Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Emerging Threats Weekly Signature Changes

from [emerging] Network Security [Permanent Link]
Subject: [Snort-sigs] Emerging Threats Weekly Signature Changes
Date: Sat, 29 Mar 2008 19:00:11 -0400 (EDT) 

[***] Results from Oinkmaster started Sat Mar 29 19:00:11 2008 [***]

[+++]          Added rules:          [+++]

 2008048 - ET MALWARE Suspicious User-Agent (Version 1.23) 
(bleeding-malware.rules)
 2008049 - ET TROJAN Yahoo550.com Related Downlaoder/Trojan Checkin via HTTP 
(bleeding-virus.rules)
 2008050 - ET POLICY Likely Google Groups pr0n Access (bleeding-policy.rules)
 2008051 - ET POLICY Dell MyWay Remote control agent (bleeding-policy.rules)
 2008052 - ET MALWARE Suspicious User Agent (Internet Explorer) 
(bleeding-malware.rules)
 2008053 - ET MALWARE InternetSpeedMonitor Related Spyware User-Agent (parchmnt 
loader v1.8) (bleeding-malware.rules)
 2008054 - ET POLICY Nginx Server in use - Often Hostile Traffic 
(bleeding-policy.rules)
 2008055 - ET TROJAN Win32.Inject.ajq Initial Checkin to CnC 
(bleeding-virus.rules)
 2008056 - ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2 
(bleeding-virus.rules)
 2008057 - ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response 
(bleeding-virus.rules)
 2008058 - ET TROJAN Win32.Inject.ajq Initial Checkin to CnC port 443 
(bleeding-virus.rules)
 2008059 - ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2 port 443 
(bleeding-virus.rules)
 2008060 - ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response port 443 
(bleeding-virus.rules)
 2008061 - ET TROJAN LDPinch Checkin (4) (bleeding-virus.rules)
 2008062 - ET WEB Univeral HTTP File Upload Remote File Deletetion 
(bleeding-web.rules)
 2008063 - ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command 
Universal Exploit (bleeding-exploit.rules)
 2008064 - ET POLICY Nginx Server with no version string - Often Hostile 
Traffic (bleeding-policy.rules)
 2008065 - ET POLICY Nginx Server with modified version string - Often Hostile 
Traffic (bleeding-policy.rules)
 2008066 - ET MALWARE Suspicious Blank User-Agent (descriptor but no string) 
(bleeding-malware.rules)
 2404020 - ET DROP Known Bot C&C Server Traffic (group 21)  
(bleeding-botcc.rules)
 2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)


[///]     Modified active rules:     [///]

 2001663 - ET MALWARE Malware MyWebSearch Toolbar Traffic (host) 
(bleeding-malware.rules)
 2002030 - ET TROJAN BOT - potential scan/exploit command (bleeding-virus.rules)
 2006435 - ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce 
Tool (bleeding-scan.rules)
 2006546 - ET SCAN LibSSH Based Frequent SSH Connections -- Likely BruteForce 
Attack! (bleeding-scan.rules)
 2007962 - ET TROJAN Vipdataend C&C Traffic - Checkin (bleeding-virus.rules)
 2008041 - ET TROJAN Hupigon CnC init (variant abb) (bleeding-virus.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE 
(bleeding-drop-BLOCK.rules)
 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE 
(bleeding-drop-BLOCK.rules)
 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE 
(bleeding-drop-BLOCK.rules)
 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE 
(bleeding-drop-BLOCK.rules)
 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE 
(bleeding-drop-BLOCK.rules)
 2402000 - ET DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING 
(bleeding-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  
(bleeding-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  
(bleeding-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  
(bleeding-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  
(bleeding-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  
(bleeding-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  
(bleeding-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  
(bleeding-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  
(bleeding-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  
(bleeding-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  
(bleeding-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  
(bleeding-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  
(bleeding-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  
(bleeding-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  
(bleeding-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  
(bleeding-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  
(bleeding-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  
(bleeding-botcc.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  
(bleeding-botcc.rules)
 2404018 - ET DROP Known Bot C&C Server Traffic (group 19)  
(bleeding-botcc.rules)
 2404019 - ET DROP Known Bot C&C Server Traffic (group 20)  
(bleeding-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2406005 - ET RBN Known Russian Business Network Monitored Domains (1) 
(bleeding-rbn.rules)
 2406006 - ET RBN Known Russian Business Network Monitored Domains (2) 
(bleeding-rbn.rules)
 2406007 - ET RBN Known Russian Business Network Monitored Domains (3) 
(bleeding-rbn.rules)
 2406008 - ET RBN Known Russian Business Network Monitored Domains (4) 
(bleeding-rbn.rules)
 2406009 - ET RBN Known Russian Business Network Monitored Domains (5) 
(bleeding-rbn.rules)
 2406010 - ET RBN Known Russian Business Network Monitored Domains (6) 
(bleeding-rbn.rules)
 2406011 - ET RBN Known Russian Business Network Monitored Domains (7) 
(bleeding-rbn.rules)
 2406012 - ET RBN Known Russian Business Network Monitored Domains (8) 
(bleeding-rbn.rules)
 2406013 - ET RBN Known Russian Business Network Monitored Domains (9) 
(bleeding-rbn.rules)
 2406014 - ET RBN Known Russian Business Network Monitored Domains (10) 
(bleeding-rbn.rules)
 2406015 - ET RBN Known Russian Business Network Monitored Domains (11) 
(bleeding-rbn.rules)
 2406016 - ET RBN Known Russian Business Network Monitored Domains (12) 
(bleeding-rbn.rules)
 2406017 - ET RBN Known Russian Business Network Monitored Domains (13) 
(bleeding-rbn.rules)
 2406018 - ET RBN Known Russian Business Network Monitored Domains (14) 
(bleeding-rbn.rules)
 2406019 - ET RBN Known Russian Business Network Monitored Domains (15) 
(bleeding-rbn.rules)
 2406020 - ET RBN Known Russian Business Network Monitored Domains (16) 
(bleeding-rbn.rules)
 2406021 - ET RBN Known Russian Business Network Monitored Domains (17) 
(bleeding-rbn.rules)
 2406022 - ET RBN Known Russian Business Network Monitored Domains (18) 
(bleeding-rbn.rules)
 2406023 - ET RBN Known Russian Business Network Monitored Domains (19) 
(bleeding-rbn.rules)
 2406024 - ET RBN Known Russian Business Network Monitored Domains (20) 
(bleeding-rbn.rules)
 2406025 - ET RBN Known Russian Business Network Monitored Domains (21) 
(bleeding-rbn.rules)
 2406026 - ET RBN Known Russian Business Network Monitored Domains (22) 
(bleeding-rbn.rules)
 2406027 - ET RBN Known Russian Business Network Monitored Domains (23) 
(bleeding-rbn.rules)
 2406028 - ET RBN Known Russian Business Network Monitored Domains (24) 
(bleeding-rbn.rules)
 2406029 - ET RBN Known Russian Business Network Monitored Domains (25) 
(bleeding-rbn.rules)
 2406030 - ET RBN Known Russian Business Network Monitored Domains (26) 
(bleeding-rbn.rules)
 2406031 - ET RBN Known Russian Business Network Monitored Domains (27) 
(bleeding-rbn.rules)
 2406032 - ET RBN Known Russian Business Network Monitored Domains (28) 
(bleeding-rbn.rules)
 2406033 - ET RBN Known Russian Business Network Monitored Domains (29) 
(bleeding-rbn.rules)
 2406034 - ET RBN Known Russian Business Network Monitored Domains (30) 
(bleeding-rbn.rules)
 2406035 - ET RBN Known Russian Business Network Monitored Domains (31) 
(bleeding-rbn.rules)
 2406036 - ET RBN Known Russian Business Network Monitored Domains (32) 
(bleeding-rbn.rules)
 2406037 - ET RBN Known Russian Business Network Monitored Domains (33) 
(bleeding-rbn.rules)
 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(1) (bleeding-rbn-BLOCK.rules)
 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(2) (bleeding-rbn-BLOCK.rules)
 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(3) (bleeding-rbn-BLOCK.rules)
 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(4) (bleeding-rbn-BLOCK.rules)
 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(5) (bleeding-rbn-BLOCK.rules)
 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(6) (bleeding-rbn-BLOCK.rules)
 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(7) (bleeding-rbn-BLOCK.rules)
 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(8) (bleeding-rbn-BLOCK.rules)
 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(9) (bleeding-rbn-BLOCK.rules)
 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(10) (bleeding-rbn-BLOCK.rules)
 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(11) (bleeding-rbn-BLOCK.rules)
 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(12) (bleeding-rbn-BLOCK.rules)
 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(13) (bleeding-rbn-BLOCK.rules)
 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(14) (bleeding-rbn-BLOCK.rules)
 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(15) (bleeding-rbn-BLOCK.rules)
 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(16) (bleeding-rbn-BLOCK.rules)
 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(17) (bleeding-rbn-BLOCK.rules)
 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(18) (bleeding-rbn-BLOCK.rules)
 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(19) (bleeding-rbn-BLOCK.rules)
 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(20) (bleeding-rbn-BLOCK.rules)
 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(21) (bleeding-rbn-BLOCK.rules)
 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(22) (bleeding-rbn-BLOCK.rules)
 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(23) (bleeding-rbn-BLOCK.rules)
 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(24) (bleeding-rbn-BLOCK.rules)
 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(25) (bleeding-rbn-BLOCK.rules)
 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(26) (bleeding-rbn-BLOCK.rules)
 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(27) (bleeding-rbn-BLOCK.rules)
 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(28) (bleeding-rbn-BLOCK.rules)
 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(29) (bleeding-rbn-BLOCK.rules)
 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(30) (bleeding-rbn-BLOCK.rules)
 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(31) (bleeding-rbn-BLOCK.rules)
 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(32) (bleeding-rbn-BLOCK.rules)
 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(33) (bleeding-rbn-BLOCK.rules)


