[Emerging-Sigs] Emerging Threats Daily Signature Changes
emerging@emergingthreats.net
Fri Mar 28 16:00:11 EST 2008
[***] Results from Oinkmaster started Fri Mar 28 17:00:11 2008 [***]
[+++] Added rules: [+++]
2008062 - ET WEB Univeral HTTP File Upload Remote File Deletetion (bleeding-web.rules)
2008063 - ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit (bleeding-exploit.rules)
2008064 - ET POLICY Nginx Server with no version string - Often Hostile Traffic (bleeding-policy.rules)
2008065 - ET POLICY Nginx Server with modified version string - Often Hostile Traffic (bleeding-policy.rules)
2008066 - ET MALWARE Suspicious Blank User-Agent (descriptor but no string) (bleeding-malware.rules)
[---] Disabled and modified rules: [---]
2008054 - ET POLICY Nginx Server in use - Often Hostile Traffic (bleeding-policy.rules)
[---] Disabled rules: [---]
2008045 - ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible Trojan Report (bleeding.rules)
[---] Removed rules: [---]
2007729 - ET CURRENT EVENTS Likely Zlob Binary Requested (VideoAccessCodecInstall.exe) (bleeding.rules)
2007760 - ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe) (bleeding.rules)
2007761 - ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe) (bleeding.rules)
2007902 - ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe) (bleeding.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-policy.rules (1):
# disabling by default, falses a lot but may be of interest to some folks
-> Added to bleeding-sid-msg.map (5):
2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272
2008063 || ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit || bugtraq,28245 || url,www.milw0rm.com/exploits/5248
2008064 || ET POLICY Nginx Server with no version string - Often Hostile Traffic
2008065 || ET POLICY Nginx Server with modified version string - Often Hostile Traffic
2008066 || ET MALWARE Suspicious Blank User-Agent (descriptor but no string)
-> Added to bleeding-sid-msg.map.txt (5):
2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272
2008063 || ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit || bugtraq,28245 || url,www.milw0rm.com/exploits/5248
2008064 || ET POLICY Nginx Server with no version string - Often Hostile Traffic
2008065 || ET POLICY Nginx Server with modified version string - Often Hostile Traffic
2008066 || ET MALWARE Suspicious Blank User-Agent (descriptor but no string)
-> Added to bleeding-web.rules (1):
#by akash mahajan of stillsecure
-> Added to bleeding.rules (1):
#disabling by default. Is used in some legit places as well. Use this if you have a need
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (4):
2007729 || ET CURRENT EVENTS Likely Zlob Binary Requested (VideoAccessCodecInstall.exe)
2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe)
2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)
-> Removed from bleeding-sid-msg.map.txt (4):
2007729 || ET CURRENT EVENTS Likely Zlob Binary Requested (VideoAccessCodecInstall.exe)
2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe)
2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)
-> Removed from bleeding.rules (2):
# by matt jonkman, to be removed/reconsidered on feb 20 08
#keeping this, still getting reports of hits