Bleeding Edge Threats Daily Signature Changes: msg#00112

security.ids.snort.bleedingsnort

Subject: Bleeding Edge Threats Daily Signature Changes


[***] Results from Oinkmaster started Mon Jan 15 20:00:04 2007 [***]

[+++] Added rules: [+++]

2003254 - BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Windows
Source) (bleeding-malware.rules)
2003255 - BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Linux Source)
(bleeding-malware.rules)
2003256 - BLEEDING-EDGE MALWARE Socksv4 Port 25 Inbound Request (Windows
Source) (bleeding-malware.rules)
2003257 - BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Linux Source)
(bleeding-malware.rules)
2003258 - BLEEDING-EDGE MALWARE Socksv5 DNS Inbound Request (Windows Source)
(bleeding-malware.rules)
2003259 - BLEEDING-EDGE MALWARE Socksv5 DNS Inbound Request (Linux Source)
(bleeding-malware.rules)
2003260 - BLEEDING-EDGE MALWARE Socksv5 HTTP Proxy Inbound Request (Windows
Source) (bleeding-malware.rules)
2003261 - BLEEDING-EDGE MALWARE Socksv5 HTTP Proxy Inbound Request (Linux
Source) (bleeding-malware.rules)
2003262 - BLEEDING-EDGE MALWARE Socksv4 HTTP Proxy Inbound Request (Windows
Source) (bleeding-malware.rules)
2003263 - BLEEDING-EDGE MALWARE Socksv4 HTTP Proxy Inbound Request (Linux
Source) (bleeding-malware.rules)
2003264 - BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Windows Source)
(bleeding-malware.rules)
2003265 - BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Linux Source)
(bleeding-malware.rules)
2003266 - BLEEDING-EDGE MALWARE Socksv5 Port 443 Inbound Request (Windows
Source) (bleeding-malware.rules)
2003267 - BLEEDING-EDGE MALWARE Socksv5 Port 443 Inbound Request (Linux
Source) (bleeding-malware.rules)
2003268 - BLEEDING-EDGE MALWARE Socksv4 Port 443 Inbound Request (Windows
Source) (bleeding-malware.rules)
2003269 - BLEEDING-EDGE MALWARE Socksv4 Port 443 Inbound Request (Linux
Source) (bleeding-malware.rules)
2003270 - BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request (Windows
Source) (bleeding-malware.rules)
2003271 - BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request (Linux
Source) (bleeding-malware.rules)
2003272 - BLEEDING-EDGE MALWARE Socksv4 Port 5190 Inbound Request (Windows
Source) (bleeding-malware.rules)
2003273 - BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request (Linux
Source) (bleeding-malware.rules)
2003274 - BLEEDING-EDGE MALWARE Socksv5 Port 1863 Inbound Request (Windows
Source) (bleeding-malware.rules)
2003275 - BLEEDING-EDGE MALWARE Socksv5 Port 1863 Inbound Request (Linux
Source) (bleeding-malware.rules)
2003276 - BLEEDING-EDGE MALWARE Socksv4 Port 1863 Inbound Request (Windows
Source) (bleeding-malware.rules)
2003277 - BLEEDING-EDGE MALWARE Socksv4 Port 1863 Inbound Request (Linux
Source) (bleeding-malware.rules)
2003278 - BLEEDING-EDGE MALWARE Socksv5 Port 5050 Inbound Request (Windows
Source) (bleeding-malware.rules)
2003279 - BLEEDING-EDGE MALWARE Socksv5 Port 5050 Inbound Request (Linux
Source) (bleeding-malware.rules)
2003280 - BLEEDING-EDGE MALWARE Socksv4 Port 5050 Inbound Request (Windows
Source) (bleeding-malware.rules)
2003281 - BLEEDING-EDGE MALWARE Socksv4 Port 5050 Inbound Request (Linux
Source) (bleeding-malware.rules)
2003282 - BLEEDING-EDGE MALWARE Socksv4 Inbound Connect Request (Windows
Source) (bleeding-malware.rules)
2003283 - BLEEDING-EDGE MALWARE Socksv4 Inbound Connect Request (Linux Source)
(bleeding-malware.rules)
2003284 - BLEEDING-EDGE MALWARE Socksv5 IPv6 Inbound Connect Request (Windows
Source) (bleeding-malware.rules)
2003285 - BLEEDING-EDGE MALWARE Socksv5 IPv6 Inbound Connect Request (Linux
Source) (bleeding-malware.rules)
2003286 - BLEEDING-EDGE MALWARE Socksv5 UDP Proxy Inbound Connect Request
(Windows Source) (bleeding-malware.rules)
2003287 - BLEEDING-EDGE MALWARE Socksv5 UDP Proxy Inbound Connect Request
(Linux Source) (bleeding-malware.rules)
2003288 - BLEEDING-EDGE MALWARE Socksv4 Bind Inbound (Windows Source)
(bleeding-malware.rules)
2003289 - BLEEDING-EDGE MALWARE Socksv4 Bind Inbound (Linux Source)
(bleeding-malware.rules)
2003290 - BLEEDING-EDGE MALWARE Socksv5 Bind Inbound (Linux Source)
(bleeding-malware.rules)
2003291 - BLEEDING-EDGE MALWARE Socksv5 Bind Inbound (Windows Source)
(bleeding-malware.rules)
2003292 - BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Outbound
(bleeding-virus.rules)
2003293 - BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Inbound
(bleeding-virus.rules)
2003294 - BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Inbound
(bleeding-virus.rules)
2003295 - BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Outbound
(bleeding-virus.rules)
2003296 - BLEEDING-EDGE TROJAN Possible Web-based DDoS-command being issued
(bleeding-virus.rules)