[---]         Disabled rules:        [---]

 2008045 - ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - 
Possible Trojan Report (bleeding.rules)


[---]         Removed rules:         [---]

 2007729 - ET CURRENT EVENTS Likely Zlob Binary Requested 
(VideoAccessCodecInstall.exe) (bleeding.rules)
 2007760 - ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe) 
(bleeding.rules)
 2007761 - ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe) 
(bleeding.rules)
 2007902 - ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe) 
(bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (2):
        #  VERSION 1101
        #  Generated 2008-03-28 01:03:01 EDT

     -> Added to bleeding-drop.rules (2):
        #  VERSION 1101
        #  Generated 2008-03-28 01:03:01 EDT

     -> Added to bleeding-policy.rules (5):
        #by will metcalf
        #by matt jonkman
        #nginx is an open http server. It's quite good, but seems an extremely 
high number of it's
        # installs are malicious. Storm, rbn, etc. Use this rule if you are 
interested
        # disabling by default, falses a lot but may be of interest to some 
folks

     -> Added to bleeding-rbn-BLOCK.rules (2):
        #  VERSION 40
        #  Updated 2008-03-25 00:13:20

     -> Added to bleeding-rbn.rules (2):
        #  VERSION 40
        #  Updated 2008-03-25 00:13:20

     -> Added to bleeding-sid-msg.map (21):
        2008048 || ET MALWARE Suspicious User-Agent (Version 1.23)
        2008049 || ET TROJAN Yahoo550.com Related Downlaoder/Trojan Checkin via 
HTTP
        2008050 || ET POLICY Likely Google Groups pr0n Access
        2008051 || ET POLICY Dell MyWay Remote control agent
        2008052 || ET MALWARE Suspicious User Agent (Internet Explorer)
        2008053 || ET MALWARE InternetSpeedMonitor Related Spyware User-Agent 
(parchmnt loader v1.8)
        2008054 || ET POLICY Nginx Server in use - Often Hostile Traffic
        2008055 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC
        2008056 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2
        2008057 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response
        2008058 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC port 443
        2008059 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2 
port 443
        2008060 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response 
port 443
        2008061 || ET TROJAN LDPinch Checkin (4)
        2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion || 
url,www.milw0rm.com/exploits/5272
        2008063 || ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH 
Command Universal Exploit || bugtraq,28245 || url,www.milw0rm.com/exploits/5248
        2008064 || ET POLICY Nginx Server with no version string - Often 
Hostile Traffic
        2008065 || ET POLICY Nginx Server with modified version string - Often 
Hostile Traffic
        2008066 || ET MALWARE Suspicious Blank User-Agent (descriptor but no 
string)
        2404020 || ET DROP Known Bot C&C Server Traffic (group 21)  || 
url,www.shadowserver.org
        2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE 
|| url,www.shadowserver.org

