGE TROJAN Socks666 Checkin Packet (bleeding-virus.rules)
 2006399 - BLEEDING-EDGE TROJAN Socks666 Checkin Success Packet 
(bleeding-virus.rules)
 2006414 - BLEEDING-EDGE TROJAN Possible Warezov/Stration Data Post to 
Controller (pr2.cgi) (bleeding-virus.rules)
 2007588 - BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Initial Infection Checkin 
(bleeding-virus.rules)
 2007589 - BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin packet 1 
(bleeding-virus.rules)
 2007590 - BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin packet 2 
(bleeding-virus.rules)
 2007591 - BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin Connection in 
Progress (bleeding-virus.rules)
 2007669 - BLEEDING-EDGE TROJAN Nulprot Checkin Response (bleeding-virus.rules)
 2007673 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (1) 
(bleeding.rules)
 2007674 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (2) 
(bleeding.rules)
 2007675 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (3) 
(bleeding.rules)
 2007676 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (4) 
(bleeding.rules)
 2007677 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (5) 
(bleeding.rules)
 2007678 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (1) 
(bleeding.rules)
 2007679 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (2) 
(bleeding.rules)
 2007680 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (3) 
(bleeding.rules)
 2007681 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (4) 
(bleeding.rules)
 2007682 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (5) 
(bleeding.rules)
 2007683 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 1 
(bleeding.rules)
 2007684 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 2 
(bleeding.rules)
 2007685 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 3 
(bleeding.rules)
 2007686 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity OUTBOUND 
(bleeding.rules)
 2007687 - BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity INBOUND 
(bleeding.rules)
 2007695 - BLEEDING-EDGE POLICY Windows 98 User-Agent Detected - Possible 
Malware or Non-Updated System (bleeding-policy.rules)


[///]    Modified inactive rules:    [///]