[///] Modified active rules: [///]

2002992 - BLEEDING-EDGE SCAN Rapid POP3 Connections - Possible Brute Force
Attack (bleeding-scan.rules)
2002993 - BLEEDING-EDGE SCAN Rapid POP3S Connections - Possible Brute Force
Attack (bleeding-scan.rules)
2002994 - BLEEDING-EDGE SCAN Rapid IMAP Connections - Possible Brute Force
Attack (bleeding-scan.rules)
2002995 - BLEEDING-EDGE SCAN Rapid IMAPS Connections - Possible Brute Force
Attack (bleeding-scan.rules)
2003099 - BLEEDING-EDGE WEB-MISC Poison Null Byte (bleeding-web.rules)
2003180 - BLEEDING-EDGE TROJAN Possible Warezov/Stration Data Post to
Controller (bleeding-virus.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound
(bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound
(bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound
(bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound
(bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound
(bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING
SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING
SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING
SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING
SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING
SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source
(bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING
(bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)
(bleeding-botcc.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)
(bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)
(bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)
(bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)
(bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)
(bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)


[---] Removed rules: [---]

2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)
(bleeding-botcc.rules)
2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)
(bleeding-botcc.rules)
2404008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9)
(bleeding-botcc.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)


[+++] Added non-rule lines: [+++]

-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 56

-> Added to bleeding-drop.rules (1):
# VERSION 56

-> Added to bleeding-malware.rules (7):
#by William Salusky of the ISC (www.incidents.org)
# Details and updates available here
http://handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
# If you have any socks proxies being abused in your environment... The
following four rules are MONEY.
# The following rules open ended arbitrary Socks4 detection of ANY port
being proxied. I run this only on occasion when looking for sketchy new
activity. A better rule would do byte tests to exclude common target ports of
25, 80 etc...
# Another case of rules that fire according to RFC standards, but I
haven't really witnessed this type of traffic to confirm.
# Another case of rules that fire according to RFC standards, but I
haven't really witnessed this type of traffic to confirm.
# I keep these mostly commented, while they are correct according to
RFC for BIND actions, in practice I've found only FP's which I still need to
dig through and see what's really going on there.