     -> Added to bleeding-sid-msg.map.txt (21):
        2008048 || ET MALWARE Suspicious User-Agent (Version 1.23)
        2008049 || ET TROJAN Yahoo550.com Related Downlaoder/Trojan Checkin via 
HTTP
        2008050 || ET POLICY Likely Google Groups pr0n Access
        2008051 || ET POLICY Dell MyWay Remote control agent
        2008052 || ET MALWARE Suspicious User Agent (Internet Explorer)
        2008053 || ET MALWARE InternetSpeedMonitor Related Spyware User-Agent 
(parchmnt loader v1.8)
        2008054 || ET POLICY Nginx Server in use - Often Hostile Traffic
        2008055 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC
        2008056 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2
        2008057 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response
        2008058 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC port 443
        2008059 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2 
port 443
        2008060 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response 
port 443
        2008061 || ET TROJAN LDPinch Checkin (4)
        2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion || 
url,www.milw0rm.com/exploits/5272
        2008063 || ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH 
Command Universal Exploit || bugtraq,28245 || url,www.milw0rm.com/exploits/5248
        2008064 || ET POLICY Nginx Server with no version string - Often 
Hostile Traffic
        2008065 || ET POLICY Nginx Server with modified version string - Often 
Hostile Traffic
        2008066 || ET MALWARE Suspicious Blank User-Agent (descriptor but no 
string)
        2404020 || ET DROP Known Bot C&C Server Traffic (group 21)  || 
url,www.shadowserver.org
        2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE 
|| url,www.shadowserver.org

     -> Added to bleeding-virus.rules (3):
        #re Trojan.Win32.Inject.ajq, by matt jonkman
        # 5bb2b20d012cfe541f1173881be28729
        #also seeing the same on 443

     -> Added to bleeding-web.rules (1):
        #by akash mahajan of stillsecure

     -> Added to bleeding.rules (1):
        #disabling by default. Is used in some legit places as well. Use this 
if you have a need

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (2):
        #  VERSION 1095
        #  Generated 2008-03-22 01:03:02 EDT

     -> Removed from bleeding-drop.rules (2):
        #  VERSION 1095
        #  Generated 2008-03-22 01:03:02 EDT

     -> Removed from bleeding-rbn-BLOCK.rules (2):
        #  VERSION 39
        #  Updated 2008-03-16 00:25:31

     -> Removed from bleeding-rbn.rules (2):
        #  VERSION 39
        #  Updated 2008-03-16 00:25:31

     -> Removed from bleeding-sid-msg.map (4):
        2007729 || ET CURRENT EVENTS Likely Zlob Binary Requested 
(VideoAccessCodecInstall.exe)
        2007760 || ET CURRENT EVENTS Likely Storm Binary Requested 
(postcard.exe)
        2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
        2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)

     -> Removed from bleeding-sid-msg.map.txt (4):
        2007729 || ET CURRENT EVENTS Likely Zlob Binary Requested 
(VideoAccessCodecInstall.exe)
        2007760 || ET CURRENT EVENTS Likely Storm Binary Requested 
(postcard.exe)
        2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
        2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)

     -> Removed from bleeding.rules (2):
        # by matt jonkman, to be removed/reconsidered on feb 20 08
        #keeping this, still getting reports of hits


-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Emerging Threats Daily Signature Changes, emerging
Next by Date:  [Snort-sigs] Emerging Threats Daily Signature Changes, emerging
Previous by Thread:  [Snort-sigs] Emerging Threats Weekly Signature Changes, emerging
Next by Thread:  [Snort-sigs] Sourcefire VRT Certified Snort Rules Update, research
Indexes:  [Date] [Thread] [Top] [All Lists]