List: bleeding-sigs
Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes
From: bleeding@bleedingthreats.net
Date: 2006-11-27 20:00:03
Message-ID: 20061127200003.6A60B22C088@sb03.us.bleedingsnort.com
[***] Results from Oinkmaster started Mon Nov 27 20:00:03 2006 [***]
[+++] Added rules: [+++]
2003195 - BLEEDING-EDGE POLICY Unusual number of DNS No Such Name Responses (bleeding-policy.rules)
2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
[///] Modified active rules: [///]
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
[---] Removed rules: [---]
2001834 - BLEEDING-EDGE DNS lookup attempt to hostile, poisoning DNS server - ISC Diary (bleeding.rules)
2001835 - BLEEDING-EDGE Sites trying to infect PCs with malware - ISC Diary (bleeding.rules)
2001836 - BLEEDING-EDGE Web page trying to infect PCs with malware - ISC Diary (bleeding.rules)
2001837 - BLEEDING-EDGE Suspicious DNS server answer\: 218.38.13.108 (bleeding.rules)
2001838 - BLEEDING-EDGE Suspicious DNS server answer\: 217.16.26.148 (bleeding.rules)
2001839 - BLEEDING-EDGE Suspicious DNS server answer\: 205.162.201.11 (bleeding.rules)
2001840 - BLEEDING-EDGE Suspicious DNS server answer\: besthost.co.kr (bleeding.rules)
2001842 - BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 7sir7.com (bleeding.rules)
2001843 - BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 123xxl.com (bleeding.rules)
2001844 - BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain abx4.com (bleeding.rules)
2002670 - BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (tcp) (bleeding.rules)
2002672 - BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (udp) (bleeding.rules)
2002692 - BLEEDING-EDGE CURRENT EVENTS Bagle.Gen HTTP Get Traffic - Possible Infected Host (bleeding.rules)
2002712 - BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - people.freenet.de (bleeding.rules)
2002713 - BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - scifi.pages.at (bleeding.rules)
2002714 - BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - home.pages.at (bleeding.rules)
2002715 - BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - free.pages.at (bleeding.rules)
2002716 - BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - home.arcor.de (bleeding.rules)
2002813 - BLEEDING-EDGE CURRENT Mac OS/X MIME Header x-unix-mode Tag (bleeding.rules)
2003111 - BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.1 (bleeding.rules)
2003112 - BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.2 (bleeding.rules)
2003113 - BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.3 (bleeding.rules)
2003114 - BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.4 (bleeding.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 5
-> Added to bleeding-drop.rules (1):
# VERSION 5
-> Added to bleeding-policy.rules (1):
#Adapted from nextsoft.cz
-> Added to bleeding-sid-msg.map (6):
2003192 || BLEEDING-EDGE VOIP INVITE Message Flood
2003193 || BLEEDING-EDGE VOIP REGISTER Message Flood
2003194 || BLEEDING-EDGE VOIP Multiple Unathorized SIP Responses
2003195 || BLEEDING-EDGE POLICY Unusual number of DNS No Such Name Responses
2410009 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org
2411009 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org
[---] Removed non-rule lines: [---]
-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 1
-> Removed from bleeding-drop.rules (1):
# VERSION 1
-> Removed from bleeding-sid-msg.map (23):
2001834 || BLEEDING-EDGE DNS lookup attempt to hostile, poisoning DNS server - ISC Diary || url,isc.sans.org/diary.php?date=2005-03-31 || url,isc.sans.org/diary.php?date=2005-03-30
2001835 || BLEEDING-EDGE Sites trying to infect PCs with malware - ISC Diary || url,isc.sans.org/diary.php?date=2005-03-30
2001836 || BLEEDING-EDGE Web page trying to infect PCs with malware - ISC Diary || url,isc.sans.org/diary.php?date=2005-03-30
2001837 || BLEEDING-EDGE Suspicious DNS server answer\: 218.38.13.108
2001838 || BLEEDING-EDGE Suspicious DNS server answer\: 217.16.26.148
2001839 || BLEEDING-EDGE Suspicious DNS server answer\: 205.162.201.11
2001840 || BLEEDING-EDGE Suspicious DNS server answer\: besthost.co.kr
2001842 || BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 7sir7.com || url,isc.sans.org/diary.php?date=2005-04-07
2001843 || BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 123xxl.com || url,isc.sans.org/diary.php?date=2005-04-07
2001844 || BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain abx4.com || url,isc.sans.org/diary.php?date=2005-04-07
2002670 || BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (tcp) || url,isc.sans.org/diary.php?storyid=819
2002672 || BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (udp) || url,isc.sans.org/diary.php?storyid=819
2002692 || BLEEDING-EDGE CURRENT EVENTS Bagle.Gen HTTP Get Traffic - Possible Infected Host
2002712 || BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - people.freenet.de || url,www.lurhq.com/soberdates.html || url,www.f-secure.com/weblog/archives/archive-122005.html#00000729
2002713 || BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - scifi.pages.at || url,www.lurhq.com/soberdates.html || url,www.f-secure.com/weblog/archives/archive-122005.html#00000729
2002714 || BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - home.pages.at || url,www.lurhq.com/soberdates.html || url,www.f-secure.com/weblog/archives/archive-122005.html#00000729
2002715 || BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - free.pages.at || url,www.lurhq.com/soberdates.html || url,www.f-secure.com/weblog/archives/archive-122005.html#00000729
2002716 || BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - home.arcor.de || url,www.lurhq.com/soberdates.html || url,www.f-secure.com/weblog/archives/archive-122005.html#00000729
2002813 || BLEEDING-EDGE CURRENT Mac OS/X MIME Header x-unix-mode Tag || url,isc.sans.org/diary.php?storyid=1138
2003111 || BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.1 || url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738
2003112 || BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.2 || url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738
2003113 || BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.3 || url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738
2003114 || BLEEDING-EDGE CURRENT Lookup for Trojan.Proxy.PPAgent.A - v.4 || url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738
-> Removed from bleeding.rules (13):
# Added 2006-02-21 after pondering about the current OS/X issue
#by jnorcross
#This will false some, but should be minimal. This should be removed in a month or so. Reevaluate on 1/1/07
#Turning off by default. is does false a lot, and the threat is mostly gone. Will remove completely soon.
# The rules below were written in response to an ISC Diary that listed known
# evil, poisoning name servers .
# Added by Frank Knobbe
# Submitted by Stephane Nasdrovisky
#Matt Jonkman, related to dns poisoning
#from dajackman re incidents.org entry
# Added by Frank Knobbe in preparation for Sober activity
# Trojan.Proxy.PPAgent.A ruleset from Russ McRee
# These for dns are temporary, the domains will surely change soon. To be removed in a few days.
[+] Added files (consider updating your snort.conf to include them if needed): [+]
-> bleeding-voip.rules
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs