[***] Results from Oinkmaster started Fri Mar 28 17:00:11 2008 [***]
[+++] Added rules: [+++]
2008062 - ET WEB Univeral HTTP File Upload Remote File Deletetion
(bleeding-web.rules)
2008063 - ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command
Universal Exploit (bleeding-exploit.rules)
2008064 - ET POLICY Nginx Server with no version string - Often Hostile
Traffic (bleeding-policy.rules)
2008065 - ET POLICY Nginx Server with modified version string - Often Hostile
Traffic (bleeding-policy.rules)
2008066 - ET MALWARE Suspicious Blank User-Agent (descriptor but no string)
(bleeding-malware.rules)
[---] Disabled and modified rules: [---]
2008054 - ET POLICY Nginx Server in use - Often Hostile Traffic
(bleeding-policy.rules)
[---] Disabled rules: [---]
2008045 - ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious -
Possible Trojan Report (bleeding.rules)
[---] Removed rules: [---]
2007729 - ET CURRENT EVENTS Likely Zlob Binary Requested
(VideoAccessCodecInstall.exe) (bleeding.rules)
2007760 - ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe)
(bleeding.rules)
2007761 - ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
(bleeding.rules)
2007902 - ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)
(bleeding.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-policy.rules (1):
# disabling by default, falses a lot but may be of interest to some
folks
-> Added to bleeding-sid-msg.map (5):
2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion ||
url,www.milw0rm.com/exploits/5272
2008063 || ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH
Command Universal Exploit || bugtraq,28245 || url,www.milw0rm.com/exploits/5248
2008064 || ET POLICY Nginx Server with no version string - Often
Hostile Traffic
2008065 || ET POLICY Nginx Server with modified version string - Often
Hostile Traffic
2008066 || ET MALWARE Suspicious Blank User-Agent (descriptor but no
string)
-> Added to bleeding-sid-msg.map.txt (5):
2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion ||
url,www.milw0rm.com/exploits/5272
2008063 || ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH
Command Universal Exploit || bugtraq,28245 || url,www.milw0rm.com/exploits/5248
2008064 || ET POLICY Nginx Server with no version string - Often
Hostile Traffic
2008065 || ET POLICY Nginx Server with modified version string - Often
Hostile Traffic
2008066 || ET MALWARE Suspicious Blank User-Agent (descriptor but no
string)
-> Added to bleeding-web.rules (1):
#by akash mahajan of stillsecure
-> Added to bleeding.rules (1):
#disabling by default. Is used in some legit places as well. Use this
if you have a need
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (4):
2007729 || ET CURRENT EVENTS Likely Zlob Binary Requested
(VideoAccessCodecInstall.exe)
2007760 || ET CURRENT EVENTS Likely Storm Binary Requested
(postcard.exe)
2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)
-> Removed from bleeding-sid-msg.map.txt (4):
2007729 || ET CURRENT EVENTS Likely Zlob Binary Requested
(VideoAccessCodecInstall.exe)
2007760 || ET CURRENT EVENTS Likely Storm Binary Requested
(postcard.exe)
2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)
-> Removed from bleeding.rules (2):
# by matt jonkman, to be removed/reconsidered on feb 20 08
#keeping this, still getting reports of hits
-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
