Subject: Re: Bleedingsnort.com Daily Update - msg#00099
List: security.ids.snort.sigs
Have a look at oinkmaster.conf for this functionality.
cbdugd@dugdale ~
> <> grep skip /etc/oinkmaster.conf
# You can then choose to skip individual files by specifying
# the "skipfile" keyword below.
# Files to totally skip (i.e. never update or check for changes) #
# Syntax: skipfile filename #
# or: skipfile filename1, filename2, filename3, ... #
skipfile local.rules
skipfile deleted.rules
# Also skip snort.conf by default since we don't want to overwrite our own
skipfile snort.conf
skipfile threshold.conf
# If you just want to disable SIDs, please skip this section and have a
#
On Tue, 2004-08-31 at 13:21, Jose Maria Lopez wrote:
> On Tue, 31 Aug 2004 at 03:00, matt@xxxxxxxxxxx wrote:
> > [***] Results from Oinkmaster started Mon Aug 30 20:00:01 2004 [***]
> >
> > [///] Modified active rules: [///]
> >
> > -> Modified active in bleeding.rules (2):
> > old: alert ip any any -> any any (msg:"BLEEDING-EDGE Possible CIA
> > trojan activity"; content:"CIA 1."; content:"pass";
> > classtype:trojan-activity; sid:2001234; rev:1;)
> > new: alert ip any any -> any any (msg:"BLEEDING-EDGE Win32/Small.AR
> > outbound activity"; uricontent:"/zosman/cia/index.php";
> > classtype:trojan-activity; sid:2001234; rev:2;)
> > old: alert ip any any -> any any (msg:"BLEEDING-EDGE Possible CIA
> > Trojan/Backdoor download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|";
> > classtype:trojan-activity; sid:2001233; rev:1;)
> > new: alert ip any any -> any any (msg:"BLEEDING-EDGE Possible
> > Win32/Small.AR download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|";
> > classtype:trojan-activity; sid:2001233; rev:2;)
> >
> > [+++] Added non-rule lines: [+++]
> >
> > -> Added to bleeding-sid-msg.map (2):
> > 2001233 || BLEEDING-EDGE Possible Win32/Small.AR download/upload
> > attempt
> > 2001234 || BLEEDING-EDGE Win32/Small.AR outbound activity
> >
> > [---] Removed non-rule lines: [---]
> >
> > -> Removed from bleeding-sid-msg.map (2):
> > 2001233 || BLEEDING-EDGE Possible CIA Trojan/Backdoor
> > download/upload attempt
> > 2001234 || BLEEDING-EDGE Possible CIA trojan activity
> >
> > [*] Added files: [*]
> > None.
>
> I have read this message and I would like to know if oinkmaster
> is really capable of getting the new rules and adding them without
> touching the rules I have changed. This could be very important
> for me, because when I install snort for a client they always want
> the rules to be updated automatically, but I always need to touch them
> to make a good IDS.
>
> So my question is: are you using oinkmaster to do this work? Could
> it do what I want it to do?
--
Ben Dugdale <ben@xxxxxxxxxxxxxxxx>
Apache County Data Processing
(928) 337-7507
---
[Scanned for viruses]
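As an added example (not code from the thread or from Oinkmaster itself), the behaviour Jose asks for, pulling an upstream update while leaving operator-edited rules untouched, done as a small SID-based merge; the sample rules are constructed from the sid 2001233/2001234 rev:1 to rev:2 change quoted above, and the local_sids set and the $HOME_NET tweak in the local copy are assumptions.

```python
"""Added example, not from the thread or from Oinkmaster: merge an upstream
rule update into a local rules file while keeping any rule the operator has
edited (selected by SID), and report what was added, updated or kept."""
import re

_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_REV = re.compile(r"\brev\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Return {sid: rule_line}; commented-out ("#alert ...") rules are kept."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SID.search(line)
        if m and line.lstrip("#").startswith(("alert", "log", "pass", "drop")):
            rules[int(m.group(1))] = line
    return rules

def rev_of(rule):
    m = _REV.search(rule)
    return int(m.group(1)) if m else 0

def merge(local_text, upstream_text, local_sids):
    """Apply upstream rules except for SIDs in local_sids, which keep the local
    copy. Returns (merged {sid: rule}, [(action, sid, old_rev, new_rev), ...])."""
    local, upstream = parse_rules(local_text), parse_rules(upstream_text)
    merged, report = dict(local), []
    for sid, rule in upstream.items():
        new_rev = rev_of(rule)
        if sid not in local:
            report.append(("added", sid, 0, new_rev))
        elif sid in local_sids:  # operator-tuned rule: never overwritten
            report.append(("kept-local", sid, rev_of(local[sid]), new_rev))
            continue
        elif new_rev > rev_of(local[sid]):
            report.append(("updated", sid, rev_of(local[sid]), new_rev))
        merged[sid] = rule
    return merged, report

# Constructed sample from the thread's rules; the local copy of sid 2001234 has
# been tuned to $HOME_NET (assumed), which is why it must survive the update.
LOCAL = """\
alert ip $HOME_NET any -> any any (msg:"BLEEDING-EDGE Possible CIA trojan activity"; content:"CIA 1."; content:"pass"; classtype:trojan-activity; sid:2001234; rev:1;)
alert ip any any -> any any (msg:"BLEEDING-EDGE Possible CIA Trojan/Backdoor download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; classtype:trojan-activity; sid:2001233; rev:1;)
"""
UPSTREAM = """\
alert ip any any -> any any (msg:"BLEEDING-EDGE Win32/Small.AR outbound activity"; uricontent:"/zosman/cia/index.php"; classtype:trojan-activity; sid:2001234; rev:2;)
alert ip any any -> any any (msg:"BLEEDING-EDGE Possible Win32/Small.AR download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; classtype:trojan-activity; sid:2001233; rev:2;)
alert tcp any any <> any any (msg:"BLEEDING-EDGE CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; classtype:policy-violation; priority:1; sid:2001260; rev:1;)
"""
```

The skipfile keyword shown in the grep output works per file; this merge works per SID, so a tuned rule survives while the rest of the same file still updates.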
-------------------------------------------------------
This SF.Net email is sponsored by: thawte's Crypto Challenge Vl
Crack the code and win a Sony DCRHC40 MiniDV Digital Handycam
Camcorder. More prizes in the weekly Lunch Hour Challenge.
Sign up NOW http://ad.doubleclick.net/clk;10740251;10262165;m
Thread at a glance:
Previous Message by Date:
False positives on FTP command 100 character limit
Hi,
I'm getting a lot of false positives on the FTP command size checks, like
rule 1748. They are (mostly) caused by FTP clients that retrieve a file using
the complete path in the RETR command. Is there a reason the limit is at 100
characters, or is it safe to raise that limit to reduce the number of false
positives?
Rule 2546 is triggered a lot by the WS-FTP Pro synchronisation tool. It is a
tool to synchronise a local directory with a directory on an FTP server. It
uses a lot of MDTM commands with the full pathname to compare the local and
remote files.
Examples:
length = 109
000 : 4D 44 54 4D 20 32 30 30 34 30 36 32 35 31 38 33 MDTM 20040625183
010 : 33 34 34 20 2F 77 65 62 73 69 74 65 2F 70 65 72 344 /website/per
020 : 73 6F 6E 65 65 6C 2F 70 65 72 73 6F 6E 65 65 6C soneel/personeel
030 : 73 76 65 72 65 6E 69 67 69 6E 67 2F 66 6F 74 6F svereniging/foto
040 : 27 73 20 32 35 20 6A 75 6E 69 20 32 30 30 34 2F 's 25 juni 2004/
050 : 44 61 67 6A 65 20 75 69 74 20 70 76 20 32 35 30 Dagje uit pv 250
060 : 36 30 34 20 30 34 39 2E 6A 70 67 0D 0A 604 049.jpg..
length = 130
000 : 4D 44 54 4D 20 32 30 30 31 30 35 31 31 31 30 32 MDTM 20010511102
010 : 30 30 34 20 2F 77 65 62 73 69 74 65 2F 69 6E 68 004 /website/inh
020 : 6F 75 64 2F 6C 65 65 72 6C 69 6E 67 65 6E 7A 6F oud/leerlingenzo
030 : 72 67 2F 68 61 6E 73 20 76 65 72 62 72 75 67 67 rg/hans verbrugg
040 : 65 6E 2F 69 6E 66 6F 72 6D 61 74 69 65 20 6D 61 en/informatie ma
050 : 74 65 72 69 61 61 6C 2F 76 6F 6F 72 6C 69 63 68 teriaal/voorlich
060 : 74 69 6E 67 20 68 61 6E 73 2F 76 69 73 75 65 6C ting hans/visuel
070 : 65 20 77 61 61 72 6E 65 6D 69 6E 67 2E 64 6F 63 e waarneming.doc
080 : 0D 0A ..
Thanks,
Sander Steffann.
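Added example, not code from Sander's post or from the Snort rules: a decoder for the hex dumps above plus a length check that applies the 100-character limit the post asks about; treating the limit as a plain argument-length test is an assumption, not the rules' own matching logic.

```python
"""Added example (not from the thread): decode the "offset : hex ... ascii"
dumps Sander posted and measure each FTP command's argument against the
100-character limit the post asks about (a plain length test, assumed)."""

LIMIT = 100  # character limit the post attributes to rules 1748 / 2546

def decode_dump(dump):
    """Turn one 'length = N' dump into bytes. Rows carry 16 bytes (the last
    fewer); N fixes how many hex tokens to read per row, so the ASCII column,
    which can itself look like hex, is never misread."""
    lines = [ln.strip() for ln in dump.strip().splitlines()]
    total = int(lines[0].split("=")[1])
    data = bytearray()
    for row in lines[1:]:
        tokens = row.split(":", 1)[1].split()
        need = min(16, total - len(data))
        data.extend(int(t, 16) for t in tokens[:need])
    if len(data) != total:
        raise ValueError("dump shorter than its declared length")
    return bytes(data)

def check_ftp_command(line, limit=LIMIT):
    """Split an FTP command line into verb and argument and flag the
    argument when it is longer than limit characters (CRLF not counted)."""
    text = line.decode("latin-1").rstrip("\r\n")
    verb, _, arg = text.partition(" ")
    return {"verb": verb, "arg_len": len(arg), "over_limit": len(arg) > limit}

# Sample dumps copied from the post (WS-FTP Pro MDTM commands with full paths).
DUMP_109 = """
length = 109
000 : 4D 44 54 4D 20 32 30 30 34 30 36 32 35 31 38 33 MDTM 20040625183
010 : 33 34 34 20 2F 77 65 62 73 69 74 65 2F 70 65 72 344 /website/per
020 : 73 6F 6E 65 65 6C 2F 70 65 72 73 6F 6E 65 65 6C soneel/personeel
030 : 73 76 65 72 65 6E 69 67 69 6E 67 2F 66 6F 74 6F svereniging/foto
040 : 27 73 20 32 35 20 6A 75 6E 69 20 32 30 30 34 2F 's 25 juni 2004/
050 : 44 61 67 6A 65 20 75 69 74 20 70 76 20 32 35 30 Dagje uit pv 250
060 : 36 30 34 20 30 34 39 2E 6A 70 67 0D 0A 604 049.jpg..
"""
DUMP_130 = """
length = 130
000 : 4D 44 54 4D 20 32 30 30 31 30 35 31 31 31 30 32 MDTM 20010511102
010 : 30 30 34 20 2F 77 65 62 73 69 74 65 2F 69 6E 68 004 /website/inh
020 : 6F 75 64 2F 6C 65 65 72 6C 69 6E 67 65 6E 7A 6F oud/leerlingenzo
030 : 72 67 2F 68 61 6E 73 20 76 65 72 62 72 75 67 67 rg/hans verbrugg
040 : 65 6E 2F 69 6E 66 6F 72 6D 61 74 69 65 20 6D 61 en/informatie ma
050 : 74 65 72 69 61 61 6C 2F 76 6F 6F 72 6C 69 63 68 teriaal/voorlich
060 : 74 69 6E 67 20 68 61 6E 73 2F 76 69 73 75 65 6C ting hans/visuel
070 : 65 20 77 61 61 72 6E 65 6D 69 6E 67 2E 64 6F 63 e waarneming.doc
080 : 0D 0A ..
"""
```

Both dumps decode to MDTM arguments of 102 and 123 characters, which is why a 100-character threshold fires on legitimate full-path synchronisation traffic.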
Next Message by Date:
Re: " ..MS Terminal Server no encryption.. " misfire?
Here is a tcp dump and alert file.
Obfuscated and on a false account, in case the alert is right...
Thanks
On Fri, 2004-08-27 at 11:18, Nigel Houghton wrote:
> On 0, Ben Dugdale <ben.dugdale@xxxxxxxxxxxxx> allegedly wrote:
> > The "... MS Terminal Server no encryption session initiation attempt"
> > rule seems to be misfiring.
> >
> > False Positives:
> > Connect to a MS Server using rdesktop.
> >
> > The rdesktop man page seems to indicate that default use is encrypted.
> >
> > From the rdesktop man page...
> >
> > -e Disable encryption. This option is only needed (and will only work)
> > if you have a French version of NT TSE.
> >
> > -E Disable encryption from client to server. This sends an encrypted
> > login packet, but everything after this is unencrypted (including
> > interactive logins).
> >
> > Either the rule is misfiring or rdesktop is not behaving as advertised.
> > Evidence suggests a misfire.
> >
> > --
>
> Please send packet capture data to support your findings.
>
> +-------------------------------------------------------------------------+
> Nigel Houghton Research Engineer Sourcefire Inc.
> Vulnerability Research Team
>
> "Dude, dolphins are intelligent and friendly!" - Wendy
> "Intelligent and friendly on rye bread, with some mayonnaise." - Cartman
> +-------------------------------------------------------------------------+
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
Ben Dugdale <ben@xxxxxxxxxxxxxxxx>
Apache County Data Processing
(928) 337-7507
Attachments: alert (text document), snort.log.1093968900 (binary data)
Previous Message by Thread:
Bleedingsnort.com Daily Update
[***] Results from Oinkmaster started Mon Sep 13 00:05:42 2004 [***]
[+++] Added rules: [+++]
-> Added to bleeding-malware.rules (15):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Traffic Syndicate Add/Remove";
uricontent:"/Support/AddRemove.aspx?id="; nocase; classtype:trojan-activity;
sid:2001313; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Wild Tangent Agent"; uricontent:"/CDAFiles/";
nocase; classtype:trojan-activity; sid:2001314; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Wild Tangent Agent Checking In";
uricontent:"/CDADeliveries/Checkin.aspx"; nocase; classtype:trojan-activity;
sid:2001309; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Speedera Agent"; uricontent:"/io/downloads";
nocase; classtype:trojan-activity; sid:2001320; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Wild Tangent New Install";
uricontent:"/NewUser/Checkin.aspx"; nocase; classtype:trojan-activity;
sid:2001322; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Unknown Spyware Agent Traffic";
uricontent:"/sitereview.asmx/GetReview"; nocase; classtype:trojan-activity;
sid:2001323; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE Malware Webhancer Data Upload"; content:"WebHancer
Authority Server"; nocase; classtype:trojan-activity; sid:2001317; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Wild Tangent Agent Traffic";
uricontent:"/CDAFiles/DP/SysConfig"; nocase; classtype:trojan-activity;
sid:2001310; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Traffic Syndicate Agent Updating";
uricontent:"/TbInstConfig.asmx"; nocase; classtype:trojan-activity;
sid:2001316; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Rdxrp.com Traffic"; uricontent:"/rdxr020304.dat";
nocase; classtype:trojan-activity; sid:2001311; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Traffic Syndicate Agent Updating";
uricontent:"/TbLinkConfig.asmx"; nocase; classtype:trojan-activity;
sid:2001315; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Rdxrp.com Traffic (Generic)"; uricontent:"/rdxr";
nocase; uricontent:".dat"; nocase; classtype:trojan-activity; sid:2001312;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Unknown Spyware Agent Upload";
uricontent:"/conf/xml/"; nocase; classtype:trojan-activity; sid:2001324; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Speedera Agent (Specific)";
uricontent:"/io/downloads/3/wsem302.dl"; nocase; classtype:trojan-activity;
sid:2001321; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Malware Adwave Agent Access";
uricontent:"/search_404.aspx?aff="; nocase; classtype:trojan-activity;
sid:2001318; rev:1;)
[---] Removed rules: [---]
-> Removed from bleeding-malware.rules (2):
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE IE spyware downloader get.php"; content:"script";
content:"language"; content:"JavaScript"; content:"src"; content:"http\:\/\/";
content:".php"; content:"\/"; content:"script"; reference: url,
http.www.giac.org/practical/GCIH/Franklin_Witter_GCIH.pdf; nocase;
classtype:misc-attack; sid:2000511; rev:2;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE IE spyware downloader prompt.php";
pcre:"/document\.write[\s]*\([\s]*["'](%[0-9a-fA-F]{1,2}){20}/i"; reference:
url, http.www.giac.org/practical/GCIH/Franklin_Witter_GCIH.pdf;
classtype:misc-attack; sid:2000512; rev:3;)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-sid-msg.map (15):
2001309 || BLEEDING-EDGE Malware Wild Tangent Agent Checking In
2001310 || BLEEDING-EDGE Malware Wild Tangent Agent Traffic
2001311 || BLEEDING-EDGE Malware Rdxrp.com Traffic
2001312 || BLEEDING-EDGE Malware Rdxrp.com Traffic (Generic)
2001313 || BLEEDING-EDGE Malware Traffic Syndicate Add/Remove
2001314 || BLEEDING-EDGE Malware Wild Tangent Agent
2001315 || BLEEDING-EDGE Malware Traffic Syndicate Agent Updating
2001316 || BLEEDING-EDGE Malware Traffic Syndicate Agent Updating
2001317 || BLEEDING-EDGE Malware Webhancer Data Upload
2001318 || BLEEDING-EDGE Malware Adwave Agent Access
2001320 || BLEEDING-EDGE Malware Speedera Agent
2001321 || BLEEDING-EDGE Malware Speedera Agent (Specific)
2001322 || BLEEDING-EDGE Malware Wild Tangent New Install
2001323 || BLEEDING-EDGE Malware Unknown Spyware Agent Traffic
2001324 || BLEEDING-EDGE Malware Unknown Spyware Agent Upload
[*] Added files: [*]
None.
-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
Next Message by Thread:
Bleedingsnort.com Daily Update
[***] Results from Oinkmaster started Tue Sep 14 20:00:04 2004 [***]
[///] Modified active rules: [///]
-> Modified active in bleeding.rules (5):
old: alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k file
request answer"; content:"|e3|"; offset:0; depth:1; content:"|00000059|";
offset:2; depth:4; classtype:policy-violation;
reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1;
sid:2000333;)
new: alert tcp any any -> any 4660:4799 (msg:"BLEEDING-EDGE P2P ed2k
file request answer"; content:"|e3|"; offset:0; depth:1; content:"|00000059|";
offset:2; depth:4; classtype:policy-violation;
reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 2;
sid:2000333;)
old: alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k file
search"; content:"|e3|"; offset:0; depth:1; content:"|00000016|"; offset:2;
depth:4; classtype:policy-violation;
reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1;
sid:2000331;)
new: alert tcp any any -> any 4660:4799 (msg:"BLEEDING-EDGE P2P ed2k
file search"; content:"|e3|"; offset:0; depth:1; content:"|00000016|";
offset:2; depth:4; classtype:policy-violation;
reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 2;
sid:2000331;)
old: alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k request
part"; content:"|e3|"; offset:0; depth:1; content:"|00000047|"; offset:2;
depth:4; classtype:policy-violation;
reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1;
sid:2000332;)
new: alert tcp any any -> any 4660:4799 (msg:"BLEEDING-EDGE P2P ed2k
request part"; content:"|e3|"; offset:0; depth:1; content:"|00000047|";
offset:2; depth:4; classtype:policy-violation;
reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 2;
sid:2000332;)
old: alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k
connection to server"; content:"|e3|"; offset:0; depth:1; content:"|00000001|";
offset:2; depth:4; classtype:policy-violation;
reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 1;
sid:2000330;)
new: alert tcp any any -> any 4660:4799 (msg:"BLEEDING-EDGE P2P ed2k
connection to server"; content:"|e3|"; offset:0; depth:1; content:"|00000001|";
offset:2; depth:4; classtype:policy-violation;
reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 2;
sid:2000330;)
old: alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25
(msg:"BLEEDING-EDGE Multiple Non-SMTP Server Emails";flags: S; threshold: type
threshold, track by_src,count 10, seconds 60; classtype:misc-activity; rev:2;
sid:2000328;)
new: alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25
(msg:"BLEEDING-EDGE Multiple Non-SMTP Server Emails";flags: S; threshold: type
threshold, track by_src,count 10, seconds 120; classtype:misc-activity; rev:3;
sid:2000328;)
[---] Disabled rules: [---]
-> Disabled in bleeding.rules (1):
#alert tcp any any <> any any (msg:"BLEEDING-EDGE CHAT Yahoo IM
message"; flow:established; content:"YMSG"; depth:4;
classtype:policy-violation; priority:1; sid:2001260; rev:1;)
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (1):
2001260 || BLEEDING-EDGE CHAT Yahoo IM message
[*] Added files: [*]
None.