Which may be found at http://www.grotto-group.com/~gulfie/projects... maybe
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules Fri Dec 2 00:40:21 2005 | |
|---|---|
| Filename : line | Rules |
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 1 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 2 | # $Id: bleeding.rules $
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 3 | # Bleeding Snort rules.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 4 | # These are rules not stable, mature, or applicable enough to be part of the snort.org official sets.. yet.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 5 | # Someday some may be, at which time they'll be removed from this list and be available via Snort.org
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 6 | # This is for the bleeding edge junkies. Use at your own risk!!!
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 7 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 8 | # SID's are 2000000+ to avoid conflicts
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 9 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 10 | # More information available at www.bleedingsnort.com
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 11 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 12 | # Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 13 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 14 | #*************************************************************
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 15 | # Copyright (c) 2005, Bleedingsnort.com
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 16 | # All rights reserved.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 17 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 18 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 19 | # following conditions are met:
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 20 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 21 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 22 | # disclaimer.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 23 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 24 | # following disclaimer in the documentation and/or other materials provided with the distribution.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 25 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 26 | # from this software without specific prior written permission.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 27 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 28 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 29 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 30 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 31 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 32 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 33 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 34 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 35 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 36 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 37 | #by jnorcross
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 38 | #This will false some, but should be minimal. This should be removed in a month or so. Reevaluate on 1/1/07
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 39 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Bagle.Gen HTTP Get Traffic - Possible Infected Host"; flow: established,to_server; pcre:"//.*/w.php/Ui"; classtype: trojan-activity; sid:2002692; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 40 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 41 | # The rules below were written in response to an ISC Diary that listed known
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 42 | # evil, poisoning name servers .
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 43 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 44 | # Added by Frank Knobbe
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 45 | alert udp $HOME_NET any - > [216.127.88.131,218.38.13.108] 53 (msg: "BLEEDING-EDGE DNS lookup attempt to hostile, poisoning DNS server - ISC Diary"; reference: url,isc.sans.org/diary.php?date=2005-03-30; reference: url,isc.sans.org/diary.php?date=2005-03-31; classtype: misc-attack; sid: 2001834; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 45 | alert udp $HOME_NET any - > [216.127.88.131,218.38.13.108] 53 (msg: "BLEEDING-EDGE DNS lookup attempt to hostile, poisoning DNS server - ISC Diary"; reference: url,isc.sans.org/diary.php?date=2005-03-30; reference: url,isc.sans.org/diary.php?date=2005-03-31; classtype: misc-attack; sid: 2001834; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 46 | alert tcp $HOME_NET any - > [209.123.63.168,64.21.61.5,205.162.201.11,217.16.26.148] any (msg: "BLEEDING-EDGE Sites trying to infect PCs with malware - ISC Diary"; reference: url,isc.sans.org/diary.php?date=2005-03-30; classtype: misc-attack; sid: 2001835; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 47 | alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Web page trying to infect PCs with malware - ISC Diary"; flow: established,to_server; uricontent:"/g7/anticheatsys.php?id=36381"; nocase; reference: url,isc.sans.org/diary.php?date=2005-03-30; classtype: misc-attack; sid: 2001836; rev:7; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 48 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 49 | # Submitted by Stephane Nasdrovisky
