Bleedingsnort.com Daily Update: msg#00169 (security.ids.snort.sigs)
[***] Results from Oinkmaster started Thu Oct 21 20:00:02 2004 [***]

[+++]          Added rules:          [+++]

 -> Added to bleeding-virus.rules (2):

alert tcp $EXTERNAL_NET 5190 -> any any (msg:"BLEEDING-EDGE WORM RBOT inbound Bestfriends.scr"; content:"http"; nocase; content:"bestfriends.scr"; within:80; nocase; classtype:trojan-activity; sid:2001367; rev:1;)
alert tcp $HOME_NET any -> any 5190 (msg:"BLEEDING-EDGE WORM RBOT infection Bestfriends.scr"; content:"http"; nocase; content:"bestfriends.scr"; within:80; nocase; sid:2001368; rev:2;)

 -> Added to bleeding.rules (5):

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"BLEEDING-EDGE Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flow:established,to_server; content:"|10 00 00 10 cc|"; offset:0; depth:5; flowbits:isnotset,tagged; flowbits:set,tagged; tag:host,3,packets,src; reference:bugtraq,11265; classtype:attempted-dos; sid:2001366; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; classtype:shellcode-detect; sid:2001369; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype:shellcode-detect; sid:2001364; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC Alternate Data Stream source view attempt"; uricontent:"|3A 3A 24|$DATA"; reference:url,support.microsoft.com/kb/q188806/; reference:cve,1999-0278; sid:2001365; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype:shellcode-detect; sid:2001363; rev:1;)

[///]     Modified active rules:     [///]

 -> Modified active in bleeding.rules (1):

        old: alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Brute Force Attack"; flow:to_server,established; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-dos; sid:2001219; rev:4;)
        new: alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Brute Force Attack"; flags:S; threshold:type threshold, track by_src, count 5, seconds 120; classtype:attempted-dos; sid:2001219; rev:5;)

[---]        Disabled rules:         [---]

 -> Disabled in bleeding-malware.rules (1):

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE IE Object Data vulnerability"; content:"document.body.innerHTML"; content:"object"; content:"data"; content:"show"; content:"document.body"; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; nocase; classtype:misc-attack; sid:2000517; rev:1;)

 -> Disabled in bleeding.rules (14):

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS STM source exposed with Alternate Data Stream"; content: ".stm\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000523; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASAX source exposed with Alternate Data Stream"; content: ".asax\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000533; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS HTW source exposed with Alternate Data Stream"; content: ".htw\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000527; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS SHTML source exposed with Alternate Data Stream"; content: ".shtml\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000525; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASA source exposed with Alternate Data Stream"; content: ".asa\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000522; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS IDQ source exposed with Alternate Data Stream"; content: ".idq\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000528; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASPX source exposed with Alternate Data Stream"; content: ".aspx\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000532; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS PHP source exposed with Alternate Data Stream"; content: ".php\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000531; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS CONFIG source exposed with Alternate Data Stream"; content: ".config\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000534; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS PL source exposed with Alternate Data Stream"; content: ".pl\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000530; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS IDC source exposed with Alternate Data Stream"; content: ".idc\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000526; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS IDA source exposed with Alternate Data Stream"; content: ".ida\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000529; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS SHTM source exposed with Alternate Data Stream"; content: ".shtm\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000524; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASP source exposed with Alternate Data Stream"; content: ".asp\:\:$DATA"; nocase; reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1; sid:2000521; rev:1;)

[+++]       Added non-rule lines:    [+++]

 -> Added to bleeding-sid-msg.map (7):

2001363 || BLEEDING-EDGE Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt || url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx
2001364 || BLEEDING-EDGE MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt || url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx
2001365 || BLEEDING-EDGE WEB-MISC Alternate Data Stream source view attempt || cve,1999-0278 || url,support.microsoft.com/kb/q188806/
2001366 || BLEEDING-EDGE Possible Microsoft SQL Server Remote Denial Of Service Attempt || bugtraq,11265
2001367 || BLEEDING-EDGE WORM RBOT inbound Bestfriends.scr
2001368 || BLEEDING-EDGE WORM RBOT infection Bestfriends.scr
2001369 || BLEEDING-EDGE MS04-032 Windows Metafile (.emf) Heap Overflow Exploit || url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php

 -> Added to bleeding-virus.rules (1):

#Submitted by Jason Alexander

 -> Added to bleeding.rules (2):

#Submitted by mjp to replace the above rules
#Submitted by Chris Norton and Woofz

[---]      Removed non-rule lines:   [---]

 -> Removed from bleeding-sid-msg.map (15):

2000517 || BLEEDING-EDGE IE Object Data vulnerability || url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm
2000521 || BLEEDING-EDGE WEB-IIS ASP source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
2000522 || BLEEDING-EDGE WEB-IIS ASA source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
2000523 || BLEEDING-EDGE WEB-IIS STM source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
2000524 || BLEEDING-EDGE WEB-IIS SHTM source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
2000525 || BLEEDING-EDGE WEB-IIS SHTML source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
2000526 || BLEEDING-EDGE WEB-IIS IDC source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
2000527 || BLEEDING-EDGE WEB-IIS HTW source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
2000528 || BLEEDING-EDGE WEB-IIS IDQ source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
2000529 || BLEEDING-EDGE WEB-IIS IDA source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
2000530 || BLEEDING-EDGE WEB-IIS PL source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
2000531 || BLEEDING-EDGE WEB-IIS PHP source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
2000532 || BLEEDING-EDGE WEB-IIS ASPX source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
2000533 || BLEEDING-EDGE WEB-IIS ASAX source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1
2000534 || BLEEDING-EDGE WEB-IIS CONFIG source exposed with Alternate Data Stream || url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1

[*] Added files: [*]
    None.
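Added example, not code from this update or from the Snort project: a small decoder for Snort 2.x content/uricontent pattern strings (the |..| hex blocks and the backslash escapes the disabled rules use for ':'), run over constructed HTTP request lines to compare the fourteen per-extension Alternate Data Stream rules disabled above with the single generic rule 2001365 that replaces them. It is a plain unanchored substring match with nocase; offset/depth/within and Snort's URI normalisation are not modelled. One point worth checking before deploying the replacement: `$` is an ordinary byte inside a quoted content string, so `|3A 3A 24|$DATA` decodes to `::$$DATA` and matches nothing, while `|3A 3A 24|DATA` decodes to the NTFS stream name `::$DATA`. The sample requests and file names are made up for the demonstration.

```python
"""Decode Snort 2.x content patterns and match them against sample requests.

Added example (not from the Bleedingsnort update or from Snort); the request
lines below are constructed for the demonstration.
"""
import re

# Characters Snort 2.x allows after a backslash inside a quoted content string.
_ESCAPABLE = {":", ";", '"', "\\", "|"}


def decode_content(pattern: str) -> bytes:
    """Return the bytes a Snort content:/uricontent: option searches for.

    |..| blocks hold hex bytes (spaces optional); a backslash escapes the next
    character; everything else is literal.  No variable expansion happens
    inside the quotes, so '$' is just the byte 0x24.
    """
    out = bytearray()
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|":
            end = pattern.find("|", i + 1)
            if end < 0:
                raise ValueError("unterminated hex block in %r" % pattern)
            digits = "".join(pattern[i + 1:end].split())
            if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", digits):
                raise ValueError("bad hex block in %r" % pattern)
            out += bytes.fromhex(digits)
            i = end + 1
        elif ch == "\\":
            if i + 1 >= len(pattern) or pattern[i + 1] not in _ESCAPABLE:
                raise ValueError("bad escape in %r" % pattern)
            out += pattern[i + 1].encode("latin-1")
            i += 2
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)


def content_match(pattern: str, data: bytes, nocase: bool = False) -> bool:
    """Unanchored substring test, as a bare content: option with no modifiers."""
    needle = decode_content(pattern)
    return needle.lower() in data.lower() if nocase else needle in data


# Content strings of the fourteen per-extension rules the update disables.
OLD_ADS_PATTERNS = [
    r".stm\:\:$DATA", r".asax\:\:$DATA", r".htw\:\:$DATA", r".shtml\:\:$DATA",
    r".asa\:\:$DATA", r".idq\:\:$DATA", r".aspx\:\:$DATA", r".php\:\:$DATA",
    r".config\:\:$DATA", r".pl\:\:$DATA", r".idc\:\:$DATA", r".ida\:\:$DATA",
    r".shtm\:\:$DATA", r".asp\:\:$DATA",
]
# The uricontent of rule 2001365 exactly as printed in the update (two '$'
# bytes once decoded), and the form that encodes the stream name "::$DATA".
NEW_ADS_PATTERN_AS_PRINTED = "|3A 3A 24|$DATA"
NEW_ADS_PATTERN = "|3A 3A 24|DATA"

# Constructed request lines: four use extensions the old rules cover, one
# uses an extension they do not, and one is a benign request.
SAMPLE_REQUESTS = [
    b"GET /default.asp::$DATA HTTP/1.0\r\n",
    b"GET /global.asa::$data HTTP/1.0\r\n",
    b"GET /web.config::$DATA HTTP/1.0\r\n",
    b"GET /index.php::$DATA HTTP/1.0\r\n",
    b"GET /report.cgi::$DATA HTTP/1.0\r\n",
    b"GET /default.asp HTTP/1.0\r\n",
]


def hits(patterns, requests=SAMPLE_REQUESTS, nocase=True):
    """Indexes of the requests matched by at least one pattern."""
    return [i for i, req in enumerate(requests)
            if any(content_match(p, req, nocase) for p in patterns)]


if __name__ == "__main__":
    print("old per-extension rules:", hits(OLD_ADS_PATTERNS))             # [0, 1, 2, 3]
    print("2001365 as printed:     ", hits([NEW_ADS_PATTERN_AS_PRINTED]))  # []
    print("2001365 with ::$DATA:   ", hits([NEW_ADS_PATTERN]))            # [0, 1, 2, 3, 4]
```

The third line of output is the case for the replacement: one generic pattern covers every extension the old list had plus the ones it lacked, but only once the decoded bytes are really `::$DATA`.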
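Added example, not code from this update or from Snort: a model of the per-source `threshold: type threshold, track by_src, count 5, seconds N` option on the modified rule 2001219, applied to constructed tcpdump-style SYN log lines so the effect of the change from 60 to 120 seconds can be seen on one burst of connections. The threshold semantics are a simplified reading of Snort's documented behaviour (the N-th event inside a window fires and clears it; an event arriving after the window has elapsed opens a new one), the rule is evaluated in its rev:5 form (header, `flags:S`, threshold), `$HOME_NET` is assumed to be 192.168.1.0/24, and every address and timestamp in the log is made up.

```python
"""Model Snort's by_src 'threshold' on sid 2001219 over constructed SYN logs.

Added example (not from the Bleedingsnort update or from Snort).  The
threshold logic is a simplified model of the documented semantics; the log
lines, addresses and $HOME_NET below are assumptions for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed $HOME_NET

# tcpdump-style line: time, src.port > dst.port, TCP flags (constructed format).
LOG_LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d(?:\.\d+)?) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Five SYNs from one source over 95 s, one SYN-ACK back, one SYN from a
# second source.  All constructed.
SAMPLE_LOG = """\
20:00:00.000000 IP 203.0.113.7.41000 > 192.168.1.20.22: Flags [S]
20:00:00.200000 IP 192.168.1.20.22 > 203.0.113.7.41000: Flags [S.]
20:00:20.000000 IP 203.0.113.7.41001 > 192.168.1.20.22: Flags [S]
20:00:45.000000 IP 203.0.113.7.41002 > 192.168.1.20.22: Flags [S]
20:00:50.000000 IP 198.51.100.9.50000 > 192.168.1.20.22: Flags [S]
20:01:10.000000 IP 203.0.113.7.41003 > 192.168.1.20.22: Flags [S]
20:01:35.000000 IP 203.0.113.7.41004 > 192.168.1.20.22: Flags [S]
"""


@dataclass
class _Window:
    tstart: float
    count: int = 0


class BySrcThreshold:
    """'threshold: type threshold, track by_src, count N, seconds S' (model).

    Per source address: an event S or more seconds after the window start
    opens a fresh window; the N-th event inside a window fires and clears it.
    """

    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self._windows: Dict[str, _Window] = {}

    def event(self, src: str, ts: float) -> bool:
        w = self._windows.get(src)
        if w is None or ts - w.tstart >= self.seconds:
            w = self._windows[src] = _Window(tstart=ts)
        w.count += 1
        if w.count >= self.count:
            del self._windows[src]
            return True
        return False


def _seconds(h: str, m: str, s: str) -> float:
    """Time of day in seconds; the sample log stays within one day."""
    return int(h) * 3600 + int(m) * 60 + float(s)


def run_ssh_rule(log: str, seconds: int, count: int = 5) -> List[Tuple[str, str]]:
    """Apply 'tcp any any -> $HOME_NET 22' with flags:S, then the threshold.

    Returns (timestamp, source) for every alert the rule would generate.
    """
    thr = BySrcThreshold(count, seconds)
    alerts = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        # flags:S means SYN alone; the SYN-ACK reply ([S.]) does not match.
        if m["dport"] != "22" or m["flags"] != "S":
            continue
        if ipaddress.ip_address(m["dst"]) not in HOME_NET:
            continue
        if thr.event(m["src"], _seconds(m["h"], m["m"], m["s"])):
            alerts.append((line.split()[0], m["src"]))
    return alerts


if __name__ == "__main__":
    print("rev 4, seconds 60: ", run_ssh_rule(SAMPLE_LOG, 60))   # []
    print("rev 5, seconds 120:", run_ssh_rule(SAMPLE_LOG, 120))  # [('20:01:35.000000', '203.0.113.7')]
```

With the 60-second window the fourth SYN at 20:01:10 arrives 70 s after the first and opens a new window, so the count never reaches five; with 120 seconds the same five SYNs fall inside one window and the fifth one fires. Connections are counted per source, so the single SYN from 198.51.100.9 never contributes to the 203.0.113.7 count.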