Bleedingsnort.com Daily Update: msg#00186, security.ids.snort.sigs
[***] Results from Oinkmaster started Wed Oct 27 20:00:02 2004 [***]

[+++] Added rules: [+++]

 -> Added to bleeding.rules (1):

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Possible ShixxNote buffer-overflow + remote shell attempt"; flow:established,to_server; content:"|68 61 63 6b 75|"; offset:126; depth:5; content:"|68 61 63 6b 90 61 61 61 61|"; offset:519; depth:9; reference:url,aluigi.altervista.org/adv/shixxbof-adv.txt; classtype:shellcode-detect; sid:2001385; rev:1;)

[///] Modified active rules: [///]

 -> Modified active in bleeding-virus.rules (1):

old: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS OUTBOUND Suspicious Email Attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(ps|cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2000562; rev:6;)
new: alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE VIRUS OUTBOUND Suspicious Email Attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2000562; rev:7;)

[---] Disabled rules: [---]

 -> Disabled in bleeding-virus.rules (1):

#alert tcp $HOME_NET 1024:65535 -> any 1034 (msg:"BLEEDING-EDGE Worm Zincite Probing port 1034"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html; flow:to_server; sid:2001011; threshold: type threshold, track by_src, count 30,seconds 60; rev:4;)

[+++] Added non-rule lines: [+++]

 -> Added to bleeding-sid-msg.map (1):

2001385 || BLEEDING-EDGE Possible ShixxNote buffer-overflow + remote shell attempt || url,aluigi.altervista.org/adv/shixxbof-adv.txt

 -> Added to bleeding-virus.rules (2):

# isp, js, jse, lnk, mda, mdb, mde, mdw, mdz, mht, mhtm, msi, msc, msg, msp, mst, nws, ocx, pcd, pif, pl, pls, plc,plx, pm, pot, rar,
#Too many falses, needs improvement

 -> Added to bleeding.rules (1):

#Submitted by Cooljay ref: http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=139

[---] Removed non-rule lines: [---]

 -> Removed from bleeding-virus.rules (1):

# isp, js, jse, lnk, mda, mdb, mde, mdw, mdz, mht, mhtm, msi, msc, msg, msp, mst, nws, ocx, pcd, pif, pl, pls, plc,plx, pm, pot, pps, rar,

[*] Added files: [*]
    None.
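As an added example (not part of the Oinkmaster output above and not Bleeding Snort or Snort code), the following Python script applies the attachment-name PCRE from SID 2000562 to a few constructed MIME header lines, so the effect of the rev 6 to rev 7 change (the `pps` extension dropped from the `p(...)` group) can be checked locally before the updated rule goes live. Snort's `R` (relative) modifier and the `nocase` content match have no direct Python equivalent; they are emulated by locating `Content-Disposition:` case-insensitively and searching only the text after it. The sample headers are constructed, not captured traffic.

```python
import re

# Pattern body copied from the rule's pcre option. Prefix and suffix are the
# same in both revisions; only the "p(...)" alternation differs.
_PREFIX = (
    r"filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])"
    r"(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)"
    r"|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|"
)
_SUFFIX = (
    r"|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])"
    r"|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)"
    r"[\x27\x22\n\r\s]"
)
# The rule's /i modifier maps to re.IGNORECASE.
REV6 = re.compile(_PREFIX + r"p(ps|cd|if|l[xsc]|[lm]|ot)" + _SUFFIX, re.IGNORECASE)
REV7 = re.compile(_PREFIX + r"p(cd|if|l[xsc]|[lm]|ot)" + _SUFFIX, re.IGNORECASE)


def triggers(rule, headers):
    """True if a MIME header block would fire the given revision of SID 2000562."""
    # First content match of the rule: "Content-Disposition:" with nocase.
    anchor = re.search(r"Content-Disposition:", headers, re.IGNORECASE)
    if anchor is None:
        return False
    # The pcre carries the R modifier, so it is evaluated relative to that match:
    # only the text after the anchor is searched.
    return rule.search(headers[anchor.end():]) is not None


def compare_revisions(headers):
    """Return (rev6_fires, rev7_fires) for one header block."""
    return triggers(REV6, headers), triggers(REV7, headers)


# Constructed sample headers (hypothetical, not real mail traffic).
SAMPLES = {
    "pif": 'Content-Disposition: attachment; filename="invoice.pif"\r\n',
    "pps": 'Content-Disposition: attachment; filename="slides.pps"\r\n',
    "txt": 'Content-Disposition: attachment; filename="notes.txt"\r\n',
    # Unquoted name with a double extension: the lazy .*? backtracks to the last dot.
    "double_ext": "Content-Disposition: attachment; filename=photo.jpg.exe\r\n",
    # Extension must be followed by a quote, CR/LF or whitespace, so "zipx" misses.
    "zipx": 'Content-Disposition: attachment; filename="archive.zipx"\r\n',
    # Mixed case exercises nocase on the content match and /i on the pcre.
    "upper_scr": 'CONTENT-DISPOSITION: attachment; filename="Report.SCR"\r\n',
    # No Content-Disposition header at all: the content match never fires.
    "no_header": "Content-Type: application/octet-stream\r\n",
}


def evaluate_samples():
    """Map each sample name to its (rev6, rev7) verdict."""
    return {name: compare_revisions(hdr) for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, (r6, r7) in evaluate_samples().items():
        print(f"{name:12s} rev6={r6} rev7={r7}")
```

Only the `.pps` sample changes verdict between the two revisions, which is what the accompanying comment change (removing `pps` from the extension list) is meant to achieve; the other samples show that the delimiter class at the end of the pattern and the lazy `.*?` still behave as before.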