-> Added to bleeding-sid-msg.map (44):
2003180 || BLEEDING-EDGE TROJAN Possible Warezov/Stration Data Post to
Controller || url,www.sophos.com/security/analyses/w32strationbo.html
2003254 || BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003255 || BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Linux
Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003256 || BLEEDING-EDGE MALWARE Socksv4 Port 25 Inbound Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003257 || BLEEDING-EDGE MALWARE Socksv5 Port 25 Inbound Request (Linux
Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003258 || BLEEDING-EDGE MALWARE Socksv5 DNS Inbound Request (Windows
Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003259 || BLEEDING-EDGE MALWARE Socksv5 DNS Inbound Request (Linux
Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003260 || BLEEDING-EDGE MALWARE Socksv5 HTTP Proxy Inbound Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003261 || BLEEDING-EDGE MALWARE Socksv5 HTTP Proxy Inbound Request
(Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003262 || BLEEDING-EDGE MALWARE Socksv4 HTTP Proxy Inbound Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003263 || BLEEDING-EDGE MALWARE Socksv4 HTTP Proxy Inbound Request
(Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003264 || BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Windows
Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003265 || BLEEDING-EDGE MALWARE HTTP Connect Request Inbound (Linux
Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003266 || BLEEDING-EDGE MALWARE Socksv5 Port 443 Inbound Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003267 || BLEEDING-EDGE MALWARE Socksv5 Port 443 Inbound Request
(Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003268 || BLEEDING-EDGE MALWARE Socksv4 Port 443 Inbound Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003269 || BLEEDING-EDGE MALWARE Socksv4 Port 443 Inbound Request
(Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003270 || BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003271 || BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request
(Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003272 || BLEEDING-EDGE MALWARE Socksv4 Port 5190 Inbound Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003273 || BLEEDING-EDGE MALWARE Socksv5 Port 5190 Inbound Request
(Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003274 || BLEEDING-EDGE MALWARE Socksv5 Port 1863 Inbound Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003275 || BLEEDING-EDGE MALWARE Socksv5 Port 1863 Inbound Request
(Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003276 || BLEEDING-EDGE MALWARE Socksv4 Port 1863 Inbound Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003277 || BLEEDING-EDGE MALWARE Socksv4 Port 1863 Inbound Request
(Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003278 || BLEEDING-EDGE MALWARE Socksv5 Port 5050 Inbound Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003279 || BLEEDING-EDGE MALWARE Socksv5 Port 5050 Inbound Request
(Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003280 || BLEEDING-EDGE MALWARE Socksv4 Port 5050 Inbound Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003281 || BLEEDING-EDGE MALWARE Socksv4 Port 5050 Inbound Request
(Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003282 || BLEEDING-EDGE MALWARE Socksv4 Inbound Connect Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003283 || BLEEDING-EDGE MALWARE Socksv4 Inbound Connect Request (Linux
Source) || url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003284 || BLEEDING-EDGE MALWARE Socksv5 IPv6 Inbound Connect Request
(Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003285 || BLEEDING-EDGE MALWARE Socksv5 IPv6 Inbound Connect Request
(Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003286 || BLEEDING-EDGE MALWARE Socksv5 UDP Proxy Inbound Connect
Request (Windows Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003287 || BLEEDING-EDGE MALWARE Socksv5 UDP Proxy Inbound Connect
Request (Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003288 || BLEEDING-EDGE MALWARE Socksv4 Bind Inbound (Windows Source)
|| url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003289 || BLEEDING-EDGE MALWARE Socksv4 Bind Inbound (Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003290 || BLEEDING-EDGE MALWARE Socksv5 Bind Inbound (Linux Source) ||
url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003291 || BLEEDING-EDGE MALWARE Socksv5 Bind Inbound (Windows Source)
|| url,handlers.sans.org/wsalusky/ws/index.php/Snort-SOCKS-proto-rules
2003292 || BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Outbound ||
url,www.sophos.com/virusinfo/analyses/w32allapleb.html
2003293 || BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Inbound ||
url,www.sophos.com/virusinfo/analyses/w32allapleb.html
2003294 || BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Inbound ||
url,www.sophos.com/virusinfo/analyses/w32allapleb.html
2003295 || BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Outbound ||
url,www.sophos.com/virusinfo/analyses/w32allapleb.html
2003296 || BLEEDING-EDGE TROJAN Possible Web-based DDoS-command being
issued

-> Added to bleeding-virus.rules (2):
#from anonymous
#by Matt Jonkman

[---] Removed non-rule lines: [---]

-> Removed from bleeding-attack_response.rules (1):
# $Id: bleeding-attack_response.rules $

-> Removed from bleeding-dos.rules (1):
# $Id: bleeding-dos.rules $

-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 53

-> Removed from bleeding-drop.rules (1):
# VERSION 53

-> Removed from bleeding-exploit.rules (1):
# $Id: bleeding-exploit.rules $

-> Removed from bleeding-game.rules (1):
# $Id: bleeding-game.rules $

-> Removed from bleeding-inappropriate.rules (1):
# $Id: bleeding-inappropriate.rules $

-> Removed from bleeding-malware.rules (1):
# $Id: bleeding-malware.rules $

-> Removed from bleeding-p2p.rules (1):
# $Id: bleeding-p2p.rules $

-> Removed from bleeding-policy.rules (1):
# $Id: bleeding-policy.rules $

-> Removed from bleeding-scan.rules (1):
# $Id: bleeding-scan.rules $

-> Removed from bleeding-sid-msg.map (7):
2003180 || BLEEDING-EDGE TROJAN Warezov/Stration Data Post to
Controller || url,www.sophos.com/security/analyses/w32strationbo.html
2404006 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)
|| url,www.shadowserver.org
2404007 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)
|| url,www.shadowserver.org
2404008 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9)
|| url,www.shadowserver.org
2405006 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) -
BLOCKING SOURCE || url,www.shadowserver.org
2405007 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) -
BLOCKING SOURCE || url,www.shadowserver.org
2405008 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) -
BLOCKING SOURCE || url,www.shadowserver.org

-> Removed from bleeding-virus.rules (1):
# $Id: bleeding-virus.rules $

-> Removed from bleeding-web.rules (1):
# $Id: bleeding-web.rules $