 2003584 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) 
(bleeding-malware.rules)
 2007640 - BLEEDING-EDGE TROJAN Storm Making initial outbound connection 
(bleeding-virus.rules)
 2007641 - BLEEDING-EDGE TROJAN Storm Controller Response to Drone via tcp 
(bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (70):
        2002082 || BLEEDING-EDGE POLICY Unusual User Agent (Client) || 
url,doc.emergingthreats.net/2002082
        2003484 || BLEEDING-EDGE WORM Allaple Unique HTTP Request - Possibly 
part of DDOS || url,isc.sans.org/diary.html?storyid=2451 || 
url,doc.emergingthreats.net/2003483
        2003491 || BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla 
User-Agent (Mozila/4.0...) || url,doc.emergingthreats.net/2003491
        2003492 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely 
Fake (Mozilla/4.0) || url,doc.emergingthreats.net/2003492
        2003513 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo 
(MOzilla/4.0) || url,doc.emergingthreats.net/2003513
        2003530 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent 
Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) || 
url,doc.emergingthreats.net/2003530
        2003549 || BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and 
Report || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003550 || BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes || 
url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003551 || BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command || 
url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003552 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy 
Active || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003553 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off 
|| url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003554 || BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply || 
url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003555 || BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and 
Report || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003556 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send || 
url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003557 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply || 
url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003558 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key 
Command Send || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003559 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command 
Send || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003560 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send 
|| url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003561 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply || 
url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003562 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command 
Send || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003563 || BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy 
Command Send || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003564 || BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start 
Command Reply || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003565 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command 
Reply || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003566 || BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) || 
url,doc.emergingthreats.net/2003566
        2003567 || BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent 
(DNS Extractor) || url,doc.emergingthreats.net/2003567
        2003569 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware 
User-Agent (EVNUKER) || url,doc.emergingthreats.net/2003567
        2003583 || BLEEDING-EDGE MALWARE Suspicious User-Agent (update) || 
url,doc.emergingthreats.net/2003583
        2003584 || BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) || 
url,doc.emergingthreats.net/2003584
        2003585 || BLEEDING-EDGE MALWARE Suspicious User-Agent (Windows Updates 
Manager) || url,doc.emergingthreats.net/2003585
        2003586 || BLEEDING-EDGE MALWARE Suspicious User-Agent (WinXP Pro 
Service Pack 2) || url,doc.emergingthreats.net/2003586
        2003588 || BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Traffic (User-Agent 
skw00001) || url,doc.emergingthreats.net/2003588
        2003589 || BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Post Traffic 
(User-Agent h9tslbw0) || url,doc.emergingthreats.net/2003589
        2003590 || BLEEDING-EDGE TROJAN Downloader-5265/Torpig/Anserin/Sinowal 
Unique UA (MSID [...) || url,doc.emergingthreats.net/2003590
        2003599 || BLEEDING-EDGE POLICY Groove.net Virtual Office Suite 
Install/Startup Report || url,doc.emergingthreats.net/bin/view/Main/GrooveNet 
|| url,www.groove.net
        2003600 || BLEEDING-EDGE POLICY Groove.net Virtual Office Suite Install 
Report || url,doc.emergingthreats.net/bin/view/Main/GrooveNet || 
url,www.groove.net
        2003601 || BLEEDING-EDGE POLICY Groove.net Virtual Office In Use || 
url,doc.emergingthreats.net/bin/view/Main/GrooveNet || url,www.groove.net
        2003602 || BLEEDING-EDGE POLICY Groove.net Virtual Office Local Service 
Discovery Broadcast || url,doc.emergingthreats.net/bin/view/Main/GrooveNet || 
url,www.groove.net
        2003614 || BLEEDING-EDGE VIRUS WinUpack Modified PE Header Inbound || 
url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders
        2003615 || BLEEDING-EDGE VIRUS WinUpack Modified PE Header Outbound || 
url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders
        2006382 || BLEEDING-EDGE TROJAN Matcash or related downloader 
User-Agent Detected || url,doc.emergingthreats.net/2006382
        2006395 || BLEEDING-EDGE TROJAN Socks666 Connection Initial Packet || 
url,doc.emergingthreats.net/2006396
        2006396 || BLEEDING-EDGE TROJAN Socks666 Connect Command Packet || 
url,doc.emergingthreats.net/2006396
        2006397 || BLEEDING-EDGE TROJAN Socks666 Successful Connect Packet 
Packet || url,doc.emergingthreats.net/2006396
        2006398 || BLEEDING-EDGE TROJAN Socks666 Checkin Packet || 
url,doc.emergingthreats.net/2006396
        2006399 || BLEEDING-EDGE TROJAN Socks666 Checkin Success Packet || 
url,doc.emergingthreats.net/2006396
        2006414 || BLEEDING-EDGE TROJAN Possible Warezov/Stration Data Post to 
Controller (pr2.cgi) || url,doc.emergingthreats.net/2006414
        2007588 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Initial Infection 
Checkin || url,doc.emergingthreats.net/bin/view/Main/Win32AgentALT
        2007589 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin packet 1 || 
url,doc.emergingthreats.net/bin/view/Main/Win32AgentALT
        2007590 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin packet 2 || 
url,doc.emergingthreats.net/bin/view/Main/Win32AgentALT
        2007591 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin Connection 
in Progress || url,doc.emergingthreats.net/bin/view/Main/Win32AgentALT
        2007640 || BLEEDING-EDGE TROJAN Storm Making initial outbound 
connection || url,doc.emergingthreats.net/bin/view/Main/StormWorm
        2007641 || BLEEDING-EDGE TROJAN Storm Controller Response to Drone via 
tcp || url,doc.emergingthreats.net/bin/view/Main/StormWorm
        2007669 || BLEEDING-EDGE TROJAN Nulprot Checkin Response || 
url,doc.emergingthreats.net/2007669
        2007673 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP 
(1) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007674 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP 
(2) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007675 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP 
(3) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007676 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP 
(4) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007677 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP 
(5) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007678 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP 
(1) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007679 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP 
(2) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007680 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP 
(3) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007681 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP 
(4) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007682 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP 
(5) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007683 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 1 || 
url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007684 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 2 || 
url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007685 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 3 || 
url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007686 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity 
OUTBOUND || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007687 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity 
INBOUND || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool
        2007695 || BLEEDING-EDGE POLICY Windows 98 User-Agent Detected - 
Possible Malware or Non-Updated System || 
url,doc.emergingthreats.net/bin/view/Main/Windows98UA
        2007745 || BLEEDING-EDGE TROJAN Parite.B HTTP Download Detected

     -> Added to bleeding-virus.rules (1):
        #based on clamav info, by matt Jonkman

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-malware.rules (4):
        # These are user agent string from the user agents project:
        # http://www.bleedingsnort.com/article.php?story=20050303190103553
        # These will hit on traffic generated by spyware agents and installers
        # The user agent sigs from all types of spyware are consolidated here

