From aewhale at ABS-CompTech.com Tue May 1 14:46:38 2007
From: aewhale at ABS-CompTech.com (Albert E. Whale)
Date: Tue May 1 14:53:34 2007
Subject: [Bleeding-sigs] BlackHole DNS Setting .... resolved.
Message-ID: <463752CE.3020308@ABS-CompTech.com>

OK, I found the correct configuration setting. The following setting must be made in the /etc/named.conf to permit the use of the BlackHole DNS on the network.

auth-nxdomain no;

Please add this information to the BlackHole DNS pages.

Best Regards,

--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
-------------------------------------------------------------------
ABS Computer Technology, Inc. - www.ABS-CompTech.com
SPAM Zapper - No-JunkMail.com - Spam-Zapper.com - SPAM Stops Here.

From bleeding at bleedingthreats.net Tue May 1 20:00:05 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Tue May 1 20:00:07 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070501200005.86F4322C0BF@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Tue May 1 16:00:05 2007 [***]

[+++] Added rules: [+++]
2003624 - BLEEDING-EDGE MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0) (bleeding-malware.rules)
2003630 - BLEEDING-EDGE MALWARE Baidu.com Spyware Sobar Bar Activity (bleeding-malware.rules)
2003631 - BLEEDING-EDGE POLICY Centralops.net Probe (bleeding-policy.rules)

[///] Modified active rules: [///]
2003619 - BLEEDING-EDGE MALWARE Alexa Spyware Redirecting User (bleeding-malware.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound
(bleeding-drop.rules) 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 
6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Removed rules: [---]
2003624 - BLEEDING-EDGE POLICY Centralops.net Probe (bleeding-policy.rules)
2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]
-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 170
-> Added to bleeding-drop.rules (1):
# VERSION 170
-> Added to bleeding-sid-msg.map (4):
2003619 || BLEEDING-EDGE MALWARE Alexa Spyware Redirecting User
2003624 || BLEEDING-EDGE MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0)
2003630 || BLEEDING-EDGE MALWARE Baidu.com Spyware Sobar Bar Activity || url,www.pctools.com/mrc/infections/id/BaiDu/
2003631 || BLEEDING-EDGE POLICY Centralops.net Probe || url,centralops.net

[---] Removed non-rule lines: [---]
-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 169
-> Removed from bleeding-drop.rules (1):
# VERSION 169
-> Removed from bleeding-sid-msg.map (4):
2003619 || BLEEDING-EDGE MALWARE Baidu.com Spyware Sobar Bar Activity || url,www.pctools.com/mrc/infections/id/BaiDu/
2003624 || BLEEDING-EDGE POLICY Centralops.net Probe || url,centralops.net
2404007 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org
2405007 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org

From jonkman at bleedingthreats.net Wed May 2 02:24:37 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Wed May 2 02:25:19 2007
Subject: [Bleeding-sigs] Scans with window of 55808
Message-ID: <4637F665.1090007@bleedingthreats.net>

Per the isc entry here: http://isc.sans.org/diary.html?n&storyid=2717

alert tcp any any -> any any (msg:"BLEEDING-EDGE CURRENT EVENTS Traffic with a window of 55808 - Unknown likely hostile scanning - Please report hits to Bleeding Edge or ISC"; window:55808; classtype:attempted-recon; reference:url,isc.sans.org/diary.html?n&storyid=2717; reference:url,www.cert.org/current/archive/2003/06/25/archive.html; sid:2003633; rev:1;)

I didn't put a port in there, even though the isc entry notes vnc traffic specifically. I suspect that this may be a lead to more general scan activity. Time will tell.

Load should be minor even though it looks like a bad rule. No matching, just header filtering.

Please report any hits here, to bleeding@bleedingthreats.net, or to ISC.

Please quickly let me know if this hits frequently and needs a threshold.

matt

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From jonkman at bleedingthreats.net Wed May 2 12:19:29 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Wed May 2 12:20:17 2007
Subject: [Bleeding-sigs] Scans with window of 55808
In-Reply-To: <4637F665.1090007@bleedingthreats.net>
References: <4637F665.1090007@bleedingthreats.net>
Message-ID: <463881D1.7040509@bleedingthreats.net>

As noted, this is related to snort gpl rule 2018 to some degree, but 2018 is in the deleted ruleset and marked as related to the typot trojan.

Could be similar, but we'll have to see.

matt

Matt Jonkman wrote:
> Per the isc entry here: http://isc.sans.org/diary.html?n&storyid=2717
>
> alert tcp any any -> any any (msg:"BLEEDING-EDGE CURRENT EVENTS Traffic
> with a window of 55808 - Unknown likely hostile scanning - Please report
> hits to Bleeding Edge or ISC"; window:55808; classtype:attempted-recon;
> reference:url,isc.sans.org/diary.html?n&storyid=2717;
> reference:url,www.cert.org/current/archive/2003/06/25/archive.html;
> sid:2003633; rev:1;)
>
> I didn't put a port in there, even though the isc entry notes vnc
> traffic specifically.
I suspect that this may be a lead to more general > scan activity. Time will tell. > > Load should be minor even though it looks like a bad rule. No matching, > just header filtering. > > Please report any hits here, to bleeding@bleedingthreats.net, or to ISC. > > Please quickly let me know if this hits frequently and needs a threshold. > > matt > > -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc From jonkman at bleedingthreats.net Wed May 2 13:37:43 2007 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Wed May 2 13:38:31 2007 Subject: [Bleeding-sigs] Scans with window of 55808 In-Reply-To: <463881D1.7040509@bleedingthreats.net> References: <4637F665.1090007@bleedingthreats.net> <463881D1.7040509@bleedingthreats.net> Message-ID: <46389427.3050803@bleedingthreats.net> Sorry, supposed to be 2182. Not 2018. Matt Matt Jonkman wrote: > As noted, this is related to snort gpl rule 2018 to some degree, but > 2018 is in the deleted ruleset and marked as related to the typot trojan. > > Could be similar, but we'll have to see. > > matt > > Matt Jonkman wrote: >> Per the isc entry here: http://isc.sans.org/diary.html?n&storyid=2717 >> >> alert tcp any any -> any any (msg:"BLEEDING-EDGE CURRENT EVENTS Traffic >> with a window of 55808 - Unknown likely hostile scanning - Please report >> hits to Bleeding Edge or ISC"; window:55808; classtype:attempted-recon; >> reference:url,isc.sans.org/diary.html?n&storyid=2717; >> reference:url,www.cert.org/current/archive/2003/06/25/archive.html; >> sid:2003633; rev:1;) >> >> I didn't put a port in there, even though the isc entry notes vnc >> traffic specifically. I suspect that this may be a lead to more general >> scan activity. Time will tell. >> >> Load should be minor even though it looks like a bad rule. No matching, >> just header filtering. 
>> >> Please report any hits here, to bleeding@bleedingthreats.net, or to ISC. >> >> Please quickly let me know if this hits frequently and needs a threshold. >> >> matt >> >> > -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc From bleeding at bleedingthreats.net Wed May 2 20:00:06 2007 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Wed May 2 20:00:13 2007 Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes Message-ID: <20070502200006.E1AC022C0C7@sb03.us.bleedingsnort.com> [***] Results from Oinkmaster started Wed May 2 16:00:06 2007 [***] [+++] Added rules: [+++] 2003632 - BLEEDING-EDGE CURRENT EVENTS Zlob User Agent - updating (internetsecurity) (bleeding-virus.rules) 2003633 - BLEEDING-EDGE CURRENT EVENTS Traffic with a window of 55808 - Unknown likely hostile scanning - Please report hits to Bleeding Edge or ISC (bleeding.rules) 2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules) 2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [///] Modified active rules: [///] 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401002 - BLEEDING-EDGE DROP 
Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-drop-BLOCK.rules (1): # VERSION 171 -> Added to 
bleeding-drop.rules (1): # VERSION 171 -> Added to bleeding-sid-msg.map (4): 2003632 || BLEEDING-EDGE CURRENT EVENTS Zlob User Agent - updating (internetsecurity) || url,secubox.aldria.com/topic-post1618.html#post1618 2003633 || BLEEDING-EDGE CURRENT EVENTS Traffic with a window of 55808 - Unknown likely hostile scanning - Please report hits to Bleeding Edge or ISC || url,www.cert.org/current/archive/2003/06/25/archive.html || url,isc.sans.org/diary.html?n&storyid=2717 2404007 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org 2405007 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org -> Added to bleeding-virus.rules (1): #by axn jxn -> Added to bleeding.rules (2): #by Matt Jonkman #From ISC post here: isc.sans.org/diary.html?n&storyid=2717 [---] Removed non-rule lines: [---] -> Removed from bleeding-drop-BLOCK.rules (1): # VERSION 170 -> Removed from bleeding-drop.rules (1): # VERSION 170 From jonkman at bleedingthreats.net Thu May 3 13:39:16 2007 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Thu May 3 13:39:57 2007 Subject: [Bleeding-sigs] 2003633: Window 55808 rule Message-ID: <4639E604.80205@bleedingthreats.net> Anyone seeing hits that are legitimate? Any falses? 
Matt

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From dennisdistler at mycingular.blackberry.net Thu May 3 13:52:53 2007
From: dennisdistler at mycingular.blackberry.net (dennisdistler@mycingular.blackberry.net)
Date: Thu May 3 14:09:41 2007
Subject: [Bleeding-sigs] 2003633: Window 55808 rule
In-Reply-To: <4639E604.80205@bleedingthreats.net>
References: <4639E604.80205@bleedingthreats.net>
Message-ID: <820446961-1178200347-cardhu_blackberry.rim.net-2146252932-@bxe020-cell02.bisx.prod.on.blackberry>

Matt,

We have some hits on them and I will be sending you the pcaps on them soon.

Thanks,
Dennis

Sent via BlackBerry from Cingular Wireless

-----Original Message-----
From: Matt Jonkman
Date: Thu, 03 May 2007 09:39:16
To: Bleeding Sigs
Subject: [Bleeding-sigs] 2003633: Window 55808 rule

Anyone seeing hits that are legitimate?

Any falses?

Matt

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

From jeff-kell at utc.edu Thu May 3 14:17:48 2007
From: jeff-kell at utc.edu (Jeff Kell)
Date: Thu May 3 14:18:26 2007
Subject: [Bleeding-sigs] 2003633: Window 55808 rule
In-Reply-To: <4639E604.80205@bleedingthreats.net>
References: <4639E604.80205@bleedingthreats.net>
Message-ID: <4639EF0C.4020809@utc.edu>

Matt Jonkman wrote:
> Anyone seeing hits that are legitimate?
>
> Any falses?

Showing up in SMTP streams, AOL streaming media, etc. Nothing that looks legitimately like a scan (i.e., I would expect a scan to fire multiple times for a given source IP, this isn't the case).

Jeff

From jonkman at bleedingthreats.net Thu May 3 14:29:08 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu May 3 14:29:49 2007
Subject: [Bleeding-sigs] 2003633: Window 55808 rule
In-Reply-To: <4639EF0C.4020809@utc.edu>
References: <4639E604.80205@bleedingthreats.net> <4639EF0C.4020809@utc.edu>
Message-ID: <4639F1B4.5080400@bleedingthreats.net>

I think I'll narrow it down to syn packets then and we can see how that goes.

Updating momentarily

Matt

Jeff Kell wrote:
> Matt Jonkman wrote:
>> Anyone seeing hits that are legitimate?
>>
>> Any falses?
>
> Showing up in SMTP streams, AOL streaming media, etc. Nothing that looks legitimately like a scan (i.e., I would expect a scan to fire multiple times for a given source IP, this isn't the case).
>
> Jeff
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From ddistler at afferentsecurity.com Thu May 3 14:36:04 2007
From: ddistler at afferentsecurity.com (Dennis Distler)
Date: Thu May 3 14:43:42 2007
Subject: [Bleeding-sigs] 2003633: Window 55808 rule
In-Reply-To: <4639F1B4.5080400@bleedingthreats.net>
Message-ID: <200705031435.l43EZZbQ021354@Affmail.afferentsecurity.com>

Hey Matt,

Here is my packet capture:

tcpdump -X -s 1518 -r snort.tcpd.1178094040 tcp[14:2]=55808
reading from file snort.tcpd.1178094040, link-type EN10MB (Ethernet)
11:22:48.551401 IP 10.10.10.28.2062 > 10.10.10.6.20001: . ack 2164619564 win 55808
        0x0000:  4500 0028 b386 4000 8006 1f14 0a0a 0a1c  E..(..@.........
        0x0010:  0a0a 0a06 080e 4e21 b453 3066 8105 792c  ......N!.S0f..y,
        0x0020:  5010 da00 7883 0000 bdc6 c6bd 1c00       P...x.........

I only got one packet on the sensor that fired and it was an ACK.

HTH,
Dennis

Dennis Distler
Security Consultant
@fferent Security Labs, L.L.C.
16011 College Blvd. Suite 203
Lenexa, KS 66219
Phone: 913.685.6581
Cell: 913.568.6016
Email: dennis.distler@afferentsecurity.com
www.afferentsecurity.com

-----Original Message-----
From: bleeding-sigs-bounces@bleedingthreats.net [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf Of Matt Jonkman
Sent: Thursday, May 03, 2007 9:29 AM
To: Bleeding Sigs
Subject: Re: [Bleeding-sigs] 2003633: Window 55808 rule

I think I'll narrow it down to syn packets then and we can see how that goes.

Updating momentarily

Matt

Jeff Kell wrote:
> Matt Jonkman wrote:
>> Anyone seeing hits that are legitimate?
>>
>> Any falses?
>
> Showing up in SMTP streams, AOL streaming media, etc. Nothing that looks legitimately like a scan (i.e., I would expect a scan to fire multiple times for a given source IP, this isn't the case).
> > Jeff > > _______________________________________________ > Bleeding-sigs mailing list > Bleeding-sigs@bleedingthreats.net > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc _______________________________________________ Bleeding-sigs mailing list Bleeding-sigs@bleedingthreats.net http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs From jonkman at bleedingthreats.net Thu May 3 14:49:01 2007 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Thu May 3 14:53:07 2007 Subject: [Bleeding-sigs] 2003633: Window 55808 rule In-Reply-To: <200705031435.l43EZZbQ021354@Affmail.afferentsecurity.com> References: <200705031435.l43EZZbQ021354@Affmail.afferentsecurity.com> Message-ID: <4639F65D.10302@bleedingthreats.net> Thanks Dennis. No, that's not what I was hoping to catch. Try the new version of the sig, see if you get anything there please. Thanks! Matt Dennis Distler wrote: > Hey Matt, > > Here is my packet capture: > > tcpdump -X -s 1518 -r snort.tcpd.1178094040 tcp[14:2]=55808 > reading from file snort.tcpd.1178094040, link-type EN10MB (Ethernet) > 11:22:48.551401 IP 10.10.10.28.2062 > 10.10.10.6.20001: . ack 2164619564 win > 55808 > 0x0000: 4500 0028 b386 4000 8006 1f14 0a0a 0a1c E..(..@......... > 0x0010: 0a0a 0a06 080e 4e21 b453 3066 8105 792c ......N!.S0f..y, > 0x0020: 5010 da00 7883 0000 bdc6 c6bd 1c00 P...x......... > > I only got one packet on the sensor that fired and it was an ACK. > > HTH, > Dennis > > Dennis Distler > Security Consultant > @fferent Security Labs, L.L.C. > 16011 College Blvd. 
Suite 203 > Lenexa, KS 66219 > Phone: 913.685.6581 > Cell: 913.568.6016 > Email: dennis.distler@afferentsecurity.com > www.afferentsecurity.com > -----Original Message----- > From: bleeding-sigs-bounces@bleedingthreats.net > [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf Of Matt Jonkman > Sent: Thursday, May 03, 2007 9:29 AM > To: Bleeding Sigs > Subject: Re: [Bleeding-sigs] 2003633: Window 55808 rule > > I think I;ll narrow it down to syn packets then and we can see how that > goes. > > Updating momentarily > > Matt > > Jeff Kell wrote: >> Matt Jonkman wrote: >>> Anyone seeing hits that are legitimate? >>> >>> Any falses? >> Showing up in SMTP streams, AOL streaming media, etc. Nothing that looks > legitimately like a scan (i.e., I would expect a scan to fire multiple times > for a given source IP, this isn't the case). >> Jeff >> >> _______________________________________________ >> Bleeding-sigs mailing list >> Bleeding-sigs@bleedingthreats.net >> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs > -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc From bamm.visscher at gmail.com Thu May 3 14:52:26 2007 From: bamm.visscher at gmail.com (Bamm Visscher) Date: Thu May 3 14:53:24 2007 Subject: [Bleeding-sigs] 2003633: Window 55808 rule In-Reply-To: <4639EF0C.4020809@utc.edu> References: <4639E604.80205@bleedingthreats.net> <4639EF0C.4020809@utc.edu> Message-ID: <27492850705030752o75b4ddfcq9b0d403974143bc4@mail.gmail.com> I am seeing plenty of benign hits on data streams, but I am also seeing a number of hits on incoming syn packets. Some to known ports, some to high ports. I really haven't seen anything that I would classify as "useful". Bammkkkk On 5/3/07, Jeff Kell wrote: > Matt Jonkman wrote: > > Anyone seeing hits that are legitimate? > > > > Any falses? 
> > Showing up in SMTP streams, AOL streaming media, etc. Nothing that looks legitimately like a scan (i.e., I would expect a scan to fire multiple times for a given source IP, this isn't the case). > > Jeff > > _______________________________________________ > Bleeding-sigs mailing list > Bleeding-sigs@bleedingthreats.net > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs > -- sguil - The Analyst Console for NSM http://sguil.sf.net From bleeding at bleedingthreats.net Thu May 3 20:00:06 2007 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Thu May 3 20:00:09 2007 Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes Message-ID: <20070503200006.06D3722C0C5@sb03.us.bleedingsnort.com> [***] Results from Oinkmaster started Thu May 3 16:00:06 2007 [***] [+++] Added rules: [+++] 2003634 - BLEEDING-EDGE WEB Suspicious User-Agent - get-minimal - Possible Vuln Scan (bleeding-web.rules) 2003635 - BLEEDING-EDGE TROJAN Generic Password Stealer User Agent Detected (bleeding-virus.rules) 2003636 - BLEEDING-EDGE Sality Virus User Agent Detected (KUKU v3.09) (bleeding-virus.rules) 2003637 - BLEEDING-EDGE TROJAN Inject.BV Trojan User Agent Detected (faserx) (bleeding-virus.rules) 2003639 - BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (ProxyDown) (bleeding-malware.rules) 2003640 - BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel) (bleeding-malware.rules) 2003641 - BLEEDING-EDGE TROJAN Downloader.Small User Agent Detected (NetScafe) (bleeding-virus.rules) 2003642 - BLEEDING-EDGE TROJAN Downloader.Affill User Agent Detected (lol) (bleeding-virus.rules) [///] Modified active rules: [///] 2003633 - BLEEDING-EDGE CURRENT EVENTS Traffic with a window of 55808 - Unknown likely hostile scanning - Please report hits to Bleeding Edge or ISC (bleeding.rules) 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400001 - BLEEDING-EDGE DROP Spamhaus DROP 
Listed Traffic Inbound (bleeding-drop.rules) 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules) 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [---] Disabled rules: [---] 2001915 - BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Request-TCP) (bleeding-exploit.rules) 2001916 - BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Response-TCP) (bleeding-exploit.rules) 2001917 - BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Request-UDP) (bleeding-exploit.rules) 2001918 - BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Response-UDP) (bleeding-exploit.rules) [---] Removed rules: [---] 2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules) 2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-drop-BLOCK.rules (1): # VERSION 172 -> Added to bleeding-drop.rules (1): # VERSION 172 -> Added to bleeding-malware.rules (1): #from castlecops research -> Added to bleeding-sid-msg.map (8): 2003634 || BLEEDING-EDGE WEB Suspicious User-Agent - get-minimal - Possible Vuln Scan 2003635 || BLEEDING-EDGE TROJAN Generic Password Stealer User Agent Detected 2003636 || BLEEDING-EDGE Sality Virus User Agent Detected (KUKU v3.09) 2003637 || BLEEDING-EDGE TROJAN Inject.BV Trojan User Agent Detected (faserx) 2003639 || BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (ProxyDown) 2003640 || BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel) 2003641 || BLEEDING-EDGE TROJAN Downloader.Small User Agent Detected (NetScafe) 2003642 || BLEEDING-EDGE TROJAN Downloader.Affill User Agent 
Detected (lol)
-> Added to bleeding-virus.rules (4):
#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
-> Added to bleeding-web.rules (2):
#Seen being used for vuln scanning.
# The original script it's modified from is legitimate, so there may be some falses

[---] Removed non-rule lines: [---]
-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 171
-> Removed from bleeding-drop.rules (1):
# VERSION 171
-> Removed from bleeding-sid-msg.map (2):
2404007 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org
2405007 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org

From r.fulton at auckland.ac.nz Fri May 4 00:01:21 2007
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Fri May 4 00:20:18 2007
Subject: [Bleeding-sigs] FP for BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) SID: 2003584
Message-ID: <463A77D1.4000806@auckland.ac.nz>

An HTML attachment was scrubbed...
URL: http://lists.bleedingthreats.net/pipermail/bleeding-sigs/attachments/20070504/23e9f219/attachment.html

From jonkman at bleedingthreats.net Fri May 4 00:47:06 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Fri May 4 00:47:52 2007
Subject: [Bleeding-sigs] FP for BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) SID: 2003584
In-Reply-To: <463A77D1.4000806@auckland.ac.nz>
References: <463A77D1.4000806@auckland.ac.nz>
Message-ID: <463A828A.1080604@bleedingthreats.net>

That's a problem...

That sig may be too general. Anyone object to disabling it by default?

matt

Russell Fulton wrote:
> All our mail servers are triggering this whenever they get updates from
> kaspersky....
>
> META
> SID  CID      TimeStamp            Signature                                              Sig ID
> 4    1313120  2007-05-03 12:00:10  BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater)  2003584
>
> Sensor Hostname            Sensor Interface
> dmzi.insec.auckland.ac.nz  Inside dmz
>
> IP
> Source Address  Dest Address  Ver  Hdr Len  TOS  length  ID     flags  offset  TTL  chksum
> 130.216.10.121  85.12.1.95    4    5        0    246     28652  2      0       59   60249
>
> Resolved Source         Resolved Dest
> moe.its.auckland.ac.nz  Could Not Resolve
>
> TCP
> Source Port  Dest Port  Seq         Ack         Offset  Reserved  Flags  Window  Checksum  Urgent Ptr
> 38886        80         3334683079  2801231379  8       0         24     1460    5761      0
>
> Options
> None
>
> Flags
> RB 1  RB 0  URG  ACK  PSH  RST  SYN  FIN
>                   X    X
>
> DATA
> GET /index/master.xml HTTP/1.0..Host: dnl-eu7.kaspersky-labs.com..Pragma: no-cache..Cache-Control: no-cache..Connection: keep-alive..User-Agent: Updater_5.0.1.64-1135_5.5.0-1010-1019-3949725....
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From thierry.chich at ac-clermont.fr Fri May 4 06:48:51 2007
From: thierry.chich at ac-clermont.fr (Thierry CHICH)
Date: Fri May 4 07:18:10 2007
Subject: [Bleeding-sigs] FP for BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) SID: 2003584
In-Reply-To: <463A828A.1080604@bleedingthreats.net>
References: <463A77D1.4000806@auckland.ac.nz> <463A828A.1080604@bleedingthreats.net>
Message-ID: <200705040848.51686.thierry.chich@ac-clermont.fr>

On Friday 4 May 2007 02:47, Matt Jonkman wrote:
> That's a problem...
>
> That sig may be too general. Anyone object to disabling it by default?
>
> matt

I also had a lot of alerts with web traffic. For instance:

199.181.133.142:80 -> 10.103.146.246:39920 [AP]
HTTP/1.0 200 OK..Server: "IIS/1.0 (mopnix)"..Date: Thu, 03 May 2007 14:13:25 GMT..Content-length: 1100029..Content-type: audio/x-mpeg..Etag: "4549277-93-10c8fd-45dd6737"..Last-modified: Thu, 22 Feb 2007 09:49:43 GMT..Accept-ranges: bytes..Connection: Keep-Alive..Via: 1.1 dolirl02 (Juniper Networks Application Acceleration Platform - DX 5.1.4 0)..
From pepperjack at afferentsecurity.com Fri May 4 16:07:26 2007
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Fri May 4 16:13:52 2007
Subject: [Bleeding-sigs] FP for BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) SID: 2003584
In-Reply-To: <463A828A.1080604@bleedingthreats.net>
References: <463A77D1.4000806@auckland.ac.nz> <463A828A.1080604@bleedingthreats.net>
Message-ID: <20070504110726.diq9gstrcbo0wg04@mail.afferentsecurity.com>

Quoting Matt Jonkman:
> That's a problem...
>
> That sig may be too general. Anyone object to disabling it by default?
>

We disable that one already.

Another candidate for disabling is 2003337: the user-agent string identifies itself as "Autoupdate". The Autoupdate user-agent is used by Norton anti-virus. Unfortunately, this user agent is also used to communicate with other "non-update" sites like gator and wave.com (via their affiliate relationships with nai). We were catching bunches of these to other norton and gator affiliate companies, so we had to disable 2003337.

Other candidates are 2001858 (hotbar) and 2003463 (toolbar) when you have a Dell shop. Dell support uses these user agents for their built-in support software through their affiliate program with the [alleged] Hotbar spyware company and My Way Search affiliates. If you run Dell, you run spyware.
jp

----------------------------------------------------------------
Afferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From bleeding at bleedingthreats.net Fri May 4 20:00:06 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri May 4 20:00:08 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070504200006.C9F4422C0C5@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Fri May 4 16:00:06 2007 [***]

[///] Modified active rules: [///]

2003587 - BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack (bleeding.rules)
2003592 - BLEEDING-EDGE CURRENT EVENTS Vulnerable DNS RPC Bind (bleeding.rules)
2003593 - BLEEDING-EDGE CURRENT EVENTS DNS RPC Exploit (specific to Metasploit Module) (bleeding.rules)
2003594 - BLEEDING-EDGE CURRENT EVENTS DNS RPC Exploit big endian (specific to Metasploit Module) (bleeding.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block
Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [---] Disabled rules: [---] 2003584 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) (bleeding-malware.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-drop-BLOCK.rules (1): # VERSION 173 -> Added to bleeding-drop.rules (1): # VERSION 173 [---] Removed non-rule lines: [---] -> Removed from bleeding-drop-BLOCK.rules (1): # VERSION 172 -> Removed from bleeding-drop.rules (1): # VERSION 172 From bleeding at bleedingthreats.net Fri May 4 22:00:06 
2007 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Fri May 4 22:00:09 2007 Subject: [Bleeding-sigs] Bleeding Edge Threats Weekly Signature Changes Message-ID: <20070504220006.6E27722C0CA@sb03.us.bleedingsnort.com> [***] Results from Oinkmaster started Fri May 4 18:00:06 2007 [***] [+++] Added rules: [+++] 2003617 - BLEEDING-EDGE Malware MyWebSearch Toolbar Posting Activity Report (bleeding-malware.rules) 2003619 - BLEEDING-EDGE MALWARE Alexa Spyware Redirecting User (bleeding-malware.rules) 2003620 - BLEEDING-EDGE MALWARE 51yes.com Spyware Reporting User Activity (bleeding-malware.rules) 2003621 - BLEEDING-EDGE Malware MyWay Spyware Posting Activity Report - Dell Related (bleeding-malware.rules) 2003622 - BLEEDING-EDGE MALWARE Suspicious User-Agent (bot) (bleeding-malware.rules) 2003623 - BLEEDING-EDGE POLICY Centralops.net Domain Dossier Utility Probe (bleeding-policy.rules) 2003624 - BLEEDING-EDGE MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0) (bleeding-malware.rules) 2003625 - BLEEDING-EDGE MALWARE dns-look-up.com Spyware User-Agent (KRSystem) (bleeding-malware.rules) 2003626 - BLEEDING-EDGE MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: ) (bleeding-malware.rules) 2003627 - BLEEDING-EDGE MALWARE Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI) (bleeding-malware.rules) 2003630 - BLEEDING-EDGE MALWARE Baidu.com Spyware Sobar Bar Activity (bleeding-malware.rules) 2003631 - BLEEDING-EDGE POLICY Centralops.net Probe (bleeding-policy.rules) 2003632 - BLEEDING-EDGE VIRUS Zlob User Agent - updating (internetsecurity) (bleeding-virus.rules) 2003633 - BLEEDING-EDGE CURRENT EVENTS Traffic with a window of 55808 - Unknown likely hostile scanning - Please report hits to Bleeding Edge or ISC (bleeding.rules) 2003634 - BLEEDING-EDGE WEB Suspicious User-Agent - get-minimal - Possible Vuln Scan (bleeding-web.rules) 2003635 - BLEEDING-EDGE TROJAN Generic Password Stealer User Agent Detected 
(bleeding-virus.rules) 2003636 - BLEEDING-EDGE Sality Virus User Agent Detected (KUKU v3.09) (bleeding-virus.rules) 2003637 - BLEEDING-EDGE TROJAN Inject.BV Trojan User Agent Detected (faserx) (bleeding-virus.rules) 2003639 - BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (ProxyDown) (bleeding-malware.rules) 2003640 - BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel) (bleeding-malware.rules) 2003641 - BLEEDING-EDGE TROJAN Downloader.Small User Agent Detected (NetScafe) (bleeding-virus.rules) 2003642 - BLEEDING-EDGE TROJAN Downloader.Affill User Agent Detected (lol) (bleeding-virus.rules) [///] Modified active rules: [///] 2002682 - BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer Window() Possible Code Execution (bleeding-exploit.rules) 2002734 - BLEEDING-EDGE EXPLOIT WMF Exploit (bleeding-exploit.rules) 2002860 - BLEEDING-EDGE EXPLOIT Internet Explorer createTextRange Code Execution (bleeding-exploit.rules) 2003109 - BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer VML Fill Method Attribute Overflow (bleeding-exploit.rules) 2003425 - BLEEDING-EDGE MALWARE clickspring.com Spyware Install User-Agent (CS Fingerprint Module) (bleeding-malware.rules) 2003587 - BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack (bleeding.rules) 2003592 - BLEEDING-EDGE CURRENT EVENTS Vulnerable DNS RPC Bind (bleeding.rules) 2003593 - BLEEDING-EDGE CURRENT EVENTS DNS RPC Exploit (specific to Metasploit Module) (bleeding.rules) 2003594 - BLEEDING-EDGE CURRENT EVENTS DNS RPC Exploit big endian (specific to Metasploit Module) (bleeding.rules) 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400004 - BLEEDING-EDGE DROP Spamhaus 
DROP Listed Traffic Inbound (bleeding-drop.rules) 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405005 - BLEEDING-EDGE DROP 
Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [///] Modified inactive rules: [///] 2002909 - BLEEDING-EDGE EXPLOIT Internet Explorer Cryptomathic ActiveX createPKCS10 Access (bleeding-exploit.rules) [---] Disabled rules: [---] 2001915 - BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Request-TCP) (bleeding-exploit.rules) 2001916 - BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Response-TCP) (bleeding-exploit.rules) 2001917 - BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Request-UDP) (bleeding-exploit.rules) 2001918 - BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Response-UDP) (bleeding-exploit.rules) 2003584 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) (bleeding-malware.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-drop-BLOCK.rules (1): # VERSION 173 -> Added to bleeding-drop.rules (1): # VERSION 173 -> Added to bleeding-malware.rules (2): #from spyware listening post data, by matt Jonkman #from castlecops research -> Added to bleeding-policy.rules (1): #online tools -> Added to bleeding-sid-msg.map (27): 2002682 || BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer Window() Possible Code Execution || cve,2005-1790 || url,www.computerterrorism.com/research/ie/ct21-11-2005 || url,secunia.com/advisories/15546 2002734 || BLEEDING-EDGE EXPLOIT WMF Exploit || url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php 2002860 || BLEEDING-EDGE EXPLOIT Internet Explorer createTextRange Code Execution || cve,2006-1359 || bugtraq,17196 2002909 || BLEEDING-EDGE EXPLOIT Internet Explorer Cryptomathic ActiveX createPKCS10 Access || bugtraq,17852 || cve,2006-1172 2003109 || BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer VML Fill Method Attribute Overflow || bugtraq,20096 || cve,2006-4868 2003617 || BLEEDING-EDGE Malware MyWebSearch Toolbar Posting Activity Report 2003619 || 
BLEEDING-EDGE MALWARE Alexa Spyware Redirecting User 2003620 || BLEEDING-EDGE MALWARE 51yes.com Spyware Reporting User Activity 2003621 || BLEEDING-EDGE Malware MyWay Spyware Posting Activity Report - Dell Related 2003622 || BLEEDING-EDGE MALWARE Suspicious User-Agent (bot) 2003623 || BLEEDING-EDGE POLICY Centralops.net Domain Dossier Utility Probe || url,centralops.net 2003624 || BLEEDING-EDGE MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0) 2003625 || BLEEDING-EDGE MALWARE dns-look-up.com Spyware User-Agent (KRSystem) 2003626 || BLEEDING-EDGE MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: ) 2003627 || BLEEDING-EDGE MALWARE Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI) 2003630 || BLEEDING-EDGE MALWARE Baidu.com Spyware Sobar Bar Activity || url,www.pctools.com/mrc/infections/id/BaiDu/ 2003631 || BLEEDING-EDGE POLICY Centralops.net Probe || url,centralops.net 2003632 || BLEEDING-EDGE VIRUS Zlob User Agent - updating (internetsecurity) || url,secubox.aldria.com/topic-post1618.html#post1618 2003633 || BLEEDING-EDGE CURRENT EVENTS Traffic with a window of 55808 - Unknown likely hostile scanning - Please report hits to Bleeding Edge or ISC || url,www.cert.org/current/archive/2003/06/25/archive.html || url,isc.sans.org/diary.html?n&storyid=2717 2003634 || BLEEDING-EDGE WEB Suspicious User-Agent - get-minimal - Possible Vuln Scan 2003635 || BLEEDING-EDGE TROJAN Generic Password Stealer User Agent Detected 2003636 || BLEEDING-EDGE Sality Virus User Agent Detected (KUKU v3.09) 2003637 || BLEEDING-EDGE TROJAN Inject.BV Trojan User Agent Detected (faserx) 2003639 || BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (ProxyDown) 2003640 || BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel) 2003641 || BLEEDING-EDGE TROJAN Downloader.Small User Agent Detected (NetScafe) 2003642 || BLEEDING-EDGE TROJAN Downloader.Affill User Agent Detected (lol) -> Added to bleeding-virus.rules (5): #from castlecops 
research, http://www.castlecops.com, sig by Matt Jonkman #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman #by axn jxn -> Added to bleeding-web.rules (2): #Seen being used for vuln scanning. # The original script it's modified from is legitimate, so there may be some falses -> Added to bleeding.rules (2): #by Matt Jonkman #From ISC post here: isc.sans.org/diary.html?n&storyid=2717 [---] Removed non-rule lines: [---] -> Removed from bleeding-drop-BLOCK.rules (1): # VERSION 166 -> Removed from bleeding-drop.rules (1): # VERSION 166 -> Removed from bleeding-sid-msg.map (5): 2002682 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer Window() Possible Code Execution || cve,2005-1790 || url,www.computerterrorism.com/research/ie/ct21-11-2005 || url,secunia.com/advisories/15546 2002734 || BLEEDING-EDGE CURRENT WMF Exploit || url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php 2002860 || BLEEDING-EDGE WEB CLIENT Internet Explorer createTextRange Code Execution || cve,2006-1359 || bugtraq,17196 2002909 || BLEEDING-EDGE WEB CLIENT Internet Explorer Cryptomathic ActiveX createPKCS10 Access || bugtraq,17852 || cve,2006-1172 2003109 || BLEEDING-EDGE Microsoft Internet Explorer VML Fill Method Attribute Overflow || bugtraq,20096 || cve,2006-4868 From bleeding at bleedingthreats.net Sat May 5 20:00:05 2007 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Sat May 5 20:00:14 2007 Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes Message-ID: <20070505200005.E076F22C0B2@sb03.us.bleedingsnort.com> [***] Results from Oinkmaster started Sat May 5 16:00:05 2007 [***] [///] Modified active rules: [///] 2002682 - BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer Window() Possible Code Execution (bleeding-exploit.rules) 2002734 - BLEEDING-EDGE EXPLOIT WMF 
Exploit (bleeding-exploit.rules) 2002860 - BLEEDING-EDGE EXPLOIT Internet Explorer createTextRange Code Execution (bleeding-exploit.rules) 2003109 - BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer VML Fill Method Attribute Overflow (bleeding-exploit.rules) 2003632 - BLEEDING-EDGE VIRUS Zlob User Agent - updating (internetsecurity) (bleeding-virus.rules) [///] Modified inactive rules: [///] 2002909 - BLEEDING-EDGE EXPLOIT Internet Explorer Cryptomathic ActiveX createPKCS10 Access (bleeding-exploit.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-sid-msg.map (6): 2002682 || BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer Window() Possible Code Execution || cve,2005-1790 || url,www.computerterrorism.com/research/ie/ct21-11-2005 || url,secunia.com/advisories/15546 2002734 || BLEEDING-EDGE EXPLOIT WMF Exploit || url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php 2002860 || BLEEDING-EDGE EXPLOIT Internet Explorer createTextRange Code Execution || cve,2006-1359 || bugtraq,17196 2002909 || BLEEDING-EDGE EXPLOIT Internet Explorer Cryptomathic ActiveX createPKCS10 Access || bugtraq,17852 || cve,2006-1172 2003109 || BLEEDING-EDGE EXPLOIT Microsoft Internet Explorer VML Fill Method Attribute Overflow || bugtraq,20096 || cve,2006-4868 2003632 || BLEEDING-EDGE VIRUS Zlob User Agent - updating (internetsecurity) || url,secubox.aldria.com/topic-post1618.html#post1618 [---] Removed non-rule lines: [---] -> Removed from bleeding-sid-msg.map (6): 2002682 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer Window() Possible Code Execution || cve,2005-1790 || url,www.computerterrorism.com/research/ie/ct21-11-2005 || url,secunia.com/advisories/15546 2002734 || BLEEDING-EDGE CURRENT WMF Exploit || url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php 2002860 || BLEEDING-EDGE WEB CLIENT Internet Explorer createTextRange Code Execution || cve,2006-1359 || bugtraq,17196 2002909 || BLEEDING-EDGE WEB CLIENT Internet Explorer Cryptomathic ActiveX 
createPKCS10 Access || bugtraq,17852 || cve,2006-1172 2003109 || BLEEDING-EDGE Microsoft Internet Explorer VML Fill Method Attribute Overflow || bugtraq,20096 || cve,2006-4868 2003632 || BLEEDING-EDGE CURRENT EVENTS Zlob User Agent - updating (internetsecurity) || url,secubox.aldria.com/topic-post1618.html#post1618 From bleeding at bleedingthreats.net Mon May 7 20:00:06 2007 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Mon May 7 20:00:13 2007 Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes Message-ID: <20070507200006.C400922C088@sb03.us.bleedingsnort.com> [***] Results from Oinkmaster started Mon May 7 16:00:06 2007 [***] [+++] Added rules: [+++] 2003643 - BLEEDING-EDGE TROJAN Win32.Small.mi User-Agent Detected (MyAgent) (bleeding-virus.rules) 2003644 - BLEEDING-EDGE MALWARE Generic.Malware.dld User-Agent (Sickloader) (bleeding-malware.rules) 2003645 - BLEEDING-EDGE TROJAN Generic.Malware.SFL User-Agent (Rescue/9.11) (bleeding-virus.rules) 2003646 - BLEEDING-EDGE TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control) (bleeding-virus.rules) 2003647 - BLEEDING-EDGE TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U) (bleeding-virus.rules) 2003648 - BLEEDING-EDGE TROJAN Clicker.BC User Agent Detected (linkrunner) (bleeding-virus.rules) 2003649 - BLEEDING-EDGE TROJAN Hupington User Agent Detected (SykO) (bleeding-virus.rules) [///] Modified active rules: [///] 2003640 - BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel) (bleeding-malware.rules) 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 176

-> Added to bleeding-drop.rules (1):
# VERSION 176

-> Added to bleeding-sid-msg.map (7):
2003643 || BLEEDING-EDGE TROJAN Win32.Small.mi User-Agent Detected (MyAgent)
2003644 || BLEEDING-EDGE MALWARE Generic.Malware.dld User-Agent (Sickloader)
2003645 || BLEEDING-EDGE TROJAN Generic.Malware.SFL User-Agent (Rescue/9.11)
2003646 || BLEEDING-EDGE TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control)
2003647 || BLEEDING-EDGE TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U)
2003648 || BLEEDING-EDGE TROJAN Clicker.BC User Agent Detected (linkrunner)
2003649 || BLEEDING-EDGE TROJAN Hupington User Agent Detected (SykO)

-> Added to bleeding-virus.rules (2):
#from castlecops research
#UA used by trojan small.mi, sent in from castlecops research

[---] Removed non-rule lines: [---]

-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 173

-> Removed from bleeding-drop.rules (1):
# VERSION 173

-> Removed from bleeding-virus.rules (1):
#No better name for it yet

From r.fulton at auckland.ac.nz Mon May 7 23:26:06 2007
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Mon May 7 23:26:48 2007
Subject: [Bleeding-sigs] "BLEEDING-EDGE Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection"
Message-ID: <463FB58E.5020503@auckland.ac.nz>

Has this sig changed in the last few days? All of a sudden single long running RDP sessions are triggering lots of alerts. We need something that makes certain that this only triggers once per connection.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "BLEEDING-EDGE Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection"; flow:to_server,established; threshold: type both, track by_src, count 20, seconds 360; classtype: misc-activity; sid: 2001972; rev:14; )

The packets show just an ACK flag, no data.

Russell.

From jonkman at bleedingthreats.net Tue May 8 01:37:31 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue May 8 01:38:18 2007
Subject: [Bleeding-sigs] "BLEEDING-EDGE Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection"
In-Reply-To: <463FB58E.5020503@auckland.ac.nz>
References: <463FB58E.5020503@auckland.ac.nz>
Message-ID: <463FD45B.8040401@bleedingthreats.net>

Your version is missing something. The version in cvs is:

SCAN/SCAN_Term_Server:alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "BLEEDING-EDGE Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; classtype: misc-activity; sid: 2001972; rev:14; )

You're missing the flags:S,12. That'll fix the issue I bet.

Matt

Russell Fulton wrote:
> Has this sig changed in the last few days? All of a sudden single long
> running RDP sessions are triggering lots of alerts. We need something
> that makes certain that this only triggers once per connection.
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "BLEEDING-EDGE
> Behavioral Unusually fast Terminal Server Traffic, Potential Scan or
> Infection"; flow:to_server,established; threshold: type both, track
> by_src, count 20, seconds 360; classtype: misc-activity; sid: 2001972;
> rev:14; )
>
> The packets show just an ACK flag, no data.
>
>
> Russell.
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From r.fulton at auckland.ac.nz Tue May 8 05:37:13 2007
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Tue May 8 05:38:02 2007
Subject: [Bleeding-sigs] "BLEEDING-EDGE Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection"
In-Reply-To: <463FD45B.8040401@bleedingthreats.net>
References: <463FB58E.5020503@auckland.ac.nz> <463FD45B.8040401@bleedingthreats.net>
Message-ID: <46400C89.5050901@auckland.ac.nz>

Mea Culpa! I had an oinkmaster rule that fiddled with the rule. Doh! I made the change weeks ago so I'm not sure why it suddenly burst into life now..

What I was trying to do was make it so that the rule did not trigger on scans, i.e. lots of syn packets, but would trigger on lots of sessions from a single host, i.e. iterative exploit attempts or brute force attempts. I had not realised that just having 'established' would trigger repeatedly for long running sessions.

Hmmm.... I could trigger on the syn+ack and track by_dst; would that work?

Matt Jonkman wrote:
> Your version is missing something. The version in cvs is:
>
> SCAN/SCAN_Term_Server:alert tcp $EXTERNAL_NET any -> $HOME_NET 3389
> (msg: "BLEEDING-EDGE Behavioral Unusually fast Terminal Server Traffic,
> Potential Scan or Infection"; flags: S,12; threshold: type both, track
> by_src, count 20, seconds 360; classtype: misc-activity; sid: 2001972;
> rev:14; )
>
> You're missing the flags:S,12. That'll fix the issue I bet.
>
>
>

From scheidell at secnap.net Tue May 8 10:34:29 2007
From: scheidell at secnap.net (Michael Scheidell)
Date: Tue May 8 10:35:18 2007
Subject: [Bleeding-sigs] Report to bleedingsigs?
Message-ID:

Meta
ID # Time Triggered Signature
2 - 716208 2007-05-08 05:07:29 BLEEDING-EDGE CURRENT EVENTS Traffic with a window of 55808 - Unknown likely hostile scanning - Please report hits to Bleeding Edge or ISC

Sensor Name Interface Filter
curagen WAN none

Alert Group none

IP
Source Address Dest. Address Ver Hdr Len TOS length ID flags offset TTL chksum
220.234.105.140 clientmailserver 4 5 0 52 39735 2 0 111 7752

FQDN
Source Name Dest. Name
Unable to resolve address smtp2.jjjjjjjj

Options none

TCP
Source Port Dest Port R1 R0 URG ACK PSH RST SYN FIN seq # ack offset res window urp chksum
3992 25 X 2529488708 0 8 0 55808 0 44310

Options none

Payload none

-- 
Michael Scheidell, CTO
Join SECNAP at SecureWorld Philadelphia May 16-17
http://www.secnap.com/events for free and discounted seminar tickets
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_________________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.bleedingthreats.net/pipermail/bleeding-sigs/attachments/20070508/29b1e99a/attachment.htm

From jonkman at bleedingthreats.net Tue May 8 12:29:08 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue May 8 12:29:51 2007
Subject: [Bleeding-sigs] 2003591 falses?
Message-ID: <46406D14.2080005@bleedingthreats.net>

Anyone getting falses on this:

CURRENT_EVENTS/CURRENT_Rinbot:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Rinbot.a User Agent - Downloading new Code (Mozilla/5.0)"; flow:established,to_server; content:"User-Agent\: Mozilla/5.0|0d 0a|"; content:!"Accept\: text/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/RinBot; sid:2003591; rev:2;)

Matt

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From jonkman at bleedingthreats.net Tue May 8 12:32:46 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue May 8 12:33:42 2007
Subject: [Bleeding-sigs] Report to bleedingsigs?
Message-ID: <46406DEE.1010700@bleedingthreats.net>

That's interesting. Chinese source IP. Getting many of those, or just that?

matt

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

From jonkman at bleedingthreats.net Tue May 8 12:58:07 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue May 8 12:58:51 2007
Subject: [Bleeding-sigs] "BLEEDING-EDGE Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection"
In-Reply-To: <46400C89.5050901@auckland.ac.nz>
References: <463FB58E.5020503@auckland.ac.nz> <463FD45B.8040401@bleedingthreats.net> <46400C89.5050901@auckland.ac.nz>
Message-ID: <464073DF.9070507@bleedingthreats.net>

Russell Fulton wrote:
> Mea Culpa! I had an oinkmaster rule that fiddled with the rule. Doh!
> I made the change weeks ago so I'm not sure why it suddenly burst into
> life now.. :)
>
> What I was trying to do was make it so that the rule did not trigger on
> scans, i.e. lots of syn packets but would trigger on lots of sessions
> from a single host. i.e. iterative exploit attempts or brute force
> attempts. I had not realised that just having 'established' would
> trigger repeatedly for long running sessions.
>
> Hmmm.... I could trigger on the syn+ack and track by_dst would that work?

That might. The threshold ought to do what you're wanting though. You
could fiddle with the numbers in the threshold if it's not sensitive
enough. Would that do what you're looking for?

Matt

> Matt Jonkman wrote:
>> Your version is missing something. The version in cvs is:
>>
>> SCAN/SCAN_Term_Server:alert tcp $EXTERNAL_NET any -> $HOME_NET 3389
>> (msg: "BLEEDING-EDGE Behavioral Unusually fast Terminal Server Traffic,
>> Potential Scan or Infection"; flags: S,12; threshold: type both, track
>> by_src, count 20, seconds 360; classtype: misc-activity; sid: 2001972;
>> rev:14; )
>>
>> You're missing the flags:S,12. That'll fix the issue I bet.
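A model of the threshold behaviour Russell and Matt are discussing, added here as an example (it is not code from the list, the Bleeding ruleset or Snort): it counts events the way "threshold: type both, track by_src, count 20, seconds 360" does, with and without "flags:S,12", over constructed packet lists. The hosts, timings and packet layout are assumptions.

```python
"""Model of the 'threshold' option in sid 2001972 over constructed packets.
Added example; not code from the Bleeding ruleset or from Snort itself."""
from dataclasses import dataclass, field

SYN, PSH, ACK = 0x02, 0x08, 0x10          # TCP flag bits


@dataclass
class Packet:
    ts: float      # seconds since capture start (constructed timeline)
    src: str
    dst: str
    dport: int
    flags: int


@dataclass
class ThresholdBoth:
    """threshold: type both, track by_src, count N, seconds S.

    Snort semantics: alert once per S-second interval after the N-th
    matching event from a source, then stay quiet until the interval ends."""
    count: int
    seconds: float
    state: dict = field(default_factory=dict)   # src -> (interval_start, n, alerted)

    def event(self, src, ts):
        """Record one matching packet; return True if Snort would log an alert."""
        start, n, alerted = self.state.get(src, (None, 0, False))
        if start is None or ts - start >= self.seconds:
            start, n, alerted = ts, 0, False        # interval expired: reset
        n += 1
        fire = n >= self.count and not alerted
        self.state[src] = (start, n, fire or alerted)
        return fire


def rule_2001972(packets, require_syn=True):
    """Apply the Terminal Server rule and return [(src, ts)] of alerts.

    require_syn=True  models the CVS version with 'flags:S,12' (only new
                      connection attempts count; the two reserved bits are ignored).
    require_syn=False models Russell's copy without it, where every packet of
                      an established session to 3389 feeds the threshold."""
    thr = ThresholdBoth(count=20, seconds=360)
    alerts = []
    for p in sorted(packets, key=lambda q: q.ts):
        if p.dport != 3389:
            continue
        if require_syn and (p.flags & 0x3F) != SYN:   # SYN alone, reserved bits masked
            continue
        if thr.event(p.src, p.ts):
            alerts.append((p.src, p.ts))
    return alerts


# --- constructed traffic (assumed hosts and timings) -------------------------
def legit_rdp_session(src="10.0.0.5", dst="10.0.0.20", n=300):
    """One long-lived RDP session: a single SYN, then a data packet every 2 s."""
    return [Packet(0.0, src, dst, 3389, SYN)] + [
        Packet(2.0 * i, src, dst, 3389, PSH | ACK) for i in range(1, n)]


def syn_burst(src="203.0.113.9", dst="10.0.0.20", n=100, spacing=0.5):
    """A scanner or brute-forcer opening n connections, one every 0.5 s."""
    return [Packet(spacing * i, src, dst, 3389, SYN) for i in range(n)]


if __name__ == "__main__":
    print("legit session, flags:S,12 :", rule_2001972(legit_rdp_session()))
    print("legit session, no flags   :", rule_2001972(legit_rdp_session(), False))
    print("100 SYNs in 50 s          :", rule_2001972(syn_burst()))
```

Without the flags check a single ten-minute session fires the rule twice (once per 360-second interval), while with it the session never counts and a burst of 100 SYNs produces exactly one alert.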
From jeff-kell at utc.edu Tue May 8 14:57:37 2007
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue May 8 14:58:20 2007
Subject: [Bleeding-sigs] "BLEEDING-EDGE Behavioral Unusually fast Terminal
In-Reply-To: <464073DF.9070507@bleedingthreats.net>
References: <463FB58E.5020503@auckland.ac.nz> <463FD45B.8040401@bleedingthreats.net> <46400C89.5050901@auckland.ac.nz> <464073DF.9070507@bleedingthreats.net>
Message-ID: <46408FE1.2040202@utc.edu>

Another good case for my "flow: first_data,to_server" dream :-)

Many cases you want to know the first data packet in a flow (after 3-way
handshake). I've mentioned this to Marty. Maybe we should start up a
petition (or convince somebody to hack up the code).

Many false positives are the result of signatures that are looking for a
particular file or data "header" in a data stream, but the characteristic
pattern gets triggered by unrelated binary data in a large file transfer
(for example). There is no way to just look at the "beginning" of a data
stream (other than uricontent: for HTTP requests, which works to avoid
false positives that might otherwise result from http data uploads getting
confused with GET requests).

Jeff

From jonkman at bleedingthreats.net Tue May 8 15:44:05 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue May 8 15:44:54 2007
Subject: [Bleeding-sigs] "BLEEDING-EDGE Behavioral Unusually fast Terminal
In-Reply-To: <46408FE1.2040202@utc.edu>
References: <463FB58E.5020503@auckland.ac.nz> <463FD45B.8040401@bleedingthreats.net> <46400C89.5050901@auckland.ac.nz> <464073DF.9070507@bleedingthreats.net> <46408FE1.2040202@utc.edu>
Message-ID: <46409AC5.2030906@bleedingthreats.net>

I agree with you Jeff. The inability to anchor to the start of a stream is
a frequent problem, or to be able to specify depth/offset in a stream. It's
a core stream4 issue. I know Will and Victor at snort_inline have been
making a stink over this and a few other stream4 flaws for some time now
without any positive results from the snort developers. I wouldn't expect
a quick change.

We have a sponsor that does hardware acceleration, they had to rewrite
stream reassembly to suit their hardware needs, and solved a few of the
outstanding issues with stream4. But it's only good on accelerated
platforms of course. But the changes are of course possible.

Maybe we need to work with will and victor to help get them what they need
to do it in snort_inline. They have a modified stream4 to do their more
effective inline stuff.

Anyone knowledgeable of coding stream4 stuff, and willing to help out?

Matt

From bleeding at bleedingthreats.net Tue May 8 20:00:06 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Tue May 8 20:00:08 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070508200006.BFAB122C0B1@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Tue May 8 16:00:06 2007 [***]

[+++] Added rules: [+++]

    2003650 - BLEEDING-EDGE TROJAN Dialer-715 Install Checkin (bleeding-virus.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-sid-msg.map (1):
    2003650 || BLEEDING-EDGE TROJAN Dialer-715 Install Checkin

    -> Added to bleeding-virus.rules (1):
    #Matt Jonkman from snadnet data

From david at vorant.com Tue May 8 19:55:30 2007
From: david at vorant.com (David J. Bianco)
Date: Tue May 8 20:17:08 2007
Subject: [Bleeding-sigs] Downloader.VB.TX false positives
Message-ID: <4640D5B2.4010400@vorant.com>

Ok, I just updated this morning and I see that sid 2003646 is giving a lot
of false positives. For reference, this is:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control)"; flow:established,to_server; content:"User-Agent\: Microsoft URL Control -"; nocase; classtype:trojan-activity; sid:2003646; rev:1;)

The problem is that it's looking for "User-Agent: Microsoft URL Control -" in
the request, which is apparently a perfectly legitimate UA, though an
uncommon one. For example, see this page:

http://forums.seochat.com/search-engine-spiders-27/microsoft-url-control-6-00-8169t-3968.html

According to this posting, the UA is actually from a standard VB control,
and anything written to use the control will have the same agent string.
This explains what I see on my own network. So far none of the alerts have
actually been virus activity.

I recommend disabling this rule, since it isn't really specific to a
virus or trojan.

David

From jonkman at bleedingthreats.net Tue May 8 20:18:55 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue May 8 20:20:46 2007
Subject: [Bleeding-sigs] Downloader.VB.TX false positives
In-Reply-To: <4640D5B2.4010400@vorant.com>
References: <4640D5B2.4010400@vorant.com>
Message-ID: <4640DB2F.3040706@bleedingthreats.net>

Ahh, thanks for the report. I wasn't aware that was a legit UA, or in much
use. I agree, I'll disable the sig and schedule it for deletion.

Thanks again for the report!

matt
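An evaluator for the content matching in the two user-agent rules in this thread, sid 2003591 (the Rinbot rule Matt asked about) and sid 2003646 (the rule David reports), added here as an example and not code from the list, the ruleset or Snort: it decodes each rule's content strings (|0d 0a| hex, \: escapes), applies nocase and the negated content, and runs both rules over constructed HTTP requests. The request bodies, host names and version strings are constructed.

```python
"""Content matching for the two user-agent rules in this thread, sids 2003591
and 2003646. Added example; not code from the list, the ruleset or Snort."""
import re

# The two rules exactly as posted to the list.
RULES = {
    2003591: r'''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Rinbot.a User Agent - Downloading new Code (Mozilla/5.0)"; flow:established,to_server; content:"User-Agent\: Mozilla/5.0|0d 0a|"; content:!"Accept\: text/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/RinBot; sid:2003591; rev:2;)''',
    2003646: r'''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control)"; flow:established,to_server; content:"User-Agent\: Microsoft URL Control -"; nocase; classtype:trojan-activity; sid:2003646; rev:1;)''',
}

# option name, optional ':' value (quoted strings may contain escaped chars), ';'
OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?\s*;')


def decode_content(text):
    r"""Snort content string -> bytes: |0d 0a| hex blocks plus \: \; \" \\ escapes."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "|":                       # hex block up to the closing pipe
            j = text.index("|", i + 1)
            out += bytes.fromhex(text[i + 1:j])
            i = j + 1
        elif text[i] == "\\":                    # escaped literal character
            out.append(ord(text[i + 1]))
            i += 2
        else:
            out += text[i].encode("latin-1")
            i += 1
    return bytes(out)


def parse_contents(rule):
    """Return [[pattern_bytes, negated, nocase], ...] from a rule's options."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for m in OPT_RE.finditer(body):
        name, value = m.group(1), (m.group(2) or "").strip()
        if name == "content":
            negated = value.startswith("!")
            contents.append([decode_content(value.lstrip("!").strip('"')), negated, False])
        elif name == "nocase" and contents:
            contents[-1][2] = True               # nocase modifies the preceding content
    return contents


def rule_matches(rule, payload):
    """True if every content is found and no negated content is found.

    Neither rule uses offset/depth/distance/within, so each content is a
    search of the whole payload, which is how Snort treats it too."""
    for pattern, negated, nocase in parse_contents(rule):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if (needle in hay) == negated:
            return False
    return True


# Constructed client requests (hosts, paths and version numbers are made up).
REQUESTS = {
    # exact UA "Mozilla/5.0" followed by CRLF and no Accept header: the bot, or
    # any minimal client built the same way, which is the false-positive question
    "bare_mozilla_ua": b"GET /new.exe HTTP/1.0\r\nUser-Agent: Mozilla/5.0\r\nHost: example.net\r\n\r\n",
    # a browser: the UA continues after "Mozilla/5.0", and Accept: text/ is present
    "browser": b"GET / HTTP/1.1\r\nHost: example.net\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070312 Firefox/2.0\r\nAccept: text/html,*/*\r\n\r\n",
    # a legitimate VB application using the stock Microsoft URL Control
    "vb_app": b"GET /update.txt HTTP/1.1\r\nUser-Agent: Microsoft URL Control - 6.00.8169\r\nHost: example.net\r\n\r\n",
    # same control, lower-cased header; still caught because of 'nocase'
    "vb_app_lowercase": b"GET /u HTTP/1.1\r\nuser-agent: microsoft url control - 6.00.8169\r\n\r\n",
}


def alerts_for(sid):
    """Names of the constructed requests that would trigger the given sid."""
    return sorted(n for n, req in REQUESTS.items() if rule_matches(RULES[sid], req))


if __name__ == "__main__":
    for sid in RULES:
        print(sid, alerts_for(sid))
```

Sid 2003646 fires on every client built on the control, whatever it is, while 2003591 only fires when the user-agent line is exactly "Mozilla/5.0" and no "Accept: text/" header is present.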
From bleeding at bleedingthreats.net Wed May 9 20:00:05 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Wed May 9 20:00:18 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070509200005.E936122C08A@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Wed May 9 16:00:05 2007 [***]

[+++] Added rules: [+++]

    2003651 - BLEEDING-EDGE Sality Virus User Agent Detected (SPM_ID=) (bleeding-virus.rules)

[///] Modified active rules: [///]

    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Disabled rules: [---]

    2003646 - BLEEDING-EDGE TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control) (bleeding-virus.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
    # VERSION 178

    -> Added to bleeding-drop.rules (1):
    # VERSION 178

    -> Added to bleeding-sid-msg.map (1):
    2003651 || BLEEDING-EDGE Sality Virus User Agent Detected (SPM_ID=)

    -> Added to bleeding-virus.rules (2):
    #from the bleeding sandnet
    #Reports of falsing here, the UA is legit within MS VB stuff. Scheduled to be deleted in a week or so. Do not recommend using this

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
    # VERSION 176

    -> Removed from bleeding-drop.rules (1):
    # VERSION 176

From bleeding at bleedingthreats.net Fri May 11 20:00:07 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri May 11 20:00:12 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070511200007.289B222C08B@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Fri May 11 16:00:06 2007 [***]

[+++] Added rules: [+++]

    2003652 - BLEEDING-EDGE MALWARE CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar) (bleeding-malware.rules)
    2003653 - BLEEDING-EDGE POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc) (bleeding-policy.rules)
    2003654 - BLEEDING-EDGE MALWARE Effectivebrands.com Spyware User-Agent (GTBank) (bleeding-malware.rules)
    2003655 - BLEEDING-EDGE MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0) (bleeding-malware.rules)
    2003656 - BLEEDING-EDGE MALWARE debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6) (bleeding-malware.rules)
    2003657 - BLEEDING-EDGE MALWARE Ibankis.org related Spyware User-Agent (MSIE 5.3 (xpsp2-xxx)) (bleeding-malware.rules)
    2003658 - BLEEDING-EDGE MALWARE qq.com related Spyware User-Agent (QQGame) (bleeding-malware.rules)
    2003659 - BLEEDING-EDGE MALWARE Unusual Referer String (human) (bleeding-malware.rules)

[///] Modified active rules: [///]

    2003399 - BLEEDING-EDGE MALWARE Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer) (bleeding-malware.rules)
    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
    # VERSION 180

    -> Added to bleeding-drop.rules (1):
    # VERSION 180

    -> Added to bleeding-malware.rules (3):
    #from spyware lp data
    #not really a UA sig, but related:
    #by Mark Warren at Praemunio

    -> Added to bleeding-policy.rules (1):
    #this is a distributed search engine crawling thing. I am not aware of any spyware-like activity, but it is likely not welcome on a corporate net

    -> Added to bleeding-sid-msg.map (8):
    2003652 || BLEEDING-EDGE MALWARE CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar)
    2003653 || BLEEDING-EDGE POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc)
    2003654 || BLEEDING-EDGE MALWARE Effectivebrands.com Spyware User-Agent (GTBank)
    2003655 || BLEEDING-EDGE MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0)
    2003656 || BLEEDING-EDGE MALWARE debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6) || url,www.f-secure.com/v-descs/rizo.shtml
    2003657 || BLEEDING-EDGE MALWARE Ibankis.org related Spyware User-Agent (MSIE 5.3 (xpsp2-xxx))
    2003658 || BLEEDING-EDGE MALWARE qq.com related Spyware User-Agent (QQGame)
    2003659 || BLEEDING-EDGE MALWARE Unusual Referer String (human)

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
    # VERSION 178

    -> Removed from bleeding-drop.rules (1):
    # VERSION 178

From bleeding at bleedingthreats.net Fri May 11 22:00:06 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri May 11 22:00:11 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Weekly Signature Changes
Message-ID: <20070511220006.7D0D922C0C8@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Fri May 11 18:00:05 2007 [***]

[+++] Added rules: [+++]

    2003643 - BLEEDING-EDGE TROJAN Win32.Small.mi User-Agent Detected (MyAgent) (bleeding-virus.rules)
    2003644 - BLEEDING-EDGE MALWARE Generic.Malware.dld User-Agent (Sickloader) (bleeding-malware.rules)
    2003645 - BLEEDING-EDGE TROJAN Generic.Malware.SFL User-Agent (Rescue/9.11) (bleeding-virus.rules)
    2003646 - BLEEDING-EDGE TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control) (bleeding-virus.rules)
    2003647 - BLEEDING-EDGE TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U) (bleeding-virus.rules)
    2003648 - BLEEDING-EDGE TROJAN Clicker.BC User Agent Detected (linkrunner) (bleeding-virus.rules)
    2003649 - BLEEDING-EDGE TROJAN Hupington User Agent Detected (SykO) (bleeding-virus.rules)
    2003650 - BLEEDING-EDGE TROJAN Dialer-715 Install Checkin (bleeding-virus.rules)
    2003651 - BLEEDING-EDGE Sality Virus User Agent Detected (SPM_ID=) (bleeding-virus.rules)
    2003652 - BLEEDING-EDGE MALWARE CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar) (bleeding-malware.rules)
    2003653 - BLEEDING-EDGE POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc) (bleeding-policy.rules)
    2003654 - BLEEDING-EDGE MALWARE Effectivebrands.com Spyware User-Agent (GTBank) (bleeding-malware.rules)
    2003655 - BLEEDING-EDGE MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0) (bleeding-malware.rules)
    2003656 - BLEEDING-EDGE MALWARE debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6) (bleeding-malware.rules)
    2003657 - BLEEDING-EDGE MALWARE Ibankis.org related Spyware User-Agent (MSIE 5.3 (xpsp2-xxx)) (bleeding-malware.rules)
    2003658 - BLEEDING-EDGE MALWARE qq.com related Spyware User-Agent (QQGame) (bleeding-malware.rules)
    2003659 - BLEEDING-EDGE MALWARE Unusual Referer String (human) (bleeding-malware.rules)

[///] Modified active rules: [///]

    2003399 - BLEEDING-EDGE MALWARE Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer) (bleeding-malware.rules)
    2003640 - BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel) (bleeding-malware.rules)
    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
    # VERSION 180

    -> Added to bleeding-drop.rules (1):
    # VERSION 180

    -> Added to bleeding-malware.rules (3):
    #from spyware lp data
    #not really a UA sig, but related:
    #by Mark Warren at Praemunio

    -> Added to bleeding-policy.rules (1):
    #this is a distributed search engine crawling thing. I am not aware of any spyware-like activity, but it is likely not welcome on a corporate net

    -> Added to bleeding-sid-msg.map (17):
    2003643 || BLEEDING-EDGE TROJAN Win32.Small.mi User-Agent Detected (MyAgent)
    2003644 || BLEEDING-EDGE MALWARE Generic.Malware.dld User-Agent (Sickloader)
    2003645 || BLEEDING-EDGE TROJAN Generic.Malware.SFL User-Agent (Rescue/9.11)
    2003646 || BLEEDING-EDGE TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control)
    2003647 || BLEEDING-EDGE TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U)
    2003648 || BLEEDING-EDGE TROJAN Clicker.BC User Agent Detected (linkrunner)
    2003649 || BLEEDING-EDGE TROJAN Hupington User Agent Detected (SykO)
    2003650 || BLEEDING-EDGE TROJAN Dialer-715 Install Checkin
    2003651 || BLEEDING-EDGE Sality Virus User Agent Detected (SPM_ID=)
    2003652 || BLEEDING-EDGE MALWARE CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar)
    2003653 || BLEEDING-EDGE POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc)
    2003654 || BLEEDING-EDGE MALWARE Effectivebrands.com Spyware User-Agent (GTBank)
    2003655 || BLEEDING-EDGE MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0)
    2003656 || BLEEDING-EDGE MALWARE debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6) || url,www.f-secure.com/v-descs/rizo.shtml
    2003657 || BLEEDING-EDGE MALWARE Ibankis.org related Spyware User-Agent (MSIE 5.3 (xpsp2-xxx))
    2003658 || BLEEDING-EDGE MALWARE qq.com related Spyware User-Agent (QQGame)
    2003659 || BLEEDING-EDGE MALWARE Unusual Referer String (human)

    -> Added to bleeding-virus.rules (5):
    #from the bleeding sandnet
    #Matt Jonkman from snadnet data
    #Reports of falsing here, the UA is legit within MS VB stuff. Scheduled to be deleted in a week or so. Do not recommend using this
    #from castlecops research
    #UA used by trojan small.mi, sent in from castlecops research

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
    # VERSION 173

    -> Removed from bleeding-drop.rules (1):
    # VERSION 173

    -> Removed from bleeding-virus.rules (1):
    #No better name for it yet

From security at secnap.com Sat May 12 11:15:15 2007
From: security at secnap.com (SECNAP Network Security)
Date: Tue May 15 12:06:04 2007
Subject: [Bleeding-sigs] interesting port 0 traffic: FW: alert: New event: BAD-TRAFFIC udp port 0 traffic

What do you make of this?

It almost looks like the slammer/udp 1434 stuff:

05/11-20:10:37 UDP 150.101.167.237:0 --> 192.168.3.4:0
[1:525:9] BAD-TRAFFIC udp port 0 traffic
[Classification: Misc activity] [Priority: 3]

length = 376
060 : 01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE ....B.........p. 070 : 42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9 B.p.B........h.. 080 : B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01 .B.....1...P..5. 090 : 01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33 ...P..Qh.dllhel3 0a0 : 32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B 2hkernQhounthick 0b0 : 43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64 ChGetTf.llQh32.d 0c0 : 68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66 hws2_f.etQhsockf 0d0 : B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45 .toQhsend....B.E 0e0 : D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50 .P..P.E.P.E.P..P 0f0 : BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05 ....B....=U..Qt. 100 : BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1 ....B....1.QQP.. 110 : 03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B ..........Q.E.P. 120 : 45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45 E.P..j.j.j...P.E 130 : C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61 .P.E.P........ References: Message-ID: <4649A9A3.6050906@bleedingthreats.net> Don't recognize the payload pattern right off, but it's interesting that it's padded with 1's up front. Wonder if it's a scan tool that was overloaded, or misconfigured. Any chance the snort instance was overloaded and mangled it at that second? Matt SECNAP Network Security wrote: > What do you make of this? > > It almost looks like the slammer/udp 1434 stuff: > > 05/11-20:10:37 UDP 150.101.167.237:0 --> 192.168.3.4:0 > [1:525:9] BAD-TRAFFIC > udp port 0 traffic > [Classification: Misc activity] [Priority: 3] > > > length = 376 > > 000 : 04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................ > 010 : 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................ > 020 : 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................ > 030 : 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................ > 040 : 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................ 
> 050 : 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................ > 060 : 01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE ....B.........p. > 070 : 42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9 B.p.B........h.. > 080 : B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01 .B.....1...P..5. > 090 : 01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33 ...P..Qh.dllhel3 > 0a0 : 32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B 2hkernQhounthick > 0b0 : 43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64 ChGetTf.llQh32.d > 0c0 : 68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66 hws2_f.etQhsockf > 0d0 : B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45 .toQhsend....B.E > 0e0 : D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50 .P..P.E.P.E.P..P > 0f0 : BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05 ....B....=U..Qt. > 100 : BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1 ....B....1.QQP.. > 110 : 03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B ..........Q.E.P. > 120 : 45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45 E.P..j.j.j...P.E > 130 : C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61 .P.E.P........ 140 : D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2 ...E...@........ > 150 : C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D ...).......E.j.. > 160 : 45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50 E.P1.Qf..x.Q.E.P > 170 : 8B 45 AC 50 FF D6 EB CA .E.P.... > > > > ------------------------------------------------------------------------ > This email has been scanned and certified safe by SpammerTrap^(TM). 
> For Information please see www.spammertrap.com
> ------------------------------------------------------------------------
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc

From scheidell at secnap.net Thu May 17 01:10:18 2007
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu May 17 01:11:22 2007
Subject: [Bleeding-sigs] interesting port 0 traffic: FW: alert: New event:BAD-TRAFFIC udp port 0 traffic
References: <4649A9A3.6050906@bleedingthreats.net>
Message-ID:

Don't think so, this client usually runs 100% packet capture. And I have
seen it twice already.

> -----Original Message-----
> From: bleeding-sigs-bounces@bleedingthreats.net
> [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf Of Matt Jonkman
> Sent: Tuesday, May 15, 2007 8:38 AM
> To: Bleeding Sigs
> Subject: Re: [Bleeding-sigs] interesting port 0 traffic: FW: alert: New event:BAD-TRAFFIC udp port 0 traffic
>
> Don't recognize the payload pattern right off, but it's interesting that
> it's padded with 1's up front.
>
> Wonder if it's a scan tool that was overloaded, or misconfigured.
>
> Any chance the snort instance was overloaded and mangled it at that second?
>
> Matt
>
> SECNAP Network Security wrote:
> > What do you make of this?
> >
> > It almost looks like the slammer/udp 1434 stuff:
> >
> > 05/11-20:10:37 UDP 150.101.167.237:0 --> 192.168.3.4:0
> > [1:525:9] BAD-TRAFFIC udp port 0 traffic
> > [Classification: Misc activity] [Priority: 3]
> >
> > length = 376
> >
> > [...]

From jonkman at bleedingthreats.net Thu May 17 13:00:19 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu May 17 13:04:02 2007
Subject: [Bleeding-sigs] Lots of new sigs in the next week or so
Message-ID: <464C51E3.8000704@bleedingthreats.net>

We have a very generous researcher that is giving bleeding a lot of new
signatures in the next days/weeks. This person has been doing a good deal
of research in correlating sigs to exploits and cve numbers, and is
finding of course a number of vulnerabilities that don't have sigs for
them.
Many of these cases are for lesser known apps, or just weren't handled.
Some are covered by more general sigs, but a specific one is more useful
and informative, and often less load.

We have a bunch of them coming through today. Please look them over and
let me know how they run. We'll probably try to push through no more than
100/day as they come in to us.

Matt

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc

From bleeding at bleedingthreats.net Thu May 17 20:00:06 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Thu May 17 20:00:08 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070517200006.3278322C088@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Thu May 17 16:00:05 2007 [***]

[+++] Added rules: [+++]

    0 - BLEEDING-EDGE WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot (bleeding-web.rules)
    2003638 - BLEEDING-EDGE VIRUS AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J) (bleeding-virus.rules)
    2003660 - BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt - Headerfile.php System (bleeding-web.rules)
    2003661 - BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- latest_files.php System (bleeding-web.rules)
    2003662 - BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- latest_posts.php System (bleeding-web.rules)
    2003663 - BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System (bleeding-web.rules)
    2003664 - BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System (bleeding-web.rules)
    2003665 - BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- links.php System (bleeding-web.rules)
    2003666 - BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System (bleeding-web.rules)
    2003667 - BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- latest_news.php System (bleeding-web.rules)
    2003668 - BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System (bleeding-web.rules)
    2003669 - BLEEDING-EDGE WEB TopTree Remote Inclusion Attempt -- tpl_message.php right_file (bleeding-web.rules)
    2003670 - BLEEDING-EDGE WEB Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path (bleeding-web.rules)
    2003671 - BLEEDING-EDGE WEB Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo (bleeding-web.rules)
    2003672 - BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt -- mod_image_index.php config[pathMod] (bleeding-web.rules)
    2003673 - BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt -- mod_liens_index.php config[pathMod] (bleeding-web.rules)
    2003674 - BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt -- mod_liste_index.php config[pathMod] (bleeding-web.rules)
    2003675 - BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt -- mod_special_index.php config[pathMod] (bleeding-web.rules)
    2003676 - BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt -- mod_texte_index.php config[pathMod] (bleeding-web.rules)
    2003677 - BLEEDING-EDGE WEB Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot (bleeding-web.rules)
    2003678 - BLEEDING-EDGE WEB Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH (bleeding-web.rules)
    2003679 - BLEEDING-EDGE WEB DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir (bleeding-web.rules)
    2003680 - BLEEDING-EDGE WEB DynamicPAD Remote Inclusion Attempt -- index.php HomeDir (bleeding-web.rules)
    2003681 - BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- users_headerfile.php System (bleeding-web.rules)
    2003682 - BLEEDING-EDGE WEB E-Gads Remote Inclusion Attempt -- common.php locale (bleeding-web.rules)
    2003683 - BLEEDING-EDGE WEB PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS[tcore] (bleeding-web.rules)
    2003684 - BLEEDING-EDGE WEB MXBB Remote Inclusion Attempt -- faq.php module_root_path (bleeding-web.rules)
    2003685 - BLEEDING-EDGE WEB Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH (bleeding-web.rules)
    2003686 - BLEEDING-EDGE WEB Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH (bleeding-web.rules)
    2003687 - BLEEDING-EDGE WEB TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path (bleeding-web.rules)
    2003688 - BLEEDING-EDGE WEB TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path (bleeding-web.rules)
    2003689 - BLEEDING-EDGE WEB TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path (bleeding-web.rules)
    2003690 - BLEEDING-EDGE WEB Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT (bleeding-web.rules)
    2003691 - BLEEDING-EDGE WEB Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg[sys][base_path] (bleeding-web.rules)
    2003692 - BLEEDING-EDGE WEB VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR (bleeding-web.rules)
    2003693 - BLEEDING-EDGE WEB PHPtree Remote Inclusion Attempt -- cms2.php s_dir (bleeding-web.rules)
    2003694 - BLEEDING-EDGE WEB NoAH Remote Inclusion Attempt -- mfa_theme.php tpls (bleeding-web.rules)
    2003696 - BLEEDING-EDGE WEB Wikivi5 Remote Inclusion Attempt -- show.php sous_rep (bleeding-web.rules)
    2003698 - BLEEDING-EDGE WEB pfa CMS Remote Inclusion index.php abs_path (bleeding-web.rules)
    2003699 - BLEEDING-EDGE WEB pfa CMS Remote Inclusion checkout.php abs_path (bleeding-web.rules)
    2003700 - BLEEDING-EDGE WEB pfa CMS Remote Inclusion libsecure.php abs_path (bleeding-web.rules)
    2003701 - BLEEDING-EDGE WEB pfa CMS Remote Inclusion index.php repinc (bleeding-web.rules)
    2003702 - BLEEDING-EDGE WEB Pixaria Gallery Remote Inclusion class.Smarty.php cfg[sys][base_path] (bleeding-web.rules)
    2003703 - BLEEDING-EDGE WEB phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS[CHEMINMODULES] (bleeding-web.rules)
    2003704 - BLEEDING-EDGE WEB AForum Remote Inclusion func.php CommonAbsDir (bleeding-web.rules)
    2003705 - BLEEDING-EDGE WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe (bleeding-web.rules)
    2003706 - BLEEDING-EDGE WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot (bleeding-web.rules)
    2003707 - BLEEDING-EDGE WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot (bleeding-web.rules)
    2003708 - BLEEDING-EDGE WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot (bleeding-web.rules)
    2003709 - BLEEDING-EDGE WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot (bleeding-web.rules)
    2003710 - BLEEDING-EDGE WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot (bleeding-web.rules)
    2003711 - BLEEDING-EDGE WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot (bleeding-web.rules)
    2003712 - BLEEDING-EDGE WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot (bleeding-web.rules)
    2003713 - BLEEDING-EDGE WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot (bleeding-web.rules)
    2003714 - BLEEDING-EDGE WEB TellTarget CMS Remote Inclusion lay.php tt_docroot (bleeding-web.rules)
    2003715 - BLEEDING-EDGE WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot (bleeding-web.rules)
    2003716 - BLEEDING-EDGE WEB LaVague Remote Inclusion Attempt -- printbar.php views_path (bleeding-web.rules)
    2003717 - BLEEDING-EDGE WEB miplex2 Remote Inclusion SmartyFU.class.php system (bleeding-web.rules)
    2003718 - BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- lom.php ETCDIR (bleeding-web.rules)
    2003719 - BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR (bleeding-web.rules)
    2003720 - BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR (bleeding-web.rules)
    2003721 - BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR (bleeding-web.rules)
    2003722 - BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- logout.php ETCDIR (bleeding-web.rules)
    2003723 - BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- help.php ETCDIR (bleeding-web.rules)
    2003724 - BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- index.php ETCDIR (bleeding-web.rules)
    2003725 - BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- login.php ETCDIR (bleeding-web.rules)
    2003726 - BLEEDING-EDGE WEB CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX (bleeding-web.rules)
    2003727 - BLEEDING-EDGE WEB CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX (bleeding-web.rules)
    2003728 - BLEEDING-EDGE WEB CGX Remote Inclusion Attempt -- logingecon.php pathCGX (bleeding-web.rules)
    2003729 - BLEEDING-EDGE WEB CGX Remote Inclusion Attempt -- login.php pathCGX (bleeding-web.rules)
    2003730 - BLEEDING-EDGE WEB PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib (bleeding-web.rules)
    2003731 - BLEEDING-EDGE WEB PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local (bleeding-web.rules)
    2003732 - BLEEDING-EDGE WEB PHPLojaFacil Remote Inclusion Attempt -- db.php path_local (bleeding-web.rules)
    2003733 - BLEEDING-EDGE WEB PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local (bleeding-web.rules)
    2003735 - BLEEDING-EDGE WEB PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH (bleeding-web.rules)
    2003736 - BLEEDING-EDGE WEB AForum Remote Inclusion Attempt -- errormsg.php header (bleeding-web.rules)
    2003737 - BLEEDING-EDGE WEB CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir (bleeding-web.rules)
    2003738 - BLEEDING-EDGE WEB Beacon Remote Inclusion Attempt -- splash.lang.php languagePath (bleeding-web.rules)
    2003739 - BLEEDING-EDGE WEB Yaap Remote Inclusion Attempt -- common.php root_path (bleeding-web.rules)
    2003740 - BLEEDING-EDGE WEB PHPFirstPost Remote Inclusion Attempt block.php Include (bleeding-web.rules)
    2003741 - BLEEDING-EDGE WEB Open Translation Engine Remote Inclusion Attempt -- header.php ote_home (bleeding-web.rules)
    2003742 - BLEEDING-EDGE WEB PHPChess Remote Inclusion Attempt -- language.php config (bleeding-web.rules)
    2003743 - BLEEDING-EDGE WEB PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path (bleeding-web.rules)
    2003744 - BLEEDING-EDGE WEB PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path (bleeding-web.rules)
    2003745 - BLEEDING-EDGE WEB PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path (bleeding-web.rules)
    2003746 - BLEEDING-EDGE WEB Simple PHP Script Gallery Remote Inclusion index.php gallery (bleeding-web.rules)
    2003747 - BLEEDING-EDGE WEB gnuedu Remote Inclusion Attempt -- lom.php ETCDIR (bleeding-web.rules)

[///] Modified active rules: [///]

    2003302 - BLEEDING-EDGE TROJAN psyBNC IRC Server Connection (bleeding-virus.rules)
    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-E
DGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Removed rules: [---]

    2003633 - BLEEDING-EDGE CURRENT EVENTS Traffic with a window of 55808 - Unknown likely hostile scanning - Please report hits to Bleeding Edge or ISC (bleeding.rules)
    2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
         # VERSION 186
    -> Added to bleeding-drop.rules (1):
         # VERSION 186
    -> Added to bleeding-sid-msg.map (87):
         0000000 || BLEEDING-EDGE WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot || url,www.milw0rm.com/exploits/3885 || cve,CVE-2007-2597
         2003638 || BLEEDING-EDGE VIRUS AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)
         2003660 || BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt - Headerfile.php System || url,www.milw0rm.com/exploits/3853 || cve,CVE-2007-2545
         2003661 || BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- latest_files.php System || url,www.milw0rm.com/exploits/3853 || cve,CVE-2007-2545
         2003662 || BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- latest_posts.php System || url,www.milw0rm.com/exploits/3853 || cve,CVE-2007-2545
         2003663 || BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System || url,www.milw0rm.com/exploits/3853 || cve,CVE-2007-2545
         2003664 || BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System || url,www.milw0rm.com/exploits/3853 || cve,CVE-2007-2545
         2003665 || BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- links.php System || url,www.milw0rm.com/exploits/3853 || cve,CVE-2007-2545
         2003666 || BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System || url,www.milw0rm.com/exploits/3853 || cve,CVE-2007-2545
         2003667 || BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- latest_news.php System || url,www.milw0rm.com/exploits/3853 || cve,CVE-2007-2545
         2003668 || BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System || url,www.milw0rm.com/exploits/3853 || cve,CVE-2007-2545
         2003669 || BLEEDING-EDGE WEB TopTree Remote Inclusion Attempt -- tpl_message.php right_file || url,www.milw0rm.com/exploits/3854 || cve,CVE-2007-2544
         2003670 || BLEEDING-EDGE WEB Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path || url,www.milw0rm.com/exploits/3848 || cve,CVE-2007-2542
         2003671 || BLEEDING-EDGE WEB Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo || url,www.milw0rm.com/exploits/3847 || cve,CVE-2007-2541
         2003672 || BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt -- mod_image_index.php config[pathMod] || url,www.milw0rm.com/exploits/3852 || cve,CVE-2007-2540
         2003673 || BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt -- mod_liens_index.php config[pathMod] || url,www.milw0rm.com/exploits/3852 || cve,CVE-2007-2540
         2003674 || BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt -- mod_liste_index.php config[pathMod] || url,www.milw0rm.com/exploits/3852 || cve,CVE-2007-2540
         2003675 || BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt -- mod_special_index.php config[pathMod] || url,www.milw0rm.com/exploits/3852 || cve,CVE-2007-2540
         2003676 || BLEEDING-EDGE WEB PMECMS Remote Inclusion Attempt -- mod_texte_index.php config[pathMod] || url,www.milw0rm.com/exploits/3852 || cve,CVE-2007-2540
         2003677 || BLEEDING-EDGE WEB Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot || url,www.milw0rm.com/exploits/3869 || cve,CVE-2007-2531
         2003678 || BLEEDING-EDGE WEB Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH || url,www.milw0rm.com/exploits/3865 || cve,CVE-2007-2530
         2003679 || BLEEDING-EDGE WEB DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir || url,milw0rm.com/exploits/3868 || cve,CVE-2007-2527
         2003680 || BLEEDING-EDGE WEB DynamicPAD Remote Inclusion Attempt -- index.php HomeDir || url,milw0rm.com/exploits/3868 || cve,CVE-2007-2527
         2003681 || BLEEDING-EDGE WEB Persism CMS Remote Inclusion Attempt -- users_headerfile.php System || url,www.milw0rm.com/exploits/3853 || cve,CVE-2007-2545
         2003682 || BLEEDING-EDGE WEB E-Gads Remote Inclusion Attempt -- common.php locale || url,www.milw0rm.com/exploits/3846 || cve,CVE-2007-2521
         2003683 || BLEEDING-EDGE WEB PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS[tcore] || url,www.securityfocus.com/bid/23580 || cve,CVE-2007-2504
         2003684 || BLEEDING-EDGE WEB MXBB Remote Inclusion Attempt -- faq.php module_root_path || url,www.milw0rm.c