#
# $Id: bleeding.rules $
# Bleeding Snort rules. 
#  These are rules not stable, mature, or applicable enough to be part of the snort.org official sets.. yet.
#  Someday some may be, at which time they'll be removed from this list and be available via Snort.org
#  This is for the bleeding edge junkies. Use at your own risk!!!
#
# SID's are 2000000+ to avoid conflicts
#
# More information available at www.bleedingsnort.com
#
# Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
#
#*************************************************************
#  Copyright (c) 2005, Bleedingsnort.com
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#by jnorcross
#This will false some, but should be minimal. This should be removed in a month or so. Reevaluate on 1/1/07
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Bagle.Gen HTTP Get Traffic - Possible Infected Host"; flow: established,to_server; pcre:"//.*/w.php/Ui"; classtype: trojan-activity; sid:2002692; rev:1;)

# The rules below were written in response to an ISC Diary that listed known
# evil, poisoning name servers .

# Added by Frank Knobbe
alert udp $HOME_NET any -> [216.127.88.131,218.38.13.108] 53 (msg: "BLEEDING-EDGE DNS lookup attempt to hostile, poisoning DNS server - ISC Diary"; reference: url,isc.sans.org/diary.php?date=2005-03-30; reference: url,isc.sans.org/diary.php?date=2005-03-31; classtype: misc-attack; sid: 2001834; rev:3; )
alert tcp $HOME_NET any -> [209.123.63.168,64.21.61.5,205.162.201.11,217.16.26.148] any (msg: "BLEEDING-EDGE Sites trying to infect PCs with malware - ISC Diary"; reference: url,isc.sans.org/diary.php?date=2005-03-30; classtype: misc-attack; sid: 2001835; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Web page trying to infect PCs with malware - ISC Diary"; flow: established,to_server; uricontent:"/g7/anticheatsys.php?id=36381"; nocase; reference: url,isc.sans.org/diary.php?date=2005-03-30; classtype: misc-attack; sid: 2001836; rev:7; )

# Submitted by Stephane Nasdrovisky
alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: 218.38.13.108"; content:"|da 26 0d 6c|"; classtype: bad-unknown; sid: 2001837; rev:3; )
alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: 217.16.26.148"; content:"|d9 10 1a 94|"; classtype: bad-unknown; sid: 2001838; rev:2; )
alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: 205.162.201.11"; content:"|cd a2 c9 0b|"; classtype: bad-unknown; sid: 2001839; rev:2; )
alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: besthost.co.kr"; content:"|08 62 65 73 74 68 6f 73 74 02 63 6f 02 6b 72 00|"; classtype: bad-unknown; sid: 2001840; rev:2; )

#Matt Jonkman, related to dns poisoning
alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 7sir7.com"; content:"|05|7sir7|03|com"; nocase; reference: url,isc.sans.org/diary.php?date=2005-04-07; classtype: misc-activity; sid: 2001842; rev:4; )
alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 123xxl.com"; content:"|06|123xxl|03|com"; nocase; reference: url,isc.sans.org/diary.php?date=2005-04-07; classtype: misc-activity; sid: 2001843; rev:4; )
alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain abx4.com"; content:"|04|abx4|03|com"; nocase; reference: url,isc.sans.org/diary.php?date=2005-04-07; classtype: misc-activity; sid: 2001844; rev:4; )

#from dajackman re incidents.org entry
alert tcp $HOME_NET any -> 193.227.227.218 53 (msg:"BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (tcp)"; flags: S,12; threshold:type limit, track by_src, count 1, seconds 60; reference:url,isc.sans.org/diary.php?storyid=819; classtype:misc-activity; sid:2002670; rev:2;)
alert udp $HOME_NET any -> 193.227.227.218 53 (msg:"BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (udp)"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,isc.sans.org/diary.php?storyid=819; classtype:misc-activity; sid:2002672; rev:2;)

#by Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer Window() Possible Code Execution"; flow:established,from_server; content:"window"; nocase; pcre:"/<[^>]+on[^>]+window\s*\(\s*\)/i"; reference:url,secunia.com/advisories/15546; reference:url,www.computerterrorism.com/research/ie/ct21-11-2005; reference:cve,2005-1790; classtype:attempted-user; sid:2002682; rev:3; )

# Created 2005/08/14 by Frank Knobbe in response to first information posted on ISC
alert tcp any any -> any 1024:65535 (msg:"BLEEDING-EDGE Possible MS05-039 PnP worm infection"; flow:established,to_server; content:"get winpnp.exe"; depth:200; nocase; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:trojan-activity; sid:2002185; rev:2;)

#matt Jonkman, from full-disclosure post. Unknown variant of upnp worm
alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg: "BLEEDING-EDGE Current Events Possible UPnP Infection - gc.exe download"; flow:to_server,established; uricontent:"/gc.exe"; nocase; classtype:trojan-activity; sid:2002190; rev: 1;)

#by Tom at Doctorunix.com
#This should be looked at for removal about 1/1/06, this will be evaded soon surely
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT shellbot code injection attempt"; flow: established,from_client; uricontent:"/fbi.gif?&cmd"; nocase; classtype: web-application-attack; sid:2002701; rev:1;)

#matt Jonkman from ISC diary entry of 9/21/05
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT Hostile Javascript s_ta_ts.js Requested"; flow:established,to_server; uricontent:"/s_ta_ts.js"; nocase; reference:url,isc.sans.org/diary.php?date=2005-09-21; classtype:suspicious-filename-detect; sid:2002378; rev:2;)

# From forum post by merphie. We should remove this around 8/25 or so assuming the threat has passed
alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg: "BLEEDING-EDGE Current Events OSA4.GIF Detected Possible Trojan.Tooso Infection"; flow:to_server; uricontent:"/osa4.gif"; nocase; depth:50; classtype:trojan-activity; sid:2002189; rev: 5;)