     -> Removed from bleeding-sid-msg.map (69):
        2002082 || BLEEDING-EDGE POLICY Unusual User Agent (Client) || 
url,doc.bleedingthreats.net/2002082
        2003484 || BLEEDING-EDGE WORM Allaple Unique HTTP Request - Possibly 
part of DDOS || url,isc.sans.org/diary.html?storyid=2451 || 
url,doc.bleedingthreats.net/2003483
        2003491 || BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla 
User-Agent (Mozila/4.0...) || url,doc.bleedingthreats.net/2003491
        2003492 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely 
Fake (Mozilla/4.0) || url,doc.bleedingthreats.net/2003492
        2003513 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo 
(MOzilla/4.0) || url,doc.bleedingthreats.net/2003513
        2003530 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent 
Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) || 
url,doc.bleedingthreats.net/2003530
        2003549 || BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and 
Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003550 || BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003551 || BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003552 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy 
Active || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003553 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off 
|| url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003554 || BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003555 || BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and 
Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003556 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003557 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003558 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key 
Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003559 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command 
Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003560 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send 
|| url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003561 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003562 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command 
Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003563 || BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy 
Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003564 || BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start 
Command Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003565 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command 
Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003566 || BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) || 
url,doc.bleedingthreats.net/2003566
        2003567 || BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent 
(DNS Extractor) || url,doc.bleedingthreats.net/2003567
        2003569 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware 
User-Agent (EVNUKER) || url,doc.bleedingthreats.net/2003567
        2003583 || BLEEDING-EDGE MALWARE Suspicious User-Agent (update) || 
url,doc.bleedingthreats.net/2003583
        2003584 || BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) || 
url,doc.bleedingthreats.net/2003584
        2003585 || BLEEDING-EDGE MALWARE Suspicious User-Agent (Windows Updates 
Manager) || url,doc.bleedingthreats.net/2003585
        2003586 || BLEEDING-EDGE MALWARE Suspicious User-Agent (WinXP Pro 
Service Pack 2) || url,doc.bleedingthreats.net/2003586
        2003588 || BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Traffic (User-Agent 
skw00001) || url,doc.bleedingthreats.net/2003588
        2003589 || BLEEDING-EDGE VIRUS Worm.Pyks HTTP C&C Post Traffic 
(User-Agent h9tslbw0) || url,doc.bleedingthreats.net/2003589
        2003590 || BLEEDING-EDGE TROJAN Downloader-5265/Torpig/Anserin/Sinowal 
Unique UA (MSID [...) || url,doc.bleedingthreats.net/2003590
        2003599 || BLEEDING-EDGE POLICY Groove.net Virtual Office Suite 
Install/Startup Report || url,doc.bleedingthreats.net/bin/view/Main/GrooveNet 
|| url,www.groove.net
        2003600 || BLEEDING-EDGE POLICY Groove.net Virtual Office Suite Install 
Report || url,doc.bleedingthreats.net/bin/view/Main/GrooveNet || 
url,www.groove.net
        2003601 || BLEEDING-EDGE POLICY Groove.net Virtual Office In Use || 
url,doc.bleedingthreats.net/bin/view/Main/GrooveNet || url,www.groove.net
        2003602 || BLEEDING-EDGE POLICY Groove.net Virtual Office Local Service 
Discovery Broadcast || url,doc.bleedingthreats.net/bin/view/Main/GrooveNet || 
url,www.groove.net
        2003614 || BLEEDING-EDGE VIRUS WinUpack Modified PE Header Inbound || 
url,doc.bleedingthreats.net/bin/view/Main/WinPEHeaders
        2003615 || BLEEDING-EDGE VIRUS WinUpack Modified PE Header Outbound || 
url,doc.bleedingthreats.net/bin/view/Main/WinPEHeaders
        2006382 || BLEEDING-EDGE TROJAN Matcash or related downloader 
User-Agent Detected || url,doc.bleedingthreats.net/2006382
        2006395 || BLEEDING-EDGE TROJAN Socks666 Connection Initial Packet || 
url,doc.bleedingthreats.net/2006396
        2006396 || BLEEDING-EDGE TROJAN Socks666 Connect Command Packet || 
url,doc.bleedingthreats.net/2006396
        2006397 || BLEEDING-EDGE TROJAN Socks666 Successful Connect Packet 
Packet || url,doc.bleedingthreats.net/2006396
        2006398 || BLEEDING-EDGE TROJAN Socks666 Checkin Packet || 
url,doc.bleedingthreats.net/2006396
        2006399 || BLEEDING-EDGE TROJAN Socks666 Checkin Success Packet || 
url,doc.bleedingthreats.net/2006396
        2006414 || BLEEDING-EDGE TROJAN Possible Warezov/Stration Data Post to 
Controller (pr2.cgi) || url,doc.bleedingthreats.net/2006414
        2007588 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Initial Infection 
Checkin || url,doc.bleedingthreats.net/bin/view/Main/Win32AgentALT
        2007589 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin packet 1 || 
url,doc.bleedingthreats.net/bin/view/Main/Win32AgentALT
        2007590 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin packet 2 || 
url,doc.bleedingthreats.net/bin/view/Main/Win32AgentALT
        2007591 || BLEEDING-EDGE TROJAN Win32 Agent.ALT C&C Checkin Connection 
in Progress || url,doc.bleedingthreats.net/bin/view/Main/Win32AgentALT
        2007640 || BLEEDING-EDGE TROJAN Storm Making initial outbound 
connection || url,doc.bleedingthreats.net/bin/view/Main/StormWorm
        2007641 || BLEEDING-EDGE TROJAN Storm Controller Response to Drone via 
tcp || url,doc.bleedingthreats.net/bin/view/Main/StormWorm
        2007669 || BLEEDING-EDGE TROJAN Nulprot Checkin Response || 
url,doc.bleedingthreats.net/2007669
        2007673 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP 
(1) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007674 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP 
(2) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007675 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP 
(3) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007676 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP 
(4) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007677 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP 
(5) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007678 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP 
(1) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007679 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP 
(2) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007680 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP 
(3) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007681 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP 
(4) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007682 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP 
(5) || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007683 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 1 || 
url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007684 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 2 || 
url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007685 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 3 || 
url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007686 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity 
OUTBOUND || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007687 || BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity 
INBOUND || url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool
        2007695 || BLEEDING-EDGE POLICY Windows 98 User-Agent Detected - 
Possible Malware or Non-Updated System || 
url,doc.bleedingthreats.net/bin/view/Main/Windows98UA


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
