From bleeding at bleedingthreats.net Wed Nov 1 01:00:09 2006 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Wed Nov 1 01:00:42 2006 Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes Message-ID: <20061101010009.1D7315502A3@gort.offsitefilter.com> [***] Results from Oinkmaster started Tue Oct 31 20:00:09 2006 [***] [+++] Added rules: [+++] 2003157 - BLEEDING-EDGE TROJAN Agobot-SDBot Commands (bleeding-virus.rules) [///] Modified active rules: [///] 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules) 2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules) 2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING 
SOURCE (bleeding-botcc-BLOCK.rules) 2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [---] Removed rules: [---] 2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules) 2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-sid-msg.map (1): 2003157 || BLEEDING-EDGE TROJAN Agobot-SDBot Commands -> Added to bleeding-virus.rules (1): #agobot, sdbot stuff, from JB [---] Removed non-rule lines: [---] -> Removed from bleeding-sid-msg.map (2): 2410009 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org 2411009 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org From bleeding at bleedingthreats.net Thu Nov 2 01:00:09 2006 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Thu Nov 2 01:00:33 2006 Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes Message-ID: <20061102010009.E433955026A@gort.offsitefilter.com> [***] Results from Oinkmaster started Wed Nov 1 20:00:09 2006 [***] [+++] Added rules: [+++] 2003158 - BLEEDING-EDGE EXPLOIT Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID (bleeding-exploit.rules) 2003159 - BLEEDING-EDGE EXPLOIT Microsoft VsmIDE.DTE object call CSLID (bleeding-exploit.rules) 2003160 - BLEEDING-EDGE EXPLOIT Microsoft DExplore.AppObj.8.0 object call CSLID (bleeding-exploit.rules) 2003161 - BLEEDING-EDGE EXPLOIT Microsoft VisualStudio.DTE.8.0 object call CSLID (bleeding-exploit.rules) 2003162 - 
BLEEDING-EDGE EXPLOIT Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID (bleeding-exploit.rules) 2003163 - BLEEDING-EDGE EXPLOIT Microsoft VsaIDE.DTE object call CSLID (bleeding-exploit.rules) 2003164 - BLEEDING-EDGE EXPLOIT Microsoft Business Object Factory object call CSLID (bleeding-exploit.rules) 2003165 - BLEEDING-EDGE EXPLOIT Microsoft Outlook Data Object object call CSLID (bleeding-exploit.rules) 2003166 - BLEEDING-EDGE EXPLOIT Microsoft Outlook.Application object call CSLID (bleeding-exploit.rules) 2003167 - BLEEDING-EDGE tikiwiki featured link XSS attempt (bleeding-web.rules) [///] Modified active rules: [///] 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules) 2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules) 2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411003 - BLEEDING-EDGE DROP Known Bot C&C 
Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-exploit.rules (1): # Submitted 2006-11-01 by Frank Knobbe -> Added to bleeding-sid-msg.map (10): 2003158 || BLEEDING-EDGE EXPLOIT Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID || cve,2006-4704 || url,secunia.com/advisories/22603 || url,www.securityfocus.com/bid/20843 2003159 || BLEEDING-EDGE EXPLOIT Microsoft VsmIDE.DTE object call CSLID 2003160 || BLEEDING-EDGE EXPLOIT Microsoft DExplore.AppObj.8.0 object call CSLID 2003161 || BLEEDING-EDGE EXPLOIT Microsoft VisualStudio.DTE.8.0 object call CSLID 2003162 || BLEEDING-EDGE EXPLOIT Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID 2003163 || BLEEDING-EDGE EXPLOIT Microsoft VsaIDE.DTE object call CSLID 2003164 || BLEEDING-EDGE EXPLOIT Microsoft Business Object Factory object call CSLID 2003165 || BLEEDING-EDGE EXPLOIT Microsoft Outlook Data Object object call CSLID 2003166 || BLEEDING-EDGE EXPLOIT Microsoft Outlook.Application object call CSLID 2003167 || BLEEDING-EDGE tikiwiki featured link XSS attempt || url,www.securityfocus.com/archive/1/450268/30/0 -> Added to bleeding-web.rules (1): # Submitted 2006-11-01 by Victor Julien as sighted on Bugtraq From jonkman at bleedingthreats.net Sat Nov 4 00:12:18 2006 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Sat Nov 4 00:19:23 2006 Subject: [Bleeding-sigs] Winamp Sig Message-ID: 
<454BDAE2.8030902@bleedingthreats.net> Interesting new one: #by Andrew Wood alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Winamp Streaming User Agent"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinampMPEG/i"; classtype:policy-violation; sid: 2003168; rev:1;) Posting now -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 http://www.bleedingthreats.com -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc From bleeding at bleedingthreats.net Sat Nov 4 01:00:08 2006 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Sat Nov 4 01:07:50 2006 Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes Message-ID: <20061104010008.DB1715502A1@gort.offsitefilter.com> [***] Results from Oinkmaster started Fri Nov 3 20:00:08 2006 [***] [+++] Added rules: [+++] 2003168 - BLEEDING-EDGE POLICY Winamp Streaming User Agent (bleeding-policy.rules) [///] Modified active rules: [///] 2003167 - BLEEDING-EDGE WEB tikiwiki featured link XSS attempt (bleeding-web.rules) 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2410007 - 
BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules) 2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules) 2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-policy.rules (1): #by Andrew Wood -> Added to bleeding-sid-msg.map (2): 2003167 || BLEEDING-EDGE WEB tikiwiki featured link XSS attempt || url,www.securityfocus.com/archive/1/450268/30/0 2003168 || BLEEDING-EDGE POLICY Winamp Streaming User Agent [---] Removed non-rule lines: [---] -> Removed from bleeding-sid-msg.map (1): 2003167 || BLEEDING-EDGE tikiwiki featured link XSS attempt || url,www.securityfocus.com/archive/1/450268/30/0 From jonkman at bleedingthreats.net Mon Nov 6 17:24:07 2006 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Mon Nov 6 17:24:44 2006 Subject: [Bleeding-sigs] MS XMLHTTPD Sig Message-ID: <454F6FB7.8080302@bleedingthreats.net> Till we get more info, a sig for the clsid is posted. 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Microsoft XMLHTTPD CLSID in use - Possible Attack"; flow:from_server,established; content:"CLSID"; nocase; content:"88d969c5-f192-11d4-a65f-0040963251e5"; nocase; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2006/4334; reference:url,www.microsoft.com/technet/security/advisory/927892.mspx; sid:2003168; rev:1;) If anyone gets a hold of an exploit or hostile site please let us know so we can make a real sig. This will do for the time being though. NOTE: It is not looking for any exploit, etc. Just the vulnerable clsid. Matt -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc From bleeding at bleedingthreats.net Tue Nov 7 01:00:09 2006 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Tue Nov 7 01:32:26 2006 Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes Message-ID: <20061107010009.4F33A5502A1@gort.offsitefilter.com> [***] Results from Oinkmaster started Mon Nov 6 20:00:09 2006 [***] [+++] Added rules: [+++] 2003169 - BLEEDING-EDGE CURRENT EVENTS Microsoft XMLHTTPD CLSID in use - Possible Attack (bleeding.rules) [///] Modified active rules: [///] 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic 
(group 5) (bleeding-botcc.rules) 2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules) 2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules) 2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [---] Removed rules: [---] 2003123 - BLEEDING-EDGE POLICY SMTP traffic on port 25 (mail from) (bleeding-policy.rules) 2003124 - BLEEDING-EDGE POLICY SMTP traffic on port 25 (rcpt to) (bleeding-policy.rules) 2003125 - BLEEDING-EDGE POLICY SSL/TLS traffic on port 25 (01) (bleeding-policy.rules) 2003126 - BLEEDING-EDGE POLICY NON-SMTP and NON-SSL/TLS traffic on port 25 (bleeding-policy.rules) 2003127 - BLEEDING-EDGE POLICY SSL/TLS traffic on port 25 (00) (bleeding-policy.rules) 2003128 - BLEEDING-EDGE POLICY SMTP traffic on port 25 (ehlo) (bleeding-policy.rules) 2003129 - BLEEDING-EDGE POLICY SMTP traffic on port 25 
(starttls) (bleeding-policy.rules) 2003130 - BLEEDING-EDGE POLICY SMTP traffic on port 25 (helo) (bleeding-policy.rules) 2003131 - BLEEDING-EDGE POLICY SMTP traffic on port 25 (authsmtp) (bleeding-policy.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-sid-msg.map (1): 2003169 || BLEEDING-EDGE CURRENT EVENTS Microsoft XMLHTTPD CLSID in use - Possible Attack || url,www.microsoft.com/technet/security/advisory/927892.mspx || url,www.frsirt.com/english/advisories/2006/4334 -> Added to bleeding.rules (2): #may not last long, so putting this in current events until more information and a better sig is available. #matt Jonkman [---] Removed non-rule lines: [---] -> Removed from bleeding-policy.rules (1): #intention is to catch traffic on port 25 that is NOT smtp or ssl/tls. -> Removed from bleeding-sid-msg.map (9): 2003123 || BLEEDING-EDGE POLICY SMTP traffic on port 25 (mail from) 2003124 || BLEEDING-EDGE POLICY SMTP traffic on port 25 (rcpt to) 2003125 || BLEEDING-EDGE POLICY SSL/TLS traffic on port 25 (01) 2003126 || BLEEDING-EDGE POLICY NON-SMTP and NON-SSL/TLS traffic on port 25 2003127 || BLEEDING-EDGE POLICY SSL/TLS traffic on port 25 (00) 2003128 || BLEEDING-EDGE POLICY SMTP traffic on port 25 (ehlo) 2003129 || BLEEDING-EDGE POLICY SMTP traffic on port 25 (starttls) 2003130 || BLEEDING-EDGE POLICY SMTP traffic on port 25 (helo) 2003131 || BLEEDING-EDGE POLICY SMTP traffic on port 25 (authsmtp) From bleeding at bleedingthreats.net Wed Nov 8 01:00:08 2006 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Wed Nov 8 01:00:42 2006 Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes Message-ID: <20061108010008.5B5425502A1@gort.offsitefilter.com> [***] Results from Oinkmaster started Tue Nov 7 20:00:08 2006 [***] [+++] Added rules: [+++] 2003170 - BLEEDING-EDGE MALWARE Zango Spyware Activity (bleeding-malware.rules) 2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules) 2411009 - 
BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [///] Modified active rules: [///] 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules) 2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules) 2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 
2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-malware.rules (1): #New zango url -> Added to bleeding-sid-msg.map (3): 2003170 || BLEEDING-EDGE MALWARE Zango Spyware Activity || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html 2410009 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org 2411009 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org From scheidell at secnap.net Wed Nov 8 14:12:35 2006 From: scheidell at secnap.net (Michael Scheidell) Date: Wed Nov 8 14:43:01 2006 Subject: [Bleeding-sigs] aol on C & C BOTNET? In-Reply-To: <454F6FB7.8080302@bleedingthreats.net> References: <454F6FB7.8080302@bleedingthreats.net> Message-ID: <4551E5D3.60307@secnap.net> redirect-v01.blue.aol.com BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) {TCP} 192.168.168.76:1991 -> 205.188.251.120:80 someone hacked aol? or mistake? -- Michael Scheidell, CTO SECNAP Network Security / www.secnap.com scheidell@secnap.net / 1+561-999-5000, x 1131 From jonkman at bleedingthreats.net Wed Nov 8 14:57:15 2006 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Wed Nov 8 14:57:54 2006 Subject: [Bleeding-sigs] aol on C & C BOTNET? In-Reply-To: <4551E5D3.60307@secnap.net> References: <454F6FB7.8080302@bleedingthreats.net> <4551E5D3.60307@secnap.net> Message-ID: <4551F04B.7000008@bleedingthreats.net> I would have to assume it's a residential assignment of theirs. The entry in the C&C is 205.188.251.120:80. Andre, you know anything more about this host? Matt Michael Scheidell wrote: > redirect-v01.blue.aol.com > > BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) {TCP} > 192.168.168.76:1991 -> 205.188.251.120:80 > > someone hacked aol? or mistake? 
> > -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc From jonkman at bleedingthreats.net Wed Nov 8 14:57:41 2006 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Wed Nov 8 14:58:11 2006 Subject: [Bleeding-sigs] aol on C & C BOTNET? In-Reply-To: <4551E5D3.60307@secnap.net> References: <454F6FB7.8080302@bleedingthreats.net> <4551E5D3.60307@secnap.net> Message-ID: <4551F065.4030305@bleedingthreats.net> BTW: You know what tripped the traffic to there? Matt Michael Scheidell wrote: > redirect-v01.blue.aol.com > > BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) {TCP} > 192.168.168.76:1991 -> 205.188.251.120:80 > > someone hacked aol? or mistake? > > -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc From scheidell at secnap.net Wed Nov 8 15:46:27 2006 From: scheidell at secnap.net (Michael Scheidell) Date: Wed Nov 8 15:48:01 2006 Subject: [Bleeding-sigs] aol on C & C BOTNET? Message-ID: > -----Original Message----- > From: Matt Jonkman [mailto:jonkman@bleedingthreats.net] > Sent: Wednesday, November 08, 2006 9:57 AM > To: Andre' M. Di Mino > Cc: Bleeding Sigs; Michael Scheidell > Subject: Re: [Bleeding-sigs] aol on C & C BOTNET? > > I would have to assume it's a residential assignment of theirs. > > The entry in the C&C is 205.188.251.120:80. Rdns says: redirect-v01.blue.aol.com From sempersecurus at gmail.com Wed Nov 8 15:55:18 2006 From: sempersecurus at gmail.com (Andre' - SemperSecurus) Date: Wed Nov 8 15:56:55 2006 Subject: [Bleeding-sigs] aol on C & C BOTNET? 
In-Reply-To: <4551F04B.7000008@bleedingthreats.net> References: <454F6FB7.8080302@bleedingthreats.net> <4551E5D3.60307@secnap.net> <4551F04B.7000008@bleedingthreats.net> Message-ID: <53b7021b0611080755g152eaf6pefcf25ea5fc0c712@mail.gmail.com> It looks to be a false positive via a submittal apart from our honeypots. We're tweaking our verification process for these submittals. Sorry for the confusion.. Andre' -- Andre' M. Di Mino - SemperSecurus The Shadowserver Foundation http://www.shadowserver.org On 11/8/06, Matt Jonkman wrote: > I would have to assume it's a residential assignment of theirs. > > The entry in the C&C is 205.188.251.120:80. > > Andre, you know anything more about this host? > > Matt > > Michael Scheidell wrote: > > redirect-v01.blue.aol.com > > > > BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) {TCP} > > 192.168.168.76:1991 -> 205.188.251.120:80 > > > > someone hacked aol? or mistake? > > > > > > > -- > -------------------------------------------- > Matthew Jonkman > Bleeding Edge Threats > 765-429-0398 > http://www.bleedingthreats.net > -------------------------------------------- > > PGP: http://www.bleedingthreats.com/mattjonkman.asc > > > > _______________________________________________ > Bleeding-sigs mailing list > Bleeding-sigs@bleedingthreats.net > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs > From scheidell at secnap.net Wed Nov 8 15:55:37 2006 From: scheidell at secnap.net (Michael Scheidell) Date: Wed Nov 8 15:57:13 2006 Subject: [Bleeding-sigs] aol on C & C BOTNET? Message-ID: Not sure, client has not returned call yet. Here is packet. 
------------------------------------------------------------------------ ------ #(1 - 133066) [2006-11-02 19:36:36] [url/www.shadowserver.org] [snort/2410006] BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) IPv4: 192.168.168.76 -> 205.188.251.120 hlen=5 TOS=0 dlen=40 ID=22897 flags=2 offset=0 TTL=128 chksum=28468 TCP: port=1336 -> dport: 80 flags=***A**** seq=3393484300 ack=3093781834 off=5 res=0 win=65472 urp=0 chksum=8798 Payload: none ------------------------------------------------------------------------ ------ #(1 - 141432) [2006-11-08 14:09:05] [url/www.shadowserver.org] [snort/2410006] BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) IPv4: 192.168.168.76 -> 205.188.251.120 hlen=5 TOS=0 dlen=40 ID=4730 flags=2 offset=0 TTL=128 chksum=46635 TCP: port=1991 -> dport: 80 flags=***A**** seq=1583444056 ack=352330570 off=5 res=0 win=65472 urp=0 chksum=28366 Payload: none > -----Original Message----- > From: bleeding-sigs-bounces@bleedingthreats.net > [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf > Of Matt Jonkman > Sent: Wednesday, November 08, 2006 9:58 AM > To: Bleeding Sigs > Subject: Re: [Bleeding-sigs] aol on C & C BOTNET? > > BTW: You know what tripped the traffic to there? > > Matt > > Michael Scheidell wrote: > > redirect-v01.blue.aol.com > > > > BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) {TCP} > > 192.168.168.76:1991 -> 205.188.251.120:80 > > > > someone hacked aol? or mistake? 
> > > > > > > -- > -------------------------------------------- > Matthew Jonkman > Bleeding Edge Threats > 765-429-0398 > http://www.bleedingthreats.net > -------------------------------------------- > > PGP: http://www.bleedingthreats.com/mattjonkman.asc > > > > _______________________________________________ > Bleeding-sigs mailing list > Bleeding-sigs@bleedingthreats.net > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/blee > ding-sigs > > > From scheidell at secnap.net Wed Nov 8 17:07:01 2006 From: scheidell at secnap.net (Michael Scheidell) Date: Wed Nov 8 17:08:42 2006 Subject: [Bleeding-sigs] aol on C & C BOTNET? In-Reply-To: <53b7021b0611080755g152eaf6pefcf25ea5fc0c712@mail.gmail.com> References: <454F6FB7.8080302@bleedingthreats.net> <4551E5D3.60307@secnap.net> <4551F04B.7000008@bleedingthreats.net> <53b7021b0611080755g152eaf6pefcf25ea5fc0c712@mail.gmail.com> Message-ID: <45520EB5.6090605@secnap.net> Andre' - SemperSecurus wrote: > It looks to be a false positive via a submittal apart from our > honeypots. We're tweaking our verification process for these > submittals. > > Sorry for the confusion.. > > Andre' > > no problem, as the saying goes: all of us together are smarter than one of us alone! Thanks for the work! -- Michael Scheidell, CTO SECNAP Network Security / www.secnap.com scheidell@secnap.net / 1+561-999-5000, x 1131 From jonkman at bleedingthreats.net Wed Nov 8 17:23:20 2006 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Wed Nov 8 17:25:18 2006 Subject: [Bleeding-sigs] aol on C & C BOTNET? In-Reply-To: <53b7021b0611080755g152eaf6pefcf25ea5fc0c712@mail.gmail.com> References: <454F6FB7.8080302@bleedingthreats.net> <4551E5D3.60307@secnap.net> <4551F04B.7000008@bleedingthreats.net> <53b7021b0611080755g152eaf6pefcf25ea5fc0c712@mail.gmail.com> Message-ID: <45521288.5040601@bleedingthreats.net> Ahh, no problem. I'll update the rulesets now for anyone that wants to update. Thanks Andre! 
By the way, how would you prefer we report any possible issues? Email to you, or do you have a set of handlers we could email? THanks for the work you guys are doing!!!! Matt Andre' - SemperSecurus wrote: > It looks to be a false positive via a submittal apart from our > honeypots. We're tweaking our verification process for these > submittals. > > Sorry for the confusion.. > > Andre' > > -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc From sempersecurus at gmail.com Wed Nov 8 21:04:28 2006 From: sempersecurus at gmail.com (Andre' - SemperSecurus) Date: Wed Nov 8 21:05:00 2006 Subject: [Bleeding-sigs] aol on C & C BOTNET? In-Reply-To: <45521288.5040601@bleedingthreats.net> References: <454F6FB7.8080302@bleedingthreats.net> <4551E5D3.60307@secnap.net> <4551F04B.7000008@bleedingthreats.net> <53b7021b0611080755g152eaf6pefcf25ea5fc0c712@mail.gmail.com> <45521288.5040601@bleedingthreats.net> Message-ID: <53b7021b0611081304v39b4dc66ga8cbc22df11a684d@mail.gmail.com> Thanks guys.. much appreciated. We work well *together* ! In the future, you can send any such issues to shadowops@shadowserver.org We'll then route it appropriately. Tx again. Andre' -- Andre' M. Di Mino - SemperSecurus The Shadowserver Foundation http://www.shadowserver.org On 11/8/06, Matt Jonkman wrote: > Ahh, no problem. I'll update the rulesets now for anyone that wants to > update. > > Thanks Andre! > > By the way, how would you prefer we report any possible issues? Email to > you, or do you have a set of handlers we could email? > > THanks for the work you guys are doing!!!! > > Matt > > Andre' - SemperSecurus wrote: > > It looks to be a false positive via a submittal apart from our > > honeypots. We're tweaking our verification process for these > > submittals. > > > > Sorry for the confusion.. 
> >
> > Andre'
> >
>
> --
> --------------------------------------------
> Matthew Jonkman
> Bleeding Edge Threats
> 765-429-0398
> http://www.bleedingthreats.net
> --------------------------------------------
>
> PGP: http://www.bleedingthreats.com/mattjonkman.asc
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>

From bleeding at bleedingthreats.net Thu Nov 9 01:00:09 2006
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Thu Nov 9 01:00:40 2006
Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes
Message-ID: <20061109010009.570D655026A@gort.offsitefilter.com>

[***] Results from Oinkmaster started Wed Nov 8 20:00:09 2006 [***]

[///] Modified active rules: [///]

    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
    2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
    2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
    2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
    # VERSION 2055
    -> Added to bleeding-drop.rules (1):
    # VERSION 2055

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
    # VERSION 2054
    -> Removed from bleeding-drop.rules (1):
    # VERSION 2054

From jscheidell at secnap.net Thu Nov 9 16:13:34 2006
From: jscheidell at secnap.net (Jonathan Scheidell)
Date: Thu Nov 9 16:31:23 2006
Subject: [Bleeding-sigs] New Sig to detect Network-Services-Auditor
Message-ID:

This sig should detect the use of Network-Services-Auditor (NSA). This
is used by at least IBM for their vulnerability assessments.

Payload for reference:

000 : 47 45 54 20 2F 62 69 6E 2F 73 69 74 65 55 73 65 GET /bin/siteUse
010 : 72 4D 6F 64 2E 63 67 69 20 48 54 54 50 2F 31 2E rMod.cgi HTTP/1.
020 : 30 0D 0A 48 6F 73 74 3A 20 31 37 30 2E 32 32 34 0..Host: 170.224
030 : 2E 31 30 33 2E 31 34 36 3A 38 30 0D 0A 55 73 65 .103.146:80..Use
040 : 72 2D 41 67 65 6E 74 3A 20 4E 65 74 77 6F 72 6B r-Agent: Network
050 : 2D 53 65 72 76 69 63 65 73 2D 41 75 64 69 74 6F -Services-Audito
060 : 72 2F 31 2E 34 0D 0A 41 63 63 65 70 74 3A 20 2A r/1.4..Accept: *
070 : 2F 2A 0D 0A 58 2D 4E 53 41 2D 4C 69 63 65 6E 73 /*..X-NSA-Licens
080 : 65 3A 20 30 62 31 38 33 64 37 38 33 64 37 64 38 e: 0b183d783d7d8
090 : 64 38 63 62 31 38 34 32 63 32 39 37 32 32 39 31 d8cb1842c2972291
0a0 : 32 38 30 66 32 62 37 31 61 32 37 31 32 32 31 65 280f2b71a271221e
0b0 : 63 33 61 30 38 63 63 30 34 63 39 34 63 35 36 37 c3a08cc04c94c567
0c0 : 33 61 39 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 3a9..Connection:
0d0 : 20 63 6C 6F 73 65 0D 0A 43 6F 6E 74 65 6E 74 2D close..Content-
0e0 : 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 0D Type: text/html.
0f0 : 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A .Content-Length:
100 : 20 34 32 0D 0A 0D 0A 63 6F 6D 6D 61 6E 64 3D 58 42....command=X
110 : 26 74 79 70 65 3D 22 3B 63 61 74 20 2F 65 74 63 &type=";cat /etc
120 : 2F 70 61 73 73 77 64 3B 22 26 43 68 65 63 6B 3D /passwd;"&Check=
130 : 58 X

Sig:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE SCAN NSA User Agent"; flow: established,to_server; content:"User-Agent\:"; depth:300; nocase; pcre:"/User-Agent\:[^\n]+Network-Services-Auditor/i"; threshold: type limit, track by_src,count 1, seconds 60; reference:url,ftp.inf.utfsm.cl/pub/Docs/IBM/Tivoli/pdfs/sg246021.pdf; classtype: attempted-recon; sid:2002***; rev:1;)

It's basically ripped off from Bob Grabowsky's Nessus detection sig.

--
Jon Scheidell
Security Engineer
Secnap Network Security
(561) 999-5000 x:4110
www.secnap.com

From jonkman at bleedingthreats.net Thu Nov 9 17:01:47 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Nov 9 17:36:51 2006
Subject: [Bleeding-sigs] New Sig to detect Network-Services-Auditor
In-Reply-To:
References:
Message-ID: <45535EFB.9010609@bleedingthreats.net>

Nice... I like these sigs. Good for a sec group to give a clue as to
whether they're being pen tested or attacked. :)

I'll post asap, thanks for sending it in!

Matt

Jonathan Scheidell wrote:
> This sig should detect the use of Network-Services-Auditor (NSA). This
> is used by at least IBM for their vulnerability assessments.
>
> Payload for reference:
>
> 000 : 47 45 54 20 2F 62 69 6E 2F 73 69 74 65 55 73 65 GET /bin/siteUse
> 010 : 72 4D 6F 64 2E 63 67 69 20 48 54 54 50 2F 31 2E rMod.cgi HTTP/1.
> 020 : 30 0D 0A 48 6F 73 74 3A 20 31 37 30 2E 32 32 34 0..Host: 170.224
> 030 : 2E 31 30 33 2E 31 34 36 3A 38 30 0D 0A 55 73 65 .103.146:80..Use
> 040 : 72 2D 41 67 65 6E 74 3A 20 4E 65 74 77 6F 72 6B r-Agent: Network
> 050 : 2D 53 65 72 76 69 63 65 73 2D 41 75 64 69 74 6F -Services-Audito
> 060 : 72 2F 31 2E 34 0D 0A 41 63 63 65 70 74 3A 20 2A r/1.4..Accept: *
> 070 : 2F 2A 0D 0A 58 2D 4E 53 41 2D 4C 69 63 65 6E 73 /*..X-NSA-Licens
> 080 : 65 3A 20 30 62 31 38 33 64 37 38 33 64 37 64 38 e: 0b183d783d7d8
> 090 : 64 38 63 62 31 38 34 32 63 32 39 37 32 32 39 31 d8cb1842c2972291
> 0a0 : 32 38 30 66 32 62 37 31 61 32 37 31 32 32 31 65 280f2b71a271221e
> 0b0 : 63 33 61 30 38 63 63 30 34 63 39 34 63 35 36 37 c3a08cc04c94c567
> 0c0 : 33 61 39 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 3a9..Connection:
> 0d0 : 20 63 6C 6F 73 65 0D 0A 43 6F 6E 74 65 6E 74 2D close..Content-
> 0e0 : 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 0D Type: text/html.
> 0f0 : 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A .Content-Length:
> 100 : 20 34 32 0D 0A 0D 0A 63 6F 6D 6D 61 6E 64 3D 58 42....command=X
> 110 : 26 74 79 70 65 3D 22 3B 63 61 74 20 2F 65 74 63 &type=";cat /etc
> 120 : 2F 70 61 73 73 77 64 3B 22 26 43 68 65 63 6B 3D /passwd;"&Check=
> 130 : 58 X
>
> Sig:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:
> "BLEEDING-EDGE SCAN NSA User Agent"; flow: established,to_server;
> content:"User-Agent\:";
> depth:300; nocase; pcre:"/User-Agent\:[^\n]+Network-Services-Auditor/i";
> threshold: type limit, track by_src,count 1, seconds 60;
> reference:url,ftp.inf.utfsm.cl/pub/Docs/IBM/Tivoli/pdfs/sg246021.pdf;
> classtype: attempted-recon; sid:2002***; rev:1;)
>
> It's basically ripped off from Bob Grabowsky's Nessus detection sig.
>
> --
> Jon Scheidell
> Security Engineer
> Secnap Network Security
> (561) 999-5000 x:4110
> www.secnap.com
>

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
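A worked check of the Network-Services-Auditor signature posted above, added here as example code (not Jonathan's or Bleeding Edge's): it rebuilds the request from the posted hexdump, applies the rule's content and pcre tests, and models the threshold clause with a simplified stand-in for Snort's event filtering. The source addresses and timestamps in the sample traffic are constructed.

```python
"""Check the Network-Services-Auditor (NSA) scanner signature posted above.

Added example, not code from the list or from the rule's author. It decodes
the header rows of Jonathan's hexdump (the POST body is not needed for the
User-Agent test), applies the rule's content and pcre tests, and models the
"threshold: type limit, track by_src, count 1, seconds 60" clause with a
simplified stand-in for Snort's event filtering. Source addresses and
timestamps in the sample traffic are constructed.
"""
import re

# Header rows of the payload as posted, 16 bytes per row.
HEXDUMP_ROWS = """\
000 : 47 45 54 20 2F 62 69 6E 2F 73 69 74 65 55 73 65 GET /bin/siteUse
010 : 72 4D 6F 64 2E 63 67 69 20 48 54 54 50 2F 31 2E rMod.cgi HTTP/1.
020 : 30 0D 0A 48 6F 73 74 3A 20 31 37 30 2E 32 32 34 0..Host: 170.224
030 : 2E 31 30 33 2E 31 34 36 3A 38 30 0D 0A 55 73 65 .103.146:80..Use
040 : 72 2D 41 67 65 6E 74 3A 20 4E 65 74 77 6F 72 6B r-Agent: Network
050 : 2D 53 65 72 76 69 63 65 73 2D 41 75 64 69 74 6F -Services-Audito
060 : 72 2F 31 2E 34 0D 0A 41 63 63 65 70 74 3A 20 2A r/1.4..Accept: *
070 : 2F 2A 0D 0A 58 2D 4E 53 41 2D 4C 69 63 65 6E 73 /*..X-NSA-Licens
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from 'OFFSET : HH HH ... ASCII' rows.

    A row carries at most 16 byte tokens; the first token that is not exactly
    two hex digits starts the ASCII column, which is ignored.
    """
    out = bytearray()
    for line in dump.splitlines():
        if " : " not in line:
            continue
        _offset, rest = line.split(" : ", 1)
        for tok in rest.split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


# content:"User-Agent\:"; depth:300; nocase;
UA_CONTENT = re.compile(rb"User-Agent:", re.IGNORECASE)
CONTENT_DEPTH = 300
# pcre:"/User-Agent\:[^\n]+Network-Services-Auditor/i"
UA_PCRE = re.compile(rb"User-Agent:[^\n]+Network-Services-Auditor", re.IGNORECASE)


def rule_matches(payload):
    """Payload tests of the posted rule (flow:established,to_server not modelled)."""
    # depth:300 means the content match must lie within the first 300 bytes.
    if UA_CONTENT.search(payload[:CONTENT_DEPTH]) is None:
        return False
    # [^\n]+ keeps the product token on the same header line as User-Agent.
    return UA_PCRE.search(payload) is not None


class LimitThreshold:
    """Model of 'threshold: type limit, track by_src, count N, seconds S'.

    The first N matches from a source inside an S-second window alert; later
    matches from that source are suppressed until the window, which starts at
    the source's first match, has expired.
    """

    def __init__(self, count=1, seconds=60):
        self.count, self.seconds = count, seconds
        self._windows = {}  # src -> [window_start, alerts_in_window]

    def allow(self, src, now):
        win = self._windows.get(src)
        if win is None or now - win[0] >= self.seconds:
            self._windows[src] = [now, 1]
            return True
        if win[1] < self.count:
            win[1] += 1
            return True
        return False


def run_sensor(events, threshold):
    """Return the (time, src) pairs that would raise an alert."""
    return [(now, src) for now, src, payload in events
            if rule_matches(payload) and threshold.allow(src, now)]


NSA_REQUEST = hexdump_to_bytes(HEXDUMP_ROWS)
# Constructed traffic: one scanning host sends five requests; a browser on
# another host carries the product token in a different header (no alert).
BROWSER_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"User-Agent: Mozilla/5.0\r\nX-Tool: Network-Services-Auditor\r\n\r\n")
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", NSA_REQUEST),
    (1.0, "192.0.2.10", NSA_REQUEST),
    (3.0, "192.0.2.20", BROWSER_REQUEST),
    (59.0, "192.0.2.10", NSA_REQUEST),
    (61.0, "192.0.2.10", NSA_REQUEST),
]

if __name__ == "__main__":
    for alert in run_sensor(SAMPLE_EVENTS, LimitThreshold(count=1, seconds=60)):
        print("BLEEDING-EDGE SCAN NSA User Agent", alert)
```

With count 1 and a 60-second window the five scanner requests produce two alerts (at 0 s and 61 s); the browser request never fires because the pcre cannot cross the newline after the real User-Agent value.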
From bhartstein at demarc.com Thu Nov 9 22:28:14 2006
From: bhartstein at demarc.com (Blake Hartstein)
Date: Thu Nov 9 22:47:50 2006
Subject: [Bleeding-sigs] Rule Submit: P2P Manolito Search Query
Message-ID: <20061109222821.3AA41E11F@corp.demarc.com>

Blubster and other p2p software using the Manolito protocol consume a
lot of bandwidth using udp to query and respond to peer to peer requests
for file downloads and may indicate a policy violation.

Blubster also had a "User-Agent: Wise" which is already detected by 2002167

This rule detects when a search is being performed, either from your
network or to your network.

alert udp any any -> any 41170 (msg:"BLEEDING-EDGE P2P Manolito Search Query"; content:"|01 02 00|"; distance:16; depth:3; content:"FN"; distance:1; depth:2; classtype:policy-violation; reference:url,www.blubster.com; sid:2003???; rev:1; )

Please add this rule to our ruleset.

Thanks,
-Blake

From jonkman at bleedingthreats.net Fri Nov 10 00:38:43 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Fri Nov 10 00:39:15 2006
Subject: [Bleeding-sigs] Rule Submit: P2P Manolito Search Query
In-Reply-To: <20061109222821.3AA41E11F@corp.demarc.com>
References: <20061109222821.3AA41E11F@corp.demarc.com>
Message-ID: <4553CA13.9050707@bleedingthreats.net>

Got it! Thanks Blake

Posting now.

Matt

Blake Hartstein wrote:
> Blubster and other p2p software using the Manolito protocol consume a
> lot of bandwidth using udp to query and respond to peer to peer requests
> for file downloads and may indicate a policy violation.
>
> Blubster also had a
> "User-Agent: Wise" which is already detected by 2002167
>
> This rule detects when a search is being performed, either from your
> network or to your network.
>
> alert udp any any -> any 41170 (msg:"BLEEDING-EDGE P2P Manolito Search
> Query"; content:"|01 02 00|"; distance:16; depth:3; content:"FN";
> distance:1; depth:2; classtype:policy-violation;
> reference:url,www.blubster.com; sid:2003???; rev:1; )
>
> Please add this rule to our ruleset.
>
> Thanks,
> -Blake
>

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc

From bleeding at bleedingthreats.net Fri Nov 10 01:00:12 2006
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri Nov 10 01:01:52 2006
Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes
Message-ID: <20061110010012.6530A55026A@gort.offsitefilter.com>

[***] Results from Oinkmaster started Thu Nov 9 20:00:12 2006 [***]

[+++] Added rules: [+++]

    2003171 - BLEEDING-EDGE SCAN IBM NSA User Agent (bleeding-scan.rules)
    2003172 - BLEEDING-EDGE P2P Manolito Search Query (bleeding-p2p.rules)

[///] Modified active rules: [///]

    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
    2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
    2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
    2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-p2p.rules (1):
    #by Blake Hartstein
    -> Added to bleeding-scan.rules (1):
    #by Jonathan Scheidell
    -> Added to bleeding-sid-msg.map (2):
    2003171 || BLEEDING-EDGE SCAN IBM NSA User Agent || url,ftp.inf.utfsm.cl/pub/Docs/IBM/Tivoli/pdfs/sg246021.pdf
    2003172 || BLEEDING-EDGE P2P Manolito Search Query || url,www.blubster.com

From bleeding at bleedingthreats.net Sat Nov 11 01:00:10 2006
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Sat Nov 11 01:00:44 2006
Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes
Message-ID: <20061111010010.3E1E455026A@gort.offsitefilter.com>

[***] Results from Oinkmaster started Fri Nov 10 20:00:10 2006 [***]

[///] Modified active rules: [///]

    2001720 - BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with indexed color (bleeding-exploit.rules)
    2001721 - BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with too big PLTE (bleeding-exploit.rules)
    2001722 - BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with too big hIST (bleeding-exploit.rules)
    2001807 - BLEEDING-EDGE EXPLOIT CAN-2005-0399 Gif Vuln via http (bleeding-exploit.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
    2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
    2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[///] Modified inactive rules: [///]

    2001718 - BLEEDING-EDGE EXPLOIT CAN-2004-1244 PNG with bad width (bleeding-exploit.rules)
    2001719 - BLEEDING-EDGE EXPLOIT CAN-2004-1244 PNG with bad height (bleeding-exploit.rules)
    2001723 - BLEEDING-EDGE EXPLOIT ATmaCA PoC for CORE-2004-0819 - Bad PNG (bleeding-exploit.rules)

[---] Removed rules: [---]

    2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
    2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-sid-msg.map (6):
    2001718 || BLEEDING-EDGE EXPLOIT CAN-2004-1244 PNG with bad width || cve,2004-1214
    2001719 || BLEEDING-EDGE EXPLOIT CAN-2004-1244 PNG with bad height || cve,2004-1214
    2001720 || BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with indexed color || cve,2004-0597
    2001721 || BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with too big PLTE || cve,2004-0597
    2001722 || BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with too big hIST || cve,2004-0597
    2001807 || BLEEDING-EDGE EXPLOIT CAN-2005-0399 Gif Vuln via http || cve,2005-0399

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-sid-msg.map (8):
    2001718 || BLEEDING-EDGE EXPLOIT CAN-2004-1244 PNG with bad width
    2001719 || BLEEDING-EDGE EXPLOIT CAN-2004-1244 PNG with bad height
    2001720 || BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with indexed color
    2001721 || BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with too big PLTE
    2001722 || BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with too big hIST
    2001807 || BLEEDING-EDGE EXPLOIT CAN-2005-0399 Gif Vuln via http
    2410009 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org
    2411009 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org

From adimino at shadowserver.org Wed Nov 8 17:34:45 2006
From: adimino at shadowserver.org (Andre M. DiMino)
Date: Mon Nov 13 21:17:33 2006
Subject: [Bleeding-sigs] aol on C & C BOTNET?
In-Reply-To: <45521288.5040601@bleedingthreats.net>
References: <454F6FB7.8080302@bleedingthreats.net> <4551E5D3.60307@secnap.net> <4551F04B.7000008@bleedingthreats.net> <53b7021b0611080755g152eaf6pefcf25ea5fc0c712@mail.gmail.com> <45521288.5040601@bleedingthreats.net>
Message-ID: <45521535.70904@shadowserver.org>

Thanks guys.. much appreciated. We work well *together* !

You can send any such issues to shadowops@shadowserver.org
We'll then route it appropriately.

Tx again.

Andre' M. Di Mino - SemperSecurus
The Shadowserver Foundation
http://www.shadowserver.org

Matt Jonkman wrote:
> Ahh, no problem. I'll update the rulesets now for anyone that wants to
> update.
>
> Thanks Andre!
>
> By the way, how would you prefer we report any possible issues? Email to
> you, or do you have a set of handlers we could email?
>
> Thanks for the work you guys are doing!!!!
>
> Matt
>
> Andre' - SemperSecurus wrote:
>> It looks to be a false positive via a submittal apart from our
>> honeypots. We're tweaking our verification process for these
>> submittals.
>>
>> Sorry for the confusion..
>>
>> Andre'
>>
>

From swaugh at infotex.com Wed Nov 8 20:03:17 2006
From: swaugh at infotex.com (Sean Waugh)
Date: Mon Nov 13 21:17:33 2006
Subject: [Bleeding-sigs] TROJAN Agobot-SDBot
Message-ID: <20061108150317.9h9clxzoq5wkwc4c@webmail.infotex.com>

Have yet to see a positive threat on the 1000's of alerts this sig has
generated. It's falsing on a lot of random legit traffic.

SID #2003157

Sean Waugh, MCSA
Network Administrator
Infotex, Inc.
Office: 866-679-5177
Mobile: 765-490-4578
Fax: 765-236-2333
www.infotex.com / www.sifterplus.com

From martin.holste at wisconsin.gov Mon Nov 13 21:00:02 2006
From: martin.holste at wisconsin.gov (Holste, Martin C - DOA)
Date: Mon Nov 13 21:17:34 2006
Subject: [Bleeding-sigs] New(?) idea for preprocessor
In-Reply-To: <4553CA13.9050707@bleedingthreats.net>
Message-ID: <9E47DEF9559FC9468F00DB52DDF5BEF5014A55FE@MEWMAD1P0129.enterprise.wistate.us>

While decoding yet another piece of obfuscated javascript, it occurred
to me how nice it would be to have a preprocessor for Snort that would
interpret any incoming javascript before signature matching. That way,
we wouldn't have to write signatures to catch char code and other
obfuscation tricks, we could continue matching on things like CLSID's.

I think that the easiest way to accomplish this would be by using the
Firefox source code for JS parsing and splicing that with the
http_inspect Snort preprocessor code to make a javascript_inspect
preprocessor. Alternatively, functionality could be added to the
http_inspect so that it will interpret javascript based on
configuration.

It would be a big task, but I think that the return on investment would
be incredible. Unfortunately, I'm more comfortable editing C than
creating in C and so I'm looking for some help exploring this solution.
Would anyone be interested in helping or providing comment?

Thanks,

Martin

From martin.holste at gmail.com Mon Nov 13 21:49:50 2006
From: martin.holste at gmail.com (Martin Holste)
Date: Mon Nov 13 21:51:36 2006
Subject: [Bleeding-sigs] New(?) idea for preprocessor
Message-ID: <6d15e6030611131349r59595294se71fd2b068e364fe@mail.gmail.com>

While decoding yet another piece of obfuscated javascript, it occurred
to me how nice it would be to have a preprocessor for Snort that would
interpret any incoming javascript before signature matching. That way,
we wouldn't have to write signatures to catch char code and other
obfuscation tricks, we could continue matching on things like CLSID's.

I think that the easiest way to accomplish this would be by using the
Firefox source code for JS parsing and splicing that with the
http_inspect Snort preprocessor code to make a javascript_inspect
preprocessor. Alternatively, functionality could be added to the
http_inspect so that it will interpret javascript based on
configuration.

It would be a big task, but I think that the return on investment would
be incredible. Unfortunately, I'm more comfortable editing C than
creating in C and so I'm looking for some help exploring this solution.
Would anyone be interested in helping or providing comment?

Thanks,

Martin

From jonkman at bleedingthreats.net Mon Nov 13 21:57:28 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Nov 13 21:59:11 2006
Subject: [Bleeding-sigs] UTF Encoding
Message-ID: <4558EA48.6000800@bleedingthreats.net>

These from Andre and his anonymous advisor. Idea is to try to get some
generic coverage for exploit shellcode. These are experimental, although
they have fared well in some basic testing. Please let us know how they
do for you so we can tweak or improve if necessary.

Thanks Andre!
------------

#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible UTF-8 encoded Shellcode Detected";flow:from_server,established;pcre:"/(%[uU]([0-9A-Fa-f]{2})){2}/";classtype:trojan-activity;sid:2003173; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible UTF-16 encoded Shellcode Detected";flow:from_server,established;pcre:"/(%[uU]([0-9A-Fa-f]{4})){2}/";classtype:trojan-activity;sid:2003174; rev:1;)

This will/should hit on %u or %U (thanks for the suggestion mr anon!)
followed by hex. It should be noted that there must be two %U9090's one
after another in order for this to hit (that can of course be changed).
This has been done to eliminate possible false positives (again thanks
mr anon).

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc

From bamm.visscher at gmail.com Mon Nov 13 23:30:57 2006
From: bamm.visscher at gmail.com (Bamm Visscher)
Date: Mon Nov 13 23:32:43 2006
Subject: [Bleeding-sigs] New(?) idea for preprocessor
In-Reply-To: <9E47DEF9559FC9468F00DB52DDF5BEF5014A55FE@MEWMAD1P0129.enterprise.wistate.us>
References: <4553CA13.9050707@bleedingthreats.net> <9E47DEF9559FC9468F00DB52DDF5BEF5014A55FE@MEWMAD1P0129.enterprise.wistate.us>
Message-ID: <27492850611131530s3eeed73y9ebdc5caed171580@mail.gmail.com>

That'd be great, but I think you would need the ability to farm that
function out to a different process or take a serious performance hit.
RUMINT is snort might be able to do something like that in an upcoming
version (3 cough dot cough oh cough).
Bammkkkk

On 11/13/06, Holste, Martin C - DOA wrote:
> While decoding yet another piece of obfuscated javascript, it occurred
> to me how nice it would be to have a preprocessor for Snort that would
> interpret any incoming javascript before signature matching. That way,
> we wouldn't have to write signatures to catch char code and other
> obfuscation tricks, we could continue matching on things like CLSID's.
>
> I think that the easiest way to accomplish this would be by using the
> Firefox source code for JS parsing and splicing that with the
> http_inspect Snort preprocessor code to make a javascript_inspect
> preprocessor. Alternatively, functionality could be added to the
> http_inspect so that it will interpret javascript based on
> configuration.
>
> It would be a big task, but I think that the return on investment would
> be incredible. Unfortunately, I'm more comfortable editing C than
> creating in C and so I'm looking for some help exploring this solution.
> Would anyone be interested in helping or providing comment?
> > Thanks, > > Martin > _______________________________________________ > Bleeding-sigs mailing list > Bleeding-sigs@bleedingthreats.net > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs > -- sguil - The Analyst Console for NSM http://sguil.sf.net From bleeding at bleedingthreats.net Tue Nov 14 01:00:08 2006 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Tue Nov 14 01:01:57 2006 Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes Message-ID: <20061114010008.D26FB55025E@gort.offsitefilter.com> [***] Results from Oinkmaster started Mon Nov 13 20:00:08 2006 [***] [+++] Added rules: [+++] 2003173 - BLEEDING-EDGE EXPLOIT Possible UTF-8 encoded Shellcode Detected (bleeding-exploit.rules) 2003174 - BLEEDING-EDGE EXPLOIT Possible UTF-16 encoded Shellcode Detected (bleeding-exploit.rules) 2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules) 2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [///] Modified active rules: [///] 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) 
    (bleeding-botcc.rules)
2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-exploit.rules (2):
#by Andre and mr anon
#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions

-> Added to bleeding-sid-msg.map (4):
2003173 || BLEEDING-EDGE EXPLOIT Possible UTF-8 encoded Shellcode Detected
2003174 || BLEEDING-EDGE EXPLOIT Possible UTF-16 encoded Shellcode Detected
2410009 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org
2411009 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org

From bhartstein at demarc.com Tue Nov 14 00:49:21 2006
From: bhartstein at demarc.com (Blake Hartstein)
Date: Tue Nov 14 01:09:09 2006
Subject: [Bleeding-sigs] New(?)
 idea for preprocessor
In-Reply-To: <9E47DEF9559FC9468F00DB52DDF5BEF5014A55FE@MEWMAD1P0129.enterprise.wistate.us>
References: <9E47DEF9559FC9468F00DB52DDF5BEF5014A55FE@MEWMAD1P0129.enterprise.wistate.us>
Message-ID: <20061114004924.E7FA2E28E@corp.demarc.com>

Martin,

I think you have quite a challenge here. Remember javascript is a fully
functional programming language, and the language itself is capable of
javascript output independent of its own code. The complexities of
interpreting javascript are as difficult as rendering it. It seems more
practical to use client-side techniques to interpret the javascript as a
runtime environment. Not to mention client side encodings (chunked, gzip)
to name a few.

See this paper if you are interested: "Detecting Malicious JavaScript
Code in Mozilla" (registration / membership may be required)
http://ieeexplore.ieee.org/iel5/9905/31477/01467889.pdf

-Blake

Holste, Martin C - DOA wrote:
> While decoding yet another piece of obfuscated javascript, it occurred
> to me how nice it would be to have a preprocessor for Snort that would
> interpret any incoming javascript before signature matching. That way,
> we wouldn't have to write signatures to catch char code and other
> obfuscation tricks, we could continue matching on things like CLSID's.
>
> I think that the easiest way to accomplish this would be by using the
> Firefox source code for JS parsing and splicing that with the
> http_inspect Snort preprocessor code to make a javascript_inspect
> preprocessor. Alternatively, functionality could be added to the
> http_inspect so that it will interpret javascript based on
> configuration.
>
> It would be a big task, but I think that the return on investment would
> be incredible. Unfortunately, I'm more comfortable editing C than
> creating in C and so I'm looking for some help exploring this solution.
> Would anyone be interested in helping or providing comment?
>
> Thanks,
>
> Martin
>

--
This email and any files transmitted with it are solely intended for the
use of the addressee(s) and may contain information that is confidential
and privileged. If you receive this email in error, please advise us by
return email immediately. Please also disregard the contents of the email,
delete it and destroy any copies immediately. Demarc Security, Inc. does
not accept liability for the views expressed in the email or for the
consequences of any computer viruses that may be transmitted with this
email. This email is also subject to copyright. No part of it should be
reproduced, adapted or transmitted without the written consent of the
copyright owner.

From jonkman at bleedingthreats.net Tue Nov 14 01:09:32 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue Nov 14 01:11:17 2006
Subject: [Bleeding-sigs] New(?) idea for preprocessor
In-Reply-To: <6d15e6030611131349r59595294se71fd2b068e364fe@mail.gmail.com>
References: <6d15e6030611131349r59595294se71fd2b068e364fe@mail.gmail.com>
Message-ID: <4559174C.5000308@bleedingthreats.net>

I definitely think it's worthwhile, although could be big on load.

I'm not the guy to code it, but will offer any resources required from
bleeding edge. Any takers to help? :)

Matt

Martin Holste wrote:
> While decoding yet another piece of obfuscated javascript, it occurred
> to me how nice it would be to have a preprocessor for Snort that would
> interpret any incoming javascript before signature matching. That
> way, we wouldn't have to write signatures to catch char code and other
> obfuscation tricks, we could continue matching on things like CLSID's.
>
> I think that the easiest way to accomplish this would be by using the
> Firefox source code for JS parsing and splicing that with the
> http_inspect Snort preprocessor code to make a javascript_inspect
> preprocessor. Alternatively, functionality could be added to the
> http_inspect so that it will interpret javascript based on
> configuration.
>
> It would be a big task, but I think that the return on investment
> would be incredible. Unfortunately, I'm more comfortable editing C
> than creating in C and so I'm looking for some help exploring this
> solution. Would anyone be interested in helping or providing comment?
>
> Thanks,
>
> Martin

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From jonkman at bleedingthreats.net Tue Nov 14 13:28:19 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue Nov 14 13:28:56 2006
Subject: [Bleeding-sigs] UTF Encoding
In-Reply-To: <4558EA48.6000800@bleedingthreats.net>
References: <4558EA48.6000800@bleedingthreats.net>
Message-ID: <4559C473.1050000@bleedingthreats.net>

Anyone get a good chance to test these? Any false positives to speak of?

Matt

Matt Jonkman wrote:
> These from Andre and his anonymous advisor. Idea is to try to get some
> generic coverage for exploit shellcode.
>
> These are experimental, although they have fared well in some basic
> testing. Please let us know how they do for you so we can tweak or
> improve if necessary.
>
> Thanks Andre!
>
> ------------
>
> #Intended to catch common shellcode encoding in exploit scripts coming
> to clients in web sessions
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; pcre:"/(%[uU]([0-9A-Fa-f]{2})){2}/"; classtype:trojan-activity; sid:2003173; rev:1;)
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; pcre:"/(%[uU]([0-9A-Fa-f]{4})){2}/"; classtype:trojan-activity; sid:2003174; rev:1;)
>
>
> This will/should hit on %u or %U (thanks for the suggestion mr anon!)
> followed by hex. It should be noted that there must be two %U9090's
> one after another in order for this to hit (that can of course be
> changed). This has been done to eliminate possible false positives
> (again thanks mr anon).
>

From jonkman at bleedingthreats.net Tue Nov 14 13:39:34 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue Nov 14 13:40:22 2006
Subject: [Bleeding-sigs] TROJAN Agobot-SDBot
In-Reply-To: <20061108150317.9h9clxzoq5wkwc4c@webmail.infotex.com>
References: <20061108150317.9h9clxzoq5wkwc4c@webmail.infotex.com>
Message-ID: <4559C716.6050305@bleedingthreats.net>

Still seeing this? How's the load on sensors these are coming from?

Matt

Sean Waugh wrote:
> Have yet to see a positive threat on the 1000's of alerts this sig has
> generated. It's falsing on a lot of random legit traffic.
>
> SID #2003157
>
> Sean Waugh, MCSA
> Network Administrator
> Infotex, Inc.
>
> Office: 866-679-5177
> Mobile: 765-490-4578
> Fax: 765-236-2333
>
> www.infotex.com / www.sifterplus.com
>
>
> NOTICE: The information contained in this email is confidential and
> intended solely for the intended recipient. Any use, distribution,
> transmittal or retransmittal of information contained in this email by
> persons who are not intended recipients may be a violation of law and
> is strictly prohibited. If you are not the intended recipient, please
> contact the sender and delete all copies.
>
> infotex complies with all provisions of the CAN-SPAM ACT of 2003. If you
> have received this e-mail and wish to opt-out of future commercial E-mails
> please fill out the form located at: http://www.infotex.com/opt_out.html.
>

From jonkman at bleedingthreats.net Tue Nov 14 20:09:19 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue Nov 14 20:09:36 2006
Subject: [Bleeding-sigs] Warezov catch idea
Message-ID: <455A226F.5000908@bleedingthreats.net>

Playing with a couple warezov samples, I noticed they do a spamhaus
sbl-xbl lookup to make sure they're not listed.

Anyone think there'd be value in a sig that'd look for spamhaus dns
lookups from anyone except mail servers?
Matt

From jonkman at bleedingthreats.net Tue Nov 14 20:38:17 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue Nov 14 20:39:37 2006
Subject: [Bleeding-sigs] Warezov Sigs
Message-ID: <455A2939.6050407@bleedingthreats.net>

Playing with a few samples, saw it make a connection that doesn't seem to
be documented in other analyses of the trojan. These sigs catch it, but
I'm not sure what it is. Frankly, don't care what it is, as long as we
see it. :)

#Experimental, may only apply to a few variants, but worth testing
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"JONKMAN Warezov Challenge TEST"; flow:established,to_server; dsize:1; content:"|3 8|"; flowbits:noalert; flowbits:set,BEposs.warezov.challenge; classtype:not-suspicious; sid:2003175; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JONKMAN Warezov Challenge Response TEST"; flowbits:isset,BEposs.warezov.challenge; flow:established,from_server; dsize:4; content:"|00 00 00 00|"; classtype:trojan-activity; sid:2003176; rev:1;)

Please report experience with it. And if you have any older warezov
samples, either shoot them over or test them with these running.
Matt

From scheidell at secnap.net Tue Nov 14 23:12:30 2006
From: scheidell at secnap.net (Michael Scheidell)
Date: Tue Nov 14 23:13:11 2006
Subject: [Bleeding-sigs] Warezov catch idea
In-Reply-To: <455A226F.5000908@bleedingthreats.net>
References: <455A226F.5000908@bleedingthreats.net>
Message-ID: <455A4D5E.2080003@secnap.net>

Matt Jonkman wrote:
> Playing with a couple warezov samples, I noticed they do a spamhaus
> sbl-xbl lookup to make sure they're not listed.
>
> Anyone think there'd be value in a sig that'd look for spamhaus dns
> lookups from anyone except mail servers?
>
> Matt
>
Hey, I'd even write it, but we are swamped. Darn salesdroids got us
booked up doing audits for clients who decided till NOVEMBER, then needed
audits before end of year...

--
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
scheidell@secnap.net / 1+561-999-5000, x 1131

From bleeding at bleedingthreats.net Wed Nov 15 01:00:09 2006
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Wed Nov 15 01:00:46 2006
Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes
Message-ID: <20061115010009.E073F55026A@gort.offsitefilter.com>

[***] Results from Oinkmaster started Tue Nov 14 20:00:09 2006 [***]

[+++] Added rules: [+++]

2003175 - JONKMAN Warezov Challenge TEST (bleeding-virus.rules)
2003176 - JONKMAN Warezov Challenge Response TEST (bleeding-virus.rules)
2003177 - BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access (Microsoft Agent Memory Corruption) (bleeding.rules)

[///] Modified active rules: [///]

2003169 - BLEEDING-EDGE CURRENT EVENTS Microsoft XMLHTTPD CLSID in use - Possible Attack (bleeding.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP
    Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411009 - BLEEDING-EDGE DROP Known Bot C&C
    Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-exploit.rules (1):
#by Anonymous Researchers(tm)

-> Added to bleeding-sid-msg.map (4):
2003169 || BLEEDING-EDGE CURRENT EVENTS Microsoft XMLHTTPD CLSID in use - Possible Attack || cve,2006-5745 || url,www.microsoft.com/technet/security/Bulletin/MS06-071.mspx || url,www.microsoft.com/technet/security/advisory/927892.mspx || url,www.frsirt.com/english/advisories/2006/4334
2003175 || JONKMAN Warezov Challenge TEST
2003176 || JONKMAN Warezov Challenge Response TEST
2003177 || BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access (Microsoft Agent Memory Corruption) || url,www.microsoft.com/technet/security/bulletin/ms06-068.mspx

-> Added to bleeding-virus.rules (1):
#Experimental, may only apply to a few variants, but worth testing

-> Added to bleeding.rules (1):
#by Shirkdog

[---] Removed non-rule lines: [---]

-> Removed from bleeding-exploit.rules (1):
#by Andre and mr anon

-> Removed from bleeding-sid-msg.map (1):
2003169 || BLEEDING-EDGE CURRENT EVENTS Microsoft XMLHTTPD CLSID in use - Possible Attack || url,www.microsoft.com/technet/security/advisory/927892.mspx || url,www.frsirt.com/english/advisories/2006/4334

From bhartstein at demarc.com Wed Nov 15 16:56:09 2006
From: bhartstein at demarc.com (Blake Hartstein)
Date: Wed Nov 15 16:56:54 2006
Subject: [Bleeding-sigs] Rule Submit: WinZip ActiveX Control Access
Message-ID: <20061115165615.58845E306@corp.demarc.com>

This rule detects an access to a vulnerable ActiveX control which is used
to view web-based files in a format that makes them appear local through
a browser. This is installed with WinZip < 10.0.7245, and an exploit has
been developed.

See http://www.winzip.com/wz7245.htm for more information.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT Microsoft Internet Explorer WinZip FileView ActiveX Control Access"; flow:from_server,established; content:"CLSID"; nocase; content:"A09AE68F-B14D-43ED-B713-BA413F034904"; nocase; reference:cve,2006-5198; classtype:web-application-activity; sid:2003???; rev:1;)

-Blake

From jonkman at bleedingthreats.net Wed Nov 15 17:01:11 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Wed Nov 15 16:59:51 2006
Subject: [Bleeding-sigs] Rule Submit: WinZip ActiveX Control Access
In-Reply-To: <20061115165615.58845E306@corp.demarc.com>
References: <20061115165615.58845E306@corp.demarc.com>
Message-ID: <455B47D7.2060405@bleedingthreats.net>

Got it, posting now. Thanks Blake!

matt

Blake Hartstein wrote:
> This rule detects an access to a vulnerable ActiveX control which is
> used to view web-based files in a format that makes them appear local
> through a browser. This is installed with WinZip < 10.0.7245, and an
> exploit has been developed.
>
> See http://www.winzip.com/wz7245.htm for more information.
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT Microsoft Internet Explorer WinZip FileView ActiveX Control Access"; flow:from_server,established; content:"CLSID"; nocase; content:"A09AE68F-B14D-43ED-B713-BA413F034904"; nocase; reference:cve,2006-5198; classtype:web-application-activity; sid:2003???; rev:1;)
>
> -Blake
>

From martin.holste at gmail.com Wed Nov 15 18:56:47 2006
From: martin.holste at gmail.com (Martin Holste)
Date: Wed Nov 15 18:58:32 2006
Subject: [Bleeding-sigs] New(?) idea for preprocessor
In-Reply-To: <27492850611131530s3eeed73y9ebdc5caed171580@mail.gmail.com>
References: <4553CA13.9050707@bleedingthreats.net> <9E47DEF9559FC9468F00DB52DDF5BEF5014A55FE@MEWMAD1P0129.enterprise.wistate.us> <27492850611131530s3eeed73y9ebdc5caed171580@mail.gmail.com>
Message-ID: <6d15e6030611151056v430c1751i6d66036be082ced4@mail.gmail.com>

I suppose that a separate program which piped the sanitized javascript to
snort for analysis could be made. That way on an SMP box one processor
would handle doing the JS decoding while the other would handle Snort.
This would also be handy for running batches of snort or ngrep against
pcap files, or it could be stuck in the snort startup scripts so that it
was always piping the interface-read data to snort. The challenge in
having a non-snort process do it would be taking all of the code from the
stream preprocessor for snort and implementing it. I wonder if tcpflow
does an adequate job of parsing packets into full streams for this.
Obviously you wouldn't be able to defragment streams, but it would go a
long way. So, I guess it could work something like:

tcpflow -r pcapfile -w - | nonexistentJSinterpreter | snort
So all that would really need to be coded is a command-line version of
the Firefox JS parser that could read and write stdin/out.

I understand Blake's comment regarding the difficulty in catching
everything through JS interpreting, but I think that this would greatly
increase the usefulness of a lot of the CLSID sigs that we seem to be
churning out more and more of.

--Martin

On 11/13/06, Bamm Visscher wrote:
> That'd be great, but I think you would need the ability to farm that
> function out to a different process or take a serious performance hit.
> RUMINT is snort might be able to do something like that in an
> upcoming version (3 cough dot cough oh cough).
>
> Bammkkkk
>
> On 11/13/06, Holste, Martin C - DOA wrote:
> > While decoding yet another piece of obfuscated javascript, it occurred
> > to me how nice it would be to have a preprocessor for Snort that would
> > interpret any incoming javascript before signature matching. That way,
> > we wouldn't have to write signatures to catch char code and other
> > obfuscation tricks, we could continue matching on things like CLSID's.
> >
> > I think that the easiest way to accomplish this would be by using the
> > Firefox source code for JS parsing and splicing that with the
> > http_inspect Snort preprocessor code to make a javascript_inspect
> > preprocessor. Alternatively, functionality could be added to the
> > http_inspect so that it will interpret javascript based on
> > configuration.
> >
> > It would be a big task, but I think that the return on investment would
> > be incredible. Unfortunately, I'm more comfortable editing C than
> > creating in C and so I'm looking for some help exploring this solution.
> > Would anyone be interested in helping or providing comment?
> >
> > Thanks,
> >
> > Martin
>

From bhartstein at demarc.com Wed Nov 15 22:10:31 2006
From: bhartstein at demarc.com (Blake Hartstein)
Date: Wed Nov 15 22:11:06 2006
Subject: [Bleeding-sigs] FP: ToolbarPartner User Agent Activity
Message-ID: <20061115221033.9171DE323@corp.demarc.com>

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ToolbarPartner User Agent Activity"; flow: to_server,established; content:"User-Agent\: agent"; nocase; classtype: trojan-activity; sid: 2001891; rev:6;)

Alerted on this traffic:

GET /search?hl=en&q=bangface HTTP/1.1
Connection: close
Host: www.google.com
User-Agent: AgentName/0.1 libwww-perl/5.805

Do you have any further information that would help reduce this alert case?

Thanks,
-Blake
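The hit Blake reports comes from how a Snort content option matches: it is an unanchored substring test, and with nocase the string "User-Agent: agent" is found inside "User-Agent: AgentName/...". The script below is an added example, not code from the list or from the Bleeding Edge rule set: it re-implements that match over the request Blake quoted plus two constructed requests, beside a hypothetical tighter check (an assumption, not a published rule) that only fires when the whole User-Agent value is "agent".

```python
import re

# The request Blake quoted on the list, reassembled with CRLF line endings.
REQ_LWP = (
    "GET /search?hl=en&q=bangface HTTP/1.1\r\n"
    "Connection: close\r\n"
    "Host: www.google.com\r\n"
    "User-Agent: AgentName/0.1 libwww-perl/5.805\r\n"
    "\r\n"
)
# Constructed sample: the case the rule was written for, a bare "agent" UA.
REQ_TOOLBAR = (
    "GET /x HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: agent\r\n"
    "\r\n"
)
# Constructed sample: an ordinary browser UA that should never match.
REQ_BROWSER = (
    "GET / HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (compatible)\r\n"
    "\r\n"
)

RULE_CONTENT = "User-Agent\\: agent"   # the content string from sid 2001891


def snort_content_match(payload, pattern, nocase=True):
    """Approximate Snort 'content' semantics: the pattern is a literal
    substring (a backslash-escaped ':' stands for ':'), 'nocase' makes
    the comparison case-insensitive, and nothing anchors the match."""
    literal = pattern.replace("\\:", ":")
    if nocase:
        return literal.lower() in payload.lower()
    return literal in payload


def user_agent(payload):
    """Return the User-Agent header value of an HTTP request, or None."""
    head = payload.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None


# Hypothetical tightening (an assumption, not a Bleeding Edge rule): the
# whole header value must be "agent". The same anchored test could be
# written as a pcre option instead of a bare content match.
STRICT_UA = re.compile(r"^User-Agent:[ \t]*agent\r?$",
                       re.IGNORECASE | re.MULTILINE)


def strict_agent_match(payload):
    return STRICT_UA.search(payload) is not None


def classify(payload):
    """Report how the posted rule and the strict variant treat one request."""
    return {
        "user_agent": user_agent(payload),
        "sid_2001891_fires": snort_content_match(payload, RULE_CONTENT),
        "strict_fires": strict_agent_match(payload),
    }


if __name__ == "__main__":
    for name, req in [("libwww-perl", REQ_LWP),
                      ("toolbar", REQ_TOOLBAR),
                      ("browser", REQ_BROWSER)]:
        print(name, classify(req))
```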
From bleeding at bleedingthreats.net Thu Nov 16 01:00:13 2006
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Thu Nov 16 01:00:50 2006
Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes
Message-ID: <20061116010013.CA49355026A@gort.offsitefilter.com>

[***] Results from Oinkmaster started Wed Nov 15 20:00:13 2006 [***]

[+++] Added rules: [+++]

2003178 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FileView ActiveX Control Access (bleeding.rules)

[///] Modified active rules: [///]

2003175 - BLEEDING-EDGE TROJAN Warezov Challenge TEST (bleeding-virus.rules)
2003176 - BLEEDING-EDGE TROJAN Warezov Challenge Response TEST (bleeding-virus.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE
    (bleeding-botcc-BLOCK.rules)
2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-sid-msg.map (3):
2003175 || BLEEDING-EDGE TROJAN Warezov Challenge TEST
2003176 || BLEEDING-EDGE TROJAN Warezov Challenge Response TEST
2003178 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FileView ActiveX Control Access || cve,2006-5198

-> Added to bleeding.rules (1):
#by Blake Hartstein of Demarc

[---] Removed non-rule lines: [---]

-> Removed from bleeding-sid-msg.map (2):
2003175 || JONKMAN Warezov Challenge TEST
2003176 || JONKMAN Warezov Challenge Response TEST

From jonkman at bleedingthreats.net Thu Nov 16 13:50:00 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Nov 16 13:50:38 2006
Subject: [Bleeding-sigs] FP: ToolbarPartner User Agent Activity
In-Reply-To: <20061115221033.9171DE323@corp.demarc.com>
References: <20061115221033.9171DE323@corp.demarc.com>
Message-ID: <455C6C88.3010400@bleedingthreats.net>

That's an interesting hit, looks like someone didn't change the defaults
in the code they copied. :)

Do you know what made this request?
Matt

Blake Hartstein wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
> "BLEEDING-EDGE Malware ToolbarPartner User Agent Activity"; flow:
> to_server,established; content:"User-Agent\: agent"; nocase; classtype:
> trojan-activity; sid: 2001891; rev:6;)
>
> Alerted on this traffic:
> GET /search?hl=en&q=bangface HTTP/1.1
> Connection: close
> Host: www.google.com
> User-Agent: AgentName/0.1 libwww-perl/5.805
>
> Do you have any further information that would help reduce this alert case?
>
> Thanks,
> -Blake
>

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From scheidell at secnap.net Thu Nov 16 14:16:29 2006
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Nov 16 14:17:59 2006
Subject: [Bleeding-sigs] FP: ToolbarPartner User Agent Activity
In-Reply-To: <455C6C88.3010400@bleedingthreats.net>
References: <20061115221033.9171DE323@corp.demarc.com> <455C6C88.3010400@bleedingthreats.net>
Message-ID: <455C72BD.2070509@secnap.net>

Matt Jonkman wrote:
> That's an interesting hit, looks like someone didn't change the defaults
> in the code they copied. :)
>
> Do you know what made this request?
>
> Matt
>
>
Actually, it WOULD make a hit:

someone 'forged' a User-Agent: of AgentName for their lwp stuff (libwww-perl)

> Blake Hartstein wrote:
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
>> "BLEEDING-EDGE Malware ToolbarPartner User Agent Activity"; flow:
>> to_server,established; content:"User-Agent\: agent"; nocase; classtype:
>> trojan-activity; sid: 2001891; rev:6;)
>>
>> Alerted on this traffic:
>> GET /search?hl=en&q=bangface HTTP/1.1
>> Connection: close
>> Host: www.google.com
>> User-Agent: AgentName/0.1 libwww-perl/5.805
>>
>> Do you have any further information that would help reduce this alert case?
>>
>> Thanks,
>> -Blake
>>
>>
>
>

--
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
scheidell@secnap.net / 1+561-999-5000, x 1131

From reggers at ist.uwaterloo.ca Thu Nov 16 13:52:03 2006
From: reggers at ist.uwaterloo.ca (Reg Quinton)
Date: Thu Nov 16 14:23:35 2006
Subject: [Bleeding-sigs] New(?)
idea for preprocessor
References: <4553CA13.9050707@bleedingthreats.net> <9E47DEF9559FC9468F00DB52DDF5BEF5014A55FE@MEWMAD1P0129.enterprise.wistate.us> <27492850611131530s3eeed73y9ebdc5caed171580@mail.gmail.com> <6d15e6030611151056v430c1751i6d66036be082ced4@mail.gmail.com>
Message-ID: <00fd01c70986$66307d70$6601a8c0@dilbert>

wrt. obfuscated Javascript.

Wouldn't it be enough to detect and alarm things that have been obfuscated? Ie. isn't obfuscation in and of itself a good marker of malicious intent.

Compare - we alarm all .exes in email without trying to figure out what they do. Pretty much all exes in email are malicious.

Let's keep it simple.

From jonkman at bleedingthreats.net Thu Nov 16 15:18:43 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Nov 16 15:20:13 2006
Subject: [Bleeding-sigs] Exe downloads w/o User Agent
Message-ID: <455C8153.3070805@bleedingthreats.net>

Here's a sig I've run internally for a while and has proven to be VERY useful. Took some time to find common falses, but it's good now:

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY exe download without User Agent"; flow:established,to_server; uricontent:".exe"; nocase; content:".exe"; depth:150; nocase; content:!"User-Agent\:"; content:!"download.windowsupdate.com"; content:!"mms\://"; nocase; sid:2003179; rev:1;)

Can't tell you how many interesting things it's found. Warezov's, spyware, all sorts of stuff. It's just looking for an exe download without a user agent string. very unusual. Always of interest.

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From scheidell at secnap.net Thu Nov 16 16:09:42 2006
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Nov 16 16:11:07 2006
Subject: [Bleeding-sigs] New(?)
idea for preprocessor
In-Reply-To: <00fd01c70986$66307d70$6601a8c0@dilbert>
References: <4553CA13.9050707@bleedingthreats.net> <9E47DEF9559FC9468F00DB52DDF5BEF5014A55FE@MEWMAD1P0129.enterprise.wistate.us> <27492850611131530s3eeed73y9ebdc5caed171580@mail.gmail.com> <6d15e6030611151056v430c1751i6d66036be082ced4@mail.gmail.com> <00fd01c70986$66307d70$6601a8c0@dilbert>
Message-ID: <455C8D46.9060006@secnap.net>

Reg Quinton wrote:
> wrt. obfuscated Javascript.
>
> Wouldn't it be enough to detect and alarm things that have been
> obfuscated? Ie. isn't obfuscation in and of itself a good marker of
> malicious intent.
>
> Compare - we alarm all .exes in email without trying to figure out
> what they do. Pretty much all exes in email are malicious.
>
> Let's keep it simple.
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>
Some obfuscated javascript ON THE WEB SITE is used to hide email addresses from spammers.

If someone emails one of those web pages, it might trigger an alert (so be it!)

--
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
scheidell@secnap.net / 1+561-999-5000, x 1131

From jonkman at bleedingthreats.net Thu Nov 16 19:10:23 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Nov 16 19:11:55 2006
Subject: [Bleeding-sigs] FP: ToolbarPartner User Agent Activity
In-Reply-To: <455C72BD.2070509@secnap.net>
References: <20061115221033.9171DE323@corp.demarc.com> <455C6C88.3010400@bleedingthreats.net> <455C72BD.2070509@secnap.net>
Message-ID: <455CB79F.5010000@bleedingthreats.net>

Ya, it was definitely a good hit.

The toolbar partner spyware stuff uses the user agent "agent", but that may have been a temporary thing as I can't find any reference to it anymore. This is still an interesting hit I think. Anyone seen anything about toolbarpartners anymore?
Matt

Michael Scheidell wrote:
> Matt Jonkman wrote:
>> That's an interesting hit, looks like someone didn't change the defaults
>> in the code they copied. :)
>>
>> Do you know what made this request?
>>
>> Matt
>>
>>
> Actually, it WOULD make a hit:
>
> someone 'forged' a User-Agent: of AgentName for their lwp stuff
> (libwww-perl)
>
>> Blake Hartstein wrote:
>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
>>> "BLEEDING-EDGE Malware ToolbarPartner User Agent Activity"; flow:
>>> to_server,established; content:"User-Agent\: agent"; nocase; classtype:
>>> trojan-activity; sid: 2001891; rev:6;)
>>>
>>> Alerted on this traffic:
>>> GET /search?hl=en&q=bangface HTTP/1.1
>>> Connection: close
>>> Host: www.google.com
>>> User-Agent: AgentName/0.1 libwww-perl/5.805
>>>
>>> Do you have any further information that would help reduce this alert case?
>>>
>>> Thanks,
>>> -Blake
>>>
>>>
>>
>>
>
>
> --
> Michael Scheidell, CTO
> SECNAP Network Security / www.secnap.com
> scheidell@secnap.net / 1+561-999-5000, x 1131
>

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From martin.holste at gmail.com Thu Nov 16 19:26:34 2006
From: martin.holste at gmail.com (Martin Holste)
Date: Thu Nov 16 19:27:58 2006
Subject: [Bleeding-sigs] New(?)
idea for preprocessor
In-Reply-To: <00fd01c70986$66307d70$6601a8c0@dilbert>
References: <4553CA13.9050707@bleedingthreats.net> <9E47DEF9559FC9468F00DB52DDF5BEF5014A55FE@MEWMAD1P0129.enterprise.wistate.us> <27492850611131530s3eeed73y9ebdc5caed171580@mail.gmail.com> <6d15e6030611151056v430c1751i6d66036be082ced4@mail.gmail.com> <00fd01c70986$66307d70$6601a8c0@dilbert>
Message-ID: <6d15e6030611161126o3b86027blcacf30e34658dd54@mail.gmail.com>

Yes, it would be great if we could detect malicious javascript obfuscation. Unfortunately, sigs that do that (matching on "encode(" and hex values, etc.) have a high FP rate because lots of sites use obfuscation to hide email addresses from spammers. (As per Michael's point that he just posted). In addition to that, I think that there is a whole lot more to be gained if something like what I'm talking about was made. It would give us a powerful layer of abstraction to work with and I'm sure that many of our sigs could be vastly simplified. At the moment, I'm working on compiling the standalone firefox JS engine to see what that yields, and I see that there are perl and ruby wrappers for it.

In response to Matt's posted sig, I've been logging every Windows executable sent and received with sigs that match on permutations of content:"MZ"; content:"|20|This|20|program|20|cannot|20|be|20|run|20|in|20|DOS|20|mode"; I find that it is very helpful to run this and then check for any alerts which come from Chinese, Eastern-European, etc. IP space. I've found a lot of very interesting traffic that way, but you have to data mine to find the interesting alerts among the mostly FP's.

--Martin

On 11/16/06, Reg Quinton wrote:
> wrt. obfuscated Javascript.
>
> Wouldn't it be enough to detect and alarm things that have been obfuscated?
> Ie. isn't obfuscation in and of itself a good marker of malicious intent.
>
> Compare - we alarm all .exes in email without trying to figure out what they
> do. Pretty much all exes in email are malicious.
>
> Let's keep it simple.
>

From bhartstein at demarc.com Thu Nov 16 23:16:07 2006
From: bhartstein at demarc.com (Blake Hartstein)
Date: Thu Nov 16 23:16:44 2006
Subject: [Bleeding-sigs] FP: ToolbarPartner User Agent Activity
In-Reply-To: <455C6C88.3010400@bleedingthreats.net>
References: <20061115221033.9171DE323@corp.demarc.com> <455C6C88.3010400@bleedingthreats.net>
Message-ID: <20061116231609.8AEF8E383@corp.demarc.com>

This request was from an IRC Client script.

-Blake

Matt Jonkman wrote:
> That's an interesting hit, looks like someone didn't change the defaults
> in the code they copied. :)
>
> Do you know what made this request?
>
> Matt
>
> Blake Hartstein wrote:
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
>> "BLEEDING-EDGE Malware ToolbarPartner User Agent Activity"; flow:
>> to_server,established; content:"User-Agent\: agent"; nocase; classtype:
>> trojan-activity; sid: 2001891; rev:6;)
>>
>> Alerted on this traffic:
>> GET /search?hl=en&q=bangface HTTP/1.1
>> Connection: close
>> Host: www.google.com
>> User-Agent: AgentName/0.1 libwww-perl/5.805
>>
>> Do you have any further information that would help reduce this alert case?
>>
>> Thanks,
>> -Blake
>>
>>
>
--
This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged. If you receive this email in error, please advise us by return email immediately. Please also disregard the contents of the email, delete it and destroy any copies immediately. Demarc Security, Inc. does not accept liability for the views expressed in the email or for the consequences of any computer viruses that may be transmitted with this email. This email is also subject to copyright.
No part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner.
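The two HTTP rules discussed above, Blake's ToolbarPartner false positive (sid 2001891) and Matt's "exe download without User Agent" sig (sid 2003179) from his earlier post, re-expressed in Python so the match behaviour can be reasoned about offline. This is an added example, not code from the list or from the Bleeding Edge rule set: parse_request and content_match are helpers written for it, and every request other than Blake's is constructed (with .test hostnames).

```python
"""Added example, not code from the Bleeding Edge Threats list or its rules.

Re-creates the matching logic of two HTTP rules from the thread:
  * sid 2001891 (ToolbarPartner): content:"User-Agent\\: agent"; nocase;
  * sid 2003179 (exe download without User Agent), as posted by Matt.
All requests below are constructed samples, not captured traffic.
"""

# LWP_REQUEST mirrors the request Blake posted; the others are made up.
LWP_REQUEST = (
    b"GET /search?hl=en&q=bangface HTTP/1.1\r\n"
    b"Connection: close\r\n"
    b"Host: www.google.com\r\n"
    b"User-Agent: AgentName/0.1 libwww-perl/5.805\r\n"
    b"\r\n"
)
TOOLBAR_REQUEST = (
    b"GET /ping HTTP/1.1\r\n"
    b"Host: tracker.example.test\r\n"
    b"User-Agent: agent\r\n"
    b"\r\n"
)
BARE_EXE_REQUEST = (
    b"GET /files/installer.exe HTTP/1.1\r\n"
    b"Host: cdn.example.test\r\n"
    b"\r\n"
)
WINDOWSUPDATE_REQUEST = (
    b"GET /msdownload/update/setup.exe HTTP/1.1\r\n"
    b"Host: download.windowsupdate.com\r\n"
    b"\r\n"
)
BROWSER_EXE_REQUEST = (
    b"GET /files/installer.exe HTTP/1.1\r\n"
    b"Host: cdn.example.test\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split an HTTP/1.x request into (method, uri, headers).
    Header names are lower-cased and values stripped; the body is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def content_match(raw, needle, nocase=True, depth=None):
    """Snort-style content match: a raw substring test over the payload,
    case-insensitive when nocase is set, limited to the first `depth` bytes."""
    hay = raw if depth is None else raw[:depth]
    if nocase:
        return needle.lower() in hay.lower()
    return needle in hay


def sid_2001891_matches(raw):
    """content:"User-Agent\\: agent"; nocase;  Snort unescapes "\\:", so the
    bytes searched for are 'User-Agent: agent'. As a substring test this
    also hits 'User-Agent: AgentName/...', which is Blake's false positive."""
    return content_match(raw, b"User-Agent: agent", nocase=True)


def user_agent_is_exactly(raw, value):
    """Stricter alternative: compare the whole header value, not a prefix."""
    _, _, headers = parse_request(raw)
    ua = headers.get(b"user-agent")
    return ua is not None and ua.lower() == value.lower()


def sid_2003179_matches(raw):
    """Matt's rule: '.exe' in the URI (nocase) and in the first 150 bytes
    (nocase); no 'User-Agent:'; no 'download.windowsupdate.com'; no 'mms://'
    (nocase). In Snort a nocase modifier applies only to the content it
    follows, so the first two negated contents are case-sensitive here."""
    _, uri, _headers = parse_request(raw)
    if b".exe" not in uri.lower():
        return False
    if not content_match(raw, b".exe", nocase=True, depth=150):
        return False
    if content_match(raw, b"User-Agent:", nocase=False):
        return False
    if content_match(raw, b"download.windowsupdate.com", nocase=False):
        return False
    if content_match(raw, b"mms://", nocase=True):
        return False
    return True


if __name__ == "__main__":
    print("2001891 on the libwww-perl request:", sid_2001891_matches(LWP_REQUEST))
    print("exact UA 'agent' on it:", user_agent_is_exactly(LWP_REQUEST, b"agent"))
    print("2003179 on a bare .exe request:", sid_2003179_matches(BARE_EXE_REQUEST))
```

Two things the code makes visible that the rule text does not: the ToolbarPartner match is a prefix match on the header value, so any agent string beginning with "agent" fires it, and comparing the full value is the cheap fix; and in sid 2003179 only the last negated content carries nocase, so a request that spells the header "user-agent:" would not be excluded. Adding nocase after the User-Agent content is the obvious hardening if that matters in your environment.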
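Martin's executable-in-transit approach from the "New(?) idea for preprocessor" thread (content:"MZ" together with the DOS-stub text), set beside a check of the DOS/PE header structure. This is an added example, not Martin's sigs or anything from the list; the PE prefix and the text sample are constructed byte strings, and build_pe_prefix, string_signature_matches and looks_like_pe are names chosen for this example.

```python
"""Added example, not code from the list or from Martin's sigs: the string
match he describes versus a structural DOS/PE header check, over
constructed byte strings rather than real files."""
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def build_pe_prefix():
    """Constructed sample: the first bytes of a PE image laid out the way the
    MS linker does (MZ magic, e_lfanew at 0x3c, stub text at 0x40, 'PE\\0\\0').
    Only the header skeleton; it is not a runnable program."""
    stub = DOS_STUB_TEXT + b".\r\n$\x00"
    e_lfanew = (0x40 + len(stub) + 7) & ~7           # 8-byte aligned, as real images are
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    dos[0x40:0x40 + len(stub)] = stub
    return bytes(dos) + b"PE\x00\x00" + struct.pack("<H", 0x014C)  # IMAGE_FILE_MACHINE_I386


# Constructed text that merely talks about the stub string. It begins with
# "MZ" and contains the phrase, so a pure string signature fires on it.
TEXT_ABOUT_PE = b"MZ is the magic; the stub says: This program cannot be run in DOS mode. See docs."


def string_signature_matches(data):
    """Martin's approach: both content strings present anywhere in the payload."""
    return b"MZ" in data and DOS_STUB_TEXT in data


def looks_like_pe(data):
    """Structural check: 'MZ' at offset 0, e_lfanew (uint32 LE at 0x3c) inside
    the buffer, and the 'PE\\0\\0' signature at that offset. It needs the
    payload up to e_lfanew, so for in-transit detection the first packet of
    the response body must carry that much."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(data):
    """Which of the two detectors fire, for a side-by-side comparison."""
    return {"string": string_signature_matches(data), "structural": looks_like_pe(data)}


if __name__ == "__main__":
    print("PE prefix:", classify(build_pe_prefix()))
    print("text about PE:", classify(TEXT_ABOUT_PE))
    print("first 64 bytes only:", classify(build_pe_prefix()[:64]))
```

The text sample shows where the false positives Martin mentions come from: the strings are present, so the string signature fires, while the structural check fails because the bytes at 0x3c do not point at a PE signature. The truncated case shows the trade-off in the other direction: with only the DOS header in hand neither detector can decide, which is why a content match on the stub text near the start of the stream remains a reasonable first pass when the full header is not yet visible.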
From bleeding at bleedingthreats.net Fri Nov 17 01:00:09 2006
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri Nov 17 01:00:49 2006
Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes
Message-ID: <20061117010009.B0F965502AA@gort.offsitefilter.com>

[***] Results from Oinkmaster started Thu Nov 16 20:00:09 2006 [***]

[+++] Added rules: [+++]

2003179 - BLEEDING-EDGE POLICY exe download without User Agent (bleeding-policy.rules)
2003180 - BLEEDING-EDGE TROJAN Warezov/Stration Data Post to Controller (bleeding-virus.rules)
2003181 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FolderView ActiveX Control Access (bleeding.rules)
2003182 - BLEEDING-EDGE TROJAN Prg Trojan v0.1-v0.3 Data Upload (bleeding-virus.rules)
2003183 - BLEEDING-EDGE TROJAN Prg Trojan Server Reply (bleeding-virus.rules)
2003184 - BLEEDING-EDGE TROJAN Prg Trojan v0.1 Binary In Transit (bleeding-virus.rules)
2003185 - BLEEDING-EDGE TROJAN Prg Trojan v0.2 Binary In Transit (bleeding-virus.rules)
2003186 - BLEEDING-EDGE TROJAN Prg Trojan v0.3 Binary In Transit (bleeding-virus.rules)

[///] Modified active rules: [///]

2003175 - BLEEDING-EDGE TROJAN Warezov/Stration Challenge (bleeding-virus.rules)
2003176 - BLEEDING-EDGE TROJAN Warezov/Stration Challenge Response (bleeding-virus.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-sid-msg.map (10):
2003175 || BLEEDING-EDGE TROJAN Warezov/Stration Challenge || url,www.sophos.com/security/analyses/w32strationbo.html
2003176 || BLEEDING-EDGE TROJAN Warezov/Stration Challenge Response || url,www.sophos.com/security/analyses/w32strationbo.html
2003179 || BLEEDING-EDGE POLICY exe download without User Agent
2003180 || BLEEDING-EDGE TROJAN Warezov/Stration Data Post to Controller ||
url,www.sophos.com/security/analyses/w32strationbo.html
2003181 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FolderView ActiveX Control Access || cve,2006-5198
2003182 || BLEEDING-EDGE TROJAN Prg Trojan v0.1-v0.3 Data Upload || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003183 || BLEEDING-EDGE TROJAN Prg Trojan Server Reply || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003184 || BLEEDING-EDGE TROJAN Prg Trojan v0.1 Binary In Transit || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003185 || BLEEDING-EDGE TROJAN Prg Trojan v0.2 Binary In Transit || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003186 || BLEEDING-EDGE TROJAN Prg Trojan v0.3 Binary In Transit || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf

-> Added to bleeding-virus.rules (1):
#by Lance James and Michael Ligh, referenced in paper at http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf

-> Added to bleeding.rules (1):
#by shirkdog

[---] Removed non-rule lines: [---]

-> Removed from bleeding-sid-msg.map (2):
2003175 || BLEEDING-EDGE TROJAN Warezov Challenge TEST
2003176 || BLEEDING-EDGE TROJAN Warezov Challenge Response TEST

From michael.ligh at mnin.org Fri Nov 17 04:10:55 2006
From: michael.ligh at mnin.org (Michael Hale Ligh)
Date: Fri Nov 17 04:28:14 2006
Subject: [Bleeding-sigs] Prg Trojan Sigs
Message-ID: <455D364F.6060806@mnin.org>

Hey Matt,

Five sigs for you on page 25 of http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf.

M

From jonkman at bleedingthreats.net Fri Nov 17 13:10:33 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Fri Nov 17 13:11:15 2006
Subject: [Bleeding-sigs] Prg Trojan Sigs
In-Reply-To: <455D364F.6060806@mnin.org>
References: <455D364F.6060806@mnin.org>
Message-ID: <455DB4C9.4060703@bleedingthreats.net>

Got em, posted already. :)

Excellent work by the way guys!

Matt

Michael Hale Ligh wrote:
> Hey Matt,
>
> Five sigs for you on page 25 of
> http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf.
>
> M

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From bleeding at bleedingthreats.net Tue Nov 21 01:00:10 2006
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Tue Nov 21 01:00:52 2006
Subject: [Bleeding-sigs] Bleeding Snort Daily Signature Changes
Message-ID: <20061121010010.B99635502AE@gort.offsitefilter.com>

[***] Results from Oinkmaster started Mon Nov 20 20:00:10 2006 [***]

[+++] Added rules: [+++]

2003187 - BLEEDING-EDGE TROJAN Win32.Lager Trojan Initial Checkin (bleeding-virus.rules)
2003188 - BLEEDING-EDGE TROJAN Win32.Lager Trojan Reporting (bleeding-virus.rules)
2003189 - BLEEDING-EDGE TROJAN Win32.Lager Trojan Reporting (gcu) (bleeding-virus.rules)
2003190 - BLEEDING-EDGE TROJAN Win32.Lager Trojan Reporting Spam (bleeding-virus.rules)
2003191 - BLEEDING-EDGE CURRENT EVENTS Acer LunchApp.Aplunch ActiveX control access (bleeding.rules)

[///] Modified active rules: [///]

2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2410004 -
BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411001 - BLEEDING-EDGE DROP Kn