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 50 | alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: 218.38.13.108"; content:"|da 26 0d 6c|"; classtype: bad-unknown; sid: 2001837; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 51 | alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: 217.16.26.148"; content:"|d9 10 1a 94|"; classtype: bad-unknown; sid: 2001838; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 52 | alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: 205.162.201.11"; content:"|cd a2 c9 0b|"; classtype: bad-unknown; sid: 2001839; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 53 | alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: besthost.co.kr"; content:"|08 62 65 73 74 68 6f 73 74 02 63 6f 02 6b 72 00|"; classtype: bad-unknown; sid: 2001840; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 54 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 55 | #Matt Jonkman, related to dns poisoning
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 56 | alert udp $HOME_NET any - > any 53 (msg: "BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 7sir7.com"; content:"|05|7sir7|03|com"; nocase; reference: url,isc.sans.org/diary.php?date=2005-04-07; classtype: misc-activity; sid: 2001842; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 57 | alert udp $HOME_NET any - > any 53 (msg: "BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 123xxl.com"; content:"|06|123xxl|03|com"; nocase; reference: url,isc.sans.org/diary.php?date=2005-04-07; classtype: misc-activity; sid: 2001843; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 58 | alert udp $HOME_NET any - > any 53 (msg: "BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain abx4.com"; content:"|04|abx4|03|com"; nocase; reference: url,isc.sans.org/diary.php?date=2005-04-07; classtype: misc-activity; sid: 2001844; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 59 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 60 | #from dajackman re incidents.org entry
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 61 | alert tcp $HOME_NET any - > 193.227.227.218 53 (msg:"BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (tcp)"; flags: S,12; threshold:type limit, track by_src, count 1, seconds 60; reference:url,isc.sans.org/diary.php?storyid=819; classtype:misc-activity; sid:2002670; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 62 | alert udp $HOME_NET any - > 193.227.227.218 53 (msg:"BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (udp)"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,isc.sans.org/diary.php?storyid=819; classtype:misc-activity; sid:2002672; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 63 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 64 | #by Blake Hartstein
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 65 | alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer Window() Possible Code Execution"; flow:established,from_server; content:"window"; nocase; pcre:"/ < [^ > ]+on[^ > ]+window\s*\(\s*\)/i"; reference:url,secunia.com/advisories/15546; reference:url,www.computerterrorism.com/research/ie/ct21-11-2005; reference:cve,2005-1790; classtype:attempted-user; sid:2002682; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 65 | alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer Window() Possible Code Execution"; flow:established,from_server; content:"window"; nocase; pcre:"/ < [^ > ]+on[^ > ]+window\s*\(\s*\)/i"; reference:url,secunia.com/advisories/15546; reference:url,www.computerterrorism.com/research/ie/ct21-11-2005; reference:cve,2005-1790; classtype:attempted-user; sid:2002682; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 66 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 67 | # Created 2005/08/14 by Frank Knobbe in response to first information posted on ISC
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 68 | alert tcp any any - > any 1024:65535 (msg:"BLEEDING-EDGE Possible MS05-039 PnP worm infection"; flow:established,to_server; content:"get winpnp.exe"; depth:200; nocase; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:trojan-activity; sid:2002185; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 69 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 70 | #matt Jonkman, from full-disclosure post. Unknown variant of upnp worm
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 71 | alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg: "BLEEDING-EDGE Current Events Possible UPnP Infection - gc.exe download"; flow:to_server,established; uricontent:"/gc.exe"; nocase; classtype:trojan-activity; sid:2002190; rev: 1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 72 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 73 | #by Tom at Doctorunix.com
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 74 | #This should be looked at for removal about 1/1/06, this will be evaded soon surely
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 75 | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT shellbot code injection attempt"; flow: established,from_client; uricontent:"/fbi.gif?&cmd"; nocase; classtype: web-application-attack; sid:2002701; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 76 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 77 | #matt Jonkman from ISC diary entry of 9/21/05
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 78 | alert tcp $HOME_NET any - > $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT Hostile Javascript s_ta_ts.js Requested"; flow:established,to_server; uricontent:"/s_ta_ts.js"; nocase; reference:url,isc.sans.org/diary.php?date=2005-09-21; classtype:suspicious-filename-detect; sid:2002378; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 79 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 80 | # From forum post by merphie. We should remove this around 8/25 or so assuming the threat has passed
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 81 | alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg: "BLEEDING-EDGE Current Events OSA4.GIF Detected Possible Trojan.Tooso Infection"; flow:to_server; uricontent:"/osa4.gif"; nocase; depth:50; classtype:trojan-activity; sid:2002189; rev: 5;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding.rules : 82 |
|