New sigs
user name
2006-07-25 12:27:25
Some interesting ones from Scott. These are posted. We'll probably follow up with a few more proxy URLs as well.

#These sigs are for the unique things that spam bots do in how they talk
#Submitted by Scott Melnick
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound - Possible Bot"; flow:to_server,established; content:"EHLO billy"; nocase; classtype:trojan-activity; sid:2003049; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Inbound - Possible Bot"; flow:to_server,established; content:"EHLO billy"; nocase; classtype:trojan-activity; sid:2003050; rev:1;)

#Seeing some bots and proxy evasion apps use these proxy judges to find their way out
#by Scotty Melnick
alert tcp any any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)"; flow:established,to_server; uricontent:"/prxjdg.cgi"; nocase; classtype:policy-violation; sid:2003047; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi)"; flow:established,to_server; uricontent:"/proxyjudge.cgi"; nocase; classtype:policy-violation; sid:2003048; rev:1;)


-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
New sigs
user name
2006-07-25 19:10:10
>
> #These sigs are for the unique things that spam bots do in how they talk
> #Submitted by Scott Melnick
> alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound - Possible Bot"; flow:to_server,established; content:"EHLO billy"; nocase; classtype:trojan-activity; sid:2003049; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Inbound - Possible Bot"; flow:to_server,established; content:"EHLO billy"; nocase; classtype:trojan-activity; sid:2003050; rev:1;)

Is the "billy" hardwired in the exe? Or is that the hostname of the lab system that created the packet dump? I had some other traces that had "billy" in them, but when I ran them on my net, it used my hostname instead.

jp

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services@doctorunix.com


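As an added example, not part of the thread: a small Python evaluator that parses the four rules above exactly as posted and runs them over constructed flows, so the direction, port and nocase behaviour of each signature can be checked offline. The values of $HOME_NET and $HTTP_PORTS and all sample flows are assumptions; the third flow is jp's point, an EHLO that carries the sending host's real name instead of "billy" and therefore raises no alert.

```python
import re
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")   # assumed lab value for $HOME_NET
HTTP_PORTS = {80, 8080}               # assumed value for $HTTP_PORTS
# The four rules from the thread, each unwrapped onto a single line.
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound - Possible Bot"; flow:to_server,established; content:"EHLO billy"; nocase; classtype:trojan-activity; sid:2003049; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Inbound - Possible Bot"; flow:to_server,established; content:"EHLO billy"; nocase; classtype:trojan-activity; sid:2003050; rev:1;)',
    'alert tcp any any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)"; flow:established,to_server; uricontent:"/prxjdg.cgi"; nocase; classtype:policy-violation; sid:2003047; rev:1;)',
    'alert tcp any any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi)"; flow:established,to_server; uricontent:"/proxyjudge.cgi"; nocase; classtype:policy-violation; sid:2003048; rev:1;)',
]

def parse_rule(text):
    # Header fields plus an option dict; the bare "nocase;" keyword becomes a boolean.
    header, body = text.split("(", 1)
    _, _, src, _, _, dst, dport = header.split()
    opts = dict(re.findall(r'(\w+):"?([^";]*)"?;', body))
    return {"src": src, "dst": dst, "dport": dport, "nocase": "nocase;" in body, **opts}

def _addr_ok(spec, ip):
    inside = ip_address(ip) in HOME_NET
    return spec == "any" or (inside if spec == "$HOME_NET" else not inside)

def _port_ok(spec, port):
    return spec == "any" or (port in HTTP_PORTS if spec == "$HTTP_PORTS" else port == int(spec))

def rule_matches(rule, flow):
    # flow = {src, dst, dport, payload}; every flow is taken as established,to_server.
    if not (_addr_ok(rule["src"], flow["src"]) and _addr_ok(rule["dst"], flow["dst"])
            and _port_ok(rule["dport"], flow["dport"])):
        return False
    if "uricontent" in rule:   # match only the URI token of the HTTP request line
        tokens = flow["payload"].split("\r\n", 1)[0].split(" ")
        hay, needle = (tokens[1] if len(tokens) > 1 else ""), rule["uricontent"]
    else:                      # plain content: anywhere in the payload
        hay, needle = flow["payload"], rule["content"]
    if rule["nocase"]:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay

def matching_sids(flows, rules=RULES):
    parsed = [parse_rule(r) for r in rules]   # sids of every rule that fires, per flow
    return [[int(r["sid"]) for r in parsed if rule_matches(r, f)] for f in flows]

# Constructed sample traffic (not from the thread); the third flow is jp's concern.
FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 25, "payload": "EHLO billy\r\n"},
    {"src": "203.0.113.10", "dst": "10.0.0.5", "dport": 25, "payload": "ehlo BILLY\r\n"},
    {"src": "10.0.0.7", "dst": "203.0.113.20", "dport": 25, "payload": "EHLO mailhost.example\r\n"},
    {"src": "10.0.0.9", "dst": "198.51.100.4", "dport": 80, "payload": "GET /cgi-bin/prxjdg.cgi HTTP/1.1\r\nHost: 198.51.100.4\r\n\r\n"},
]
```

Calling matching_sids(FLOWS) yields one sid list per flow; the outbound and inbound EHLO flows fire 2003049 and 2003050 respectively, the real-hostname EHLO fires nothing, and the prxjdg.cgi request fires 2003047.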
New sigs
user name
2006-07-25 23:16:33
We're looking into it, that's very possible. 

Matt

Jack Pepper wrote:
>>
>> #These sigs are for the unique things that spam bots do in how they talk
>> #Submitted by Scott Melnick
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Outbound - Possible Bot"; flow:to_server,established; content:"EHLO billy"; nocase; classtype:trojan-activity; sid:2003049; rev:1;)
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Suspicious SMTP EHLO Inbound - Possible Bot"; flow:to_server,established; content:"EHLO billy"; nocase; classtype:trojan-activity; sid:2003050; rev:1;)
> 
> Is the "billy" hardwired in the exe? Or is that the hostname of the lab system that created the packet dump? I had some other traces that had "billy" in them, but when I ran them on my net, it used my hostname instead.
> 
> jp
> 
> -------------------------------------------------
> Email solutions, MS Exchange alternatives and extrication,
> security services, systems integration.
> Contact:    services@doctorunix.com
> 
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------

