List Info

Thread: Bleeding Edge Threats Daily Signature Changes
Bleeding Edge Threats Daily Signature Changes
country flaguser name
United States		 2007-06-10 15:00:06 
[***] Results from Oinkmaster started Sun Jun 10 16:00:06
2007 [***]

[+++]          Added rules:          [+++]

 2004343 - BLEEDING-EDGE WEB X-Ice News System SQL Injection
Attempt -- devami.asp id SELECT (bleeding-web.rules)
 2004598 - BLEEDING-EDGE POLICY Known SSL traffic on port
9001 (aol) being excluded from SSL Alerts
(bleeding-policy.rules)
 2404007 - BLEEDING-EDGE DROP Known Bot C&C Server
Traffic (group 8)  (bleeding-botcc.rules)
 2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic
(group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[///]     Modified active rules:     [///]

 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic
Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic
Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic
Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic
Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic
Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic
Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic
Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic
Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic
Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic
Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source
(bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source -
BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server
Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server
Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server
Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server
Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server
Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server
Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server
Traffic (group 7)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic
(group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic
(group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic
(group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic
(group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic
(group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic
(group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic
(group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 210

     -> Added to bleeding-drop.rules (1):
        #  VERSION 210

     -> Added to bleeding-sid-msg.map (4):
        2004343 || BLEEDING-EDGE WEB X-Ice News System SQL
Injection Attempt -- devami.asp id SELECT ||
url,www.milw0rm.com/exploits/3469 || cve,CVE-2007-1438
        2004598 || BLEEDING-EDGE POLICY Known SSL traffic on
port 9001 (aol) being excluded from SSL Alerts
        2404007 || BLEEDING-EDGE DROP Known Bot C&C
Server Traffic (group 8)  || url,www.shadowserver.org
        2405007 || BLEEDING-EDGE DROP Known Bot C&C
Traffic (group 8) - BLOCKING SOURCE ||
url,www.shadowserver.org

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 209

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 209

     -> Removed from bleeding-web.rules (1):
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"BLEEDING-EDGE WEB X-Ice News System
SQL Injection Attempt -- devami.asp id SELECT";
flow:established,to_server;
uricontent:"/devami.asp?"; nocase;
uricontent:"id="; nocase;
pcre:"/SELECT.+FROM/Ui";
classtype:web-application-attack;
reference:cve,CVE-2007-1438;
reference:url,www.milw0rm.com/exploits/3469; sid:i2004343;
rev:1;)

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/
mailman/listinfo/bleeding-sigs
Find the fish
country flaguser name
United States		 2007-06-11 09:52:17 
Tell me what is wrong with these signatures 

#by tinytwitty
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE 
WEB Zomplog SQL Injection Attempt -- mp3playlist.php speler
SELECT"; 
flow:established,to_server; 
uricontent:"/plugins/mp3playlist/mp3playlist.php?"
; nocase; 
uricontent:"speler="; nocase;
pcre:"/.+SELECT.+FROM/Ui"; 
classtype:web-application-attack;
reference:cve,CVE-2007-2773; 
reference:url,www.milw0rm.com/exploits/3955; sid:2003981;
rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE 
WEB Zomplog SQL Injection Attempt -- mp3playlist.php speler
UNION SELECT"; 
flow:established,to_server; 
uricontent:"/plugins/mp3playlist/mp3playlist.php?"
; nocase; 
uricontent:"speler="; nocase;
pcre:"/.+UNIONs+SELECT/Ui"; 
classtype:web-application-attack;
reference:cve,CVE-2007-2773; 
reference:url,www.milw0rm.com/exploits/3955; sid:2003982;
rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE 
WEB Zomplog SQL Injection Attempt -- mp3playlist.php speler
INSERT"; 
flow:established,to_server; 
uricontent:"/plugins/mp3playlist/mp3playlist.php?"
; nocase; 
uricontent:"speler="; nocase;
pcre:"/.+INSERT.+INTO/Ui"; 
classtype:web-application-attack;
reference:cve,CVE-2007-2773; 
reference:url,www.milw0rm.com/exploits/3955; sid:2003983;
rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE 
WEB Zomplog SQL Injection Attempt -- mp3playlist.php speler
DELETE"; 
flow:established,to_server; 
uricontent:"/plugins/mp3playlist/mp3playlist.php?"
; nocase; 
uricontent:"speler="; nocase;
pcre:"/.+DELETE.+FROM/Ui"; 
classtype:web-application-attack;
reference:cve,CVE-2007-2773; 
reference:url,www.milw0rm.com/exploits/3955; sid:2003984;
rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE 
WEB Zomplog SQL Injection Attempt -- mp3playlist.php speler
ASCII"; 
flow:established,to_server; 
uricontent:"/plugins/mp3playlist/mp3playlist.php?"
; nocase; 
uricontent:"speler="; nocase;
pcre:"/.+ASCII(.+SELECT/Ui"; 
classtype:web-application-attack;
reference:cve,CVE-2007-2773; 
reference:url,www.milw0rm.com/exploits/3955; sid:2003985;
rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE 
WEB Zomplog SQL Injection Attempt -- mp3playlist.php speler
UPDATE"; 
flow:established,to_server; 
uricontent:"/plugins/mp3playlist/mp3playlist.php?"
; nocase; 
uricontent:"speler="; nocase;
pcre:"/.+UPDATE.+SET/Ui"; 
classtype:web-application-attack;
reference:cve,CVE-2007-2773; 
reference:url,www.milw0rm.com/exploits/3955; sid:2003986;
rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE 
WEB Zomplog SQL Injection Attempt -- mp3playlist.php speler
SELECT"; 
flow:established,to_server; 
uricontent:"/plugins/mp3playlist/mp3playlist.php?"
; nocase; 
uricontent:"speler="; nocase;
pcre:"/.+SELECT.+FROM/Ui"; 
classtype:web-application-attack;
reference:cve,CVE-2007-2773; 
reference:url,www.milw0rm.com/exploits/3955; sid:2003975;
rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE 
WEB Zomplog SQL Injection Attempt -- mp3playlist.php speler
UNION SELECT"; 
flow:established,to_server; 
uricontent:"/plugins/mp3playlist/mp3playlist.php?"
; nocase; 
uricontent:"speler="; nocase;
pcre:"/.+UNIONs+SELECT/Ui"; 
classtype:web-application-attack;
reference:cve,CVE-2007-2773; 
reference:url,www.milw0rm.com/exploits/3955; sid:2003976;
rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE 
WEB Zomplog SQL Injection Attempt -- mp3playlist.php speler
INSERT"; 
flow:established,to_server; 
uricontent:"/plugins/mp3playlist/mp3playlist.php?"
; nocase; 
uricontent:"speler="; nocase;
pcre:"/.+INSERT.+INTO/Ui"; 
classtype:web-application-attack;
reference:cve,CVE-2007-2773; 
reference:url,www.milw0rm.com/exploits/3955; sid:2003977;
rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE 
WEB Zomplog SQL Injection Attempt -- mp3playlist.php speler
DELETE"; 
flow:established,to_server; 
uricontent:"/plugins/mp3playlist/mp3playlist.php?"
; nocase; 
uricontent:"speler="; nocase;
pcre:"/.+DELETE.+FROM/Ui"; 
classtype:web-application-attack;
reference:cve,CVE-2007-2773; 
reference:url,www.milw0rm.com/exploits/3955; sid:2003978;
rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE 
WEB Zomplog SQL Injection Attempt -- mp3playlist.php speler
ASCII"; 
flow:established,to_server; 
uricontent:"/plugins/mp3playlist/mp3playlist.php?"
; nocase; 
uricontent:"speler="; nocase;
pcre:"/.+ASCII(.+SELECT/Ui"; 
classtype:web-application-attack;
reference:cve,CVE-2007-2773; 
reference:url,www.milw0rm.com/exploits/3955; sid:2003979;
rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"BLEEDING-EDGE 
WEB Zomplog SQL Injection Attempt -- mp3playlist.php speler
UPDATE"; 
flow:established,to_server; 
uricontent:"/plugins/mp3playlist/mp3playlist.php?"
; nocase; 
uricontent:"speler="; nocase;
pcre:"/.+UPDATE.+SET/Ui"; 
classtype:web-application-attack;
reference:cve,CVE-2007-2773; 
reference:url,www.milw0rm.com/exploits/3955; sid:2003980;
rev:2;)



2003975-2003980 are exactly the same as 2003981-2003986

Shirkdog
' or 1=1--
http://www.shirkdog.us

____________________________________________________________
_____
Make every IM count. Download Messenger and join the i’m
Initiative now. 
It’s free. http://im.live.com/messenger/im/home/?source=TAGHM_June
07

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/
mailman/listinfo/bleeding-sigs
[1-2]

about | contact  Other archives ( Real Estate discussion Medical topics )