From daniel.clemens at packetninjas.net Mon Dec 1 11:32:25 2008
From: daniel.clemens at packetninjas.net (Daniel Clemens)
Date: Mon, 1 Dec 2008 10:32:25 -0600
Subject: [Emerging-Sigs] Russian based worm exploiting MS08-067
In-Reply-To: <492D5820.6060301@jonkmans.com>
References: <492D5820.6060301@jonkmans.com>
Message-ID:

On Nov 26, 2008, at 8:07 AM, Matt Jonkman wrote:

> Great research from Daniel Clemens and McAfee:
>
> http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
>
> http://www.packetninjas.net/?p=73
>
> Daniel has put up a signature that ought to be reliable. It's in
> CURRENT_EVENTS as this worm may not last long. We'll drop it in a
> couple weeks if so.

Matt, thanks for your email.
I think there may have been a bit of confusion on the timing of my blog post. My research was based on the first Chinese version that had been 'wormized'. I think we had signatures already posted, but not real documentation as to why they had been posted or what the actions had been tied to.

McAfee's was based on the latest Russian variant which seems to behave a bit differently.

> As far as we know the existing sigs for the actual MS08-067 will catch
> the exploit attempts internally.

This is true. The SecureWorks sigs should catch the internal exploitation.

| Daniel Uriah Clemens
| Packetninjas L.L.C
| http://www.packetninjas.net
| c. 205.567.6850
| o. 866.267.8851
"The secret to creativity is knowing how to hide your sources" Einstein

From staneyre at bol.com.br Mon Dec 1 13:44:59 2008
From: staneyre at bol.com.br (Sandro Reis)
Date: Mon, 01 Dec 2008 16:44:59 -0200
Subject: [Emerging-Sigs] Rule for detection use HTTP-TUNNEL to Anonymous Access Internet
Message-ID: <493430AB.6010400@bol.com.br>

#By Sandro Reis
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Use HTTP-TUNNEL to Anonymous Access"; content:"GET http://cachenetwork.net/login/FetchProtocolVersion2.htm"; classtype:policy-violation; threshold:type limit, track by_src,count 1, seconds 30; sid:2009017; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Use HTTP-TUNNEL to Anonymous Access"; content:"GET http://cachenetwork.net/login/fetchFreeServersVersion2.aspx"; classtype:policy-violation; threshold:type limit, track by_src,count 1, seconds 30; sid:2009018; rev:1;)

From emerging at emergingthreats.net Mon Dec 1 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 1 Dec 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081201210008.9ADC64501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Dec 1 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008805 - ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start (emerging-virus.rules)
2008806 - ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start Response (emerging-virus.rules)
2008807 - ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Start (emerging-virus.rules)
2008808 - ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (6):
2008805 || ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start
2008806 || ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start Response
2008807 || ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Start
2008808 || ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic
2500084 || ET COMPROMISED Known Compromised or Hostile Host Traffic (85) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510084 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (85) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (6):
2008805 || ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start
2008806 || ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start Response
2008807 || ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Start
2008808 || ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic
2500084 || ET COMPROMISED Known Compromised or Hostile Host Traffic (85) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510084 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (85) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-virus.rules (2):
#By pedromarinho and matt jonkman.
#Downloader.Agent.bnm and dnschange.bnm, etc

From sun at vakharia.info Tue Dec 2 02:27:54 2008
From: sun at vakharia.info (¯`·._The Sun_.·´¯)
Date: Tue, 2 Dec 2008 12:57:54 +0530
Subject: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster (Joel Esler)
In-Reply-To:
References:
Message-ID:

My apologies for the delay in response.
I am running Version 2.8.3.1 (Build 17) which seems to be the latest out there.
Please help.

> Date: Wed, 26 Nov 2008 08:48:12 -0500
> From: Joel Esler
> Subject: Re: [Emerging-Sigs] Snort rules, EmergingThreats rules and
> Oinkmaster
> To: ¯`·._The Sun_.·´¯
> Cc: emerging-sigs at emergingthreats.net
> Message-ID: <52C42CD3-9613-494A-AA08-9D60E26AF5B2 at sourcefire.com>
> Content-Type: text/plain; charset="windows-1252"
>
> Are you running the current version of Snort?
>
> Joel
>
> On Nov 26, 2008, at 7:18 AM, ¯`·._The Sun_.·´¯ wrote:
>
> > Thank you for helping me out.
> >
> >
> > Rule application order: activation->dynamic->pass->drop->alert->log
> > Log directory = /var/log/snort
> > Encoded Rule Plugin SID: 13922, GID: 3 not registered properly.
> > Disabling this rule.
> > Encoded Rule Plugin SID: 13476, GID: 3 not registered properly.
> > Disabling this rule.
> > Encoded Rule Plugin SID: 13308, GID: 3 not registered properly.
> > Disabling this rule.
> > Encoded Rule Plugin SID: 10126, GID: 3 not registered properly.
> > Disabling this rule.
> > --------------------------------------------------------------------------------------------------------
> >
> > Looked like it didn't work so far.
> >
> > Since I got a warning (see above) "/usr/local/lib/snort_dynamicrule/
> > does not exist!", I went back to edit my snort.conf with the
> > following:
> > dynamicdetection directory /usr/local/lib/snort_dynamicrules/
> > (notice the "s" at the end).
> >
> > Here is what I get after running snort again
> > --------------------------------------------------------------------------------------------------------
> > Loading dynamic engine /usr/local/lib/snort_dynamicengine/
> > libsf_engine.so... done
> > Loading all dynamic detection libs from /usr/local/lib/
> > snort_dynamicrules/...
> > Loading dynamic detection library /usr/local/lib/
> > snort_dynamicrules//lib_sfdynamic_example_rule.so... done
> > Finished Loading all dynamic detection libs from /usr/local/lib/
> > snort_dynamicrules/
> > Loading all dynamic preprocessor libs from /usr/local/lib/
> > snort_dynamicpreprocessor/...
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
> > done
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> > Finished Loading all dynamic preprocessor libs from /usr/local/lib/
> > snort_dynamicpreprocessor/
> > ERROR: Dynamic detection lib /usr/local/lib/snort_dynamicrules//
> > lib_sfdynamic_example_rule.so 1.0 isn't compatible with the current
> > dynamic engine library /usr/local/lib/snort_dynamicengine/
> > libsf_engine.so 1.9.
> > The dynamic detection lib is compiled with an older version of the
> > dynamic engine.
> > --------------------------------------------------------------------------------------------------------
> >
> >
> > Any ideas on what I should be doing next?
> >
> >
> >
> > Subject: Re: [Emerging-Sigs] Snort rules, EmergingThreats rules and
> > Oinkmaster
> > From: dxp2532 at gmail.com
> > To: sun at vakharia.info
> > CC: joel.esler at sourcefire.com; emerging-sigs at emergingthreats.net
> > Date: Wed, 19 Nov 2008 13:59:16 -0500
> >
> > Make sure line similar to this is enabled in the Snort's config file:
> > "dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules/"
> > -
> >
> > -=[ dxp ]=-
> > 0xA3F3C6E3
> >
> >
> >
> > On Mon, 2008-11-17 at 18:22 +0530, ¯`·._The Sun_.·´¯ wrote:
> > Thanks Joel for your help so far.
> > I have gone through the two links (the Snort doc link seems to be
> > over simplified and the TechTarget link seems to be unduly
> > complicated for me).
> > I am not sure if I have configured Snort with the --enable-dynamic-
> > plugin in the first place.
> > At the moment, when I run Snort I get this:
> >
> > Loading dynamic engine /usr/local/lib/snort_dynamicengine/
> > libsf_engine.so... done
> > Loading all dynamic preprocessor libs from /usr/local/lib/
> > snort_dynamicpreprocessor/...
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
> > done
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> > Loading dynamic preprocessor library /usr/local/lib/
> > snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> > Finished Loading all dynamic preprocessor libs from /usr/local/lib/
> > snort_dynamicpreprocessor/
> >
> > I assume that dynamic-plugins are enabled for me.
> >
> > Further I see this:
> > 8924 Option Chains linked into 357 Chain Headers
> > 0 Dynamic rules
> >
> > And still further down in the output I see this:
> > +-----------------------[thresholding-
> > local]-----------------------------------
> > | gen-id=1 sig-id=2003279 type=Both tracking=src
> > count=1 seconds=900
> > | gen-id=1 sig-id=2001872 type=Limit tracking=src
> > count=1 seconds=360
> > | gen-id=1 sig-id=2001663 type=Limit tracking=src
> > count=2 seconds=360
> > | gen-id=1 sig-id=2003276 type=Both tracking=src
> > count=1 seconds=900
> > | gen-id=1 sig-id=2002911 type=Threshold tracking=src
> > count=5 seconds=60
> > | gen-id=1 sig-id=2003257 type=Both tracking=src
> > count=2 seconds=900
> > ......
> >
> > After this:
> > Rule application order: activation->dynamic->pass->drop->alert->log
> > Log directory = /var/log/snort
> > Encoded Rule Plugin SID: 13922, GID: 3 not registered properly.
> > Disabling this rule.
> > Encoded Rule Plugin SID: 13476, GID: 3 not registered properly.
> > Disabling this rule.
> > Encoded Rule Plugin SID: 13308, GID: 3 not registered properly.
> > Disabling this rule.
> > ........
> >
> > Taking the first SID: 13922
> > root at desktop:/etc/snort/so_rules# grep -r 13922 *
> > Binary file precompiled/Ubuntu-8.04/x86-64/2.8.3/web-misc.so matches
> > web-misc.rules:alert tcp $HOME_NET ...truncated text
> >
> > root at desktop:/etc/snort/so_rules/src# make
> > ls: cannot access web-misc_*.c: No such file or directory
> > ls: cannot access sql_*.c: No such file or directory
> > ..
> > ..
> > p2p_winny.c:151: error: ‘RULE_MATCH’ undeclared (first use in this
> > function)
> > make: *** [p2p_winny] Error 1
> >
> >
> > What's the next step that I need to take?

From signatures at stillsecure.com Tue Dec 2 06:32:52 2008
From: signatures at stillsecure.com (signatures)
Date: Tue, 2 Dec 2008 04:32:52 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Dec-02-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2914@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. TurnkeyForms Local Classifieds listtest.php r parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TurnkeyForms Local Classifieds listtest.php r parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/listtest.php?"; nocase; uricontent:"r="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32591/; reference:url,milw0rm.com/exploits/7035; sid:10051; rev:1;)

2. DevelopItEasy Photo Gallery cat_id parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DevelopItEasy Photo Gallery cat_id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/gallery_category.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32593/; reference:url,milw0rm.com/exploits/7016; sid:2008118; rev:1;)

3. DevelopItEasy Photo Gallery photo_id parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DevelopItEasy Photo Gallery photo_id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/gallery_photo.php?"; nocase; uricontent:"photo_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32593/; reference:url,milw0rm.com/exploits/7016; sid:2008119; rev:1;)

4. DeltaScripts PHP Classifieds siteid parameter Remote SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DeltaScripts PHP Classifieds siteid parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/detail.php?"; nocase; uricontent:"siteid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,frsirt.com/english/advisories/2008/3079; reference:bugtraq,32191; sid:2009128; rev:1;)

5. Enthusiast path parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Enthusiast path parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/show_joined.php?"; nocase; uricontent:"path="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,secunia.com/advisories/32628/; reference:url,bugreport.ir/index_57.htm; sid:2009200; rev:1;)

6. Enthusiast path parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Enthusiast path parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/show_joined.php?"; nocase; uricontent:"path="; nocase; pcre:"/path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32628/; reference:url,bugreport.ir/index_57.htm; sid:2009201; rev:1;)

7. DevelopItEasy News And Article aid parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DevelopItEasy News And Article aid parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/article_details.php?"; nocase; uricontent:"aid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7014; reference:url,secunia.com/Advisories/32595/; sid:2009120; rev:1;)

8. MyioSoft EasyBookMarker Parent parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MyioSoft EasyBookMarker Parent parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/bookmarker_backend.php?"; nocase; uricontent:"Parent="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32636/; reference:url,milw0rm.com/exploits/7053; sid:2008134; rev:1;)

9. Five Dollar Scripts Drinks Script recid parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Five Dollar Scripts Drinks Script recid parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"cmd=6"; nocase; uricontent:"recid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32579/; reference:url,www.milw0rm.com/exploits/7007; sid:806152; rev:1;)

10. Maran PHP Shop id Parameter Remote SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Maran PHP Shop id Parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/prodshow.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,32043; reference:url,frsirt.com/english/advisories/2008/2976; sid:2008112; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure
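What the StillSecure signatures above test on a request, as an added example that is not part of the original post and is not Snort's own code: it parses two of the posted rules and evaluates their `content`, `uricontent` and `pcre` options against constructed request URIs, including a benign one that still alerts, the kind of false positive Matt Jonkman raises elsewhere in this thread. The helper names are hypothetical, and `urllib.parse.unquote` is an assumed stand-in for Snort's URI normalisation.

```python
import re
from urllib.parse import unquote

# Two rules copied verbatim from the message above (sid 2008112, sid 2009201).
RULES = [
    r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Maran PHP Shop '
    r'id Parameter Remote SQL Injection"; flow:to_server,established; '
    r'content:"GET "; depth:4; uricontent:"/prodshow.php?"; nocase; '
    r'uricontent:"id="; nocase; uricontent:"UNION"; nocase; '
    r'uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; '
    r'classtype:web-application-attack; reference:bugtraq,32043; '
    r'reference:url,frsirt.com/english/advisories/2008/2976; sid:2008112; rev:1;)',
    r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Enthusiast '
    r'path parameter Remote File Inclusion"; flow:to_server,established; '
    r'content:"GET "; depth:4; uricontent:"/show_joined.php?"; nocase; '
    r'uricontent:"path="; nocase; pcre:"/path=\s*(ftps?|https?|php)\:\//Ui"; '
    r'classtype:web-application-attack; '
    r'reference:url,secunia.com/advisories/32628/; '
    r'reference:url,bugreport.ir/index_57.htm; sid:2009201; rev:1;)',
]


def parse_options(rule):
    """Split the (...) option block on ';' outside quotes -> [(key, value)]."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, buf, in_quote, escaped = [], "", False, False
    for ch in body:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == '"':
            buf, in_quote = buf + ch, not in_quote
        elif ch == ";" and not in_quote:
            opts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        opts.append(buf.strip())
    pairs = []
    for opt in opts:
        key, _, val = opt.partition(":")
        pairs.append((key.strip(), val.strip().strip('"')))
    return pairs


def compile_rule(rule):
    """Keep only the options that decide a match: content, uricontent, pcre."""
    sid, checks = None, []
    for key, val in parse_options(rule):
        if key in ("content", "uricontent"):
            checks.append({"kind": key, "needle": val, "nocase": False, "depth": None})
        elif key == "nocase" and checks:
            checks[-1]["nocase"] = True      # modifies the preceding match
        elif key == "depth" and checks:
            checks[-1]["depth"] = int(val)   # only search the first N bytes
        elif key == "pcre":
            end = val.rindex("/")
            flags = val[end + 1:]
            regex = re.compile(val[1:end], re.I if "i" in flags else 0)
            checks.append({"kind": "pcre", "regex": regex, "on_uri": "U" in flags})
        elif key == "sid":
            sid = int(val)
    return sid, checks


def alerts(rule, method, raw_uri):
    """True when every option of the rule matches the request."""
    _, checks = compile_rule(rule)
    payload = f"{method} {raw_uri} HTTP/1.1\r\n"
    uri = unquote(raw_uri)  # assumption: approximates the normalised URI buffer
    for c in checks:
        if c["kind"] == "pcre":
            if not c["regex"].search(uri if c["on_uri"] else payload):
                return False
            continue
        hay = uri if c["kind"] == "uricontent" else payload
        if c["depth"] is not None:
            hay = hay[:c["depth"]]
        needle = c["needle"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def fired_sids(method, raw_uri):
    return [compile_rule(r)[0] for r in RULES if alerts(r, method, raw_uri)]


# Constructed request URIs, not captured traffic.
SAMPLES = [
    "/prodshow.php?id=1%20UNION%20SELECT%201",                 # decoded, then matched
    "/prodshow.php?id=7&note=credit+union+select+committee",   # benign text, still alerts
    "/prodshow.php?id=7&sort=select&group=union",              # words present, wrong order
    "/show_joined.php?path=http://files.example.invalid/inc.txt",
    "/show_joined.php?path=templates/default",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(fired_sids("GET", uri), uri)
```

The four `uricontent` matches are unordered, so the `pcre` is what requires UNION to come before SELECT; it does not tie either word to the named parameter, which is why the second sample alerts.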
From jonkman at jonkmans.com Tue Dec 2 09:15:04 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 02 Dec 2008 09:15:04 -0500
Subject: [Emerging-Sigs] Russian based worm exploiting MS08-067
In-Reply-To: <839aec700811301614g73dad05bn766074bb8798d86a@mail.gmail.com>
References: <492D5820.6060301@jonkmans.com> <839aec700811300839r838af32i9bb46ae84b37f084@mail.gmail.com> <4932D680.3030905@jonkmans.com> <839aec700811301614g73dad05bn766074bb8798d86a@mail.gmail.com>
Message-ID: <493542E8.2090508@jonkmans.com>

Hey Darren, good questions.

The loadadv.exe will be coming (as I understand) from the server. It'll be in a config file to tell it where to pull the next stage infection, clear text. Normally we'd not want to look in all return data from web servers, even for just a static string. High load possibilities. But in this case it's only from the one IP.

So your next question, that IP/domain has been taken down. Should we go external_net, I don't want to do that. I think the load would be significant, and we'd false positive like crazy on any site even discussing that name.

I put it in current events as we knew this one wouldn't last long, but I think it'll be even shorter-lived than expected. Unless anyone has an idea to fix the sig I'll drop it today.

There are sigs for other parts of the secondary infection, so we aren't being blinded.

Thanks

Matt

Darren Spruell wrote:
> Something about the rule header strikes me as funny about 2008800:
>
> alert tcp 84.16.240.233 $HTTP_PORTS -> $HOME_NET any (msg:"ET
> CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December
> 2008"; flow:to_server,established; content:"/loadadv.exe";
> classtype:trojan-activity;
> reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A;
> sid:2008800; rev:2;)
>
> It's expected that the string of the requested file name will be sent
> from the web server to the client?
>
> I'd expect this rather (uricontent instead of content):
>
> alert tcp $HOME_NET any -> 84.16.240.233 $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December
> 2008"; flow:to_server,established; uricontent:"/loadadv.exe";
> classtype:trojan-activity;
> reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A;
> sid:2008800; rev:3;)
>
> As far as the remote IP address goes (84.16.240.233 above), the
> expected download URL is also on trafficconverter.biz which has since
> stopped resolving (domain takedown at .biz registry level.) While
> communication with the domain may be broken, the worm payload
> scheduled to start at 11/25 communicates with 1700+ randomly generated
> domains and may still reach out for an update (for example, to receive
> a new download location for the binary.) In this case, although it
> could be a completely different file name, maybe it would be better to
> just drop the IP and use $EXTERNAL_NET in this rule...?
>
> Darren
>
>
> On Sun, Nov 30, 2008 at 11:08 AM, Matt Jonkman wrote:
>> Cool. I'll just remove that and separate them into 2 matches.
>>
>> Thanks Darren!
>>
>> Matt
>>
>> Darren Spruell wrote:
>>> On Wed, Nov 26, 2008 at 7:07 AM, Matt Jonkman wrote:
>>>> Great research from Daniel Clemens and McAfee:
>>>>
>>>> http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
>>>>
>>>> http://www.packetninjas.net/?p=73
>>>>
>>>> Daniel has put up a signature that ought to be reliable. It's in
>>>> CURRENT_EVENTS as this worm may not last long. We'll drop it in a couple
>>>> weeks if so.
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>>> CURRENT_EVENTS Conficker-A Worm Download Attempt From Dates
>>> 25/11-01/12 2008"; flow:to_server,established;
>>> uricontent:"/search?q=%d&aq=7"; classtype:trojan-activity;
>>> reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A;
>>> sid:2008801; rev:1;)
>>>
>>> The 'q' parameter in the above string I believe is expanded into a
>>> number in the actual request (not a literal %d). It indicates exploit
>>> attempts or similar in the reports I've seen.
>>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Tue Dec 2 09:31:03 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 02 Dec 2008 09:31:03 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov-19-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2911@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2911@webmail.latis.com>
Message-ID: <493546A7.7020909@jonkmans.com>

Posted (sorry for the delay)

Great stuff guys!

Matt

signatures wrote:
> Hi Matt,
>
> Please find 10 New Signatures below:
>
> 1. MW6 Technologies Barcode ActiveX Barcode.dll Multiple
> Arbitrary File Overwrite
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MW6
> Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File
> Overwrite"; flow:to_client,established; content:"CLSID"; nocase;
> content:"14D09688-CFA7-11D5-995A-005004CE563B"; nocase; distance:0;
> pcre:"/(SaveAsBMP|SaveAsWMF)/i"; classtype:web-application-attack;
> reference:bugtraq,31979; reference:url,milw0rm.com/exploits/6871;
> sid:10033; rev:1;)
>
> 2. MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary
> File Overwrite
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MW6 PDF417
> MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite";
> flow:to_client,established; content:"CLSID"; nocase;
> content:"90D2A875-5024-4CCD-80AA-C8A353DB2B45"; nocase; distance:0;
> pcre:"/(SaveAsBMP|SaveAsWMF)/i"; classtype:web-application-attack;
> reference:bugtraq,31983; reference:url,milw0rm.com/exploits/6873;
> sid:10034; rev:1;)
>
> 3. MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple
> Arbitrary File Overwrite
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MW6
> DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File
> Overwrite"; flow:to_client,established; content:"CLSID"; nocase;
> content:"DE7DA0B5-7D7B-4CEA-8739-65CF600D511E"; nocase; distance:0;
> pcre:"/(SaveAsBMP|SaveAsWMF)/i"; classtype:web-application-attack;
> reference:bugtraq,31980; reference:url,milw0rm.com/exploits/6872;
> sid:10035; rev:1;)
>
> 4. MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple
> Arbitrary File Overwrite
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MW6 Aztec
> ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite";
> flow:to_client,established; content:"CLSID"; nocase;
> content:"F359732D-D020-40ED-83FF-F381EFE36B54"; nocase; distance:0;
> pcre:"/(SaveAsBMP|SaveAsWMF)/i"; classtype:web-application-attack;
> reference:bugtraq,31974; reference:url,milw0rm.com/exploits/6870;
> sid:10036; rev:1;)
>
> 5. e107 Plugin lyrics_menu lyrics_song.php l_id Parameter
> Remote SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"e107
> Plugin lyrics_menu lyrics_song.php l_id Parameter Remote SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/lyrics_song.php?"; nocase; uricontent:"l_id="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32477/;
> reference:url,milw0rm.com/exploits/6885; sid:10039; rev:1;)
>
> 6. Chilkat Crypt ActiveX Component WriteFile Insecure Method
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Chilkat Crypt
> ActiveX Component WriteFile Insecure Method";
> flow:to_client,established; content:"CLSID"; nocase;
> content:"3352B5B9-82E8-4FFD-9EB1-1A3E60056904"; nocase; distance:0;
> content:"WriteFile"; nocase; classtype:web-application-attack;
> reference:url,secunia.com/Advisories/32513/;
> reference:url,milw0rm.com/exploits/6963; sid:10041; rev:1;)
>
> 7. SFS EZ Hotscripts-like Site showcategory.php cid Parameter
> SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SFS EZ
> Hotscripts-like Site showcategory.php cid Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/showcategory.php?"; nocase; uricontent:"cid="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32536/;
> reference:url,milw0rm.com/exploits/6903; sid:10042; rev:1;)
>
> 8. SFS EZ Hotscripts-like Site software-description.php id
> Parameter SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SFS EZ
> Hotscripts-like Site software-description.php id Parameter SQL
> Injection"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/software-description.php?"; nocase; uricontent:"id=";
> nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32536/;
> reference:url,milw0rm.com/exploits/6915; sid:10043; rev:1;)
>
> 9. YourFreeWorld Autoresponder hosting tr.php id Parameter SQL
> Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"YourFreeWorld Autoresponder hosting tr.php id Parameter SQL
> Injection"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/autoresponderhosting/tr.php?"; nocase; uricontent:"id=";
> nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32504/;
> reference:url,milw0rm.com/exploits/6938; sid:10044; rev:1;)
>
> 10. YourFreeWorld Reminder Service tr.php id Parameter SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"YourFreeWorld Reminder Service tr.php id Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/reminderservice/tr.php?"; nocase; uricontent:"id=";
> nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32504/;
> reference:url,milw0rm.com/exploits/6943; sid:10045; rev:1;)
>
> Looking forward to your comments, if any...
>
> Thanks & Regards,
> StillSecure
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Tue Dec 2 09:36:43 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 02 Dec 2008 09:36:43 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov-28-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2913@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2913@webmail.latis.com>
Message-ID: <493547FB.7000601@jonkmans.com>

Also posted!

signatures wrote:
> Hi Matt,
>
> Please find 10 New Signatures below:
>
> 1. YourFreeWorld Classifieds Blaster tr.php id Parameter SQL
> Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"YourFreeWorld Classifieds Blaster tr.php id Parameter SQL
> Injection"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/classifiedsblaster/tr.php?"; nocase; uricontent:"id=";
> nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32504/;
> reference:url,milw0rm.com/exploits/6944; sid:10046; rev:1;)
>
> 2. TBmnetCMS index.php content Parameter Local File Inclusion
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TBmnetCMS
> index.php content Parameter Local File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/index.php?"; nocase; uricontent:"content="; nocase;
> pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32462/;
> reference:url,milw0rm.com/exploits/6973; sid:10046; rev:1;)
>
> 3. Tours Manager cityview.php cityid Parameter SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Tours
> Manager cityview.php cityid Parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/cityview.php?"; nocase; uricontent:"cityid="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32503/;
> reference:url,milw0rm.com/exploits/6988; sid:10047; rev:1;)
>
> 4. Joomla Pro Desk Component include_file Local File Inclusion
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Joomla
> Pro Desk Component include_file Local File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/index.php?"; nocase; uricontent:"option=com_pro_desk";
> nocase; uricontent:"include_file="; nocase; pcre:"/(\.\.\/){1,}/U";
> classtype:web-application-attack;
> reference:url,secunia.com/advisories/32523/;
> reference:url,milw0rm.com/exploits/6980; sid:10048; rev:1;)
>
> 5. Pre Podcast Portal tour.php id SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Pre
> Podcast Portal tour.php id SQL Injection"; flow:to_server,established;
> content:"GET "; depth:4; uricontent:"/Tour.php?"; nocase;
> uricontent:"id="; nocase; uricontent:"UNION"; nocase;
> uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui";
> classtype:web-application-attack;
> reference:url,secunia.com/advisories/32563/;
> reference:url,milw0rm.com/exploits/6997; sid:10049; rev:1;)
>
> 6. Way Of The Warrior visualizza.php plancia Parameter Local
> File Inclusion
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Way Of
> The Warrior visualizza.php plancia Parameter Local File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/visualizza.php?"; nocase; uricontent:"plancia="; nocase;
> pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32515/;
> reference:url,milw0rm.com/exploits/6992; sid:10050; rev:1;)
>
> 7. Way Of The Warrior crea.php plancia Parameter Local File
> Inclusion
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Way Of
> The Warrior crea.php plancia Parameter Local File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"crea.php?"; nocase; uricontent:"plancia="; nocase;
> pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32515/;
> reference:url,milw0rm.com/exploits/6992; sid:10051; rev:1;)
>
> 8. Way Of The Warrior crea.php plancia Remote File Inclusion
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Way Of
> The Warrior crea.php plancia Remote File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"crea.php?"; nocase; uricontent:"plancia="; nocase;
> pcre:"/plancia=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,secunia.com/advisories/32515/;
> reference:url,milw0rm.com/exploits/6992; sid:10052; rev:1;)
>
> 9. TurnkeyForms Business Survey Pro id parameter SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"TurnkeyForms Business Survey Pro id parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/survey_results_text.php?"; nocase; uricontent:"id=";
> nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32561/;
> reference:url,milw0rm.com/exploits/7029;
> sid:2009115; rev:1;)
>
> 10. Turnkeyforms Software Directory showcategory.php cid parameter
> SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"Turnkeyforms Software Directory showcategory.php cid parameter SQL
> Injection"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/showcategory.php?"; nocase; uricontent:"cid=";
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32568/;
> reference:url,milw0rm.com/exploits/7027; sid:10050; rev:1;)
>
> Looking forward to your comments, if any...
>
> Thanks & Regards,
> StillSecure

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Tue Dec 2 09:43:36 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 02 Dec 2008 09:43:36 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Dec-02-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2914@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2914@webmail.latis.com>
Message-ID: <49354998.9030604@jonkmans.com>

Also added. That makes 30+ signatures from StillSecure in a couple weeks.

My great thanks to all of you, StillSecure has been a great friend of ET for many years. This is a significant thing they contribute to the community each week.

Thanks!!!

Matt

signatures wrote:
> Hi Matt,
>
> Please find 10 New Signatures below:
>
> 1.
*TurnkeyForms Local Classifieds listtest.php r parameter SQL
> Injection*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"TurnkeyForms Local Classifieds listtest.php r parameter SQL
> Injection"; flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/listtest.php?"; nocase; uricontent:"r="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32591/;
> reference:url,milw0rm.com/exploits/7035; sid:10051; rev:1;)
>
> 2. *DevelopItEasy Photo Gallery cat_id paramter SQL Injection*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"DevelopItEasy Photo Gallery cat_id paramter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/gallery_category.php?"; nocase; uricontent:"cat_id=";
> nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32593/;
> reference:url,milw0rm.com/exploits/7016; sid:2008118; rev:1;)
>
> 3. *DevelopItEasy Photo Gallery photo_id paramter SQL Injection*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"DevelopItEasy Photo Gallery photo_id paramter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/gallery_photo.php?"; nocase; uricontent:"photo_id=";
> nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32593/;
> reference:url,milw0rm.com/exploits/7016; sid:2008119; rev:1;)
>
> 4. *DeltaScripts PHP Classifieds siteid parameter Remote SQL
> Injection*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"DeltaScripts PHP Classifieds siteid parameter Remote SQL
> Injection"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/detail.php?"; nocase; uricontent:"siteid="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,frsirt.com/english/advisories/2008/3079;
> reference:bugtraq,32191; sid:2009128; rev:1;)
>
> 5. *Enthusiast path parameter Local File Inclusion*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"Enthusiast path parameter Local File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/show_joined.php?"; nocase; uricontent:"path="; nocase;
> pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32628/;
> reference:url,bugreport.ir/index_57.htm; sid:2009200; rev:1;)
>
> 6. *Enthusiast path parameter Remote File Inclusion*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"Enthusiast path parameter Remote File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/show_joined.php?"; nocase; uricontent:"path="; nocase;
> pcre:"/path=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,secunia.com/advisories/32628/;
> reference:url,bugreport.ir/index_57.htm; sid:2009201; rev:1;)
>
> 7. *DevelopItEasy News And Article aid parameter SQL Injection*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"DevelopItEasy News And Article aid parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/article_details.php?"; nocase; uricontent:"aid="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/7014;
> reference:url,secunia.com/Advisories/32595/; sid:2009120; rev:1;)
>
> 8. *MyioSoft EasyBookMarker Parent parameter SQL Injection*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MyioSoft
> EasyBookMarker Parent parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/bookmarker_backend.php?"; nocase; uricontent:"Parent=";
> nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32636/;
> reference:url,milw0rm.com/exploits/7053; sid:2008134; rev:1;)
>
> 9. *Five Dollar Scripts Drinks Script recid parameter SQL Injection*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Five
> Dollar Scripts Drinks Script recid parameter SQL Injection";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/index.php?"; nocase; uricontent:"cmd=6"; nocase;
> uricontent:"recid="; nocase; uricontent:"UNION"; nocase;
> uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui";
> classtype:web-application-attack;
> reference:url,secunia.com/Advisories/32579/;
> reference:url,www.milw0rm.com/exploits/7007
> ; sid:806152; rev:1;)
>
> 10. *Maran PHP Shop id Parameter Remote SQL Injection*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Maran PHP
> Shop id Parameter Remote SQL Injection"; flow:to_server,established;
> content:"GET "; depth:4; uricontent:"/prodshow.php?"; nocase;
> uricontent:"id="; nocase; uricontent:"UNION"; nocase;
> uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui";
> classtype:web-application-attack; reference:bugtraq,32043;
> reference:url,frsirt.com/english/advisories/2008/2976; sid:2008112; rev:1;)
>
>
>
> Looking forward for your comments if any?
>
>
> Thanks & Regards,
> StillSecure

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From dxp2532 at gmail.com Tue Dec 2 10:21:42 2008
From: dxp2532 at gmail.com (dxp)
Date: Tue, 02 Dec 2008 10:21:42 -0500
Subject: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster (Joel Esler)
In-Reply-To:
References:
Message-ID: <1228231302.6481.4.camel@kinta>

I think the source of the example rule requires an older detection
engine (1.0).
Look for the following line in "src/dynamic-examples/dynamic-rule/detection_lib_meta.h":
#define REQ_ENGINE_LIB_MINOR 0

It should be 9 instead of 0. Change and recompile.

-
-=[ dxp ]=-
0xA3F3C6E3

On Tue, 2008-12-02 at 12:57 +0530, ?`?._The Sun_.??? wrote:
> My apologies for the delay in response.
>
>
> I am running Version 2.8.3.1 (Build 17) which seems to be the latest
> out there.
>
> Please help.
> >
> > Date: Wed, 26 Nov 2008 08:48:12 -0500
> > From: Joel Esler
> > Subject: Re: [Emerging-Sigs] Snort rules, EmergingThreats rules and
> > Oinkmaster
> > To: ?`?._The Sun_.???
> > Cc: emerging-sigs at emergingthreats.net
> > Message-ID: <52C42CD3-9613-494A-AA08-9D60E26AF5B2 at sourcefire.com>
> > Content-Type: text/plain; charset="windows-1252"
> >
> > Are you running the current version of Snort?
> >
> > Joel
> >
> > On Nov 26, 2008, at 7:18 AM, ?`?._The Sun_.??? wrote:
> >
> > > Thank you for helping me out.
> > >
> > >
> > > Rule application order: activation->dynamic->pass->drop->alert->log
> > > Log directory = /var/log/snort
> > > Encoded Rule Plugin SID: 13922, GID: 3 not registered properly. Disabling this rule.
> > > Encoded Rule Plugin SID: 13476, GID: 3 not registered properly. Disabling this rule.
> > > Encoded Rule Plugin SID: 13308, GID: 3 not registered properly. Disabling this rule.
> > > Encoded Rule Plugin SID: 10126, GID: 3 not registered properly. Disabling this rule.
> > > --------------------------------------------------------------------------------------------------------
> > >
> > > Looked like it didn't work so far.
> > >
> > > Since I got a warning (see above) "/usr/local/lib/snort_dynamicrule/
> > > does not exist!", I went back to edit my snort.conf with the
> > > following:
> > > dynamicdetection directory /usr/local/lib/snort_dynamicrules/
> > > (notice the "s" at the end).
> > >
> > > Here is what I get after running snort again
> > > --------------------------------------------------------------------------------------------------------
> > > Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> > > Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules/...
> > > Loading dynamic detection library /usr/local/lib/snort_dynamicrules//lib_sfdynamic_example_rule.so... done
> > > Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules/
> > > Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> > > Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> > > ERROR: Dynamic detection lib /usr/local/lib/snort_dynamicrules//lib_sfdynamic_example_rule.so 1.0 isn't compatible with the current dynamic engine library /usr/local/lib/snort_dynamicengine/libsf_engine.so 1.9.
> > > The dynamic detection lib is compiled with an older version of the dynamic engine.
> > > --------------------------------------------------------------------------------------------------------
> > >
> > >
> > > Any ideas on what I should be doing next?
> > >
> > >
> > >
> > > Subject: Re: [Emerging-Sigs] Snort rules, EmergingThreats rules and
> > > Oinkmaster
> > > From: dxp2532 at gmail.com
> > > To: sun at vakharia.info
> > > CC: joel.esler at sourcefire.com; emerging-sigs at emergingthreats.net
> > > Date: Wed, 19 Nov 2008 13:59:16 -0500
> > >
> > > Make sure line similar to this is enabled in the Snort's config file:
> > > "dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules/"
> > > -
> > >
> > > -=[ dxp ]=-
> > > 0xA3F3C6E3
> > >
> > >
> > >
> > > On Mon, 2008-11-17 at 18:22 +0530, ?`?._The Sun_.??? wrote:
> > > Thanks Joel for your help so far.
> > > I have gone through the two links (the Snort doc link seems to be
> > > over simplified and the TechTarget link seems to be unduly
> > > complicated for me).
> > > I am not sure if I have configured Snort with the --enable-dynamic-plugin
> > > in the first place.
> > > At the moment, when I run Snort I get this:
> > >
> > > Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> > > Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> > > Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> > > Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> > >
> > > I assume that dynamic-plugins are enabled for me.
> > >
> > > Further I see this:
> > > 8924 Option Chains linked into 357 Chain Headers
> > > 0 Dynamic rules
> > >
> > > And still further down in the output I see this:
> > > +-----------------------[thresholding-local]-----------------------------------
> > > | gen-id=1 sig-id=2003279 type=Both tracking=src count=1 seconds=900
> > > | gen-id=1 sig-id=2001872 type=Limit tracking=src count=1 seconds=360
> > > | gen-id=1 sig-id=2001663 type=Limit tracking=src count=2 seconds=360
> > > | gen-id=1 sig-id=2003276 type=Both tracking=src count=1 seconds=900
> > > | gen-id=1 sig-id=2002911 type=Threshold tracking=src count=5 seconds=60
> > > | gen-id=1 sig-id=2003257 type=Both tracking=src count=2 seconds=900
> > > ......
> > >
> > > After this:
> > > Rule application order: activation->dynamic->pass->drop->alert->log
> > > Log directory = /var/log/snort
> > > Encoded Rule Plugin SID: 13922, GID: 3 not registered properly. Disabling this rule.
> > > Encoded Rule Plugin SID: 13476, GID: 3 not registered properly. Disabling this rule.
> > > Encoded Rule Plugin SID: 13308, GID: 3 not registered properly. Disabling this rule.
> > > ........
> > >
> > > Taking the first SID: 13922
> > > root at desktop:/etc/snort/so_rules# grep -r 13922 *
> > > Binary file precompiled/Ubuntu-8.04/x86-64/2.8.3/web-misc.so matches
> > > web-misc.rules:alert tcp $HOME_NET ...truncated text
> > >
> > > root at desktop:/etc/snort/so_rules/src# make
> > > ls: cannot access web-misc_*.c: No such file or directory
> > > ls: cannot access sql_*.c: No such file or directory
> > > ..
> > > ..
> > > p2p_winny.c:151: error: 'RULE_MATCH'
undeclared (first use in this function)
> > > make: *** [p2p_winny] Error 1
> > >
> > >
> > > What's the next step that I need to take?

From jonkman at jonkmans.com Tue Dec 2 10:22:51 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 02 Dec 2008 10:22:51 -0500
Subject: [Emerging-Sigs] Rule for detection use HTTP-TUNNEL to Anonymous Access Internet
In-Reply-To: <493430AB.6010400@bol.com.br>
References: <493430AB.6010400@bol.com.br>
Message-ID: <493552CB.6060206@jonkmans.com>

Thanks for sending these over Sandro. I have a question though. Is this
going to be a normal http request? If so I'd assume the hostname would
be separated from the uri into a host: field, ya? If so we can separate
that and the rules should remain as accurate.
Thanks

Matt

Sandro Reis wrote:
> #By Sandro Reis
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible
> Use HTTP-TUNNEL to Anonymous Access"; content:"GET
> http://cachenetwork.net/login/FetchProtocolVersion2.htm";
> classtype:policy-violation; threshold:type limit, track by_src,count 1,
> seconds 30; sid:2009017; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible
> Use HTTP-TUNNEL to Anonymous Access"; content:"GET
> http://cachenetwork.net/login/fetchFreeServersVersion2.aspx";
> classtype:policy-violation; threshold:type limit, track by_src,count 1,
> seconds 30; sid:2009018; rev:1;)

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From joel.esler at sourcefire.com Tue Dec 2 10:34:01 2008
From: joel.esler at sourcefire.com (Joel Esler)
Date: Tue, 2 Dec 2008 10:34:01 -0500
Subject: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster (Joel Esler)
In-Reply-To: <1228231302.6481.4.camel@kinta>
References: <1228231302.6481.4.camel@kinta>
Message-ID:

On Dec 2, 2008, at 10:21 AM, dxp wrote:

> I think the source of the example rule requires an older detection
> engine (1.0).
> Look for the following line in "src/dynamic-examples/dynamic-rule/detection_lib_meta.h":
> #define REQ_ENGINE_LIB_MINOR 0
>
> It should be 9 instead of 0. Change and recompile.

Might want to try updating the ruleset?
Joel From emerging at emergingthreats.net Tue Dec 2 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Tue, 2 Dec 2008 16:00:08 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081202210008.775434501B@goliath.jonkmans.com> [***] Results from Oinkmaster started Tue Dec 2 16:00:08 2008 [***] [+++] Added rules: [+++] 2008809 - ET WEB_ACTIVEX MW6 Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File Overwrite (emerging-web.rules) 2008810 - ET WEB_ACTIVEX MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite (emerging-web.rules) 2008811 - ET WEB_ACTIVEX MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite (emerging-web.rules) 2008812 - ET WEB_ACTIVEX MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite (emerging-web.rules) 2008813 - ET WEB_SPECIFIC e107 Plugin lyrics_menu lyrics_song.php l_id Parameter Remote SQL Injection (emerging-web_sql_injection.rules) 2008814 - ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method (emerging-web.rules) 2008815 - ET WEB_SPECIFIC SFS EZ Hotscripts-like Site showcategory.php cid Parameter SQL Injection (emerging-web_sql_injection.rules) 2008816 - ET WEB_SPECIFIC SFS EZ Hotscripts-like Site software-description.php id Parameter SQL Injection (emerging-web_sql_injection.rules) 2008817 - ET WEB_SPECIFIC YourFreeWorld Autoresponder hosting tr.php id Parameter SQL Injection (emerging-web_sql_injection.rules) 2008818 - ET WEB_SPECIFIC YourFreeWorld Reminder Service tr.php id Parameter SQL Injection (emerging-web_sql_injection.rules) 2008819 - ET WEB_SPECIFIC YourFreeWorld Classifieds Blaster tr.php id Parameter SQL Injection (emerging-web_sql_injection.rules) 2008820 - ET WEB_SPECIFIC TBmnetCMS index.php content Parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008821 - ET WEB_SPECIFIC Tours Manager cityview.php cityid Parameter SQL Injection 
(emerging-web_sql_injection.rules) 2008822 - ET WEB_SPECIFIC Joomla Pro Desk Component include_file Local File Inclusion (emerging-web_sql_injection.rules) 2008823 - ET WEB_SPECIFIC Pre Podcast Portal tour.php id SQL Injection (emerging-web_sql_injection.rules) 2008824 - ET WEB_SPECIFIC Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008825 - ET WEB_SPECIFIC Way Of The Warrior crea.php plancia Parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008826 - ET WEB_SPECIFIC Way Of The Warrior crea.php plancia Remote File Inclusion (emerging-web_sql_injection.rules) 2008827 - ET WEB_SPECIFIC TurnkeyForms Business Survey Pro id parameter SQL Injection (emerging-web_sql_injection.rules) 2008828 - ET WEB_SPECIFIC Turnkeyforms Software Directory showcategory.php cid parameter SQL Injection (emerging-web_sql_injection.rules) 2008829 - ET WEB_SPECIFIC TurnkeyForms Local Classifieds listtest.php r parameter SQL Injection (emerging-web_sql_injection.rules) 2008830 - ET WEB_SPECIFIC DevelopItEasy Photo Gallery cat_id paramter SQL Injection (emerging-web_sql_injection.rules) 2008831 - ET WEB_SPECIFIC DevelopItEasy Photo Gallery photo_id paramter SQL Injection (emerging-web_sql_injection.rules) 2008832 - ET WEB_SPECIFIC Enthusiast path parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008833 - ET WEB_SPECIFIC Enthusiast path parameter Remote File Inclusion (emerging-web_sql_injection.rules) 2008834 - ET WEB_SPECIFIC DevelopItEasy News And Article aid parameter SQL Injection (emerging-web_sql_injection.rules) 2008835 - ET WEB_SPECIFIC MyioSoft EasyBookMarker Parent parameter SQL Injection (emerging-web_sql_injection.rules) 2008836 - ET WEB_SPECIFIC Five Dollar Scripts Drinks Script recid parameter SQL Injection (emerging-web_sql_injection.rules) 2008837 - ET WEB_SPECIFIC Maran PHP Shop id Parameter Remote SQL Injection (emerging-web_sql_injection.rules) 2008838 - ET WEB_SPECIFIC DeltaScripts 
PHP Classifieds siteid parameter Remote SQL Injection (emerging-web_sql_injection.rules) [---] Removed rules: [---] 2008800 - ET CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December 2008 (emerging.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (30): 2008809 || ET WEB_ACTIVEX MW6 Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6871 || bugtraq,31979 2008810 || ET WEB_ACTIVEX MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6873 || bugtraq,31983 2008811 || ET WEB_ACTIVEX MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6872 || bugtraq,31980 2008812 || ET WEB_ACTIVEX MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6870 || bugtraq,31974 2008813 || ET WEB_SPECIFIC e107 Plugin lyrics_menu lyrics_song.php l_id Parameter Remote SQL Injection || url,milw0rm.com/exploits/6885 || url,secunia.com/advisories/32477/ 2008814 || ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method || url,/milw0rm.com/exploits/6963 || url,secunia.com/Advisories/32513/ 2008815 || ET WEB_SPECIFIC SFS EZ Hotscripts-like Site showcategory.php cid Parameter SQL Injection || url,milw0rm.com/exploits/6903 || url,secunia.com/advisories/32536/ 2008816 || ET WEB_SPECIFIC SFS EZ Hotscripts-like Site software-description.php id Parameter SQL Injection || url,milw0rm.com/exploits/6915 || url,secunia.com/advisories/32536/ 2008817 || ET WEB_SPECIFIC YourFreeWorld Autoresponder hosting tr.php id Parameter SQL Injection || url,milw0rm.com/exploits/6938 || url,secunia.com/advisories/32504/ 2008818 || ET WEB_SPECIFIC YourFreeWorld Reminder Service tr.php id Parameter SQL Injection || url,milw0rm.com/exploits/6943 || url,secunia.com/advisories/32504/ 2008819 || ET WEB_SPECIFIC YourFreeWorld Classifieds Blaster tr.php id Parameter SQL 
Injection || url,milw0rm.com/exploits/6944 || url,secunia.com/advisories/32504/ 2008820 || ET WEB_SPECIFIC TBmnetCMS index.php content Parameter Local File Inclusion || url,milw0rm.com/exploits/6973 || url,secunia.com/advisories/32462/ 2008821 || ET WEB_SPECIFIC Tours Manager cityview.php cityid Parameter SQL Injection || url,milw0rm.com/exploits/6988 || url,secunia.com/advisories/32503/ 2008822 || ET WEB_SPECIFIC Joomla Pro Desk Component include_file Local File Inclusion || url,milw0rm.com/exploits/6980 || url,secunia.com/advisories/32523/ 2008823 || ET WEB_SPECIFIC Pre Podcast Portal tour.php id SQL Injection || url,milw0rm.com/exploits/6997 || url,secunia.com/advisories/32563/ 2008824 || ET WEB_SPECIFIC Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion || url,milw0rm.com/exploits/6992 || url,secunia.com/advisories/32515/ 2008825 || ET WEB_SPECIFIC Way Of The Warrior crea.php plancia Parameter Local File Inclusion || url,milw0rm.com/exploits/6992 || url,secunia.com/advisories/32515/ 2008826 || ET WEB_SPECIFIC Way Of The Warrior crea.php plancia Remote File Inclusion || url,milw0rm.com/exploits/6992 || url,secunia.com/advisories/32515/ 2008827 || ET WEB_SPECIFIC TurnkeyForms Business Survey Pro id parameter SQL Injection || url,milw0rm.com/exploits/7029 || url,secunia.com/advisories/32561/ 2008828 || ET WEB_SPECIFIC Turnkeyforms Software Directory showcategory.php cid parameter SQL Injection || url,milw0rm.com/exploits/7027 || url,secunia.com/advisories/32568/ 2008829 || ET WEB_SPECIFIC TurnkeyForms Local Classifieds listtest.php r parameter SQL Injection || url,milw0rm.com/exploits/7035 || url,secunia.com/advisories/32591/ 2008830 || ET WEB_SPECIFIC DevelopItEasy Photo Gallery cat_id paramter SQL Injection || url,milw0rm.com/exploits/7016 || url,secunia.com/advisories/32593/ 2008831 || ET WEB_SPECIFIC DevelopItEasy Photo Gallery photo_id paramter SQL Injection || url,milw0rm.com/exploits/7016 || url,secunia.com/advisories/32593/ 2008832 || 
ET WEB_SPECIFIC Enthusiast path parameter Local File Inclusion || url,bugreport.ir/index_57.htm || url,secunia.com/advisories/32628/ 2008833 || ET WEB_SPECIFIC Enthusiast path parameter Remote File Inclusion || url,bugreport.ir/index_57.htm || url,secunia.com/advisories/32628/ 2008834 || ET WEB_SPECIFIC DevelopItEasy News And Article aid parameter SQL Injection || url,secunia.com/Advisories/32595/ || url,milw0rm.com/exploits/7014 2008835 || ET WEB_SPECIFIC MyioSoft EasyBookMarker Parent parameter SQL Injection || url,milw0rm.com/exploits/7053 || url,secunia.com/advisories/32636/ 2008836 || ET WEB_SPECIFIC Five Dollar Scripts Drinks Script recid parameter SQL Injection || url,www.milw0rm.com/exploits/7007 || url,secunia.com/Advisories/32579/ 2008837 || ET WEB_SPECIFIC Maran PHP Shop id Parameter Remote SQL Injection || url,frsirt.com/english/advisories/2008/2976 || bugtraq,32043 2008838 || ET WEB_SPECIFIC DeltaScripts PHP Classifieds siteid parameter Remote SQL Injection || bugtraq,32191 || url,frsirt.com/english/advisories/2008/3079 -> Added to emerging-sid-msg.map.txt (30): 2008809 || ET WEB_ACTIVEX MW6 Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6871 || bugtraq,31979 2008810 || ET WEB_ACTIVEX MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6873 || bugtraq,31983 2008811 || ET WEB_ACTIVEX MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6872 || bugtraq,31980 2008812 || ET WEB_ACTIVEX MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6870 || bugtraq,31974 2008813 || ET WEB_SPECIFIC e107 Plugin lyrics_menu lyrics_song.php l_id Parameter Remote SQL Injection || url,milw0rm.com/exploits/6885 || url,secunia.com/advisories/32477/ 2008814 || ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method || url,/milw0rm.com/exploits/6963 
|| url,secunia.com/Advisories/32513/ 2008815 || ET WEB_SPECIFIC SFS EZ Hotscripts-like Site showcategory.php cid Parameter SQL Injection || url,milw0rm.com/exploits/6903 || url,secunia.com/advisories/32536/ 2008816 || ET WEB_SPECIFIC SFS EZ Hotscripts-like Site software-description.php id Parameter SQL Injection || url,milw0rm.com/exploits/6915 || url,secunia.com/advisories/32536/ 2008817 || ET WEB_SPECIFIC YourFreeWorld Autoresponder hosting tr.php id Parameter SQL Injection || url,milw0rm.com/exploits/6938 || url,secunia.com/advisories/32504/ 2008818 || ET WEB_SPECIFIC YourFreeWorld Reminder Service tr.php id Parameter SQL Injection || url,milw0rm.com/exploits/6943 || url,secunia.com/advisories/32504/ 2008819 || ET WEB_SPECIFIC YourFreeWorld Classifieds Blaster tr.php id Parameter SQL Injection || url,milw0rm.com/exploits/6944 || url,secunia.com/advisories/32504/ 2008820 || ET WEB_SPECIFIC TBmnetCMS index.php content Parameter Local File Inclusion || url,milw0rm.com/exploits/6973 || url,secunia.com/advisories/32462/ 2008821 || ET WEB_SPECIFIC Tours Manager cityview.php cityid Parameter SQL Injection || url,milw0rm.com/exploits/6988 || url,secunia.com/advisories/32503/ 2008822 || ET WEB_SPECIFIC Joomla Pro Desk Component include_file Local File Inclusion || url,milw0rm.com/exploits/6980 || url,secunia.com/advisories/32523/ 2008823 || ET WEB_SPECIFIC Pre Podcast Portal tour.php id SQL Injection || url,milw0rm.com/exploits/6997 || url,secunia.com/advisories/32563/ 2008824 || ET WEB_SPECIFIC Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion || url,milw0rm.com/exploits/6992 || url,secunia.com/advisories/32515/ 2008825 || ET WEB_SPECIFIC Way Of The Warrior crea.php plancia Parameter Local File Inclusion || url,milw0rm.com/exploits/6992 || url,secunia.com/advisories/32515/ 2008826 || ET WEB_SPECIFIC Way Of The Warrior crea.php plancia Remote File Inclusion || url,milw0rm.com/exploits/6992 || url,secunia.com/advisories/32515/ 2008827 || ET 
WEB_SPECIFIC TurnkeyForms Business Survey Pro id parameter SQL Injection || url,milw0rm.com/exploits/7029 || url,secunia.com/advisories/32561/ 2008828 || ET WEB_SPECIFIC Turnkeyforms Software Directory showcategory.php cid parameter SQL Injection || url,milw0rm.com/exploits/7027 || url,secunia.com/advisories/32568/ 2008829 || ET WEB_SPECIFIC TurnkeyForms Local Classifieds listtest.php r parameter SQL Injection || url,milw0rm.com/exploits/7035 || url,secunia.com/advisories/32591/ 2008830 || ET WEB_SPECIFIC DevelopItEasy Photo Gallery cat_id paramter SQL Injection || url,milw0rm.com/exploits/7016 || url,secunia.com/advisories/32593/ 2008831 || ET WEB_SPECIFIC DevelopItEasy Photo Gallery photo_id paramter SQL Injection || url,milw0rm.com/exploits/7016 || url,secunia.com/advisories/32593/ 2008832 || ET WEB_SPECIFIC Enthusiast path parameter Local File Inclusion || url,bugreport.ir/index_57.htm || url,secunia.com/advisories/32628/ 2008833 || ET WEB_SPECIFIC Enthusiast path parameter Remote File Inclusion || url,bugreport.ir/index_57.htm || url,secunia.com/advisories/32628/ 2008834 || ET WEB_SPECIFIC DevelopItEasy News And Article aid parameter SQL Injection || url,secunia.com/Advisories/32595/ || url,milw0rm.com/exploits/7014 2008835 || ET WEB_SPECIFIC MyioSoft EasyBookMarker Parent parameter SQL Injection || url,milw0rm.com/exploits/7053 || url,secunia.com/advisories/32636/ 2008836 || ET WEB_SPECIFIC Five Dollar Scripts Drinks Script recid parameter SQL Injection || url,www.milw0rm.com/exploits/7007 || url,secunia.com/Advisories/32579/ 2008837 || ET WEB_SPECIFIC Maran PHP Shop id Parameter Remote SQL Injection || url,frsirt.com/english/advisories/2008/2976 || bugtraq,32043 2008838 || ET WEB_SPECIFIC DeltaScripts PHP Classifieds siteid parameter Remote SQL Injection || bugtraq,32191 || url,frsirt.com/english/advisories/2008/3079 [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (1): 2008800 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt 
From 1st December 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A

-> Removed from emerging-sid-msg.map.txt (1):
2008800 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A

From emerging at emergingthreats.net Wed Dec 3 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 3 Dec 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081203210008.D023F4501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Dec 3 16:00:08 2008 [***]

[+++] Added rules: [+++]
2008839 - ET TROJAN AdWare.Win32.MWGuide checkin (emerging-virus.rules)
2008840 - ET TROJAN AdWare.Win32.MWGuide keepalive (emerging-virus.rules)
2008841 - ET TROJAN Trojan-PWS.Win32.Small.gs Passwords leak over FTP (emerging-virus.rules)

[///] Modified active rules: [///]
2002400 - ET MALWARE Suspicious User Agent (Microsoft Internet Explorer) (emerging-malware.rules)
2003020 - ET POLICY TLS/SSL Encrypted Application Data on Unusual Port (emerging-policy.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (3):
2008839 || ET TROJAN AdWare.Win32.MWGuide checkin
2008840 || ET TROJAN AdWare.Win32.MWGuide keepalive
2008841 || ET TROJAN Trojan-PWS.Win32.Small.gs Passwords leak over FTP

-> Added to emerging-sid-msg.map.txt (3):
2008839 || ET TROJAN AdWare.Win32.MWGuide checkin
2008840 || ET TROJAN AdWare.Win32.MWGuide keepalive
2008841 || ET TROJAN Trojan-PWS.Win32.Small.gs Passwords leak over FTP

-> Added to emerging-virus.rules (4):
# Ikarus: AdWare.Win32.MWGuide,
#re a98bb554bf012dd25d94b764bc4a0678
# Ikarus: Trojan-PWS.Win32.Small.gs,
#re d752a38abd5327552d5b51cd0e091436

From signatures at stillsecure.com Thu Dec 4 06:35:30 2008
From: signatures at stillsecure.com (signatures)
Date: Thu, 4 Dec 2008 04:35:30 -0700
Subject: [Emerging-Sigs]
StillSecure: 10 New Signatures - Dec-04-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2916@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. PozScripts Business Directory Script cid parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PozScripts Business Directory Script cid parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/showcategory.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,frsirt.com/english/advisories/2008/3118; reference:url,milw0rm.com/exploits/7098; sid:8999; rev:1;)

2. ClipShare Pro channel_detail.php chid Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ClipShare Pro channel_detail.php chid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/channel_detail.php?"; nocase; uricontent:"chid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,32311; reference:url,milw0rm.com/exploits/7128; sid:9000; rev:1;)

3. SlimCMS edit.php pageid Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SlimCMS edit.php pageid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/edit.php?"; nocase; uricontent:"pageID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,32300; sid:9001; rev:1;)

4. VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"433268D7-2CD4-43E6-AA24-2188672E7252"; nocase; distance:0; content:"OpenPDF"; nocase; classtype:web-application-attack; reference:bugtraq,32313; reference:url,milw0rm.com/exploits/7126; sid:9002; rev:1;)

5. Chilkat Socket ACTIVEX Remote Arbitrary File Creation

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Chilkat Socket ACTIVEX Remote Arbitrary File Creation"; content:"CLSID"; nocase; content:"474FCCCD-1B89-4D34-9E09-45807F23289C"; nocase; distance:0; content:"SaveLastError"; nocase; classtype:web-application-attack; reference:bugtraq,32333; reference:url,milw0rm.com/exploits/7142; sid:9003; rev:1;)

6. phpFan init.php Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"phpFan init.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/init.php?"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,32335; reference:url,milw0rm.com/exploits/7143; sid:9004; rev:1;)

7. Ultrastats serverid parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Ultrastats serverid parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"serverid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,32340; reference:url,milw0rm.com/exploits/7148; sid:9005; rev:1;)

8. PHPStore Wholesales id Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PHPStore Wholesales id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/track.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32741/; reference:url,packetstorm.linuxsecurity.com/0811-exploits/wholesale-sql.txt; sid:9006; rev:1;)

9. PHPStore Yahoo Answers id parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PHPStore Yahoo Answers id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"cmd=4"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32717/; reference:url,milw0rm.com/exploits/7131; sid:9007; rev:1;)

10. Vlog System note parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Vlog System note parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/blog.php?"; nocase; uricontent:"user="; nocase; uricontent:"note="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32784/; reference:url,www.milw0rm.com/exploits/7186; sid:9008; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081204/9a3ff2ce/attachment.html

From emerging at emergingthreats.net Thu Dec 4 16:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 4 Dec 2008 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081204210009.252D94501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Dec 4 16:00:09 2008 [***]

[+++] Added rules: [+++]
2008842 - ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (emerging-policy.rules)
2008843 - ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (server download) (emerging-policy.rules)
2008844 - ET TROJAN Mydoom.O at mm HTTP Checkin (emerging-virus.rules)
2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
2406117 - ET RBN Known Russian Business Network Monitored Domains (118)
(emerging-rbn.rules) 2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules) 2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules) 2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules) 2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules) 2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules) 2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules) 2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules) 2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules) 2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business 
Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) [///] Modified active rules: [///] 2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules) 2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network 
Monitored Domains (8) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules) 2406029 - ET RBN Known 
Russian Business Network Monitored Domains (30) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network Monitored Domains (51) 
(emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business 
Network Monitored Domains (73) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules) 2406094 - ET 
RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known 
Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored 
Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) 
(emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) 
(emerging-rbn-BLOCK.rules)
2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules)
2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules)
2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules)
2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 85
# Updated 2008-12-04 08:06:07

-> Added to emerging-rbn.rules (2):
# VERSION 85
# Updated 2008-12-04 08:06:07

-> Added to emerging-sid-msg.map (47):
2008842 || ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access
2008843 || ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (server download)
2008844 || ET TROJAN Mydoom.O at mm HTTP Checkin
2406105 || ET RBN Known Russian Business Network Monitored Domains (106) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406106 || ET RBN Known Russian Business Network Monitored Domains (107) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406107 || ET RBN Known Russian Business Network Monitored Domains (108) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406108 || ET RBN Known Russian Business Network Monitored Domains (109) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406109 || ET RBN Known Russian Business Network Monitored Domains (110) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406110 || ET RBN Known Russian Business Network Monitored Domains (111) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406111 || ET RBN Known Russian Business Network Monitored Domains (112) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406112 || ET RBN Known Russian Business Network Monitored Domains (113) ||
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406113 || ET RBN Known Russian Business Network Monitored Domains (114) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406114 || ET RBN Known Russian Business Network Monitored Domains (115) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406115 || ET RBN Known Russian Business Network Monitored Domains (116) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406116 || ET RBN Known Russian Business Network Monitored Domains (117) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406117 || ET RBN Known Russian Business Network Monitored Domains (118) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406118 || ET RBN Known Russian Business Network Monitored Domains (119) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406119 || ET RBN Known Russian Business Network Monitored Domains (120) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406120 || ET RBN Known Russian Business Network Monitored Domains (121) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406121 || ET RBN Known Russian Business Network Monitored Domains (122) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406122 || ET RBN Known Russian Business Network Monitored Domains (123) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406123 || ET RBN Known Russian Business Network Monitored Domains (124) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406124 || ET RBN Known Russian Business Network Monitored Domains (125) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406125 || ET RBN Known Russian Business Network Monitored Domains (126) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406126 || ET RBN Known Russian Business Network Monitored Domains (127) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407105 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407106 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407107 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407108 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407109 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407110 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407111 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407112 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407113 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407114 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407115 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407116 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407117 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407118 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407119 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407120 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407121 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407122 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407123 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407124 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407125 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407126 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork -> Added to emerging-sid-msg.map.txt (47): 2008842 || ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access 2008843 || ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (server download) 2008844 || ET TROJAN Mydoom.O at mm HTTP Checkin 2406105 || ET RBN Known Russian Business Network Monitored Domains (106) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406106 || ET RBN Known Russian Business Network Monitored Domains (107) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406107 || 
ET RBN Known Russian Business Network Monitored Domains (108) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406108 || ET RBN Known Russian Business Network Monitored Domains (109) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406109 || ET RBN Known Russian Business Network Monitored Domains (110) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406110 || ET RBN Known Russian Business Network Monitored Domains (111) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406111 || ET RBN Known Russian Business Network Monitored Domains (112) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406112 || ET RBN Known Russian Business Network Monitored Domains (113) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406113 || ET RBN Known Russian Business Network Monitored Domains (114) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406114 || ET RBN Known Russian Business Network Monitored Domains (115) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406115 || ET RBN Known Russian Business Network Monitored Domains (116) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406116 || ET RBN Known Russian Business Network Monitored Domains (117) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406117 || ET RBN Known Russian Business Network Monitored Domains (118) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406118 || ET RBN Known Russian Business Network Monitored Domains (119) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406119 || ET RBN Known Russian Business Network Monitored Domains (120) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406120 || ET RBN Known Russian Business Network Monitored Domains (121) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406121 || ET RBN Known Russian 
Business Network Monitored Domains (122) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406122 || ET RBN Known Russian Business Network Monitored Domains (123) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406123 || ET RBN Known Russian Business Network Monitored Domains (124) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406124 || ET RBN Known Russian Business Network Monitored Domains (125) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406125 || ET RBN Known Russian Business Network Monitored Domains (126) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406126 || ET RBN Known Russian Business Network Monitored Domains (127) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407105 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407106 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407107 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407108 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407109 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407110 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407111 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407112 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407113 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407114 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407115 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407116 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407117 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407118 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407119 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407120 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407121 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407122 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407123 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407124 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407125 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407126 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 84
# Updated 2008-11-29 08:34:23

-> Removed from emerging-rbn.rules (2):
# VERSION 84
# Updated 2008-11-29 08:34:23

From emerging at emergingthreats.net Fri Dec 5 16:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 5 Dec 2008 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081205210009.1269645026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Dec 5 16:00:09 2008 [***]

[+++] Added rules: [+++]

2008845 - ET CURRENT_EVENTS Possible Malicious Flash Update (emerging.rules)
2008846 - ET TROJAN Worm.Win32.Evolmi Checkin (emerging-virus.rules)
2008847 - ET MALWARE Suspicious User-Agent (Mozil1a) (emerging-malware.rules)
2008848 - ET TROJAN Worm.Win32.Koobface.C User-Agent (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-malware.rules (3):
#by Victor Julien
# Ikarus: Trojan.Fakeav.BU,
# re 78dd2ddaf75b8d8676d0b5f2e73045a8

-> Added to emerging-sid-msg.map (4):
2008845 || ET CURRENT_EVENTS Possible Malicious Flash Update || url,isc.sans.org/diary.html?storyid=5437
2008846 || ET TROJAN Worm.Win32.Evolmi Checkin
2008847 || ET MALWARE Suspicious User-Agent (Mozil1a)
2008848 || ET TROJAN Worm.Win32.Koobface.C User-Agent

-> Added to emerging-sid-msg.map.txt (4):
2008845 || ET CURRENT_EVENTS Possible Malicious Flash Update || url,isc.sans.org/diary.html?storyid=5437
2008846 || ET TROJAN Worm.Win32.Evolmi Checkin
2008847 || ET MALWARE Suspicious User-Agent (Mozil1a)
2008848 || ET TROJAN Worm.Win32.Koobface.C User-Agent

-> Added to emerging-virus.rules (2):
# Ikarus: Worm.Win32.Koobface.C,
#re e3e392688b15f1077daec4dfc1ca7530

From emerging
at emergingthreats.net Sat Dec 6 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 6 Dec 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081206210008.88DAB4501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Dec 6 16:00:08 2008 [***]

[+++] Added rules: [+++]

2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules)
2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules)
2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules)
2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules)
2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules)
2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules)
2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules)
2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

2008839 - ET TROJAN AdWare.Win32.MWGuide checkin (emerging-virus.rules)
2008840 - ET TROJAN AdWare.Win32.MWGuide keepalive (emerging-virus.rules)
2008841 - ET TROJAN Trojan-PWS.Win32.Small.gs Passwords leak over FTP (emerging-virus.rules)
2008847 - ET MALWARE Suspicious User-Agent (Mozil1a) (emerging-malware.rules)
2008848 - ET TROJAN Worm.Win32.Koobface.C User-Agent (emerging-virus.rules)
2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN
Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) 
(emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business 
Network Monitored Domains (48) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules) 2406069 - ET 
RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network Monitored Domains (91) 
(emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules) 2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules) 2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules) 2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules) 2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules) 2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules) 2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules) 2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules) 2406112 - ET RBN Known Russian 
Business Network Monitored Domains (113) (emerging-rbn.rules) 2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules) 2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules) 2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules) 2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules) 2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules) 2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules) 2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules) 2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules) 2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules) 2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules) 2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules) 2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules) 2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules) 2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) 
(emerging-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)
2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)
2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules)
2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules)
2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules)
2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules)
2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules)
2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules)
2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules)
2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules)
2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules)
2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules)
2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules)
2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules)
2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules)
2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules)
2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules)
2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules)
2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules)
2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules)
2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules)
2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules)
2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules)
2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules)
2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules)
2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules)
2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules)
2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules)
2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules)
2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules)
2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules)
2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules)
2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules)
2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules)
2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules)
2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules)
2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules)
2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules)
2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules)
2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules)
2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules)
2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules)
2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules)
2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules)
2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules)
2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules)
2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules)
2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules)
2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules)
2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules)
2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules)
2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules)
2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules)
2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules)
2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules)
2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules)
2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules)
2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules)
2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules)
2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules)
2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules)
2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules)
2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules)
2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules)
2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules)
2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules)
2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules)
2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules)
2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules)
2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules)
2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules)
2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules)
2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules)
2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules)
2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules)
2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules)
2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules)
2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules)
2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules)
2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules)
2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules)
2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules)
2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules)
2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules)
2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules)
2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules)
2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules)
2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules)
2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules)
2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules)
2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules)
2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules)
2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules)
2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules)
2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules)
2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules)
2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules)
2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules)
2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-rbn-BLOCK.rules (2):
    # VERSION 86
    # Updated 2008-12-05 21:54:44

-> Added to emerging-rbn.rules (2):
    # VERSION 86
    # Updated 2008-12-05 21:54:44

-> Added to emerging-sid-msg.map (8):
    2406127 || ET RBN Known Russian Business Network Monitored Domains (128) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406128 || ET RBN Known Russian Business Network Monitored Domains (129) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406129 || ET RBN Known Russian Business Network Monitored Domains (130) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406130 || ET RBN Known Russian Business Network Monitored Domains (131) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407127 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407128 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407129 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407130 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

-> Added to emerging-sid-msg.map.txt (8):
    2406127 || ET RBN Known Russian Business Network Monitored Domains (128) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406128 || ET RBN Known Russian Business Network Monitored Domains (129) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406129 || ET RBN Known Russian Business Network Monitored Domains (130) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406130 || ET RBN Known Russian Business Network Monitored Domains (131) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407127 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407128 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407129 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407130 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
    # VERSION 85
    # Updated 2008-12-04 08:06:07

-> Removed from emerging-rbn.rules (2):
    # VERSION 85
    # Updated 2008-12-04 08:06:07

From emerging at emergingthreats.net Sat Dec 6 18:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 6 Dec 2008 18:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20081206230008.CCA114501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Dec 6 18:00:08 2008 [***]

[+++] Added rules: [+++]

2008802 - ET CURRENT_EVENTS Possible Downaup/Conficker-A Worm Activity (emerging.rules)
2008803 - ET CURRENT_EVENTS Possible Downaup/Conficker-A Infection Checking Geographical Location (emerging.rules)
2008804 - ET CURRENT_EVENTS Downaup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 (emerging.rules)
2008805 - ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start (emerging-virus.rules)
2008806 - ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start Response (emerging-virus.rules)
2008807 - ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Start (emerging-virus.rules)
2008808 - ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic (emerging-virus.rules)
2008809 - ET WEB_ACTIVEX MW6 Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File Overwrite (emerging-web.rules)
2008810 - ET WEB_ACTIVEX MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite (emerging-web.rules)
2008811 - ET WEB_ACTIVEX MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite (emerging-web.rules)
2008812 - ET WEB_ACTIVEX MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite (emerging-web.rules)
2008813 - ET WEB_SPECIFIC e107 Plugin lyrics_menu lyrics_song.php l_id Parameter Remote SQL Injection (emerging-web_sql_injection.rules)
2008814 - ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method (emerging-web.rules)
2008815 - ET WEB_SPECIFIC SFS EZ Hotscripts-like Site showcategory.php cid Parameter SQL Injection (emerging-web_sql_injection.rules)
2008816 - ET WEB_SPECIFIC SFS EZ Hotscripts-like Site software-description.php id Parameter SQL Injection (emerging-web_sql_injection.rules)
2008817 - ET WEB_SPECIFIC YourFreeWorld Autoresponder hosting tr.php id Parameter SQL Injection (emerging-web_sql_injection.rules)
2008818 - ET WEB_SPECIFIC YourFreeWorld Reminder Service tr.php id Parameter SQL Injection (emerging-web_sql_injection.rules)
2008819 - ET WEB_SPECIFIC YourFreeWorld Classifieds Blaster tr.php id Parameter SQL Injection (emerging-web_sql_injection.rules)
2008820 - ET WEB_SPECIFIC TBmnetCMS index.php content Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2008821 - ET WEB_SPECIFIC Tours Manager cityview.php cityid Parameter SQL Injection (emerging-web_sql_injection.rules)
2008822 - ET WEB_SPECIFIC Joomla Pro Desk Component include_file Local File Inclusion (emerging-web_sql_injection.rules)
2008823 - ET WEB_SPECIFIC Pre Podcast Portal tour.php id SQL Injection (emerging-web_sql_injection.rules)
2008824 - ET WEB_SPECIFIC Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2008825 - ET WEB_SPECIFIC Way Of The Warrior crea.php plancia Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2008826 - ET WEB_SPECIFIC Way Of The Warrior crea.php plancia Remote File Inclusion (emerging-web_sql_injection.rules)
2008827 - ET WEB_SPECIFIC TurnkeyForms Business Survey Pro id parameter SQL Injection (emerging-web_sql_injection.rules)
2008828 - ET WEB_SPECIFIC Turnkeyforms Software Directory showcategory.php cid parameter SQL Injection (emerging-web_sql_injection.rules)
2008829 - ET WEB_SPECIFIC TurnkeyForms Local Classifieds listtest.php r parameter SQL Injection (emerging-web_sql_injection.rules)
2008830 - ET WEB_SPECIFIC DevelopItEasy Photo Gallery cat_id paramter SQL Injection (emerging-web_sql_injection.rules)
2008831 - ET WEB_SPECIFIC DevelopItEasy Photo Gallery photo_id paramter SQL Injection (emerging-web_sql_injection.rules)
2008832 - ET WEB_SPECIFIC Enthusiast path parameter Local File Inclusion (emerging-web_sql_injection.rules)
2008833 - ET WEB_SPECIFIC Enthusiast path parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2008834 - ET WEB_SPECIFIC DevelopItEasy News And Article aid parameter SQL Injection (emerging-web_sql_injection.rules)
2008835 - ET WEB_SPECIFIC MyioSoft EasyBookMarker Parent parameter SQL Injection (emerging-web_sql_injection.rules)
2008836 - ET WEB_SPECIFIC Five Dollar Scripts Drinks Script recid parameter SQL Injection (emerging-web_sql_injection.rules)
2008837 - ET WEB_SPECIFIC Maran PHP Shop id Parameter Remote SQL Injection (emerging-web_sql_injection.rules)
2008838 - ET WEB_SPECIFIC DeltaScripts PHP Classifieds siteid parameter Remote SQL Injection (emerging-web_sql_injection.rules)
2008839 - ET TROJAN AdWare.Win32.MWGuide checkin (emerging-virus.rules)
2008840 - ET TROJAN AdWare.Win32.MWGuide keepalive (emerging-virus.rules)
2008841 - ET TROJAN Trojan-PWS.Win32.Small.gs Passwords leak over FTP (emerging-virus.rules)
2008842 - ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (emerging-policy.rules)
2008843 - ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (server download) (emerging-policy.rules)
2008844 - ET TROJAN Mydoom.O at mm HTTP Checkin (emerging-virus.rules)
2008845 - ET CURRENT_EVENTS Possible Malicious Flash Update (emerging.rules)
2008846 - ET TROJAN Worm.Win32.Evolmi Checkin (emerging-virus.rules)
2008847 - ET MALWARE Suspicious User-Agent (Mozil1a) (emerging-malware.rules)
2008848 - ET TROJAN Worm.Win32.Koobface.C User-Agent (emerging-virus.rules)
2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules)
2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules)
2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules)
2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules)
2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules)
2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules)
2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules)
2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules)
2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules)
2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules)
2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules)
2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules)
2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules)
2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules)
2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules)
2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules)
2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules)
2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules)
2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules)
2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules)
2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules)
2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules)
2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules)
2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules)
2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules)
2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules)
2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules)
2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules)
2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules)
2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules)
2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules)
2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules)
2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules)
2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules)
2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules)
2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules)
2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules)
2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules)
2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules)
2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

2002400 - ET MALWARE Suspicious User Agent (Microsoft Internet Explorer) (emerging-malware.rules)
2003020 - ET POLICY TLS/SSL Encrypted Application Data on Unusual Port (emerging-policy.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
2406082 - ET
RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network Monitored Domains (104) 
(emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business 
Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 
2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian 
Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (91) (emerging-rbn-BLOCK.rules)
2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules)
2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules)
2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules)
2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules)
2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules)
2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules)
2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules)
2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules)
2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules)
2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules)
2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules)
2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules)
2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules)
2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules)

[---] Removed rules: [---]
2008800 - ET CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December 2008 (emerging.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-drop-BLOCK.rules (2):
# VERSION 1380
# Generated 2008-12-06 00:03:01 EDT

-> Added to emerging-drop.rules (2):
# VERSION 1380
# Generated 2008-12-06 00:03:01 EDT

-> Added to emerging-malware.rules (3):
#by Victor Julien
# Ikarus: Trojan.Fakeav.BU,
# re 78dd2ddaf75b8d8676d0b5f2e73045a8

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 86
# Updated 2008-12-05 21:54:44

-> Added to emerging-rbn.rules (2):
# VERSION 86
# Updated 2008-12-05 21:54:44

-> Added to emerging-sid-msg.map (105):
2008802 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2008803 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2008804 || ET CURRENT_EVENTS Downaup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2008805 || ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start
2008806 || ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start Response
2008807 || ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Start
2008808 || ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic
2008809 || ET WEB_ACTIVEX MW6 Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6871 || bugtraq,31979
2008810 || ET WEB_ACTIVEX MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6873 || bugtraq,31983
2008811 || ET WEB_ACTIVEX MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6872 || bugtraq,31980
2008812 || ET WEB_ACTIVEX MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6870 || bugtraq,31974
2008813 || ET WEB_SPECIFIC e107 Plugin lyrics_menu lyrics_song.php l_id Parameter Remote SQL Injection ||
url,milw0rm.com/exploits/6885 || url,secunia.com/advisories/32477/ 2008814 || ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method || url,/milw0rm.com/exploits/6963 || url,secunia.com/Advisories/32513/ 2008815 || ET WEB_SPECIFIC SFS EZ Hotscripts-like Site showcategory.php cid Parameter SQL Injection || url,milw0rm.com/exploits/6903 || url,secunia.com/advisories/32536/ 2008816 || ET WEB_SPECIFIC SFS EZ Hotscripts-like Site software-description.php id Parameter SQL Injection || url,milw0rm.com/exploits/6915 || url,secunia.com/advisories/32536/ 2008817 || ET WEB_SPECIFIC YourFreeWorld Autoresponder hosting tr.php id Parameter SQL Injection || url,milw0rm.com/exploits/6938 || url,secunia.com/advisories/32504/ 2008818 || ET WEB_SPECIFIC YourFreeWorld Reminder Service tr.php id Parameter SQL Injection || url,milw0rm.com/exploits/6943 || url,secunia.com/advisories/32504/ 2008819 || ET WEB_SPECIFIC YourFreeWorld Classifieds Blaster tr.php id Parameter SQL Injection || url,milw0rm.com/exploits/6944 || url,secunia.com/advisories/32504/ 2008820 || ET WEB_SPECIFIC TBmnetCMS index.php content Parameter Local File Inclusion || url,milw0rm.com/exploits/6973 || url,secunia.com/advisories/32462/ 2008821 || ET WEB_SPECIFIC Tours Manager cityview.php cityid Parameter SQL Injection || url,milw0rm.com/exploits/6988 || url,secunia.com/advisories/32503/ 2008822 || ET WEB_SPECIFIC Joomla Pro Desk Component include_file Local File Inclusion || url,milw0rm.com/exploits/6980 || url,secunia.com/advisories/32523/ 2008823 || ET WEB_SPECIFIC Pre Podcast Portal tour.php id SQL Injection || url,milw0rm.com/exploits/6997 || url,secunia.com/advisories/32563/ 2008824 || ET WEB_SPECIFIC Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion || url,milw0rm.com/exploits/6992 || url,secunia.com/advisories/32515/ 2008825 || ET WEB_SPECIFIC Way Of The Warrior crea.php plancia Parameter Local File Inclusion || url,milw0rm.com/exploits/6992 || 
url,secunia.com/advisories/32515/ 2008826 || ET WEB_SPECIFIC Way Of The Warrior crea.php plancia Remote File Inclusion || url,milw0rm.com/exploits/6992 || url,secunia.com/advisories/32515/ 2008827 || ET WEB_SPECIFIC TurnkeyForms Business Survey Pro id parameter SQL Injection || url,milw0rm.com/exploits/7029 || url,secunia.com/advisories/32561/ 2008828 || ET WEB_SPECIFIC Turnkeyforms Software Directory showcategory.php cid parameter SQL Injection || url,milw0rm.com/exploits/7027 || url,secunia.com/advisories/32568/ 2008829 || ET WEB_SPECIFIC TurnkeyForms Local Classifieds listtest.php r parameter SQL Injection || url,milw0rm.com/exploits/7035 || url,secunia.com/advisories/32591/ 2008830 || ET WEB_SPECIFIC DevelopItEasy Photo Gallery cat_id paramter SQL Injection || url,milw0rm.com/exploits/7016 || url,secunia.com/advisories/32593/ 2008831 || ET WEB_SPECIFIC DevelopItEasy Photo Gallery photo_id paramter SQL Injection || url,milw0rm.com/exploits/7016 || url,secunia.com/advisories/32593/ 2008832 || ET WEB_SPECIFIC Enthusiast path parameter Local File Inclusion || url,bugreport.ir/index_57.htm || url,secunia.com/advisories/32628/ 2008833 || ET WEB_SPECIFIC Enthusiast path parameter Remote File Inclusion || url,bugreport.ir/index_57.htm || url,secunia.com/advisories/32628/ 2008834 || ET WEB_SPECIFIC DevelopItEasy News And Article aid parameter SQL Injection || url,secunia.com/Advisories/32595/ || url,milw0rm.com/exploits/7014 2008835 || ET WEB_SPECIFIC MyioSoft EasyBookMarker Parent parameter SQL Injection || url,milw0rm.com/exploits/7053 || url,secunia.com/advisories/32636/ 2008836 || ET WEB_SPECIFIC Five Dollar Scripts Drinks Script recid parameter SQL Injection || url,www.milw0rm.com/exploits/7007 || url,secunia.com/Advisories/32579/ 2008837 || ET WEB_SPECIFIC Maran PHP Shop id Parameter Remote SQL Injection || url,frsirt.com/english/advisories/2008/2976 || bugtraq,32043 2008838 || ET WEB_SPECIFIC DeltaScripts PHP Classifieds siteid parameter Remote SQL Injection || 
bugtraq,32191 || url,frsirt.com/english/advisories/2008/3079 2008839 || ET TROJAN AdWare.Win32.MWGuide checkin 2008840 || ET TROJAN AdWare.Win32.MWGuide keepalive 2008841 || ET TROJAN Trojan-PWS.Win32.Small.gs Passwords leak over FTP 2008842 || ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access 2008843 || ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (server download) 2008844 || ET TROJAN Mydoom.O at mm HTTP Checkin 2008845 || ET CURRENT_EVENTS Possible Malicious Flash Update || url,isc.sans.org/diary.html?storyid=5437 2008846 || ET TROJAN Worm.Win32.Evolmi Checkin 2008847 || ET MALWARE Suspicious User-Agent (Mozil1a) 2008848 || ET TROJAN Worm.Win32.Koobface.C User-Agent 2406105 || ET RBN Known Russian Business Network Monitored Domains (106) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406106 || ET RBN Known Russian Business Network Monitored Domains (107) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406107 || ET RBN Known Russian Business Network Monitored Domains (108) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406108 || ET RBN Known Russian Business Network Monitored Domains (109) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406109 || ET RBN Known Russian Business Network Monitored Domains (110) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406110 || ET RBN Known Russian Business Network Monitored Domains (111) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406111 || ET RBN Known Russian Business Network Monitored Domains (112) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406112 || ET RBN Known Russian Business Network Monitored Domains (113) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406113 || ET RBN Known Russian Business Network Monitored Domains (114) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406114 
|| ET RBN Known Russian Business Network Monitored Domains (115) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406115 || ET RBN Known Russian Business Network Monitored Domains (116) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406116 || ET RBN Known Russian Business Network Monitored Domains (117) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406117 || ET RBN Known Russian Business Network Monitored Domains (118) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406118 || ET RBN Known Russian Business Network Monitored Domains (119) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406119 || ET RBN Known Russian Business Network Monitored Domains (120) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406120 || ET RBN Known Russian Business Network Monitored Domains (121) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406121 || ET RBN Known Russian Business Network Monitored Domains (122) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406122 || ET RBN Known Russian Business Network Monitored Domains (123) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406123 || ET RBN Known Russian Business Network Monitored Domains (124) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406124 || ET RBN Known Russian Business Network Monitored Domains (125) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406125 || ET RBN Known Russian Business Network Monitored Domains (126) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406126 || ET RBN Known Russian Business Network Monitored Domains (127) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406127 || ET RBN Known Russian Business Network Monitored Domains (128) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406128 || ET RBN Known Russian 
Business Network Monitored Domains (129) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406129 || ET RBN Known Russian Business Network Monitored Domains (130) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406130 || ET RBN Known Russian Business Network Monitored Domains (131) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407105 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407106 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407107 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407108 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407109 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407110 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407111 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407112 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407113 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407114 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407115 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407116 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407117 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407118 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407119 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407120 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407121 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407122 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407123 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407124 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407125 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407126 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407127 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407128 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

-> Added to emerging-sid-msg.map.txt (105):
2008802 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2008803 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2008804 || ET CURRENT_EVENTS Downaup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2008805 || ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start
2008806 || ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start Response
2008807 || ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Start
2008808 || ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic
2008809 || ET WEB_ACTIVEX MW6 Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6871 || bugtraq,31979
2008810 || ET WEB_ACTIVEX MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6873 || bugtraq,31983
2008811 || ET WEB_ACTIVEX MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6872 || bugtraq,31980
2008812 || ET WEB_ACTIVEX MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite || url,milw0rm.com/exploits/6870 || bugtraq,31974
2008813 || ET WEB_SPECIFIC e107 Plugin lyrics_menu lyrics_song.php l_id Parameter Remote SQL Injection || url,milw0rm.com/exploits/6885 || url,secunia.com/advisories/32477/
2008814 || ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method || url,/milw0rm.com/exploits/6963 || url,secunia.com/Advisories/32513/
2008815 || ET WEB_SPECIFIC SFS EZ Hotscripts-like Site showcategory.php cid Parameter SQL Injection || url,milw0rm.com/exploits/6903 || url,secunia.com/advisories/32536/
2008816 || ET WEB_SPECIFIC SFS EZ Hotscripts-like Site software-description.php id Parameter SQL Injection || url,milw0rm.com/exploits/6915 || url,secunia.com/advisories/32536/
2008817 || ET WEB_SPECIFIC YourFreeWorld Autoresponder hosting tr.php id Parameter SQL Injection || url,milw0rm.com/exploits/6938 || url,secunia.com/advisories/32504/
2008818 || ET WEB_SPECIFIC YourFreeWorld Reminder Service tr.php id Parameter SQL Injection || url,milw0rm.com/exploits/6943 || url,secunia.com/advisories/32504/
2008819 || ET WEB_SPECIFIC YourFreeWorld Classifieds Blaster tr.php id Parameter SQL Injection || url,milw0rm.com/exploits/6944 || url,secunia.com/advisories/32504/
2008820 || ET WEB_SPECIFIC TBmnetCMS index.php content Parameter Local File Inclusion || url,milw0rm.com/exploits/6973 || url,secunia.com/advisories/32462/
2008821 || ET WEB_SPECIFIC Tours Manager cityview.php cityid Parameter SQL Injection || url,milw0rm.com/exploits/6988 || url,secunia.com/advisories/32503/
2008822 || ET WEB_SPECIFIC Joomla Pro Desk Component include_file Local File Inclusion || url,milw0rm.com/exploits/6980 || url,secunia.com/advisories/32523/
2008823 || ET WEB_SPECIFIC Pre Podcast Portal tour.php id SQL Injection || url,milw0rm.com/exploits/6997 || url,secunia.com/advisories/32563/
2008824 || ET WEB_SPECIFIC Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion || url,milw0rm.com/exploits/6992 || url,secunia.com/advisories/32515/
2008825 || ET WEB_SPECIFIC Way Of The Warrior crea.php plancia Parameter Local File Inclusion || url,milw0rm.com/exploits/6992 || url,secunia.com/advisories/32515/
2008826 || ET WEB_SPECIFIC Way Of The Warrior crea.php plancia Remote File Inclusion || url,milw0rm.com/exploits/6992 || url,secunia.com/advisories/32515/
2008827 || ET WEB_SPECIFIC TurnkeyForms Business Survey Pro id parameter SQL Injection || url,milw0rm.com/exploits/7029 || url,secunia.com/advisories/32561/
2008828 || ET WEB_SPECIFIC Turnkeyforms Software Directory showcategory.php cid parameter SQL Injection || url,milw0rm.com/exploits/7027 || url,secunia.com/advisories/32568/
2008829 || ET WEB_SPECIFIC TurnkeyForms Local Classifieds listtest.php r parameter SQL Injection || url,milw0rm.com/exploits/7035 || url,secunia.com/advisories/32591/
2008830 || ET WEB_SPECIFIC DevelopItEasy Photo Gallery cat_id paramter SQL Injection || url,milw0rm.com/exploits/7016 || url,secunia.com/advisories/32593/
2008831 || ET WEB_SPECIFIC DevelopItEasy Photo Gallery photo_id paramter SQL Injection || url,milw0rm.com/exploits/7016 || url,secunia.com/advisories/32593/
2008832 || ET WEB_SPECIFIC Enthusiast path parameter Local File Inclusion || url,bugreport.ir/index_57.htm || url,secunia.com/advisories/32628/
2008833 || ET WEB_SPECIFIC Enthusiast path parameter Remote File Inclusion || url,bugreport.ir/index_57.htm || url,secunia.com/advisories/32628/
2008834 || ET WEB_SPECIFIC DevelopItEasy News And Article aid parameter SQL Injection || url,secunia.com/Advisories/32595/ || url,milw0rm.com/exploits/7014
2008835 || ET WEB_SPECIFIC MyioSoft EasyBookMarker Parent parameter SQL Injection || url,milw0rm.com/exploits/7053 || url,secunia.com/advisories/32636/
2008836 || ET WEB_SPECIFIC Five Dollar Scripts Drinks Script recid parameter SQL Injection || url,www.milw0rm.com/exploits/7007 || url,secunia.com/Advisories/32579/
2008837 || ET WEB_SPECIFIC Maran PHP Shop id Parameter Remote SQL Injection || url,frsirt.com/english/advisories/2008/2976 || bugtraq,32043
2008838 || ET WEB_SPECIFIC DeltaScripts PHP Classifieds siteid parameter Remote SQL Injection || bugtraq,32191 || url,frsirt.com/english/advisories/2008/3079
2008839 || ET TROJAN AdWare.Win32.MWGuide checkin
2008840 || ET TROJAN AdWare.Win32.MWGuide keepalive
2008841 || ET TROJAN Trojan-PWS.Win32.Small.gs Passwords leak over FTP
2008842 || ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access
2008843 || ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (server download)
2008844 || ET TROJAN Mydoom.O at mm HTTP Checkin
2008845 || ET CURRENT_EVENTS Possible Malicious Flash Update || url,isc.sans.org/diary.html?storyid=5437
2008846 || ET TROJAN Worm.Win32.Evolmi Checkin
2008847 || ET MALWARE Suspicious User-Agent (Mozil1a)
2008848 || ET TROJAN Worm.Win32.Koobface.C User-Agent

-> Added to emerging-virus.rules (8):
#By pedromarinho and matt jonkman.
#Downloader.Agent.bnm and dnschange.bnm, etc
# Ikarus: Worm.Win32.Koobface.C,
#re e3e392688b15f1077daec4dfc1ca7530
# Ikarus: AdWare.Win32.MWGuide,
#re a98bb554bf012dd25d94b764bc4a0678
# Ikarus: Trojan-PWS.Win32.Small.gs,
#re d752a38abd5327552d5b51cd0e091436

[---] Removed non-rule lines: [---]

-> Removed from emerging-drop-BLOCK.rules (2):
# VERSION 1373
# Generated 2008-11-29 00:03:02 EDT

-> Removed from emerging-drop.rules (2):
# VERSION 1373
# Generated 2008-11-29 00:03:02 EDT

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 84
# Updated 2008-11-29 08:34:23

-> Removed from emerging-rbn.rules (2):
# VERSION 84
# Updated 2008-11-29 08:34:23

-> Removed from emerging-sid-msg.map (1):
2008800 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A

-> Removed from emerging-sid-msg.map.txt (1):
2008800 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A

From emerging at emergingthreats.net Sun Dec 7 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 7 Dec 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081207210008.89B264501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Dec 7 16:00:08 2008 [***]

[*] Rules modifications: [*]
None.
[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (164):
2510076 || ET COMPROMISED Known
Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510077 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510078 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510079 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510080 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510081 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510082 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (83) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510083 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (84) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510084 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (85) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (164): 2500003 || ET COMPROMISED Known Compromised or Hostile Host Traffic (4) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500004 || ET COMPROMISED Known Compromised or Hostile Host Traffic (5) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500005 || ET COMPROMISED Known Compromised or Hostile Host Traffic (6) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500006 || ET COMPROMISED Known Compromised or Hostile Host Traffic (7) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500007 || ET COMPROMISED Known Compromised or Hostile Host Traffic (8) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 
2500008 || ET COMPROMISED Known Compromised or Hostile Host Traffic (9) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500009 || ET COMPROMISED Known Compromised or Hostile Host Traffic (10) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500010 || ET COMPROMISED Known Compromised or Hostile Host Traffic (11) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500011 || ET COMPROMISED Known Compromised or Hostile Host Traffic (12) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500012 || ET COMPROMISED Known Compromised or Hostile Host Traffic (13) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500013 || ET COMPROMISED Known Compromised or Hostile Host Traffic (14) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500014 || ET COMPROMISED Known Compromised or Hostile Host Traffic (15) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500015 || ET COMPROMISED Known Compromised or Hostile Host Traffic (16) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500016 || ET COMPROMISED Known Compromised or Hostile Host Traffic (17) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500017 || ET COMPROMISED Known Compromised or Hostile Host Traffic (18) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500018 || ET COMPROMISED Known Compromised or Hostile Host Traffic (19) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500019 || ET COMPROMISED Known Compromised or Hostile Host Traffic (20) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500020 || ET COMPROMISED Known Compromised or Hostile Host Traffic (21) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500021 || ET COMPROMISED Known Compromised or Hostile Host Traffic (22) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500022 || ET COMPROMISED Known Compromised or Hostile Host Traffic (23) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500023 || ET COMPROMISED Known Compromised or Hostile Host Traffic (24) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500024 || ET COMPROMISED Known Compromised or Hostile Host Traffic (25) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500025 || ET COMPROMISED Known Compromised or Hostile Host Traffic (26) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500026 || ET COMPROMISED Known Compromised or Hostile Host Traffic (27) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500027 || ET COMPROMISED Known Compromised or Hostile Host Traffic (28) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500028 || ET COMPROMISED Known Compromised or Hostile Host Traffic (29) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500029 || ET COMPROMISED Known Compromised or Hostile Host Traffic (30) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500030 || ET COMPROMISED Known Compromised or Hostile Host Traffic (31) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500031 || ET COMPROMISED Known Compromised or Hostile Host Traffic (32) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500032 || ET COMPROMISED Known Compromised or Hostile Host Traffic (33) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500033 || ET COMPROMISED Known Compromised or Hostile Host Traffic (34) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500034 || ET COMPROMISED Known Compromised or Hostile Host Traffic (35) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500035 || ET COMPROMISED Known Compromised or Hostile Host Traffic (36) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500036 || ET COMPROMISED Known Compromised or Hostile Host Traffic (37) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500037 || ET COMPROMISED Known Compromised or 
Hostile Host Traffic (38) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500038 || ET COMPROMISED Known Compromised or Hostile Host Traffic (39) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500039 || ET COMPROMISED Known Compromised or Hostile Host Traffic (40) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500040 || ET COMPROMISED Known Compromised or Hostile Host Traffic (41) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500041 || ET COMPROMISED Known Compromised or Hostile Host Traffic (42) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500042 || ET COMPROMISED Known Compromised or Hostile Host Traffic (43) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500043 || ET COMPROMISED Known Compromised or Hostile Host Traffic (44) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500044 || ET COMPROMISED Known Compromised or Hostile Host Traffic (45) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500045 || ET COMPROMISED Known Compromised or Hostile Host Traffic (46) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500046 || ET COMPROMISED Known Compromised or Hostile Host Traffic (47) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500047 || ET COMPROMISED Known Compromised or Hostile Host Traffic (48) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500048 || ET COMPROMISED Known Compromised or Hostile Host Traffic (49) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500049 || ET COMPROMISED Known Compromised or Hostile Host Traffic (50) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500050 || ET COMPROMISED Known Compromised or Hostile Host Traffic (51) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500051 || ET COMPROMISED Known Compromised or Hostile Host Traffic (52) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500052 || ET 
COMPROMISED Known Compromised or Hostile Host Traffic (53) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500053 || ET COMPROMISED Known Compromised or Hostile Host Traffic (54) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500054 || ET COMPROMISED Known Compromised or Hostile Host Traffic (55) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500055 || ET COMPROMISED Known Compromised or Hostile Host Traffic (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500056 || ET COMPROMISED Known Compromised or Hostile Host Traffic (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500057 || ET COMPROMISED Known Compromised or Hostile Host Traffic (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500058 || ET COMPROMISED Known Compromised or Hostile Host Traffic (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500059 || ET COMPROMISED Known Compromised or Hostile Host Traffic (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500060 || ET COMPROMISED Known Compromised or Hostile Host Traffic (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500067 || ET COMPROMISED Known Compromised or Hostile Host Traffic (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500068 || ET COMPROMISED Known Compromised or Hostile Host Traffic (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500069 || ET COMPROMISED Known Compromised or Hostile Host Traffic (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500073 || ET COMPROMISED Known Compromised or Hostile Host Traffic (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500074 || ET COMPROMISED Known Compromised or Hostile Host Traffic (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500075 || ET COMPROMISED Known Compromised or Hostile Host Traffic (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500077 || ET COMPROMISED Known Compromised or Hostile Host Traffic (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500078 || ET COMPROMISED Known Compromised or Hostile Host Traffic (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500079 || ET COMPROMISED Known Compromised or Hostile Host Traffic (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500080 || ET COMPROMISED Known Compromised or Hostile Host Traffic (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500081 || ET COMPROMISED Known Compromised or 
Hostile Host Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500082 || ET COMPROMISED Known Compromised or Hostile Host Traffic (83) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500083 || ET COMPROMISED Known Compromised or Hostile Host Traffic (84) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500084 || ET COMPROMISED Known Compromised or Hostile Host Traffic (85) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510003 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (4) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510004 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (5) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510005 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (6) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510006 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (7) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510007 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (8) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510008 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (9) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510009 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (10) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510010 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (11) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510011 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (12) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510012 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (13) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510013 || ET COMPROMISED Known Compromised or 
Hostile Host Traffic - BLOCKING (14) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510014 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (15) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510015 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (16) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510016 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (17) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510017 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (18) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510018 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (19) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510019 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (20) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510020 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (21) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510021 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (22) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510022 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (23) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510023 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (24) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510024 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (25) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510025 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (26) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510026 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (27) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 
2510027 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (28) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510028 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (29) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510029 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (30) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510030 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (31) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510031 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (32) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510032 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (33) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510033 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (34) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510034 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (35) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510035 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (36) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510036 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (37) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510037 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (38) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510038 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (39) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510039 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (40) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510040 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (41) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510041 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (42) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510042 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (43) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510043 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (44) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510044 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (45) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510045 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (46) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510046 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (47) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510047 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (48) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510048 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (49) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510049 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (50) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510050 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (51) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510051 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (52) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510052 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (53) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510053 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (54) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510054 || ET COMPROMISED Known 
Compromised or Hostile Host Traffic - BLOCKING (55) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510056 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510057 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510058 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510059 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510060 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510075 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510076 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510077 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510078 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510079 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510080 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510081 || ET COMPROMISED Known 

From signatures at stillsecure.com Mon Dec 8 06:05:14 2008
From: signatures at stillsecure.com (signatures)
Date: Mon, 8 Dec 2008 04:05:14 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Dec-08-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2917@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. evision cms add3rdparty.php module parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms add3rdparty.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/3rdparty/adminpart/add3rdparty.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9312; rev:1;)

2. evision cms addpolling.php module parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addpolling.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/polling/adminpart/addpolling.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9313; rev:1;)

3. evision cms addcontact.php module parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addcontact.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/contact/adminpart/addcontact.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9314; rev:1;)

4. evision cms addbrandnews.php module parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addbrandnews.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/brandnews/adminpart/addbrandnews.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9315; rev:1;)

5. evision cms addnewsletter.php module parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addnewsletter.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/newsletter/adminpart/addnewsletter.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9316; rev:1;)

6. evision cms addgame.php module parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addgame.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/game/adminpart/addgame.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9317; rev:1;)

7. evision cms addtour.php module parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addtour.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/tour/adminpart/addtour.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9318; rev:1;)

8. evision cms addarticles.php module parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addarticles.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/articles/adminpart/addarticles.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9319; rev:1;)

9. evision cms addproduct.php module parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addproduct.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/product/adminpart/addproduct.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9320; rev:1;)

10. evision cms addplain.php module parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addplain.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/plain/adminpart/addplain.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9321; rev:1;)

Looking forward to your comments, if any...
Thanks & Regards,
StillSecure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081208/a8142e3b/attachment.html

From jonkman at jonkmans.com Mon Dec 8 10:40:35 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 08 Dec 2008 10:40:35 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Dec-08-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2917@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2917@webmail.latis.com>
Message-ID: <493D3FF3.2060904@jonkmans.com>

Great sigs, thanks! Posting them now.

Matt

signatures wrote:
> Hi Matt,
>
> Please find 10 New Signatures below:
>
> 1. evision cms add3rdparty.php module parameter Local File Inclusion
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms add3rdparty.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/3rdparty/adminpart/add3rdparty.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9312; rev:1;)
>
> 2. evision cms addpolling.php module parameter Local File Inclusion
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addpolling.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/polling/adminpart/addpolling.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9313; rev:1;)
>
> 3. evision cms addcontact.php module parameter Local File Inclusion
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addcontact.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/contact/adminpart/addcontact.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9314; rev:1;)
>
> 4. evision cms addbrandnews.php module parameter Local File Inclusion
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addbrandnews.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/brandnews/adminpart/addbrandnews.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9315; rev:1;)
>
> 5. evision cms addnewsletter.php module parameter Local File Inclusion
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addnewsletter.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/newsletter/adminpart/addnewsletter.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9316; rev:1;)
>
> 6. evision cms addgame.php module parameter Local File Inclusion
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addgame.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/game/adminpart/addgame.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9317; rev:1;)
>
> 7. evision cms addtour.php module parameter Local File Inclusion
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addtour.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/tour/adminpart/addtour.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9318; rev:1;)
>
> 8. evision cms addarticles.php module parameter Local File Inclusion
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addarticles.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/articles/adminpart/addarticles.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9319; rev:1;)
>
> 9. evision cms addproduct.php module parameter Local File Inclusion
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addproduct.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/product/adminpart/addproduct.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9320; rev:1;)
>
> 10. evision cms addplain.php module parameter Local File Inclusion
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"evision cms addplain.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/plain/adminpart/addplain.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; sid:9321; rev:1;)
>
> Looking forward to your comments, if any...
>
>
> Thanks & Regards,
> StillSecure
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Mon Dec 8 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 8 Dec 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081208210008.F208E45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Dec 8 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008849 - ET WEB_SPECIFIC evision cms add3rdparty.php module parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008850 - ET WEB_SPECIFIC evision cms addpolling.php module parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008851 - ET WEB_SPECIFIC evision cms addcontact.php module parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008852 - ET WEB_SPECIFIC evision cms addbrandnews.php module parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008853 - ET WEB_SPECIFIC evision cms addnewsletter.php module parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008854 - ET WEB_SPECIFIC evision cms addgame.php module parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008855 - ET WEB_SPECIFIC evision cms addtour.php module parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008856 - ET WEB_SPECIFIC evision cms addarticles.php module parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008857 - ET WEB_SPECIFIC evision cms addproduct.php
module parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008858 - ET WEB_SPECIFIC evision cms addplain.php module parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008859 - ET TROJAN Downloader Win32.Small.agoy Checkin (emerging-virus.rules) 2008860 - ET POLICY External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set) (emerging-policy.rules) 2008861 - ET POLICY External Telnet Login To Cisco Device (emerging-policy.rules) 2008862 - ET POLICY External Access to Cisco Aironet AP Over HTTP (Post Authentication) (emerging-policy.rules) 2008863 - ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (3) (emerging-virus.rules) 2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules) 2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules) 2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules) 2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules) 2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules) 2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules) 2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules) 2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules) 2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules) 2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules) 2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules) 2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules) 2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules) 2406144 - ET RBN Known Russian Business Network Monitored 
Domains (145) (emerging-rbn.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) [///] Modified active rules: [///] 2001239 - ET Cisco Device in Config Mode (emerging-policy.rules) 2001240 - ET Cisco Device New Config Built (emerging-policy.rules) 2008845 - ET CURRENT_EVENTS Possible Malicious Flash Update (emerging.rules) 2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) 
(emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules) 2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network 
Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules) 2406045 - ET RBN Known 
Russian Business Network Monitored Domains (46) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network Monitored Domains (67) 
(emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business 
Network Monitored Domains (89) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules) 2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules) 2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules) 2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules) 2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules) 2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules) 
2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules) 2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules) 2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules) 2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules) 2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules) 2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules) 2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules) 2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules) 2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules) 2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules) 2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules) 2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules) 2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules) 2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules) 2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules) 2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules) 2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules) 2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules) 2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules) 2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules) 2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business 
Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) 
(emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) 
(emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian 
Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 87 # Updated 2008-12-08 11:12:52 -> Added to emerging-rbn.rules (2): # VERSION 87 # Updated 2008-12-08 11:12:52 -> Added to emerging-sid-msg.map (43): 2008849 || ET WEB_SPECIFIC evision cms add3rdparty.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008850 || ET WEB_SPECIFIC evision cms addpolling.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008851 || ET WEB_SPECIFIC evision cms addcontact.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008852 || ET WEB_SPECIFIC evision cms addbrandnews.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008853 || ET WEB_SPECIFIC evision cms addnewsletter.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008854 || ET WEB_SPECIFIC evision cms addgame.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008855 || ET WEB_SPECIFIC evision cms addtour.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008856 || ET WEB_SPECIFIC evision cms addarticles.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008857 || ET WEB_SPECIFIC evision cms addproduct.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008858 || ET WEB_SPECIFIC evision cms addplain.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008859 || ET TROJAN Downloader Win32.Small.agoy Checkin || 
url,www.threatexpert.com/reports.aspx?find=%2Fjutr%2F || url,www.threatexpert.com/report.aspx?md5=e491d25d82f4928138a0d8b3a6365c39 2008860 || ET POLICY External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set) || url,articles.techrepublic.com.com/5100-10878_11-5875046.html 2008861 || ET POLICY External Telnet Login To Cisco Device || url,articles.techrepublic.com.com/5100-10878_11-5875046.html 2008862 || ET POLICY External Access to Cisco Aironet AP Over HTTP (Post Authentication) || url,supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_HTTPS_on_the_AP 2008863 || ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (3) || url,www.threatexpert.com/reports.aspx?find=apstpldr.dll.html 2406131 || ET RBN Known Russian Business Network Monitored Domains (132) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406132 || ET RBN Known Russian Business Network Monitored Domains (133) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406133 || ET RBN Known Russian Business Network Monitored Domains (134) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406134 || ET RBN Known Russian Business Network Monitored Domains (135) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406135 || ET RBN Known Russian Business Network Monitored Domains (136) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406136 || ET RBN Known Russian Business Network Monitored Domains (137) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406137 || ET RBN Known Russian Business Network Monitored Domains (138) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406138 || ET RBN Known Russian Business Network Monitored Domains (139) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406139 || ET RBN Known Russian Business Network Monitored Domains (140) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406140 || ET RBN Known Russian Business Network Monitored Domains (141) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406141 || ET RBN Known Russian Business Network Monitored Domains (142) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406142 || ET RBN Known Russian Business Network Monitored Domains (143) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406143 || ET RBN Known Russian Business Network Monitored Domains (144) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406144 || ET RBN Known Russian Business Network Monitored Domains (145) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407131 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407132 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407133 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407134 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407135 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407136 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407137 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407138 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407139 || ET 
RBN Known Russian Business Network Monitored Domains - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407140 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407141 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407142 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407143 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407144 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork -> Added to emerging-sid-msg.map.txt (43): 2008849 || ET WEB_SPECIFIC evision cms add3rdparty.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008850 || ET WEB_SPECIFIC evision cms addpolling.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008851 || ET WEB_SPECIFIC evision cms addcontact.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008852 || ET WEB_SPECIFIC evision cms addbrandnews.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008853 || ET WEB_SPECIFIC evision cms addnewsletter.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008854 || ET WEB_SPECIFIC evision cms addgame.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008855 || ET WEB_SPECIFIC evision cms addtour.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008856 || ET WEB_SPECIFIC evision cms addarticles.php module 
parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008857 || ET WEB_SPECIFIC evision cms addproduct.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008858 || ET WEB_SPECIFIC evision cms addplain.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008859 || ET TROJAN Downloader Win32.Small.agoy Checkin || url,www.threatexpert.com/reports.aspx?find=%2Fjutr%2F || url,www.threatexpert.com/report.aspx?md5=e491d25d82f4928138a0d8b3a6365c39 2008860 || ET POLICY External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set) || url,articles.techrepublic.com.com/5100-10878_11-5875046.html 2008861 || ET POLICY External Telnet Login To Cisco Device || url,articles.techrepublic.com.com/5100-10878_11-5875046.html 2008862 || ET POLICY External Access to Cisco Aironet AP Over HTTP (Post Authentication) || url,supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_HTTPS_on_the_AP 2008863 || ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (3) || url,www.threatexpert.com/reports.aspx?find=apstpldr.dll.html 2406131 || ET RBN Known Russian Business Network Monitored Domains (132) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406132 || ET RBN Known Russian Business Network Monitored Domains (133) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406133 || ET RBN Known Russian Business Network Monitored Domains (134) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406134 || ET RBN Known Russian Business Network Monitored Domains (135) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406135 || ET RBN Known Russian Business Network Monitored Domains (136) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406136 || ET RBN Known Russian Business Network Monitored Domains (137) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406137 || ET RBN Known Russian Business Network Monitored Domains (138) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406138 || ET RBN Known Russian Business Network Monitored Domains (139) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406139 || ET RBN Known Russian Business Network Monitored Domains (140) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406140 || ET RBN Known Russian Business Network Monitored Domains (141) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406141 || ET RBN Known Russian Business Network Monitored Domains (142) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406142 || ET RBN Known Russian Business Network Monitored Domains (143) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406143 || ET RBN Known Russian Business Network Monitored Domains (144) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406144 || ET RBN Known Russian Business Network Monitored Domains (145) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407131 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407132 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407133 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407134 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407135 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407136 || ET RBN Known Russian Business 
Network Monitored Domains - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407137 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407138 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407139 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407140 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407141 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407142 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407143 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407144 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

-> Added to emerging-virus.rules (2):
#by robert grabowsky
#by robert grabowsky

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 86
# Updated 2008-12-05 21:54:44
-> Removed from emerging-rbn.rules (2):
# VERSION 86
# Updated 2008-12-05 21:54:44

From jonkman at jonkmans.com Tue Dec 9 09:04:55 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 09 Dec 2008 09:04:55 -0500
Subject: [Emerging-Sigs] [Fwd: Re: Russian based worm exploiting MS08-067]
Message-ID: <493E7B07.9050508@jonkmans.com>

Forwarded for Chich. Spam filter issues...
-------- Original Message --------
Subject: Re: [Emerging-Sigs] Russian based worm exploiting MS08-067
Date: Tue, 9 Dec 2008 14:59:42 +0100
From: Thierry CHICH
To: Matt Jonkman

On Sunday 30 November 2008, Matt Jonkman wrote:
> Cool. I'll just remove that and separate them into 2 matches.
>
> Thanks Darren!
>
> Matt
>
> Darren Spruell wrote:
> > On Wed, Nov 26, 2008 at 7:07 AM, Matt Jonkman wrote:
> >> Great research from Daniel Clemens and Mcafee:
> >>
> >> http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
> >>
> >> http://www.packetninjas.net/?p=73
> >>
> >> Daniel has put up a signature that ought to be reliable. It's in
> >> CURRENT_EVENTS as this worm may not last long. We'll drop it in a couple
> >> weeks if so.
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008"; flow:to_server,established; uricontent:"/search?q=%d&aq=7"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; sid:2008801; rev:1;)
> >
> > The 'q' parameter in the above string I believe is expanded into a
> > number in the actual request (not a literal %d). It indicates exploit
> > attempts or similar in the reports I've seen.

Hi,

I just have an infection with Conficker/downadup. The worm is looking for trafficconverter.biz. The fix for the worm is in the reference. This rule could also help to localize infected computers:

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Conficker-A/downadup Worm Request for trafficconverter.biz"; content:"|01 00|"; offset:2; depth:2; content:"|10|trafficconverter|03|biz"; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; classtype:trojan-activity; sid:200812; rev:1;)

I could produce another sig directly related to the exploit. I have a hexdump from nepenthes, but I don't know how to write the sig. Is there someone who knows how to produce a snort rule from a nepenthes hexdump?

--
Thierry CHICH
Equipe Réseaux / Rectorat de Clermont-Ferrand
Tel: +33 4 73 99 30 54

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Tue Dec 9 09:07:27 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 09 Dec 2008 09:07:27 -0500
Subject: [Emerging-Sigs] [Fwd: Re: Russian based worm exploiting MS08-067]
In-Reply-To: <493E7B07.9050508@jonkmans.com>
References: <493E7B07.9050508@jonkmans.com>
Message-ID: <493E7B9F.3050401@jonkmans.com>

Traffic converter dot biz is a long time bad domain, but this one finally got it taken down. So a rule for that domain is a moot point now.

As for a snort sig from a nep hex dump, do you mean of a captured exploit attempt?

matt

Matt Jonkman wrote:
> I just have an infection with Conficker/downadup. The worm is looking for
> traffic converter .biz. The fix for the worm is in the reference. This rule
> could also help to localize infected computers:
>
> alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Conficker-A/downadup Worm Request for trafficconverter.biz"; content:"|01 00|"; offset:2; depth:2; content:"|10|trafficconverter|03|biz"; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; classtype:trojan-activity; sid:200812; rev:1;)
>
> I could produce another sig directly related to the exploit. I have a
> hexdump from nepenthes, but I don't know how to write the sig. Is there
> someone who knows how to produce a snort rule from a nepenthes hexdump?
>
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Tue Dec 9 10:23:47 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 09 Dec 2008 10:23:47 -0500
Subject: [Emerging-Sigs] What Every Snort Install Should Be Doing
Message-ID: <493E8D83.60502@jonkmans.com>

A very good idea came around this morning. We have a lot of rules and ideas that we can't put into the ruleset because they're just too general, or too dependent on the local environment. All good stuff but they just can't be made into a one size fits all signature.

So I've put up a page that'll explain some of the things I do, and that I recommend all other sites do. Off the top of my head here are the initial topics:

* If You are using an Automated Blocking Tool
  o Unused Ports
  o Multiple Inbound SMTP
  o Traffic to Unused IP Ranges
* All Sites (Blocking or Not)
  o Systems That Should Never Surf the Web

Let's brainstorm some more. What are you doing locally, what do you recommend, what do you wish you could do that you can't, etc.

Appreciate the input. I think this page will be a great help to new and old snort users alike.

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Tue Dec 9 10:25:27 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 09 Dec 2008 10:25:27 -0500
Subject: [Emerging-Sigs] What Every Snort Install Should Be Doing
In-Reply-To: <493E8D83.60502@jonkmans.com>
References: <493E8D83.60502@jonkmans.com>
Message-ID: <493E8DE7.2030207@jonkmans.com>

You probably want to know where that page is.
:)

http://doc.emergingthreats.net/bin/view/Main/WebHome

Matt

Matt Jonkman wrote:
> A very good idea came around this morning. We have a lot of rules and
> ideas that we can't put into the ruleset because they're just too
> general, or too dependent on the local environment. All good stuff but
> they just can't be made into a one size fits all signature.
>
> So I've put up a page that'll explain some of the things I do, and that
> I recommend all other sites do. Off the top of my head here are the
> initial topics:
>
> * If You are using an Automated Blocking Tool
>   o Unused Ports
>   o Multiple Inbound SMTP
>   o Traffic to Unused IP Ranges
> * All Sites (Blocking or Not)
>   o Systems That Should Never Surf the Web
>
> Let's brainstorm some more. What are you doing locally, what do you
> recommend, what do you wish you could do that you can't, etc.
>
> Appreciate the input. I think this page will be a great help to new and
> old snort users alike.
>
> Matt
>
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Tue Dec 9 16:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 9 Dec 2008 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081209210009.9BDF745026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue Dec 9 16:00:09 2008 [***]

[+++] Added rules: [+++]

2007903 - ET WEB_ACTIVEX 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability (emerging-web.rules)
2007905 - ET WEB_ACTIVEX D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability (emerging-web.rules)
2008864 - ET TROJAN Koobface Trojan HTTP Post Checkin (emerging-virus.rules)
2008865 - ET WEB_SPECIFIC PozScripts Business
Directory Script cid parameter SQL Injection (emerging-web_sql_injection.rules) 2008866 - ET WEB_SPECIFIC ClipShare Pro channel_detail.php chid Parameter SQL Injection (emerging-web_sql_injection.rules) 2008867 - ET WEB_SPECIFIC SlimCMS edit.php pageid Parameter SQL Injection (emerging-web_sql_injection.rules) 2008869 - ET WEB_ACTIVEX VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow (emerging-web.rules) 2008870 - ET WEB_ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation (emerging-web.rules) 2008871 - ET WEB_SPECIFIC phpFan init.php Remote File Inclusion (emerging-web_sql_injection.rules) 2008872 - ET WEB_SPECIFIC Ultrastats serverid parameter SQL Injection (emerging-web_sql_injection.rules) 2008873 - ET WEB_SPECIFIC PHPStore Wholesales id Parameter SQL Injection (emerging-web_sql_injection.rules) 2008874 - ET WEB_SPECIFIC PHPStore Yahoo Answers id parameter SQL Injection (emerging-web_sql_injection.rules) 2008875 - ET WEB_SPECIFIC Vlog System note parameter SQL Injection (emerging-web_sql_injection.rules) 2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules) 2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules) 2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules) 2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules) 2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules) 2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules) 2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules) 2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules) 2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules) 2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules) 2406155 - ET RBN Known 
Russian Business Network Monitored Domains (156) (emerging-rbn.rules) 2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules) 2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules) 2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules) 2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules) 2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules) 2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules) 2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules) 2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) 
(emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules) [///] Modified active rules: [///] 2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules) 2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network 
Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules) 2406033 - ET RBN Known 
Russian Business Network Monitored Domains (34) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network Monitored Domains (55) 
(emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business 
Network Monitored Domains (77) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules) 2406098 - ET 
RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules) 2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules) 2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules) 2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules) 2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules) 2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules) 2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules) 2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules) 2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules) 2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules) 2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules) 2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules) 2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules) 2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules) 2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules) 2406119 - ET RBN Known Russian Business Network Monitored 
Domains (120) (emerging-rbn.rules) 2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules) 2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules) 2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules) 2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules) 2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules) 2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules) 2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules) 2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules) 2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules) 2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules) 2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules) 2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules) 2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules) 2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules) 2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules) 2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules) 2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules) 2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules) 2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules) 2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules) 2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules) 2406141 - 
ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules) 2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules) 2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules) 2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) 
(emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) 
(emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) 
(emerging-rbn-BLOCK.rules)
2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules)
2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 90
# Updated 2008-12-09 12:23:54

-> Added to emerging-rbn.rules (2):
# VERSION 90
# Updated 2008-12-09 12:23:54

-> Added to emerging-sid-msg.map (53):
2007903 || ET WEB_ACTIVEX 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007905 || ET WEB_ACTIVEX D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2008864 || ET TROJAN Koobface Trojan HTTP Post Checkin
2008865 || ET WEB_SPECIFIC PozScripts Business Directory Script cid parameter SQL Injection || url,milw0rm.com/exploits/7098 || url,frsirt.com/english/advisories/2008/3118
2008866 || ET WEB_SPECIFIC ClipShare Pro channel_detail.php chid Parameter SQL Injection || url,milw0rm.com/exploits/7128 || bugtraq,32311
2008867 || ET WEB_SPECIFIC SlimCMS edit.php pageid Parameter SQL Injection || bugtraq,32300
2008869 || ET WEB_ACTIVEX VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow || url,milw0rm.com/exploits/7126 || bugtraq,32313
2008870 || ET WEB_ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation || milw0rm.com/exploits/7142 || bugtraq,32333
2008871 || ET WEB_SPECIFIC phpFan init.php Remote File Inclusion || url,milw0rm.com/exploits/7143 || bugtraq,32335
2008872 || ET WEB_SPECIFIC Ultrastats serverid parameter SQL Injection || url,milw0rm.com/exploits/7148 || bugtraq,32340
2008873 || ET WEB_SPECIFIC PHPStore Wholesales id Parameter SQL Injection || url,packetstorm.linuxsecurity.com/0811-exploits/wholesale-sql.txt || url,secunia.com/advisories/32741/
2008874 || ET WEB_SPECIFIC PHPStore Yahoo Answers id parameter SQL Injection || url,milw0rm.com/exploits/7131 || url,secunia.com/advisories/32717/
2008875 || ET WEB_SPECIFIC Vlog System note parameter SQL Injection || url,www.milw0rm.com/exploits/7186 || url,secunia.com/advisories/32784/
2406145 || ET RBN Known Russian Business Network Monitored Domains (146) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406146 || ET RBN Known Russian Business Network Monitored Domains (147) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406147 || ET RBN Known Russian Business Network Monitored Domains (148) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406148 || ET RBN Known Russian Business Network Monitored Domains (149) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406149 || ET RBN Known Russian Business Network Monitored Domains (150) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406150 || ET RBN Known Russian Business Network Monitored Domains (151) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406151 || ET RBN Known Russian Business Network Monitored Domains (152) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406152 || ET RBN Known Russian Business Network Monitored Domains (153) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406153 || ET RBN Known Russian Business Network Monitored Domains (154) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406154 || ET RBN Known Russian Business Network Monitored Domains (155) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406155 || ET RBN Known Russian Business Network Monitored Domains (156) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406156 || ET RBN Known Russian Business Network Monitored Domains (157) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406157 || ET RBN Known Russian Business Network Monitored Domains (158) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406158 || ET RBN Known Russian Business Network Monitored Domains (159) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406159 || ET RBN Known Russian Business Network Monitored Domains (160) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406160 || ET RBN Known Russian Business Network Monitored Domains (161) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406161 || ET RBN Known Russian Business Network Monitored Domains (162) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406162 || ET RBN Known Russian Business Network Monitored Domains (163) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406163 || ET RBN Known Russian Business Network Monitored Domains (164) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407145 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407146 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407147 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407148 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407149 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407150 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407151 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407152 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407153 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407154 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407155 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407156 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407157 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407158 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407159 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407160 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407161 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407162 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407163 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2500003 || ET COMPROMISED Known Compromised or Hostile Host Traffic (4) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510003 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (4) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (53):
2007903 || ET WEB_ACTIVEX 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007905 || ET WEB_ACTIVEX D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2008864 || ET TROJAN Koobface Trojan HTTP Post Checkin
2008865 || ET WEB_SPECIFIC PozScripts Business Directory Script cid parameter SQL Injection || url,milw0rm.com/exploits/7098 || url,frsirt.com/english/advisories/2008/3118
2008866 || ET WEB_SPECIFIC ClipShare Pro channel_detail.php chid Parameter SQL Injection || url,milw0rm.com/exploits/7128 || bugtraq,32311
2008867 || ET WEB_SPECIFIC SlimCMS edit.php pageid Parameter SQL Injection || bugtraq,32300
2008869 || ET WEB_ACTIVEX VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow || url,milw0rm.com/exploits/7126 || bugtraq,32313
2008870 || ET WEB_ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation || milw0rm.com/exploits/7142 || bugtraq,32333
2008871 || ET WEB_SPECIFIC phpFan init.php Remote File Inclusion || url,milw0rm.com/exploits/7143 || bugtraq,32335
2008872 || ET WEB_SPECIFIC Ultrastats serverid parameter SQL Injection || url,milw0rm.com/exploits/7148 || bugtraq,32340
2008873 || ET WEB_SPECIFIC PHPStore Wholesales id Parameter SQL Injection || url,packetstorm.linuxsecurity.com/0811-exploits/wholesale-sql.txt || url,secunia.com/advisories/32741/
2008874 || ET WEB_SPECIFIC PHPStore Yahoo Answers id parameter SQL Injection || url,milw0rm.com/exploits/7131 || url,secunia.com/advisories/32717/
2008875 || ET WEB_SPECIFIC Vlog System note parameter SQL Injection || url,www.milw0rm.com/exploits/7186 || url,secunia.com/advisories/32784/
2406145 || ET RBN Known Russian Business Network Monitored Domains (146) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406146 || ET RBN Known Russian Business Network Monitored Domains (147) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406147 || ET RBN Known Russian Business Network Monitored Domains (148) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406148 || ET RBN Known Russian Business Network Monitored Domains (149) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406149 || ET RBN Known Russian Business Network Monitored Domains (150) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406150 || ET RBN Known Russian Business Network Monitored Domains (151) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406151 || ET RBN Known Russian Business Network Monitored Domains (152) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406152 || ET RBN Known Russian Business Network Monitored Domains (153) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406153 || ET RBN Known Russian Business Network Monitored Domains (154) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406154 || ET RBN Known Russian Business Network Monitored Domains (155) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406155 || ET RBN Known Russian Business Network Monitored Domains (156) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406156 || ET RBN Known Russian Business Network Monitored Domains (157) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406157 || ET RBN Known Russian Business Network Monitored Domains (158) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406158 || ET RBN Known Russian Business Network Monitored Domains (159) ||
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406159 || ET RBN Known Russian Business Network Monitored Domains (160) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406160 || ET RBN Known Russian Business Network Monitored Domains (161) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406161 || ET RBN Known Russian Business Network Monitored Domains (162) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406162 || ET RBN Known Russian Business Network Monitored Domains (163) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406163 || ET RBN Known Russian Business Network Monitored Domains (164) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407145 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407146 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407147 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407148 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407149 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407150 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407151 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407152 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407153 || ET 
RBN Known Russian Business Network Monitored Domains - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407154 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407155 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407156 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407157 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407158 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407159 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407160 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407161 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407162 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407163 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500003 || ET COMPROMISED Known Compromised or Hostile Host Traffic (4) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510003 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (4) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-web.rules (1): #by Akash Mahajan at 
stillsecure

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 87
# Updated 2008-12-08 11:12:52

-> Removed from emerging-rbn.rules (2):
# VERSION 87
# Updated 2008-12-08 11:12:52

-> Removed from emerging-sid-msg.map (2):
2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org

-> Removed from emerging-sid-msg.map.txt (2):
2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org

From signatures at stillsecure.com Wed Dec 10 01:50:20 2008
From: signatures at stillsecure.com (signatures)
Date: Tue, 9 Dec 2008 23:50:20 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Dec-10-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2918@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/init.php?"; nocase; uricontent:"API_HOME_DIR="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,secunia.com/advisories/32745/; reference:url,milw0rm.com/exploits/7155; sid:9001; rev:1;)

2. Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/init.php?"; nocase; uricontent:"API_HOME_DIR="; nocase; pcre:"/API_HOME_DIR=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32745/; reference:url,milw0rm.com/exploits/7155; sid:9002; rev:1;)

3. PunBB Functions_navlinks.php pun_user[language] Parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PunBB Functions_navlinks.php pun_user[language] Parameter Local File Inclusion"; content:"GET "; depth:4; uricontent:"functions_navlinks.php?"; nocase; uricontent:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32360; reference:url,milw0rm.com/exploits/7159; sid:9003; rev:1;)

4. PunBB profile_send.php pun_user[language] Parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PunBB profile_send.php pun_user[language] Parameter Local File Inclusion"; content:"GET "; depth:4; uricontent:"profile_send.php?"; nocase; uricontent:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32360; reference:url,milw0rm.com/exploits/7159; sid:9004; rev:1;)

5. PunBB viewtopic_PM-link.php pun_user[language] Parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PunBB viewtopic_PM-link.php pun_user[language] Parameter Local File Inclusion"; content:"GET "; depth:4; uricontent:"viewtopic_PM-link.php?"; nocase; uricontent:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,32360; reference:url,milw0rm.com/exploits/7159; sid:9005; rev:1;)

6. Easyedit CMS page.php intpageID parameter sql injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Easyedit CMS page.php intpageID parameter sql injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/page.php?"; nocase; uricontent:"intPageID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32822/; reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; sid:9006; rev:1;)

7. Easyedit CMS subcategory.php intSubCategoryID parameter sql injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Easyedit CMS subcategory.php intSubCategoryID parameter sql injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"subcategory.php?"; nocase; uricontent:"intSubCategoryID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32822/; reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; sid:9007; rev:1;)

8. Easyedit CMS news.php intPageID parameter sql injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Easyedit CMS news.php intPageID parameter sql injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"news.php?"; nocase; uricontent:"intPageID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32822/; reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; sid:9008; rev:1;)

9. Microsoft XML Core Services DTD Cross Domain Information Disclosure object

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Microsoft XML Core Services DTD Cross Domain Information Disclosure object"; flow:to_client,established; content:"Msxml2.DOMDocument.3.0"; nocase; content:"loadXML"; nocase; content:"parseError.srcText"; nocase; classtype:web-application-attack; reference:bugtraq,32155; reference:url,milw0rm.com/exploits/7196; sid:9009; rev:1;)

10. Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid"; flow:to_client,established; content:"CLSID"; nocase; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; nocase; distance:0; content:"loadXML"; nocase; content:"parseError.srcText"; nocase; classtype:web-application-attack; reference:bugtraq,32155; reference:url,milw0rm.com/exploits/7196; sid:9010; rev:1;)

Looking forward for your comments if any...

Thanks & Regards,
StillSecure

From jgimer at gmail.com Wed Dec 10 12:42:01 2008
From: jgimer at gmail.com (Joshua Gimer)
Date: Wed, 10 Dec 2008 10:42:01 -0700
Subject: [Emerging-Sigs] Sig 0-Day Exploit for IE
Message-ID:

http://isc.sans.org/diary.html?storyid=5458

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS XML 0-day for Internet Explorer Exploitation Attempt"; flow:established,to_server; pcre:"/document\.write\('/"; classtype:web-application-attack; reference:url, isc.sans.org/diary.html?storyid=5458; sid:2008121001; rev:1;)

Could be more specific, but don't have time right now.

--
Thx
Joshua Gimer

From jonkman at jonkmans.com Wed Dec 10 12:52:17 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 10 Dec 2008 12:52:17 -0500
Subject: [Emerging-Sigs] Sig 0-Day Exploit for IE
In-Reply-To:
References:
Message-ID: <494001D1.20302@jonkmans.com>

Good idea Joshua, thanks for the sig. Don't think we need to pcre this for now though. this should do, crude but temporarily effective till we get more info:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt"; flow:established,to_server; content:"document.write('"; nocase; classtype:web-application-attack; reference:url,isc.sans.org/diary.html?storyid=5458; sid:xxx; rev:1;)

Look good to all? Anyone have other info on the exploit?

Matt

Joshua Gimer wrote:
> http://isc.sans.org/diary.html?storyid=5458
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS XML
> 0-day for Internet Explorer Exploitation Attempt";
> flow:established,to_server; pcre:"/document\.write\('/";
> classtype:web-application-attack;
> reference:url,isc.sans.org/diary.html?storyid=5458
> ; sid:2008121001; rev:1;)
>
> Could be more specific, but don't have time right now.
>
> --
> Thx
> Joshua Gimer
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed Dec 10 13:06:39 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 10 Dec 2008 13:06:39 -0500
Subject: [Emerging-Sigs] Sig 0-Day Exploit for IE
In-Reply-To: <494001D1.20302@jonkmans.com>
References: <494001D1.20302@jonkmans.com>
Message-ID: <4940052F.4020703@jonkmans.com>

The milw0rm exploit sample is a bit different, separates the xml creation into an iframe. There are a thousand variations to make this as with all script-based exploits for web clients.

So the sig below is easily evadable, but it'll catch the specific form that ISC mentioned. If we see others in the wild I may add sigs to catch those specifically considering the potential for mass exploitation here.

Please let me know if you see other common versions of this out there.

Matt

Matt Jonkman wrote:
> Good idea Joshua, thanks for the sig. Don't think we need to pcre this
> for now though. this should do, crude but temporarily effective till we
> get more info:
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation
> Attempt"; flow:established,to_server; content:"document.write(' ID=I>"; nocase; classtype:web-application-attack;
> reference:url,isc.sans.org/diary.html?storyid=5458; sid:xxx; rev:1;)
>
> Look good to all? Anyone have other info on the exploit?
>
> Matt
>
>
> Joshua Gimer wrote:
>> http://isc.sans.org/diary.html?storyid=5458
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS XML
>> 0-day for Internet Explorer Exploitation Attempt";
>> flow:established,to_server; pcre:"/document\.write\('/";
>> classtype:web-application-attack;
>> reference:url,isc.sans.org/diary.html?storyid=5458
>> ; sid:2008121001; rev:1;)
>>
>> Could be more specific, but don't have time right now.
>>
>> --
>> Thx
>> Joshua Gimer

From jonkman at jonkmans.com Wed Dec 10 15:11:02 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 10 Dec 2008 15:11:02 -0500
Subject: [Emerging-Sigs] What Every Snort User Should Do
Message-ID: <49402256.2020900@jonkmans.com>

Have added a few more things suggested, thanks to those sending in ideas:

http://doc.emergingthreats.net/bin/view/Main/WhatEverySnortUserShouldDo

It's worth taking a minute to look over, and please send in any other ideas. Things you do for Snort. They don't have to be just signature related. Anything is fair game.

Thanks

Matt

From jonkman at jonkmans.com Wed Dec 10 15:12:05 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 10 Dec 2008 15:12:05 -0500
Subject: [Emerging-Sigs] IE Sigs
Message-ID: <49402295.4060504@jonkmans.com>

There is one more temporary signature for the IE 0-day up:

http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_IE_0Day

We're watching for new variations, but these will help some for the short term.

Matt

From emerging at emergingthreats.net Wed Dec 10 16:02:16 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 10 Dec 2008 16:02:16 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081210210216.5401A4501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Dec 10 16:02:16 2008 [***]

[+++] Added rules: [+++]

2008876 - ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (emerging.rules)
2008877 - ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) (emerging.rules)

[///] Modified active rules: [///]

2008860 - ET POLICY External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set) (emerging-policy.rules)
2008861 - ET POLICY External Telnet Login To Cisco Device (emerging-policy.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (6):
2008876 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt || url,isc.sans.org/diary.html?storyid=5458
2008877 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) || url,isc.sans.org/diary.html?storyid=5458
2500004 || ET COMPROMISED Known Compromised or Hostile Host Traffic (5) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500005 || ET COMPROMISED Known Compromised or Hostile Host Traffic (6) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510004 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (5) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510005 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (6) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (6):
2008876 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt || url,isc.sans.org/diary.html?storyid=5458
2008877 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) || url,isc.sans.org/diary.html?storyid=5458
2500004 || ET COMPROMISED Known Compromised or Hostile Host Traffic (5) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500005 || ET COMPROMISED Known Compromised or Hostile Host Traffic (6) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510004 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (5) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510005 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (6) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging.rules (2):
#by Joshua Gimer
#by matt jonkman, re sllwrnm2.cn/a1/ss.htm

From jonkman at jonkmans.com Wed Dec 10 16:39:50 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 10 Dec 2008 16:39:50 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Dec-10-2008
In-Reply-To:
<5C9E8CCEEB81ED498AC0C3B0054704F3054C2918@webmail.latis.com> References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2918@webmail.latis.com> Message-ID: <49403726.6090106@jonkmans.com> Posted, thanks! I added a couple of distances to the MS XML sigs, but other than that perfect! Matt signatures wrote: > Hi Matt, > > Please find 10 New Signatures below: > > 1. *Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion* > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Free > Directory Script 1.1.1 API_HOME_DIR Local File Inclusion"; > flow:to_server,established; content:"GET "; depth:4; > uricontent:"/init.php?"; nocase; uricontent:"API_HOME_DIR="; nocase; > pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; > reference:url,secunia.com/advisories/32745/; > reference:url,milw0rm.com/exploits/7155; sid:9001; rev:1;) > > > > 2. *Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File > Inclusion* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Free > Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion"; > flow:to_server,established; content:"GET "; depth:4; > uricontent:"/init.php?"; nocase; uricontent:"API_HOME_DIR="; nocase; > pcre:"/API_HOME_DIR=\s*(ftps?|https?|php)\:\//Ui"; > classtype:web-application-attack; > reference:url,secunia.com/advisories/32745/; > reference:url,milw0rm.com/exploits/7155; sid:9002; rev:1;) > > > > 3. *PunBB Functions_navlinks.php pun_user[language] Parameter > Local File Inclusion* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PunBB > Functions_navlinks.php pun_user[language] Parameter Local File > Inclusion"; content:"GET "; depth:4; > uricontent:"functions_navlinks.php?"; nocase; > uricontent:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/U"; > classtype:web-application-attack; reference:bugtraq,32360; > reference:url,milw0rm.com/exploits/7159; sid:9003; rev:1;) > > > > 4. 
*PunBB profile_send.php pun_user[language] Parameter Local File > Inclusion* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PunBB > profile_send.php pun_user[language] Parameter Local File Inclusion"; > content:"GET "; depth:4; uricontent:"profile_send.php?"; nocase; > uricontent:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/U"; > classtype:web-application-attack; reference:bugtraq,32360; > reference:url,milw0rm.com/exploits/7159; sid:9004; rev:1;) > > > > 5. *PunBB viewtopic_PM-link.php pun_user[language] Parameter Local > File Inclusion* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PunBB > viewtopic_PM-link.php pun_user[language] Parameter Local File > Inclusion"; content:"GET "; depth:4; > uricontent:"viewtopic_PM-link.php?"; nocase; > uricontent:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/U"; > classtype:web-application-attack; reference:bugtraq,32360; > reference:url,milw0rm.com/exploits/7159; sid:9005; rev:1;) > > > > 6. *Easyedit CMS page.php intpageID parameter sql injection* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Easyedit > CMS page.php intpageID parameter sql injection"; > flow:to_server,established; content:"GET "; depth:4; > uricontent:"/page.php?"; nocase; uricontent:"intPageID="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:url,secunia.com/advisories/32822/; > reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; > sid:9006; rev:1;) > > > > 7. 
*Easyedit CMS subcategory.php intSubCategoryID parameter sql > injection* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Easyedit > CMS subcategory.php intSubCategoryID parameter sql injection"; > flow:to_server,established; content:"GET "; depth:4; > uricontent:"subcategory.php?"; nocase; uricontent:"intSubCategoryID="; > nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:url,secunia.com/advisories/32822/; > reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; > sid:9007; rev:1;) > > > > 8. *Easyedit CMS news.php intPageID parameter sql injection* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Easyedit > CMS news.php intPageID parameter sql injection"; > flow:to_server,established; content:"GET "; depth:4; > uricontent:"news.php?"; nocase; uricontent:"intPageID="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:url,secunia.com/advisories/32822/; > reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; > sid:9008; rev:1;) > > > > 9. *Microsoft XML Core Services DTD Cross Domain Information > Disclosure object* > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Microsoft XML > Core Services DTD Cross Domain Information Disclosure object"; > flow:to_client,established; content:"Msxml2.DOMDocument.3.0"; nocase; > content:"loadXML"; nocase; content:"parseError.srcText"; nocase; > classtype:web-application-attack; reference:bugtraq,32155; > reference:url,milw0rm.com/exploits/7196; sid:9009; rev:1;) > > > > 10. 
*Microsoft XML Core Services DTD Cross Domain Information > Disclosure clsid* > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Microsoft XML > Core Services DTD Cross Domain Information Disclosure clsid"; > flow:to_client,established; content:"CLSID"; nocase; > content:"f5078f32-c551-11d3-89b9-0000f81fe221"; nocase; distance:0; > content:"loadXML"; nocase; content:"parseError.srcText"; nocase; > classtype:web-application-attack; reference:bugtraq,32155; > reference:url,milw0rm.com/exploits/7196; sid:9010; rev:1;) > > > > Looking forward for your comments if any? > > > Thanks & Regards, > StillSecure > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From david.glosser at gmail.com Wed Dec 10 18:08:58 2008 From: david.glosser at gmail.com (David Glosser) Date: Wed, 10 Dec 2008 18:08:58 -0500 Subject: [Emerging-Sigs] IE Sigs In-Reply-To: <49402295.4060504@jonkmans.com> References: <49402295.4060504@jonkmans.com> Message-ID: Would a group of dns lookup rules for 0days like this be of interest? Keep it active for a few days? Something like this (borrowing ffrom and probably messing up from the autoshun list: alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"SPYWARE-DNS DNS lookup wwwwyyyyy"; content:"|0e|wwwwyyyyy|03|cn"; nocase; classtype:trojan-activity; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17236; sid:xxxx; rev:1;) as well as sllwrnm5 .cn? Or even have a generic rule with the actual IP address assuming they aren't changing? 
On Wed, Dec 10, 2008 at 3:12 PM, Matt Jonkman wrote: > There is one more temporary signature for the IE o-day up: > > http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_IE_0Day > > We're watching for new variations, but these will help some for the > short term. > > Matt > > -- > -------------------------------------------- > Matthew Jonkman > Emerging Threats > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > -------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > From jason.weir at nhrs.org Thu Dec 11 09:27:22 2008 From: jason.weir at nhrs.org (Weir, Jason) Date: Thu, 11 Dec 2008 09:27:22 -0500 Subject: [Emerging-Sigs] Possible FP on 2008576 Message-ID: I got an alert this morning on 2008576 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN TinyPE Binary - Possibly Hostile"; flow:from_server,established; content:"MZ"; content:"PE|00 00|"; within:20; reference:url,www.phreedom.org/solar/code/tinype/; reference:url,bits.packetninjas.org/eblog/?p=316; classtype:trojan-activity; sid:2008576; rev:2;) From my FW logs that server was accessing a java update x.x.x.x Accessed URL 208.111.128.7:/s/ESD5/JSCDL/jre/6u11-b90/jre-6u11-windows-i586-p-iftw.ex e?e=1229002062013&h=cd6fb6efca85944cf77a90e72484b858/&filename=jre-6u11- windows-i586-p-iftw.exe Is this a FP or does the java update contain TinyPE Binary data, tripping the rule? I put the payload below -Jason length = 1380 000 : EF 8B 07 BA FF FE FE 7E 03 D0 83 F0 FF 33 C2 83 .......~.....3.. 010 : C7 04 A9 00 01 01 81 74 E8 8B 47 FC 84 C0 74 21 .......t..G...t! 020 : 84 E4 74 18 A9 00 00 FF 00 74 0C A9 00 00 00 FF ..t......t...... 030 : 75 CF 83 EF 01 EB 0D 83 EF 02 EB 08 83 EF 03 EB u............... 
_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

From pepperjack at afferentsecurity.com Thu Dec 11 09:54:45 2008
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Thu, 11 Dec 2008 08:54:45 -0600
Subject: [Emerging-Sigs] IE Sigs
In-Reply-To:
References: <49402295.4060504@jonkmans.com>
Message-ID: <20081211085445.i376yfwj4s0ko8s8@mail.afferentsecurity.com>

Quoting David Glosser :

> Would a group of dns lookup rules for 0days like this be of interest?
> Keep it active for a few days?
>

Good idea! I took the domain list on the shadowserver site and made some DNS rules. In case the list posts badly, the rules are also available for download at http://www.autoshun.org/ie7-0day.rules .

alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.bbtu01.cn"; content:"|05|baidu|06|bbtu01|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097001; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.bbtu02.cn"; content:"|05|baidu|06|bbtu02|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097002; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.bbtu03.cn"; content:"|05|baidu|06|bbtu03|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097003; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.bbtu04.cn"; content:"|05|baidu|06|bbtu04|02|cn"; nocase; classtype:trojan-activity;
reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097004; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.bbtu05.cn"; content:"|05|baidu|06|bbtu05|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097005; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.bbtu06.cn"; content:"|05|baidu|06|bbtu06|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097006; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.bbtu07.cn"; content:"|05|baidu|06|bbtu07|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097007; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduxin1.cn"; content:"|0f|baidu-baiduxin1|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097008; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduxin3.cn"; content:"|0f|baidu-baiduxin3|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097009; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduxin4.cn"; content:"|0f|baidu-baiduxin4|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097010; rev:1;) alert udp $HOME_NET any -> 
$DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduxin5.cn"; content:"|0f|baidu-baiduxin5|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097011; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduxin6.cn"; content:"|0f|baidu-baiduxin6|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097012; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduxin7.cn"; content:"|0f|baidu-baiduxin7|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097013; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduxin8.cn"; content:"|0f|baidu-baiduxin8|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097014; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduxin9.cn"; content:"|0f|baidu-baiduxin9|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097015; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduzi1.cn"; content:"|0e|baidu-baiduzi1|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097016; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduzi2.cn"; 
content:"|0e|baidu-baiduzi2|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097017; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduzi3.cn"; content:"|0e|baidu-baiduzi3|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097018; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduzi4.cn"; content:"|0e|baidu-baiduzi4|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097019; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduzi5.cn"; content:"|0e|baidu-baiduzi5|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097020; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduzi6.cn"; content:"|0e|baidu-baiduzi6|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097021; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduzi7.cn"; content:"|0e|baidu-baiduzi7|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097022; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-baiduzi8.cn"; content:"|0e|baidu-baiduzi8|02|cn"; nocase; classtype:trojan-activity; 
reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097023; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-du1.cn"; content:"|09|baidu-du1|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097024; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-du2.cn"; content:"|09|baidu-du2|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097025; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-du3.cn"; content:"|09|baidu-du3|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097026; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-du4.cn"; content:"|09|baidu-du4|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097027; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-du5.cn"; content:"|09|baidu-du5|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097028; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-du6.cn"; content:"|09|baidu-du6|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097029; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm 
Dec2008 based on DNS lookup baidu-du7.cn"; content:"|09|baidu-du7|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097030; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-du8.cn"; content:"|09|baidu-du8|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097031; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu-du9.cn"; content:"|09|baidu-du9|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097032; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwrnm1.cn"; content:"|08|sllwrnm1|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097033; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwrnm2.cn"; content:"|08|sllwrnm2|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097034; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwrnm4.cn"; content:"|08|sllwrnm4|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097035; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwrnm5.cn"; content:"|08|sllwrnm5|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097036; rev:1;) 
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwrnm6.cn"; content:"|08|sllwrnm6|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097037; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwrnm7.cn"; content:"|08|sllwrnm7|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097038; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwrnm8.cn"; content:"|08|sllwrnm8|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097039; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwrnm9.cn"; content:"|08|sllwrnm9|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097040; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwrnm10.cn"; content:"|09|sllwrnm10|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097041; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwbd1.cn"; content:"|07|sllwbd1|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097042; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwbd2.cn"; content:"|07|sllwbd2|02|cn"; nocase; classtype:trojan-activity; 
reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097043; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwbd3.cn"; content:"|07|sllwbd3|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097044; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwbd4.cn"; content:"|07|sllwbd4|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097045; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwbd5.cn"; content:"|07|sllwbd5|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097046; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwbd6.cn"; content:"|07|sllwbd6|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097047; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwbd7.cn"; content:"|07|sllwbd7|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097048; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwbd8.cn"; content:"|07|sllwbd8|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097049; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS 
lookup sllwbd9.cn"; content:"|07|sllwbd9|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097050; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup sllwbd10.cn"; content:"|08|sllwbd10|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097051; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm5.cn"; content:"|07|zlwrnm5|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097052; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm7.cn"; content:"|07|zlwrnm7|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097053; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm8.cn"; content:"|07|zlwrnm8|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097054; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm9.cn"; content:"|07|zlwrnm9|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097055; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm10.cn"; content:"|08|zlwrnm10|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097056; rev:1;) alert udp $HOME_NET any -> 
$DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm11.cn"; content:"|08|zlwrnm11|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097057; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm12.cn"; content:"|08|zlwrnm12|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097058; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm13.cn"; content:"|08|zlwrnm13|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097059; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm14.cn"; content:"|08|zlwrnm14|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097060; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm15.cn"; content:"|08|zlwrnm15|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097061; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm17.cn"; content:"|08|zlwrnm17|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097062; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm18.cn"; content:"|08|zlwrnm18|02|cn"; nocase; classtype:trojan-activity; 
reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097063; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm19.cn"; content:"|08|zlwrnm19|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097064; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup zlwrnm20.cn"; content:"|08|zlwrnm20|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097065; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup 360avva.akvvv.cn"; content:"|07|360avva|05|akvvv|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097066; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup vip.4s3w.cn"; content:"|03|vip|04|4s3w|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097067; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup cc4y7.cn"; content:"|05|cc4y7|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097068; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup hhhh8886.cn"; content:"|08|hhhh8886|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097069; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm 
Dec2008 based on DNS lookup qqqqttrr.cn"; content:"|08|qqqqttrr|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097070; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup rrrrrrryyy.cn"; content:"|0a|rrrrrrryyy|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097071; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup wwwwyyyyy.cn"; content:"|09|wwwwyyyyy|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097072; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup fyesn.cn"; content:"|05|fyesn|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097073; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.baibai1.cn"; content:"|05|baidu|07|baibai1|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097074; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.xinlang1.cn"; content:"|05|baidu|08|xinlang1|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097075; rev:1;) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup cc4y6.cn"; content:"|05|cc4y6|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; 
sid:1097076; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup cc4y8.cn"; content:"|05|cc4y8|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097077; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup cc4y1.cn"; content:"|05|cc4y1|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097078; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup cc4y2.cn"; content:"|05|cc4y2|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097079; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup cc4y3.cn"; content:"|05|cc4y3|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097080; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup cc4y4.cn"; content:"|05|cc4y4|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097081; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup cc4y5.cn"; content:"|05|cc4y5|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097082; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup cc4y9.cn"; content:"|05|cc4y9|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097083; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.baibai2.cn"; content:"|05|baidu|07|baibai2|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097084; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.baibai3.cn"; content:"|05|baidu|07|baibai3|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097085; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.baibai4.cn"; content:"|05|baidu|07|baibai4|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097086; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.baibai5.cn"; content:"|05|baidu|07|baibai5|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097087; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.xinlang2.cn"; content:"|05|baidu|08|xinlang2|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097088; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.xinlang3.cn"; content:"|05|baidu|08|xinlang3|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097089; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE Inside host may be infected with IE7 worm Dec2008 based on DNS lookup baidu.xinlang4.cn"; content:"|05|baidu|08|xinlang4|02|cn"; nocase; classtype:trojan-activity; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210; sid:1097090; rev:1;)

jp

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From pepperjack at afferentsecurity.com Thu Dec 11 09:58:08 2008
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Thu, 11 Dec 2008 08:58:08 -0600
Subject: [Emerging-Sigs] IE Sigs
In-Reply-To: <20081211085445.i376yfwj4s0ko8s8@mail.afferentsecurity.com>
References: <49402295.4060504@jonkmans.com> <20081211085445.i376yfwj4s0ko8s8@mail.afferentsecurity.com>
Message-ID: <20081211085808.wjlktvgeoc4cgcg8@mail.afferentsecurity.com>

Sorry typo on the url for download:

http://www.autoshun.org/downloads/ie7-0day.rules

jp

----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From jonkman at jonkmans.com Thu Dec 11 10:42:03 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 11 Dec 2008 10:42:03 -0500
Subject: [Emerging-Sigs] IE Sigs
In-Reply-To: <20081211085808.wjlktvgeoc4cgcg8@mail.afferentsecurity.com>
References: <49402295.4060504@jonkmans.com> <20081211085445.i376yfwj4s0ko8s8@mail.afferentsecurity.com> <20081211085808.wjlktvgeoc4cgcg8@mail.afferentsecurity.com>
Message-ID: <494134CB.3030609@jonkmans.com>

Thanks Jack. It's not a bad way to go. I generally don't do these as the domains come and go so quickly in many cases. But these are so far proving tough to get taken down and the risk is significant.

So I pose the question to everyone: Would you like to see these pulled into the ET ruleset for a few days, or is it fine to just pull them from Jack's site if you choose to use them?

Matt

Jack Pepper wrote:
> Sorry typo on the url for download:
>
> http://www.autoshun.org/downloads/ie7-0day.rules
>
> jp
>
> ----------------------------------------------------------------
> @fferent Security Labs: Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Thu Dec 11 10:44:40 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 11 Dec 2008 10:44:40 -0500
Subject: [Emerging-Sigs] Possible FP on 2008576
In-Reply-To:
References:
Message-ID: <49413568.8090706@jonkmans.com>

Yes, that's a true positive. The java updates trigger this frequently as they're an executable. We've seen this now and then for some time.

How we could kill the alert is more difficult. We can't really exclude java updates. Best recommendation would be suppress statements for the java update IPs as you see them.

Any other ideas?

Matt

Weir, Jason wrote:
> I got an alert this morning on 2008576
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
> TinyPE Binary - Possibly Hostile"; flow:from_server,established;
> content:"MZ"; content:"PE|00 00|"; within:20;
> reference:url,www.phreedom.org/solar/code/tinype/;
> reference:url,bits.packetninjas.org/eblog/?p=316;
> classtype:trojan-activity; sid:2008576; rev:2;)
>
> From my FW logs that server was accessing a java update
>
> x.x.x.x Accessed URL
> 208.111.128.7:/s/ESD5/JSCDL/jre/6u11-b90/jre-6u11-windows-i586-p-iftw.ex
> e?e=1229002062013&h=cd6fb6efca85944cf77a90e72484b858/&filename=jre-6u11-
> windows-i586-p-iftw.exe
>
> Is this a FP or does the java update contain TinyPE Binary data,
> tripping the rule?
>
> I put the payload below
>
> -Jason
>
>
> length = 1380
>
> _____________________________________________________________________________________________
>
> Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From staneyre at bol.com.br Thu Dec 11 11:50:13 2008
From: staneyre at bol.com.br (Sandro Reis)
Date: Thu, 11 Dec 2008 14:50:13 -0200
Subject: [Emerging-Sigs] Rules for Gpass
Message-ID: <494144C5.9000007@bol.com.br>

Hi, following rule for detection of Gpass, used for anonymous access.

#By Sandro Reis
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use Gpass To Anonymous Access "; content:"|03 65 36 30 05 6c 65 74 33 63 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2009005; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use Gpass To Anonymous Access "; content:"|03 65 36 31 05 6c 65 74 33 63 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2009006; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use Gpass To Anonymous Access "; content:"|03 65 36 32 05 6c 65 74 33 63 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2009007; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use Gpass To Anonymous Access "; content:"|03 65 36 33 05 6c 65 74 33 63 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2009008; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use Gpass To Anonymous Access "; content:"|03 65 36 34 05 6c 65 74 33 63 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2009009; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use Gpass To Anonymous Access "; content:"|03 65 36 35 05 6c 65 74 33 63 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2009010; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use Gpass To Anonymous Access "; content:"|03 65 36 36 05 6c 65 74 33 63 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2009011; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use Gpass To Anonymous Access "; content:"|03 65 36 37 05 6c 65 74 33 63 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2009012; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use Gpass To Anonymous Access "; content:"|03 65 36 38 05 6c 65 74 33 63 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2009013; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use Gpass To Anonymous Access "; content:"|03 65 36 39 05 6c 65 74 33 63 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2009014; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use Gpass To Anonymous Access "; content:"|03 65 37 30 05 6c 65 74 33 63 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2009015; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use Gpass To Anonymous Access "; content:"|03 65 37 31 05 6c 65 74 33 63 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2009016; rev:1;)

From emerging at emergingthreats.net Thu Dec 11 16:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 11 Dec 2008 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081211210009.A8F4F45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Dec 11 16:00:09 2008 [***]

[+++] Added rules: [+++]

    2008878 - ET WEB_SPECIFIC Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion (emerging-web_sql_injection.rules)
    2008879 - ET WEB_SPECIFIC Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008880 - ET WEB_SPECIFIC PunBB Functions_navlinks.php pun_user[language] Parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008881 - ET WEB_SPECIFIC PunBB profile_send.php pun_user[language] Parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008882 - ET WEB_SPECIFIC PunBB viewtopic_PM-link.php pun_user[language] Parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008883 - ET WEB_SPECIFIC Easyedit CMS page.php intpageID parameter sql injection (emerging-web_sql_injection.rules)
    2008884 - ET WEB_SPECIFIC Easyedit CMS subcategory.php intSubCategoryID parameter sql injection (emerging-web_sql_injection.rules)
    2008885 - ET WEB_SPECIFIC Easyedit CMS news.php intPageID parameter sql injection (emerging-web_sql_injection.rules)
    2008886 - ET WEB_CLIENT Microsoft XML Core Services DTD Cross Domain Information Disclosure object (emerging-web.rules)
    2008887 - ET WEB_ACTIVEX Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid (emerging-web.rules)

[///] Modified active rules: [///]

    2008814 - ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method (emerging-web.rules)
    2008870 - ET WEB_ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation (emerging-web.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (16):
        2008814 || ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method || url,milw0rm.com/exploits/6963 || url,secunia.com/Advisories/32513/
        2008870 || ET WEB_ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation || url,milw0rm.com/exploits/7142 || bugtraq,32333
        2008878 || ET WEB_SPECIFIC Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion || url,milw0rm.com/exploits/7155 || url,secunia.com/advisories/32745/
        2008879 || ET WEB_SPECIFIC Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion || url,milw0rm.com/exploits/7155 || url,secunia.com/advisories/32745/
        2008880 || ET WEB_SPECIFIC PunBB Functions_navlinks.php pun_user[language] Parameter Local File Inclusion || url,milw0rm.com/exploits/7159 || bugtraq,32360
        2008881 || ET WEB_SPECIFIC PunBB profile_send.php pun_user[language] Parameter Local File Inclusion || url,milw0rm.com/exploits/7159 || bugtraq,32360
        2008882 || ET WEB_SPECIFIC PunBB viewtopic_PM-link.php pun_user[language] Parameter Local File Inclusion || url,milw0rm.com/exploits/7159 || bugtraq,32360
        2008883 || ET WEB_SPECIFIC Easyedit CMS page.php intpageID parameter sql injection || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,secunia.com/advisories/32822/
        2008884 || ET WEB_SPECIFIC Easyedit CMS subcategory.php intSubCategoryID parameter sql injection || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,secunia.com/advisories/32822/
        2008885 || ET WEB_SPECIFIC Easyedit CMS news.php intPageID parameter sql injection || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,secunia.com/advisories/32822/
        2008886 || ET WEB_CLIENT Microsoft XML Core Services DTD Cross Domain Information Disclosure object || url,milw0rm.com/exploits/7196 || bugtraq,32155
        2008887 || ET WEB_ACTIVEX Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid || url,milw0rm.com/exploits/7196 || bugtraq,32155
        2500006 || ET COMPROMISED Known Compromised or Hostile Host Traffic (7) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500007 || ET COMPROMISED Known Compromised or Hostile Host Traffic (8) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510006 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (7) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510007 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (8) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (16):
        2008814 || ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method || url,milw0rm.com/exploits/6963 || url,secunia.com/Advisories/32513/
        2008870 || ET WEB_ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation || url,milw0rm.com/exploits/7142 || bugtraq,32333
        2008878 || ET WEB_SPECIFIC Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion || url,milw0rm.com/exploits/7155 || url,secunia.com/advisories/32745/
        2008879 || ET WEB_SPECIFIC Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion || url,milw0rm.com/exploits/7155 || url,secunia.com/advisories/32745/
        2008880 || ET WEB_SPECIFIC PunBB Functions_navlinks.php pun_user[language] Parameter Local File Inclusion || url,milw0rm.com/exploits/7159 || bugtraq,32360
        2008881 || ET WEB_SPECIFIC PunBB profile_send.php pun_user[language] Parameter Local File Inclusion || url,milw0rm.com/exploits/7159 || bugtraq,32360
        2008882 || ET WEB_SPECIFIC PunBB viewtopic_PM-link.php pun_user[language] Parameter Local File Inclusion || url,milw0rm.com/exploits/7159 || bugtraq,32360
        2008883 || ET WEB_SPECIFIC Easyedit CMS page.php intpageID parameter sql injection || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,secunia.com/advisories/32822/
        2008884 || ET WEB_SPECIFIC Easyedit CMS subcategory.php intSubCategoryID parameter sql injection || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,secunia.com/advisories/32822/
        2008885 || ET WEB_SPECIFIC Easyedit CMS news.php intPageID parameter sql injection || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,secunia.com/advisories/32822/
        2008886 || ET WEB_CLIENT Microsoft XML Core Services DTD Cross Domain Information Disclosure object || url,milw0rm.com/exploits/7196 || bugtraq,32155
        2008887 || ET WEB_ACTIVEX Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid || url,milw0rm.com/exploits/7196 || bugtraq,32155
        2500006 || ET COMPROMISED Known Compromised or Hostile Host Traffic (7) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500007 || ET COMPROMISED Known Compromised or Hostile Host Traffic (8) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510006 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (7) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510007 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (8) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (2):
        2008814 || ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method || url,/milw0rm.com/exploits/6963 || url,secunia.com/Advisories/32513/
        2008870 || ET WEB_ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation || milw0rm.com/exploits/7142 || bugtraq,32333

    -> Removed from emerging-sid-msg.map.txt (2):
        2008814 || ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method || url,/milw0rm.com/exploits/6963 || url,secunia.com/Advisories/32513/
        2008870 || ET WEB_ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation || milw0rm.com/exploits/7142 || bugtraq,32333

From jonkman at jonkmans.com Thu Dec 11 19:31:24 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 11 Dec 2008 19:31:24 -0500
Subject: [Emerging-Sigs] Rules for Gpass
In-Reply-To: <494144C5.9000007@bol.com.br>
References: <494144C5.9000007@bol.com.br>
Message-ID: <4941B0DC.7010607@jonkmans.com>

Thanks Sandro.
Are we catching the dns requests for gpass? Will convert some of this to ascii for easier readability.

Matt

Sandro Reis wrote:
> Hi, following rule for detection of Gpass, used for anonymous access.
>
> #By Sandro Reis
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use
> Gpass To Anonymous Access "; content:"|03 65 36 30 05 6c 65 74 33 63 03
> 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track
> by_src,count 3, seconds 30; sid:2009005; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use
> Gpass To Anonymous Access "; content:"|03 65 36 31 05 6c 65 74 33 63 03
> 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track
> by_src,count 3, seconds 30; sid:2009006; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use
> Gpass To Anonymous Access "; content:"|03 65 36 32 05 6c 65 74 33 63 03
> 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track
> by_src,count 3, seconds 30; sid:2009007; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use
> Gpass To Anonymous Access "; content:"|03 65 36 33 05 6c 65 74 33 63 03
> 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track
> by_src,count 3, seconds 30; sid:2009008; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use
> Gpass To Anonymous Access "; content:"|03 65 36 34 05 6c 65 74 33 63 03
> 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track
> by_src,count 3, seconds 30; sid:2009009; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use
> Gpass To Anonymous Access "; content:"|03 65 36 35 05 6c 65 74 33 63 03
> 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track
> by_src,count 3, seconds 30; sid:2009010; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use
> Gpass To Anonymous Access "; content:"|03 65 36 36 05 6c 65 74 33 63 03
> 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track
> by_src,count 3, seconds 30; sid:2009011; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use
> Gpass To Anonymous Access "; content:"|03 65 36 37 05 6c 65 74 33 63 03
> 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track
> by_src,count 3, seconds 30; sid:2009012; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use
> Gpass To Anonymous Access "; content:"|03 65 36 38 05 6c 65 74 33 63 03
> 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track
> by_src,count 3, seconds 30; sid:2009013; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use
> Gpass To Anonymous Access "; content:"|03 65 36 39 05 6c 65 74 33 63 03
> 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track
> by_src,count 3, seconds 30; sid:2009014; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use
> Gpass To Anonymous Access "; content:"|03 65 37 30 05 6c 65 74 33 63 03
> 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track
> by_src,count 3, seconds 30; sid:2009015; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible Use
> Gpass To Anonymous Access "; content:"|03 65 37 31 05 6c 65 74 33 63 03
> 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track
> by_src,count 3, seconds 30; sid:2009016; rev:1;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From david.glosser at gmail.com Thu Dec 11 19:38:44 2008
From: david.glosser at gmail.com (David Glosser)
Date: Thu, 11 Dec 2008 19:38:44 -0500
Subject: [Emerging-Sigs] IE Sigs
In-Reply-To: <494134CB.3030609@jonkmans.com>
References: <49402295.4060504@jonkmans.com> <20081211085445.i376yfwj4s0ko8s8@mail.afferentsecurity.com> <20081211085808.wjlktvgeoc4cgcg8@mail.afferentsecurity.com> <494134CB.3030609@jonkmans.com>
Message-ID:

I vote for one centralized place.... Maybe have the domains "auto-expire" after a week or so? By then either the domain will be down or the AV detection should have caught up...

On Thu, Dec 11, 2008 at 10:42 AM, Matt Jonkman wrote:
> Thanks Jack. It's not a bad way to go. I generally don't do these as the
> domains come and go so quickly in many cases. But these are so far
> proving tough to get taken down and the risk is significant.
>
> So I pose the question to everyone: Would you like to see these pulled
> into the ET ruleset for a few days, or is it fine to just pull them from
> Jack's site if you choose to use them?
>
> Matt
>
> Jack Pepper wrote:
>> Sorry typo on the url for download:
>>
>> http://www.autoshun.org/downloads/ie7-0day.rules
>>
>> jp
>>
>> ----------------------------------------------------------------
>> @fferent Security Labs: Isolate/Insulate/Innovate
>> http://www.afferentsecurity.com
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

From gclai at draytek.com Thu Dec 11 21:23:21 2008
From: gclai at draytek.com (Jackie Lai)
Date: Fri, 12 Dec 2008 10:23:21 +0800
Subject: [Emerging-Sigs] IE Sigs
References: <49402295.4060504@jonkmans.com>
Message-ID: <8377CD2FFB44400199149D4E3C527395@user848be4f441>

Hi folks,
it should be = content:"|09|wwwwyyyyy|02|cn";
and another sig to block "sllwrnm5 .cn" will be
content:"|08|sllwrnm5|02|cn";

========================
Jackie Lai, CISSP
mailto: gclai [at] draytek [dot] com
========================

----- Original Message -----
From: "David Glosser"
To: "Matt Jonkman"
Cc: "Emerging Threats Signatures"
Sent: December 11, 2008, 07:08 AM
Subject: Re: [Emerging-Sigs] IE Sigs

> Would a group of dns lookup rules for 0days like this be of interest?
> Keep it active for a few days?
>
> Something like this (borrowing from and probably messing up from the
> autoshun list:
>
> alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53
> (msg:"SPYWARE-DNS DNS lookup wwwwyyyyy";
> content:"|0e|wwwwyyyyy|03|cn"; nocase; classtype:trojan-activity;
> reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17236;
> sid:xxxx; rev:1;)
>
> as well as sllwrnm5 .cn?
>
>
> Or even have a generic rule with the actual IP address assuming they
> aren't changing?
>
> On Wed, Dec 10, 2008 at 3:12 PM, Matt Jonkman
> wrote:
>> There is one more temporary signature for the IE 0-day up:
>>
>> http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_IE_0Day
>>
>> We're watching for new variations, but these will help some for the
>> short term.
>>
>> Matt
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> This message has been scanned for viruses and
> dangerous content by Draytek E-mail System, and is
> believed to be clean.

--
This message has been scanned for viruses and dangerous content by Draytek E-mail System, and is believed to be clean.

From jonkman at jonkmans.com Thu Dec 11 21:58:11 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 11 Dec 2008 21:58:11 -0500
Subject: [Emerging-Sigs] IE Sigs
In-Reply-To: <8377CD2FFB44400199149D4E3C527395@user848be4f441>
References: <49402295.4060504@jonkmans.com> <8377CD2FFB44400199149D4E3C527395@user848be4f441>
Message-ID: <4941D343.8000000@jonkmans.com>

Good point Jackie. Those fields are the length of the next portion of the name.

Jackie Lai wrote:
> Hi folks,
> it should be = content:"|09|wwwwyyyyy|02|cn";
> and another sig to block "sllwrnm5 .cn" will be
> content:"|08|sllwrnm5|02|cn";
>
> ========================
> Jackie Lai, CISSP
> mailto: gclai [at] draytek [dot] com
> ========================
>
> ----- Original Message ----- From: "David Glosser"
>
> To: "Matt Jonkman"
> Cc: "Emerging Threats Signatures"
> Sent: December 11, 2008, 07:08 AM
> Subject: Re: [Emerging-Sigs] IE Sigs
>
>
>> Would a group of dns lookup rules for 0days like this be of interest?
>> Keep it active for a few days?
>>
>> Something like this (borrowing from and probably messing up from the
>> autoshun list):
>>
>> alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53
>> (msg:"SPYWARE-DNS DNS lookup wwwwyyyyy";
>> content:"|0e|wwwwyyyyy|03|cn"; nocase; classtype:trojan-activity;
>> reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17236;
>> sid:xxxx; rev:1;)
>>
>> as well as sllwrnm5 .cn?
>>
>>
>> Or even have a generic rule with the actual IP address assuming they
>> aren't changing?
>>
>> On Wed, Dec 10, 2008 at 3:12 PM, Matt Jonkman
>> wrote:
>>> There is one more temporary signature for the IE 0-day up:
>>>
>>> http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_IE_0Day
>>>
>>>
>>> We're watching for new variations, but these will help some for the
>>> short term.
>>>
>>> Matt
>>>
>>> --
>>> --------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> --------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From cunningpike at gmail.com Fri Dec 12 02:16:08 2008
From: cunningpike at gmail.com (CunningPike)
Date: Thu, 11 Dec 2008 23:16:08 -0800
Subject: [Emerging-Sigs] What Every Snort Install Should Be Doing
In-Reply-To: <493E8D83.60502@jonkmans.com>
References: <493E8D83.60502@jonkmans.com>
Message-ID: <1229066168.6331.15.camel@cunningpike-powerbook>

Here are some local rules we run:

# No-one should be using any DNS resolver other than ours
alert udp !$DNS_SERVERS any -> $EXTERNAL_NET 53 (msg:"LOCAL Outbound Non-DNS Server DNS Traffic"; content:"|01|";offset:2;depth:1;threshold:type limit,track by_src,count 1,seconds 60;classtype:misc-activity;sid:20000001;rev:1;)

# Email address scrapers should leave now
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "SNORTSAM: LOCAL Excessive HTTP GET Requests - Possible email address scanner"; flow: to_server, established; uricontent:"/article.asp?"; nocase; threshold: type threshold, track by_src, count 60, seconds 120; classtype: misc-activity; sid: 20000004; rev:1;)

We also use oinkmaster to prefix the msg for all our snortsam rules with
'SNORTSAM:', so when the alerts show up in sguil (or BASE, or whatever)
we know that snortsam has acted on the alert

# Identify blocking sids from sid-block.map by prepending message
modifysid "(.*msg:\s*\")(.*)" | "${1}SNORTSAM: ${2}"

CP

On Tue, 2008-12-09 at 10:23 -0500, Matt Jonkman wrote:
> A very good idea came around this morning. We have a lot of rules and
> ideas that we can't put into the ruleset because they're just too
> general, or too dependent on the local environment. All good stuff but
> they just can't be made into a one size fits all signature.
>
> So I've put up a page that'll explain some of the things I do, and that
> I recommend all other sites do. Off the top of my head here are the
> initial topics:
>
>     * If You are using an Automated Blocking Tool
>           o Unused Ports
>           o Multiple Inbound SMTP
>           o Traffic to Unused IP Ranges
>     * All Sites (Blocking or Not)
>           o Systems That Should Never Surf the Web
>
> Let's brainstorm some more. What are you doing locally, what do you
> recommend, what do you wish you could do that you can't, etc.
>
> Appreciate the input. I think this page will be a great help to new and
> old snort users alike.
>
> Matt

From cunningpike at gmail.com Fri Dec 12 02:23:03 2008
From: cunningpike at gmail.com (CunningPike)
Date: Thu, 11 Dec 2008 23:23:03 -0800
Subject: [Emerging-Sigs] IE Sigs
In-Reply-To: <494134CB.3030609@jonkmans.com>
References: <49402295.4060504@jonkmans.com> <20081211085445.i376yfwj4s0ko8s8@mail.afferentsecurity.com> <20081211085808.wjlktvgeoc4cgcg8@mail.afferentsecurity.com> <494134CB.3030609@jonkmans.com>
Message-ID: <1229066583.6331.19.camel@cunningpike-powerbook>

Wouldn't use of the DNS-BH zonefile catch these pre-infection anyway?

CP

On Thu, 2008-12-11 at 10:42 -0500, Matt Jonkman wrote:
> Thanks Jack. It's not a bad way to go. I generally don't do these as the
> domains come and go so quickly in many cases. But these are so far
> proving tough to get taken down and the risk is significant.
>
> So I pose the question to everyone: Would you like to see these pulled
> into the ET ruleset for a few days, or is it fine to just pull them from
> Jack's site if you choose to use them?
>
> Matt
>
> Jack Pepper wrote:
> > Sorry typo on the url for download:
> >
> > http://www.autoshun.org/downloads/ie7-0day.rules
> >
> > jp
> >
> > ----------------------------------------------------------------
> > @fferent Security Labs: Isolate/Insulate/Innovate
> > http://www.afferentsecurity.com

From david.glosser at gmail.com Fri Dec 12 06:21:49 2008
From: david.glosser at gmail.com (David Glosser)
Date: Fri, 12 Dec 2008 06:21:49 -0500
Subject: [Emerging-Sigs] IE Sigs
In-Reply-To: <1229066583.6331.19.camel@cunningpike-powerbook>
References: <49402295.4060504@jonkmans.com> <20081211085445.i376yfwj4s0ko8s8@mail.afferentsecurity.com> <20081211085808.wjlktvgeoc4cgcg8@mail.afferentsecurity.com> <494134CB.3030609@jonkmans.com> <1229066583.6331.19.camel@cunningpike-powerbook>
Message-ID:

should, assuming you use both. But the snort rules can allow for
wildcards if there are a bunch of machine-generated domains...

On Fri, Dec 12, 2008 at 2:23 AM, CunningPike wrote:
> Wouldn't use of the DNS-BH zonefile catch these pre-infection anyway?
>
> CP
>
> On Thu, 2008-12-11 at 10:42 -0500, Matt Jonkman wrote:
>> Thanks Jack. It's not a bad way to go. I generally don't do these as the
>> domains come and go so quickly in many cases. But these are so far
>> proving tough to get taken down and the risk is significant.
>>
>> So I pose the question to everyone: Would you like to see these pulled
>> into the ET ruleset for a few days, or is it fine to just pull them from
>> Jack's site if you choose to use them?
>>
>> Matt
>>
>> Jack Pepper wrote:
>> > Sorry typo on the url for download:
>> >
>> > http://www.autoshun.org/downloads/ie7-0day.rules
>> >
>> > jp
>> >
>> > ----------------------------------------------------------------
>> > @fferent Security Labs: Isolate/Insulate/Innovate
>> > http://www.afferentsecurity.com

From jonkman at jonkmans.com Fri Dec 12 08:18:16 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 12 Dec 2008 08:18:16 -0500
Subject: [Emerging-Sigs] IE Sigs
In-Reply-To:
References: <49402295.4060504@jonkmans.com> <20081211085445.i376yfwj4s0ko8s8@mail.afferentsecurity.com> <20081211085808.wjlktvgeoc4cgcg8@mail.afferentsecurity.com> <494134CB.3030609@jonkmans.com> <1229066583.6331.19.camel@cunningpike-powerbook>
Message-ID: <49426498.20100@jonkmans.com>

On some we can wildcard, ya. But the field length has to be defined
statically in the rule. So we shouldn't rely on that for certain. I'd
much more recommend using David's DNSBH as it'll get the entire root
domain if listed.

Matt

David Glosser wrote:
> should, assuming you use both. But the snort rules can allow for
> wildcards if there are a bunch of machine-generated domains...
>
> On Fri, Dec 12, 2008 at 2:23 AM, CunningPike wrote:
>> Wouldn't use of the DNS-BH zonefile catch these pre-infection anyway?
>>
>> CP
>>
>> On Thu, 2008-12-11 at 10:42 -0500, Matt Jonkman wrote:
>>> Thanks Jack. It's not a bad way to go. I generally don't do these as the
>>> domains come and go so quickly in many cases. But these are so far
>>> proving tough to get taken down and the risk is significant.
>>>
>>> So I pose the question to everyone: Would you like to see these pulled
>>> into the ET ruleset for a few days, or is it fine to just pull them from
>>> Jack's site if you choose to use them?
>>>
>>> Matt
>>>
>>> Jack Pepper wrote:
>>>> Sorry typo on the url for download:
>>>>
>>>> http://www.autoshun.org/downloads/ie7-0day.rules
>>>>
>>>> jp
>>>>
>>>> ----------------------------------------------------------------
>>>> @fferent Security Labs: Isolate/Insulate/Innovate
>>>> http://www.afferentsecurity.com

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Fri Dec 12 10:32:47 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 12 Dec 2008 10:32:47 -0500
Subject: [Emerging-Sigs] What Every Snort Install Should Be Doing
In-Reply-To: <1229066168.6331.15.camel@cunningpike-powerbook>
References: <493E8D83.60502@jonkmans.com> <1229066168.6331.15.camel@cunningpike-powerbook>
Message-ID: <4942841F.6060901@jonkmans.com>

Great ideas! I'll write them up and add to the page.

Great ideas coming out...

Matt

CunningPike wrote:
> Here are some local rules we run:
>
> # No-one should be using any DNS resolver other than ours
> alert udp !$DNS_SERVERS any -> $EXTERNAL_NET 53 (msg:"LOCAL Outbound
> Non-DNS Server DNS Traffic"; content:"|
> 01|";offset:2;depth:1;threshold:type limit,track by_src,count 1,seconds
> 60;classtype:misc-activity;sid:20000001;rev:1;)
>
> # Email address scrapers should leave now
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:
> "SNORTSAM: LOCAL Excessive HTTP GET Requests - Possible email address
> scanner"; flow: to_server, established; uricontent:"/article.asp?";
> nocase; threshold: type threshold, track by_src, count 60, seconds 120;
> classtype: misc-activity; sid: 20000004; rev:1;)
>
> We also use oinkmaster to prefix the msg for all our snortsam rules with
> 'SNORTSAM:', so when the alerts show up in sguil (or BASE, or whatever)
> we know that snortsam has acted on the alert
>
> # Identify blocking sids from sid-block.map by prepending message
> modifysid "(.*msg:\s*\")(.*)" |
> "${1}SNORTSAM: ${2}"
>
> CP
>
> On Tue, 2008-12-09 at 10:23 -0500, Matt Jonkman wrote:
>> A very good idea came around this morning. We have a lot of rules and
>> ideas that we can't put into the ruleset because they're just too
>> general, or too dependent on the local environment. All good stuff but
>> they just can't be made into a one size fits all signature.
>>
>> So I've put up a page that'll explain some of the things I do, and that
>> I recommend all other sites do. Off the top of my head here are the
>> initial topics:
>>
>>     * If You are using an Automated Blocking Tool
>>           o Unused Ports
>>           o Multiple Inbound SMTP
>>           o Traffic to Unused IP Ranges
>>     * All Sites (Blocking or Not)
>>           o Systems That Should Never Surf the Web
>>
>> Let's brainstorm some more. What are you doing locally, what do you
>> recommend, what do you wish you could do that you can't, etc.
>>
>> Appreciate the input. I think this page will be a great help to new and
>> old snort users alike.
>>
>> Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Fri Dec 12 16:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 12 Dec 2008 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081212210009.8D96D45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Dec 12 16:00:09 2008 [***]

[+++] Added rules: [+++]

208890 - ET TROJAN Downloader.Exchanger (CbEvtSvc.exe) Variant Checkin - non-SSL (emerging-virus.rules)
2008888 - ET TROJAN Gh0st Remote Access Trojan Client Connect (emerging-virus.rules)
2008889 - ET TROJAN Gh0st Remote Access Trojan Server Response (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (7):
208890 || ET TROJAN Downloader.Exchanger (CbEvtSvc.exe) Variant Checkin - non-SSL
2008888 || ET TROJAN Gh0st Remote Access Trojan Client Connect
2008889 || ET TROJAN Gh0st Remote Access Trojan Server Response || url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211
2500008 || ET COMPROMISED Known Compromised or Hostile Host Traffic (9) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500009 || ET COMPROMISED Known Compromised or Hostile Host Traffic (10) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510008 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (9) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510009 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (10) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (7):
208890 || ET TROJAN Downloader.Exchanger (CbEvtSvc.exe) Variant Checkin - non-SSL
2008888 || ET TROJAN Gh0st Remote Access Trojan Client Connect
2008889 || ET TROJAN Gh0st Remote Access Trojan Server Response || url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211
2500008 || ET COMPROMISED Known Compromised or Hostile Host Traffic (9) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500009 || ET COMPROMISED Known Compromised or Hostile Host Traffic (10) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510008 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (9) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510009 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (10) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-virus.rules (2):
#by steven adair of shadowserver.org
#by steven Adair of shadowserver.org

From emerging at emergingthreats.net Sat Dec 13 16:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 13 Dec 2008 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081213210009.067264502D@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Dec 13 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008890 - ET TROJAN Downloader.Exchanger (CbEvtSvc.exe) Variant Checkin - non-SSL (emerging-virus.rules)
2008891 - ET TROJAN MEREDROP/micr0s0fts.cn Related Checkin (emerging-virus.rules)
2406164 - ET RBN Known Russian Business Network Monitored Domains (165)
(emerging-rbn.rules)
2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules)
2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules)
2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules)
2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules)
2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules)
2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules)
2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules)
2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules)
2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules)
2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules)
2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]
Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) 
(emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) 
(emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) 
(emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) 
(emerging-rbn-BLOCK.rules)
    2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules)
    2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules)
    2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules)

[---] Removed rules: [---]

    208890 - ET TROJAN Downloader.Exchanger (CbEvtSvc.exe) Variant Checkin - non-SSL (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-rbn-BLOCK.rules (2):
        # VERSION 91
        # Updated 2008-12-12 23:18:40

    -> Added to emerging-rbn.rules (2):
        # VERSION 91
        # Updated 2008-12-12 23:18:40

    -> Added to emerging-sid-msg.map (18):
        2008890 || ET TROJAN Downloader.Exchanger (CbEvtSvc.exe) Variant Checkin - non-SSL
        2008891 || ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)
        2406164 || ET RBN Known Russian Business Network Monitored Domains (165) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406165 || ET RBN Known Russian Business Network Monitored Domains (166) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406166 || ET RBN Known Russian Business Network Monitored Domains (167) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406167 || ET RBN Known Russian Business Network Monitored Domains (168) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406168 || ET RBN Known Russian Business Network Monitored Domains (169) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406169 || ET RBN Known Russian Business Network Monitored Domains (170) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407164 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407165 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407166 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407167 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407168 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407169 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2500010 || ET COMPROMISED Known Compromised or Hostile Host Traffic (11) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500011 || ET COMPROMISED Known Compromised or Hostile Host Traffic (12) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510010 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (11) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510011 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (12) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (18):
        2008890 || ET TROJAN Downloader.Exchanger (CbEvtSvc.exe) Variant Checkin - non-SSL
        2008891 || ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)
        2406164 || ET RBN Known Russian Business Network Monitored Domains (165) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406165 || ET RBN Known Russian Business Network Monitored Domains (166) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406166 || ET RBN Known Russian Business Network Monitored Domains (167) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406167 || ET RBN Known Russian Business Network Monitored Domains (168) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406168 || ET RBN Known Russian Business Network Monitored Domains (169) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2406169 || ET RBN Known Russian Business Network Monitored Domains (170) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407164 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407165 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407166 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407167 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407168 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407169 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2500010 || ET COMPROMISED Known Compromised or Hostile Host Traffic (11) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500011 || ET COMPROMISED Known Compromised or Hostile Host Traffic (12) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510010 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (11) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510011 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (12) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

    -> Removed from emerging-rbn-BLOCK.rules (2):
        # VERSION 90
        # Updated 2008-12-09 12:23:54

    -> Removed from emerging-rbn.rules (2):
        # VERSION 90
        # Updated 2008-12-09 12:23:54

    -> Removed from emerging-sid-msg.map (1):
        208890 || ET TROJAN Downloader.Exchanger (CbEvtSvc.exe) Variant Checkin - non-SSL

    -> Removed from emerging-sid-msg.map.txt (1):
        208890 || ET TROJAN Downloader.Exchanger (CbEvtSvc.exe) Variant Checkin - non-SSL

From emerging at emergingthreats.net Sat Dec 13 18:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 13 Dec 2008 18:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20081213230009.66D794502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Dec 13 18:00:09 2008 [***]

[+++] Added rules: [+++]

    2007903 - ET WEB_ACTIVEX 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability (emerging-web.rules)
    2007905 - ET WEB_ACTIVEX D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability (emerging-web.rules)
    2008849 - ET WEB_SPECIFIC evision cms add3rdparty.php module parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008850 - ET WEB_SPECIFIC evision cms addpolling.php module parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008851 - ET WEB_SPECIFIC evision cms addcontact.php module parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008852 - ET WEB_SPECIFIC evision cms addbrandnews.php module parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008853 - ET WEB_SPECIFIC evision cms addnewsletter.php module parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008854 - ET WEB_SPECIFIC evision cms addgame.php module parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008855 - ET WEB_SPECIFIC evision cms addtour.php module parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008856 - ET WEB_SPECIFIC evision cms addarticles.php module parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008857 - ET WEB_SPECIFIC evision cms addproduct.php module parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008858 - ET WEB_SPECIFIC evision cms addplain.php module parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008859 - ET TROJAN Downloader Win32.Small.agoy Checkin (emerging-virus.rules)
    2008860 - ET POLICY External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set) (emerging-policy.rules)
    2008861 - ET POLICY External Telnet Login To Cisco Device (emerging-policy.rules)
    2008862 - ET POLICY External Access to Cisco Aironet AP Over HTTP (Post Authentication) (emerging-policy.rules)
    2008863 - ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (3) (emerging-virus.rules)
    2008864 - ET TROJAN Koobface Trojan HTTP Post Checkin (emerging-virus.rules)
    2008865 - ET WEB_SPECIFIC PozScripts Business Directory Script cid parameter SQL Injection (emerging-web_sql_injection.rules)
    2008866 - ET WEB_SPECIFIC ClipShare Pro channel_detail.php chid Parameter SQL Injection (emerging-web_sql_injection.rules)
    2008867 - ET WEB_SPECIFIC SlimCMS edit.php pageid Parameter SQL Injection (emerging-web_sql_injection.rules)
    2008869 - ET WEB_ACTIVEX VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow (emerging-web.rules)
    2008870 - ET WEB_ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation (emerging-web.rules)
    2008871 - ET WEB_SPECIFIC phpFan init.php Remote File Inclusion (emerging-web_sql_injection.rules)
    2008872 - ET WEB_SPECIFIC Ultrastats serverid parameter SQL Injection (emerging-web_sql_injection.rules)
    2008873 - ET WEB_SPECIFIC PHPStore Wholesales id Parameter SQL Injection (emerging-web_sql_injection.rules)
    2008874 - ET WEB_SPECIFIC PHPStore Yahoo Answers id parameter SQL Injection (emerging-web_sql_injection.rules)
    2008875 - ET WEB_SPECIFIC Vlog System note parameter SQL Injection (emerging-web_sql_injection.rules)
    2008876 - ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (emerging.rules)
    2008877 - ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) (emerging.rules)
    2008878 - ET WEB_SPECIFIC Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion (emerging-web_sql_injection.rules)
    2008879 - ET WEB_SPECIFIC Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008880 - ET WEB_SPECIFIC PunBB Functions_navlinks.php pun_user[language] Parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008881 - ET WEB_SPECIFIC PunBB profile_send.php pun_user[language] Parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008882 - ET WEB_SPECIFIC PunBB viewtopic_PM-link.php pun_user[language] Parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008883 - ET WEB_SPECIFIC Easyedit CMS page.php intpageID parameter sql injection (emerging-web_sql_injection.rules)
    2008884 - ET WEB_SPECIFIC Easyedit CMS subcategory.php intSubCategoryID parameter sql injection (emerging-web_sql_injection.rules)
    2008885 - ET WEB_SPECIFIC Easyedit CMS news.php intPageID parameter sql injection (emerging-web_sql_injection.rules)
    2008886 - ET WEB_CLIENT Microsoft XML Core Services DTD Cross Domain Information Disclosure object (emerging-web.rules)
    2008887 - ET WEB_ACTIVEX Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid (emerging-web.rules)
    2008888 - ET TROJAN Gh0st Remote Access Trojan Client Connect (emerging-virus.rules)
    2008889 - ET TROJAN Gh0st Remote Access Trojan Server Response (emerging-virus.rules)
    2008890 - ET TROJAN Downloader.Exchanger (CbEvtSvc.exe) Variant Checkin - non-SSL (emerging-virus.rules)
    2008891 - ET TROJAN MEREDROP/micr0s0fts.cn Related Checkin (emerging-virus.rules)
    2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules)
    2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules)
    2406133 - ET RBN Known Russian Business
Network Monitored Domains (134) (emerging-rbn.rules) 2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules) 2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules) 2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules) 2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules) 2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules) 2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules) 2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules) 2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules) 2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules) 2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules) 2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules) 2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules) 2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules) 2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules) 2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules) 2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules) 2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules) 2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules) 2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules) 2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules) 2406154 - ET RBN Known Russian Business Network Monitored Domains (155) 
(emerging-rbn.rules) 2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules) 2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules) 2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules) 2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules) 2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules) 2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules) 2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules) 2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules) 2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules) 2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules) 2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules) 2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules) 2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules) 2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules) 2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian 
Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules)
2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules)
2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules)
2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules)
2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules)
2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules)
2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules)
2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules)
2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules)
2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules)
2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules)
2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules)
2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules)
2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules)
2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules)
2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

2001239 - ET Cisco Device in Config Mode (emerging-policy.rules)
2001240 - ET Cisco Device New Config Built (emerging-policy.rules)
2008814 - ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method (emerging-web.rules)
2008845 - ET CURRENT_EVENTS Possible Malicious Flash Update (emerging.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
2404004 - ET DROP Known Bot C&C
Server Traffic (group 5) (emerging-botcc.rules) 2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules) 2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules) 2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules) 2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules) 2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules) 2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules) 2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules) 2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules) 2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules) 2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules) 2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules) 2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules) 2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules) 2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules) 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405008 - ET DROP Known Bot C&C Traffic 
(group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules) 2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network 
Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2406032 - ET RBN Known 
Russian Business Network Monitored Domains (33) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network Monitored Domains (54) 
(emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business 
Network Monitored Domains (76) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules) 2406097 - ET 
RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules) 2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules) 2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules) 2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules) 2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules) 2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules) 2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules) 2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules) 2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules) 2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules) 2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules) 2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules) 2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules) 2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules) 2406118 - ET RBN Known Russian Business Network Monitored 
Domains (119) (emerging-rbn.rules) 2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules) 2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules) 2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules) 2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules) 2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules) 2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules) 2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules) 2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules) 2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules) 2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules) 2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules) 2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) 
(emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) 
(emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (118) (emerging-rbn-BLOCK.rules)
2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules)
2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules)
2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules)
2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules)
2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules)
2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules)
2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules)
2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules)
2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules)
2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules)
2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules)
2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules)
2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules)

[---] Removed rules: [---]
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-drop-BLOCK.rules (2):
# VERSION 1387
# Generated 2008-12-13 00:03:02 EDT
-> Added to emerging-drop.rules (2):
# VERSION 1387
# Generated 2008-12-13 00:03:02 EDT
-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 91
# Updated 2008-12-12 23:18:40
-> Added to
emerging-rbn.rules (2):
# VERSION 91
# Updated 2008-12-12 23:18:40
-> Added to emerging-sid-msg.map (123):
2007903 || ET WEB_ACTIVEX 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007905 || ET WEB_ACTIVEX D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2008814 || ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method || url,milw0rm.com/exploits/6963 || url,secunia.com/Advisories/32513/
2008849 || ET WEB_SPECIFIC evision cms add3rdparty.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008850 || ET WEB_SPECIFIC evision cms addpolling.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008851 || ET WEB_SPECIFIC evision cms addcontact.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008852 || ET WEB_SPECIFIC evision cms addbrandnews.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008853 || ET WEB_SPECIFIC evision cms addnewsletter.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008854 || ET WEB_SPECIFIC evision cms addgame.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008855 || ET WEB_SPECIFIC evision cms addtour.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008856 || ET WEB_SPECIFIC evision cms addarticles.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008857 || ET WEB_SPECIFIC evision cms addproduct.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008858 || ET WEB_SPECIFIC evision cms addplain.php module parameter Local File Inclusion ||
url,milw0rm.com/exploits/7031 || bugtraq,32180 2008859 || ET TROJAN Downloader Win32.Small.agoy Checkin || url,www.threatexpert.com/reports.aspx?find=%2Fjutr%2F || url,www.threatexpert.com/report.aspx?md5=e491d25d82f4928138a0d8b3a6365c39 2008860 || ET POLICY External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set) || url,articles.techrepublic.com.com/5100-10878_11-5875046.html 2008861 || ET POLICY External Telnet Login To Cisco Device || url,articles.techrepublic.com.com/5100-10878_11-5875046.html 2008862 || ET POLICY External Access to Cisco Aironet AP Over HTTP (Post Authentication) || url,supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_HTTPS_on_the_AP 2008863 || ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (3) || url,www.threatexpert.com/reports.aspx?find=apstpldr.dll.html 2008864 || ET TROJAN Koobface Trojan HTTP Post Checkin 2008865 || ET WEB_SPECIFIC PozScripts Business Directory Script cid parameter SQL Injection || url,milw0rm.com/exploits/7098 || url,frsirt.com/english/advisories/2008/3118 2008866 || ET WEB_SPECIFIC ClipShare Pro channel_detail.php chid Parameter SQL Injection || url,milw0rm.com/exploits/7128 || bugtraq,32311 2008867 || ET WEB_SPECIFIC SlimCMS edit.php pageid Parameter SQL Injection || bugtraq,32300 2008869 || ET WEB_ACTIVEX VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow || url,milw0rm.com/exploits/7126 || bugtraq,32313 2008870 || ET WEB_ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation || url,milw0rm.com/exploits/7142 || bugtraq,32333 2008871 || ET WEB_SPECIFIC phpFan init.php Remote File Inclusion || url,milw0rm.com/exploits/7143 || bugtraq,32335 2008872 || ET WEB_SPECIFIC Ultrastats serverid parameter SQL Injection || url,milw0rm.com/exploits/7148 || bugtraq,32340 2008873 || ET WEB_SPECIFIC PHPStore Wholesales id Parameter SQL Injection || url,packetstorm.linuxsecurity.com/0811-exploits/wholesale-sql.txt || 
url,secunia.com/advisories/32741/ 2008874 || ET WEB_SPECIFIC PHPStore Yahoo Answers id parameter SQL Injection || url,milw0rm.com/exploits/7131 || url,secunia.com/advisories/32717/ 2008875 || ET WEB_SPECIFIC Vlog System note parameter SQL Injection || url,www.milw0rm.com/exploits/7186 || url,secunia.com/advisories/32784/ 2008876 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt || url,isc.sans.org/diary.html?storyid=5458 2008877 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) || url,isc.sans.org/diary.html?storyid=5458 2008878 || ET WEB_SPECIFIC Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion || url,milw0rm.com/exploits/7155 || url,secunia.com/advisories/32745/ 2008879 || ET WEB_SPECIFIC Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion || url,milw0rm.com/exploits/7155 || url,secunia.com/advisories/32745/ 2008880 || ET WEB_SPECIFIC PunBB Functions_navlinks.php pun_user[language] Parameter Local File Inclusion || url,milw0rm.com/exploits/7159 || bugtraq,32360 2008881 || ET WEB_SPECIFIC PunBB profile_send.php pun_user[language] Parameter Local File Inclusion || url,milw0rm.com/exploits/7159 || bugtraq,32360 2008882 || ET WEB_SPECIFIC PunBB viewtopic_PM-link.php pun_user[language] Parameter Local File Inclusion || url,milw0rm.com/exploits/7159 || bugtraq,32360 2008883 || ET WEB_SPECIFIC Easyedit CMS page.php intpageID parameter sql injection || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,secunia.com/advisories/32822/ 2008884 || ET WEB_SPECIFIC Easyedit CMS subcategory.php intSubCategoryID parameter sql injection || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,secunia.com/advisories/32822/ 2008885 || ET WEB_SPECIFIC Easyedit CMS news.php intPageID parameter sql injection || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,secunia.com/advisories/32822/ 2008886 || ET WEB_CLIENT 
Microsoft XML Core Services DTD Cross Domain Information Disclosure object || url,milw0rm.com/exploits/7196 || bugtraq,32155 2008887 || ET WEB_ACTIVEX Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid || url,milw0rm.com/exploits/7196 || bugtraq,32155 2008888 || ET TROJAN Gh0st Remote Access Trojan Client Connect 2008889 || ET TROJAN Gh0st Remote Access Trojan Server Response || url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211 2008890 || ET TROJAN Downloader.Exchanger (CbEvtSvc.exe) Variant Checkin - non-SSL 2008891 || ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg) 2406131 || ET RBN Known Russian Business Network Monitored Domains (132) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406132 || ET RBN Known Russian Business Network Monitored Domains (133) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406133 || ET RBN Known Russian Business Network Monitored Domains (134) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406134 || ET RBN Known Russian Business Network Monitored Domains (135) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406135 || ET RBN Known Russian Business Network Monitored Domains (136) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406136 || ET RBN Known Russian Business Network Monitored Domains (137) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406137 || ET RBN Known Russian Business Network Monitored Domains (138) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406138 || ET RBN Known Russian Business Network Monitored Domains (139) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406139 || ET RBN Known Russian Business Network Monitored Domains (140) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406140 || ET RBN Known Russian Business Network Monitored Domains (141) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406141 || ET RBN Known Russian Business Network Monitored Domains (142) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406142 || ET RBN Known Russian Business Network Monitored Domains (143) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406143 || ET RBN Known Russian Business Network Monitored Domains (144) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406144 || ET RBN Known Russian Business Network Monitored Domains (145) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406145 || ET RBN Known Russian Business Network Monitored Domains (146) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406146 || ET RBN Known Russian Business Network Monitored Domains (147) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406147 || ET RBN Known Russian Business Network Monitored Domains (148) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406148 || ET RBN Known Russian Business Network Monitored Domains (149) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406149 || ET RBN Known Russian Business Network Monitored Domains (150) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406150 || ET RBN Known Russian Business Network Monitored Domains (151) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406151 || ET RBN Known Russian Business Network Monitored Domains (152) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406152 || ET RBN Known Russian Business Network Monitored Domains (153) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406153 || ET RBN Known Russian Business Network Monitored Domains (154) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406154 || ET RBN Known Russian Business Network Monitored Domains (155) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406155 || ET RBN Known Russian Business Network Monitored Domains (156) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406156 || ET RBN Known Russian Business Network Monitored Domains (157) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406157 || ET RBN Known Russian Business Network Monitored Domains (158) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406158 || ET RBN Known Russian Business Network Monitored Domains (159) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406159 || ET RBN Known Russian Business Network Monitored Domains (160) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406160 || ET RBN Known Russian Business Network Monitored Domains (161) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406161 || ET RBN Known Russian Business Network Monitored Domains (162) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406162 || ET RBN Known Russian Business Network Monitored Domains (163) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406163 || ET RBN Known Russian Business Network Monitored Domains (164) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406164 || ET RBN Known Russian Business Network Monitored Domains (165) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406165 || ET RBN Known Russian Business Network Monitored Domains (166) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406166 || ET RBN Known Russian Business Network Monitored Domains (167) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406167 || ET RBN Known Russian Business Network Monitored Domains (168) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406168 || ET RBN Known Russian Business Network Monitored Domains (169) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406169 || ET RBN Known Russian Business Network Monitored Domains (170) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407131 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407132 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407133 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407134 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407135 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407136 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407137 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407138 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407139 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407140 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407141 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407142 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407143 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407144 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407145 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407146 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407147 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407148 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407149 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407150 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407151 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407152 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407153 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407154 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407155 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407156 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407157 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407158 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407159 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407160 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407161 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407162 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407163 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407164 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407165 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407166 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407167 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407168 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407169 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
-> Added to emerging-sid-msg.map.txt (123):
2007903 || ET WEB_ACTIVEX 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007905 || ET WEB_ACTIVEX D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2008814 || ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method || url,milw0rm.com/exploits/6963 || url,secunia.com/Advisories/32513/
2008849 || ET WEB_SPECIFIC evision cms add3rdparty.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008850 || ET WEB_SPECIFIC evision cms addpolling.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008851 || ET WEB_SPECIFIC evision cms addcontact.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008852 || ET WEB_SPECIFIC evision cms addbrandnews.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008853 || ET WEB_SPECIFIC evision cms addnewsletter.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008854 || ET WEB_SPECIFIC evision cms addgame.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008855 || ET WEB_SPECIFIC evision cms addtour.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008856 || ET WEB_SPECIFIC evision cms addarticles.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180
2008857 || ET WEB_SPECIFIC evision cms addproduct.php module parameter Local File Inclusion ||
url,milw0rm.com/exploits/7031 || bugtraq,32180 2008858 || ET WEB_SPECIFIC evision cms addplain.php module parameter Local File Inclusion || url,milw0rm.com/exploits/7031 || bugtraq,32180 2008859 || ET TROJAN Downloader Win32.Small.agoy Checkin || url,www.threatexpert.com/reports.aspx?find=%2Fjutr%2F || url,www.threatexpert.com/report.aspx?md5=e491d25d82f4928138a0d8b3a6365c39 2008860 || ET POLICY External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set) || url,articles.techrepublic.com.com/5100-10878_11-5875046.html 2008861 || ET POLICY External Telnet Login To Cisco Device || url,articles.techrepublic.com.com/5100-10878_11-5875046.html 2008862 || ET POLICY External Access to Cisco Aironet AP Over HTTP (Post Authentication) || url,supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_HTTPS_on_the_AP 2008863 || ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (3) || url,www.threatexpert.com/reports.aspx?find=apstpldr.dll.html 2008864 || ET TROJAN Koobface Trojan HTTP Post Checkin 2008865 || ET WEB_SPECIFIC PozScripts Business Directory Script cid parameter SQL Injection || url,milw0rm.com/exploits/7098 || url,frsirt.com/english/advisories/2008/3118 2008866 || ET WEB_SPECIFIC ClipShare Pro channel_detail.php chid Parameter SQL Injection || url,milw0rm.com/exploits/7128 || bugtraq,32311 2008867 || ET WEB_SPECIFIC SlimCMS edit.php pageid Parameter SQL Injection || bugtraq,32300 2008869 || ET WEB_ACTIVEX VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow || url,milw0rm.com/exploits/7126 || bugtraq,32313 2008870 || ET WEB_ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation || url,milw0rm.com/exploits/7142 || bugtraq,32333 2008871 || ET WEB_SPECIFIC phpFan init.php Remote File Inclusion || url,milw0rm.com/exploits/7143 || bugtraq,32335 2008872 || ET WEB_SPECIFIC Ultrastats serverid parameter SQL Injection || url,milw0rm.com/exploits/7148 || bugtraq,32340 2008873 || ET WEB_SPECIFIC 
PHPStore Wholesales id Parameter SQL Injection || url,packetstorm.linuxsecurity.com/0811-exploits/wholesale-sql.txt || url,secunia.com/advisories/32741/ 2008874 || ET WEB_SPECIFIC PHPStore Yahoo Answers id parameter SQL Injection || url,milw0rm.com/exploits/7131 || url,secunia.com/advisories/32717/ 2008875 || ET WEB_SPECIFIC Vlog System note parameter SQL Injection || url,www.milw0rm.com/exploits/7186 || url,secunia.com/advisories/32784/ 2008876 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt || url,isc.sans.org/diary.html?storyid=5458 2008877 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) || url,isc.sans.org/diary.html?storyid=5458 2008878 || ET WEB_SPECIFIC Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion || url,milw0rm.com/exploits/7155 || url,secunia.com/advisories/32745/ 2008879 || ET WEB_SPECIFIC Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion || url,milw0rm.com/exploits/7155 || url,secunia.com/advisories/32745/ 2008880 || ET WEB_SPECIFIC PunBB Functions_navlinks.php pun_user[language] Parameter Local File Inclusion || url,milw0rm.com/exploits/7159 || bugtraq,32360 2008881 || ET WEB_SPECIFIC PunBB profile_send.php pun_user[language] Parameter Local File Inclusion || url,milw0rm.com/exploits/7159 || bugtraq,32360 2008882 || ET WEB_SPECIFIC PunBB viewtopic_PM-link.php pun_user[language] Parameter Local File Inclusion || url,milw0rm.com/exploits/7159 || bugtraq,32360 2008883 || ET WEB_SPECIFIC Easyedit CMS page.php intpageID parameter sql injection || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,secunia.com/advisories/32822/ 2008884 || ET WEB_SPECIFIC Easyedit CMS subcategory.php intSubCategoryID parameter sql injection || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,secunia.com/advisories/32822/ 2008885 || ET WEB_SPECIFIC Easyedit CMS news.php intPageID parameter sql injection || 
url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,secunia.com/advisories/32822/ 2008886 || ET WEB_CLIENT Microsoft XML Core Services DTD Cross Domain Information Disclosure object || url,milw0rm.com/exploits/7196 || bugtraq,32155 2008887 || ET WEB_ACTIVEX Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid || url,milw0rm.com/exploits/7196 || bugtraq,32155 2008888 || ET TROJAN Gh0st Remote Access Trojan Client Connect 2008889 || ET TROJAN Gh0st Remote Access Trojan Server Response || url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211 2008890 || ET TROJAN Downloader.Exchanger (CbEvtSvc.exe) Variant Checkin - non-SSL 2008891 || ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg) 2406131 || ET RBN Known Russian Business Network Monitored Domains (132) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406132 || ET RBN Known Russian Business Network Monitored Domains (133) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406133 || ET RBN Known Russian Business Network Monitored Domains (134) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406134 || ET RBN Known Russian Business Network Monitored Domains (135) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406135 || ET RBN Known Russian Business Network Monitored Domains (136) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406136 || ET RBN Known Russian Business Network Monitored Domains (137) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406137 || ET RBN Known Russian Business Network Monitored Domains (138) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406138 || ET RBN Known Russian Business Network Monitored Domains (139) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406139 || ET RBN Known Russian Business Network Monitored Domains (140) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406140 || ET RBN Known Russian Business Network Monitored Domains (141) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406141 || ET RBN Known Russian Business Network Monitored Domains (142) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406142 || ET RBN Known Russian Business Network Monitored Domains (143) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406143 || ET RBN Known Russian Business Network Monitored Domains (144) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406144 || ET RBN Known Russian Business Network Monitored Domains (145) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406145 || ET RBN Known Russian Business Network Monitored Domains (146) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406146 || ET RBN Known Russian Business Network Monitored Domains (147) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406147 || ET RBN Known Russian Business Network Monitored Domains (148) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406148 || ET RBN Known Russian Business Network Monitored Domains (149) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406149 || ET RBN Known Russian Business Network Monitored Domains (150) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406150 || ET RBN Known Russian Business Network Monitored Domains (151) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406151 || ET RBN Known Russian Business Network Monitored Domains (152) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406152 || ET RBN Known Russian Business Network Monitored Domains (153) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406153 || ET RBN Known Russian Business Network Monitored Domains (154) || 
-> Added to emerging-virus.rules (4):
#by robert grabowsky
#by steven adair of shadowserver.org
#by steven Adair of shadowserver.org
#by robert grabowsky
-> Added to emerging-web.rules (1):
#by Akash Mahajan at stillsecure
-> Added to emerging.rules (2):
#by Joshua Gimer
#by matt jonkman, re sllwrnm2.cn/a1/ss.htm

[---] Removed non-rule lines: [---]
-> Removed from emerging-drop-BLOCK.rules (2):
# VERSION 1380
# Generated 2008-12-06 00:03:01 EDT
-> Removed from emerging-drop.rules (2):
# VERSION 1380
# Generated 2008-12-06 00:03:01 EDT
-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 86
# Updated 2008-12-05 21:54:44
-> Removed from emerging-rbn.rules (2):
# VERSION 86
# Updated 2008-12-05 21:54:44
-> Removed from emerging-sid-msg.map (149):
2008814 || ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method || url,/milw0rm.com/exploits/6963 || url,secunia.com/Advisories/32513/
2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
-> Removed from emerging-sid-msg.map.txt (149):
2008814 || ET WEB_ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method || url,/milw0rm.com/exploits/6963 || url,secunia.com/Advisories/32513/
2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510022 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (23) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510023 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (24) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510024 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (25) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510025 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (26) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510026 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (27) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510027 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (28) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510028 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (29) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510029 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (30) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510030 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (31) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510031 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (32) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510032 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (33) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510033 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (34) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510034 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (35) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510035 || ET COMPROMISED Known 
Compromised or Hostile Host Traffic - BLOCKING (36) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510036 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (37) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510037 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (38) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510038 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (39) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510039 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (40) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510040 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (41) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510041 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (42) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510042 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (43) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510043 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (44) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510044 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (45) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510045 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (46) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510046 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (47) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510047 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (48) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510048 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (49) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510049 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (50) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510050 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (51) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510051 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (52) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510052 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (53) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510053 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (54) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510054 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (55) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510056 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510057 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510058 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510059 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510060 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510062 || ET COMPROMISED Known 
Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510075 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510076 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510077 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510078 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510079 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510080 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510081 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510082 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (83) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510083 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (84) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510084 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (85) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From emerging at emergingthreats.net Sun Dec 14 16:00:09 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sun, 14 Dec 2008 16:00:09 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081214210009.4B19245026@goliath.jonkmans.com> [***] Results from Oinkmaster started Sun Dec 14 16:00:09 2008 [***] [+++] Added rules: [+++] 2008892 - ET MALWARE Smileware Connection Spyware Related User-Agent (Smileware Connection) (emerging-malware.rules) 2008893 - ET TROJAN Perfect Keylogger Install Email Report (emerging-virus.rules) 2008894 - ET MALWARE 
Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg) (emerging-malware.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (10):
        2008891 || ET TROJAN MEREDROP/micr0s0fts.cn Related Checkin
        2008892 || ET MALWARE Smileware Connection Spyware Related User-Agent (Smileware Connection)
        2008893 || ET TROJAN Perfect Keylogger Install Email Report
        2008894 || ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)
        2500012 || ET COMPROMISED Known Compromised or Hostile Host Traffic (13) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500013 || ET COMPROMISED Known Compromised or Hostile Host Traffic (14) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500014 || ET COMPROMISED Known Compromised or Hostile Host Traffic (15) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510012 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (13) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510013 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (14) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510014 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (15) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (10):
        2008891 || ET TROJAN MEREDROP/micr0s0fts.cn Related Checkin
        2008892 || ET MALWARE Smileware Connection Spyware Related User-Agent (Smileware Connection)
        2008893 || ET TROJAN Perfect Keylogger Install Email Report
        2008894 || ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)
        2500012 || ET COMPROMISED Known Compromised or Hostile Host Traffic (13) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500013 || ET COMPROMISED Known Compromised or Hostile Host Traffic (14) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500014 || ET COMPROMISED Known Compromised or Hostile Host Traffic (15) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510012 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (13) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510013 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (14) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510014 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (15) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (1):
        2008891 || ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)

    -> Removed from emerging-sid-msg.map.txt (1):
        2008891 || ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)

From cunningpike at gmail.com Mon Dec 15 00:58:12 2008
From: cunningpike at gmail.com (CunningPike)
Date: Sun, 14 Dec 2008 21:58:12 -0800
Subject: [Emerging-Sigs] IE Sigs
In-Reply-To: <49426498.20100@jonkmans.com>
References: <49402295.4060504@jonkmans.com>
	<20081211085445.i376yfwj4s0ko8s8@mail.afferentsecurity.com>
	<20081211085808.wjlktvgeoc4cgcg8@mail.afferentsecurity.com>
	<494134CB.3030609@jonkmans.com>
	<1229066583.6331.19.camel@cunningpike-powerbook>
	<49426498.20100@jonkmans.com>
Message-ID: <1229320692.6211.12.camel@cunningpike-powerbook>

And I second that emotion. If I was going to a desert island and could
take only 2 Internet security tools with me, DNS-BH would be #1,
snortsam would be #2.

CP

On Fri, 2008-12-12 at 08:18 -0500, Matt Jonkman wrote:
> On some we can wildcard, ya. But the field length has to be defined
> statically in the rule. So we shouldn't rely on that for certain.
>
> I'd much more recommend using David's DNSBH as it'll get the entire root
> domain if listed.
>
> Matt
>
> David Glosser wrote:
> > should, assuming you use both. But the snort rules can allow for
> > wildcards if there are a bunch of machine-generated domains...
> >
> > On Fri, Dec 12, 2008 at 2:23 AM, CunningPike wrote:
> >> Wouldn't use of the DNS-BH zonefile catch these pre-infection anyway?
> >>
> >> CP
> >>
> >> On Thu, 2008-12-11 at 10:42 -0500, Matt Jonkman wrote:
> >>> Thanks Jack. It's not a bad way to go. I generally don't do these as the
> >>> domains come and go so quickly in many cases. But these are so far
> >>> proving tough to get taken down and the risk is significant.
> >>>
> >>> So I pose the question to everyone: Would you like to see these pulled
> >>> into the ET ruleset for a few days, or is it fine to just pull them from
> >>> Jack's site if you choose to use them?
> >>>
> >>> Matt
> >>>
> >>> Jack Pepper wrote:
> >>>> Sorry typo on the url for download:
> >>>>
> >>>> http://www.autoshun.org/downloads/ie7-0day.rules
> >>>>
> >>>> jp
> >>>>
> >>>> ----------------------------------------------------------------
> >>>> @fferent Security Labs: Isolate/Insulate/Innovate
> >>>> http://www.afferentsecurity.com
> >>>>
> >>>> _______________________________________________
> >>>> Emerging-sigs mailing list
> >>>> Emerging-sigs at emergingthreats.net
> >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From signatures at stillsecure.com Mon Dec 15 04:31:14 2008
From: signatures at stillsecure.com (signatures)
Date: Mon, 15 Dec 2008 02:31:14 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Dec-15-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2919@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"89F968A1-DBAC-4807-9B3C-405A55E4A279"; nocase; distance:0; content:"extractPagesToFile"; nocase; classtype:web-application-attack; reference:bugtraq,32664; reference:url,milw0rm.com/exploits/7358; sid:1000006; rev:1;)

2. Bandwebsite lyrics.php id parameter Sql Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Bandwebsite lyrics.php id parameter Sql Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/lyrics.php?"; nocase; uricontent:"section=full"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7215; reference:bugtraq,32454; sid:2009932; rev:1;)

3. MODx CMS snippet.reflect.php reflect_base Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MODx CMS snippet.reflect.php reflect_base Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/snippet.reflect.php?"; nocase; uricontent:"reflect_base="; nocase; pcre:"/reflect_base=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7204; reference:url,secunia.com/advisories/32824/; sid:2009927; rev:1;)

4. MODx CMS snippet.reflect.php reflect_base Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MODx CMS snippet.reflect.php reflect_base Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/snippet.reflect.php?"; nocase; uricontent:"reflect_base="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7204; reference:url,secunia.com/advisories/32824/; sid:2009928; rev:1;)

5. Pie RSS module lib parameter remote file inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Pie RSS module lib parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/lib/action/rss.php?"; nocase; uricontent:"lib="; nocase; pcre:"/lib=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,32465; reference:url,milw0rm.com/exploits/7225; sid:2008174; rev:1;)

6. ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/export_batch.inc.php?"; nocase; uricontent:"DIR="; nocase; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; sid:508258; rev:1;)

7. ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/run_auto_suspend.cron.php?"; nocase; uricontent:"DIR="; nocase; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; sid:508257; rev:1;)

8. ModernBill send_email_cache.php DIR Parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ModernBill send_email_cache.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/send_email_cache.php?"; nocase; uricontent:"DIR="; nocase; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; sid:508256; rev:1;)

9. ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/2checkout_return.inc.php?"; nocase; uricontent:"DIR="; nocase; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; sid:508255; rev:1;)

10. ModernBill nettools.popup.php DIR Parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ModernBill nettools.popup.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/nettools.popup.php?"; nocase; uricontent:"DIR="; nocase; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; sid:508254; rev:1;)

Looking forward to your comments

Thanks & Regards,
StillSecure

From jonkman at jonkmans.com Mon Dec 15 08:59:04 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 15 Dec 2008 08:59:04 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Dec-15-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2919@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2919@webmail.latis.com>
Message-ID: <494662A8.7020906@jonkmans.com>

Added, good sigs, Thanks as always!!

Matt

signatures wrote:
> Hi Matt,
>
> Please find 10 New Signatures below:
>
> 1. *Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File
> Overwrite*
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Visagesoft
> eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite";
> flow:to_client,established; content:"clsid"; nocase;
> content:"89F968A1-DBAC-4807-9B3C-405A55E4A279"; nocase; distance:0;
> content:"extractPagesToFile"; nocase; classtype:web-application-attack;
> reference:bugtraq,32664; reference:url,milw0rm.com/exploits/7358;
> sid:1000006; rev:1;)
>
> 2. *Bandwebsite lyrics.php id parameter Sql Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"Bandwebsite lyrics.php id parameter Sql Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/lyrics.php?"; nocase; uricontent:"section=full"; nocase;
> uricontent:"id="; nocase; uricontent:"UNION"; nocase;
> uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui";
> classtype:web-application-attack;
> reference:url,www.milw0rm.com/exploits/7215; reference:bugtraq,32454;
> sid:2009932; rev:1;)
>
> 3. *MODx CMS snippet.reflect.php reflect_base Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MODx CMS
> snippet.reflect.php reflect_base Remote File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/snippet.reflect.php?"; nocase; uricontent:"reflect_base=";
> nocase; pcre:"/reflect_base=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,www.milw0rm.com/exploits/7204;
> reference:url,secunia.com/advisories/32824/; sid:2009927; rev:1;)
>
> 4. *MODx CMS snippet.reflect.php reflect_base Local File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MODx CMS
> snippet.reflect.php reflect_base Local File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/snippet.reflect.php?"; nocase; uricontent:"reflect_base=";
> nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack;
> reference:url,www.milw0rm.com/exploits/7204;
> reference:url,secunia.com/advisories/32824/; sid:2009928; rev:1;)
>
> 5. *Pie RSS module lib parameter remote file inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Pie RSS
> module lib parameter remote file inclusion"; flow:established,to_server;
> content:"GET "; depth:4; uricontent:"/lib/action/rss.php?"; nocase;
> uricontent:"lib="; nocase; pcre:"/lib=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,32465;
> reference:url,milw0rm.com/exploits/7225; sid:2008174; rev:1;)
>
> 6. *ModernBill export_batch.inc.php DIR Parameter Remote File
> Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"ModernBill export_batch.inc.php DIR Parameter Remote File
> Inclusion"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/export_batch.inc.php?"; nocase; uricontent:"DIR="; nocase;
> pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,secunia.com/advisories/32529/;
> reference:url,milw0rm.com/exploits/6916; sid:508258; rev:1;)
>
> 7. *ModernBill run_auto_suspend.cron.php DIR Parameter Remote File
> Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"ModernBill run_auto_suspend.cron.php DIR Parameter Remote File
> Inclusion"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/run_auto_suspend.cron.php?"; nocase; uricontent:"DIR=";
> nocase; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,secunia.com/advisories/32529/;
> reference:url,milw0rm.com/exploits/6916; sid:508257; rev:1;)
>
> 8. *ModernBill send_email_cache.php DIR Parameter Remote File
> Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"ModernBill send_email_cache.php DIR Parameter Remote File
> Inclusion"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/send_email_cache.php?"; nocase; uricontent:"DIR="; nocase;
> pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,secunia.com/advisories/32529/;
> reference:url,milw0rm.com/exploits/6916; sid:508256; rev:1;)
>
> 9. *ModernBill 2checkout_return.inc.php DIR Parameter Remote File
> Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"ModernBill 2checkout_return.inc.php DIR Parameter Remote File
> Inclusion"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/2checkout_return.inc.php?"; nocase; uricontent:"DIR=";
> nocase; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,secunia.com/advisories/32529/;
> reference:url,milw0rm.com/exploits/6916; sid:508255; rev:1;)
>
> 10. *ModernBill nettools.popup.php DIR Parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"ModernBill nettools.popup.php DIR Parameter Remote File
> Inclusion"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/nettools.popup.php?"; nocase; uricontent:"DIR="; nocase;
> pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,secunia.com/advisories/32529/;
> reference:url,milw0rm.com/exploits/6916; sid:508254; rev:1;)
>
> Looking forward to your comments
>
> Thanks & Regards,
> StillSecure

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Mon Dec 15 15:53:53 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 15 Dec 2008 15:53:53 -0500
Subject: [Emerging-Sigs] MSSQL Experts....
Message-ID: <4946C3E1.10200@jonkmans.com>

http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

Seems we could have a simple sig for anyone requesting to execute that
stored procedure. I haven't got the knowledge of (nor desire to set up)
an mssql box to test on. Anyone able to try it and send in a pcap, or
outline what that should look like?
Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Mon Dec 15 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 15 Dec 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081215210008.C787745026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Dec 15 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008895 - ET WEB_ACTIVEX Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite (emerging-web.rules)
2008896 - ET WEB_SPECIFIC Bandwebsite lyrics.php id parameter Sql Injection (emerging-web_sql_injection.rules)
2008897 - ET WEB_SPECIFIC MODx CMS snippet.reflect.php reflect_base Remote File Inclusion (emerging-web_sql_injection.rules)
2008898 - ET WEB_SPECIFIC MODx CMS snippet.reflect.php reflect_base Local File Inclusion (emerging-web_sql_injection.rules)
2008899 - ET WEB+SPECIFIC Pie RSS module lib parameter remote file inclusion (emerging-web_sql_injection.rules)
2008900 - ET WEB_SPECIFIC ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2008901 - ET WEB_SPECIFIC ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2008902 - ET WEB_SPECIFIC ModernBill send_email_cache.php DIR Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2008903 - ET WEB_SPECIFIC ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2008904 - ET WEB_SPECIFIC ModernBill nettools.popup.php DIR Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules)
2407170 - ET RBN Known
Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

[+++] Added non-rule lines: [+++]

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 92
# Updated 2008-12-14 22:44:48
-> Added to emerging-rbn.rules (2):
# VERSION 92
# Updated 2008-12-14 22:44:48
-> Added to emerging-sid-msg.map (16):
2008895 || ET WEB_ACTIVEX Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite || url,milw0rm.com/exploits/7358 || bugtraq,32664
2008896 || ET WEB_SPECIFIC Bandwebsite lyrics.php id parameter Sql Injection || bugtraq,32454 || url,www.milw0rm.com/exploits/7215
2008897 || ET WEB_SPECIFIC MODx CMS snippet.reflect.php reflect_base Remote File Inclusion || url,secunia.com/advisories/32824/ || url,www.milw0rm.com/exploits/7204
2008898 || ET WEB_SPECIFIC MODx CMS snippet.reflect.php reflect_base Local File Inclusion || url,secunia.com/advisories/32824/ || url,www.milw0rm.com/exploits/7204
2008899 || ET WEB+SPECIFIC Pie RSS module lib parameter remote file inclusion || url,milw0rm.com/exploits/7225 || bugtraq,32465
2008900 || ET WEB_SPECIFIC ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/
2008901 || ET WEB_SPECIFIC ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/
2008902 || ET WEB_SPECIFIC ModernBill send_email_cache.php DIR Parameter Remote File Inclusion ||
url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/ 2008903 || ET WEB_SPECIFIC ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/ 2008904 || ET WEB_SPECIFIC ModernBill nettools.popup.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/ 2406170 || ET RBN Known Russian Business Network Monitored Domains (171) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407170 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500015 || ET COMPROMISED Known Compromised or Hostile Host Traffic (16) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500016 || ET COMPROMISED Known Compromised or Hostile Host Traffic (17) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510015 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (16) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510016 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (17) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (16): 2008895 || ET WEB_ACTIVEX Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite || url,milw0rm.com/exploits/7358 || bugtraq,32664 2008896 || ET WEB_SPECIFIC Bandwebsite lyrics.php id parameter Sql Injection || bugtraq,32454 || url,www.milw0rm.com/exploits/7215 2008897 || ET WEB_SPECIFIC MODx CMS snippet.reflect.php reflect_base Remote File Inclusion || url,secunia.com/advisories/32824/ || url,www.milw0rm.com/exploits/7204 2008898 || ET WEB_SPECIFIC MODx CMS snippet.reflect.php reflect_base Local File Inclusion || url,secunia.com/advisories/32824/ || url,www.milw0rm.com/exploits/7204 2008899 || ET WEB+SPECIFIC Pie RSS module lib parameter remote file inclusion || 
url,milw0rm.com/exploits/7225 || bugtraq,32465 2008900 || ET WEB_SPECIFIC ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/ 2008901 || ET WEB_SPECIFIC ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/ 2008902 || ET WEB_SPECIFIC ModernBill send_email_cache.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/ 2008903 || ET WEB_SPECIFIC ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/ 2008904 || ET WEB_SPECIFIC ModernBill nettools.popup.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/ 2406170 || ET RBN Known Russian Business Network Monitored Domains (171) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407170 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500015 || ET COMPROMISED Known Compromised or Hostile Host Traffic (16) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500016 || ET COMPROMISED Known Compromised or Hostile Host Traffic (17) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510015 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (16) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510016 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (17) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts [---] Removed non-rule lines: [---] -> Removed from emerging-rbn-BLOCK.rules (2): # VERSION 91 # Updated 2008-12-12 23:18:40 -> Removed from emerging-rbn.rules (2): # VERSION 91 # Updated 2008-12-12 23:18:40 From joel.esler at sourcefire.com Mon Dec 15 17:16:15 
2008
From: joel.esler at sourcefire.com (Joel Esler)
Date: Mon, 15 Dec 2008 17:16:15 -0500
Subject: [Emerging-Sigs] MSSQL Experts....
In-Reply-To: <4946C3E1.10200@jonkmans.com>
References: <4946C3E1.10200@jonkmans.com>
Message-ID:

On Dec 15, 2008, at 3:53 PM, Matt Jonkman allegedly wrote:

> http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt
>
> Seems we could have a simple sig for anyone requesting to execute that
> stored procedure. I haven't got the knowledge of (nor desire to set up)
> an mssql box to test on. Anyone able to try it and send in a pcap, or
> outline what that should look like

Already done:

(From rule release notes:)
Microsoft SQL Server Buffer Overflow (CVE-2008-5416):
A vulnerability in Microsoft SQL Server may allow a remote attacker to
execute code on a vulnerable system. This issue may be exploited via
the sp_replwritetovarbin stored procedure.

Rules to detect attacks targeting these vulnerabilities are included
in this release and are identified with GID 1, SIDs 15127 through 15144.

--
Joel Esler
iChat: eslerjoel
[m]

From jonkman at jonkmans.com Mon Dec 15 17:23:28 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 15 Dec 2008 17:23:28 -0500
Subject: [Emerging-Sigs] MSSQL Experts....
In-Reply-To:
References: <4946C3E1.10200@jonkmans.com>
Message-ID: <4946D8E0.20808@jonkmans.com>

I'm sure they're good rules too, but most of us won't see them for a
while. Have to fend for ourselves. :)

(which is why we exist I suppose :) )

Matt

Joel Esler wrote:
> On Dec 15, 2008, at 3:53 PM, Matt Jonkman allegedly wrote:
>
>> http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt
>>
>> Seems we could have a simple sig for anyone requesting to execute that
>> stored procedure. I haven't got the knowledge of (nor desire to set up)
>> an mssql box to test on. Anyone able to try it and send in a pcap, or
>> outline what that should look like
>
> Already done:
>
> (From rule release notes:)
> Microsoft SQL Server Buffer Overflow (CVE-2008-5416):
> A vulnerability in Microsoft SQL Server may allow a remote attacker to
> execute code on a vulnerable system. This issue may be exploited via
> the sp_replwritetovarbin stored procedure.
>
> Rules to detect attacks targeting these vulnerabilities are included
> in this release and are identified with GID 1, SIDs 15127 through 15144.
>
> --
> Joel Esler
> iChat: eslerjoel
> [m]
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Mon Dec 15 21:59:33 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 15 Dec 2008 21:59:33 -0500
Subject: [Emerging-Sigs] MSSQL Experts....
In-Reply-To: <4946D8E0.20808@jonkmans.com>
References: <4946C3E1.10200@jonkmans.com> <4946D8E0.20808@jonkmans.com>
Message-ID: <49471995.2070703@jonkmans.com>

Several sigs and pcaps came in, combining them all and posting this:

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite"; flow:to_server,established; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n"; nocase; classtype:attempted-user; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; sid:2008909; rev:1;)

and

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2"; flow:to_server,established; content:"sp_replwritetovarbin"; nocase; classtype:attempted-user; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; sid:2008910; rev:1;)

More as we get it. Thanks to those that have submitted!

Matt

Matt Jonkman wrote:
> I'm sure they're good rules too, but most of us won't see them for a
> while. Have to fend for ourselves. :)
>
> (which is why we exist I suppose :) )
>
> Matt
>
> Joel Esler wrote:
>> On Dec 15, 2008, at 3:53 PM, Matt Jonkman allegedly wrote:
>>
>>> http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt
>>>
>>> Seems we could have a simple sig for anyone requesting to execute that
>>> stored procedure. I haven't got the knowledge of (nor desire to set up)
>>> an mssql box to test on. Anyone able to try it and send in a pcap, or
>>> outline what that should look like
>>
>> Already done:
>>
>> (From rule release notes:)
>> Microsoft SQL Server Buffer Overflow (CVE-2008-5416):
>> A vulnerability in Microsoft SQL Server may allow a remote attacker to
>> execute code on a vulnerable system. This issue may be exploited via
>> the sp_replwritetovarbin stored procedure.
>>
>> Rules to detect attacks targeting these vulnerabilities are included
>> in this release and are identified with GID 1, SIDs 15127 through 15144.
>>
>> --
>> Joel Esler
>> iChat: eslerjoel
>> [m]
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Tue Dec 16 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 16 Dec 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081216210008.B05DF4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue Dec 16 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008905 - ET TROJAN Trojan.Delf-5496 Checkin Error (emerging-virus.rules)
2008906 - ET TROJAN Trojan.Delf-5496 Egg Request (emerging-virus.rules)
2008907 - ET TROJAN Trojan.Delf-5496 File Manager Access Report (emerging-virus.rules)
2008908 - ET TROJAN Trojan.Delf-5496 New Infection Report (emerging-virus.rules)
2008909 - ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 (emerging.rules)
2008910 - ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 (emerging.rules)
2008911 - ET TROJAN Spyguarder.com Fake AV Install Report (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (13):
2008905 || ET TROJAN Trojan.Delf-5496 Checkin Error
2008906 || ET TROJAN Trojan.Delf-5496 Egg Request
2008907 || ET TROJAN Trojan.Delf-5496 File Manager Access Report
2008908 || ET TROJAN Trojan.Delf-5496 New Infection Report
2008909 || ET CURRENT_EVENTS MSSQL
sp_replwritetovarbin - potential memory overwrite case 1 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008910 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008911 || ET TROJAN Spyguarder.com Fake AV Install Report 2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org 2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org 2500017 || ET COMPROMISED Known Compromised or Hostile Host Traffic (18) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500018 || ET COMPROMISED Known Compromised or Hostile Host Traffic (19) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510017 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (18) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510018 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (19) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (13): 2008905 || ET TROJAN Trojan.Delf-5496 Checkin Error 2008906 || ET TROJAN Trojan.Delf-5496 Egg Request 2008907 || ET TROJAN Trojan.Delf-5496 File Manager Access Report 2008908 || ET TROJAN Trojan.Delf-5496 New Infection Report 2008909 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008910 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008911 || ET TROJAN Spyguarder.com Fake AV Install Report 2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org 2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org 2500017 || ET COMPROMISED Known Compromised or Hostile Host 
Traffic (18) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500018 || ET COMPROMISED Known Compromised or Hostile Host Traffic (19) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510017 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (18) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510018 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (19) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-virus.rules (3):
#victor julien
# Ikarus: Trojan.Delf-5496,
# re 462ee0f70fae7e7f29e546069e43484e

From jonkman at jonkmans.com Wed Dec 17 11:20:29 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 17 Dec 2008 11:20:29 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <17b0fcab0812162330x4195836axbe993945fe79c14a@mail.gmail.com>
References: <17b0fcab0812162330x4195836axbe993945fe79c14a@mail.gmail.com>
Message-ID: <494926CD.8080205@jonkmans.com>

Jamie Riden wrote:
>> I'm wondering if anyone has done some work with snort rules to
>> detection/monitoring on traffic from some specific sources, especially from
>> the TOR network (its exit node)?
>
> Various people compile lists of Tor exit nodes, so my approach would
> be to download the CSV files from the first link and then use perl or
> similar to generate and load a bunch of snort rules.
>
> http://torstatus.kgprog.com/tor_exit_query.php
>
> This is an example of Bleeding Edge Threats doing something similar
> with the Spamhaus DROP list ( http://www.spamhaus.org/drop/ )
>
> http://www.bleedingthreats.net/rules/bleeding-drop.rules

Hi Jamie. Just a reminder, bleedingthreats is dead. Very dead. Nothing
is being updated anymore. Hit emergingthreats.net for updates and new
rules. (Bleeding has been dead for over a year now, the ruleset moved to
emergingthreats.net and has been maintained and updated)

But for running a tor ruleset, we could do that. Would be interesting.
I'll look into some of the sources for IPs and see what's good. Anyone
have a few favorite lists that are reliable?

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed Dec 17 11:48:17 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 17 Dec 2008 11:48:17 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <494926CD.8080205@jonkmans.com>
References: <17b0fcab0812162330x4195836axbe993945fe79c14a@mail.gmail.com> <494926CD.8080205@jonkmans.com>
Message-ID: <49492D51.8040303@jonkmans.com>

How does this look to all:

http://www.emergingthreats.net/rules/emerging-tor.rules
http://www.emergingthreats.net/rules/emerging-tor-BLOCK.rules

http://doc.emergingthreats.net/bin/view/Main/TorRules

Interested to see how often these are used to hit my own networks.

Matt

Matt Jonkman wrote:
> Jamie Riden wrote:
>>> I'm wondering if anyone has done some work with snort rules to
>>> detection/monitoring on traffic from some specific sources, especially from
>>> the TOR network (its exit node)?
>
>> Various people compile lists of Tor exit nodes, so my approach would
>> be to download the CSV files from the first link and then use perl or
>> similar to generate and load a bunch of snort rules.
>>
>> http://torstatus.kgprog.com/tor_exit_query.php
>>
>> This is an example of Bleeding Edge Threats doing something similar
>> with the Spamhaus DROP list ( http://www.spamhaus.org/drop/ )
>>
>> http://www.bleedingthreats.net/rules/bleeding-drop.rules
>
> Hi Jamie. Just a reminder, bleedingthreats is dead. Very dead. Nothing
> is being updated anymore. Hit emergingthreats.net for updates and new
> rules. (Bleeding has been dead for over a year now, the ruleset moved to
> emergingthreats.net and has been maintained and updated)
>
> But for running a tor ruleset, we could do that. Would be interesting.
> I'll look into some of the sources for IPs and see what's good. Anyone
> have a few favorite lists that are reliable?
>
> Matt
>
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From nate+emerging at richmond-family.org Wed Dec 17 12:06:46 2008
From: nate+emerging at richmond-family.org (Nathaniel Richmond)
Date: Wed, 17 Dec 2008 12:06:46 -0500 (EST)
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <20081217165128.712ABA4052@medusa.richmond-family.org>
References: <17b0fcab0812162330x4195836axbe993945fe79c14a@mail.gmail.com> <494926CD.8080205@jonkmans.com> <20081217165128.712ABA4052@medusa.richmond-family.org>
Message-ID: <20081217170646.5D58EA4052@medusa.richmond-family.org>

Matt Jonkman wrote:
> How does this look to all:
>
> http://www.emergingthreats.net/rules/emerging-tor.rules
> http://www.emergingthreats.net/rules/emerging-tor-BLOCK.rules
>
> http://doc.emergingthreats.net/bin/view/Main/TorRules
>
> Interested to see how often these are used to hit my own networks.
>
> Matt

I don't know if it's needed, but David Bianco had a blog post with a
Perl script to find active Tor servers.

http://blog.vorant.com/2008/06/tor-server-lists-revisited.html

Nate

>
> Matt Jonkman wrote:
>> Jamie Riden wrote:
>>>> I'm wondering if anyone has done some work with snort rules to
>>>> detection/monitoring on traffic from some specific sources, especially from
>>>> the TOR network (its exit node)?
>>
>>> Various people compile lists of Tor exit nodes, so my approach would
>>> be to download the CSV files from the first link and then use perl or
>>> similar to generate and load a bunch of snort rules.
>>>
>>> http://torstatus.kgprog.com/tor_exit_query.php
>>>
>>> This is an example of Bleeding Edge Threats doing something similar
>>> with the Spamhaus DROP list ( http://www.spamhaus.org/drop/ )
>>>
>>> http://www.bleedingthreats.net/rules/bleeding-drop.rules
>>
>> Hi Jamie. Just a reminder, bleedingthreats is dead. Very dead. Nothing
>> is being updated anymore. Hit emergingthreats.net for updates and new
>> rules. (Bleeding has been dead for over a year now, the ruleset moved to
>> emergingthreats.net and has been maintained and updated)
>>
>> But for running a tor ruleset, we could do that. Would be interesting.
>> I'll look into some of the sources for IPs and see what's good. Anyone
>> have a few favorite lists that are reliable?
>>
>> Matt
>>
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>

From jonkman at jonkmans.com Wed Dec 17 12:21:03 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 17 Dec 2008 12:21:03 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <20081217170646.5D58EA4052@medusa.richmond-family.org>
References: <17b0fcab0812162330x4195836axbe993945fe79c14a@mail.gmail.com> <494926CD.8080205@jonkmans.com> <20081217165128.712ABA4052@medusa.richmond-family.org> <20081217170646.5D58EA4052@medusa.richmond-family.org>
Message-ID: <494934FF.1050101@jonkmans.com>

That is interesting. I'll add that as a source for the list. Should make
it more accurate.

Matt

Nathaniel Richmond wrote:
> Matt Jonkman wrote:
>> How does this look to all:
>>
>> http://www.emergingthreats.net/rules/emerging-tor.rules
>> http://www.emergingthreats.net/rules/emerging-tor-BLOCK.rules
>>
>> http://doc.emergingthreats.net/bin/view/Main/TorRules
>>
>> Interested to see how often these are used to hit my own networks.
>>
>> Matt
>
> I don't know if it's needed, but David Bianco had a blog post with a
> Perl script to find active Tor servers.
>
> http://blog.vorant.com/2008/06/tor-server-lists-revisited.html
>
> Nate
>
>> Matt Jonkman wrote:
>>> Jamie Riden wrote:
>>>>> I'm wondering if anyone has done some work with snort rules to
>>>>> detection/monitoring on traffic from some specific sources, especially from
>>>>> the TOR network (its exit node)?
>>>> Various people compile lists of Tor exit nodes, so my approach would
>>>> be to download the CSV files from the first link and then use perl or
>>>> similar to generate and load a bunch of snort rules.
>>>>
>>>> http://torstatus.kgprog.com/tor_exit_query.php
>>>>
>>>> This is an example of Bleeding Edge Threats doing something similar
>>>> with the Spamhaus DROP list ( http://www.spamhaus.org/drop/ )
>>>>
>>>> http://www.bleedingthreats.net/rules/bleeding-drop.rules
>>> Hi Jamie. Just a reminder, bleedingthreats is dead. Very dead. Nothing
>>> is being updated anymore. Hit emergingthreats.net for updates and new
>>> rules. (Bleeding has been dead for over a year now, the ruleset moved to
>>> emergingthreats.net and has been maintained and updated)
>>>
>>> But for running a tor ruleset, we could do that. Would be interesting.
>>> I'll look into some of the sources for IPs and see what's good. Anyone
>>> have a few favorite lists that are reliable?
>>>
>>> Matt
>>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jjohnson at jdmc.org Wed Dec 17 13:50:48 2008
From: jjohnson at jdmc.org (John Johnson)
Date: Wed, 17 Dec 2008 12:50:48 -0600
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <20081217170646.5D58EA4052@medusa.richmond-family.org>
References: <17b0fcab0812162330x4195836axbe993945fe79c14a@mail.gmail.com> <494926CD.8080205@jonkmans.com> <20081217165128.712ABA4052@medusa.richmond-family.org> <20081217170646.5D58EA4052@medusa.richmond-family.org>
Message-ID: <49494A08.7040304@jdmc.org>

Nathaniel Richmond wrote:
> I don't know if it's needed, but David Bianco had a blog post with a
> Perl script to find active Tor servers.
>
> http://blog.vorant.com/2008/06/tor-server-lists-revisited.html
>
>

That's good stuff, Nate. I've been wanting something like that for a bit.
Thank you.
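
The approach discussed in this thread (turning a downloaded list of Tor exit-node addresses into grouped Snort rules), as an added example that is not code from the list members or from Emerging Threats. The one-address-per-line feed layout, the `LOCAL` msg prefix, the rule options and the local SID range starting at 1000000 are assumptions; the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample feed: one address per line, as an exit-node list might
# look once the address column has been extracted. Documentation ranges only.
SAMPLE_FEED = """\
# constructed sample, not real Tor exit nodes
203.0.113.9
192.0.2.10
192.0.2.10
198.51.100.7
not-an-address
203.0.113.200
192.0.2.77
2001:db8::1
"""

# Reference URL as it appears in the sid-msg.map entries on this page.
REFERENCE = "url,doc.emergingthreats.net/bin/view/Main/TorRules"


def parse_feed(text, home_nets=()):
    """Return (sorted unique IPv4 addresses, rejected entries with reasons).

    Entries that fall inside one of home_nets are rejected: a bad or
    tampered feed must never produce a rule (or a block) against the
    networks the sensor protects.
    """
    nets = [ipaddress.ip_network(n) for n in home_nets]
    accepted, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            rejected.append((line, "not an IP address"))
            continue
        if addr.version != 4:
            rejected.append((line, "not IPv4"))
        elif any(addr in net for net in nets):
            rejected.append((line, "inside protected network"))
        else:
            accepted.add(addr)                # set() removes duplicates
    return sorted(accepted), rejected


def build_rules(addresses, per_rule=2, first_sid=1000000, rev=1):
    """Group addresses into numbered rules, one SID per group.

    The numbering mirrors the "(1)", "(2)", ... naming of the grouped
    rules listed on this page; the SIDs are local (assumed) values.
    """
    rules = []
    for n, start in enumerate(range(0, len(addresses), per_rule)):
        group = ",".join(str(a) for a in addresses[start:start + per_rule])
        rules.append(
            f"alert ip [{group}] any -> $HOME_NET any "
            f'(msg:"LOCAL TOR Known Tor Exit Node ({n + 1})"; '
            f"reference:{REFERENCE}; "
            "threshold:type limit, track by_src, count 1, seconds 60; "
            f"classtype:policy-violation; sid:{first_sid + n}; rev:{rev};)"
        )
    return rules


if __name__ == "__main__":
    addrs, bad = parse_feed(SAMPLE_FEED, home_nets=["198.51.100.0/24"])
    for rule in build_rules(addrs):
        print(rule)
    for entry, reason in bad:
        print(f"# skipped {entry}: {reason}")
```

Real rule files would use a much larger `per_rule` value; it is set to 2 here only so the grouping is visible on the small sample.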
From emerging at emergingthreats.net Wed Dec 17 16:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 17 Dec 2008 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081217210009.62F694502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Dec 17 16:00:09 2008 [***]

[///] Modified active rules: [///]

2002848 - ET EXPLOIT SIP UDP Softphone INVITE overflow (emerging-exploit.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-attack_response.rules (1): # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-dos.rules (1): # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-exploit.rules (1): # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-game.rules (1): # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-inappropriate.rules (1): # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-malware.rules (1): # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-p2p.rules (1): # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-policy.rules (1): # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-scan.rules (1): # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-sid-msg.map (346):
-> Added to emerging-sid-msg.map.txt (346):
|| ET TOR Known Tor Exit Node (41) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520041 || ET TOR Known Tor Exit Node (42) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520042 || ET TOR Known Tor Exit Node (43) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520043 || ET TOR Known Tor Exit Node (44) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520044 || ET TOR Known Tor Exit Node (45) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520045 || ET TOR Known Tor Exit Node (46) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520046 || ET TOR Known Tor Exit Node (47) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520047 || ET TOR Known Tor Exit Node (48) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520048 || ET TOR Known Tor Exit Node (49) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520049 || ET TOR Known Tor Exit Node (50) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520050 || ET TOR Known Tor Exit Node (51) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520051 || ET TOR Known Tor Exit Node (52) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520052 || ET TOR Known Tor Exit Node (53) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520053 || ET TOR Known Tor Exit Node (54) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520054 || ET TOR Known Tor Exit Node (55) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520055 || ET TOR Known Tor Exit Node (56) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520056 || ET TOR Known Tor Exit Node (57) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520057 || ET TOR Known Tor Exit Node (58) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520058 || ET TOR Known Tor Exit Node (59) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520059 || ET TOR Known Tor Exit Node (60) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520060 || ET TOR Known Tor Exit Node (61) || 
url,doc.emergingthreats.net/bin/view/Main/TorRules 2520061 || ET TOR Known Tor Exit Node (62) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520062 || ET TOR Known Tor Exit Node (63) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520063 || ET TOR Known Tor Exit Node (64) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520064 || ET TOR Known Tor Exit Node (65) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520065 || ET TOR Known Tor Exit Node (66) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520066 || ET TOR Known Tor Exit Node (67) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520067 || ET TOR Known Tor Exit Node (68) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520068 || ET TOR Known Tor Exit Node (69) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520069 || ET TOR Known Tor Exit Node (70) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520070 || ET TOR Known Tor Exit Node (71) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520071 || ET TOR Known Tor Exit Node (72) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520072 || ET TOR Known Tor Exit Node (73) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520073 || ET TOR Known Tor Exit Node (74) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520074 || ET TOR Known Tor Exit Node (75) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520075 || ET TOR Known Tor Exit Node (76) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520076 || ET TOR Known Tor Exit Node (77) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520077 || ET TOR Known Tor Exit Node (78) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520078 || ET TOR Known Tor Exit Node (79) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520079 || ET TOR Known Tor Exit Node (80) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520080 || ET TOR Known Tor Exit Node (81) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520081 
|| ET TOR Known Tor Exit Node (82) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520082 || ET TOR Known Tor Exit Node (83) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520083 || ET TOR Known Tor Exit Node (84) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520084 || ET TOR Known Tor Exit Node (85) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520085 || ET TOR Known Tor Exit Node (86) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520086 || ET TOR Known Tor Exit Node (87) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520087 || ET TOR Known Tor Exit Node (88) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520088 || ET TOR Known Tor Exit Node (89) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520089 || ET TOR Known Tor Exit Node (90) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520090 || ET TOR Known Tor Exit Node (91) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520091 || ET TOR Known Tor Exit Node (92) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520092 || ET TOR Known Tor Exit Node (93) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520093 || ET TOR Known Tor Exit Node (94) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520094 || ET TOR Known Tor Exit Node (95) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520095 || ET TOR Known Tor Exit Node (96) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520096 || ET TOR Known Tor Exit Node (97) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520097 || ET TOR Known Tor Exit Node (98) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520098 || ET TOR Known Tor Exit Node (99) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520099 || ET TOR Known Tor Exit Node (100) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520100 || ET TOR Known Tor Exit Node (101) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520101 || ET TOR Known Tor Exit Node (102) || 
url,doc.emergingthreats.net/bin/view/Main/TorRules 2520102 || ET TOR Known Tor Exit Node (103) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520103 || ET TOR Known Tor Exit Node (104) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520104 || ET TOR Known Tor Exit Node (105) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520105 || ET TOR Known Tor Exit Node (106) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520106 || ET TOR Known Tor Exit Node (107) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520107 || ET TOR Known Tor Exit Node (108) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520108 || ET TOR Known Tor Exit Node (109) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520109 || ET TOR Known Tor Exit Node (110) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520110 || ET TOR Known Tor Exit Node (111) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520111 || ET TOR Known Tor Exit Node (112) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520112 || ET TOR Known Tor Exit Node (113) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520113 || ET TOR Known Tor Exit Node (114) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520114 || ET TOR Known Tor Exit Node (115) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520115 || ET TOR Known Tor Exit Node (116) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520116 || ET TOR Known Tor Exit Node (117) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520117 || ET TOR Known Tor Exit Node (118) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520118 || ET TOR Known Tor Exit Node (119) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520119 || ET TOR Known Tor Exit Node (120) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520120 || ET TOR Known Tor Exit Node (121) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520121 || ET TOR Known Tor Exit Node (122) || 
url,doc.emergingthreats.net/bin/view/Main/TorRules 2520122 || ET TOR Known Tor Exit Node (123) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520123 || ET TOR Known Tor Exit Node (124) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520124 || ET TOR Known Tor Exit Node (125) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520125 || ET TOR Known Tor Exit Node (126) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520126 || ET TOR Known Tor Exit Node (127) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520127 || ET TOR Known Tor Exit Node (128) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520128 || ET TOR Known Tor Exit Node (129) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520129 || ET TOR Known Tor Exit Node (130) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520130 || ET TOR Known Tor Exit Node (131) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520131 || ET TOR Known Tor Exit Node (132) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520132 || ET TOR Known Tor Exit Node (133) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520133 || ET TOR Known Tor Exit Node (134) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520134 || ET TOR Known Tor Exit Node (135) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520135 || ET TOR Known Tor Exit Node (136) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520136 || ET TOR Known Tor Exit Node (137) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520137 || ET TOR Known Tor Exit Node (138) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520138 || ET TOR Known Tor Exit Node (139) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520139 || ET TOR Known Tor Exit Node (140) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520140 || ET TOR Known Tor Exit Node (141) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520141 || ET TOR Known Tor Exit Node (142) || 
url,doc.emergingthreats.net/bin/view/Main/TorRules 2520142 || ET TOR Known Tor Exit Node (143) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520143 || ET TOR Known Tor Exit Node (144) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520144 || ET TOR Known Tor Exit Node (145) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520145 || ET TOR Known Tor Exit Node (146) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520146 || ET TOR Known Tor Exit Node (147) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520147 || ET TOR Known Tor Exit Node (148) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520148 || ET TOR Known Tor Exit Node (149) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520149 || ET TOR Known Tor Exit Node (150) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520150 || ET TOR Known Tor Exit Node (151) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520151 || ET TOR Known Tor Exit Node (152) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520152 || ET TOR Known Tor Exit Node (153) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520153 || ET TOR Known Tor Exit Node (154) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520154 || ET TOR Known Tor Exit Node (155) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520155 || ET TOR Known Tor Exit Node (156) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520156 || ET TOR Known Tor Exit Node (157) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520157 || ET TOR Known Tor Exit Node (158) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520158 || ET TOR Known Tor Exit Node (159) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520159 || ET TOR Known Tor Exit Node (160) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520160 || ET TOR Known Tor Exit Node (161) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520161 || ET TOR Known Tor Exit Node (162) || 
url,doc.emergingthreats.net/bin/view/Main/TorRules 2520162 || ET TOR Known Tor Exit Node (163) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520163 || ET TOR Known Tor Exit Node (164) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520164 || ET TOR Known Tor Exit Node (165) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520165 || ET TOR Known Tor Exit Node (166) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520166 || ET TOR Known Tor Exit Node (167) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520167 || ET TOR Known Tor Exit Node (168) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520168 || ET TOR Known Tor Exit Node (169) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520169 || ET TOR Known Tor Exit Node (170) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520170 || ET TOR Known Tor Exit Node (171) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525000 || ET TOR Known Tor Exit Node - BLOCKING (1) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525001 || ET TOR Known Tor Exit Node - BLOCKING (2) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525002 || ET TOR Known Tor Exit Node - BLOCKING (3) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525003 || ET TOR Known Tor Exit Node - BLOCKING (4) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525004 || ET TOR Known Tor Exit Node - BLOCKING (5) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525005 || ET TOR Known Tor Exit Node - BLOCKING (6) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525006 || ET TOR Known Tor Exit Node - BLOCKING (7) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525007 || ET TOR Known Tor Exit Node - BLOCKING (8) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525008 || ET TOR Known Tor Exit Node - BLOCKING (9) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525009 || ET TOR Known Tor Exit Node - BLOCKING (10) || 
url,doc.emergingthreats.net/bin/view/Main/TorRules 2525010 || ET TOR Known Tor Exit Node - BLOCKING (11) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525011 || ET TOR Known Tor Exit Node - BLOCKING (12) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525012 || ET TOR Known Tor Exit Node - BLOCKING (13) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525013 || ET TOR Known Tor Exit Node - BLOCKING (14) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525014 || ET TOR Known Tor Exit Node - BLOCKING (15) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525015 || ET TOR Known Tor Exit Node - BLOCKING (16) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525016 || ET TOR Known Tor Exit Node - BLOCKING (17) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525017 || ET TOR Known Tor Exit Node - BLOCKING (18) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525018 || ET TOR Known Tor Exit Node - BLOCKING (19) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525019 || ET TOR Known Tor Exit Node - BLOCKING (20) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525020 || ET TOR Known Tor Exit Node - BLOCKING (21) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525021 || ET TOR Known Tor Exit Node - BLOCKING (22) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525022 || ET TOR Known Tor Exit Node - BLOCKING (23) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525023 || ET TOR Known Tor Exit Node - BLOCKING (24) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525024 || ET TOR Known Tor Exit Node - BLOCKING (25) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525025 || ET TOR Known Tor Exit Node - BLOCKING (26) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525026 || ET TOR Known Tor Exit Node - BLOCKING (27) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525027 || ET TOR Known Tor Exit Node - BLOCKING (28) || url,doc.emergingthreats.net/bin/view/Main/TorRules 
2525028 || ET TOR Known Tor Exit Node - BLOCKING (29) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525029 || ET TOR Known Tor Exit Node - BLOCKING (30) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525030 || ET TOR Known Tor Exit Node - BLOCKING (31) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525031 || ET TOR Known Tor Exit Node - BLOCKING (32) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525032 || ET TOR Known Tor Exit Node - BLOCKING (33) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525033 || ET TOR Known Tor Exit Node - BLOCKING (34) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525034 || ET TOR Known Tor Exit Node - BLOCKING (35) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525035 || ET TOR Known Tor Exit Node - BLOCKING (36) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525036 || ET TOR Known Tor Exit Node - BLOCKING (37) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525037 || ET TOR Known Tor Exit Node - BLOCKING (38) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525038 || ET TOR Known Tor Exit Node - BLOCKING (39) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525039 || ET TOR Known Tor Exit Node - BLOCKING (40) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525040 || ET TOR Known Tor Exit Node - BLOCKING (41) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525041 || ET TOR Known Tor Exit Node - BLOCKING (42) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525042 || ET TOR Known Tor Exit Node - BLOCKING (43) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525043 || ET TOR Known Tor Exit Node - BLOCKING (44) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525044 || ET TOR Known Tor Exit Node - BLOCKING (45) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525045 || ET TOR Known Tor Exit Node - BLOCKING (46) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525046 || ET TOR Known Tor Exit Node - BLOCKING (47) 
|| url,doc.emergingthreats.net/bin/view/Main/TorRules 2525047 || ET TOR Known Tor Exit Node - BLOCKING (48) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525048 || ET TOR Known Tor Exit Node - BLOCKING (49) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525049 || ET TOR Known Tor Exit Node - BLOCKING (50) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525050 || ET TOR Known Tor Exit Node - BLOCKING (51) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525051 || ET TOR Known Tor Exit Node - BLOCKING (52) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525052 || ET TOR Known Tor Exit Node - BLOCKING (53) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525053 || ET TOR Known Tor Exit Node - BLOCKING (54) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525054 || ET TOR Known Tor Exit Node - BLOCKING (55) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525055 || ET TOR Known Tor Exit Node - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525056 || ET TOR Known Tor Exit Node - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525057 || ET TOR Known Tor Exit Node - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525058 || ET TOR Known Tor Exit Node - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525059 || ET TOR Known Tor Exit Node - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525060 || ET TOR Known Tor Exit Node - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525061 || ET TOR Known Tor Exit Node - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525062 || ET TOR Known Tor Exit Node - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525063 || ET TOR Known Tor Exit Node - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525064 || ET TOR Known Tor Exit Node - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/TorRules 
2525065 || ET TOR Known Tor Exit Node - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525066 || ET TOR Known Tor Exit Node - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525067 || ET TOR Known Tor Exit Node - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525068 || ET TOR Known Tor Exit Node - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525069 || ET TOR Known Tor Exit Node - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525070 || ET TOR Known Tor Exit Node - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525071 || ET TOR Known Tor Exit Node - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525072 || ET TOR Known Tor Exit Node - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525073 || ET TOR Known Tor Exit Node - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525074 || ET TOR Known Tor Exit Node - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525075 || ET TOR Known Tor Exit Node - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525076 || ET TOR Known Tor Exit Node - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525077 || ET TOR Known Tor Exit Node - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525078 || ET TOR Known Tor Exit Node - BLOCKING (79) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525079 || ET TOR Known Tor Exit Node - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525080 || ET TOR Known Tor Exit Node - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525081 || ET TOR Known Tor Exit Node - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525082 || ET TOR Known Tor Exit Node - BLOCKING (83) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525083 || ET TOR Known Tor Exit Node - BLOCKING (84) 
|| url,doc.emergingthreats.net/bin/view/Main/TorRules 2525084 || ET TOR Known Tor Exit Node - BLOCKING (85) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525085 || ET TOR Known Tor Exit Node - BLOCKING (86) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525086 || ET TOR Known Tor Exit Node - BLOCKING (87) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525087 || ET TOR Known Tor Exit Node - BLOCKING (88) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525088 || ET TOR Known Tor Exit Node - BLOCKING (89) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525089 || ET TOR Known Tor Exit Node - BLOCKING (90) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525090 || ET TOR Known Tor Exit Node - BLOCKING (91) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525091 || ET TOR Known Tor Exit Node - BLOCKING (92) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525092 || ET TOR Known Tor Exit Node - BLOCKING (93) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525093 || ET TOR Known Tor Exit Node - BLOCKING (94) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525094 || ET TOR Known Tor Exit Node - BLOCKING (95) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525095 || ET TOR Known Tor Exit Node - BLOCKING (96) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525096 || ET TOR Known Tor Exit Node - BLOCKING (97) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525097 || ET TOR Known Tor Exit Node - BLOCKING (98) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525098 || ET TOR Known Tor Exit Node - BLOCKING (99) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525099 || ET TOR Known Tor Exit Node - BLOCKING (100) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525100 || ET TOR Known Tor Exit Node - BLOCKING (101) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525101 || ET TOR Known Tor Exit Node - BLOCKING (102) || 
url,doc.emergingthreats.net/bin/view/Main/TorRules 2525102 || ET TOR Known Tor Exit Node - BLOCKING (103) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525103 || ET TOR Known Tor Exit Node - BLOCKING (104) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525104 || ET TOR Known Tor Exit Node - BLOCKING (105) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525105 || ET TOR Known Tor Exit Node - BLOCKING (106) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525106 || ET TOR Known Tor Exit Node - BLOCKING (107) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525107 || ET TOR Known Tor Exit Node - BLOCKING (108) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525108 || ET TOR Known Tor Exit Node - BLOCKING (109) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525109 || ET TOR Known Tor Exit Node - BLOCKING (110) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525110 || ET TOR Known Tor Exit Node - BLOCKING (111) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525111 || ET TOR Known Tor Exit Node - BLOCKING (112) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525112 || ET TOR Known Tor Exit Node - BLOCKING (113) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525113 || ET TOR Known Tor Exit Node - BLOCKING (114) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525114 || ET TOR Known Tor Exit Node - BLOCKING (115) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525115 || ET TOR Known Tor Exit Node - BLOCKING (116) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525116 || ET TOR Known Tor Exit Node - BLOCKING (117) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525117 || ET TOR Known Tor Exit Node - BLOCKING (118) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525118 || ET TOR Known Tor Exit Node - BLOCKING (119) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2525119 || ET TOR Known Tor Exit Node - BLOCKING (120) || 
url,doc.emergingthreats.net/bin/view/Main/TorRules
     -> Added to emerging-virus.rules (1):
        # Copyright (c) 2003-2009, Emerging Threats
     -> Added to emerging-voip.rules (1):
        # Copyright (c) 2003-2009, Emerging Threats
     -> Added to emerging-web.rules (1):
        # Copyright (c) 2003-2009, Emerging Threats
     -> Added to emerging-web_sql_injection.rules (1):
        # Copyright (c) 2003-2009, Emerging Threats
     -> Added to emerging.conf (1):
        # Copyright (c) 2003-2009, Emerging Threats
     -> Added to emerging.rules (1):
        # Copyright (c) 2003-2009, Emerging Threats

[---] Removed non-rule lines: [---]

     -> Removed from emerging-attack_response.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging-dos.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging-exploit.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging-game.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging-inappropriate.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging-malware.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging-p2p.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging-policy.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging-scan.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging-sid-msg.map (2):
        2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
        2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
     -> Removed from emerging-sid-msg.map.txt (2):
        2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
        2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
     -> Removed from emerging-virus.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging-voip.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging-web.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging-web_sql_injection.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging.conf (1):
        # Copyright (c) 2003-2008, Emerging Threats
     -> Removed from emerging.rules (1):
        # Copyright (c) 2003-2008, Emerging Threats

[+] Added files
(consider updating your snort.conf to include them if needed): [+]

     -> emerging-tor-BLOCK.rules
     -> emerging-tor.rules

From frank at knobbe.us Wed Dec 17 18:07:16 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 17 Dec 2008 17:07:16 -0600
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <20081217170646.5D58EA4052@medusa.richmond-family.org>
References: <17b0fcab0812162330x4195836axbe993945fe79c14a@mail.gmail.com> <494926CD.8080205@jonkmans.com> <20081217165128.712ABA4052@medusa.richmond-family.org> <20081217170646.5D58EA4052@medusa.richmond-family.org>
Message-ID: <1229555236.22227.25.camel@localhost>

On Wed, 2008-12-17 at 12:06 -0500, Nathaniel Richmond wrote:
> I don't know if it's needed, but David Bianco had a blog post with a
> Perl script to find active Tor servers.
>
> http://blog.vorant.com/2008/06/tor-server-lists-revisited.html

Has anyone measured how frequently IP's change that are fingered as exit nodes? It seems like a lot of dynamic IP's are involved. I'm not sure how useful that is for signatures. Plus yet another huge IP rules list may impact performance. I think it would make more sense to run the rules that identify TOR traffic by content.

That said, I'd be interested to hear from folks who run both on how accurate the TOR content sigs are. Please let us know if you come across TOR hits that fire only on the IP sigs and not the content.

Cheers,
Frank

From dxp2532 at gmail.com Thu Dec 18 11:08:16 2008
From: dxp2532 at gmail.com (dxp)
Date: Thu, 18 Dec 2008 11:08:16 -0500
Subject: [Emerging-Sigs] Possible FP on 2008576
In-Reply-To:
References:
Message-ID: <1229616496.20053.24.camel@kinta>

I have not checked the actual data as returned from that URL but from the payload attached below it appears to be a False Positive. It does contain "MZ" and "PE\0\0" strings close to each other however the offset to "PE" magic which resides 0x3C bytes from "MZ" magic does not hold the correct value. Perhaps this is some modified executable within another container. That payload will not execute though.

280 : 56 8B 3D F8 F0 41 00 FF D7 66 81 38 4D 5A 75 1F V.=..A...f.8MZu.
290 : 8B 48 3C 03 C8 81 39 50 45 00 00 75 12 0F B7 41 .H<...9PE..u...A
2a0 : 18 3D 0B 01 00 00 74 1F 3D 0B 02 00 00 74 05 89 .=....t.=....t..
2b0 : 75 E4 EB 27 83 B9 84 00 00 00 0E 76 F2 33 C0 39 u..'.......v.3.9
2c0 : B1 F8 00 00 00 EB 0E 83 79 74 0E 76 E2 33 C0 39 ........yt.v.3.9

- -=[ dxp ]=-
0xA3F3C6E3

On Thu, 2008-12-11 at 09:27 -0500, Weir, Jason wrote:
> I got an alert this morning on 2008576
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
> TinyPE Binary - Possibly Hostile"; flow:from_server,established;
> content:"MZ"; content:"PE|00 00|"; within:20;
> reference:url,www.phreedom.org/solar/code/tinype/;
> reference:url,bits.packetninjas.org/eblog/?p=316;
> classtype:trojan-activity; sid:2008576; rev:2;)
>
> From my FW logs that server was accessing a java update
>
> x.x.x.x Accessed URL
> 208.111.128.7:/s/ESD5/JSCDL/jre/6u11-b90/jre-6u11-windows-i586-p-iftw.ex
> e?e=1229002062013&h=cd6fb6efca85944cf77a90e72484b858/&filename=jre-6u11-
> windows-i586-p-iftw.exe
>
> Is this a FP or does the java update contain TinyPE Binary data,
> tripping the rule?
>
> I put the payload below
>
> -Jason
>
>
> length = 1380
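
Added example (not part of the original thread and not Emerging Threats code): the header check dxp describes, in Python, run over the five excerpt lines from his message. rule_hits() is a simplified emulation of the two content matches in sid 2008576; the function names, verdict strings and the constructed header buffers are assumptions made for illustration.

```python
import struct

PE_SIG = b"PE\x00\x00"
WITHIN = 20       # sid 2008576: content:"MZ"; content:"PE|00 00|"; within:20;
E_LFANEW = 0x3C   # DOS-header field that holds the offset of the PE signature

VALID = "header chain valid"
COINCIDENCE = "MZ/PE coincidence (likely false positive)"
TRUNCATED = "undetermined: e_lfanew not in captured bytes"

# Payload bytes 0x280-0x2cf, copied from the excerpt in dxp's message.
# Reading them as x86 (editor's observation): 66 81 38 4D 5A is
# cmp word ptr [eax],5A4Dh and 81 39 50 45 00 00 is cmp dword ptr [ecx],4550h,
# so both "strings" are immediates inside code that tests an image header.
EXCERPT = bytes.fromhex(
    "56 8B 3D F8 F0 41 00 FF D7 66 81 38 4D 5A 75 1F"
    "8B 48 3C 03 C8 81 39 50 45 00 00 75 12 0F B7 41"
    "18 3D 0B 01 00 00 74 1F 3D 0B 02 00 00 74 05 89"
    "75 E4 EB 27 83 B9 84 00 00 00 0E 76 F2 33 C0 39"
    "B1 F8 00 00 00 EB 0E 83 79 74 0E 76 E2 33 C0 39"
)


def rule_hits(buf):
    """Offsets of each "MZ" followed by PE\\0\\0 inside the next WITHIN bytes."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        start = pos + 2  # within: is counted from the end of the previous match
        if PE_SIG in buf[start:start + WITHIN]:
            hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def read_e_lfanew(buf, mz_off):
    """Little-endian dword at MZ+0x3C, or None if the capture ends before it."""
    field = mz_off + E_LFANEW
    if field + 4 > len(buf):
        return None
    return struct.unpack_from("<I", buf, field)[0]


def is_pe_header(buf, mz_off):
    """True only if the e_lfanew field of this MZ points at a PE signature."""
    off = read_e_lfanew(buf, mz_off)
    if off is None:
        return False
    sig = mz_off + off
    return buf[sig:sig + 4] == PE_SIG


def triage(buf):
    """One (mz_offset, e_lfanew, verdict) tuple per rule hit."""
    out = []
    for mz in rule_hits(buf):
        off = read_e_lfanew(buf, mz)
        if off is None:
            verdict = TRUNCATED
        elif is_pe_header(buf, mz):
            verdict = VALID
        else:
            verdict = COINCIDENCE
        out.append((mz, off, verdict))
    return out


def constructed_header(pe_off, size=0x100):
    """Constructed sample: zero-filled buffer holding only MZ, e_lfanew, PE."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW, pe_off)
    buf[pe_off:pe_off + 4] = PE_SIG
    return bytes(buf)


if __name__ == "__main__":
    for mz, off, verdict in triage(EXCERPT):
        shown = "n/a" if off is None else hex(off)
        print(f"payload+{0x280 + mz:#x}: e_lfanew={shown} -> {verdict}")
    # Overlapped layout (PE signature 4 bytes after MZ): rule fires, chain valid.
    print(triage(constructed_header(4)))
    # Conventional layout (PE signature at 0x80): outside the 20-byte window.
    print(rule_hits(constructed_header(0x80)))
```
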

From jonkman at jonkmans.com Thu Dec 18 13:17:33 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 18 Dec 2008 13:17:33 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <1229555236.22227.25.camel@localhost>
References: <17b0fcab0812162330x4195836axbe993945fe79c14a@mail.gmail.com> <494926CD.8080205@jonkmans.com> <20081217165128.712ABA4052@medusa.richmond-family.org> <20081217170646.5D58EA4052@medusa.richmond-family.org> <1229555236.22227.25.camel@localhost>
Message-ID: <494A93BD.80206@jonkmans.com>

Frank Knobbe wrote:
> Has anyone measured how frequently IP's change that are fingered as exit
> nodes? It seems like a lot of dynamic IP's are involved. I'm not sure
> how useful that is for signatures. Plus yet another huge IP rules list
> may impact performance. I think it would make more sense to run the
> rules that identify TOR traffic by content.

I think you're misunderstanding the intent here. The idea is to find out if there is inbound traffic to you that has been anonymized via Tor. That's important in some places. Online banking for example. Someone making lots of logins via Tor is surely up to no good.

There'd be no other indication of the Tor-ized source here.

Exit nodes appear to remain relatively stable, low percentage of change. Many are permanent.

Running those rules for 24 hours now I'm fascinated to see how much tor traffic there is coming to me, and even more so to see that the vast majority (98%+) are automated sql injection attempts. Morfeus scanner stuff, etc. The rules are proving to be of use to me.

Matt

>
> That said, I'd be interested to hear from folks who run both on how
> accurate the TOR content sigs are. Please let us know if you come across
> TOR hits that fire only on the IP sigs and not the content.
>

Again, there won't be. Not the same traffic.

Matt

> Cheers,
> Frank

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From eslerj at gmail.com Thu Dec 18 14:16:31 2008
From: eslerj at gmail.com (Joel Esler)
Date: Thu, 18 Dec 2008 14:16:31 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <494A93BD.80206@jonkmans.com>
References: <17b0fcab0812162330x4195836axbe993945fe79c14a@mail.gmail.com> <494926CD.8080205@jonkmans.com> <20081217165128.712ABA4052@medusa.richmond-family.org> <20081217170646.5D58EA4052@medusa.richmond-family.org> <1229555236.22227.25.camel@localhost> <494A93BD.80206@jonkmans.com>
Message-ID: <8F202DF4-82F0-48A8-8FEC-8386F14A22A7@gmail.com>

On Dec 18, 2008, at 1:17 PM, Matt Jonkman allegedly wrote:

>
> Frank Knobbe wrote:
>> Has anyone measured how frequently IP's change that are fingered as exit
>> nodes? It seems like a lot of dynamic IP's are involved. I'm not sure
>> how useful that is for signatures. Plus yet another huge IP rules list
>> may impact performance.
>> I think it would make more sense to run the
>> rules that identify TOR traffic by content.
>
> I think you're misunderstanding the intent here. The idea is to find out
> if there is inbound traffic to you that has been anonymized via Tor.
> That's important in some places. Online banking for example. Someone
> making lots of logins via Tor is surely up to no good.

Somehow Snort-sigs got stripped out of here at some point... Some people don't read both, and since the message was sent to both, I don't know why it was stripped. There is value in both. Anyway...

I disagree. Couple points:

1) From an IDS perspective when the IDS sees a Tor exit node, assuming the signatures work, that's exactly what the IDS will see, a Tor exit node. A Bank is going to see encrypted traffic when it hits their networks, a-la logins and such. There is no way of knowing what user is attempting to log in, as it will be encrypted in the onion network, and it will be encrypted when it exits and hits the bank's login devices. You won't know if the user is "surely up to no good". You won't know the difference between an illegitimate user of TOR (is there such a thing?), or a paranoid banking customer. I see no value-- using your point specifically, this type of thing would be more appropriate to handle at the login/server level to watch for brute forcing.

2) The only way to track that type of activity (brute force logins), external to logs on the system, is with some kind of rate based system. Snort is not a rate based system, no matter how much some people try to make it one. Try to go to any large bank and write a threshold rule for port 443. Good Luck! In our Sourcefire product line, RNA is the rate tool. It's one of its purposes.

I'm not saying there isn't any value in the TOR rules. But if we step back for a minute, what does it give you? Really?

Someone banging on my door.
Now I know they are coming from TOR, so I have absolutely no way of seeing who they really are, on the other hand, can you trust any alert that crosses your system to actually be valuable to see who they REALLY are? The answer is no. You can't trust any source IP. You can't even trust your own these days.

But the VALUE? I can see someone banging on my door (using your examples) using sql injection and the like. This happens all day, everyday. It's like port scanning, it's going to happen. You know it's happening, so what? Are you properly defending against someone "banging away?" What is the placement of your Snort sensor? Outside the firewall, so you can use up resources and time, and see someone banging? At what value? Inside the firewall? Okay, now we are focused on only what's getting in and out from the outside/inside. Now I have value.

I'd be more interested in some TOR rules that alerted me to the presence of people using TOR on *my* network. Not coming *to* my network using TOR. I just don't see the value.

...and IMO, IP sigs have 0 value. Too easy to change, and you'll NEVER get them all, as Frank was alluding to.

--
Joel Esler
http://www.joelesler.net
[m]

From jonkman at jonkmans.com Thu Dec 18 14:41:17 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 18 Dec 2008 14:41:17 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <8F202DF4-82F0-48A8-8FEC-8386F14A22A7@gmail.com>
References: <17b0fcab0812162330x4195836axbe993945fe79c14a@mail.gmail.com> <494926CD.8080205@jonkmans.com> <20081217165128.712ABA4052@medusa.richmond-family.org> <20081217170646.5D58EA4052@medusa.richmond-family.org> <1229555236.22227.25.camel@localhost> <494A93BD.80206@jonkmans.com> <8F202DF4-82F0-48A8-8FEC-8386F14A22A7@gmail.com>
Message-ID: <494AA75D.9030902@jonkmans.com>

Joel Esler wrote:
> I disagree.
> Couple points:
>
> 1) From an IDS perspective when the IDS sees a Tor exit node,
> assuming the signatures work, that's exactly what the IDS will see, a
> Tor exit node. A Bank is going to see encrypted traffic when it hits
> their networks, a-la logins and such. There is no way of knowing what
> user is attempting to log in, as it will be encrypted in the onion
> network, and it will be encrypted when it exits and hits the bank's
> login devices. You won't know if the user is "surely up to no good".
> You won't know the difference between an illegitimate user of TOR (is
> there such a thing?), or a paranoid banking customer. I see no value--
> using your point specifically, this type of thing would be more
> appropriate to handle at the login/server level to watch for brute
> forcing.

Taking one example and calling the entire concept less useful isn't the best way to go at this. There are a lot of places where just the fact that someone has chosen to anonymize their source makes them extremely suspicious. A few more off the top of my head:

Your Company HTTP based Intranet VPN
Online Wiki's taking updated content
Places that GEOIP the source for copyright issues (online tv streaming, crypto software downloads, etc)
Any HR system, why would an employee tor themselves when looking at benefits?

Etc, etc. There are many places this is useful to know. I'm sure others here have more examples.

Back to the bank example, there is the possibility to track this. Many banks have a cleartext login page for example, or they have ssl proxies/accelerators so there is the opportunity to catch logins from tor nodes.

I agree with you that this isn't useful for everyone, but "not everyone" != no one.

>
> 2) The only way to track that type of activity (brute force logins),
> external to logs on the system, is with some kind of rate based
> system. Snort is not a rate based system, no matter how much some
> people try to make it one.
> Try to go to any large bank and write a
> threshold rule for port 443. Good Luck! In our Sourcefire product
> line, RNA is the rate tool. It's one of its purposes.
>

Agreed, snort sucks at that. We will build something that is better at rate and reputation based stuff in the new OISF stuff being built (http://ww.openinfosecfoundation.org)

> I'm not saying there isn't any value in the TOR rules. But if we step
> back for a minute, what does it give you? Really?
>
> Someone banging on my door.
> Now I know they are coming from TOR, so I have absolutely no way of
> seeing who they really are, on the other hand, can you trust any alert
> that crosses your system to actually be valuable to see who they
> REALLY are? The answer is no. You can't trust any source IP. You
> can't even trust your own these days.

The interesting thing is that they chose to use Tor. Not what the IP is, but what they're doing. Choosing to use Tor is done for a reason. People don't just do it for fun. You have serious latency and are blocked at a lot of places. So choosing to use it when someone talks to me tells me something important. They REALLY don't want me to know who they are, so there is a reasonable chance they are going to do something I may not like.

>
> But the VALUE? I can see someone banging on my door (using your
> examples) using sql injection and the like. This happens all day,
> everyday. It's like port scanning, it's going to happen. You know
> it's happening, so what? Are you properly defending against someone
> "banging away?" What is the placement of your Snort sensor? Outside
> the firewall, so you can use up resources and time, and see someone
> banging? At what value? Inside the firewall? Okay, now we are
> focused on only what's getting in and out from the outside/inside.
> Now I have value.

Inside or out, this gives me another factor to tell the hostility of the someone I'm talking to.
I am not among the camp that says if I don't *think* I'm vulnerable to an attack then I should just let it happen. We see thousands of sql injections and the like every day and block the first hits. When we don't block the first hits we get 100 more from the same IP probing for each app they're looking to find. If we block on the first (in the very reliable sigs) then they don't get to keep looking (and maybe find something I'm not aware of)

I am a member of the Church of Block 'em All. (services every friday at 5pm. email me for a list of parishes :))

If you attack me, whether I'm vulnerable or not, I know your intent. I don't want to have any further communication with you. In many nets (not all) this is a stance you can take. There's no sense in letting a bad guy keep beating on the front door until they find the spot where it is vulnerable (that maybe you're not aware of). If they show hostility block em. Make sure of the hostility, but block em all the same.

There's a whole new thread for discussion though, but we believe in snort_inline and snortsam in the Church of Block 'em All. :)

>
> I'd be more interested in some TOR rules that alerted me to the
> presence of people using TOR on *my* network. Not coming *to* my
> network using TOR. I just don't see the value.

We do have those sigs. The tor updates and sign ins are very easy to grab. The sigs are very reliable that we have.

>
> ...and IMO, IP sigs have 0 value. Too easy to change, and you'll
> NEVER get them all, as Frank was alluding to.

0 value is a very absolute statement. I think we do have all or nearly all of the tor nodes as they have to be registered and the lists update live. But either way, let's pessimistically say we had 80% of them: since we don't have 100% we should ignore that 80% we can detect? That doesn't make sense.

The RBN sigs, compromised hosts, Spamhaus DROP, and all the other IP lists we run are hugely effective, and among the most downloaded.

Matt

>
> --
> Joel Esler
> http://www.joelesler.net
> [m]

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From frank at knobbe.us Thu Dec 18 14:44:32 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 18 Dec 2008 13:44:32 -0600
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <494A93BD.80206@jonkmans.com>
References: <17b0fcab0812162330x4195836axbe993945fe79c14a@mail.gmail.com> <494926CD.8080205@jonkmans.com> <20081217165128.712ABA4052@medusa.richmond-family.org> <20081217170646.5D58EA4052@medusa.richmond-family.org> <1229555236.22227.25.camel@localhost> <494A93BD.80206@jonkmans.com>
Message-ID: <1229629472.63619.11.camel@localhost>

On Thu, 2008-12-18 at 13:17 -0500, Matt Jonkman wrote:
> I think you're misunderstanding the intent here. The idea is to find out
> if there is inbound traffic to you that has been anonymized via Tor.
> That's important in some places. Online banking for example. Someone
> making lots of logins via Tor is surely up to no good.
>
> There'd be no other indication of the Tor-ized source here.
>
> Exit nodes appear to remain relatively stable, low percentage of change.
> Many are permanent.
>
> Running those rules for 24 hours now I'm fascinated to see how much tor
> traffic there is coming to me, and even moreso to see that the vast
> majority (98%+) are automated sql injection attempts. Morfeus scanner
> stuff, etc. The rules are proving to be of use to me.

But you're seeing that stuff anyway, with SQL/Morfeus sigs.

For a while I thought TOR was evil... until I used it myself :) I think it's a tool that provides (some) anonymity.
I would be a bad security consultant if I'd proclaim that privacy tools are bad. Sure, they make our life harder to detect malicious activity, but I wouldn't recommend against them or paint them as evil.

As far as banks are concerned, lock the account on multiple failed logins -- period. No need to make it complicated by blocking the IPs, especially if you have multiple web sites, possibly in multiple data centers. (Per server sensing of distributed/TOR'es attacks). When protecting accounts, be account-focused, not attack-focused.

And, if you really want to deny TOR traffic outright, block it on your firewall. :)

I think the rules are interesting from a research perspective (how much evil is coming through TOR), but I can't see any production use value in them.

(I'm saying this because there are probably a lot of people running all rules without actually thinking about them. As such, these discussions about value/purpose/result of rules are great, to get people thinking about intent and if/how they deploy certain rules...)

Anyway, yeah, I misunderstood the purpose of the rules. I thought it was some outbound monitor instead of detecting incoming sessions. With that, feel free to monitor incoming TOR traffic... I'm just not sure how useful it is :)

Cheers,
Frank

From frank at knobbe.us Thu Dec 18 14:48:15 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 18 Dec 2008 13:48:15 -0600
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <494AA75D.9030902@jonkmans.com>
References: <17b0fcab0812162330x4195836axbe993945fe79c14a@mail.gmail.com> <494926CD.8080205@jonkmans.com> <20081217165128.712ABA4052@medusa.richmond-family.org> <20081217170646.5D58EA4052@medusa.richmond-family.org> <1229555236.22227.25.camel@localhost> <494A93BD.80206@jonkmans.com> <8F202DF4-82F0-48A8-8FEC-8386F14A22A7@gmail.com> <494AA75D.9030902@jonkmans.com>
Message-ID: <1229629695.63619.16.camel@localhost>

On Thu, 2008-12-18 at 14:41 -0500, Matt Jonkman wrote:
> Your Company HTTP based Intranet VPN
> Online Wiki's taking updated content
> Places that GEOIP the source for copyright issues (online tv streaming,
> crypto software downloads, etc)
> Any HR system, why would an employee tor themselves when looking at
> benefits?
>
> Etc, etc. There are many places this is useful to know. I'm sure others
> here have more examples.

Okay, then apply the same logic to Web|Socks-proxy rules there. No one should be accessing GEOIP restricted places through a proxy. Same for your VPN. etc

> I am a member of the Church of Block 'em All. (services every friday at
> 5pm. email me for a list of parishes :))

Heh... then again, why not block TOR exit nodes outright on the firewall? Saves you so much alert fluff in the IDS ;)

Cheers,
Frank
From jonkman at jonkmans.com Thu Dec 18 14:50:14 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 18 Dec 2008 14:50:14 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <1229629472.63619.11.camel@localhost>
Message-ID: <494AA976.80501@jonkmans.com>

Frank Knobbe wrote:
>> Running those rules for 24 hours now I'm fascinated to see how much tor traffic there is coming to me, and even moreso to see that the vast majority (98%+) are automated sql injection attempts. Morfeus scanner stuff, etc. The rules are proving to be of use to me.
>
> But you're seeing that stuff anyway, with SQL/Morfeus sigs.

The obvious ones, ya. Nothing will catch 100% of sql injections, rfi's, etc. Getting more info about intent is important.

> For a while I thought TOR was evil... until I used it myself :) I think it's a tool that provides (some) anonymity. I would be a bad security consultant if I'd proclaim that privacy tools are bad. Sure, they make our life harder to detect malicious activity, but I wouldn't recommend against them or paint them as evil.

I don't intend to paint tor as bad. I use it quite a lot too. Mostly when I pen test. :) I don't personally have much need for it when I'm not trying to hide, and I hide when I'm doing bad things. Not everyone does though. But definitely, Tor is a great thing. It lets a lot of people evade censorship among other things.
It's a good tool.

> As far as banks are concerned, lock the account on multiple failed logins -- period. No need to make it complicated by blocking the IPs, especially if you have multiple web sites, possibly in multiple data centers. (Per server sensing of distributed/TOR'es attacks). When protecting accounts, be account-focused, not attack-focused.

Agreed there, unless you're looking at horizontal login attempts. 2 tries on 500 accounts. But you're right, there are better ways to detect this, just an example.

> And, if you really want to deny TOR traffic outright, block it on your firewall. :)

How would you identify this then? Those tor based sql injections hitting me, how would I block that on the firewall? Use the list of tor exit nodes? I don't want to block it all. Some is legit. But I want to be able to make that correlation myself.

> I think the rules are interesting from a research perspective (how much evil is coming through TOR), but I can't see any production use value in them.

I think there are some production nets that these are very useful. Many they'd just be noise they can't act upon. All depends where you are, ya.

> (I'm saying this because there are probably a lot of people running all rules without actually thinking about them. As such, these discussions about value/purpose/result of rules are great, to get people thinking about intent and if/how they deploy certain rules...)

Agreed!!
Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From frank at knobbe.us Thu Dec 18 14:55:46 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 18 Dec 2008 13:55:46 -0600
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <494AA976.80501@jonkmans.com>
Message-ID: <1229630146.63619.19.camel@localhost>

On Thu, 2008-12-18 at 14:50 -0500, Matt Jonkman wrote:
> > But you're seeing that stuff anyway, with SQL/Morfeus sigs.
>
> The obvious ones, ya. Nothing will catch 100% of sql injections, rfi's, etc. Getting more info about intent is important.

So are you reviewing all other TOR rules and making new sigs then?

> > And, if you really want to deny TOR traffic outright, block it on your firewall. :)
>
> How would you identify this then?

Run the previously mentioned Perl script, make list of TOR exit nodes, load that list into your firewall BLOCK section? ;)

Cheers,
Frank
From jonkman at jonkmans.com Thu Dec 18 14:58:07 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 18 Dec 2008 14:58:07 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <1229629695.63619.16.camel@localhost>
Message-ID: <494AAB4F.2010503@jonkmans.com>

Frank Knobbe wrote:
> Okay, then apply the same logic to Web|Socks-proxy rules there. No one should be accessing GEOIP restricted places through a proxy. Same for your VPN. etc

Absolutely, although the inbound traffic TO you wouldn't trip those sigs. But the idea is valid, ya. Use all the things we know to help make a decision.

BTW this is a huge feature of the new stuff we're building at OISF. Being able to use several factors to make a decision. Spamassassin is the best analogy to what we will do there. Be able to add scores to hits.

So for example if someone comes at me from a tor exit node they get a half a point, if they start probing for url's that don't exist (404's) they get another few tenths of a point. The more suspicious things they do the more points they get until they cross a threshold and get blocked. So properly configured we could detect someone probing for pages to attack before they got to the sql injection.

That example may be a bit weak (trying to stay on the sql injection theme).
It's more applicable to port sweeping, application probing, banner grabbing, etc.

>> I am a member of the Church of Block 'em All. (services every friday at 5pm. email me for a list of parishes :))
>
> Heh... then again, why not blocking TOR exit nodes outright on the firewall? Saves you so much alert fluff in the IDS ;)

Because I'm not yet sure that everything coming at me from tor is bad. And I doubt that I'll be able to say everything from there is bad. But it tells me something about what's coming at me and helps me make a block decision.

More information is usually better IMHO.

Matt

From jonkman at jonkmans.com Thu Dec 18 15:02:07 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 18 Dec 2008 15:02:07 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <1229630146.63619.19.camel@localhost>
Message-ID: <494AAC3F.4040401@jonkmans.com>

Frank Knobbe wrote:
> So are you reviewing all other TOR rules and making new sigs then?

Could, but I don't see why.
The ones we have are accurate, but they look for the client-node and node-node traffic. As far as I know they're still accurate. But that's not what we're seeing here. Do we need to look at them again?

>>> And, if you really want to deny TOR traffic outright, block it on your firewall. :)
>
>> How would you identify this then?
>
> Run the previously mentioned Perl script, make list of TOR exit nodes, load that list into your firewall BLOCK section? ;)

See other email. Don't want to block them all, I want to know what they do for now.

Matt

From eslerj at gmail.com Thu Dec 18 15:00:53 2008
From: eslerj at gmail.com (Joel Esler)
Date: Thu, 18 Dec 2008 15:00:53 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <494AA75D.9030902@jonkmans.com>
Message-ID:

On Dec 18, 2008, at 2:41 PM, Matt Jonkman allegedly wrote:
>> Taking one example and calling the entire concept less useful isn't the
> best way to go at this.

At what? We are having a discussion.

> There are a lot of places where just the fact that someone has chosen to anonymize their source makes them extremely suspicious. A few more off the top of my head:
>
> Your Company HTTP based Intranet VPN

Your Intranet is available to the internet? Kinda defeats the definition of "intra"

> Online Wiki's taking updated content

That's why they should block, not alert.

> Places that GEOIP the source for copyright issues (online tv streaming, crypto software downloads, etc)

Crapshoot. You have no idea where you are going to exit TOR.

> Any HR system, why would an employee tor themselves when looking at benefits?

Why is your HR system available to the internet? IMO an employee should VPN in, then HR.

> Etc, etc. There are many places this is useful to know. I'm sure others here have more examples.
>
> Back to the bank example, there is the possibility to track this. Many banks have a cleartext login page for example,

Which bank is this? That's just gross negligence.

> or they have ssl proxies/accelerators so there is the opportunity to catch logins from tor nodes.

So what value add does it give you? You know where they are coming from. So what?

> I agree with you that this isn't useful for everyone, but "not everyone" != no one.

As Frank said in the other thread. Useful? For research. Production use? No.

>> I'm not saying there isn't any value in the TOR rules. But if we step back for a minute, what does it give you? Really?
>>
>> Someone banging on my door.
>> Now I know they are coming from TOR, so I have absolutely no way of seeing who they really are, on the other hand, can you trust any alert that crosses your system to actually be valuable to see who they REALLY are? The answer is no. You can't trust any source IP. You can't even trust your own these days.
>
> The interesting thing is that they chose to use Tor. Not what the IP is, but what they're doing. Choosing to use Tor is done for a reason. People don't just do it for fun. You have serious latency and are blocked at a lot of places. So choosing to use it when someone talks to me tells me something important. They REALLY don't want me to know who they are, so there is a reasonable chance they are going to do something I may not like.

It still doesn't give me anything but what exit node they came out of. It doesn't provide me anything. What am I going to do with the information? What's my next actionable step purely on this information alone?

>> I'd be more interested in some TOR rules that alerted me to the presence of people using TOR on *my* network. Not coming *to* my network using TOR. I just don't see the value.
>
> We do have those sigs. The tor updates and sign ins are very easy to grab. The sigs are very reliable that we have.

Then use those.

>> ...and IMO, IP sigs have 0 value. Too easy to change, and you'll NEVER get them all, as Frank was alluding to.
>
> 0 value is a very absolute statement. I think we do have all or nearly all of the tor nodes as they have to be registered and the lists update live. But either way, lets pessimistically say we had 80% of them: since we don't have 100% we should ignore that 80% we can detect? That doesn't make sense.

It doesn't make sense to detect them at all, it doesn't give you _a thing_.

> The RBN sigs, compromised hosts, Spamhaus DROP, and all the other IP lists we run are hugely effective, and among the most downloaded.

Just because they are alerting a lot or the most downloaded doesn't mean that it's the right way to do it. Firewalls and routers are for IPs. Block them there.

--
Joel Esler
http://www.joelesler.net
[m]

From eslerj at gmail.com Thu Dec 18 15:04:48 2008
From: eslerj at gmail.com (Joel Esler)
Date: Thu, 18 Dec 2008 15:04:48 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <494AAB4F.2010503@jonkmans.com>
Message-ID:

On Dec 18, 2008, at 2:58 PM, Matt Jonkman allegedly wrote:
> The more suspicious things they do the more points they get until they cross a threshold and get blocked. So properly configured we could detect someone probing for pages to attack before they got to the sql injection.

Yeah, that's great, until you start blocking real customers. End of that product.

>>> I am a member of the Church of Block 'em All. (services every friday at 5pm. email me for a list of parishes :))
>>
>> Heh... then again, why not blocking TOR exit nodes outright on the firewall? Saves you so much alert fluff in the IDS ;)
>
> Because I'm not yet sure that everything coming at me from tor is bad. And I doubt that I'll be able to say everything from there is bad. But it tells me something about what's coming at me and helps me make a block decision.

Exactly my point. Just because something *can* alert, doesn't mean it should. Block at the perimeter devices and monitor what actually gets through.

> More information is usually better IMHO.

More information that allows you to have actionable intelligence is better. Alerts that go into a db just "Because"? Pointless.

--
Joel Esler
http://www.joelesler.net
[m]

From frank at knobbe.us Thu Dec 18 15:18:54 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 18 Dec 2008 14:18:54 -0600
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <494AAC3F.4040401@jonkmans.com>
Message-ID: <1229631534.63619.21.camel@localhost>

On Thu, 2008-12-18 at 15:02 -0500, Matt Jonkman wrote:
> Frank Knobbe wrote:
> > So are you reviewing all other TOR rules and making new sigs then?
>
> Could, but I don't see why. The ones we have are accurate, but they look for the client-node and node-node traffic. As far as I know they're still accurate. But that's not what we're seeing here.

No no, I mean, reviewing the alerts generated by inbound TOR sigs and checking if there are SQL injection or other attacks that the regular didn't alert on

-Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
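The review Frank proposes above (looking at what the sources that trip only an inbound Tor exit node rule actually request) can be scripted and ranked with the point scheme Matt outlines earlier in the thread. This is an added example, not code from any poster or from the Emerging Threats ruleset. The alert and log lines, the SIDs, the 0.3-per-404 weight and the 2.0 threshold are constructed assumptions; only the half point for a Tor exit hit comes from the thread.

```python
import re
from collections import defaultdict

# Placeholder SID: substitute the SIDs of the inbound Tor exit node rules
# from your own ruleset. Nothing here is a real Emerging Threats SID.
TOR_EXIT_SIDS = {9000001}

# Constructed Snort "fast" alert lines (documentation-range addresses).
SNORT_FAST_ALERTS = """\
12/18-15:01:22.000001  [**] [1:9000001:1] EXAMPLE inbound from Tor exit node [**] [Priority: 2] {TCP} 192.0.2.10:43512 -> 198.51.100.5:80
12/18-15:01:25.000002  [**] [1:9000002:1] EXAMPLE SQL injection attempt [**] [Priority: 1] {TCP} 192.0.2.10:43513 -> 198.51.100.5:80
12/18-15:02:10.000003  [**] [1:9000001:1] EXAMPLE inbound from Tor exit node [**] [Priority: 2] {TCP} 192.0.2.20:51000 -> 198.51.100.5:80
12/18-15:03:40.000004  [**] [1:9000001:1] EXAMPLE inbound from Tor exit node [**] [Priority: 2] {TCP} 192.0.2.30:40222 -> 198.51.100.5:80
12/18-15:04:00.000005  [**] [1:9000003:1] EXAMPLE scanner user-agent [**] [Priority: 2] {TCP} 203.0.113.7:39000 -> 198.51.100.5:80
"""

# Constructed Apache access log lines for the same web server.
APACHE_ACCESS_LOG = """\
192.0.2.10 - - [18/Dec/2008:15:01:25 -0500] "GET /index.php?id=1 HTTP/1.1" 200 512
192.0.2.20 - - [18/Dec/2008:15:02:10 -0500] "GET /app-one/setup.php HTTP/1.1" 404 209
192.0.2.20 - - [18/Dec/2008:15:02:11 -0500] "GET /app-two/login.php HTTP/1.1" 404 209
192.0.2.20 - - [18/Dec/2008:15:02:12 -0500] "GET /old-forum/admin.php HTTP/1.1" 404 209
192.0.2.20 - - [18/Dec/2008:15:02:13 -0500] "GET /webmail/index.php HTTP/1.1" 404 209
192.0.2.20 - - [18/Dec/2008:15:02:14 -0500] "GET /shop/changepass.php HTTP/1.1" 404 209
192.0.2.20 - - [18/Dec/2008:15:02:15 -0500] "GET / HTTP/1.1" 200 1024
192.0.2.30 - - [18/Dec/2008:15:03:40 -0500] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [18/Dec/2008:15:04:00 -0500] "GET /robots.txt HTTP/1.1" 404 209
"""

# Scores are kept in tenths of a point so the arithmetic stays exact.
TOR_EXIT_SCORE = 5     # "half a point" for arriving via a Tor exit node (from the thread)
NOT_FOUND_SCORE = 3    # assumed value for "a few tenths" per 404 probe
REVIEW_THRESHOLD = 20  # assumed threshold of 2.0 points

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->"
)
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)


def tor_only_sources(alert_text):
    """Return source IPs whose alerts all came from Tor exit node rules."""
    sids_by_src = defaultdict(set)
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            sids_by_src[m.group("src")].add(int(m.group("sid")))
    # A source that also tripped any other signature is already visible there.
    return {src for src, sids in sids_by_src.items() if sids <= TOR_EXIT_SIDS}


def score_sources(sources, access_log_text):
    """Score each Tor-only source and collect its requests for manual review."""
    report = {src: {"score_tenths": TOR_EXIT_SCORE, "requests": []} for src in sources}
    for line in access_log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group("src") not in report:
            continue
        entry = report[m.group("src")]
        entry["requests"].append((m.group("status"), m.group("request")))
        if m.group("status") == "404":
            entry["score_tenths"] += NOT_FOUND_SCORE
    return report


def review_queue(report):
    """Sources at or over the threshold, highest score first."""
    hits = [(v["score_tenths"], src) for src, v in report.items()
            if v["score_tenths"] >= REVIEW_THRESHOLD]
    return [src for _, src in sorted(hits, key=lambda t: (-t[0], t[1]))]


if __name__ == "__main__":
    report = score_sources(tor_only_sources(SNORT_FAST_ALERTS), APACHE_ACCESS_LOG)
    for src in review_queue(report):
        print(src, report[src]["score_tenths"] / 10)
        for status, request in report[src]["requests"]:
            print("   ", status, request)
```

The requests listed for each queued source are the ones to read by hand when deciding whether an existing signature should have fired.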
From jonkman at jonkmans.com Thu Dec 18 15:35:14 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 18 Dec 2008 15:35:14 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To:
Message-ID: <494AB402.5010709@jonkmans.com>

Joel Esler wrote:
>>> Taking one example and calling the entire concept less useful isn't the
>> best way to go at this.
>
> At what? We are having a discussion.

At calling an entire concept of no use. Discussion is good. Absolutes don't help discussion.

>> Your Company HTTP based Intranet VPN
>
> Your Intranet is available to the internet? Kinda defeats the definition of "intra"

No, mine isn't. But people have remote access to such things. You're aware of that ya?

>> Online Wiki's taking updated content
>
> That's why they should block, not alert.

Depends on who you are and what kind of content. I wouldn't presume to tell someone what to do with their stuff on their network. I'd rather make the tools available and let them do what suits their net, information and organization's policy.

>> Places that GEOIP the source for copyright issues (online tv streaming, crypto software downloads, etc)
>
> Crapshoot. You have no idea where you are going to exit TOR.

Exactly, but it's likely not going to be the same geoip region as where you're really from.
So if I want to know where someone is and they're Tor'ing I can assume I do NOT know where they are and act according to my legal constraints to talk to them.

>> Any HR system, why would an employee tor themselves when looking at benefits?
>
> Why is your HR system available to the internet? IMO an employee should VPN in, then HR.

Maybe. String auth on an ssl site is good for many folks. Everything's different, that's why we make available many tools and let people use those that apply to them. I'm sure there are sourcefire customers that go both ways as well.

Would you care if someone were using tor to get to the vpn? That's an interesting thing to do, and can be done. I'd like to know when that's happening!

>> Back to the bank example, there is the possibility to track this. Many banks have a cleartext login page for example,
>
> Which bank is this? That's just gross negligence.

What's gross negligence about a login form that's cleartext? Ever seen a login here field on the front page of a bank? The submits are still to an ssl url but the front page is http. Two of the banks I use do that, and many I've pen tested over the years do it. Doesn't make them any less secure. Just different than others.

>> or they have ssl proxies/accelerators so there is the opportunity to catch logins from tor nodes.
>
> So what value add does it give you? You know where they are coming from. So what?

No, I don't care where they're coming from. I care that they chose to anonymize their source. Keep up here. :)

> As Frank said in the other thread. Useful? For research. Production use? No.

Depends who you are and what you're protecting. We put the info and tools out there and let folks use them. I don't presume to know better than any of our ET users what they should do and shouldn't. We put out every idea and tool that has any value to anyone. Use what fits you. Guess we're funny like that. :)

>> lot of places.
>> So choosing to use it when someone talks to me tells me something important. They REALLY don't want me to know who they are, so there is a reasonable chance they are going to do something I may not like.
>
> It still doesn't give me anything but what exit node they came out of. It doesn't provide me anything. What am I going to do with the information? What's my next actionable step purely on this information alone?

Again, it tells me they chose to anonymize. Don't care what node they came from, I care they came from ANY tor node.

In my setup, if I choose to block on tor exit nodes should I decide that everything from there is bad I could block directly with snortsam. I doubt I'll make that decision. What I'll probably do is write SEC rules to sense when someone does a few other suspicious things AND is from tor node and block based on that being the deciding factor. You could (I assume) use rna to make that same decision, or a number of other event managers. So I need those snort hits on Tor nodes, to make the larger decision.

>>> I'd be more interested in some TOR rules that alerted me to the presence of people using TOR on *my* network. Not coming *to* my network using TOR. I just don't see the value.
>> We do have those sigs. The tor updates and sign ins are very easy to grab. The sigs are very reliable that we have.
>
> Then use those.

Haha. We're not talking about detecting Tor client traffic. Those rules exist and are really good. But irrelevant to this. We're looking at traffic coming from Tor nodes inbound to me. Totally different concept. Have you looked at the differences in the rules? Do you know the hierarchy in how Tor works?

>> live. But either way, lets pessimistically say we had 80% of them: since we don't have 100% we should ignore that 80% we can detect? That doesn't make sense.
>
> It doesn't make sense to detect them at all, it doesn't give you _a thing_.

To you maybe not.
You're not following I don't think. To me it gives me great info. I think there are a lot of others that also think these valuable (or it wouldn't have been brought up in the first place)

I'm not trying to talk you into using them. Do what you like, but there is value in this information.

>> The RBN sigs, compromised hosts, Spamhaus DROP, and all the other IP lists we run are hugely effective, and among the most downloaded.
>
> Just because they are alerting a lot or the most downloaded doesn't mean that it's the right way to do it. Firewalls and routers are for IPs. Block them there.

Haha. There is more than one way to do things. Many places don't have firewalls or can't easily add large lists of IPs to them automatically. Many don't WANT to block but want the alert to do other correlation (I'm in that boat). Some people are just curious who's using tor to talk to them.

This is obviously not for you Joel. If it won't work in the confines of your systems you install that's too bad. It is useful and actionable intelligence in many places. My setup for example, and many others. Not all, but many. Thus I'll publish and support the ruleset until no one downloads it.

Matt
From jjohnson at jdmc.org Thu Dec 18 15:34:22 2008
From: jjohnson at jdmc.org (John Johnson)
Date: Thu, 18 Dec 2008 14:34:22 -0600
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To:
Message-ID: <494AB3CE.4080402@jdmc.org>

Joel Esler wrote:
> On Dec 18, 2008, at 2:58 PM, Matt Jonkman allegedly wrote:
>
>> The more suspicious things they do the more points they get until they cross a threshold and get blocked. So properly configured we could detect someone probing for pages to attack before they got to the sql injection.
>
> Yeah, that's great, until you start blocking real customers. End of that product.

It's as easy as turning off the sig. Do you enable all the current blocking sigs?

>>>> I am a member of the Church of Block 'em All. (services every friday at 5pm. email me for a list of parishes :))
>>>
>>> Heh... then again, why not blocking TOR exit nodes outright on the firewall?
>>> Saves you so much alert fluff in the IDS ;)
>>
>> Because I'm not yet sure that everything coming at me from tor is bad. And I doubt that I'll be able to say everything from there is bad. But it tells me something about what's coming at me and helps me make a block decision

With a new set of rules, that's a good way to roll out. And I'll help verify an actionable reason - most of my TOR hits on the new rules are simply DNS requests that are probably from spammers. Have to wait a bit for logs for the possible correlation. Needed a tool to verify it.

> Exactly my point. Just because something *can* alert, doesn't mean it should. Block at the perimeter devices and monitor what actually gets through.
>
>> More information is usually better IMHO.
>
> More information that allows you to have actionable intelligence is better. Alerts that go into a db just "Because"? Pointless.

I'm already feeding the spammers custom dns views for SMTP. Anything that helps me with that task is a worthwhile tool. Simply turning it off in your snort.conf will keep it out of your db, Joel. Removing it because you find no benefit would not help identify trends, much in that Matt has likened these rules to Spamassassin.
-john

From jonkman at jonkmans.com Thu Dec 18 15:37:45 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 18 Dec 2008 15:37:45 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <1229631534.63619.21.camel@localhost>
Message-ID: <494AB499.2080600@jonkmans.com>

Frank Knobbe wrote:
> No no, I mean, reviewing the alerts generated by inbound TOR sigs and checking if there are SQL injection or other attacks that the regular didn't alert on

Ahh ya. That's a very good idea. What I've been doing out of curiosity so far is grepping my apache logs for the IPs that trip tor exit nodes but nothing else, and so far they're all very obvious bad stuff. Looking for apps that don't exist, pass change forms, rfi's etc.

Will look closer and see where we can tune rules to make sure there are hits where appropriate.

Good idea frank!
Matt

>
> -Frank

From jonkman at jonkmans.com Thu Dec 18 15:42:05 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 18 Dec 2008 15:42:05 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To:
Message-ID: <494AB59D.5050200@jonkmans.com>

Joel Esler wrote:
>> The more suspicious things they do the more points they get until they cross a threshold and get blocked. So properly configured we could detect someone probing for pages to attack before they got to the sql injection.
>
> Yeah, that's great, until you start blocking real customers. End of that product.

No, then you adjust to not block real customers. We've been doing so for quite a long time and blocking IPS's are still around.

>> Because I'm not yet sure that everything coming at me from tor is bad. And I doubt that I'll be able to say everything from there is bad. But it tells me something about what's coming at me and helps me make a block decision.
>
> Exactly my point.
> Just because something *can* alert, doesn't mean it should. Block at the perimeter devices and monitor what actually gets through.

Different philosophies here. See my last post. I don't care to let people beat on the door until they get through. I would rather the night-watchman tazer the crackhead beating on the front window to my bank even though he may not be able to break the glass. Both approaches are valid.

>> More information is usually better IMHO.
>
> More information that allows you to have actionable intelligence is better. Alerts that go into a db just "Because"? Pointless.

Agreed. But this isn't pointless by any means. Depends on how you act upon intelligence.

Matt

From jonkman at jonkmans.com Thu Dec 18 15:45:05 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 18 Dec 2008 15:45:05 -0500
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <494AB3CE.4080402@jdmc.org>
Message-ID: <494AB651.5040704@jonkmans.com>

John Johnson wrote:
> With a new set of rules, that's a good way
to roll out. And I'll > help verify an actionable reason - most of my TOR hits on the new > rules are simply DNS requests that are probably from spammers. > Have to wait a bit for logs for the possible correlation. > Needed a tool to verify it. I am seeing a lot of dns from them as well. Interesting that you are as well. Possible that spammers are using tor, but seems it'd be tough to make effective. I'd guess the rbl's list the exit nodes as we're doing. Anyone know more about that? Most of my dns requests I think were mx. Matt >> More information that allows you to have actionable intelligence is >> better. Alerts that go into a db just "Because"? Pointless. >> >> > I'm already feeding the spammers custom dns views for SMTP. > Anything that helps me with that task is a worthwhile tool. Simply > turning it off in your snort.conf will keep it out of your db, Joel. > Removing it because you find no benefit would not help identify > trends, much in that Matt has likened these rules to Spamassassin. 
> > -john > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jjohnson at jdmc.org Thu Dec 18 15:53:24 2008 From: jjohnson at jdmc.org (John Johnson) Date: Thu, 18 Dec 2008 14:53:24 -0600 Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor In-Reply-To: <494AB651.5040704@jonkmans.com> References: <17b0fcab0812162330x4195836axbe993945fe79c14a@mail.gmail.com> <494926CD.8080205@jonkmans.com> <20081217165128.712ABA4052@medusa.richmond-family.org> <20081217170646.5D58EA4052@medusa.richmond-family.org> <1229555236.22227.25.camel@localhost> <494A93BD.80206@jonkmans.com> <8F202DF4-82F0-48A8-8FEC-8386F14A22A7@gmail.com> <494AA75D.9030902@jonkmans.com> <1229629695.63619.16.camel@localhost> <494AAB4F.2010503@jonkmans.com> <494AB3CE.4080402@jdmc.org> <494AB651.5040704@jonkmans.com> Message-ID: <494AB844.1050000@jdmc.org> Matt Jonkman wrote: > I am seeing a lot of dns from them as well. Interesting that you are as > well. Possible that spammers are using tor, but seems it'd be tough to > make effective. I'd guess the rbl's list the exit nodes as we're doing. > > Anyone know more about that? Most of my dns requests I think were mx. > > Cool! 67.210.0.0/24 is the most active I'm seeing. And it's all after my primary MX. Alert-Block-ModifyDNSResponse ? 
:)

From emerging at emergingthreats.net Thu Dec 18 16:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 18 Dec 2008 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081218210009.8AAB645026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Dec 18 16:00:09 2008 [***]

[///] Modified active rules: [///]

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (4):
2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
2500021 || ET COMPROMISED Known Compromised or Hostile Host Traffic (22) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510021 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (22) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (4):
2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
2500021 || ET COMPROMISED Known Compromised or Hostile Host Traffic (22) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510021 || ET COMPROMISED Known Compromised or Hostile Host Traffic -
BLOCKING (22) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-tor-BLOCK.rules (2): # VERSION 7 # Updated 2008-12-18 00:03:02 -> Added to emerging-tor.rules (2): # VERSION 7 # Updated 2008-12-18 00:03:02 [---] Removed non-rule lines: [---] -> Removed from emerging-tor-BLOCK.rules (2): # VERSION 2 # Updated 2008-12-17 11:46:12 -> Removed from emerging-tor.rules (2): # VERSION 2 # Updated 2008-12-17 11:46:12 From thierry.chich at ac-clermont.fr Fri Dec 19 05:43:26 2008 From: thierry.chich at ac-clermont.fr (Thierry CHICH) Date: Fri, 19 Dec 2008 11:43:26 +0100 Subject: [Emerging-Sigs] =?iso-8859-1?q?=5BSnort-sigs=5D_Snort_rules_again?= =?iso-8859-1?q?st=09traffic=09from_Tor?= In-Reply-To: <494AB651.5040704@jonkmans.com> References: <494AB3CE.4080402@jdmc.org> <494AB651.5040704@jonkmans.com> Message-ID: <200812191143.26355.thierry.chich@ac-clermont.fr> Hi, About the discussion you had here, I have just one thing to say. For me, traffic coming from tor node should be considered in the same way that rbn traffic. You can not be sure it is bad traffic, but you should be careful with it. However, I am not sure of what I see with these rules. I see http traffic coming from classical web site. Some of them are both in rbn rules and tor rules. For instance : 68.178.232.99 is a web site, is in rbn rule and is a tor node. This is not very pleasant becasue there will be a lot of false alert. A work around should be to add ! [HTTP_PORTS], but I am not sure it will be enough or perhaps 1024: (for the source port) ? 
-- Thierry CHICH Equipe R?seaux / Rectorat de Clermont-Ferrand Tel: +33 4 73 99 30 54 From jonkman at jonkmans.com Fri Dec 19 10:50:22 2008 From: jonkman at jonkmans.com (Matt Jonkman) Date: Fri, 19 Dec 2008 10:50:22 -0500 Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor In-Reply-To: <200812191143.26355.thierry.chich@ac-clermont.fr> References: <494AB3CE.4080402@jdmc.org> <494AB651.5040704@jonkmans.com> <200812191143.26355.thierry.chich@ac-clermont.fr> Message-ID: <494BC2BE.3050103@jonkmans.com> Why do you want to exclude http traffic? Are you just more interested in direct attack stuff? Interesting that there is an rbn node that's also an exit node. I'll look into that. Matt Thierry CHICH wrote: > Hi, > > About the discussion you had here, I have just one thing to say. For me, > traffic coming from tor node should be considered in the same way that rbn > traffic. You can not be sure it is bad traffic, but you should be careful > with it. > > However, I am not sure of what I see with these rules. I see http traffic > coming from classical web site. > Some of them are both in rbn rules and tor rules. > For instance : 68.178.232.99 is a web site, is in rbn rule and is a tor node. > This is not very pleasant becasue there will be a lot of false alert. > A work around should be to add ! [HTTP_PORTS], but I am not sure it will be > enough or perhaps 1024: (for the source port) ? 
> -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From thierry.chich at ac-clermont.fr Fri Dec 19 14:28:05 2008 From: thierry.chich at ac-clermont.fr (Thierry Chich) Date: Fri, 19 Dec 2008 20:28:05 +0100 Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor In-Reply-To: <494BC2BE.3050103@jonkmans.com> References: <494AB3CE.4080402@jdmc.org> <494AB651.5040704@jonkmans.com> <200812191143.26355.thierry.chich@ac-clermont.fr> <494BC2BE.3050103@jonkmans.com> Message-ID: <1229714885.6749.10.camel@janet> Le vendredi 19 d?cembre 2008 ? 10:50 -0500, Matt Jonkman a ?crit : > Why do you want to exclude http traffic? Are you just more interested in > direct attack stuff? > > Interesting that there is an rbn node that's also an exit node. I'll > look into that. There is a lot of adresses that are in both list. In two minutes, I have seen two cases. Furthermore, a lot of alerts I see, are tcp connection initiated by http browsers in my home net to http servers that are also tor nodes. This kind of connection is not related to the tor activity of the computer. However, I agree that this is very intrigating. I didn't think that tor nodes could be maintained by computers known to be aggressive. It should indicate that the tor network is used by people trying to do bad things. Thierry > Matt > > Thierry CHICH wrote: > > Hi, > > > > About the discussion you had here, I have just one thing to say. For me, > > traffic coming from tor node should be considered in the same way that rbn > > traffic. You can not be sure it is bad traffic, but you should be careful > > with it. > > > > However, I am not sure of what I see with these rules. I see http traffic > > coming from classical web site. > > Some of them are both in rbn rules and tor rules. 
> > For instance : 68.178.232.99 is a web site, is in rbn rule and is a tor node.
> > This is not very pleasant because there will be a lot of false alert.
> > A work around should be to add ! [HTTP_PORTS], but I am not sure it will be
> > enough or perhaps 1024: (for the source port) ?
> >
>

From jjohnson at jdmc.org Fri Dec 19 15:02:56 2008
From: jjohnson at jdmc.org (John Johnson)
Date: Fri, 19 Dec 2008 14:02:56 -0600
Subject: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
In-Reply-To: <1229714885.6749.10.camel@janet>
References: <494AB3CE.4080402@jdmc.org> <494AB651.5040704@jonkmans.com> <200812191143.26355.thierry.chich@ac-clermont.fr> <494BC2BE.3050103@jonkmans.com> <1229714885.6749.10.camel@janet>
Message-ID: <494BFDF0.8060000@jdmc.org>

Thierry Chich wrote:
> There are a lot of addresses that are in both lists. In two minutes, I have seen two cases.
> Furthermore, a lot of the alerts I see are tcp connections initiated by http browsers in my
> home net to http servers that are also tor nodes.
>
> This kind of connection is not related to the tor activity of the computer.
>

I'm seeing that too, Thierry. One of the IPs I'm seeing hit is
66.246.235.42; the domain associated with the GET was oxymoronik.com.
I am not sure if it was the user's intention to go to that site.

> However, I agree that this is very intriguing. I didn't think that tor nodes could
> be maintained by computers known to be aggressive. It should indicate that the tor
> network is used by people trying to do bad things.
>

If you google a bit, you'll see where an exit node was used to do
man-in-the-middle attacks. The correlation of RBN and TOR exit nodes
already is something new to me.

Snort has been 3 things to me:
1. a research tool (like the above)
2. a forensics tool (logs for after the fact attacks)
3. a verification of my firewall tool

With the ability to tune it down to my needs, giving me the choice to
enable or disable a rule, I'm happy.
-john

From emerging at emergingthreats.net Fri Dec 19 16:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 19 Dec 2008 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081219210009.6921D4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Dec 19 16:00:09 2008 [***]

[*] Rules modifications: [*]
    None.

[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (4):
       2500022 || ET COMPROMISED Known Compromised or Hostile Host Traffic (23) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500023 || ET COMPROMISED Known Compromised or Hostile Host Traffic (24) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510022 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (23) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510023 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (24) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (4):
       2500022 || ET COMPROMISED Known Compromised or Hostile Host Traffic (23) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500023 || ET COMPROMISED Known Compromised or Hostile Host Traffic (24) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510022 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (23) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510023 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (24) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From emerging at emergingthreats.net Sat Dec 20 16:06:10 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 20 Dec 2008 16:06:10 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081220210610.A8A3845026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Dec
20 16:06:10 2008 [***]

[*] Rules modifications: [*]
    None.

[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (2):
       2500024 || ET COMPROMISED Known Compromised or Hostile Host Traffic (25) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510024 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (25) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (2):
       2500024 || ET COMPROMISED Known Compromised or Hostile Host Traffic (25) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510024 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (25) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From emerging at emergingthreats.net Sat Dec 20 18:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 20 Dec 2008 18:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20081220230009.3DF8A45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Dec 20 18:00:09 2008 [***]

[+++] Added rules: [+++]

    2008892 - ET MALWARE Smileware Connection Spyware Related User-Agent (Smileware Connection) (emerging-malware.rules)
    2008893 - ET TROJAN Perfect Keylogger Install Email Report (emerging-virus.rules)
    2008894 - ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg) (emerging-malware.rules)
    2008895 - ET WEB_ACTIVEX Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite (emerging-web.rules)
    2008896 - ET WEB_SPECIFIC Bandwebsite lyrics.php id parameter Sql Injection (emerging-web_sql_injection.rules)
    2008897 - ET WEB_SPECIFIC MODx CMS snippet.reflect.php reflect_base Remote File Inclusion (emerging-web_sql_injection.rules)
    2008898 - ET WEB_SPECIFIC MODx CMS snippet.reflect.php reflect_base Local File Inclusion (emerging-web_sql_injection.rules)
    2008899 - ET WEB+SPECIFIC Pie RSS module lib parameter remote file inclusion (emerging-web_sql_injection.rules)
    2008900 - ET WEB_SPECIFIC ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008901 - ET WEB_SPECIFIC ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008902 - ET WEB_SPECIFIC ModernBill send_email_cache.php DIR Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008903 - ET WEB_SPECIFIC ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008904 - ET WEB_SPECIFIC ModernBill nettools.popup.php DIR Parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008905 - ET TROJAN Trojan.Delf-5496 Checkin Error (emerging-virus.rules)
    2008906 - ET TROJAN Trojan.Delf-5496 Egg Request (emerging-virus.rules)
    2008907 - ET TROJAN Trojan.Delf-5496 File Manager Access Report (emerging-virus.rules)
    2008908 - ET TROJAN Trojan.Delf-5496 New Infection Report (emerging-virus.rules)
    2008909 - ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 (emerging.rules)
    2008910 - ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 (emerging.rules)
    2008911 - ET TROJAN Spyguarder.com Fake AV Install Report (emerging-virus.rules)
    2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
    2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules)
    2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

    2002848 - ET EXPLOIT SIP UDP Softphone INVITE overflow (emerging-exploit.rules)
    2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400002 - ET DROP Spamhaus DROP Listed
Traffic Inbound (emerging-drop.rules) 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules) 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules) 2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules) 2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules) 2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules) 2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules) 2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules) 2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules) 2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules) 2404007 - ET DROP Known Bot C&C Server Traffic 
(group 8) (emerging-botcc.rules) 2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules) 2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules) 2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules) 2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules) 2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules) 2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules) 2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules) 2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules) 2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules) 2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules) 2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules) 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405011 
- ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules) 2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian 
Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules) 
2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network Monitored Domains 
(57) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business 
Network Monitored Domains (79) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules) 2406100 - ET 
RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules) 2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules) 2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules) 2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules) 2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules) 2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules) 2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules) 2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules) 2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules) 2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules) 2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules) 2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules) 2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules) 2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules) 2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules) 2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules) 2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules) 2406121 - ET RBN Known Russian Business Network Monitored 
Domains (122) (emerging-rbn.rules) 2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules) 2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules) 2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules) 2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules) 2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules) 2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules) 2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules) 2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules) 2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules) 2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules) 2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules) 2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules) 2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules) 2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules) 2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules) 2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules) 2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules) 2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules) 2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules) 2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules) 2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules) 2406143 - 
ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules) 2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules) 2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules) 2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules) 2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules) 2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules) 2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules) 2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules) 2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules) 2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules) 2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules) 2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules) 2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules) 2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules) 2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules) 2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules) 2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules) 2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules) 2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules) 2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules) 2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules) 2406164 - ET RBN Known Russian Business Network 
Monitored Domains (165) (emerging-rbn.rules) 2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules) 2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules) 2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules) 2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules) 2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) 
(emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) 
(emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business 
Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored 
Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) 
(emerging-rbn-BLOCK.rules)
2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules)
2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules)
2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules)
2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules)
2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules)
2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules)
2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules)
2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules)
2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules)
2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-attack_response.rules (1):
   # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-botcc-BLOCK.rules (1):
   # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-botcc.rules (1):
   # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-dos.rules (1):
   # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-drop-BLOCK.rules (3):
   # Copyright (c) 2003-2009, Emerging Threats
   # VERSION 1394
   # Generated 2008-12-20 00:03:02 EDT
-> Added to emerging-drop.rules (3):
   # Copyright (c) 2003-2009, Emerging Threats
   # VERSION 1394
   # Generated 2008-12-20 00:03:02 EDT
-> Added to emerging-dshield-BLOCK.rules (1):
   # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-dshield.rules (1):
   # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-exploit.rules (1):
   # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-game.rules (1):
   # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-inappropriate.rules (1):
   # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-malware.rules (1):
   # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-p2p.rules (1):
   # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-policy.rules (1):
   # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-rbn-BLOCK.rules (2):
   # VERSION 92
   # Updated 2008-12-14 22:44:48
-> Added to emerging-rbn.rules (2):
   # VERSION 92
   # Updated 2008-12-14 22:44:48
-> Added to emerging-scan.rules (1):
   # Copyright (c) 2003-2009, Emerging Threats
-> Added to emerging-sid-msg.map (393):
   2008891 || ET TROJAN MEREDROP/micr0s0fts.cn Related Checkin
   2008892 || ET MALWARE Smileware Connection Spyware Related User-Agent (Smileware Connection)
   2008893 || ET TROJAN Perfect Keylogger Install Email Report
   2008894 || ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)
   2008895 || ET WEB_ACTIVEX Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite || url,milw0rm.com/exploits/7358 || bugtraq,32664
   2008896 || ET WEB_SPECIFIC Bandwebsite lyrics.php id parameter Sql Injection || bugtraq,32454 || url,www.milw0rm.com/exploits/7215
   2008897 || ET WEB_SPECIFIC MODx CMS snippet.reflect.php reflect_base Remote File Inclusion || url,secunia.com/advisories/32824/ || url,www.milw0rm.com/exploits/7204
   2008898 || ET WEB_SPECIFIC MODx CMS snippet.reflect.php reflect_base Local File Inclusion || url,secunia.com/advisories/32824/ || url,www.milw0rm.com/exploits/7204
   2008899 || ET WEB+SPECIFIC Pie RSS module lib parameter remote file inclusion || url,milw0rm.com/exploits/7225 || bugtraq,32465
   2008900 || ET WEB_SPECIFIC ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/
   2008901 || ET WEB_SPECIFIC ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/
   2008902 || ET WEB_SPECIFIC ModernBill send_email_cache.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/
   2008903 || ET WEB_SPECIFIC ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/
   2008904 || ET WEB_SPECIFIC ModernBill nettools.popup.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/
   2008905 || ET TROJAN Trojan.Delf-5496 Checkin Error
   2008906 || ET TROJAN Trojan.Delf-5496 Egg Request
   2008907 || ET TROJAN Trojan.Delf-5496 File Manager Access Report
   2008908 || ET TROJAN Trojan.Delf-5496 New Infection Report
   2008909 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html
   2008910 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html
   2008911 || ET TROJAN Spyguarder.com Fake AV Install Report
   2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
   2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
   2406170 || ET RBN Known Russian Business Network Monitored Domains (171) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
   2407170 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
   2500012 || ET COMPROMISED Known Compromised or Hostile Host Traffic (13) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
   2500013 || ET COMPROMISED Known Compromised or Hostile Host Traffic (14) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
   2500014
|| ET COMPROMISED Known Compromised or Hostile Host Traffic (15) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500015 || ET COMPROMISED Known Compromised or Hostile Host Traffic (16) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500016 || ET COMPROMISED Known Compromised or Hostile Host Traffic (17) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500017 || ET COMPROMISED Known Compromised or Hostile Host Traffic (18) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500018 || ET COMPROMISED Known Compromised or Hostile Host Traffic (19) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500019 || ET COMPROMISED Known Compromised or Hostile Host Traffic (20) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500020 || ET COMPROMISED Known Compromised or Hostile Host Traffic (21) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500021 || ET COMPROMISED Known Compromised or Hostile Host Traffic (22) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500022 || ET COMPROMISED Known Compromised or Hostile Host Traffic (23) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500023 || ET COMPROMISED Known Compromised or Hostile Host Traffic (24) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500024 || ET COMPROMISED Known Compromised or Hostile Host Traffic (25) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510012 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (13) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510013 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (14) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510014 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (15) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510015 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (16) 
|| url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510016 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (17) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510017 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (18) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510018 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (19) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510019 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (20) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510020 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (21) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510021 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (22) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510022 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (23) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510023 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (24) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510024 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (25) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2520000 || ET TOR Known Tor Exit Node (1) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520001 || ET TOR Known Tor Exit Node (2) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520002 || ET TOR Known Tor Exit Node (3) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520003 || ET TOR Known Tor Exit Node (4) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520004 || ET TOR Known Tor Exit Node (5) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520005 || ET TOR Known Tor Exit Node (6) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520006 || ET TOR Known Tor Exit Node (7) || 
url,doc.emergingthreats.net/bin/view/Main/TorRules 2520007 || ET TOR Known Tor Exit Node (8) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520008 || ET TOR Known Tor Exit Node (9) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520009 || ET TOR Known Tor Exit Node (10) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520010 || ET TOR Known Tor Exit Node (11) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520011 || ET TOR Known Tor Exit Node (12) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520012 || ET TOR Known Tor Exit Node (13) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520013 || ET TOR Known Tor Exit Node (14) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520014 || ET TOR Known Tor Exit Node (15) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520015 || ET TOR Known Tor Exit Node (16) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520016 || ET TOR Known Tor Exit Node (17) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520017 || ET TOR Known Tor Exit Node (18) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520018 || ET TOR Known Tor Exit Node (19) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520019 || ET TOR Known Tor Exit Node (20) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520020 || ET TOR Known Tor Exit Node (21) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520021 || ET TOR Known Tor Exit Node (22) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520022 || ET TOR Known Tor Exit Node (23) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520023 || ET TOR Known Tor Exit Node (24) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520024 || ET TOR Known Tor Exit Node (25) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520025 || ET TOR Known Tor Exit Node (26) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520026 || ET TOR Known Tor Exit Node (27) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520027 || 
ET TOR Known Tor Exit Node (28) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520028 || ET TOR Known Tor Exit Node (29) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520029 || ET TOR Known Tor Exit Node (30) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520030 || ET TOR Known Tor Exit Node (31) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520031 || ET TOR Known Tor Exit Node (32) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520032 || ET TOR Known Tor Exit Node (33) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520033 || ET TOR Known Tor Exit Node (34) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520034 || ET TOR Known Tor Exit Node (35) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520035 || ET TOR Known Tor Exit Node (36) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520036 || ET TOR Known Tor Exit Node (37) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520037 || ET TOR Known Tor Exit Node (38) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520038 || ET TOR Known Tor Exit Node (39) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520039 || ET TOR Known Tor Exit Node (40) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520040 || ET TOR Known Tor Exit Node (41) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520041 || ET TOR Known Tor Exit Node (42) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520042 || ET TOR Known Tor Exit Node (43) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520043 || ET TOR Known Tor Exit Node (44) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520044 || ET TOR Known Tor Exit Node (45) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520045 || ET TOR Known Tor Exit Node (46) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520046 || ET TOR Known Tor Exit Node (47) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520047 || ET TOR Known Tor Exit Node (48) || 
url,doc.emergingthreats.net/bin/view/Main/TorRules 2520048 || ET TOR Known Tor Exit Node (49) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520049 || ET TOR Known Tor Exit Node (50) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520050 || ET TOR Known Tor Exit Node (51) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520051 || ET TOR Known Tor Exit Node (52) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520052 || ET TOR Known Tor Exit Node (53) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520053 || ET TOR Known Tor Exit Node (54) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520054 || ET TOR Known Tor Exit Node (55) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520055 || ET TOR Known Tor Exit Node (56) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520056 || ET TOR Known Tor Exit Node (57) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520057 || ET TOR Known Tor Exit Node (58) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520058 || ET TOR Known Tor Exit Node (59) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520059 || ET TOR Known Tor Exit Node (60) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520060 || ET TOR Known Tor Exit Node (61) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520061 || ET TOR Known Tor Exit Node (62) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520062 || ET TOR Known Tor Exit Node (63) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520063 || ET TOR Known Tor Exit Node (64) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520064 || ET TOR Known Tor Exit Node (65) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520065 || ET TOR Known Tor Exit Node (66) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520066 || ET TOR Known Tor Exit Node (67) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520067 || ET TOR Known Tor Exit Node (68) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520068 
|| ET TOR Known Tor Exit Node (69) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520069 || ET TOR Known Tor Exit Node (70) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520070 || ET TOR Known Tor Exit Node (71) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520071 || ET TOR Known Tor Exit Node (72) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520072 || ET TOR Known Tor Exit Node (73) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520073 || ET TOR Known Tor Exit Node (74) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520074 || ET TOR Known Tor Exit Node (75) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520075 || ET TOR Known Tor Exit Node (76) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520076 || ET TOR Known Tor Exit Node (77) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520077 || ET TOR Known Tor Exit Node (78) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520078 || ET TOR Known Tor Exit Node (79) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520079 || ET TOR Known Tor Exit Node (80) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520080 || ET TOR Known Tor Exit Node (81) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520081 || ET TOR Known Tor Exit Node (82) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520082 || ET TOR Known Tor Exit Node (83) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520083 || ET TOR Known Tor Exit Node (84) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520084 || ET TOR Known Tor Exit Node (85) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520085 || ET TOR Known Tor Exit Node (86) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520086 || ET TOR Known Tor Exit Node (87) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520087 || ET TOR Known Tor Exit Node (88) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520088 || ET TOR Known Tor Exit Node (89) || 
url,doc.emergingthreats.net/bin/view/Main/TorRules
2525163 || ET TOR Known Tor Exit Node - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/TorRules
2525164 || ET TOR Known Tor Exit Node - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/TorRules
2525165 || ET TOR Known Tor Exit Node - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/TorRules
2525166 || ET TOR Known Tor Exit Node - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/TorRules
2525167 || ET TOR Known Tor Exit Node - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/TorRules
2525168 || ET TOR Known Tor Exit Node - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/TorRules
2525169 || ET TOR Known Tor Exit Node - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/TorRules
2525170 || ET TOR Known Tor Exit Node - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/TorRules

-> Added to emerging-sid-msg.map.txt (393):
2008891 || ET TROJAN MEREDROP/micr0s0fts.cn Related Checkin
2008892 || ET MALWARE Smileware Connection Spyware Related User-Agent (Smileware Connection)
2008893 || ET TROJAN Perfect Keylogger Install Email Report
2008894 || ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)
2008895 || ET WEB_ACTIVEX Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite || url,milw0rm.com/exploits/7358 || bugtraq,32664
2008896 || ET WEB_SPECIFIC Bandwebsite lyrics.php id parameter Sql Injection || bugtraq,32454 || url,www.milw0rm.com/exploits/7215
2008897 || ET WEB_SPECIFIC MODx CMS snippet.reflect.php reflect_base Remote File Inclusion || url,secunia.com/advisories/32824/ || url,www.milw0rm.com/exploits/7204
2008898 || ET WEB_SPECIFIC MODx CMS snippet.reflect.php reflect_base Local File Inclusion || url,secunia.com/advisories/32824/ || url,www.milw0rm.com/exploits/7204
2008899 || ET WEB+SPECIFIC Pie RSS module lib parameter remote file inclusion || url,milw0rm.com/exploits/7225 || bugtraq,32465
2008900 || ET WEB_SPECIFIC ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/
2008901 || ET WEB_SPECIFIC ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/
2008902 || ET WEB_SPECIFIC ModernBill send_email_cache.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/
2008903 || ET WEB_SPECIFIC ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/
2008904 || ET WEB_SPECIFIC ModernBill nettools.popup.php DIR Parameter Remote File Inclusion || url,milw0rm.com/exploits/6916 || url,secunia.com/advisories/32529/
2008905 || ET TROJAN Trojan.Delf-5496 Checkin Error
2008906 || ET TROJAN Trojan.Delf-5496 Egg Request
2008907 || ET TROJAN Trojan.Delf-5496 File Manager Access Report
2008908 || ET TROJAN Trojan.Delf-5496 New Infection Report
2008909 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html
2008910 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html
2008911 || ET TROJAN Spyguarder.com Fake AV Install Report
2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
2406170 || ET RBN Known Russian Business Network Monitored Domains (171) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407170 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2500012 || ET COMPROMISED Known Compromised or Hostile Host
Traffic (13) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500013 || ET COMPROMISED Known Compromised or Hostile Host Traffic (14) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500014 || ET COMPROMISED Known Compromised or Hostile Host Traffic (15) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500015 || ET COMPROMISED Known Compromised or Hostile Host Traffic (16) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500016 || ET COMPROMISED Known Compromised or Hostile Host Traffic (17) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500017 || ET COMPROMISED Known Compromised or Hostile Host Traffic (18) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500018 || ET COMPROMISED Known Compromised or Hostile Host Traffic (19) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500019 || ET COMPROMISED Known Compromised or Hostile Host Traffic (20) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500020 || ET COMPROMISED Known Compromised or Hostile Host Traffic (21) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500021 || ET COMPROMISED Known Compromised or Hostile Host Traffic (22) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500022 || ET COMPROMISED Known Compromised or Hostile Host Traffic (23) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500023 || ET COMPROMISED Known Compromised or Hostile Host Traffic (24) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500024 || ET COMPROMISED Known Compromised or Hostile Host Traffic (25) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510012 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (13) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510013 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (14) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510014 || 
ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (15) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510015 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (16) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510016 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (17) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510017 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (18) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510018 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (19) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510019 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (20) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510020 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (21) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510021 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (22) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510022 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (23) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510023 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (24) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510024 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (25) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2520000 || ET TOR Known Tor Exit Node (1) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520001 || ET TOR Known Tor Exit Node (2) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520002 || ET TOR Known Tor Exit Node (3) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520003 || ET TOR Known Tor Exit Node (4) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520004 || ET TOR 
Known Tor Exit Node (5) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520005 || ET TOR Known Tor Exit Node (6) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520006 || ET TOR Known Tor Exit Node (7) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520007 || ET TOR Known Tor Exit Node (8) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520008 || ET TOR Known Tor Exit Node (9) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520009 || ET TOR Known Tor Exit Node (10) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520010 || ET TOR Known Tor Exit Node (11) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520011 || ET TOR Known Tor Exit Node (12) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520012 || ET TOR Known Tor Exit Node (13) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520013 || ET TOR Known Tor Exit Node (14) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520014 || ET TOR Known Tor Exit Node (15) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520015 || ET TOR Known Tor Exit Node (16) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520016 || ET TOR Known Tor Exit Node (17) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520017 || ET TOR Known Tor Exit Node (18) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520018 || ET TOR Known Tor Exit Node (19) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520019 || ET TOR Known Tor Exit Node (20) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520020 || ET TOR Known Tor Exit Node (21) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520021 || ET TOR Known Tor Exit Node (22) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520022 || ET TOR Known Tor Exit Node (23) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520023 || ET TOR Known Tor Exit Node (24) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520024 || ET TOR Known Tor Exit Node (25) || 
url,doc.emergingthreats.net/bin/view/Main/TorRules 2520066 || ET TOR Known Tor Exit Node (67) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520067 || ET TOR Known Tor Exit Node (68) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520068 || ET TOR Known Tor Exit Node (69) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520069 || ET TOR Known Tor Exit Node (70) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520070 || ET TOR Known Tor Exit Node (71) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520071 || ET TOR Known Tor Exit Node (72) || url,doc.emergingthreats.net/bin/view/Main/TorRules 2520072 || ET TOR Known Tor Exit Node (73) || url,