[Snort-sigs] Emerging Threats Daily Signature Changes

[***] Results from Oinkmaster started Wed Apr  9 17:00:11 2008 [***]

[+++]          Added rules:          [+++]

 2008113 - ET POLICY Tor Get Server Request (bleeding-policy.rules)
 2008115 - ET POLICY Tor Get Status Request (bleeding-policy.rules)
 2008116 - ET POLICY Outbound TFTP Write Request (bleeding-policy.rules)
 2008117 - ET POLICY Outbound TFTP Data Transfer (bleeding-policy.rules)
 2008118 - ET POLICY Outbound TFTP ACK (bleeding-policy.rules)
 2008119 - ET POLICY Outbound TFTP Error Message (bleeding-policy.rules)
 2008120 - ET POLICY Outbound TFTP Read Request (bleeding-policy.rules)
 2008121 - ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id) 
(bleeding.rules)
 2008122 - ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id) 
(bleeding.rules)
 2008123 - ET TROJAN Likely Bot Username in IRC (XP-..) (bleeding-virus.rules)
 2008124 - ET TROJAN Likely Bot Nick in IRC (USA +..) (bleeding-virus.rules)
 2008125 - ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-ID and no 
brackets) (bleeding.rules)


[///]     Modified active rules:     [///]

 2002950 - ET POLICY TOR 1.0 Server Key Retrieval (bleeding-policy.rules)
 2002951 - ET POLICY TOR 1.0 Status Update (bleeding-policy.rules)
 2002952 - ET POLICY TOR 1.0 Inbound Circuit Traffic (bleeding-policy.rules)
 2002953 - ET POLICY TOR 1.0 Outbound Circuit Traffic (bleeding-policy.rules)
 2008112 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec8.exe) 
(bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-policy.rules (2):
        #by Nathaniel Richmond
        #by Nathaniel Richmond

     -> Added to bleeding-sid-msg.map (13):
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request 
(StormCodec8.exe)
        2008113 || ET POLICY Tor Get Server Request || url,tor.eff.org
        2008115 || ET POLICY Tor Get Status Request || url,tor.eff.org
        2008116 || ET POLICY Outbound TFTP Write Request
        2008117 || ET POLICY Outbound TFTP Data Transfer
        2008118 || ET POLICY Outbound TFTP ACK
        2008119 || ET POLICY Outbound TFTP Error Message
        2008120 || ET POLICY Outbound TFTP Read Request
        2008121 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked 
Message-Id)
        2008122 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked 
Message-Id)
        2008123 || ET TROJAN Likely Bot Username in IRC (XP-..)
        2008124 || ET TROJAN Likely Bot Nick in IRC (USA +..)
        2008125 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked 
Message-ID and no brackets)

     -> Added to bleeding-sid-msg.map.txt (13):
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request 
(StormCodec8.exe)
        2008113 || ET POLICY Tor Get Server Request || url,tor.eff.org
        2008115 || ET POLICY Tor Get Status Request || url,tor.eff.org
        2008116 || ET POLICY Outbound TFTP Write Request
        2008117 || ET POLICY Outbound TFTP Data Transfer
        2008118 || ET POLICY Outbound TFTP ACK
        2008119 || ET POLICY Outbound TFTP Error Message
        2008120 || ET POLICY Outbound TFTP Read Request
        2008121 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked 
Message-Id)
        2008122 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked 
Message-Id)
        2008123 || ET TROJAN Likely Bot Username in IRC (XP-..)
        2008124 || ET TROJAN Likely Bot Nick in IRC (USA +..)
        2008125 || ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked 
Message-ID and no brackets)

     -> Added to bleeding-virus.rules (1):
        #by Greg Bowser

     -> Added to bleeding.rules (3):
        #data from Joe Stewart at Secureworks. Sigs by matt jonkman
        # bobax has some unusual fake header characteristics in it's spam.
        # This ought to help ID inbound spam and thus infected hosts.

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (3):
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request 
(StormCodex8.exe)
        2404021 || ET DROP Known Bot C&C Server Traffic (group 22)  || 
url,www.shadowserver.org
        2405021 || ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE 
|| url,www.shadowserver.org

     -> Removed from bleeding-sid-msg.map.txt (3):
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request 
(StormCodex8.exe)
        2404021 || ET DROP Known Bot C&C Server Traffic (group 22)  || 
url,www.shadowserver.org
        2405021 || ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE 
|| url,www.shadowserver.org


-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs