From emerging at emergingthreats.net Sat Nov 1 15:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 1 Nov 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081101200008.039A34502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Nov 1 16:00:07 2008 [***]

[*] Rules modifications: [*]
    None.

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (4):
       2500056 || ET COMPROMISED Known Compromised or Hostile Host Traffic (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500057 || ET COMPROMISED Known Compromised or Hostile Host Traffic (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510056 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510057 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Removed from emerging-sid-msg.map.txt (4):
       2500056 || ET COMPROMISED Known Compromised or Hostile Host Traffic (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500057 || ET COMPROMISED Known Compromised or Hostile Host Traffic (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510056 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510057 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From emerging at emergingthreats.net Sat Nov 1 17:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 1 Nov 2008 18:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20081101220008.E6AC94502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Nov 1 18:00:08 2008 [***]

[+++] Added rules: [+++]

    2008729 - SCAN Mini MySqlatOr SQL Injection Scanner (emerging-scan.rules)
    2008730 - ET TROJAN Ipbill.com Related Dialer Trojan Checkin (emerging-virus.rules)
    2008731 - ET TROJAN Ipbill.com Related Dialer Trojan Server Response (emerging-virus.rules)
    2008732 - ET TROJAN FraudTool.Win32.SysCleaner.a (emerging-virus.rules)
    2008733 - ET TROJAN Trojan.Win32.Regrun.ro FTP connection detected (emerging-virus.rules)
    2008734 - ET MALWARE Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0) (emerging-malware.rules)
    2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
    2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
    2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
    2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
    2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules)
    2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules)
    2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules)
    2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

    2002395 - ET MALWARE Miva User Agent (TPSystem) (emerging-malware.rules)
    2008655 - ET MALWARE Frequently Used Fake trojan downloader User Agent (Windows 5.1 (2600). DMCP ver 2) (emerging-malware.rules)
    2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401008 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
    2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
    2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
    2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
    2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
    2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
    2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
    2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
    2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
    2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
    2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
    2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
    2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
    2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
    2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
    2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
    2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
    2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
    2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
    2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
    2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
    2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
    2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
    2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
    2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
    2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
    2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
    2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
    2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
    2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
    2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
    2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
    2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
    2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
    2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
    2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
    2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
    2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
    2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
    2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
    2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
    2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
    2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
    2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
    2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
    2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
    2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
    2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
    2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
    2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
    2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
    2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
    2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
    2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
    2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
    2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
    2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
    2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
    2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
    2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
    2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
    2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
    2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
    2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
    2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
    2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
    2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
    2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
    2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
    2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
    2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
    2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
    2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
    2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
    2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
    2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
    2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
    2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
    2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
    2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
    2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
    2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
    2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)
    2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)
    2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules)
    2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules)

[---] Disabled rules: [---]

    2000427 - ET POLICY PE EXE Install Windows file download (emerging-policy.rules)

[---] Removed rules: [---]

    2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules)
    2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-drop-BLOCK.rules (2):
       # VERSION 1345
       # Generated 2008-11-01 00:03:02 EDT

    -> Added to emerging-drop.rules (2):
       # VERSION 1345
       # Generated 2008-11-01 00:03:02 EDT

    -> Added to emerging-policy.rules (1):
       #Disabling as it overlaps with 2000419

    -> Added to emerging-rbn-BLOCK.rules (2):
       # VERSION 81
       # Updated 2008-10-27 09:14:06

    -> Added to emerging-rbn.rules (2):
       # VERSION 81
       # Updated 2008-10-27 09:14:06

    -> Added to emerging-sid-msg.map (15):
       2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent (Windows 5.1 (2600). DMCP ver 2)
       2008729 || SCAN Mini MySqlatOr SQL Injection Scanner || url,www.scrt.ch/pages_en/minimysqlator.html
       2008730 || ET TROJAN Ipbill.com Related Dialer Trojan Checkin
       2008731 || ET TROJAN Ipbill.com Related Dialer Trojan Server Response
       2008732 || ET TROJAN FraudTool.Win32.SysCleaner.a
       2008733 || ET TROJAN Trojan.Win32.Regrun.ro FTP connection detected
       2008734 || ET MALWARE Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0)
       2406032 || ET RBN Known Russian Business Network Monitored Domains (33) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406033 || ET RBN Known Russian Business Network Monitored Domains (34) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406034 || ET RBN Known Russian Business Network Monitored Domains (35) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406035 || ET RBN Known Russian Business Network Monitored Domains (36) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407032 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407033 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407034 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407035 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

    -> Added to emerging-sid-msg.map.txt (15):
       2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent (Windows 5.1 (2600). DMCP ver 2)
       2008729 || SCAN Mini MySqlatOr SQL Injection Scanner || url,www.scrt.ch/pages_en/minimysqlator.html
       2008730 || ET TROJAN Ipbill.com Related Dialer Trojan Checkin
       2008731 || ET TROJAN Ipbill.com Related Dialer Trojan Server Response
       2008732 || ET TROJAN FraudTool.Win32.SysCleaner.a
       2008733 || ET TROJAN Trojan.Win32.Regrun.ro FTP connection detected
       2008734 || ET MALWARE Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0)
       2406032 || ET RBN Known Russian Business Network Monitored Domains (33) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406033 || ET RBN Known Russian Business Network Monitored Domains (34) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406034 || ET RBN Known Russian Business Network Monitored Domains (35) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406035 || ET RBN Known Russian Business Network Monitored Domains (36) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407032 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407033 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407034 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407035 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

    -> Added to emerging-virus.rules (2):
       #ref: c89eec06daf6ceb4ee1cdcd485db9916
       #re 05574ba46ca69e91bdeec740cd3af10c

[---] Removed non-rule lines: [---]

    -> Removed from emerging-drop-BLOCK.rules (2):
       # VERSION 1338
       # Generated 2008-10-25 00:03:02 EDT

    -> Removed from emerging-drop.rules (2):
       # VERSION 1338
       # Generated 2008-10-25 00:03:02 EDT

    -> Removed from emerging-rbn-BLOCK.rules (2):
       # VERSION 80
       # Updated 2008-10-08 09:28:13

    -> Removed from emerging-rbn.rules (2):
       # VERSION 80
       # Updated 2008-10-08 09:28:13

    -> Removed from emerging-sid-msg.map (13):
       2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent
       2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
       2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
       2500056 || ET COMPROMISED Known Compromised or Hostile Host Traffic (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500057 || ET COMPROMISED Known Compromised or Hostile Host Traffic (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500058 || ET COMPROMISED Known Compromised or Hostile Host Traffic (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500059 || ET COMPROMISED Known Compromised or Hostile Host Traffic (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500060 || ET COMPROMISED Known Compromised or Hostile Host Traffic (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510056 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510057 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510058 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510059 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510060 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Removed from emerging-sid-msg.map.txt (13):
       2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent
       2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
       2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
       2500056 || ET COMPROMISED Known Compromised or Hostile Host Traffic (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500057 || ET COMPROMISED Known Compromised or Hostile Host Traffic (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500058 || ET COMPROMISED Known Compromised or Hostile Host Traffic (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500059 || ET COMPROMISED Known Compromised or Hostile Host Traffic (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500060 || ET COMPROMISED Known Compromised or Hostile Host Traffic (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510056 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510057 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510058 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510059 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510060 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From dxp2532 at gmail.com Sun Nov 2 12:36:04 2008
From: dxp2532 at gmail.com (dxp)
Date: Sun, 02 Nov 2008 12:36:04 -0500
Subject: [Emerging-Sigs] ET POLICY PE EXE signatures
In-Reply-To: <490A0600.1050702@jonkmans.com>
References: <1225392384.6828.3.camel@kinta> <490A0600.1050702@jonkmans.com>
Message-ID: <1225647364.6432.8.camel@kinta>

I think the problem with these two sigs, well the one that's left, is that it specifically looks for the message in the DOS stub. This works well for most PE files but will not detect some which use some packers/crypters that don't use such a stub. I have a bunch in my collection which are not detected by any ET sigs.

I tried creating a sig using "byte_jump" to read 0x3C offset from "MZ" header to land in "PE" struct but was not able to get desired results. This is mainly due, at least in my understanding, to the fact that "byte_jump" pivots either from start of payload or relative to last match. However, for PE file one must pivot from start of MZ header.

Perhaps a simple "within" match for PE after MZ would be better to generically pick up any PE file. Something like:

    content:"MZ"; content:"PE|00 00|"; within:512;

-
-=[ dxp ]=-
0xA3F3C6E3

On Thu, 2008-10-30 at 15:07 -0400, Matt Jonkman wrote:
> You're right, and I think 2000419 appears to be the more accurate one.
> I'll drop 2000427 barring any objections to eliminate the duplicated
> effort.
>
> Already getting good stuff out of SIDReporter!!
>
> Matt
>
> dxp wrote:
> > http://doc.emergingthreats.net/2000427
> > http://doc.emergingthreats.net/2000419
> >
> > Seems like these two are more or less the same stuff. Wouldn't it make
> > more sense to combine into one?
> > I noticed this while looking at the SidReporter statistics. I think
> > having one signature to detect any PE executable is more efficient as
> > well as better for statistics.
> >
> > -
> >
> > -=[ dxp ]=-
> > 0xA3F3C6E3
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081102/ab357e03/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081102/ab357e03/attachment.bin

From emerging at emergingthreats.net Sun Nov 2 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 2 Nov 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081102210008.56FF24502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Nov 2 16:00:08 2008 [***]

[*] Rules modifications: [*]
    None.
[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (2):
       2500055 || ET COMPROMISED Known Compromised or Hostile Host Traffic (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Removed from emerging-sid-msg.map.txt (2):
       2500055 || ET COMPROMISED Known Compromised or Hostile Host Traffic (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From emerging at emergingthreats.net Mon Nov 3 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 3 Nov 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081103210008.6AFA14502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Nov 3 16:00:08 2008 [***]

[+++] Added rules: [+++]

    2008735 - ET MALWARE Suspicious User Agent (FTP) (emerging-malware.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-malware.rules (1):
       #Pedro Marinho

    -> Added to emerging-sid-msg.map (1):
       2008735 || ET MALWARE Suspicious User Agent (FTP)

    -> Added to emerging-sid-msg.map.txt (1):
       2008735 || ET MALWARE Suspicious User Agent (FTP)

From jonkman at jonkmans.com Mon Nov 3 22:53:46 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 03 Nov 2008 22:53:46 -0500
Subject: [Emerging-Sigs] BotHunter Windows XP and Live CD Releases
Message-ID: <490FC74A.1090502@jonkmans.com>

Great news from the BotHunter Team. The Windows XP and Self-booting CD Releases of BotHunter are now available for download at:

http://www.bothunter.net

The Unix (Beta 4 release) of BotHunter is also available at this website.

If you're not familiar with BotHunter, you should be. :) It uses a number of tools like Snort, our Emerging Threats rulesets, and many more, all in one package, to identify malicious traffic. It will work wonders on bot command and control channels long before we have signatures for it.

The XP version is a huge step forward for them. Please give it a try. All free stuff of course, and highly recommended.

Let us know how it goes!

Matt

--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From wolvee_x at yahoo.com Tue Nov 4 02:47:34 2008
From: wolvee_x at yahoo.com (Mahesh Yelsani)
Date: Mon, 3 Nov 2008 23:47:34 -0800 (PST)
Subject: [Emerging-Sigs] distance with uricontent
Message-ID: <61472.18616.qm@web59604.mail.ac4.yahoo.com>

Hi,

When I am using

    uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; distance:0;

instead of

    pcre:"/UNION.+SELECT/Ui"

the distance descriptor is not working as we expected with the uricontent keyword.

    uricontent:"SELECT"; nocase; uricontent:"UNION"; nocase; distance:0;

This case is also passing.

Thanks,
Wolvee
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081103/dbb6d969/attachment.html

From jonkman at jonkmans.com Tue Nov 4 12:19:59 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 04 Nov 2008 12:19:59 -0500
Subject: [Emerging-Sigs] distance with uricontent
In-Reply-To: <61472.18616.qm@web59604.mail.ac4.yahoo.com>
References: <61472.18616.qm@web59604.mail.ac4.yahoo.com>
Message-ID: <4910843F.6000600@jonkmans.com>

Unfortunately anything location-relevant doesn't apply to uricontent. Since it's normalized, the length of the string, and therefore the position of characters, may be different from the actual payload (vs normalized). So they just don't apply.
You can go with a content: match if you want to take the risk of being evaded by a formatting change (such as %20 vs a space, unicode, etc). Depends on what you're hoping to see and who your attacker might be. The good news is you can use a pcre to do similar. The /U in pcre says use the normalized form, not the raw. So you can then do positional things in pcre. Just be sure to anchor it with a uri match to keep the load down. Matt Mahesh Yelsani wrote: > Hi, > > when I am using "uricontent:"UNION"; nocase; uricontent:"SELECT"; > nocase; distance:0;" Instead of pcre:"/UNION.+SELECT/Ui" the distance > descriptor is not working as we expected with the uricontent keyword. > > uricontent:"SELECT"; nocase; uricontent:"UNION"; nocase; distance:0; > > This case also passing. > > Thanks, > Wolvee > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From emerging at emergingthreats.net Tue Nov 4 16:00:09 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Tue, 4 Nov 2008 16:00:09 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081104210009.0C6884502B@goliath.jonkmans.com> [***] Results from Oinkmaster started Tue Nov 4 16:00:08 2008 [***] [+++] Added rules: [+++] 2008736 - ET MALWARE Borlander Adware Checkin (emerging-malware.rules) 2008737 - ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin (emerging.rules) 2008738 - ET CURRENT_EVENTS Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot Trojan Related (emerging.rules) 2008739 - ET 
CURRENT_EVENTS MS08067 Worm Traffic Outbound (emerging.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-malware.rules (1): #by Jeffrey Brown -> Added to emerging-sid-msg.map (4): 2008736 || ET MALWARE Borlander Adware Checkin 2008737 || ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin 2008738 || ET CURRENT_EVENTS Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot Trojan Related 2008739 || ET CURRENT_EVENTS MS08067 Worm Traffic Outbound -> Added to emerging-sid-msg.map.txt (4): 2008736 || ET MALWARE Borlander Adware Checkin 2008737 || ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin 2008738 || ET CURRENT_EVENTS Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot Trojan Related 2008739 || ET CURRENT_EVENTS MS08067 Worm Traffic Outbound -> Added to emerging.rules (1): #by David Wharton From chris.misztur at yahoo.com Wed Nov 5 10:38:03 2008 From: chris.misztur at yahoo.com (chris mr) Date: Wed, 5 Nov 2008 07:38:03 -0800 (PST) Subject: [Emerging-Sigs] sidreporter install Message-ID: <357282.50651.qm@web63707.mail.re1.yahoo.com> I am having some trouble installing sidreporter. sidreport.pl fails since it can not find GnuPG.pm (broken so I did not install). I did install GNUPG with apt-get as well as Perl's Crypt::OpenPGP but I do not know how to get either of those to work with sidreporter. Any help would be appreciated. Chris From lists at inliniac.net Wed Nov 5 11:02:08 2008 From: lists at inliniac.net (Victor Julien) Date: Wed, 05 Nov 2008 17:02:08 +0100 Subject: [Emerging-Sigs] sidreporter install In-Reply-To: <357282.50651.qm@web63707.mail.re1.yahoo.com> References: <357282.50651.qm@web63707.mail.re1.yahoo.com> Message-ID: <4911C380.4020704@inliniac.net> chris mr wrote: > I am having some trouble installing sidreporter. > > sidreport.pl fails since it can not find GnuPG.pm (broken so I did not install). 
I did install GNUPG with apt-get as well as Perl's Crypt::OpenPGP but I do not know how to get either of those to work with sidreporter. > > Any help would be appreciated. > > Hi Chris, Installing the libgnupg-perl package using apt should work. Afaik only the GnuPG.pm from CPAN is broken. Distros generally fixed it. Hope this helps! Cheers, Victor From jonkman at jonkmans.com Wed Nov 5 12:16:20 2008 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 05 Nov 2008 12:16:20 -0500 Subject: [Emerging-Sigs] sidreporter install In-Reply-To: <4911C380.4020704@inliniac.net> References: <357282.50651.qm@web63707.mail.re1.yahoo.com> <4911C380.4020704@inliniac.net> Message-ID: <4911D4E4.4090401@jonkmans.com> Did that fix things up for you, Chris? Any other issues during install? Suggestions? Matt Victor Julien wrote: > chris mr wrote: >> I am having some trouble installing sidreporter. >> >> sidreport.pl fails since it can not find GnuPG.pm (broken so I did not install). I did install GNUPG with apt-get as well as Perl's Crypt::OpenPGP but I do not know how to get either of those to work with sidreporter. >> >> Any help would be appreciated. >> >> > Hi Chris, > > Installing the libgnupg-perl package using apt should work. Afaik only > the GnuPG.pm from CPAN is broken. Distros generally fixed it. > > Hope this helps! 
> > Cheers, > Victor > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From emerging at emergingthreats.net Wed Nov 5 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Wed, 5 Nov 2008 16:00:08 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081105210008.CB62145026@goliath.jonkmans.com> [***] Results from Oinkmaster started Wed Nov 5 16:00:08 2008 [***] [*] Rules modifications: [*] None. [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (2): 2402000 || ET DROP Dshield Block Listed Source || url,feeds.dshield.org/block.txt 2403000 || ET DROP Dshield Block Listed Source - BLOCKING || url,feeds.dshield.org/block.txt -> Removed from emerging-sid-msg.map.txt (2): 2402000 || ET DROP Dshield Block Listed Source || url,feeds.dshield.org/block.txt 2403000 || ET DROP Dshield Block Listed Source - BLOCKING || url,feeds.dshield.org/block.txt From chris.misztur at yahoo.com Wed Nov 5 17:01:37 2008 From: chris.misztur at yahoo.com (chris mr) Date: Wed, 5 Nov 2008 14:01:37 -0800 (PST) Subject: [Emerging-Sigs] sidreporter install References: Message-ID: <178353.27984.qm@web63707.mail.re1.yahoo.com> Thanks Victor. libgnupg-perl package did the trick. 
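The uricontent/distance exchange earlier in this digest (Wolvee's question and Matt's answer) is easier to see with a small model. The Python below is an added example written for this page, not code from the thread or from Snort. normalize_uri is a deliberately simplified stand-in for what Snort's HTTP preprocessor does (one round of percent-decoding plus collapsing repeated slashes; that simplification is an assumption, the real normalizer also handles double encoding, unicode and directory traversal), and the three request URIs are constructed. It shows why a byte offset in the raw payload does not survive normalization (so offset/depth/distance have nothing to anchor to on the normalized buffer), why a raw content: match is evaded by %20 or %55NION, why two uricontent matches with distance:0 still fire with the keywords in either order, and why pcre /U with UNION.+SELECT enforces the order.

```python
import re
from urllib.parse import unquote

# Constructed sample request URIs (not taken from real traffic).
SAMPLES = {
    "encoded":    "/search.php?id=1%20UNION%20ALL%20SELECT%201,2,3",
    "obfuscated": "/search.php?id=1%20%55NION%20ALL%20%53ELECT%201,2,3",
    "reversed":   "/search.php?id=1%20SELECT%201%20UNION%20ALL",
}


def normalize_uri(raw: str) -> str:
    """Simplified model of URI normalization (assumption: one round of %XX
    decoding and collapsing of repeated slashes; the real http_inspect
    preprocessor does more, e.g. double decoding, unicode, traversal)."""
    decoded = unquote(raw)
    return re.sub(r"/+", "/", decoded)


def keyword_offsets(raw: str, keyword: str = "SELECT") -> tuple:
    """Offset of `keyword` in the raw payload vs. in the normalized URI.
    The two differ whenever encoding changed the string length, which is
    why positional modifiers cannot be applied to uricontent."""
    norm = normalize_uri(raw)
    return raw.lower().find(keyword.lower()), norm.lower().find(keyword.lower())


def raw_content_match(raw: str, needle: str) -> bool:
    """content:"needle"; nocase;  -- runs on the unnormalized payload."""
    return needle.lower() in raw.lower()


def uricontent_pair(raw: str) -> bool:
    """uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; distance:0;
    distance is ignored on the normalized buffer, so this is just
    'both keywords present, in any order'."""
    norm = normalize_uri(raw).lower()
    return "union" in norm and "select" in norm


ORDERED = re.compile(r"UNION.+SELECT", re.IGNORECASE)


def pcre_U_match(raw: str) -> bool:
    """pcre:"/UNION.+SELECT/Ui"  -- ordered match on the normalized URI."""
    return ORDERED.search(normalize_uri(raw)) is not None


def evaluate(raw: str) -> dict:
    """Run the three detection styles against one request URI."""
    return {
        "raw_content_UNION_ALL_SELECT": raw_content_match(raw, "UNION ALL SELECT"),
        "uricontent_pair": uricontent_pair(raw),
        "pcre_U_ordered": pcre_U_match(raw),
    }


if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(f"{name:10s} offsets(raw, normalized)={keyword_offsets(uri)} {evaluate(uri)}")
```

The "reversed" sample is the case Wolvee reports as "also passing": both uricontent matches succeed regardless of order, while the /U pcre only fires when SELECT follows UNION. In a rule the pcre belongs behind a uricontent match, as Matt says, so the regex is only evaluated on requests that already contain the keyword.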
From emerging at emergingthreats.net Thu Nov 6 16:00:09 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Thu, 6 Nov 2008 16:00:09 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081106210009.22EBD4501B@goliath.jonkmans.com> [***] Results from Oinkmaster started Thu Nov 6 16:00:09 2008 [***] [*] Rules modifications: [*] None. [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (4): 2402000 || ET DROP Dshield Block Listed Source || url,feeds.dshield.org/block.txt 2403000 || ET DROP Dshield Block Listed Source - BLOCKING || url,feeds.dshield.org/block.txt 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org -> Added to emerging-sid-msg.map.txt (4): 2402000 || ET DROP Dshield Block Listed Source || url,feeds.dshield.org/block.txt 2403000 || ET DROP Dshield Block Listed Source - BLOCKING || url,feeds.dshield.org/block.txt 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org From r.fulton at auckland.ac.nz Thu Nov 6 18:50:05 2008 From: r.fulton at auckland.ac.nz (Russell Fulton) Date: Fri, 7 Nov 2008 12:50:05 +1300 Subject: [Emerging-Sigs] false +ve for ET MALWARE Winsoftware.com Spyware User-Agent (Updater) 2003470 Message-ID: <0D6722C0-E3D6-4209-9A95-FE4D55787E1A@auckland.ac.nz> emule uses this User-Agent string... 
META
SID CID TimeStamp Signature Sig ID
4 8897200 2008-11-07 09:15:32 ET MALWARE Winsoftware.com Spyware User-Agent (Updater) 2003470
Sensor Hostname Sensor Interface
dmzi.insec.auckland.ac.nz Inside dmz
IP
Source Address Dest Address Ver Hdr Len TOS length ID flags offset TTL chksum
130.216.67.30 210.51.44.91 4 5 0 360 2344 2 0 126 11747
Resolved Source Resolved Dest
n.yao3.nzai.auckland.ac.nz Could Not Resolve
TCP
Source Port Dest Port Seq Ack Offset Reserved Flags Window Checksum Urgent Ptr
1115 80 1599342910 603622016 5 0 24 64512 16745 0
Options
None
Flags
RB 1 RB 0 URG ACK PSH RST SYN FIN

DATA

GET /updateinfo HTTP/1.1..User-Agent: updater..Host: update.emule.org.cn..Connection: Keep-Alive..Cache-Control: no-cache..Cookie: __utma=157134127.179130854.1222570783.1222570783.1223237918.2; __utmz=157134127.1222570783.1.1.utmccn=(referral)|utmcsr=lib.verycd.com|utmcct=/2005/09/30/0000067047.html|utmcmd=referral....

From rmkml at free.fr Fri Nov 7 00:52:00 2008
From: rmkml at free.fr (rmkml)
Date: Fri, 7 Nov 2008 06:52:00 +0100 (CET)
Subject: [Emerging-Sigs] Bro Emerging rules error
Message-ID:

Hi,

When I download today: http://www.emergingthreats.net/bro/emerging-bro-all.sig
I have errors: (remove extra carriage return)

1) signature sid-2008407-rev1 { payload /.*([sS][nN][aA][pP][sS][hH][oO][tT][pP][aA][tT][hH]|[cC][oO][mM][pP][rR][eE][sS][sS][eE][dD][pP][aA][tT][hH]|[pP][rR][iI][nN][tT][sS][nN][aA][pP][sS][hH][oO][tT])/

2) signature sid-2008408-rev1 { payload /.*([sS][nN][aA][pP][sS][hH][oO][tT][pP][aA][tT][hH]|[cC][oO][mM][pP][rR][eE][sS][sS][eE][dD][pP][aA][tT][hH]|[pP][rR][iI][nN][tT][sS][hH][oO][tT])/

3) signature sid-2008409-rev1 { payload /.*([sS][nN][aA][pP][sS][hH][oO][tT][pP][aA][tT][hH]|[cC][oO][mM][pP][rR][eE][sS][sS][eE][dD][pP][aA][tT][hH]|[pP][rR][iI][nN][tT][sS][hH][oO][tT])/

4) signature sid-2008473-rev2 { payload /GET[[:space:]]+[^\x0A\x0D]+\x3Fmod\x3D[[:alnum:]_]+\x26id\x3D[^\x26[:space:]]+\x5F[[:alnum:]_]+\x26up\x3D[^\x26]+\x26mid\x3D[^\x26[:space:]]+/

Thx for good rules (E.T.) and good tools (Bro)!

Regards
Rmkml
Crusoe-Researches.com

From chris.misztur at yahoo.com Fri Nov 7 10:06:12 2008
From: chris.misztur at yahoo.com (chris mr)
Date: Fri, 7 Nov 2008 07:06:12 -0800 (PST)
Subject: [Emerging-Sigs] sidreporter install
References:
Message-ID: <410917.94234.qm@web63705.mail.re1.yahoo.com>

I am trying to create a symbolic link in /etc/cron.daily for sidreport.pl. However, when I execute the symbolic link from /etc/cron.daily the code is failing in sidreport.pl's main sub since it can't instantiate the SnortDB and SidreportEvent classes. I added:

use lib "/usr/local/bin/snort/sidreporter";

but I do not know how to get these lines to work:

my SidreportEvent $e = new SidreportEvent;
my SnortDB $s = new SnortDB;

Thanks for your help

Chris

From philipp at bescht.de Fri Nov 7 10:41:41 2008
From: philipp at bescht.de (Philipp Bescht)
Date: Fri, 7 Nov 2008 16:41:41 +0100
Subject: [Emerging-Sigs] sidreporter install
In-Reply-To: <410917.94234.qm@web63705.mail.re1.yahoo.com>
References: <410917.94234.qm@web63705.mail.re1.yahoo.com>
Message-ID: <20081107164141.6a689724@desktop.philnet>

Hi Chris,

use lib "/usr/local/bin/snort/sidreporter";

afaik, this should work if: this line is specified in the list of namespace roots BEFORE 'use SnortDB;' and 'use SidreportEvent;' and those two packages are located in the directory /usr/local/bin/snort/sidreporter

Hope that helps :)

Regards,
Philipp

On Fri, 7 Nov 2008 07:06:12 -0800 (PST) chris mr wrote:
> I am trying to create a symbolic link in /etc/cron.daily for
> sidreport.pl. However, when I execute the symbolic link
> from /etc/cron.daily the code is failing in sidreport.pl's main sub
> since it can't instantiate the SnortDB and SidreportEvent classes.
I > added : > > use lib "/usr/local/bin/snort/sidreporter"; > > but I do not know how to get these lines to work: > > my SidreportEvent $e = new SidreportEvent; > my SnortDB $s = new SnortDB; > > Thanks for your help > > Chris > > > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs From chris.misztur at yahoo.com Fri Nov 7 11:24:26 2008 From: chris.misztur at yahoo.com (chris mr) Date: Fri, 7 Nov 2008 08:24:26 -0800 (PST) Subject: [Emerging-Sigs] sidreporter install References: <410917.94234.qm@web63705.mail.re1.yahoo.com> <20081107164141.6a689724@desktop.philnet> Message-ID: <251373.42910.qm@web63701.mail.re1.yahoo.com> That works. I also had to set $cnflocation to include the absolute path of the .conf file. Thanks. ----- Original Message ---- From: Philipp Bescht To: chris mr Cc: emerging-sigs at emergingthreats.net Sent: Friday, November 7, 2008 9:41:41 AM Subject: Re: [Emerging-Sigs] sidreporter install Hi Chris, use lib "/usr/local/bin/snort/sidreporter"; afaik, this should work if: this line is specified in the list of namespace roots BEFORE 'use SnortDB;' and 'use SidreportEvent;' and those two packages are located in the directory /usr/local/bin/snort/sidreporter Hope that helps :) Regards, Philipp On Fri, 7 Nov 2008 07:06:12 -0800 (PST) chris mr wrote: > I am trying to create a symbolic link in /etc/cron.daily for > sidreport.pl. However, when I execute the symbolic link > from /etc/cron.daily the code is failing in sidreport.pl's main sub > since it can't instantiate the SnortDB and SidreportEvent classes. 
I > added : > > use lib "/usr/local/bin/snort/sidreporter"; > > but I do not know how to get these lines to work: > > my SidreportEvent $e = new SidreportEvent; > my SnortDB $s = new SnortDB; > > Thanks for your help > > Chris > > > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs From jonkman at jonkmans.com Fri Nov 7 11:44:38 2008 From: jonkman at jonkmans.com (Matt Jonkman) Date: Fri, 07 Nov 2008 11:44:38 -0500 Subject: [Emerging-Sigs] false +ve for ET MALWARE Winsoftware.com Spyware User-Agent (Updater) 2003470 In-Reply-To: <0D6722C0-E3D6-4209-9A95-FE4D55787E1A@auckland.ac.nz> References: <0D6722C0-E3D6-4209-9A95-FE4D55787E1A@auckland.ac.nz> Message-ID: <49147076.8070606@jonkmans.com> I guess we could just use a content:!"emule.org"; Anyone see an issue with that? Matt Russell Fulton wrote: > emule uses this User-Agent string... > > META > SID CID TimeStamp Signature Sig ID > 4 8897200 2008-11-07 09:15:32 ET MALWARE Winsoftware.com Spyware User- > Agent (Updater) 2003470 > Sensor Hostname Sensor Interface > dmzi.insec.auckland.ac.nz Inside dmz > IP > Source Address Dest Address Ver Hdr Len TOS length ID flags offset TTL > chksum > 130.216.67.30 210.51.44.91 4 5 0 360 2344 2 0 126 11747 > Resolved Source Resolved Dest > n.yao3.nzai.auckland.ac.nz Could Not Resolve > TCP > Source Port Dest Port Seq Ack Offset Reserved Flags Window Checksum > Urgent Ptr > 1115 80 1599342910 603622016 5 0 24 64512 16745 0 > Options > None > Flags > RB 1 RB 0 URG ACK PSH RST SYN FIN > > DATA > > GET /updateinfo HTTP/1.1..User-Agent: updater..Host: update. > emule.org.cn..Connection: Keep-Alive..Cache-Control: no-cach > e..Cookie: __utma=157134127.179130854.1222570783.1222570783. > 1223237918.2; __utmz=157134127.1222570783.1.1.utmccn=(referr > al)|utmcsr=lib.verycd.com|utmcct=/2005/09/30/0000067047.html > |utmcmd=referral.... 
> > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From frank at knobbe.us Fri Nov 7 13:02:21 2008 From: frank at knobbe.us (Frank Knobbe) Date: Fri, 07 Nov 2008 12:02:21 -0600 Subject: [Emerging-Sigs] false +ve for ET MALWARE Winsoftware.com Spyware User-Agent (Updater) 2003470 In-Reply-To: <49147076.8070606@jonkmans.com> References: <0D6722C0-E3D6-4209-9A95-FE4D55787E1A@auckland.ac.nz> <49147076.8070606@jonkmans.com> Message-ID: <1226080941.31163.1.camel@localhost> On Fri, 2008-11-07 at 11:44 -0500, Matt Jonkman wrote: > I guess we could just use a content:!"emule.org"; Is emule.org.cn (<-!) a valid mirror for emule.org? -Frank -- It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: This is a digitally signed message part Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081107/ae5396d3/attachment.bin From staneyre at bol.com.br Fri Nov 7 13:49:14 2008 From: staneyre at bol.com.br (staneyre) Date: Fri, 7 Nov 2008 16:49:14 -0200 Subject: [Emerging-Sigs] Rules to detect attempts to use the software FreeGate anonymous access to the Internet. Message-ID: <49148daabb55_6ccc15be8dae4eb03271@winter10.tmail> An HTML attachment was scrubbed... 
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081107/6e687999/attachment.html From phatbuckett at gmail.com Fri Nov 7 14:20:45 2008 From: phatbuckett at gmail.com (Darren Spruell) Date: Fri, 7 Nov 2008 12:20:45 -0700 Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes In-Reply-To: <20081104210009.0C6884502B@goliath.jonkmans.com> References: <20081104210009.0C6884502B@goliath.jonkmans.com> Message-ID: <839aec700811071120m1b21a7b5o28c9fe5ae2a19fa7@mail.gmail.com> On Tue, Nov 4, 2008 at 2:00 PM, wrote: > 2008737 - ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin (emerging.rules) > 2008739 - ET CURRENT_EVENTS MS08067 Worm Traffic Outbound (emerging.rules) Nitpicky, really, but someone searching for the correct vulnerability identifier "MS08-067" might miss these rules. # Change MS08-67 to MS08-067 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/kernel/zz.htm?"; uricontent:"Ver="; classtype:trojan-activity; sid:2008737; rev:3;) # Change MS08067 to MS08-067 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound"; flowbits:isset,ET.ms08067_header; flow:established,to_server; content:"If-None-Match|3A| |22|60794|2D|12b3|2D|e4169440|22|"; nocase; classtype:trojan-activity; sid:2008739; rev:2;) -- Darren Spruell phatbuckett at gmail.com From emerging at emergingthreats.net Fri Nov 7 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Fri, 7 Nov 2008 16:00:08 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081107210008.613904501B@goliath.jonkmans.com> [***] Results from Oinkmaster started Fri Nov 7 16:00:08 2008 [***] [+++] Added rules: [+++] 2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules) 2406037 - ET RBN 
Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) [///] Modified active rules: [///] 2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) 
(emerging-rbn.rules) 2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network 
Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 
2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 82 # Updated 2008-11-06 09:42:34 -> Added to emerging-rbn.rules (2): # VERSION 82 # Updated 2008-11-06 09:42:34 -> Added to emerging-sid-msg.map (18): 2406036 || ET RBN Known Russian Business Network Monitored Domains (37) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406037 || ET RBN Known Russian Business Network Monitored Domains (38) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406038 || ET RBN Known Russian Business Network Monitored Domains (39) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406039 || ET RBN Known Russian Business Network Monitored Domains (40) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406040 || ET RBN Known Russian Business Network Monitored Domains (41) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406041 || ET RBN Known Russian Business Network Monitored Domains (42) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406042 || ET RBN Known Russian Business Network Monitored Domains (43) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406043 || ET RBN Known Russian Business Network Monitored Domains (44) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406044 || ET RBN Known Russian Business Network Monitored Domains (45) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407036 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407037 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407038 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407039 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407040 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407041 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407042 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407043 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407044 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork -> Added to emerging-sid-msg.map.txt (18): 2406036 || ET RBN Known Russian Business Network Monitored Domains (37) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406037 || ET RBN Known Russian Business Network Monitored Domains (38) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406038 || ET RBN Known Russian Business Network Monitored Domains (39) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406039 || ET RBN Known Russian Business Network Monitored Domains (40) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406040 || ET RBN Known Russian Business Network Monitored Domains (41) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406041 || ET RBN Known Russian Business Network Monitored Domains (42) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406042 || ET RBN Known Russian Business Network Monitored Domains (43) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406043 || ET RBN Known Russian Business Network Monitored Domains (44) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406044 || ET RBN Known Russian Business Network Monitored Domains (45) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407036 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407037 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407038 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407039 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407040 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407041 || ET RBN Known Russian Business Network Monitored 
Domains - BLOCKING (42) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407042 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407043 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407044 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork [---] Removed non-rule lines: [---] -> Removed from emerging-rbn-BLOCK.rules (2): # VERSION 81 # Updated 2008-10-27 09:14:06 -> Removed from emerging-rbn.rules (2): # VERSION 81 # Updated 2008-10-27 09:14:06 -> Removed from emerging-sid-msg.map (2): 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org -> Removed from emerging-sid-msg.map.txt (2): 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org From jgimer at gmail.com Fri Nov 7 20:53:51 2008 From: jgimer at gmail.com (Joshua Gimer) Date: Fri, 7 Nov 2008 18:53:51 -0700 Subject: [Emerging-Sigs] Sig Adobe Reader vulnerability exploited in the wild Message-ID: All, Could you please review this sig? I am far from being even decent at writing these rules, but thought that I would create one for the worm activity that has been reported to SANS ISC due to the lack of Anti-Virus coverage. 
http://isc.sans.org/diary.html?storyid=5312

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit"; flow:established,to_server; content:"|25 50 44 46|"; pcre:"util\.printf\(unescape(\(""\+"%"\+")?25%34%35%30%30%30%66"?\), (nm)?\)"; classtype:malware-activity; reference:url, isc.sans.org/diary.html?storyid=5312; reference:url, cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992; sid:2008117; rev:1;)

--
Thx
Joshua Gimer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081107/208a26ce/attachment-0001.html

From jgimer at gmail.com Fri Nov 7 21:06:34 2008
From: jgimer at gmail.com (Joshua Gimer)
Date: Fri, 7 Nov 2008 19:06:34 -0700
Subject: [Emerging-Sigs] UPDATE: Sig Adobe Reader vulnerability exploited in the wild
Message-ID:

Here is the new one.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit"; flow:established,to_server; content:"|25 50 44 46|"; pcre:"/util\.printf\(unescape(\(""\+"%"\+")?25%34%35%30%30%30%66"?\), (nm)?\)/"; classtype:trojan-activity; reference:url, isc.sans.org/diary.html?storyid=5312; reference:url, cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992; sid:2008117; rev:1;)

--
Thx
Joshua Gimer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081107/60d39011/attachment.html

From urule99 at gmail.com Fri Nov 7 22:56:00 2008
From: urule99 at gmail.com (Blake Hartstein)
Date: Fri, 07 Nov 2008 22:56:00 -0500
Subject: [Emerging-Sigs] UPDATE: Sig Adobe Reader vulnerability exploited in the wild
In-Reply-To:
References:
Message-ID: <49150DD0.9030107@gmail.com>

Josh,

Thanks for the signature. However, I'm afraid this will not detect this issue. Malicious PDF files have encoded and encrypted JavaScript, therefore you will likely never see the util.printf string on the network.

Blake

Joshua Gimer wrote:
> Here is the new one.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit"; flow:established,to_server; content:"|25 50 44 46|"; pcre:"/util\.printf\(unescape(\(""\+"%"\+")?25%34%35%30%30%30%66"?\), (nm)?\)/"; classtype:trojan-activity; reference:url, isc.sans.org/diary.html?storyid=5312; reference:url, cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992; sid:2008117; rev:1;)
>

From bojan.isc at gmail.com Sat Nov 8 04:01:14 2008
From: bojan.isc at gmail.com (Bojan Zdrnja (SANS ISC))
Date: Sat, 8 Nov 2008 10:01:14 +0100
Subject: [Emerging-Sigs] Sig Adobe Reader vulnerability exploited in the wild
In-Reply-To:
References:
Message-ID: <9d6a1ae60811080101n4eee1feco2546831ec9597fec@mail.gmail.com>

Joshua,

On Sat, Nov 8, 2008 at 2:53 AM, Joshua Gimer wrote:
> All,
>
> Could you please review this sig? I am far from being even decent at writing these rules, but thought that I would create one for the worm activity that has been reported to SANS ISC due to the lack of Anti-Virus coverage.
>
> http://isc.sans.org/diary.html?storyid=5312
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit"; flow:established,to_server; content:"|25 50 44 46|"; pcre:"util\.printf\(unescape(\(""\+"%"\+")?25%34%35%30%30%30%66"?\), (nm)?\)"; classtype:malware-activity; reference:url,isc.sans.org/diary.html?storyid=5312; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992; sid:2008117; rev:1;)

This won't work because the JavaScript part is obfuscated, and deflated in the PDF document.
Frankly, this doesn't look to me like something we should write a sig for -- there are just too many ways for obfuscating things and changing the content.

Probably the best way is to catch outgoing connections, once the machine gets infected.

Cheers,

Bojan

From jgimer at gmail.com Sat Nov 8 12:12:10 2008
From: jgimer at gmail.com (Joshua Gimer)
Date: Sat, 8 Nov 2008 10:12:10 -0700
Subject: [Emerging-Sigs] Sig Adobe Reader vulnerability exploited in the wild
In-Reply-To: <9d6a1ae60811080101n4eee1feco2546831ec9597fec@mail.gmail.com>
References: <9d6a1ae60811080101n4eee1feco2546831ec9597fec@mail.gmail.com>
Message-ID:

Outgoing connections to where? There was nothing in your ISC post? Maybe the rule focus is incorrect; we could write a rule to watch for these outgoing connections?

With roughly 10,000 machines there is no way that I am going to be able to minimize the risk that is associated with this active exploitation through patching Adobe installations. That was why I was trying to find another way to find possibly infected machines.

Josh

On Sat, Nov 8, 2008 at 2:01 AM, Bojan Zdrnja (SANS ISC) wrote:
> Joshua,
>
> On Sat, Nov 8, 2008 at 2:53 AM, Joshua Gimer wrote:
> > All,
> >
> > Could you please review this sig? I am far from being even decent at writing these rules, but thought that I would create one for the worm activity that has been reported to SANS ISC due to the lack of Anti-Virus coverage.
> >
> > http://isc.sans.org/diary.html?storyid=5312
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit"; flow:established,to_server; content:"|25 50 44 46|"; pcre:"util\.printf\(unescape(\(""\+"%"\+")?25%34%35%30%30%30%66"?\), (nm)?\)"; classtype:malware-activity; reference:url,isc.sans.org/diary.html?storyid=5312; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992; sid:2008117; rev:1;)
>
> This won't work because the JavaScript part is obfuscated, and deflated in the PDF document.
> Frankly, this doesn't look to me like something we should write a sig for -- there are just too many ways for obfuscating things and changing the content.
>
> Probably the best way is to catch outgoing connections, once the machine gets infected.
>
> Cheers,
>
> Bojan
>

--
Thx
Joshua Gimer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081108/fc744252/attachment.html

From bojan.isc at gmail.com Sat Nov 8 16:14:17 2008
From: bojan.isc at gmail.com (Bojan Zdrnja (SANS ISC))
Date: Sat, 8 Nov 2008 22:14:17 +0100
Subject: [Emerging-Sigs] Sig Adobe Reader vulnerability exploited in the wild
In-Reply-To:
References: <9d6a1ae60811080101n4eee1feco2546831ec9597fec@mail.gmail.com>
Message-ID: <9d6a1ae60811081314p4aea9880w43a084481cba884f@mail.gmail.com>

On Sat, Nov 8, 2008 at 6:12 PM, Joshua Gimer wrote:
> Outgoing connections to where? There was nothing in your ISC post? Maybe the rule focus is incorrect, we could write a rule to watch for these outgoing connections?

Ah yes - I was actually supposed to update the diary but never managed to do it (got dragged to do some other things).

At the moment, they make loads of connections to the following URL:

hxxp://ssa.adxdnet.net/get.php?src=

Where the src parameter varies (they download 10+ malware from this).

So a rule to catch this will at least point to machines that got infected with the sample I analyzed.
Cheers,

Bojan

From emerging at emergingthreats.net Sat Nov 8 18:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 8 Nov 2008 18:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20081108230008.6E96F4501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Nov 8 18:00:08 2008 [***]

[+++] Added rules: [+++]

    2008735 - ET MALWARE Suspicious User Agent (FTP) (emerging-malware.rules)
    2008736 - ET MALWARE Borlander Adware Checkin (emerging-malware.rules)
    2008737 - ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin (emerging.rules)
    2008738 - ET CURRENT_EVENTS Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot Trojan Related (emerging.rules)
    2008739 - ET CURRENT_EVENTS MS08067 Worm Traffic Outbound (emerging.rules)
    2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
    2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
    2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
    2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
    2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
    2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
    2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
    2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
    2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
    2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules)
    2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules)
    2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules)
    2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules)
    2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules)
    2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules)
    2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules)
    2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules)
    2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

    2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401008 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
    2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
    2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
    2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
    2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
    2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
    2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
    2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
    2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
    2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
    2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
    2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
    2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
    2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
    2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
    2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
    2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
    2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
    2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
    2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
    2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
    2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
    2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
    2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
    2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
    2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
    2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
    2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
    2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
    2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
    2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
    2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
    2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
    2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
    2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
    2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
    2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
    2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
    2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
    2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
    2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
    2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
    2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
    2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
    2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
    2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
    2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
    2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
    2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
    2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
    2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
    2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
    2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
    2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
    2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
    2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
    2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
    2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
    2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
    2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
    2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
    2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
    2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
    2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
    2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
    2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
    2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
    2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
    2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
    2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
    2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
    2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
    2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
    2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
    2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
    2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
    2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
    2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
    2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
    2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
    2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
    2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
    2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
    2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
    2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
    2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
    2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)
    2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)
    2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules)
    2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules)
    2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules)
    2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules)
    2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules)
    2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules)

[+++] Added non-rule lines: [+++]

  -> Added to emerging-drop-BLOCK.rules (2):
    # VERSION 1352
    # Generated 2008-11-08 00:03:02 EDT

  -> Added to emerging-drop.rules (2):
    # VERSION 1352
    # Generated 2008-11-08 00:03:02 EDT

  -> Added to emerging-malware.rules (2):
    #by Jeffrey Brown
    #Pedro Marinho

  -> Added to emerging-rbn-BLOCK.rules (2):
    # VERSION 82
    # Updated 2008-11-06 09:42:34

  -> Added to emerging-rbn.rules (2):
    # VERSION 82
    # Updated 2008-11-06 09:42:34

  -> Added to emerging-sid-msg.map (23):
    2008735 || ET MALWARE Suspicious User Agent (FTP)
    2008736 || ET MALWARE Borlander Adware Checkin
    2008737 || ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin
    2008738 || ET CURRENT_EVENTS Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot Trojan Related
    2008739 || ET CURRENT_EVENTS MS08067 Worm Traffic Outbound
    2406036 || ET RBN Known Russian Business Network Monitored Domains (37) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406037 || ET RBN Known Russian Business Network Monitored Domains (38) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406038 || ET RBN Known Russian Business Network Monitored Domains (39) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406039 || ET RBN Known Russian Business Network Monitored Domains (40) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406040 || ET RBN Known Russian Business Network Monitored Domains (41) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406041 || ET RBN Known Russian Business Network Monitored Domains (42) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406042 || ET RBN Known Russian Business Network Monitored Domains (43) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406043 || ET RBN Known Russian Business Network Monitored Domains (44) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406044 || ET RBN Known Russian Business Network Monitored Domains (45) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407036 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407037 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407038 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407039 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407040 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407041 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407042 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407043 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407044 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

  -> Added to emerging-sid-msg.map.txt (23):
    2008735 || ET MALWARE Suspicious User Agent (FTP)
    2008736 || ET MALWARE Borlander Adware Checkin
    2008737 || ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin
    2008738 || ET CURRENT_EVENTS Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot Trojan Related
    2008739 || ET CURRENT_EVENTS MS08067 Worm Traffic Outbound
    2406036 || ET RBN Known Russian Business Network Monitored Domains (37) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406037 || ET RBN Known Russian Business Network Monitored Domains (38) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406038 || ET RBN Known Russian Business Network Monitored Domains (39) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406039 || ET RBN Known Russian Business Network Monitored Domains (40) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406040 || ET RBN Known Russian Business Network Monitored Domains (41) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406041 || ET RBN Known Russian Business Network Monitored Domains (42) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406042 || ET RBN Known Russian Business Network Monitored Domains (43) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406043 || ET RBN Known Russian Business Network Monitored Domains (44) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406044 || ET RBN Known Russian Business Network Monitored Domains (45) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407036 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407037 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407038 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407039 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407040 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407041 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407042 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407043 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407044 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

  -> Added to emerging.rules (1):
    #by David Wharton

[---] Removed non-rule lines: [---]

  -> Removed from emerging-drop-BLOCK.rules (2):
    # VERSION 1345
    # Generated 2008-11-01 00:03:02 EDT

  -> Removed from emerging-drop.rules (2):
    # VERSION 1345
    # Generated 2008-11-01 00:03:02 EDT

  -> Removed from emerging-rbn-BLOCK.rules (2):
    # VERSION 81
    # Updated 2008-10-27 09:14:06

  -> Removed from emerging-rbn.rules (2):
    # VERSION 81
    # Updated 2008-10-27 09:14:06

  -> Removed from emerging-sid-msg.map (2):
    2500055 || ET COMPROMISED Known Compromised or Hostile Host Traffic (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

  -> Removed from emerging-sid-msg.map.txt (2):
    2500055 || ET COMPROMISED Known Compromised or Hostile Host Traffic (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From jonkman at jonkmans.com Sat Nov 8 20:00:20 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sat, 08 Nov 2008 20:00:20 -0500
Subject: [Emerging-Sigs] Sig Adobe Reader vulnerability exploited in the wild
In-Reply-To: <9d6a1ae60811081314p4aea9880w43a084481cba884f@mail.gmail.com>
References: <9d6a1ae60811080101n4eee1feco2546831ec9597fec@mail.gmail.com> <9d6a1ae60811081314p4aea9880w43a084481cba884f@mail.gmail.com>
Message-ID: <49163624.8030306@jonkmans.com>

Is the parameter for src all digits or something else we could look for?

Thanks Bojan!

Matt

Bojan Zdrnja (SANS ISC) wrote:
> On Sat, Nov 8, 2008 at 6:12 PM, Joshua Gimer wrote:
>> Outgoing connections to where? There was nothing in your ISC post? Maybe the rule focus is incorrect, we could write a rule to watch for these outgoing connections?
>
> Ah yes - I was actually supposed to update the diary but never managed to do it (got dragged to do some other things).
>
> As the moment, they make loads of connections to the following URL:
>
> hxxp://ssa.adxdnet.net/get.php?src=
>
> Where the src parameter varies (they download 10+ malware from this).
> > So a rule to catch this will at least point to machines that got > infected with the sample I analyzed. > > Cheers, > > Bojan > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Sat Nov 8 20:43:45 2008 From: jonkman at jonkmans.com (Matt Jonkman) Date: Sat, 08 Nov 2008 20:43:45 -0500 Subject: [Emerging-Sigs] Sig Adobe Reader vulnerability exploited in the wild In-Reply-To: <9d6a1ae60811080101n4eee1feco2546831ec9597fec@mail.gmail.com> References: <9d6a1ae60811080101n4eee1feco2546831ec9597fec@mail.gmail.com> Message-ID: <49164051.1010106@jonkmans.com> Got some new info with a sample. The UA is unique, so going with this: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin"; flow:established,to_server; uricontent:"/get.php?src="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; Win32\; WinHttp.W inHttpRequest.5)"; classtype:trojan-activity; sid:2008741; rev:1;) Matt Bojan Zdrnja (SANS ISC) wrote: > Joshua, > > On Sat, Nov 8, 2008 at 2:53 AM, Joshua Gimer wrote: >> All, >> >> Could you please review this sig? I am far from being even decent at writing >> these rules, but thought that I would create one for the worm activity that >> has been reported to SANS ISC due to the lack of Anti-Virus coverage. 
>> >> http://isc.sans.org/diary.html?storyid=5312 >> >> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS >> CVE-2008-2992 Adobe Reader PDF Exploit"; flow:established,to_server; >> content:"|25 50 44 46|"; >> pcre:"util\.printf\(unescape(\(""\+"%"\+")?25%34%35%30%30%30%66"?\), >> (nm)?\)"; classtype:malware-activity; >> reference:url,isc.sans.org/diary.html?storyid=5312; >> reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992; >> sid:2008117; rev:1;) > > This won't work because the JavaScript part is obfuscated, and > deflated in the PDF document. > Frankly, this doesn't look to me like something we should write a sig > for -- there are just too many ways for obfuscating things and > changing the content. > > Probably the best way is to catch outgoing connections, once the > machine gets infected. > > Cheers, > > Bojan > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Sat Nov 8 21:06:47 2008 From: jonkman at jonkmans.com (Matt Jonkman) Date: Sat, 08 Nov 2008 21:06:47 -0500 Subject: [Emerging-Sigs] Rules to detect attempts to use the software FreeGate anonymous access to the Internet. In-Reply-To: <49148daabb55_6ccc15be8dae4eb03271@winter10.tmail> References: <49148daabb55_6ccc15be8dae4eb03271@winter10.tmail> Message-ID: <491645B7.1010009@jonkmans.com> These look really interesting. Will give them a try! 
Thanks
Matt

staneyre wrote:
> #Created by Sandro Reis -
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 31 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 1, seconds 30; sid:2009000; rev:1;)
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 32 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 1, seconds 30; sid:2009001; rev:1;)
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 33 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 1, seconds 30; sid:2009002; rev:1;)
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 34 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 1, seconds 30; sid:2009003; rev:1;)
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 35 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; offset: 13; depth: 23; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2009004; rev:1;)
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
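The five rules above differ only in one byte of the DNS question name. The Python below is an added example (not something posted to the list, and not Sandro Reis' code): it decodes the rules' hex content back to hostnames, builds a constructed standard A query for one of them, and runs the rules' content/offset/depth constraints through a minimal re-implementation of Snort's content matching, so the offset:13/depth:23 on the fifth rule can be checked against where the QNAME actually begins (byte 12, immediately after the 12-byte DNS header). The matcher assumes the search window is payload[offset:offset+depth]; all function names and the sample query are mine.

```python
"""Added example, not from the Emerging-Sigs list: decode the FreeGate DNS rule
patterns, build a constructed DNS query, and check Snort-style content/offset/depth
constraints against it. Assumption: the offset/depth window is payload[offset:offset+depth]."""
import struct
from typing import List, Optional

# Content hex from the five posted rules (sids 2009000..2009004), copied verbatim.
FREEGATE_PATTERNS = [
    bytes.fromhex(h)
    for h in (
        "03 77 36 31 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00",
        "03 77 36 32 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00",
        "03 77 36 33 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00",
        "03 77 36 34 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00",
        "03 77 36 35 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00",
    )
]

DNS_HEADER_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount: six 16-bit fields


def decode_qname(wire: bytes) -> str:
    """Turn a wire-format name (length-prefixed labels, zero terminator) into dotted text."""
    labels, pos = [], 0
    while wire[pos] != 0:
        length = wire[pos]
        if length & 0xC0:
            raise ValueError("compression pointer: not expected in a query name")
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def encode_qname(name: str) -> bytes:
    """Inverse of decode_qname: dotted name to length-prefixed labels plus terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed sample: a plain recursive A query, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # qclass IN


def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort-style content check: the pattern must lie entirely inside the search window."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def matching_rules(payload: bytes) -> List[int]:
    """Indices (0..4, i.e. w61..w65) of the rules whose unconstrained content matches."""
    return [i for i, p in enumerate(FREEGATE_PATTERNS) if content_match(payload, p)]


if __name__ == "__main__":
    for p in FREEGATE_PATTERNS:
        print(decode_qname(p))
    q = build_dns_query("w65.ziyoulonglive.com")
    print("qname starts at byte", q.find(FREEGATE_PATTERNS[4]))
    print("offset:13 depth:23 ->", content_match(q, FREEGATE_PATTERNS[4], 13, 23))
    print("offset:12 depth:23 ->", content_match(q, FREEGATE_PATTERNS[4], 12, 23))
```

Under that assumption the fifth rule's window starts one byte into the question name of a plain query, so an anchored version that fires on such a query needs offset:12. Whether a given Snort build counts depth from the offset or from the start of the payload does not change this outcome: a 23-byte pattern beginning at byte 12 cannot fit in either window when the offset is 13.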
-------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From emerging at emergingthreats.net Sun Nov 9 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sun, 9 Nov 2008 16:00:08 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081109210008.57FFF45026@goliath.jonkmans.com> [***] Results from Oinkmaster started Sun Nov 9 16:00:08 2008 [***] [+++] Added rules: [+++] 2008740 - ET TROJAN Ligats/DR.Ilomo Agent Post (emerging-virus.rules) 2008741 - ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin (emerging.rules) 2008742 - ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun) (emerging-malware.rules) 2008743 - ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun) (emerging-malware.rules) 2008744 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules) 2008745 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules) 2008746 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules) 2008747 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules) 2008748 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules) [///] Modified active rules: [///] 2008735 - ET MALWARE Suspicious User Agent (FTP) (emerging-malware.rules) 2008737 - ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin (emerging.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-policy.rules (1): #by Sandro Reis -> Added to emerging-sid-msg.map (10): 2008737 || ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin 2008740 || ET TROJAN Ligats/DR.Ilomo Agent Post 2008741 || ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin 2008742 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun) 2008743 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun) 2008744 || ET POLICY 
Possible External FreeGate DNS Query 2008745 || ET POLICY Possible External FreeGate DNS Query 2008746 || ET POLICY Possible External FreeGate DNS Query 2008747 || ET POLICY Possible External FreeGate DNS Query 2008748 || ET POLICY Possible External FreeGate DNS Query -> Added to emerging-sid-msg.map.txt (10): 2008737 || ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin 2008740 || ET TROJAN Ligats/DR.Ilomo Agent Post 2008741 || ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin 2008742 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun) 2008743 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun) 2008744 || ET POLICY Possible External FreeGate DNS Query 2008745 || ET POLICY Possible External FreeGate DNS Query 2008746 || ET POLICY Possible External FreeGate DNS Query 2008747 || ET POLICY Possible External FreeGate DNS Query 2008748 || ET POLICY Possible External FreeGate DNS Query -> Added to emerging.rules (1): #many sources [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (1): 2008737 || ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin -> Removed from emerging-sid-msg.map.txt (1): 2008737 || ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin From veerendragg at secpod.com Mon Nov 10 07:59:18 2008 From: veerendragg at secpod.com (Veerendra GG) Date: Mon, 10 Nov 2008 18:29:18 +0530 Subject: [Emerging-Sigs] Signature on Malware E-mail and GuildFTPd Attacks. Message-ID: <49183026.1020200@secpod.com> # 10/11/2008 GuildFTPd CWD and LIST Command Heap Overflow Attack.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GuildFTPd CWD and LIST Command Heap Overflow - POC"; pcre:"/cwd (\/\.){70,}/i"; pcre:"/list [\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; classtype:web-application-attack; sid:9033; rev:1;) # 10/11/2008 Activation Key Malware - Trojan horse alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Recovery KEYS for your account - Trojan"; flow:established,to_server; content:"|0d 0a|Subject\: Recovery KEYS for your account"; nocase; pcre:"/The_Keys.zip/i"; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; sid:9035; rev:1;) # 10/11/2008 Activation Key Malware - Trojan horse alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"The Activation Keys - Trojan"; flow:established,to_server; content:"|0d 0a|Subject\: The Activation Keys"; nocase; pcre:"/active_key.zip|new_activation_keys.zip/i"; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; sid:9036; rev:1;) -- regards, Veerendra GG http://secpod.com/ From jonkman at jonkmans.com Mon Nov 10 10:57:22 2008 From: jonkman at jonkmans.com (Matt Jonkman) Date: Mon, 10 Nov 2008 10:57:22 -0500 Subject: [Emerging-Sigs] Signature on Malware E-mail and GuildFTPd Attacks. In-Reply-To: <49183026.1020200@secpod.com> References: <49183026.1020200@secpod.com> Message-ID: <491859E2.7030900@jonkmans.com> Hi Veerendra, nice to hear from you. Comments inline: Veerendra GG wrote: > > # 10/11/2008 GuildFTPd CWD and LIST Command Heap Overflow Attack. > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GuildFTPd CWD and LIST > Command Heap Overflow - POC"; pcre:"/cwd (\/\.){70,}/i"; pcre:"/list > [\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; > reference:cve,CVE-2008-4572; reference:bugtraq,31729; > classtype:web-application-attack; sid:9033; rev:1;) > We've got to anchor this one before we pcre. Is it just a long string to the cwd? So anything but an end of line? Single packet right? So maybe we could do a content for the cwd and a dsize over 74? > # 10/11/2008 Activation Key Malware - Trojan horse > alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Recovery KEYS for your > account - Trojan"; flow:established,to_server; content:"|0d 0a|Subject\: > Recovery KEYS for your account"; nocase; pcre:"/The_Keys.zip/i"; > classtype:trojan-activity; > reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; > reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; > sid:9035; rev:1;) Why the pcre in this one? Can that just be a content match?
> > # 10/11/2008 Activation Key Malware - Trojan horse > alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"The Activation Keys - > Trojan"; flow:established,to_server; content:"|0d 0a|Subject\: The > Activation Keys"; nocase; > pcre:"/active_key.zip|new_activation_keys.zip/i"; > classtype:trojan-activity; > reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; > reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; > sid:9036; rev:1;) > > Maybe we just split this one into 2 sigs to avoid the pcre? Thanks Veerendra!! Matt _______________________________________________ Emerging-sigs mailing list Emerging-sigs at emergingthreats.net http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From sun at vakharia.info Tue Nov 11 08:59:20 2008 From: sun at vakharia.info (¯`·._The Sun_.·´¯) Date: Tue, 11 Nov 2008 19:29:20 +0530 Subject: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster Message-ID: I am quite new to Snort rule updates and am looking for a simple guide to help me integrate the emergingthreats' rules into my Snort test setup. My apologies if this is not the right forum for this question, but I am unable to locate the information that I am looking for on the emergingthreats.net website. I already have the rules from snort.org (VRT Certified Rules for Snort v2.8, snortrules-snapshot-2.8.tar.gz). However, they do not seem to pick up the MS08-067 exploit (which I am using as a test case). Here is what I have done so far.

1. Snort has been set up and works fine - I can detect port scans etc. without problems and without any rule changes.
2. I have also downloaded rules from emergingthreats.net and extracted them to /etc/snort/rules, where the official rules have also been placed.
3. Now, I edited my snort conf file and included a few rules:

include $RULE_PATH/emerging.conf
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/emerging-web.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging.rules
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules

And restarted snort. But that did not detect the exploit. Is there something else that I need to do? I also had set up Oinkmaster. Does that work with download of rules from emergingthreats? Or do I have to download via cvs? Thanks.
From emerging at emergingthreats.net Tue Nov 11 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Tue, 11 Nov 2008 16:00:08 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081111210008.8D50A4501B@goliath.jonkmans.com> [***] Results from Oinkmaster started Tue Nov 11 16:00:08 2008 [***] [+++] Added rules: [+++] 2008749 - ET MALWARE Suspicious User-Agent (checkonline) (emerging-malware.rules) 2008750 - ET TROJAN Buzus FTP Log Upload (emerging-virus.rules) 2008751 - ET TROJAN Alureon Checkin (Post) (emerging-virus.rules) [///] Modified active rules: [///] 2003607 - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting (emerging-malware.rules) 2008675 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start (emerging-virus.rules) 2008676 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply (emerging-virus.rules) 2008677 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply (emerging-virus.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (3): 2008749 || ET MALWARE Suspicious User-Agent (checkonline) 2008750 || ET TROJAN Buzus FTP Log Upload 2008751 || ET TROJAN Alureon Checkin (Post) -> Added to emerging-sid-msg.map.txt (3): 2008749 || ET MALWARE Suspicious User-Agent (checkonline) 2008750 || ET TROJAN Buzus FTP Log Upload 2008751 || ET TROJAN Alureon Checkin (Post) From phatbuckett at gmail.com Tue Nov 11 19:59:56 2008 From: phatbuckett at gmail.com (Darren Spruell) Date: Tue, 11 Nov 2008 17:59:56 -0700 Subject: [Emerging-Sigs] Ligats POST data (sid 2008740) Message-ID: <839aec700811111659i2ccbde03tf05ed36a0b993991@mail.gmail.com>

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ligats/DR.Ilomo Agent Post"; flow:established,to_server; content:"POST /"; depth:6; content:" HTTP/1.0|0d 0a|"; distance:16; within:28; content:"|0d 0a 0d 0a|o="; content:"&s=000"; distance:1; within:8; classtype:trojan-activity; sid:2008740; rev:1;)

2008740 seems to be assuming POST requests like e.g.

POST /HBM3DVDRwaYTn382 HTTP/1.0
User-Agent: Mozilla 5.0
Accept: */*
Host: 206.225.90.83
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

o=c&s=0000000000153CA2

I've been getting low detection on this and realized there's another POST format in use:

POST /FjFcB74BmIlgzEhr HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 66.226.76.83
Content-Length: 225
Cache-Control: no-cache

o=d&s=00000000005C0743&b=jAAAACi3IEgIyVlk2fGhmHQmhrk3Ws2Si48HsmKkjlGQIzUjxpH/aJ3M3+5tqeHb1tnuuYXfi1E PKSdMTKatOxytFTBsF/0IBMaHX7Iby5iR6En[snip]

The second request (observed 11/11/08) utilizes HTTP/1.1, has a more standard UA string, and also passes data in a 'b' parameter.

-- Darren Spruell phatbuckett at gmail.com From chris.misztur at yahoo.com Tue Nov 11 20:13:08 2008 From: chris.misztur at yahoo.com (chris mr) Date: Tue, 11 Nov 2008 17:13:08 -0800 (PST) Subject: [Emerging-Sigs] ET and Oinkmaster References: Message-ID: <182737.91381.qm@web63703.mail.re1.yahoo.com> Take a look at http://oinkmaster.cvs.sourceforge.net/oinkmaster/oinkmaster/FAQ?view=markup A26. From jonkman at jonkmans.com Wed Nov 12 05:16:32 2008 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 12 Nov 2008 05:16:32 -0500 Subject: [Emerging-Sigs] Interesting: Gif/rar Message-ID: <491AAD00.6010304@jonkmans.com> Our class in vienna found something interesting.

HTTP/1.1 200 OK
Content-Length: 13708
Content-Type: image/gif
Last-Modified: Sat, 25 Oct 2008 02:13:00 GMT
Accept-Ranges: bytes
ETag: "1c3c1d344736c91:a23"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 25 Oct 2008 07:48:31 GMT

Rar!.....s.....

Malware requesting a gif, server reporting it's sending a gif, but the file is actually a rar archive.
The rule below should detect it; please test and let us know how this goes. We'll look at other filetypes if this continues to prove reliable!

alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image"; flow:established,from_server; content:"Content-Type\: image/"; content:"|0d 0a|Rar!"; classtype: trojan-activity; sid:2008754; rev:1;)

Matt -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From veerendragg at secpod.com Wed Nov 12 04:32:31 2008 From: veerendragg at secpod.com (Veerendra GG) Date: Wed, 12 Nov 2008 15:02:31 +0530 Subject: [Emerging-Sigs] Signature on Malware E-mail and GuildFTPd Attacks. In-Reply-To: <491859E2.7030900@jonkmans.com> References: <49183026.1020200@secpod.com> <491859E2.7030900@jonkmans.com> Message-ID: <491AA2AF.3060107@secpod.com> The Malware E-mail Trojan rules are modified as per your comments, moving those pcre to content. For GuildFTPd, we split into two rules to match the huge string of the "pwd" and "list" commands. Expecting some feedback on the GuildFTPd rules.
# 10/11/2008 Activation Key Malware - Trojan horse alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Recovery KEYS for your account - Trojan"; flow:established,to_server; content:"|0d 0a|Subject\: Recovery KEYS for your account"; nocase; content:"The_Keys.zip"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; sid:9035; rev:2;) # 10/11/2008 Activation Key Malware - Trojan horse alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"The Activation Keys - Trojan-1"; flow:established,to_server; content:"|0d 0a|Subject\: The Activation Keys"; nocase; content:"new_activation_keys.zip"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; sid:9034; rev:1;) # 10/11/2008 Activation Key Malware - Trojan horse alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"The Activation Keys - Trojan-2"; flow:established,to_server; content:"|0d 0a|Subject\: The Activation Keys"; nocase; content:"active_key.zip"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; sid:9036; rev:2;) # 10/11/2008 GuildFTPd CWD and LIST Command Heap Overflow Attack. 
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GuildFTPd CWD and LIST Command Heap Overflow - POC-1"; content:"cwd"; depth:4; nocase; dsize:>74; pcre:"/(\/\.){70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; classtype:web-application-attack; sid:9033; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GuildFTPd CWD and LIST Command Heap Overflow - POC-2"; content:"list"; depth:5; nocase; dsize:>74; pcre:"/[\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; classtype:web-application-attack; sid:9037; rev:1;) -- regards, Veerendra GG http://www.secpod.com/ Matt Jonkman wrote: > Hi Veerendra, nice to hear from you. Comments inline: > > Veerendra GG wrote: >> # 10/11/2008 GuildFTPd CWD and LIST Command Heap Overflow Attack. >> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GuildFTPd CWD and LIST >> Command Heap Overflow - POC"; pcre:"/cwd (\/\.){70,}/i"; pcre:"/list >> [\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; >> reference:cve,CVE-2008-4572; reference:bugtraq,31729; >> classtype:web-application-attack; sid:9033; rev:1;) >> > > We've got to anchor this one before we pcre. Is it just a long string to > the cwd? So anything but an end of line? > > Single packet right? So maybe we could do a content for the cwd and a > dsize over 74? > >> # 10/11/2008 Activation Key Malware - Trojan horse >> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Recovery KEYS for your >> account - Trojan"; flow:established,to_server; content:"|0d 0a|Subject\: >> Recovery KEYS for your account"; nocase; pcre:"/The_Keys.zip/i"; >> classtype:trojan-activity; >> reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; >> reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; >> sid:9035; rev:1;) > > Why the pcre in this one? Can that just be a content match?
> >> # 10/11/2008 Activation Key Malware - Trojan horse >> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"The Activation Keys - >> Trojan"; flow:established,to_server; content:"|0d 0a|Subject\: The >> Activation Keys"; nocase; >> pcre:"/active_key.zip|new_activation_keys.zip/i"; >> classtype:trojan-activity; >> reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; >> reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; >> sid:9036; rev:1;) >> >> > > Maybe we just split this one into 2 sigs to avoid the pcre? > > Thanks Veerendra!! > > Matt > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > -- regards, Veerendra GG Security Analyst @ Secpod http://www.secpod.com/ L-16, 3rd Cross, 26th Main Road, 1st Phase, JP Nagar, Bangalore - 560078 Mobile: +919886535533 From jonkman at jonkmans.com Wed Nov 12 12:17:46 2008 From: jonkman at jonkmans.com (Matt Jonkman) Date:
Wed, 12 Nov 2008 12:17:46 -0500 Subject: [Emerging-Sigs] New P2P Trojan? Message-ID: <491B0FBA.1080003@jonkmans.com> We've just run across in the sandnet a new (possibly) P2P (possibly) trojan. It's similar to storm, not sure exactly what and how, but we've put up sigs for it. If you get hits on these please let us know. AV so far isn't detecting it, although the sample is over a month old. Quite concerning. Sigs posted are: #re 60fa2ff79411dd1cb829e8a966aa86fc #Unknown so far, no AV coverage, appears to be peer to peer alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin"; flow:established,to_server; dsize:<30; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 01 00 00|"; distance:1; within:9; threshold:type both, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2008768; rev:2;) alert tcp $EXTERNAL_NET 3000:8000 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response"; flow:established,from_server; dsize:<100; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 07 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_dst; classtype:trojan-activity; sid:2008769; rev:2;) #moves to 7090 in samples alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET CURRENT_EVENTS Unknown Trojan P2P Download Request"; flow:established,to_server; dsize:<100; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 08 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2008771; rev:2;) alert tcp $EXTERNAL_NET 3000:8000 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Trojan P2P Data Download"; flow:established,from_server; dsize:>1000; content:"|00 00 00|"; depth:5; offset:2; content:"|00 01 01 00 00 05 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_dst; classtype:trojan-activity; sid:2008770; 
rev:2;) #moved to 5622 in samples alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET CURRENT_EVENTS Unknown Trojan P2P Request"; flow:established,to_server; dsize:<60; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 03 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2008772; rev:2;) PLEASE report any hits! Matt -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From emerging at emergingthreats.net Wed Nov 12 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Wed, 12 Nov 2008 16:00:08 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081112210008.C78BA4501B@goliath.jonkmans.com> [***] Results from Oinkmaster started Wed Nov 12 16:00:08 2008 [***] [+++] Added rules: [+++] 2008752 - ET TROJAN AdWare.Win32.Yokbar User-Agent Detected (YOK Agent) (emerging-virus.rules) 2008753 - ET TROJAN AdWare.Win32.Yokbar Checkin URL (emerging-virus.rules) 2008754 - ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image (emerging-malware.rules) 2008755 - ET TROJAN Autorun.qvi Related HTTP Get on Off Port (emerging-virus.rules) 2008756 - ET MALWARE Suspicious User-Agent (Kvadrlson 1.0) (emerging-malware.rules) 2008757 - ET MALWARE Zenosearch Malware Checkin HTTP POST (emerging-malware.rules) 2008758 - ET TROJAN Mcboo.com/Bundlext.com related Trojan Checkin URL (emerging-virus.rules) 2008759 - ET MALWARE Matcash Trojan Related Spyware Code Download (emerging-malware.rules) 2008760 - ET TROJAN Insidebar.co.kr Related Infection Checkin (emerging-virus.rules) 2008761 - ET POLICY Rar File Requested (1) (emerging-policy.rules) 2008762 - ET POLICY Rar File Requested (2) (emerging-policy.rules) 2008763 - 
ET POLICY Rar Requested but Received Something Else (1) (emerging-policy.rules) 2008764 - ET POLICY Rar Requested but Received Something Else (2) (emerging-policy.rules) 2008765 - ET TROJAN Brontok/Joseray User-Agent Detected (Joseray.A3 Browser) (emerging-virus.rules) 2008766 - ET TROJAN Generic Downloader Checkin Url Detected (emerging-virus.rules) 2008767 - ET TROJAN Kangkio User-Agent (lsosss) (emerging-virus.rules) 2008768 - ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin (emerging.rules) 2008769 - ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response (emerging.rules) 2008770 - ET CURRENT_EVENTS Unknown Trojan P2P Data Download (emerging.rules) 2008771 - ET CURRENT_EVENTS Unknown Trojan P2P Download Request (emerging.rules) 2008772 - ET CURRENT_EVENTS Unknown Trojan P2P Request (emerging.rules) [///] Modified active rules: [///] 2000536 - ET SCAN NMAP -sO (emerging-scan.rules) 2000537 - ET SCAN NMAP -sS (emerging-scan.rules) 2000538 - ET SCAN NMAP -sA (1) (emerging-scan.rules) 2000540 - ET SCAN NMAP -sA (2) (emerging-scan.rules) 2000543 - ET SCAN NMAP -f -sF (emerging-scan.rules) 2000544 - ET SCAN NMAP -f -sN (emerging-scan.rules) 2000545 - ET SCAN NMAP -f -sS (emerging-scan.rules) 2000546 - ET SCAN NMAP -f -sX (emerging-scan.rules) 2003607 - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting (emerging-malware.rules) 2008735 - ET MALWARE Suspicious User Agent (FTP) (emerging-malware.rules) 2008743 - ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdsclk) (emerging-malware.rules) [---] Removed rules: [---] 2002968 - ET MALWARE Matcash.com Spyware Code Download (emerging-malware.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-malware.rules (1): #from vienna -> Added to emerging-sid-msg.map (30): 2000536 || ET SCAN NMAP -sO 2000537 || ET SCAN NMAP -sS 2000538 || ET SCAN NMAP -sA (1) 2000540 || ET SCAN NMAP -sA (2) 2000543 || ET SCAN NMAP -f -sF 2000544 || ET SCAN NMAP -f -sN 2000545 || ET SCAN NMAP -f -sS 2000546 || ET 
SCAN NMAP -f -sX 2008743 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdsclk) 2008752 || ET TROJAN AdWare.Win32.Yokbar User-Agent Detected (YOK Agent) 2008753 || ET TROJAN AdWare.Win32.Yokbar Checkin URL 2008754 || ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image 2008755 || ET TROJAN Autorun.qvi Related HTTP Get on Off Port 2008756 || ET MALWARE Suspicious User-Agent (Kvadrlson 1.0) 2008757 || ET MALWARE Zenosearch Malware Checkin HTTP POST 2008758 || ET TROJAN Mcboo.com/Bundlext.com related Trojan Checkin URL 2008759 || ET MALWARE Matcash Trojan Related Spyware Code Download 2008760 || ET TROJAN Insidebar.co.kr Related Infection Checkin 2008761 || ET POLICY Rar File Requested (1) 2008762 || ET POLICY Rar File Requested (2) 2008763 || ET POLICY Rar Requested but Received Something Else (1) 2008764 || ET POLICY Rar Requested but Received Something Else (2) 2008765 || ET TROJAN Brontok/Joseray User-Agent Detected (Joseray.A3 Browser) 2008766 || ET TROJAN Generic Downloader Checkin Url Detected 2008767 || ET TROJAN Kangkio User-Agent (lsosss) 2008768 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin 2008769 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response 2008770 || ET CURRENT_EVENTS Unknown Trojan P2P Data Download 2008771 || ET CURRENT_EVENTS Unknown Trojan P2P Download Request 2008772 || ET CURRENT_EVENTS Unknown Trojan P2P Request -> Added to emerging-sid-msg.map.txt (30): 2000536 || ET SCAN NMAP -sO 2000537 || ET SCAN NMAP -sS 2000538 || ET SCAN NMAP -sA (1) 2000540 || ET SCAN NMAP -sA (2) 2000543 || ET SCAN NMAP -f -sF 2000544 || ET SCAN NMAP -f -sN 2000545 || ET SCAN NMAP -f -sS 2000546 || ET SCAN NMAP -f -sX 2008743 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdsclk) 2008752 || ET TROJAN AdWare.Win32.Yokbar User-Agent Detected (YOK Agent) 2008753 || ET TROJAN AdWare.Win32.Yokbar Checkin URL 2008754 || ET MALWARE Possible Rar'd Malware sent when remote host claims to send 
an Image 2008755 || ET TROJAN Autorun.qvi Related HTTP Get on Off Port 2008756 || ET MALWARE Suspicious User-Agent (Kvadrlson 1.0) 2008757 || ET MALWARE Zenosearch Malware Checkin HTTP POST 2008758 || ET TROJAN Mcboo.com/Bundlext.com related Trojan Checkin URL 2008759 || ET MALWARE Matcash Trojan Related Spyware Code Download 2008760 || ET TROJAN Insidebar.co.kr Related Infection Checkin 2008761 || ET POLICY Rar File Requested (1) 2008762 || ET POLICY Rar File Requested (2) 2008763 || ET POLICY Rar Requested but Received Something Else (1) 2008764 || ET POLICY Rar Requested but Received Something Else (2) 2008765 || ET TROJAN Brontok/Joseray User-Agent Detected (Joseray.A3 Browser) 2008766 || ET TROJAN Generic Downloader Checkin Url Detected 2008767 || ET TROJAN Kangkio User-Agent (lsosss) 2008768 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin 2008769 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response 2008770 || ET CURRENT_EVENTS Unknown Trojan P2P Data Download 2008771 || ET CURRENT_EVENTS Unknown Trojan P2P Download Request 2008772 || ET CURRENT_EVENTS Unknown Trojan P2P Request -> Added to emerging-virus.rules (1): #these are mcboo.com and bundlext.com related. 
David Yawsa registrant
-> Added to emerging.rules (5):
#from Vienna with love
#re 60fa2ff79411dd1cb829e8a966aa86fc
#Unknown so far, no AV coverage, appears to be peer to peer
#moves to 7090 in samples
#moved to 5622 in samples

[---] Removed non-rule lines: [---]
-> Removed from emerging-sid-msg.map (10):
2000536 || ET SCAN NMAP -sO || arachnids,162
2000537 || ET SCAN NMAP -sS || arachnids,162
2000538 || ET SCAN NMAP -sA (1) || arachnids,162
2000540 || ET SCAN NMAP -sA (2) || arachnids,162
2000543 || ET SCAN NMAP -f -sF || arachnids,162
2000544 || ET SCAN NMAP -f -sN || arachnids,162
2000545 || ET SCAN NMAP -f -sS || arachnids,162
2000546 || ET SCAN NMAP -f -sX || arachnids,162
2002968 || ET MALWARE Matcash.com Spyware Code Download || url,matcash.com
2008743 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun)
-> Removed from emerging-sid-msg.map.txt (10):
2000536 || ET SCAN NMAP -sO || arachnids,162
2000537 || ET SCAN NMAP -sS || arachnids,162
2000538 || ET SCAN NMAP -sA (1) || arachnids,162
2000540 || ET SCAN NMAP -sA (2) || arachnids,162
2000543 || ET SCAN NMAP -f -sF || arachnids,162
2000544 || ET SCAN NMAP -f -sN || arachnids,162
2000545 || ET SCAN NMAP -f -sS || arachnids,162
2000546 || ET SCAN NMAP -f -sX || arachnids,162
2002968 || ET MALWARE Matcash.com Spyware Code Download || url,matcash.com
2008743 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun)

From joel.esler at sourcefire.com Thu Nov 13 07:59:40 2008
From: joel.esler at sourcefire.com (Joel Esler)
Date: Thu, 13 Nov 2008 07:59:40 -0500
Subject: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster
Message-ID: <314cf0830811130459k2867fb6ep42983be2dd9376a@mail.gmail.com>

The rule to detect MS08-067 is a Shared Object rule.
You'll need to follow the instructions here: http://www.snort.org/docs/faq/3Q06/node87.html or here: http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1299181,00.html in order to use this rule.

Joel

On Tue, Nov 11, 2008 at 8:59 AM, The Sun wrote:
> I am quite new to Snort rule updates and am looking at a simple guide to
> help me integrate the emergingthreats' rules into my Snort test setup.
>
> My apologies if this is not the right forum for this question, but I am
> unable to locate information that I am looking for on the
> emergingthreats.net website.
>
> I already have the rules from snort.org (VRT Certified Rules for Snort
> v2.8, snortrules-snapshot-2.8.tar.gz). However, they do not seem to pick up
> the MS08-067 exploit (which I am using as a test case).
>
> Here is what I have done so far.
> 1. Snort has been set up and works fine - I can detect port scans etc.
> without problems without any rule changes.
> 2. I have also downloaded rules from emergingthreats.net and extracted
> them to /etc/snort/rules where the official rules have also been placed.
>
> 3. Now, I edited my snort conf file and included a few rules
> include $RULE_PATH/emerging.conf
> include $RULE_PATH/emerging-malware.rules
> include $RULE_PATH/emerging-exploit.rules
> include $RULE_PATH/emerging-web.rules
> include $RULE_PATH/emerging-scan.rules
> include $RULE_PATH/emerging.rules
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
>
> And restarted snort. But that did not detect the exploit.
>
> Is there something else that I need to do?
>
> I also had set up Oinkmaster. Does that work with download of rules from
> emergingthreats? Or do I have to download via cvs?
>
> Thanks.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From joel.esler at sourcefire.com Thu Nov 13 08:07:27 2008
From: joel.esler at sourcefire.com (Joel Esler)
Date: Thu, 13 Nov 2008 08:07:27 -0500
Subject: [Emerging-Sigs] Signature on Malware E-mail and GuildFTPd Attacks.
In-Reply-To: <491AA2AF.3060107@secpod.com>
References: <49183026.1020200@secpod.com> <491859E2.7030900@jonkmans.com> <491AA2AF.3060107@secpod.com>
Message-ID: <314cf0830811130507n7e4aeaa0j7f043e79a3b5a5d3@mail.gmail.com>

As food for thought, you could specify a ftp_server definition for your FTP servers and set CWD and LIST to 70. That way the ftp preproc is handling this.

J

On Wed, Nov 12, 2008 at 4:32 AM, Veerendra GG wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Malware E-mail Trojan rules are modified as per your comments by moving
> those pcre to content.
> For GuildFtpd, we split into two rules to match the huge string of "pwd"
> and "list" command.
> Expecting some feedback on GuildFtpd rules.
>
>
> # 10/11/2008 Activation Key Malware - Trojan horse
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Recovery KEYS for your account - Trojan"; flow:established,to_server; content:"|0d 0a|Subject\: Recovery KEYS for your account"; nocase; content:"The_Keys.zip"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; sid:9035; rev:2;)
>
>
> # 10/11/2008 Activation Key Malware - Trojan horse
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"The Activation Keys - Trojan-1"; flow:established,to_server; content:"|0d 0a|Subject\: The Activation Keys"; nocase; content:"new_activation_keys.zip"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; sid:9034; rev:1;)
>
> # 10/11/2008 Activation Key Malware - Trojan horse
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"The Activation Keys - Trojan-2"; flow:established,to_server; content:"|0d 0a|Subject\: The Activation Keys"; nocase; content:"active_key.zip"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; sid:9036; rev:2;)
>
>
> # 10/11/2008 GuildFTPd CWD and LIST Command Heap Overflow Attack.
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GuildFTPd CWD and LIST Command Heap Overflow - POC-1"; content:"cwd"; depth:4; nocase; dsize:>74; pcre:"/(\/\.){70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; classtype:web-application-attack; sid:9033; rev:2;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GuildFTPd CWD and LIST Command Heap Overflow - POC-2"; content:"list"; depth:5; nocase; dsize:>74; pcre:"/[\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; classtype:web-application-attack; sid:9037; rev:1;)
>
> - --
> regards,
> Veerendra GG
> http://www.secpod.com/
>
> Matt Jonkman wrote:
> > Hi Veerendra, nice to hear from you. Comments inline:
> >
> > Veerendra GG wrote:
> >> # 10/11/2008 GuildFTPd CWD and LIST Command Heap Overflow Attack.
> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GuildFTPd CWD and LIST Command Heap Overflow - POC"; pcre:"cwd (\/\.){70,}/i"; pcre:"list [\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; classtype:web-application-attack; sid:9033; rev:1;)
> >>
> >
> > We've got to anchor this one before we pcre. Is it just a long string to
> > the cwd? So anything but an end of line?
> >
> > Single packet right? So maybe we could do a content for the cwd and a
> > dsize over 74?
> >
> >> # 10/11/2008 Activation Key Malware - Trojan horse
> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Recovery KEYS for your account - Trojan"; flow:established,to_server; content:"|0d 0a|Subject\: Recovery KEYS for your account"; nocase; pcre:"The_Keys.zip/i"; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; sid:9035; rev:1;)
> >
> > Why the pcre in this one? Can that just be a content match?
> >
> >> # 10/11/2008 Activation Key Malware - Trojan horse
> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"The Activation Keys - Trojan"; flow:established,to_server; content:"|0d 0a|Subject\: The Activation Keys"; nocase; pcre:"/active_key.zip|new_activation_keys.zip/i"; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/; reference:url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/; sid:9036; rev:1;)
> >>
> >>
> >
> > Maybe we just split this one into 2 sigs to avoid the pcre?
> >
> > Thanks Veerendra!!
> >
> > Matt
> >
>
> - --
> regards,
> Veerendra GG
>
> Security Analyst @ Secpod
> http://www.secpod.com/
>
> L-16, 3rd Cross, 26th Main Road, 1st Phase, JP Nagar, Bangalore - 560078
> Mobile: +919886535533
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iQIVAwUBSRqir+EQO76B7pCmAQJxuw/9EFdTTDjO6bUOPkPpvPQ5A9MkQNBl5aDH
> 8Y/BlkzHi4P7eRSYBq3thLRyl769QJTGi4fw1af7bXl/gOmN6oFE4srYpQiGNUrk
> U0iB7DMTtrC6O2/f25p0ZQIzfmvtSN4NVTtDW0zpf5rJLjABcdXcaPRGT2PCqjqk
> StB+dIc9NMTncDe+DlIQ2hXxI7iBWKliTip9kj+B4n0SCxAivO/BQTDx2S3Xqp+L
> Z40uf3xEGbuJV+hAKJbBvnjGKbJi+dtMWf9II6vPxM3IEPqEJINLhaSkthBODGYU
> dC0k6pa7gt2q5OMFQH1dukAxNM/8t+BOuEi/utPrbKcI+UeppPkK92IpprHCEZUs
> AycKY6ZLvp9OsrJiZzCLHHzF2wwqzGrbV467qo0jYLf1VvtxhdLDI0jrOpoBJA/Q
> W5jPgKri7LQNkKwvrm6KO5sbCxdCsoFoxIQWseh9WiWJ5a0ehBZcsFyKLx/NSlEz
> GoNJ8rVdyG3YVsUYCQ48QAG+wBob4xArIPuYsHgpqHkTry7Vgt3Qiykb/H0NUP/o
> 4oINAkcO7eQvG+wXQa4F4cdxAAa5yFoKZkhZkfkrda4gJ8mORuZfm7VDicfjMrX7
> RQx/94McfhxefbGtkSR9GU41ugr7wWE47Id+zkWGmHrZzoPPToLl1iNWRQaqCaG6
> RuhXqT3WdKI=
> =qRt3
> -----END PGP SIGNATURE-----
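Matt's two review points in the GuildFTPd thread above (put a content match in front of the pcre, and gate on dsize) and the rev:2 rules that came out of them can be checked offline. The Python below is an added example written for this archive, not code from Secpod or Emerging Threats. It emulates the three rule options the thread relies on (content with depth and nocase, dsize, an unanchored case-insensitive pcre) against a single FTP command payload, and runs the rev:1 draft and the rev:2 rules over constructed FTP commands: the attack shape is the one the rule text describes for CVE-2008-4572 (a CWD argument of 70 or more "/." pairs, a LIST argument of 70 or more word characters), the benign commands are made up. Two things become visible. Snort ANDs every option in a rule, so the rev:1 draft with two pcre options could only fire on a packet carrying both a long CWD and a long LIST, which a normal FTP client never sends; and the content plus dsize checks discard almost every packet before the regex runs, which is what "anchor this one before we pcre" buys. (The rev:1 draft also lacks the opening "/" delimiter that Snort's pcre option expects; the emulation uses the regexes the author evidently intended.) Joel's alternative corresponds to the ftp_telnet preprocessor's per-server alt_max_param_len setting, which alerts on an over-long CWD or LIST argument without any content rule. One more caveat a reviewer would raise: classtype:web-application-attack on an FTP daemon heap overflow is a mislabel; attempted-admin is the stock classtype for that.

```python
import re

# Constructed FTP command payloads (not captures from the thread). EVIL_CWD and
# EVIL_LIST follow the pattern the rules describe; the rest are made-up benign
# commands, one of them long enough to pass dsize on its own.
BENIGN_CWD = b"CWD /home/user/projects/2008/november\r\n"
LONG_BENIGN_CWD = b"CWD /" + b"/".join([b"d"] * 40) + b"\r\n"   # 86 bytes, no "/." run
EVIL_CWD = b"CWD " + b"/." * 70 + b"\r\n"
EVIL_LIST = b"LIST " + b"A" * 80 + b"\r\n"
BENIGN_LIST = b"LIST -la\r\n"

ALL_PACKETS = [BENIGN_CWD, LONG_BENIGN_CWD, EVIL_CWD, EVIL_LIST, BENIGN_LIST]


def content(payload, needle, depth=None, nocase=True):
    """Emulate content:"needle"; depth:N; nocase; on one packet payload."""
    hay = payload[:depth] if depth else payload
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def dsize_gt(payload, n):
    """Emulate dsize:>N, i.e. the payload length of the packet Snort inspects."""
    return len(payload) > n


def pcre(payload, regex):
    """Emulate pcre:"/regex/i": unanchored, case-insensitive search."""
    return re.search(regex, payload, re.I) is not None


def first_draft(payload):
    """The rev:1 draft: two pcre options and nothing else. Options are ANDed,
    so a packet must carry BOTH a long CWD and a long LIST to match."""
    return pcre(payload, rb"cwd (\/\.){70,}") and pcre(payload, rb"list [\w]{70,}")


def cwd_rev2(payload):
    """sid:9033 rev:2 as posted: content:"cwd"; depth:4; nocase; dsize:>74; pcre:"/(\/\.){70,}/i" """
    return (content(payload, b"cwd", depth=4)
            and dsize_gt(payload, 74)
            and pcre(payload, rb"(\/\.){70,}"))


def list_rev1(payload):
    """sid:9037 rev:1 as posted: content:"list"; depth:5; nocase; dsize:>74; pcre:"/[\w]{70,}/i" """
    return (content(payload, b"list", depth=5)
            and dsize_gt(payload, 74)
            and pcre(payload, rb"[\w]{70,}"))


def fast_path_survivors(packets):
    """Packets that the cheap content + dsize checks hand on to the regex.
    Everything else is dropped before pcre is ever evaluated."""
    return [p for p in packets
            if (content(p, b"cwd", 4) or content(p, b"list", 5)) and dsize_gt(p, 74)]


def run(packets):
    """Map each packet (keyed by its first 8 bytes) to (draft, cwd_rev2, list_rev1) verdicts."""
    return {p[:8]: (first_draft(p), cwd_rev2(p), list_rev1(p)) for p in packets}


if __name__ == "__main__":
    for key, verdicts in run(ALL_PACKETS).items():
        print(key, "draft=%s cwd_rev2=%s list_rev1=%s" % verdicts)
    print("reach pcre:", [p[:8] for p in fast_path_survivors(ALL_PACKETS)])
```

Two limits of the emulation carry over to the real rules: dsize is evaluated on whatever packet Snort inspects, so a command split across TCP segments is only caught if stream reassembly rebuilds it into one pseudo-packet first, and POC-2 will fire on any 70-character run of word characters in a LIST argument, a false-positive rate the thread accepted.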
From jonkman at jonkmans.com Thu Nov 13 08:40:45 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 13 Nov 2008 08:40:45 -0500
Subject: [Emerging-Sigs] Ligats POST data (sid 2008740)
In-Reply-To: <839aec700811111659i2ccbde03tf05ed36a0b993991@mail.gmail.com>
References: <839aec700811111659i2ccbde03tf05ed36a0b993991@mail.gmail.com>
Message-ID: <491C2E5D.3030508@jonkmans.com>

Nice catch Darren. Going through the sandnet I see some of these as well. Posting a similar sig for the other parameters momentarily.

Thanks!

Matt

Darren Spruell wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ligats/DR.Ilomo Agent Post"; flow:established,to_server; content:"POST /"; depth:6; content:" HTTP/1.0|0d 0a|"; distance:16; within:28; content:"|0d 0a 0d 0a|o="; content:"&s=000"; distance:1; within:8; classtype:trojan-activity; sid:2008740; rev:1;)
>
> 2008740 seems to be assuming POST requests like e.g.
>
> POST /HBM3DVDRwaYTn382 HTTP/1.0
> User-Agent: Mozilla 5.0
> Accept: */*
> Host: 206.225.90.83
> Connection: Keep-Alive
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 22
>
> o=c&s=0000000000153CA2
>
>
> I've been getting low detection on this and realized there's another
> POST format in use:
>
> POST /FjFcB74BmIlgzEhr HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> Host: 66.226.76.83
> Content-Length: 225
> Cache-Control: no-cache
>
> o=d&s=00000000005C0743&b=jAAAACi3IEgIyVlk2fGhmHQmhrk3Ws2Si48HsmKkjlGQIzUjxpH/aJ3M3+5tqeHb1tnuuYXfi1EPKSdMTKatOxytFTBsF/0IBMaHX7Iby5iR6En[snip]
>
>
> The second request (observed 11/11/08) utilizes HTTP/1.1, has a more
> standard UA string, and also passes data in a 'b' parameter.
> --

--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From staneyre at bol.com.br Thu Nov 13 14:14:54 2008
From: staneyre at bol.com.br (staneyre)
Date: Thu, 13 Nov 2008 17:14:54 -0200
Subject: [Emerging-Sigs] Correction of rule
Message-ID: <491c7cae7173a_3b99155555587eb4998@winter23.tmail>

An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081113/d127425e/attachment.html

From emerging at emergingthreats.net Thu Nov 13 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 13 Nov 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081113210008.18D774501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Nov 13 16:00:08 2008 [***]

[+++] Added rules: [+++]
2008773 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (emerging.rules)
2008774 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) (emerging.rules)
2008775 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) (emerging.rules)
2008776 - ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1 (emerging-exploit.rules)
2008777 - ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2 (emerging-exploit.rules)
2008778 - ET TROJAN Ligats/DR.Ilomo Agent Post (2) (emerging-virus.rules)
2008779 - ET CURRENT_EVENTS Unknown Keepalive up (emerging.rules)
2008780 - ET CURRENT_EVENTS Unknown Keepalive down (emerging.rules)

[///] Modified active rules: [///]
2008739 - ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound (emerging.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-exploit.rules (2):
#by Veerendra
# 10/11/2008 GuildFTPd CWD and LIST Command Heap Overflow
Attack. -> Added to emerging-sid-msg.map (13): 2008739 || ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound 2008773 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008774 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008775 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008776 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1 || bugtraq,31729 || cve,CVE-2008-4572 || url,milw0rm.com/exploits/6738 2008777 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2 || bugtraq,31729 || cve,CVE-2008-4572 || url,milw0rm.com/exploits/6738 2008778 || ET TROJAN Ligats/DR.Ilomo Agent Post (2) 2008779 || ET CURRENT_EVENTS Unknown Keepalive up 2008780 || ET CURRENT_EVENTS Unknown Keepalive down 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org 2500055 || ET COMPROMISED Known Compromised or Hostile Host Traffic (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (13): 2008739 || ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound 2008773 || ET CURRENT_EVENTS Recovery 
KEYS for your account Trojan Email Trojan Inbound || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008774 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008775 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008776 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1 || bugtraq,31729 || cve,CVE-2008-4572 || url,milw0rm.com/exploits/6738 2008777 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2 || bugtraq,31729 || cve,CVE-2008-4572 || url,milw0rm.com/exploits/6738 2008778 || ET TROJAN Ligats/DR.Ilomo Agent Post (2) 2008779 || ET CURRENT_EVENTS Unknown Keepalive up 2008780 || ET CURRENT_EVENTS Unknown Keepalive down 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org 2500055 || ET COMPROMISED Known Compromised or Hostile Host Traffic (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging.rules (2): #by Veererendra # 10/11/2008 Activation Key Malware - Trojan horse [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (1): 2008739 || ET CURRENT_EVENTS MS08067 Worm Traffic Outbound -> Removed from emerging-sid-msg.map.txt (1): 2008739 
|| ET CURRENT_EVENTS MS08067 Worm Traffic Outbound

From cunningpike at gmail.com Thu Nov 13 17:26:09 2008
From: cunningpike at gmail.com (CunningPike)
Date: Thu, 13 Nov 2008 14:26:09 -0800
Subject: [Emerging-Sigs] Interesting: Gif/rar
In-Reply-To: <491AAD00.6010304@jonkmans.com>
References: <491AAD00.6010304@jonkmans.com>
Message-ID: <1226615169.6662.6.camel@arodgers-panasonic>

We had a couple of hits on 2008764 ET POLICY Rar Requested but Received Something Else (2) that look like this:

SRC: GET /2008rar2/pr/pr410.rar HTTP/1.0
SRC: Accept: */*
SRC: Accept-Language: en-CA
SRC: Referer: http://www.tv-video.net/swf/prison/prison410.swf
SRC: x-flash-version: 9,0,124,0
SRC: UA-CPU: x86
SRC: Accept-Encoding: gzip, deflate
SRC: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)
SRC: Host: 85.17.182.71
SRC: Via: 1.1 squid.dnv.ca:3128 (squid/2.5.STABLE6)
SRC: X-Forwarded-For: 204.239.8.66
SRC: Cache-Control: max-age=259200
SRC: Connection: keep-alive

Not sure if this is related or not - pcaps available if interested......

CP

On Wed, 2008-11-12 at 05:16 -0500, Matt Jonkman wrote:
> Our class in Vienna found something interesting.
>
> HTTP/1.1 200 OK
> Content-Length: 13708
> Content-Type: image/gif
> Last-Modified: Sat, 25 Oct 2008 02:13:00 GMT
> Accept-Ranges: bytes
> ETag: "1c3c1d344736c91:a23"
> Server: Microsoft-IIS/6.0
> X-Powered-By: ASP.NET
> Date: Sat, 25 Oct 2008 07:48:31 GMT
>
> Rar!.....s.....
>
>
> Malware requesting a gif, server reporting it's sending a gif, but the
> file is actually a rar archive. The rule below should detect, please
> test and let us know how this goes. We'll look at other filetypes if
> this continues to prove reliable!
>
>
> alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image"; flow:established,from_server; content:"Content-Type\: image/"; content:"|0d 0a|Rar!"; classtype: trojan-activity; sid:2008754; rev:1;)
>
> Matt
>
>

From jonkman at jonkmans.com Thu Nov 13 17:33:40 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 13 Nov 2008 17:33:40 -0500
Subject: [Emerging-Sigs] Correction of rule
In-Reply-To: <491c7cae7173a_3b99155555587eb4998@winter23.tmail>
References: <491c7cae7173a_3b99155555587eb4998@winter23.tmail>
Message-ID: <491CAB44.5000508@jonkmans.com>

Appreciate the update. What was the change due to?

Matt

staneyre wrote:
> #By Sandro Reis
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 35 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; sid:2008748; rev:2;)
>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Thu Nov 13 17:29:55 2008
From: jonkman at jonkmans.com (jonkman@jonkmans.com)
Date: Thu, 13 Nov 2008 22:29:55 +0000
Subject: [Emerging-Sigs] Interesting: Gif/rar
In-Reply-To: <1226615169.6662.6.camel@arodgers-panasonic>
References: <491AAD00.6010304@jonkmans.com> <1226615169.6662.6.camel@arodgers-panasonic>
Message-ID: <1498547973-1226615429-cardhu_decombobulator_blackberry.rim.net-1888054275-@bxe310.bisx.prod.on.blackberry>

How does the
payload start off?

Matt

Sent via BlackBerry by AT&T

-----Original Message-----
From: CunningPike
Date: Thu, 13 Nov 2008 14:26:09
Subject: Re: [Emerging-Sigs] Interesting: Gif/rar

We had a couple of hits on 2008764 ET POLICY Rar Requested but Received Something Else (2) that look like this:

SRC: GET /2008rar2/pr/pr410.rar HTTP/1.0
SRC: Accept: */*
SRC: Accept-Language: en-CA
SRC: Referer: http://www.tv-video.net/swf/prison/prison410.swf
SRC: x-flash-version: 9,0,124,0
SRC: UA-CPU: x86
SRC: Accept-Encoding: gzip, deflate
SRC: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)
SRC: Host: 85.17.182.71
SRC: Via: 1.1 squid.dnv.ca:3128 (squid/2.5.STABLE6)
SRC: X-Forwarded-For: 204.239.8.66
SRC: Cache-Control: max-age=259200
SRC: Connection: keep-alive

Not sure if this is related or not - pcaps available if interested......

CP

On Wed, 2008-11-12 at 05:16 -0500, Matt Jonkman wrote:
> Our class in Vienna found something interesting.
>
> HTTP/1.1 200 OK
> Content-Length: 13708
> Content-Type: image/gif
> Last-Modified: Sat, 25 Oct 2008 02:13:00 GMT
> Accept-Ranges: bytes
> ETag: "1c3c1d344736c91:a23"
> Server: Microsoft-IIS/6.0
> X-Powered-By: ASP.NET
> Date: Sat, 25 Oct 2008 07:48:31 GMT
>
> Rar!.....s.....
>
>
> Malware requesting a gif, server reporting it's sending a gif, but the
> file is actually a rar archive. The rule below should detect, please
> test and let us know how this goes. We'll look at other filetypes if
> this continues to prove reliable!
>
>
> alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image"; flow:established,from_server; content:"Content-Type\: image/"; content:"|0d 0a|Rar!"; classtype: trojan-activity; sid:2008754; rev:1;)
>
> Matt
>
>

From elvishkp at gmail.com Fri Nov 14 13:25:04 2008
From: elvishkp at gmail.com (Anthony Maughan)
Date: Fri, 14 Nov 2008 12:25:04 -0600
Subject: [Emerging-Sigs] Fwd: Re: Snort rules, EmergingThreats rules and Oinkmaster

Forgive my newbie-ness but I followed the instructions below, but am still confused about where to get the source for the Shared Object Rule that matches the netbios.rule. I recompiled with the option, and set the dynamic directory in my snort.conf, but I can't find the source to compile to check for MS08-067.

Thanks.

----- Forwarded message from joel.esler at sourcefire.com -----
Date: Thu, 13 Nov 2008 07:59:40 -0500
From: Joel Esler
Subject: Re: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster
To: The Sun
Cc: emerging-sigs at emergingthreats.net

The rule to detect MS08-067 is a Shared Object rule. You'll need to follow the instructions here: http://www.snort.org/docs/faq/3Q06/node87.html or here: http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1299181,00.html in order to use this rule.

Joel

On Tue, Nov 11, 2008 at 8:59 AM, The Sun wrote:

I am quite new to Snort rule updates and am looking at a simple guide to help me integrate the emergingthreats' rules into my Snort test setup.

My apologies if this is not the right forum for this question, but I am unable to locate information that I am looking for on the emergingthreats.net website.
I already have the rules from snort.org (VRT Certified Rules for Snort v2.8, snortrules-snapshot-2.8.tar.gz). However, they do not seem to pick up the MS08-067 exploit (which I am using as a test case).

Here is what I have done so far.
1. Snort has been set up and works fine - I can detect port scans etc. without problems without any rule changes.
2. I have also downloaded rules from emergingthreats.net and extracted them to /etc/snort/rules where the official rules have also been placed.

3. Now, I edited my snort conf file and included a few rules
include $RULE_PATH/emerging.conf
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/emerging-web.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging.rules
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules

And restarted snort. But that did not detect the exploit.

Is there something else that I need to do?

I also had set up Oinkmaster. Does that work with download of rules from emergingthreats? Or do I have to download via cvs?

Thanks.

----- End forwarded message -----
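Going back to the Gif/rar thread above: the sid:2008754 rule is one instance of a general check, the server's declared Content-Type disagreeing with the first bytes of the body. The Python below is an added example written for this archive, not Emerging Threats code. It parses an HTTP response, sniffs the body's magic bytes, and compares them with the Content-Type header, next to a literal emulation of the posted rule's two content matches. The first response is reconstructed from the headers Matt quoted, with a constructed body that begins with the RAR 1.5-4.x signature (52 61 72 21 1A 07 00, which is what "Rar!....." in his dump is); the other two responses are constructed. It also generalises past RAR to the other magic values one would add next, the "other filetypes" Matt mentioned, and treats any image magic as consistent with any image/* declaration. One gap in the rule as posted shows up directly: its "Content-Type\: image/" match carries no nocase, and HTTP header names are case-insensitive, so a server that writes content-type: in lower case slips past the rule while a header-aware check still flags the same response.

```python
# Magic bytes -> MIME type. The RAR values are the archive signatures; the
# image, PE and ZIP values are the standard file signatures.
MAGIC = [
    (b"Rar!\x1a\x07\x01\x00", "application/x-rar-compressed"),  # RAR 5.x
    (b"Rar!\x1a\x07\x00", "application/x-rar-compressed"),      # RAR 1.5-4.x
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"MZ", "application/x-dosexec"),
    (b"PK\x03\x04", "application/zip"),
]


def split_response(raw):
    """Split a raw HTTP response into (status line, {header: value}, body).
    Header names are lower-cased because HTTP compares them case-insensitively."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete headers")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("ascii", "replace")
    return lines[0], headers, body


def sniff(body):
    """Return the MIME type implied by the body's leading bytes, or None."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None


def sid_2008754_rev1(raw):
    """Literal emulation of the posted rule body: two case-sensitive content
    matches, each allowed to occur anywhere in the packet."""
    return b"Content-Type: image/" in raw and b"\r\nRar!" in raw


def content_type_mismatch(raw):
    """Return (declared, sniffed) when the body's magic contradicts the
    Content-Type header, else None. Only a recognised magic can contradict."""
    _, headers, body = split_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    sniffed = sniff(body)
    if not declared or sniffed is None or declared == sniffed:
        return None
    if declared.startswith("image/") and sniffed.startswith("image/"):
        return None  # a GIF served as image/jpeg is sloppy, not hostile
    return (declared, sniffed)


# Constructed RAR 4.x prefix: signature, then a main-header stub whose type
# byte 0x73 ('s') is the 's' visible in the dump quoted in the thread.
RAR_STUB = b"Rar!\x1a\x07\x00\xcf\x90\x73\x00\x00\x0d\x00"

# Reconstructed from the headers quoted in the thread (body constructed).
GIF_RAR = (b"HTTP/1.1 200 OK\r\nContent-Length: 13708\r\nContent-Type: image/gif\r\n"
           b"Server: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n\r\n" + RAR_STUB)
# Constructed: a genuine GIF, and the same RAR body behind a lower-cased header.
GIF_OK = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a\x01\x00\x01\x00"
LOWER_HDR = b"HTTP/1.1 200 OK\r\ncontent-type: image/gif\r\n\r\n" + RAR_STUB


if __name__ == "__main__":
    for name, resp in (("gif/rar", GIF_RAR), ("gif/ok", GIF_OK), ("lowercase hdr", LOWER_HDR)):
        print(name, "rule:", sid_2008754_rev1(resp), "mismatch:", content_type_mismatch(resp))
```

The check inspects only the bytes right after the blank line, which is what the rule's |0d 0a|Rar! content is approximating; the rule's own port exclusions (!20, !25) and flow:established,from_server are left to Snort, since the point here is the comparison, not the packet selection.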
From emerging at emergingthreats.net Fri Nov 14 16:00:07 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 14 Nov 2008 16:00:07 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081114210007.DAEA34501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Nov 14 16:00:07 2008 [***]

[+++] Added rules: [+++]
2008781 - ET POLICY Set flow on rar file get (emerging-policy.rules)
2008782 - ET POLICY Possible Trojan File Download bad rar file header (not a valid rar file) (emerging-policy.rules)
2008783 - ET POLICY Possible Trojan File Download - Rar Requested but not received (emerging-policy.rules)

[///] Modified active rules: [///]
2008748 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules)

[---] Removed rules: [---]
2001950 - ET POLICY RAR File Outbound (emerging-policy.rules)
2001951 - ET POLICY RAR File Inbound (emerging-policy.rules)
2008761 - ET POLICY Rar File Requested (1) (emerging-policy.rules)
2008762 - ET POLICY Rar File Requested (2) (emerging-policy.rules)
2008763 - ET POLICY Rar Requested but Received Something Else (1) (emerging-policy.rules)
2008764 - ET POLICY Rar Requested but Received Something Else (2) (emerging-policy.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-policy.rules (1):
#by Jeremy at sudosecure
-> Added to emerging-sid-msg.map (3):
2008781 || ET POLICY Set flow on rar file get
2008782 || ET POLICY Possible Trojan File Download bad rar file header (not a valid rar file) || url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162
2008783 || ET POLICY Possible Trojan File Download - Rar Requested but not received || url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162
-> Added to emerging-sid-msg.map.txt (3):
2008781 || ET POLICY Set flow on rar file get
2008782 || ET POLICY Possible Trojan File
Download bad rar file header (not a valid rar file) || url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162
2008783 || ET POLICY Possible Trojan File Download - Rar Requested but not received || url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162

[---] Removed non-rule lines: [---]
-> Removed from emerging-policy.rules (1):
#By Sam Pabon
-> Removed from emerging-sid-msg.map (8):
2001950 || ET POLICY RAR File Outbound
2001951 || ET POLICY RAR File Inbound
2008761 || ET POLICY Rar File Requested (1)
2008762 || ET POLICY Rar File Requested (2)
2008763 || ET POLICY Rar Requested but Received Something Else (1)
2008764 || ET POLICY Rar Requested but Received Something Else (2)
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
-> Removed from emerging-sid-msg.map.txt (8):
2001950 || ET POLICY RAR File Outbound
2001951 || ET POLICY RAR File Inbound
2008761 || ET POLICY Rar File Requested (1)
2008762 || ET POLICY Rar File Requested (2)
2008763 || ET POLICY Rar Requested but Received Something Else (1)
2008764 || ET POLICY Rar Requested but Received Something Else (2)
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org

From phatbuckett at gmail.com Fri Nov 14 17:50:51 2008
From: phatbuckett at gmail.com (Darren Spruell)
Date: Fri, 14 Nov 2008 15:50:51 -0700
Subject: [Emerging-Sigs] Fwd: Re: Snort rules, EmergingThreats rules and Oinkmaster
Message-ID: <839aec700811141450u426bb7f6g114c7ffc0936309c@mail.gmail.com>

On Fri, Nov 14, 2008 at 11:25 AM, Anthony Maughan wrote:
> Forgive my newbie-ness but I followed the instructions below, but am still
> confused about where to get the source for the Shared Object Rule that
> matches the netbios.rule.
I recompiled with the option, and set the dynamic > directory in my snort.conf, but I can't find the source to compile to check > for MS08-067. Might have something to do with the 30-day lag between VRT release and the 30 day release to registered users. At least, I don't see a bit of reference to ms08-067 or 958644 in snortrules-snapshot-2.8.tar.gz. http://snort.org/vrt/ -- Darren Spruell phatbuckett at gmail.com From emerging at emergingthreats.net Sat Nov 15 18:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sat, 15 Nov 2008 18:00:08 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes Message-ID: <20081115230008.86ED445026@goliath.jonkmans.com> [***] Results from Oinkmaster started Sat Nov 15 18:00:08 2008 [***] [+++] Added rules: [+++] 2008740 - ET TROJAN Ligats/DR.Ilomo Agent Post (emerging-virus.rules) 2008741 - ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin (emerging.rules) 2008742 - ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun) (emerging-malware.rules) 2008743 - ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdsclk) (emerging-malware.rules) 2008744 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules) 2008745 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules) 2008746 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules) 2008747 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules) 2008748 - ET POLICY Possible External FreeGate DNS Query (emerging-policy.rules) 2008749 - ET MALWARE Suspicious User-Agent (checkonline) (emerging-malware.rules) 2008750 - ET TROJAN Buzus FTP Log Upload (emerging-virus.rules) 2008751 - ET TROJAN Alureon Checkin (Post) (emerging-virus.rules) 2008752 - ET TROJAN AdWare.Win32.Yokbar User-Agent Detected (YOK Agent) (emerging-virus.rules) 2008753 - ET TROJAN AdWare.Win32.Yokbar Checkin URL (emerging-virus.rules) 2008754 - 
ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image (emerging-malware.rules) 2008755 - ET TROJAN Autorun.qvi Related HTTP Get on Off Port (emerging-virus.rules) 2008756 - ET MALWARE Suspicious User-Agent (Kvadrlson 1.0) (emerging-malware.rules) 2008757 - ET MALWARE Zenosearch Malware Checkin HTTP POST (emerging-malware.rules) 2008758 - ET TROJAN Mcboo.com/Bundlext.com related Trojan Checkin URL (emerging-virus.rules) 2008759 - ET MALWARE Matcash Trojan Related Spyware Code Download (emerging-malware.rules) 2008760 - ET TROJAN Insidebar.co.kr Related Infection Checkin (emerging-virus.rules) 2008765 - ET TROJAN Brontok/Joseray User-Agent Detected (Joseray.A3 Browser) (emerging-virus.rules) 2008766 - ET TROJAN Generic Downloader Checkin Url Detected (emerging-virus.rules) 2008767 - ET TROJAN Kangkio User-Agent (lsosss) (emerging-virus.rules) 2008768 - ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin (emerging.rules) 2008769 - ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response (emerging.rules) 2008770 - ET CURRENT_EVENTS Unknown Trojan P2P Data Download (emerging.rules) 2008771 - ET CURRENT_EVENTS Unknown Trojan P2P Download Request (emerging.rules) 2008772 - ET CURRENT_EVENTS Unknown Trojan P2P Request (emerging.rules) 2008773 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (emerging.rules) 2008774 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) (emerging.rules) 2008775 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) (emerging.rules) 2008776 - ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1 (emerging-exploit.rules) 2008777 - ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2 (emerging-exploit.rules) 2008778 - ET TROJAN Ligats/DR.Ilomo Agent Post (2) (emerging-virus.rules) 2008779 - ET CURRENT_EVENTS Unknown Keepalive up (emerging.rules) 2008780 - ET CURRENT_EVENTS Unknown Keepalive down 
(emerging.rules) 2008781 - ET POLICY Set flow on rar file get (emerging-policy.rules) 2008782 - ET POLICY Possible Trojan File Download bad rar file header (not a valid rar file) (emerging-policy.rules) 2008783 - ET POLICY Possible Trojan File Download - Rar Requested but not received (emerging-policy.rules) [///] Modified active rules: [///] 2000536 - ET SCAN NMAP -sO (emerging-scan.rules) 2000537 - ET SCAN NMAP -sS (emerging-scan.rules) 2000538 - ET SCAN NMAP -sA (1) (emerging-scan.rules) 2000540 - ET SCAN NMAP -sA (2) (emerging-scan.rules) 2000543 - ET SCAN NMAP -f -sF (emerging-scan.rules) 2000544 - ET SCAN NMAP -f -sN (emerging-scan.rules) 2000545 - ET SCAN NMAP -f -sS (emerging-scan.rules) 2000546 - ET SCAN NMAP -f -sX (emerging-scan.rules) 2003607 - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting (emerging-malware.rules) 2008675 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start (emerging-virus.rules) 2008676 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply (emerging-virus.rules) 2008677 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply (emerging-virus.rules) 2008735 - ET MALWARE Suspicious User Agent (FTP) (emerging-malware.rules) 2008737 - ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin (emerging.rules) 2008739 - ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound (emerging.rules) 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 
2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401008 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules) 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules) 2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules) 2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules) 2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules) 2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules) 2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules) 2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules) 2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules) 2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules) 2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules) 2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules) 2404010 - ET DROP Known Bot C&C Server Traffic (group 
11) (emerging-botcc.rules) 2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules) 2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules) 2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules) 2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules) 2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules) 2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules) 2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules) 2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules) 2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules) 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE 
(emerging-botcc-BLOCK.rules) 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) [---] Removed rules: [---] 2001950 - ET POLICY RAR File Outbound (emerging-policy.rules) 2001951 - ET POLICY RAR File Inbound (emerging-policy.rules) 2002968 - ET MALWARE Matcash.com Spyware Code Download (emerging-malware.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-drop-BLOCK.rules (2): # VERSION 1359 # Generated 2008-11-15 00:03:02 EDT -> Added to emerging-drop.rules (2): # VERSION 1359 # Generated 2008-11-15 00:03:02 EDT -> Added to emerging-exploit.rules (2): #by Veerendra # 10/11/2008 GuildFTPd CWD and LIST Command Heap Overflow Attack. 
-> Added to emerging-malware.rules (1): #from vienna -> Added to emerging-policy.rules (2): #by Sandro Reis #by Jeremy at sudosecure -> Added to emerging-sid-msg.map (52): 2000536 || ET SCAN NMAP -sO 2000537 || ET SCAN NMAP -sS 2000538 || ET SCAN NMAP -sA (1) 2000540 || ET SCAN NMAP -sA (2) 2000543 || ET SCAN NMAP -f -sF 2000544 || ET SCAN NMAP -f -sN 2000545 || ET SCAN NMAP -f -sS 2000546 || ET SCAN NMAP -f -sX 2008737 || ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin 2008739 || ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound 2008740 || ET TROJAN Ligats/DR.Ilomo Agent Post 2008741 || ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin 2008742 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun) 2008743 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdsclk) 2008744 || ET POLICY Possible External FreeGate DNS Query 2008745 || ET POLICY Possible External FreeGate DNS Query 2008746 || ET POLICY Possible External FreeGate DNS Query 2008747 || ET POLICY Possible External FreeGate DNS Query 2008748 || ET POLICY Possible External FreeGate DNS Query 2008749 || ET MALWARE Suspicious User-Agent (checkonline) 2008750 || ET TROJAN Buzus FTP Log Upload 2008751 || ET TROJAN Alureon Checkin (Post) 2008752 || ET TROJAN AdWare.Win32.Yokbar User-Agent Detected (YOK Agent) 2008753 || ET TROJAN AdWare.Win32.Yokbar Checkin URL 2008754 || ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image 2008755 || ET TROJAN Autorun.qvi Related HTTP Get on Off Port 2008756 || ET MALWARE Suspicious User-Agent (Kvadrlson 1.0) 2008757 || ET MALWARE Zenosearch Malware Checkin HTTP POST 2008758 || ET TROJAN Mcboo.com/Bundlext.com related Trojan Checkin URL 2008759 || ET MALWARE Matcash Trojan Related Spyware Code Download 2008760 || ET TROJAN Insidebar.co.kr Related Infection Checkin 2008765 || ET TROJAN Brontok/Joseray User-Agent Detected (Joseray.A3 Browser) 2008766 || ET TROJAN Generic Downloader 
Checkin Url Detected 2008767 || ET TROJAN Kangkio User-Agent (lsosss) 2008768 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin 2008769 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response 2008770 || ET CURRENT_EVENTS Unknown Trojan P2P Data Download 2008771 || ET CURRENT_EVENTS Unknown Trojan P2P Download Request 2008772 || ET CURRENT_EVENTS Unknown Trojan P2P Request 2008773 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008774 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008775 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008776 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1 || bugtraq,31729 || cve,CVE-2008-4572 || url,milw0rm.com/exploits/6738 2008777 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2 || bugtraq,31729 || cve,CVE-2008-4572 || url,milw0rm.com/exploits/6738 2008778 || ET TROJAN Ligats/DR.Ilomo Agent Post (2) 2008779 || ET CURRENT_EVENTS Unknown Keepalive up 2008780 || ET CURRENT_EVENTS Unknown Keepalive down 2008781 || ET POLICY Set flow on rar file get 2008782 || ET POLICY Possible Trojan File Download bad rar file header (not a valid rar file) || url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162 2008783 || ET POLICY Possible Trojan File Download - Rar Requested but not received || url, 
www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162 2500055 || ET COMPROMISED Known Compromised or Hostile Host Traffic (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (52): 2000536 || ET SCAN NMAP -sO 2000537 || ET SCAN NMAP -sS 2000538 || ET SCAN NMAP -sA (1) 2000540 || ET SCAN NMAP -sA (2) 2000543 || ET SCAN NMAP -f -sF 2000544 || ET SCAN NMAP -f -sN 2000545 || ET SCAN NMAP -f -sS 2000546 || ET SCAN NMAP -f -sX 2008737 || ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin 2008739 || ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound 2008740 || ET TROJAN Ligats/DR.Ilomo Agent Post 2008741 || ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin 2008742 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdwinrun) 2008743 || ET MALWARE Suspicious User Agent - Possible Admoke Admware (bdsclk) 2008744 || ET POLICY Possible External FreeGate DNS Query 2008745 || ET POLICY Possible External FreeGate DNS Query 2008746 || ET POLICY Possible External FreeGate DNS Query 2008747 || ET POLICY Possible External FreeGate DNS Query 2008748 || ET POLICY Possible External FreeGate DNS Query 2008749 || ET MALWARE Suspicious User-Agent (checkonline) 2008750 || ET TROJAN Buzus FTP Log Upload 2008751 || ET TROJAN Alureon Checkin (Post) 2008752 || ET TROJAN AdWare.Win32.Yokbar User-Agent Detected (YOK Agent) 2008753 || ET TROJAN AdWare.Win32.Yokbar Checkin URL 2008754 || ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image 2008755 || ET TROJAN Autorun.qvi Related HTTP Get on Off Port 2008756 || ET MALWARE Suspicious User-Agent (Kvadrlson 1.0) 2008757 || ET MALWARE Zenosearch Malware Checkin HTTP POST 2008758 || ET TROJAN Mcboo.com/Bundlext.com related Trojan Checkin URL 2008759 || ET MALWARE Matcash Trojan 
Related Spyware Code Download 2008760 || ET TROJAN Insidebar.co.kr Related Infection Checkin 2008765 || ET TROJAN Brontok/Joseray User-Agent Detected (Joseray.A3 Browser) 2008766 || ET TROJAN Generic Downloader Checkin Url Detected 2008767 || ET TROJAN Kangkio User-Agent (lsosss) 2008768 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin 2008769 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response 2008770 || ET CURRENT_EVENTS Unknown Trojan P2P Data Download 2008771 || ET CURRENT_EVENTS Unknown Trojan P2P Download Request 2008772 || ET CURRENT_EVENTS Unknown Trojan P2P Request 2008773 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008774 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008775 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008776 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1 || bugtraq,31729 || cve,CVE-2008-4572 || url,milw0rm.com/exploits/6738 2008777 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2 || bugtraq,31729 || cve,CVE-2008-4572 || url,milw0rm.com/exploits/6738 2008778 || ET TROJAN Ligats/DR.Ilomo Agent Post (2) 2008779 || ET CURRENT_EVENTS Unknown Keepalive up 2008780 || ET CURRENT_EVENTS Unknown Keepalive down 2008781 || ET POLICY Set flow on rar file get 2008782 || ET POLICY Possible Trojan File Download bad rar file header 
(not a valid rar file) || url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162 2008783 || ET POLICY Possible Trojan File Download - Rar Requested but not received || url, www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162 2500055 || ET COMPROMISED Known Compromised or Hostile Host Traffic (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-virus.rules (1): #these are mcboo.com and bundlext.com related. David Yawsa registrant -> Added to emerging.rules (8): #by Veererendra # 10/11/2008 Activation Key Malware - Trojan horse #many sources #from Vienna with love #re 60fa2ff79411dd1cb829e8a966aa86fc #Unknown so far, no AV coverage, appears to be peer to peer #moves to 7090 in samples #moved to 5622 in samples [---] Removed non-rule lines: [---] -> Removed from emerging-drop-BLOCK.rules (2): # VERSION 1352 # Generated 2008-11-08 00:03:02 EDT -> Removed from emerging-drop.rules (2): # VERSION 1352 # Generated 2008-11-08 00:03:02 EDT -> Removed from emerging-policy.rules (1): #By Sam Pabon -> Removed from emerging-sid-msg.map (13): 2000536 || ET SCAN NMAP -sO || arachnids,162 2000537 || ET SCAN NMAP -sS || arachnids,162 2000538 || ET SCAN NMAP -sA (1) || arachnids,162 2000540 || ET SCAN NMAP -sA (2) || arachnids,162 2000543 || ET SCAN NMAP -f -sF || arachnids,162 2000544 || ET SCAN NMAP -f -sN || arachnids,162 2000545 || ET SCAN NMAP -f -sS || arachnids,162 2000546 || ET SCAN NMAP -f -sX || arachnids,162 2001950 || ET POLICY RAR File Outbound 2001951 || ET POLICY RAR File Inbound 2002968 || ET MALWARE Matcash.com Spyware Code Download || url,matcash.com 2008737 || ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin 2008739 || ET CURRENT_EVENTS MS08067 Worm Traffic Outbound -> Removed from emerging-sid-msg.map.txt (13): 2000536 || ET SCAN NMAP -sO || arachnids,162 2000537 || ET 
SCAN NMAP -sS || arachnids,162 2000538 || ET SCAN NMAP -sA (1) || arachnids,162 2000540 || ET SCAN NMAP -sA (2) || arachnids,162 2000543 || ET SCAN NMAP -f -sF || arachnids,162 2000544 || ET SCAN NMAP -f -sN || arachnids,162 2000545 || ET SCAN NMAP -f -sS || arachnids,162 2000546 || ET SCAN NMAP -f -sX || arachnids,162 2001950 || ET POLICY RAR File Outbound 2001951 || ET POLICY RAR File Inbound 2002968 || ET MALWARE Matcash.com Spyware Code Download || url,matcash.com 2008737 || ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin 2008739 || ET CURRENT_EVENTS MS08067 Worm Traffic Outbound From dxp2532 at gmail.com Sat Nov 15 23:03:11 2008 From: dxp2532 at gmail.com (dxp) Date: Sat, 15 Nov 2008 23:03:11 -0500 Subject: [Emerging-Sigs] Detecting Windows executables Message-ID: <1226808191.6140.8.camel@kinta> http://dxp2532.blogspot.com/2008/11/detecting-packedcrypted-executables.html The following regular rule worked fine for me so far. If anyone is willing to try the dynamic (SO) rule then I'd love to hear your feedback. Dynamic (SO) Rule ---------------------------- http://www.geocities.com/dxp2532/snort_so_pe.tgz Standard Rule ---------------------- alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Executable download"; flow:established,from_server; content:"MZ"; content:"PE|00 00|"; within:512; sid:XXXXXX; rev:1;) - -=[ dxp ]=- 0xA3F3C6E3 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081115/4008dc13/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... 
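dxp's standard rule matches "MZ" anywhere in the server-to-client stream and then "PE|00 00|" within 512 bytes of it. The Python below is an added example, not code from dxp's post or from the SO rule in the tarball: it emulates that two-content match (my reading of Snort's within semantics, including the retry from the next "MZ" when the first window holds no PE signature) beside the structural check a real PE parser makes, reading e_lfanew at 0x3C and requiring "PE\0\0" at that offset, and runs both over constructed byte blobs (none of them real executables or captured traffic). The function names and sample blobs are mine.

```python
import struct

MZ = b"MZ"                 # DOS header magic; the rule's first content match
PE_SIG = b"PE\x00\x00"     # the rule's second content: "PE|00 00|"
WITHIN = 512               # the rule's within:512
E_LFANEW_OFFSET = 0x3C     # offset of e_lfanew in the DOS header


def rule_matches(payload: bytes, within: int = WITHIN) -> bool:
    """Emulate the posted rule's two content matches on one payload.

    Assumption about Snort semantics: "PE|00 00|" with within:512 must lie
    entirely inside the 512 bytes that follow the end of the "MZ" match, and
    when that window has no PE signature Snort retries from the next "MZ".
    """
    start = 0
    while True:
        mz = payload.find(MZ, start)
        if mz == -1:
            return False
        window_start = mz + len(MZ)
        if PE_SIG in payload[window_start:window_start + within]:
            return True
        start = mz + 1


def pe_header_offset(payload: bytes):
    """Structural check a PE parser does instead of a byte search.

    Returns the PE signature offset when the payload starts with "MZ" and the
    32-bit little-endian e_lfanew field at 0x3C points at "PE\\0\\0";
    returns None otherwise (a slice past the end never equals PE_SIG).
    """
    if not payload.startswith(MZ) or len(payload) < E_LFANEW_OFFSET + 4:
        return None
    (e_lfanew,) = struct.unpack_from("<I", payload, E_LFANEW_OFFSET)
    if payload[e_lfanew:e_lfanew + len(PE_SIG)] != PE_SIG:
        return None
    return e_lfanew


def build_pe_stub(e_lfanew: int) -> bytes:
    """Construct a minimal DOS-header-plus-PE-signature blob.

    Test data only: zero-filled apart from the fields the checks look at,
    so it is not a loadable executable.
    """
    blob = bytearray(max(0x40, e_lfanew + len(PE_SIG)))
    blob[0:2] = MZ
    struct.pack_into("<I", blob, E_LFANEW_OFFSET, e_lfanew)
    blob[e_lfanew:e_lfanew + len(PE_SIG)] = PE_SIG
    return bytes(blob)


# Constructed samples (assumptions, not captured traffic).
SAMPLES = {
    # ordinary layout: PE header right after a short DOS stub
    "typical_pe": build_pe_stub(0x80),
    # oversized DOS stub pushes the PE signature past the 512-byte window
    "big_dos_stub": build_pe_stub(0x400),
    # non-PE bytes that happen to carry both patterns close together
    "bytes_false_positive": (b"\x89PNG\r\n\x1a\n" + b"AMZN" + b"x" * 40
                             + b"PE\x00\x00" + b"\x00" * 16),
}


def classify(payload: bytes) -> dict:
    """Side-by-side verdict of the byte-search rule and the structural check."""
    return {
        "rule": rule_matches(payload),
        "structural": pe_header_offset(payload) is not None,
    }


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:22s} {classify(blob)}")
```

The constructed samples show the trade-off the thread is circling: an executable whose DOS stub pushes the PE header more than about 510 bytes past "MZ" falls outside the within:512 window and the byte-search rule misses it, while non-PE data that happens to carry both byte patterns close together trips the rule but fails the structural check. Following e_lfanew is the kind of logic a dynamic (SO) rule can afford and a content/within pair cannot express.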
From joel.esler at sourcefire.com Mon Nov 17 09:06:13 2008
From: joel.esler at sourcefire.com (Joel Esler)
Date: Mon, 17 Nov 2008 09:06:13 -0500
Subject: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster
References: <314cf0830811130459k2867fb6ep42983be2dd9376a@mail.gmail.com>
Message-ID: <4112A0FF-9F73-4E60-AF8A-B806A551638B@sourcefire.com>

Looks like this is the portion you need to focus on. The Techtarget article will show you how to solve this. I am about to walk out the door for a meeting.

J

On Nov 17, 2008, at 7:52 AM, The Sun wrote:
> After this:
> Rule application order: activation->dynamic->pass->drop->alert->log
> Log directory = /var/log/snort
> Encoded Rule Plugin SID: 13922, GID: 3 not registered properly.
> Disabling this rule.
> Encoded Rule Plugin SID: 13476, GID: 3 not registered properly.
> Disabling this rule.
> Encoded Rule Plugin SID: 13308, GID: 3 not registered properly.
> Disabling this rule.

--
Joel Esler [m]

From jonkman at jonkmans.com Mon Nov 17 10:37:26 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 17 Nov 2008 10:37:26 -0500
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To: <1226808191.6140.8.camel@kinta>
References: <1226808191.6140.8.camel@kinta>
Message-ID: <49218FB6.8070707@jonkmans.com>

Interesting, what kind of performance difference do you see with the dynamic sig?

Matt

dxp wrote:
> http://dxp2532.blogspot.com/2008/11/detecting-packedcrypted-executables.html
>
> The following regular rule worked fine for me so far. If anyone is
> willing to try the dynamic (SO) rule then I'd love to hear your feedback.
>
> Dynamic (SO) Rule
> ----------------------------
> http://www.geocities.com/dxp2532/snort_so_pe.tgz
>
> Standard Rule
> ----------------------
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Executable
> download"; flow:established,from_server; content:"MZ"; content:"PE|00
> 00|"; within:512; sid:XXXXXX; rev:1;)
>
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From dxp2532 at gmail.com Mon Nov 17 09:51:56 2008
From: dxp2532 at gmail.com (dxp)
Date: Mon, 17 Nov 2008 09:51:56 -0500
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To: <49218FB6.8070707@jonkmans.com>
References: <1226808191.6140.8.camel@kinta> <49218FB6.8070707@jonkmans.com>
Message-ID: <1226933516.6553.2.camel@kinta>

I have not completely tested the performance yet. I don't think it should cause any issues since the logic of the rule is small and simple. I'll try to get some timing numbers this week.

-
-=[ dxp ]=-
0xA3F3C6E3

On Mon, 2008-11-17 at 10:37 -0500, Matt Jonkman wrote:
> Interesting, what kind of performance difference do you see with the
> dynamic sig?
>
> Matt
>
> dxp wrote:
> > http://dxp2532.blogspot.com/2008/11/detecting-packedcrypted-executables.html
> >
> > The following regular rule worked fine for me so far. If anyone is
> > willing to try the dynamic (SO) rule then I'd love to hear your feedback.
> >
> > Dynamic (SO) Rule
> > ----------------------------
> > http://www.geocities.com/dxp2532/snort_so_pe.tgz
> >
> > Standard Rule
> > ----------------------
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Executable
> > download"; flow:established,from_server; content:"MZ"; content:"PE|00
> > 00|"; within:512; sid:XXXXXX; rev:1;)
> >
> > -
> >
> > -=[ dxp ]=-
> > 0xA3F3C6E3
> >
> > ------------------------------------------------------------------------

From emerging at emergingthreats.net Mon Nov 17 16:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 17 Nov 2008 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081117210009.173EE45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Nov 17 16:00:09 2008 [***]

[///] Modified active rules: [///]
2002750 - ET POLICY Reserved IP Space Traffic - Bogon Nets 2 (emerging-policy.rules)
2002751 - ET POLICY Reserved IP Space Traffic - Bogon Nets 3 (emerging-policy.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-sid-msg.map (2):
2500056 || ET COMPROMISED Known Compromised or Hostile Host Traffic (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510056 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
-> Added to emerging-sid-msg.map.txt (2):
2500056 || ET COMPROMISED Known Compromised or Hostile Host Traffic (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510056 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From signatures at stillsecure.com Tue Nov 18 07:25:34 2008
From: signatures at stillsecure.com (signatures)
Date: Tue, 18 Nov 2008 05:25:34 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov-18-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2910@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. Aj Square RSS Reader url SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Aj Square RSS Reader url SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/EditUrl.php?"; nocase; uricontent:"url="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32413/; reference:url,milw0rm.com/exploits/6856; sid:10025; rev:1;)

2. PozScripts Classified Auctions id parameter SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PozScripts Classified Auctions id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/gotourl.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6839; reference:url,secunia.com/advisories/32373; sid:10027; rev:1;)

3. All In One Control Panel poll_id parameter SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"All In One Control Panel poll_id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cp_polls_results.php?"; nocase; uricontent:"poll_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6854; reference:url,secunia.com/advisories/32431; sid:10028; rev:1;)

4. e107 BLOG Engine macgurublog.php uid Parameter SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"e107 BLOG Engine macgurublog.php uid Parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/macgurublog.php?"; nocase; uricontent:"uid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,29344; reference:url,milw0rm.com/exploits/6856; sid:10029; rev:1;)

5. SFS Ez Forum forum Parameter SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SFS Ez Forum forum Parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/forum.php?"; nocase; uricontent:"forum="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32397/; reference:url,milw0rm.com/exploits/6843; sid:10030; rev:1;)

6. DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; flow:to_client,established; content:"CLSID"; nocase; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase; distance:0; pcre:"/(LogFile|ClearLogFile|SaveToFile)/i"; classtype:web-application-attack; reference:bugtraq,31907; reference:url,milw0rm.com/exploits/6828; sid:10031; rev:1;)

7. DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; nocase; distance:0; content:"0x400000"; distance:0; content:"ImageURL"; nocase; classtype:web-application-attack; reference:bugtraq,31987; reference:url,milw0rm.com/exploits/6878; sid:10032; rev:1;)

8. Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A"; nocase; distance:0; content:"savePageAsBitmap"; nocase; classtype:web-application-attack; reference:bugtraq,31984; reference:url,milw0rm.com/exploits/6875; sid:10033; rev:1;)

9. Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service"; flow:to_client,established; content:"CLSID"; nocase; content:"7233D6F8-AD31-440F-BAF0-9E7A292A53DA"; nocase; distance:0; content:"GetEntryPointForThread"; nocase; classtype:web-application-attack; reference:bugtraq,31996; sid:10037; rev:1;)

10. SFS EZ BIZ PRO track.php id Parameter Remote SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SFS EZ BIZ PRO track.php id Parameter Remote SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/track.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; distance:0; classtype:web-application-attack; reference:url,secunia.com/advisories/32552/; reference:url,milw0rm.com/exploits/6910; sid:10038; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure

From jonkman at jonkmans.com Tue Nov 18 10:24:11 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 18 Nov 2008 10:24:11 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov-18-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2910@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2910@webmail.latis.com>
Message-ID: <4922DE1B.4000705@jonkmans.com>

Great sigs gentlemen, many thanks. Posting them now. Many thanks to Stillsecure as well!

Matt

signatures wrote:
> Hi Matt,
>
> Please find 10 New Signatures below:
>
> *1. **Aj Square RSS Reader url SQL Injection *
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Aj Square
> RSS Reader url SQL Injection"; flow:established,to_server; content:"GET
> "; depth:4; uricontent:"/EditUrl.php?"; nocase; uricontent:"url=";
> nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/32413/;
> reference:url,milw0rm.com/exploits/6856; sid:10025; rev:1;)
>
> *2.
**PozScripts Classified Auctions id parameter SQL Injection * > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS > (msg:"PozScripts Classified Auctions id parameter SQL Injection"; > flow:to_server,established; content:"GET "; depth:4; > uricontent:"/gotourl.php?"; nocase; uricontent:"id="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:url,milw0rm.com/exploits/6839; > reference:url,secunia.com/advisories/32373; sid:10027; rev:1;) > > > > *3. **All In One Control Panel poll_id parameter SQL Injection * > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"All In > One Control Panel poll_id parameter SQL Injection"; > flow:to_server,established; content:"GET "; depth:4; > uricontent:"/cp_polls_results.php?"; nocase; uricontent:"poll_id="; > nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:url,milw0rm.com/exploits/6854; > reference:url,secunia.com/advisories/32431; sid:10028; rev:1;) > > > > *4. **e107 BLOG Engine macgurublog.php uid Parameter SQL Injection * > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"e107 BLOG > Engine macgurublog.php uid Parameter SQL Injection"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/macgurublog.php?"; nocase; uricontent:"uid="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:bugtraq,29344; reference:url,milw0rm.com/exploits/6856; > sid:10029; rev:1;) > > > > *5. 
**SFS Ez Forum forum Parameter SQL Injection * > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SFS Ez > Forum forum Parameter SQL Injection"; flow:established,to_server; > content:"GET "; depth:4; uricontent:"/forum.php?"; nocase; > uricontent:"forum="; nocase; uricontent:"UNION"; nocase; > uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; > classtype:web-application-attack; > reference:url,secunia.com/advisories/32397/; > reference:url,milw0rm.com/exploits/6843; sid:10030; rev:1;) > > > > *6. **DB Software Laboratory VImpX.ocx ActiveX Control Multiple > Insecure Methods * > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DB Software > Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; > flow:to_client,established; content:"CLSID"; nocase; > content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase; distance:0; > pcre:"/(LogFile|ClearLogFile|SaveToFile)/i"; > classtype:web-application-attack; reference:bugtraq,31907; > reference:url,milw0rm.com/exploits/6828; sid:10031; rev:1;) > > > > *7. **DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer > Overflow * > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DjVu > DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow"; > flow:to_client,established; content:"CLSID"; nocase; > content:"4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; nocase; distance:0; > content:"0x400000"; distance:0; content:"ImageURL"; nocase; > classtype:web-application-attack; reference:bugtraq,31987; > reference:url,milw0rm.com/exploits/6878; sid:10032; rev:1;) > > > > *8. 
**Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File > Overwrite * > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Visagesoft > eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite"; > flow:to_client,established; content:"CLSID"; nocase; > content:"BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A"; nocase; distance:0; > content:"savePageAsBitmap"; nocase; classtype:web-application-attack; > reference:bugtraq,31984; reference:url,milw0rm.com/exploits/6875; > sid:10033; rev:1;) > > > > *9. **Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote > Denial of Service * > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Microsoft > DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service"; > flow:to_client,established; content:"CLSID"; nocase; > content:"7233D6F8-AD31-440F-BAF0-9E7A292A53DA"; nocase; distance:0; > content:"GetEntryPointForThread"; nocase; > classtype:web-application-attack; reference:bugtraq,31996; sid:10037; > rev:1;) > > > > *10. **SFS EZ BIZ PRO track.php id Parameter Remote SQL Injection * > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SFS EZ > BIZ PRO track.php id Parameter Remote SQL Injection"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/track.php?"; nocase; uricontent:"id="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; distance:0; > classtype:web-application-attack; > reference:url,secunia.com/advisories/32552/; > reference:url,milw0rm.com/exploits/6910; sid:10038; rev:1;) > > > > Looking forward for your comments if any... 
> > > Thanks & Regards, > StillSecure > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Tue Nov 18 10:54:20 2008 From: jonkman at jonkmans.com (Matt Jonkman) Date: Tue, 18 Nov 2008 10:54:20 -0500 Subject: [Emerging-Sigs] SidReporter 1.0.1 Available Message-ID: <4922E52C.9050402@jonkmans.com> A minor fix to SidReporter has been released. This was a minor change to handle an occasional perl error regarding use of an uninitialized variable. http://www.emergingthreats.net/sidreporter/sidreporter-1.0.1.tar.gz If you weren't having an issue you don't need to upgrade. Thanks to everyone that is submitting data! Generic results are available here: http://www.emergingthreats.net/index.php/sidreporter-statistics.html More detailed, and individual statistics are forthcoming. Input welcome there! Matt -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From mcholste at gmail.com Tue Nov 18 14:15:14 2008 From: mcholste at gmail.com (Martin Holste) Date: Tue, 18 Nov 2008 13:15:14 -0600 Subject: [Emerging-Sigs] Detecting Windows executables Message-ID: On a related note, check out the possible evasion technique of padding the PE header 512 bytes from this rogue anti-virus download (MD5 :b1186e40473ebfe57d2738b02504eea1). 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK. 
0a 44 61 74 65 3a 20 54 75 65 2c 20 31 38 20 4e .Date: Tue, 18 N
6f 76 20 32 30 30 38 20 31 33 3a 30 33 3a 35 33 ov 2008 13:03:53
20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70  GMT..Server: Ap
61 63 68 65 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 ache..Last-Modif
69 65 64 3a 20 54 75 65 2c 20 31 38 20 4e 6f 76 ied: Tue, 18 Nov
20 32 30 30 38 20 31 30 3a 33 37 3a 32 39 20 47  2008 10:37:29 G
4d 54 0d 0a 45 54 61 67 3a 20 22 37 38 66 66 39 MT..ETag: "78ff9
2d 32 38 30 30 30 2d 34 35 62 66 34 34 38 33 64 -28000-45bf4483d
63 63 34 30 22 0d 0a 41 63 63 65 70 74 2d 52 61 cc40"..Accept-Ra
6e 67 65 73 3a 20 62 79 74 65 73 0d 0a 43 6f 6e nges: bytes..Con
74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 36 33 tent-Length: 163
38 34 30 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a 840..Keep-Alive:
20 74 69 6d 65 6f 75 74 3d 35 2c 20 6d 61 78 3d  timeout=5, max=
34 39 39 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 499..Connection:
20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e  Keep-Alive..Con
74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 tent-Type: appli
63 61 74 69 6f 6e 2f 78 2d 6d 73 64 6f 77 6e 6c cation/x-msdownl
6f 61 64 0d 0a 0d 0a 4d 5a 50 00 02 00 00 00 04 oad....MZP......
00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 ...............@
00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 02 00 00 ba 10 00 0e 1f b4 09 cd 21 ...............!
b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 ..L.!..This prog
72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 ram must be run 
75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 08 95 00 under Win32.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 84 .......PE..L....

Or this one padded to 256 bytes (MD5: 174685c2d8e38d34dfbe522faadceed4)

00000000 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 |MZP.............|
00000010 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 |........@.......|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 |................|
00000040 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 |........!..L.!..|
00000050 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 |This program mus|
00000060 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 |t be run under W|
00000070 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 |in32..$7........|
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000100 50 45 00 00 4c 01 03 00 19 5e 42 2a 00 00 00 00 |PE..L....^B*....|

Is the magic byte offset due to the packer being used, or is this a deliberate attempt to evade detection? Now here's another thought: if this comes via HTTP and you're running the HTTP preprocessor, what is your server flow depth set at? If it's not at 0, there's a good chance you're missing a lot of this. And with no stream reassembly on HTTP preprocessed packets, good luck detecting anything padded over your MTU. So, does anyone know if using the dynamic SO rules would preempt the HTTP preprocessor and mitigate this problem?

--Martin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081118/035b19dd/attachment.html

From brad at stillsecure.com Tue Nov 18 14:42:29 2008
From: brad at stillsecure.com (Brad Doctor)
Date: Tue, 18 Nov 2008 12:42:29 -0700
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To:
Message-ID:

More than you ever wanted to know about PECOFF: http://www.microsoft.com/whdc/system/platform/firmware/pecoff.mspx

-brad

On 11/18/08 12:15 PM, "Martin Holste" wrote:

> On a related note, check out the possible evasion technique of padding the PE header 512 bytes from this rogue anti-virus download (MD5: b1186e40473ebfe57d2738b02504eea1).
>
> 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
> 0a 44 61 74 65 3a 20 54 75 65 2c 20 31 38 20 4e .Date: Tue, 18 N
> 6f 76 20 32 30 30 38 20 31 33 3a 30 33 3a 35 33 ov 2008 13:03:53
> 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70  GMT..Server: Ap
> 61 63 68 65 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 ache..Last-Modif
> 69 65 64 3a 20 54 75 65 2c 20 31 38 20 4e 6f 76 ied: Tue, 18 Nov
> 20 32 30 30 38 20 31 30 3a 33 37 3a 32 39 20 47  2008 10:37:29 G
> 4d 54 0d 0a 45 54 61 67 3a 20 22 37 38 66 66 39 MT..ETag: "78ff9
> 2d 32 38 30 30 30 2d 34 35 62 66 34 34 38 33 64 -28000-45bf4483d
> 63 63 34 30 22 0d 0a 41 63 63 65 70 74 2d 52 61 cc40"..Accept-Ra
> 6e 67 65 73 3a 20 62 79 74 65 73 0d 0a 43 6f 6e nges: bytes..Con
> 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 36 33 tent-Length: 163
> 38 34 30 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a 840..Keep-Alive:
> 20 74 69 6d 65 6f 75 74 3d 35 2c 20 6d 61 78 3d  timeout=5, max=
> 34 39 39 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 499..Connection:
> 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e  Keep-Alive..Con
> 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 tent-Type: appli
> 63 61 74 69 6f 6e 2f 78 2d 6d 73 64 6f 77 6e 6c cation/x-msdownl
> 6f 61 64 0d 0a 0d 0a 4d 5a 50 00 02 00 00 00 04 oad....MZP......
> 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 ...............@
> 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 02 00 00 ba 10 00 0e 1f b4 09 cd 21 ...............!
> b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 ..L.!..This prog
> 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 ram must be run 
> 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 08 95 00 under Win32.....
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 84 .......PE..L....
>
> Or this one padded to 256 bytes (MD5: 174685c2d8e38d34dfbe522faadceed4)
>
> 00000000 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 |MZP.............|
> 00000010 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 |........@.......|
> 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 |................|
> 00000040 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 |........!..L.!..|
> 00000050 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 |This program mus|
> 00000060 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 |t be run under W|
> 00000070 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 |in32..$7........|
> 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> 00000100 50 45 00 00 4c 01 03 00 19 5e 42 2a 00 00 00 00 |PE..L....^B*....|
>
> Is the magic byte offset due to the packer being used, or is this a deliberate attempt to evade detection? Now here's another thought: if this comes via HTTP and you're running the HTTP preprocessor, what is your server flow depth set at? If it's not at 0, there's a good chance you're missing a lot of this. And with no stream reassembly on HTTP preprocessed packets, good luck detecting anything padded over your MTU. So, does anyone know if using the dynamic SO rules would preempt the HTTP preprocessor and mitigate this problem?
>
> --Martin
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081118/cf39aa25/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s Type: application/pkcs7-signature Size: 3482 bytes Desc: not available Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081118/cf39aa25/smime-0001.bin From emerging at emergingthreats.net Tue Nov 18 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Tue, 18 Nov 2008 16:00:08 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081118210008.BD77045026@goliath.jonkmans.com> [***] Results from Oinkmaster started Tue Nov 18 16:00:08 2008 [***] [+++] Added rules: [+++] 2008768 - ET POLICY Unknown Trojan P2P Initial Checkin (emerging-policy.rules) 2008769 - ET POLICY Unknown Trojan P2P Initial Checkin Response (emerging-policy.rules) 2008770 - ET POLICY Unknown Trojan P2P Data Download (emerging-policy.rules) 2008771 - ET POLICY Unknown Trojan P2P Download Request (emerging-policy.rules) 2008772 - ET POLICY Unknown Trojan P2P Request (emerging-policy.rules) 2008784 - ET TROJAN Lighty Variant or UltimateDefender POST) (emerging-virus.rules) 2008785 - ET WEB_SPECIFIC Aj Square RSS Reader url SQL Injection (emerging-web_sql_injection.rules) 2008786 - ET WEB_SPECIFIC PozScripts Classified Auctions id parameter SQL Injection (emerging-web_sql_injection.rules) 2008787 - ET WEB_SPECIFIC All In One Control Panel poll_id parameter SQL Injection (emerging-web_sql_injection.rules) 2008788 - ET WEB_SPECIFIC e107 BLOG Engine macgurublog.php uid Parameter SQL Injection (emerging-web_sql_injection.rules) 2008789 - ET WEB_SPECIFIC DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods (emerging-web_sql_injection.rules) 2008790 - ET WEB_SCPECIFIC DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow (emerging-web_sql_injection.rules) 2008791 - ET WEB_SPECIFIC Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite (emerging-web_sql_injection.rules) 2008792 - ET EXPLOIT Microsoft DebugDiag CrashHangExt.dll ActiveX 
Control Remote Denial of Service (emerging-exploit.rules) 2008793 - ET WEB_SPECIFIC SFS EZ BIZ PRO track.php id Parameter Remote SQL Injection (emerging-web_sql_injection.rules) [///] Modified active rules: [///] 2008779 - ET CURRENT_EVENTS Unknown Keepalive up (emerging.rules) 2008780 - ET CURRENT_EVENTS Unknown Keepalive down (emerging.rules) 2008781 - ET POLICY Set flow on rar file get (emerging-policy.rules) [---] Removed rules: [---] 2008593 - ET TROJAN Ultimate Defender Fake AV Checkin (emerging-virus.rules) 2008768 - ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin (emerging.rules) 2008769 - ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response (emerging.rules) 2008770 - ET CURRENT_EVENTS Unknown Trojan P2P Data Download (emerging.rules) 2008771 - ET CURRENT_EVENTS Unknown Trojan P2P Download Request (emerging.rules) 2008772 - ET CURRENT_EVENTS Unknown Trojan P2P Request (emerging.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-policy.rules (3): #re 60fa2ff79411dd1cb829e8a966aa86fc #moves to 7090 in samples #moved to 5622 in samples -> Added to emerging-sid-msg.map (31): 2008768 || ET POLICY Unknown Trojan P2P Initial Checkin || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/ 2008769 || ET POLICY Unknown Trojan P2P Initial Checkin Response || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/ 2008770 || ET POLICY Unknown Trojan P2P Data Download || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/ 2008771 || ET POLICY Unknown Trojan P2P Download Request || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/ 2008772 || ET POLICY Unknown Trojan P2P Request || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/ 2008784 || ET TROJAN Lighty Variant or UltimateDefender POST) 2008785 || ET WEB_SPECIFIC Aj Square RSS Reader url SQL Injection || url,milw0rm.com/exploits/6856 || 
url,secunia.com/advisories/32413/ 2008786 || ET WEB_SPECIFIC PozScripts Classified Auctions id parameter SQL Injection || url,secunia.com/advisories/32373 || url,milw0rm.com/exploits/6839 2008787 || ET WEB_SPECIFIC All In One Control Panel poll_id parameter SQL Injection || url,secunia.com/advisories/32431 || url,milw0rm.com/exploits/6854 2008788 || ET WEB_SPECIFIC e107 BLOG Engine macgurublog.php uid Parameter SQL Injection || url,milw0rm.com/exploits/6856 || bugtraq,29344 2008789 || ET WEB_SPECIFIC DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods || url,milw0rm.com/exploits/6828 || bugtraq,31907 2008790 || ET WEB_SCPECIFIC DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow || url,milw0rm.com/exploits/6878 || bugtraq,31987 2008791 || ET WEB_SPECIFIC Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite || url,milw0rm.com/exploits/6875 || bugtraq,31984 2008792 || ET EXPLOIT Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service || bugtraq,31996 2008793 || ET WEB_SPECIFIC SFS EZ BIZ PRO track.php id Parameter Remote SQL Injection || url,milw0rm.com/exploits/6910 || url,secunia.com/advisories/32552/ 2500057 || ET COMPROMISED Known Compromised or Hostile Host Traffic (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500058 || ET COMPROMISED Known Compromised or Hostile Host Traffic (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500059 || ET COMPROMISED Known Compromised or Hostile Host Traffic (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500060 || ET COMPROMISED Known Compromised or Hostile Host Traffic (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510057 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510058 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510059 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510060 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (31): 2008768 || ET POLICY Unknown Trojan P2P Initial Checkin || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/ 2008769 || ET POLICY Unknown Trojan P2P Initial Checkin Response || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/ 2008770 || ET POLICY Unknown Trojan P2P Data Download || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/ 2008771 || ET POLICY Unknown 
Trojan P2P Download Request || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/ 2008772 || ET POLICY Unknown Trojan P2P Request || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/ 2008784 || ET TROJAN Lighty Variant or UltimateDefender POST) 2008785 || ET WEB_SPECIFIC Aj Square RSS Reader url SQL Injection || url,milw0rm.com/exploits/6856 || url,secunia.com/advisories/32413/ 2008786 || ET WEB_SPECIFIC PozScripts Classified Auctions id parameter SQL Injection || url,secunia.com/advisories/32373 || url,milw0rm.com/exploits/6839 2008787 || ET WEB_SPECIFIC All In One Control Panel poll_id parameter SQL Injection || url,secunia.com/advisories/32431 || url,milw0rm.com/exploits/6854 2008788 || ET WEB_SPECIFIC e107 BLOG Engine macgurublog.php uid Parameter SQL Injection || url,milw0rm.com/exploits/6856 || bugtraq,29344 2008789 || ET WEB_SPECIFIC DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods || url,milw0rm.com/exploits/6828 || bugtraq,31907 2008790 || ET WEB_SCPECIFIC DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow || url,milw0rm.com/exploits/6878 || bugtraq,31987 2008791 || ET WEB_SPECIFIC Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite || url,milw0rm.com/exploits/6875 || bugtraq,31984 2008792 || ET EXPLOIT Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service || bugtraq,31996 2008793 || ET WEB_SPECIFIC SFS EZ BIZ PRO track.php id Parameter Remote SQL Injection || url,milw0rm.com/exploits/6910 || url,secunia.com/advisories/32552/ 2500057 || ET COMPROMISED Known Compromised or Hostile Host Traffic (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500058 || ET COMPROMISED Known Compromised or Hostile Host Traffic (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500059 || ET COMPROMISED Known Compromised or Hostile Host Traffic (60) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500060 || ET COMPROMISED Known Compromised or Hostile Host Traffic (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510057 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510058 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510059 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510060 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (6): 2008593 || ET 
TROJAN Ultimate Defender Fake AV Checkin
2008768 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin
2008769 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response
2008770 || ET CURRENT_EVENTS Unknown Trojan P2P Data Download
2008771 || ET CURRENT_EVENTS Unknown Trojan P2P Download Request
2008772 || ET CURRENT_EVENTS Unknown Trojan P2P Request

-> Removed from emerging-sid-msg.map.txt (6):
2008593 || ET TROJAN Ultimate Defender Fake AV Checkin
2008768 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin
2008769 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response
2008770 || ET CURRENT_EVENTS Unknown Trojan P2P Data Download
2008771 || ET CURRENT_EVENTS Unknown Trojan P2P Download Request
2008772 || ET CURRENT_EVENTS Unknown Trojan P2P Request

-> Removed from emerging.rules (5):
#from Vienna with love
#re 60fa2ff79411dd1cb829e8a966aa86fc
#Unknown so far, no AV coverage, appears to be peer to peer
#moves to 7090 in samples
#moved to 5622 in samples

From dxp2532 at gmail.com Tue Nov 18 17:18:17 2008
From: dxp2532 at gmail.com (dxp)
Date: Tue, 18 Nov 2008 17:18:17 -0500
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To: <49218FB6.8070707@jonkmans.com>
References: <1226808191.6140.8.camel@kinta> <49218FB6.8070707@jonkmans.com>
Message-ID: <1227046697.6547.6.camel@kinta>

Looks like the SO rule outperforms the regular rule, if I'm reading the stats correctly.
Attached (to preserve formatting) are some numbers from rule profiling.

-=[ dxp ]=-
0xA3F3C6E3

On Mon, 2008-11-17 at 10:37 -0500, Matt Jonkman wrote:
> Interesting, what kind of performance difference do you see with the
> dynamic sig?
>
> Matt
>
> dxp wrote:
> > http://dxp2532.blogspot.com/2008/11/detecting-packedcrypted-executables.html
> >
> > The following regular rule worked fine for me so far. If anyone is
> > willing to try the dynamic (SO) rule then I'd love to hear your feedback.
> >
> > Dynamic (SO) Rule
> > ----------------------------
> > http://www.geocities.com/dxp2532/snort_so_pe.tgz
> >
> > Standard Rule
> > ----------------------
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Executable
> > download"; flow:established,from_server; content:"MZ"; content:"PE|00
> > 00|"; within:512; sid:XXXXXX; rev:1;)
> >
> > -=[ dxp ]=-
> > 0xA3F3C6E3
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-------------- next part --------------
pcap w/ 1692287 packets (web proxy traffic)

Num  SID   GID  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
===  ===   ===  ======  =======  ======  =========  =========  =========  ============  ========
  1    19    1       8        0       0        150       18.8        0.0          18.8         0
  2  2532    3    9113        0       0     121749       13.4        0.0          13.4         0

pcap w/ 10224 packets (workstation web traffic)

Num  SID   GID  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
===  ===   ===  ======  =======  ======  =========  =========  =========  ============  ========
  1    19    1       6        5       4        135       22.5        0.3         133.7         0
  2  2532    3      74        5       4        761       10.3        0.4          11.0         0
From mcholste at gmail.com Tue Nov 18 18:16:05 2008
From: mcholste at gmail.com (Martin Holste)
Date: Tue, 18 Nov 2008 17:16:05 -0600
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To: <1227046697.6547.6.camel@kinta>
References: <1226808191.6140.8.camel@kinta> <49218FB6.8070707@jonkmans.com> <1227046697.6547.6.camel@kinta>
Message-ID:

Was this on a multiprocessor machine? I find that some of the stats tend to become less meaningful on SMP boxes, at least the microsecond counts anyway. But if the stats are right, then it looks to me like the SO rules actually have a bit of a disadvantage because they check every packet, so the overall microsecs was higher, though lower per check.

My favorite profiling method, though a complete hack, is to use the POSIX "time" command in front of Snort and to run a giant pcap file through two different configurations, and then look at the average of 5 or so runs of each configuration and compare the difference. It won't help for looking at individual rule performance, but it would work in this case to measure how long it takes to read a pcap without the SO rules, then again with them enabled.

--Martin

On Tue, Nov 18, 2008 at 4:18 PM, dxp wrote:
> Looks like the SO rule outperforms the regular rule, if I'm reading the
> stats correctly.
> Attached (to preserve formatting) are some numbers from rule profiling.
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
> On Mon, 2008-11-17 at 10:37 -0500, Matt Jonkman wrote:
> > Interesting, what kind of performance difference do you see with the
> > dynamic sig?

From dxp2532 at gmail.com Tue Nov 18 19:11:59 2008
From: dxp2532 at gmail.com (dxp)
Date: Tue, 18 Nov 2008 19:11:59 -0500
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To:
References:
Message-ID: <1227053519.6547.22.camel@kinta>

Regarding PE header offsets, you made an interesting observation. I had similar concerns and did some stats on typical offsets. Processed around 8000 Windows DLL, SYS, and EXE files, and the majority of them utilize offset 128 or 512. Maximum value identified was 616 and minimum was 128. All tests were on XP SP2 from the \WINDOWS directory.

On the other hand, tests for malware, around 450 samples, had many binaries which used offsets typically not found in legit ones, such as 192, 240, 176, etc. Maximum value found was 512 and minimum 12.
Around 25% of samples used offsets below 128 bytes, while not a single file from the Windows test had such low values. I'll update the SO rule to include these findings; it would be interesting to see the results.

Regarding the HTTP preprocessor and dynamic rule, that's an excellent point. Like you said, perhaps someone might know and post a response. Meanwhile, I'll try some tests to bypass the preprocessor's limit and see what fires.

-=[ dxp ]=-
0xA3F3C6E3

On Tue, 2008-11-18 at 13:15 -0600, Martin Holste wrote:
> On a related note, check out the possible evasion technique of padding
> the PE header 512 bytes from this rogue anti-virus download
> (MD5: b1186e40473ebfe57d2738b02504eea1).
>
> 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
> 0a 44 61 74 65 3a 20 54 75 65 2c 20 31 38 20 4e .Date: Tue, 18 N
> 6f 76 20 32 30 30 38 20 31 33 3a 30 33 3a 35 33 ov 2008 13:03:53
> 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 GMT..Server: Ap
> 61 63 68 65 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 ache..Last-Modif
> 69 65 64 3a 20 54 75 65 2c 20 31 38 20 4e 6f 76 ied: Tue, 18 Nov
> 20 32 30 30 38 20 31 30 3a 33 37 3a 32 39 20 47 2008 10:37:29 G
> 4d 54 0d 0a 45 54 61 67 3a 20 22 37 38 66 66 39 MT..ETag: "78ff9
> 2d 32 38 30 30 30 2d 34 35 62 66 34 34 38 33 64 -28000-45bf4483d
> 63 63 34 30 22 0d 0a 41 63 63 65 70 74 2d 52 61 cc40"..Accept-Ra
> 6e 67 65 73 3a 20 62 79 74 65 73 0d 0a 43 6f 6e nges: bytes..Con
> 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 36 33 tent-Length: 163
> 38 34 30 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a 840..Keep-Alive:
> 20 74 69 6d 65 6f 75 74 3d 35 2c 20 6d 61 78 3d timeout=5, max=
> 34 39 39 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 499..Connection:
> 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e Keep-Alive..Con
> 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 tent-Type: appli
> 63 61 74 69 6f 6e 2f 78 2d 6d 73 64 6f 77 6e 6c cation/x-msdownl
> 6f 61 64 0d 0a 0d 0a 4d 5a 50 00 02 00 00 00 04 oad....MZP......
> 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 ...............@
> 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 02 00 00 ba 10 00 0e 1f b4 09 cd 21 ...............!
> b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 ..L.!..This prog
> 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 ram must be run
> 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 08 95 00 under Win32.....
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 84 .......PE..L....
>
> Or this one padded to 256 bytes (MD5: 174685c2d8e38d34dfbe522faadceed4)
>
> 00000000 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 |MZP.............|
> 00000010 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 |........@.......|
> 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 |................|
> 00000040 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 |........!..L.!..|
> 00000050 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 |This program mus|
> 00000060 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 |t be run under W|
> 00000070 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 |in32..$7........|
> 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> 00000100 50 45 00 00 4c 01 03 00 19 5e 42 2a 00 00 00 00 |PE..L....^B*....|
>
> Is the magic byte offset due to the packer being used, or is this a
> deliberate attempt to evade detection? Now here's another thought: if
> this comes via HTTP and you're running the HTTP preprocessor, what is
> your server flow depth set at? If it's not at 0, there's a good
> chance you're missing a lot of this. And with no stream reassembly on
> HTTP preprocessed packets, good luck detecting anything padded over
> your MTU. So, does anyone know if using the dynamic SO rules would
> preempt the HTTP preprocessor and mitigate this problem?
>
> --Martin
From dxp2532 at gmail.com Tue Nov 18 20:16:17 2008
From: dxp2532 at gmail.com (dxp)
Date: Tue, 18 Nov 2008 20:16:17 -0500
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To:
References: <1226808191.6140.8.camel@kinta> <49218FB6.8070707@jonkmans.com> <1227046697.6547.6.camel@kinta>
Message-ID: <1227057377.6547.31.camel@kinta>

This was done on a Core2-Duo running Linux compiled with multi-core support. So, this may fudge numbers if Snort's eval runs multi-threaded. However, I've noticed that only one core (CPU) is utilized during tests.

Used your suggestion to test with "time" and the degradation in performance was less than one percent (used the "user" value from "time" output averaged over 5 runs each). PCAP was 700MB with 1.5 million packets.

-=[ dxp ]=-
0xA3F3C6E3

On Tue, 2008-11-18 at 17:16 -0600, Martin Holste wrote:
> Was this on a multiprocessor machine? I find that some of the stats
> tend to become less meaningful on SMP boxes, at least the microsecond
> counts anyway. But if the stats are right, then it looks to me like
> the SO rules actually have a bit of a disadvantage because they check
> every packet, so the overall microsecs was higher, though lower per
> check.
From dxp2532 at gmail.com Tue Nov 18 21:09:22 2008
From: dxp2532 at gmail.com (dxp)
Date: Tue, 18 Nov 2008 21:09:22 -0500
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To:
References:
Message-ID: <1227060562.29786.3.camel@kinta>

Changed "flow_depth" from 0 to 50 and the SO rule failed to alert on executables within ports specified in the preprocessor. It appears then that the SO rules have the same properties as regular rules but with more detection flexibility.

-=[ dxp ]=-
0xA3F3C6E3

On Tue, 2008-11-18 at 13:15 -0600, Martin Holste wrote:
> Now here's another thought: if this comes via HTTP and you're running
> the HTTP preprocessor, what is your server flow depth set at? If it's
> not at 0, there's a good chance you're missing a lot of this. And with
> no stream reassembly on HTTP preprocessed packets, good luck detecting
> anything padded over your MTU. So, does anyone know if using the
> dynamic SO rules would preempt the HTTP preprocessor and mitigate this
> problem?
>
> --Martin
From mcholste at gmail.com Tue Nov 18 22:40:31 2008
From: mcholste at gmail.com (Martin Holste)
Date: Tue, 18 Nov 2008 21:40:31 -0600
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To: <1227060562.29786.3.camel@kinta>
References: <1227060562.29786.3.camel@kinta>
Message-ID:

Wow, very helpful findings! Thanks for checking that out. I updated all of my executable sigs to allow for more depth between the MZ and the PE (I cranked it all the way to the MTU, though that's probably overkill based on your findings). I look forward to incorporating your SO rules when you think they're ready. It sounds like it would be worth alerting on any exe that has a PE header before 128 bytes, though I'm sure a few legit files would pop out of the woodwork. Mega bonus points for an SO rule that can alert based on the amount of entropy of the file sections!

--Martin

On Tue, Nov 18, 2008 at 8:09 PM, dxp wrote:
> Changed "flow_depth" from 0 to 50 and the SO rule failed to alert on
> executables within ports specified in the preprocessor. It appears then
> that the SO rules have the same properties as regular rules but with more
> detection flexibility.
>
> -=[ dxp ]=-
> 0xA3F3C6E3
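dxp's offset survey (128 to 616 in the Windows set, 12 to 512 in the malware set with about a quarter below 128) and Martin's proposed alert on a PE header before 128 bytes both come down to reading the DOS header's e_lfanew field and rating the MZ-to-PE distance. The Python below is an added example, not dxp's SO rule or any Snort code; the range names, verdict labels, the model of the standard rule's `within:512` window and the simplified flow_depth model are this example's own assumptions.

```python
"""Rate a downloaded Windows executable by the distance from "MZ" to "PE\\0\\0".

Added example for the thread above; not the SO rule or any Snort code.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
E_LFANEW_AT = 0x3C  # DOS header field holding the file offset of the PE header

# Ranges reported in the thread (the names are this example's own):
LEGIT_MIN, LEGIT_MAX = 128, 616      # ~8000 DLL/SYS/EXE files from an XP SP2 \WINDOWS tree
MALWARE_MIN, MALWARE_MAX = 12, 512   # ~450 malware samples, ~25% below 128
RULE_WITHIN = 512                    # the 'within:512' of the standard rule


def e_lfanew(data: bytes):
    """PE header offset read from the DOS header, or None if no MZ / too short."""
    if len(data) < E_LFANEW_AT + 4 or data[:2] != MZ:
        return None
    return struct.unpack_from("<I", data, E_LFANEW_AT)[0]


def fixed_window_fires(off: int, within: int = RULE_WITHIN) -> bool:
    """Model of 'content:"MZ"; content:"PE|00 00|"; within:N'.
    Assumption (from the Snort manual's description of within): the second
    pattern may not extend more than N bytes past the end of the MZ match.
    Confirm the exact boundary against your own Snort build."""
    return off + len(PE_SIG) <= len(MZ) + within


def classify(data: bytes) -> dict:
    """Read e_lfanew, verify the PE signature there and rate the distance."""
    off = e_lfanew(data)
    if off is None or data[off:off + 4] != PE_SIG:
        return {"pe": False}
    if off < LEGIT_MIN:
        verdict = "suspicious-low"      # below anything in the Windows set
    elif off > LEGIT_MAX:
        verdict = "suspicious-high"     # beyond anything in the Windows set
    elif off in (128, 512):
        verdict = "common"              # what most legitimate files use
    else:
        verdict = "uncommon"            # e.g. 176/192/240, seen in the malware set
    return {"pe": True, "e_lfanew": off, "verdict": verdict,
            "fixed_within_rule_fires": fixed_window_fires(off)}


def classify_http_response(raw: bytes, flow_depth: int = 0) -> dict:
    """Split an HTTP response like the quoted download and classify its body.
    flow_depth is a simplified model of the http_inspect setting: 0 inspects
    the whole response, N only its first N bytes."""
    inspected = raw if flow_depth == 0 else raw[:flow_depth]
    _head, sep, body = inspected.partition(b"\r\n\r\n")
    if not sep:
        return {"pe": False}
    return classify(body)


def make_sample(pe_off: int) -> bytes:
    """Constructed input: a minimal 'MZP' DOS header with e_lfanew = pe_off and
    a PE signature at that offset, like the Delphi-style samples in the thread."""
    if E_LFANEW_AT - 5 <= pe_off <= E_LFANEW_AT + 3:
        raise ValueError("PE signature would overlap the e_lfanew field")
    buf = bytearray(max(pe_off + 6, E_LFANEW_AT + 4))
    buf[0:3] = b"MZP"
    buf[E_LFANEW_AT:E_LFANEW_AT + 4] = struct.pack("<I", pe_off)
    buf[pe_off:pe_off + 6] = PE_SIG + b"\x4c\x01"  # IMAGE_FILE_MACHINE_I386
    return bytes(buf)


def make_response(body: bytes) -> bytes:
    """Constructed HTTP response wrapper with the quoted download's key headers."""
    hdr = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
           b"Content-Length: %d\r\nContent-Type: application/x-msdownload\r\n\r\n"
           % len(body))
    return hdr + body


if __name__ == "__main__":
    for off in (12, 128, 256, 512, 700):
        print(off, classify(make_sample(off)))
    # flow_depth 50 cuts the response off before the DOS header is even complete
    print(classify_http_response(make_response(make_sample(512)), flow_depth=50))
```

The 512-byte case shows why Martin widened his sigs: under the modelled window `within:512` does not cover a PE header that starts exactly 512 bytes in, whereas reading e_lfanew (in a Snort rule, via byte_jump relative to the MZ match) does not depend on a fixed window.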
From daniel.clemens at packetninjas.net Wed Nov 19 01:19:55 2008
From: daniel.clemens at packetninjas.net (Daniel Clemens)
Date: Wed, 19 Nov 2008 00:19:55 -0600
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To:
References:
Message-ID: <2AD7AC0C-AF15-484D-8445-89A05FEE2378@packetninjas.net>

On Nov 18, 2008, at 1:15 PM, Martin Holste wrote:

> On a related note, check out the possible evasion technique of
> padding the PE header 512 bytes from this rogue anti-virus download
> (MD5 :b1186e40473ebfe57d2738b02504eea1).

Arg. This isn't an evasion technique for ids.

> 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d  HTTP/1.1 200 OK.
> 0a 44 61 74 65 3a 20 54 75 65 2c 20 31 38 20 4e  .Date: Tue, 18 N
> 6f 76 20 32 30 30 38 20 31 33 3a 30 33 3a 35 33  ov 2008 13:03:53
> 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70   GMT..Server: Ap
> 61 63 68 65 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66  ache..Last-Modif
> 69 65 64 3a 20 54 75 65 2c 20 31 38 20 4e 6f 76  ied: Tue, 18 Nov
> 20 32 30 30 38 20 31 30 3a 33 37 3a 32 39 20 47   2008 10:37:29 G
> 4d 54 0d 0a 45 54 61 67 3a 20 22 37 38 66 66 39  MT..ETag: "78ff9
> 2d 32 38 30 30 30 2d 34 35 62 66 34 34 38 33 64  -28000-45bf4483d
> 63 63 34 30 22 0d 0a 41 63 63 65 70 74 2d 52 61  cc40"..Accept-Ra
> 6e 67 65 73 3a 20 62 79 74 65 73 0d 0a 43 6f 6e  nges: bytes..Con
> 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 36 33  tent-Length: 163
> 38 34 30 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a  840..Keep-Alive:
> 20 74 69 6d 65 6f 75 74 3d 35 2c 20 6d 61 78 3d   timeout=5, max=
> 34 39 39 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a  499..Connection:
> 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e   Keep-Alive..Con
> 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69  tent-Type: appli
> 63 61 74 69 6f 6e 2f 78 2d 6d 73 64 6f 77 6e 6c  cation/x-msdownl
> 6f 61 64 0d 0a 0d 0a 4d 5a 50 00 02 00 00 00 04  oad....MZP......
> 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40  ...............@
> 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 02 00 00 ba 10 00 0e 1f b4 09 cd 21  ...............!
> b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67  ..L.!..This prog
> 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20  ram must be run
> 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 08 95 00  under Win32.....
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 84  .......PE..L....
>
> This is abnormally far from the MZ.
>
> Or this one padded to 256 bytes (MD5:
> 174685c2d8e38d34dfbe522faadceed4)
>
> 00000000  4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00  |MZP.............|
> 00000010  b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00  |........@.......|
> 00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
> 00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00  |................|
> 00000040  ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90  |........!..L.!..|
> 00000050  54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73  |This program mus|
> 00000060  74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57  |t be run under W|
> 00000070  69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00  |in32..$7........|
> 00000080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
> *
> 00000100  50 45 00 00 4c 01 03 00 19 5e 42 2a 00 00 00 00  |PE..L....^B*....|
>
> Is the magic byte offset due to the packer being used, or is this a
> deliberate attempt to evade detection?

My general rule of thumb when labeling a PE executable as being bad is
based on looking at either how close the PE is to MZ, or how far the PE
is from MZ. In both cases this represents something that is abnormal in
the PE structure which I would want to know about. I don't really care
about anything generally past the normal MTU limit if it is over HTTP in
regards to PE sigs.

PE should be about 254 bytes from MZ. (256 depending on how you want to
look at it...)

> Now here's another thought: if this comes via HTTP and you're
> running the HTTP preprocessor, what is your server flow depth set
> at? If it's not at 0, there's a good chance you're missing a lot of
> this. And with no stream reassembly on HTTP preprocessed packets,
> good luck detecting anything padded over your MTU.

True that! :P

> So, does anyone know if using the dynamic SO rules would preempt the
> HTTP preprocessor and mitigate this problem?

I looked at the .so rule a small bit; I didn't see why there would be a
need (even if you wanted to look at section headers or other things, I
just don't think it's a need whatsoever).

Right now the main reason to write rules for Microsoft portable
executables is to catch first, second, or third stage payloads.
Different kits/custom packers leave different footprints on binaries,
and different custom packers make the PE file look strange, which makes
it so you can write a quick and dirty Snort rule for that type of
footprint.

For instance, the rule I wrote below triggers on MZ and PE being within
20 bytes. This is strange behavior and the structure is definitely not
conforming to the structure, so I thought this may be beneficial.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN TinyPE Binary - Possibly Hostile"; flow:from_server,established; content:"MZ"; content:"PE|00 00|"; within:20; reference:url,www.phreedom.org/solar/code/tinype/; ....

(I am still porting all my older content from bits.packetninjas.org to
my new blog, so... sorry the pretty hexdiff pictures aren't up nor are
the posts...)

I know in some of the rules I have written there was some initial
sloppiness, but the main guiding aspects I have been following are
looking at what is normal in the PE structure, and then what is
abnormal (... and then eyeballing things along the way), and also
looking for what packers have rules created for them, and which ones
don't.

The tools I have been using for this:
1) UltraCompare (cool visualization)
2) HexEditor
3) Downloading the binary from a test server
4) Trolling the Sandnet, or other malware found in spam, seeing if
   anything is consistently strange that someone might need.
5) PE Structure information
5.1) Matt as a sounding board

Another cool tool for you PE fans out there is PEFile, from Ero Carrera:
http://dkbza.org/pefile.html

Ok, now that this post has gone on and on, I promise by the end of the
week I'll have better documentation for the PE sigs that I have
submitted back up on my site (sometime this week).

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850 | | o. 866.267.8851

"Imagination is more important than knowledge."-- Albert Einstein

From cunningpike at gmail.com Wed Nov 19 02:09:02 2008
From: cunningpike at gmail.com (CunningPike)
Date: Tue, 18 Nov 2008 23:09:02 -0800
Subject: [Emerging-Sigs] SidReporter 1.0.1 Available
In-Reply-To: <4922E52C.9050402@jonkmans.com>
References: <4922E52C.9050402@jonkmans.com>
Message-ID: <1227078542.6380.11.camel@cunningpike-powerbook>

Any chance of a version that runs over the sguil database? I would be
prepared to assist in getting one up and running....

CP

On Tue, 2008-11-18 at 10:54 -0500, Matt Jonkman wrote:
> A minor fix to SidReporter has been released. This was a minor change to
> handle an occasional perl error regarding use of an uninitialized variable.
>
> http://www.emergingthreats.net/sidreporter/sidreporter-1.0.1.tar.gz
>
> If you weren't having an issue you don't need to upgrade.
>
> Thanks to everyone that is submitting data! Generic results are
> available here:
> http://www.emergingthreats.net/index.php/sidreporter-statistics.html
>
> More detailed, and individual statistics are forthcoming. Input welcome
> there!
>
> Matt

From signatures at stillsecure.com Wed Nov 19 07:12:35 2008
From: signatures at stillsecure.com (signatures)
Date: Wed, 19 Nov 2008 05:12:35 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov-19-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2911@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1.
MW6 Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File Overwrite

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MW6 Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"14D09688-CFA7-11D5-995A-005004CE563B"; nocase; distance:0; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; classtype:web-application-attack; reference:bugtraq,31979; reference:url,milw0rm.com/exploits/6871; sid:10033; rev:1;)

2. MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"90D2A875-5024-4CCD-80AA-C8A353DB2B45"; nocase; distance:0; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; classtype:web-application-attack; reference:bugtraq,31983; reference:url,milw0rm.com/exploits/6873; sid:10034; rev:1;)

3. MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"DE7DA0B5-7D7B-4CEA-8739-65CF600D511E"; nocase; distance:0; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; classtype:web-application-attack; reference:bugtraq,31980; reference:url,milw0rm.com/exploits/6872; sid:10035; rev:1;)

4. MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"F359732D-D020-40ED-83FF-F381EFE36B54"; nocase; distance:0; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; classtype:web-application-attack; reference:bugtraq,31974; reference:url,milw0rm.com/exploits/6870; sid:10036; rev:1;)

5. e107 Plugin lyrics_menu lyrics_song.php l_id Parameter Remote SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"e107 Plugin lyrics_menu lyrics_song.php l_id Parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/lyrics_song.php?"; nocase; uricontent:"l_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32477/; reference:url,milw0rm.com/exploits/6885; sid:10039; rev:1;)

6. Chilkat Crypt ActiveX Component WriteFile Insecure Method

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Chilkat Crypt ActiveX Component WriteFile Insecure Method"; flow:to_client,established; content:"CLSID"; nocase; content:"3352B5B9-82E8-4FFD-9EB1-1A3E60056904"; nocase; distance:0; content:"WriteFile"; nocase; classtype:web-application-attack; reference:url,secunia.com/Advisories/32513/; reference:url,milw0rm.com/exploits/6963; sid:10041; rev:1;)

7. SFS EZ Hotscripts-like Site showcategory.php cid Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SFS EZ Hotscripts-like Site showcategory.php cid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/showcategory.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32536/; reference:url,milw0rm.com/exploits/6903; sid:10042; rev:1;)

8. SFS EZ Hotscripts-like Site software-description.php id Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SFS EZ Hotscripts-like Site software-description.php id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/software-description.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32536/; reference:url,milw0rm.com/exploits/6915; sid:10043; rev:1;)

9. YourFreeWorld Autoresponder hosting tr.php id Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"YourFreeWorld Autoresponder hosting tr.php id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/autoresponderhosting/tr.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32504/; reference:url,milw0rm.com/exploits/6938; sid:10044; rev:1;)

10. YourFreeWorld Reminder Service tr.php id Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"YourFreeWorld Reminder Service tr.php id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/reminderservice/tr.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32504/; reference:url,milw0rm.com/exploits/6943; sid:10045; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure
From dxp2532 at gmail.com Wed Nov 19 11:30:23 2008
From: dxp2532 at gmail.com (dxp)
Date: Wed, 19 Nov 2008 11:30:23 -0500
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To: <2AD7AC0C-AF15-484D-8445-89A05FEE2378@packetninjas.net>
References: <2AD7AC0C-AF15-484D-8445-89A05FEE2378@packetninjas.net>
Message-ID: <1227112224.6518.9.camel@kinta>

Here are some more stats on typical offsets to PE header. This can be
used to detect potentially malicious binaries if they don't fall within
the legit space.

Legitimate PE offsets (XP SP2): 8582 samples from \Windows
----------------------
128, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240, 248, 256, 264,
272, 280, 288, 296, 304, 312, 320, 336, 344, 392, 584, 592, 600, 608,
616, 1024, 7680

25% of tested malware contained these offsets (467 total samples)
----------------------
12, 16, 64, 96, 124, 144, 152, 160, 512

These could be used in anomaly detection. Any suggestions how best to
roll it out for Snort (pcre or individual sig)?

- -=[ dxp ]=- 0xA3F3C6E3

On Wed, 2008-11-19 at 00:19 -0600, Daniel Clemens wrote:
> On Nov 18, 2008, at 1:15 PM, Martin Holste wrote:
>
> > On a related note, check out the possible evasion technique of
> > padding the PE header 512 bytes from this rogue anti-virus download
> > (MD5 :b1186e40473ebfe57d2738b02504eea1).
>
> Arg. This isn't an evasion technique for ids.
>
> [...]
>
> My general rule of thumb when labeling a PE executable as being bad is
> based on looking at either how close the PE is to MZ, or how far the
> PE is from MZ. In both cases this represents something that is
> abnormal in the PE structure which I would want to know about. I don't
> really care about anything generally past the normal MTU limit if it
> is over HTTP in regards to PE sigs.
>
> PE should be about 254 bytes from MZ. (256 depending on how you want
> to look at it...)
>
> [...]
>
> For instance, the rule I wrote below triggers on MZ and PE being
> within 20 bytes. This is strange behavior and the structure is
> definitely not conforming to the structure, so I thought this may be
> beneficial.
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN TinyPE Binary - Possibly Hostile"; flow:from_server,established; content:"MZ"; content:"PE|00 00|"; within:20; reference:url,www.phreedom.org/solar/code/tinype/; ....
>
> [...]
From sun at vakharia.info Mon Nov 17 07:52:28 2008
From: sun at vakharia.info (¯`·._The Sun_.·´¯)
Date: Mon, 17 Nov 2008 18:22:28 +0530
Subject: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster
In-Reply-To: <314cf0830811130459k2867fb6ep42983be2dd9376a@mail.gmail.com>
References: <314cf0830811130459k2867fb6ep42983be2dd9376a@mail.gmail.com>
Message-ID:

Thanks Joel for your help so far.
I have gone through the two links (the Snort doc link seems to be over
simplified and the TechTarget link seems to be unduly complicated for me).
I am not sure if I have configured Snort with the --enable-dynamic-plugin
in the first place.
At the moment, when I run Snort I get this:

Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/

I assume that dynamic-plugins are enabled for me.

Further I see this:
8924 Option Chains linked into 357 Chain Headers
0 Dynamic rules

And still further down in the output I see this:
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2003279 type=Both tracking=src count=1 seconds=900
| gen-id=1 sig-id=2001872 type=Limit tracking=src count=1 seconds=360
| gen-id=1 sig-id=2001663 type=Limit tracking=src count=2 seconds=360
| gen-id=1 sig-id=2003276 type=Both tracking=src count=1 seconds=900
| gen-id=1 sig-id=2002911 type=Threshold tracking=src count=5 seconds=60
| gen-id=1 sig-id=2003257 type=Both tracking=src count=2 seconds=900
......

After this:
Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Encoded Rule Plugin SID: 13922, GID: 3 not registered properly. Disabling this rule.
Encoded Rule Plugin SID: 13476, GID: 3 not registered properly. Disabling this rule.
Encoded Rule Plugin SID: 13308, GID: 3 not registered properly. Disabling this rule.
........

Taking the first SID: 13922
root@desktop:/etc/snort/so_rules# grep -r 13922 *
Binary file precompiled/Ubuntu-8.04/x86-64/2.8.3/web-misc.so matches
web-misc.rules:alert tcp $HOME_NET ...truncated text

root@desktop:/etc/snort/so_rules/src# make
ls: cannot access web-misc_*.c: No such file or directory
ls: cannot access sql_*.c: No such file or directory
..
..
p2p_winny.c:151: error: 'RULE_MATCH' undeclared (first use in this function)
make: *** [p2p_winny] Error 1

What's the next step that I need to take?

______________________________________________________________________
Date: Thu, 13 Nov 2008 07:59:40 -0500
From: joel.esler at sourcefire.com
To: sun at vakharia.info
Subject: Re: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster
CC: emerging-sigs at emergingthreats.net

The rule to detect MS08-067 is a Shared Object rule. You'll need to
follow the instructions here:
http://www.snort.org/docs/faq/3Q06/node87.html
or here:
http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1299181,00.html
in order to use this rule.

Joel

On Tue, Nov 11, 2008 at 8:59 AM, ¯`·._The Sun_.·´¯ wrote:

    I am quite new to Snort rule updates and am looking at a simple
    guide to help me integrate the emergingthreats' rules into my Snort
    test setup.

    My apologies if this is not the right forum for this question, but
    I am unable to locate information that I am looking for on the
    emergingthreats.net website.

    I already have the rules from snort.org (VRT Certified Rules for
    Snort v2.8 (snortrules-snapshot-2.8.tar.gz).
    However, they do not seem to pick the MS08-067 exploit (which I am
    using as a test case).

    Here is what I have done so far.
    1. Snort has been setup and works fine - I can detect port scans
    etc. without problems without any rule changes.
    2. I have also downloaded rules from emergingthreats.net and
    extracted them to /etc/snort/rules where the official rules have
    also been placed.

    3.
Now, I edited my snort conf file and included a few rules include $RULE_PATH/emerging.conf include $RULE_PATH/emerging-malware.rules include $RULE_PATH/emerging-exploit.rules include $RULE_PATH/emerging-web.rules include $RULE_PATH/emerging-scan.rules include $RULE_PATH/emerging.rules include $RULE_PATH/local.rules include $RULE_PATH/bad-traffic.rules include $RULE_PATH/exploit.rules And restarted snort. But that did not detect the exploit. Is there something else that I need to do? I also had setup Oinkmaster. Does that work with download of rules from emergingthreasts? Or do I have to download via cvs? Thanks. Team India gets set to thwart Australia's quest for the final frontier. Catch the action on MSN Try it now! _______________________________________________ Emerging-sigs mailing list Emerging-sigs at emergingthreats.net http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs _________________________________________________________________ Searching for weekend getaways? Try Live.com http://www.live.com/?scope=video&form=MICOAL -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081117/a763b099/attachment-0001.html From dxp2532 at gmail.com Wed Nov 19 13:59:16 2008 From: dxp2532 at gmail.com (dxp) Date: Wed, 19 Nov 2008 13:59:16 -0500 Subject: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster In-Reply-To: References: <314cf0830811130459k2867fb6ep42983be2dd9376a@mail.gmail.com> Message-ID: <1227121157.6518.12.camel@kinta> Make sure line similar to this is enabled in the Snort's config file: "dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules/" - -=[ dxp ]=- 0xA3F3C6E3 On Mon, 2008-11-17 at 18:22 +0530, ?`?._The Sun_.??? wrote: > Thanks Joel for your help so far. > I have gone through the two links (the Snort doc link seems to be over > simplified and the TechTarget link seems to be unduly complicated for > me). 
> I am not sure if I have configured Snort with the > --enable-dynamic-plugin in the first place. > At the moment, when I run Snort I get this: > > Loading dynamic > engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done > Loading all dynamic preprocessor libs > from /usr/local/lib/snort_dynamicpreprocessor/... > Loading dynamic preprocessor > library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done > Loading dynamic preprocessor > library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done > Loading dynamic preprocessor > library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done > Loading dynamic preprocessor > library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done > Loading dynamic preprocessor > library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done > Loading dynamic preprocessor > library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done > Loading dynamic preprocessor > library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done > Finished Loading all dynamic preprocessor libs > from /usr/local/lib/snort_dynamicpreprocessor/ > > I assume that dynamic-plugins are enabled for me. > > Further I see this: > 8924 Option Chains linked into 357 Chain Headers > 0 Dynamic rules > > And still further down in the output I see this: > +-----------------------[thresholding-local]----------------------------------- > | gen-id=1 sig-id=2003279 type=Both tracking=src count=1 > seconds=900 > | gen-id=1 sig-id=2001872 type=Limit tracking=src count=1 > seconds=360 > | gen-id=1 sig-id=2001663 type=Limit tracking=src count=2 > seconds=360 > | gen-id=1 sig-id=2003276 type=Both tracking=src count=1 > seconds=900 > | gen-id=1 sig-id=2002911 type=Threshold tracking=src count=5 > seconds=60 > | gen-id=1 sig-id=2003257 type=Both tracking=src count=2 > seconds=900 > ...... 
>
> After this:
> Rule application order: activation->dynamic->pass->drop->alert->log
> Log directory = /var/log/snort
> Encoded Rule Plugin SID: 13922, GID: 3 not registered properly.
> Disabling this rule.
> Encoded Rule Plugin SID: 13476, GID: 3 not registered properly.
> Disabling this rule.
> Encoded Rule Plugin SID: 13308, GID: 3 not registered properly.
> Disabling this rule.
> ........
>
> Taking the first SID: 13922
> root at desktop:/etc/snort/so_rules# grep -r 13922 *
> Binary file precompiled/Ubuntu-8.04/x86-64/2.8.3/web-misc.so matches
> web-misc.rules:alert tcp $HOME_NET ...truncated text
>
> root at desktop:/etc/snort/so_rules/src# make
> ls: cannot access web-misc_*.c: No such file or directory
> ls: cannot access sql_*.c: No such file or directory
> ..
> ..
> p2p_winny.c:151: error: 'RULE_MATCH' undeclared (first use in this function)
> make: *** [p2p_winny] Error 1
>
> What's the next step that I need to take?
>
> ______________________________________________________________________
> Date: Thu, 13 Nov 2008 07:59:40 -0500
> From: joel.esler at sourcefire.com
> To: sun at vakharia.info
> Subject: Re: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster
> CC: emerging-sigs at emergingthreats.net
>
> The rule to detect MS08-067 is a Shared Object rule. You'll need to
> follow the instructions here:
>
> http://www.snort.org/docs/faq/3Q06/node87.html
> or here:
> http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1299181,00.html
> in order to use this rule.
>
> Joel
>
> On Tue, Nov 11, 2008 at 8:59 AM, ?`?._The Sun_.??? wrote:
>
> I am quite new to Snort rule updates and am looking at a
> simple guide to help me integrate the emergingthreats' rules
> into my Snort test setup.
>
> My apologies if this is not the right forum for this question,
> but I am unable to locate information that I am looking for on
> the emergingthreats.net website.
>
> I already have the rules from snort.org (VRT Certified Rules
> for Snort v2.8 (snortrules-snapshot-2.8.tar.gz).
> However, they do not seem to pick the MS08-067 exploit (which
> I am using as a test case).
>
> Here is what I have done so far.
> 1. Snort has been set up and works fine - I can detect port
> scans etc. without problems without any rule changes.
> 2. I have also downloaded rules from emergingthreats.net and
> extracted them to /etc/snort/rules where the official rules
> have also been placed.
>
> 3. Now, I edited my snort conf file and included a few rules
> include $RULE_PATH/emerging.conf
> include $RULE_PATH/emerging-malware.rules
> include $RULE_PATH/emerging-exploit.rules
> include $RULE_PATH/emerging-web.rules
> include $RULE_PATH/emerging-scan.rules
> include $RULE_PATH/emerging.rules
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
>
> And restarted snort. But that did not detect the exploit.
>
> Is there something else that I need to do?
>
> I also had set up Oinkmaster. Does that work with download of
> rules from emergingthreats? Or do I have to download via cvs?
>
> Thanks.
From phatbuckett at gmail.com Wed Nov 19 14:46:15 2008
From: phatbuckett at gmail.com (Darren Spruell)
Date: Wed, 19 Nov 2008 12:46:15 -0700
Subject: [Emerging-Sigs] Segfault from broken botcc rule
Message-ID: <839aec700811191146o2d2d0e0eq66f1ef2696bf0c67@mail.gmail.com>

# Testing snort config:
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Segmentation fault (core dumped)

-----

This appears to happen due to the latest emerging-botcc.rules (e.g.
http://www.emergingthreats.net/rules/emerging-botcc.rules) containing
broken sid 2404020 w/o dst addresses in rule header:

alert ip $HOME_NET any -> [] any (msg:"ET DROP Known Bot C&C Server Traffic (group 21) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404020; rev:1354;)

Automation issue?

--
Darren Spruell
phatbuckett at gmail.com

From frank at knobbe.us Wed Nov 19 15:55:00 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 19 Nov 2008 14:55:00 -0600
Subject: [Emerging-Sigs] Unknown Trojan 3 -> TeamViewer
Message-ID: <1227128100.36200.16.camel@localhost>

Greetings,

I just committed a couple new sigs.
The following two sigs were existing sigs based on Sandnet data:

--->8---
CURRENT_Unknown_trojan3:
#by Victor Julien
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Keepalive out"; flow:established,to_server; dsize:5; content:"| 17 24 1B 00 00|"; flowbits:set,ET.unknownkeepaliveup; flowbits:noalert; classtype:unknown; sid:2008779; rev:2;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Keepalive in"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isset,ET.unknownkeepaliveup; classtype:unknown; sid:2008780; rev:2;)
---8<---

These alerted on TeamViewer (http://www.teamviewer.com) keep-alive packets. I have created two new sigs to match TeamViewer, based on the above sigs. These are now in the Policy rule set:

--->8---
POLICY_TeamViewer:
# 2008-11-19 added by Frank Knobbe
# The following two sigs were created based on the findings of SIDs 2008779
# and 2008780. That particular keep-alive matched the TeamViewer application.
# The 'unknown trojan' rules are still present in case something else uses
# this pattern, but will likely be removed shortly. The trojan sigs won't
# alert if the rules below match.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"ET POLICY TeamViewier Keep-alive outbound"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; flowbits:set,ET.teamviewerkeepaliveout; flowbits:noalert; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:misc-activity; sid:2008794; rev:1;)
alert tcp $EXTERNAL_NET 5938 -> $HOME_NET any (msg:"ET POLICY TeamViewier Keep-alive inbound"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isset,ET.teamviewerkeepaliveout; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:misc-activity; sid:2008795; rev:1;)
---8<---

The existing Unknown Trojan sigs have been modified as follows:

--->8---
CURRENT_Unknown_trojan3
#by Victor Julien
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Keepalive out"; flow:established,to_server; dsize:5; content:"| 17 24 1B 00 00|"; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:set,ET.unknownkeepaliveup; flowbits:noalert; classtype:unknown; sid:2008779; rev:3;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Keepalive in"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:isset,ET.unknownkeepaliveup; classtype:unknown; sid:2008780; rev:3;)
---8<---

That way they shouldn't fire if a TeamViewer keep-alive has been detected (based on port and payload), but still fire if the port is changed and something else is sending it.

Regards,
Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
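The flowbits handshake in Frank's four rules (the policy sigs set ET.teamviewerkeepaliveout on port 5938, and the rev:3 unknown-keepalive sigs refuse to match once that bit is set) can be checked offline before a commit. The following is an added example, not code from Frank's post or from the ET ruleset: a small Python evaluator that applies each rule's direction, port, dsize, content and flowbits checks to constructed keep-alive packets and reports which sids would alert. It evaluates the rules in the order listed above, which is an assumption of the simulation (Snort's own per-packet evaluation order can differ), and the port 4444 flow is a constructed sample.

```python
"""Flowbits walkthrough for the TeamViewer / 'Unknown Keepalive' rules.

Added example, not part of the original post. Rules are evaluated in the
order listed (assumption: Snort's real per-packet order may differ).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEEPALIVE = bytes.fromhex("17241b0000")  # the |17 24 1B 00 00| content


@dataclass
class Rule:
    sid: int
    direction: str                           # "to_server" or "to_client"
    server_port: Tuple[int, Optional[int]]   # (low, high); high=None means "1024:" style open range
    isset: Optional[str] = None              # flowbits:isset,<name>
    isnotset: Optional[str] = None           # flowbits:isnotset,<name>
    setbit: Optional[str] = None             # flowbits:set,<name>
    noalert: bool = False                    # flowbits:noalert
    dsize: int = 5                           # dsize:5
    content: bytes = KEEPALIVE               # content:"|17 24 1B 00 00|"


# Frank's four rules, transcribed from the post above.
RULES = [
    Rule(2008794, "to_server", (5938, 5938), setbit="ET.teamviewerkeepaliveout", noalert=True),
    Rule(2008795, "to_client", (5938, 5938), isset="ET.teamviewerkeepaliveout"),
    Rule(2008779, "to_server", (1024, None), isnotset="ET.teamviewerkeepaliveout",
         setbit="ET.unknownkeepaliveup", noalert=True),
    Rule(2008780, "to_client", (1024, None), isnotset="ET.teamviewerkeepaliveout",
         isset="ET.unknownkeepaliveup"),
]


@dataclass
class Packet:
    direction: str      # flow direction relative to the server
    server_port: int    # the server-side port (the only port the rules constrain)
    payload: bytes


def port_in(port: int, rng: Tuple[int, Optional[int]]) -> bool:
    low, high = rng
    return port >= low and (high is None or port <= high)


def run_flow(packets: List[Packet], rules=RULES) -> List[int]:
    """Return the sids that alert over one established flow, in order."""
    flowbits = set()   # per-flow state, as Snort keeps it per session
    alerts = []
    for pkt in packets:
        for r in rules:
            if r.direction != pkt.direction or not port_in(pkt.server_port, r.server_port):
                continue
            if len(pkt.payload) != r.dsize or r.content not in pkt.payload:
                continue
            if r.isset and r.isset not in flowbits:
                continue
            if r.isnotset and r.isnotset in flowbits:
                continue
            if r.setbit:
                flowbits.add(r.setbit)
            if not r.noalert:
                alerts.append(r.sid)
    return alerts


def teamviewer_flow() -> List[int]:
    """Constructed: keep-alive exchange on TeamViewer's port 5938."""
    return run_flow([Packet("to_server", 5938, KEEPALIVE),
                     Packet("to_client", 5938, KEEPALIVE)])


def unknown_port_flow() -> List[int]:
    """Constructed: the same 5-byte pattern on another high port (sample port 4444)."""
    return run_flow([Packet("to_server", 4444, KEEPALIVE),
                     Packet("to_client", 4444, KEEPALIVE)])


def inbound_only_flow() -> List[int]:
    """Constructed: an inbound keep-alive with no outbound one seen first."""
    return run_flow([Packet("to_client", 4444, KEEPALIVE)])


if __name__ == "__main__":
    print("TeamViewer port 5938:", teamviewer_flow())   # only the POLICY inbound sig
    print("Other high port:     ", unknown_port_flow())  # only the CURRENT_EVENTS inbound sig
    print("Inbound only:        ", inbound_only_flow())  # nothing, the isset gate fails
```

The three flows show the intended behaviour: on 5938 only 2008795 alerts (2008794 has noalert and its flowbit silences both unknown-keepalive sigs), on any other high port only 2008780 alerts, and an inbound keep-alive with no preceding outbound one alerts nothing because the isset gate fails.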
From emerging at emergingthreats.net Wed Nov 19 16:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 19 Nov 2008 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081119210009.524FA4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Nov 19 16:00:09 2008 [***]

[+++] Added rules: [+++]

2008794 - ET POLICY TeamViewier Keep-alive outbound (emerging-policy.rules)
2008795 - ET POLICY TeamViewier Keep-alive inbound (emerging-policy.rules)

[///] Modified active rules: [///]

2008779 - ET CURRENT_EVENTS Unknown Keepalive out (emerging.rules)
2008780 - ET CURRENT_EVENTS Unknown Keepalive in (emerging.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-policy.rules (6):
# 2008-11-19 added by Frank Knobbe
# The following two sigs were created based on the findings of SIDs 2008779
# and 2008780. That particular keep-alive matched the TeamViewer application.
# The 'unknown trojan' rules are still present in case seomthing else uses
# this pattern, but will likely be removed shortly. The trojan sigs won't
# alert if the rules below match.
-> Added to emerging-sid-msg.map (8):
2008779 || ET CURRENT_EVENTS Unknown Keepalive out
2008780 || ET CURRENT_EVENTS Unknown Keepalive in
2008794 || ET POLICY TeamViewier Keep-alive outbound || url,en.wikipedia.org/wiki/TeamViewer || url,www.teamviewer.com
2008795 || ET POLICY TeamViewier Keep-alive inbound || url,en.wikipedia.org/wiki/TeamViewer || url,www.teamviewer.com
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (8):
2008779 || ET CURRENT_EVENTS Unknown Keepalive out
2008780 || ET CURRENT_EVENTS Unknown Keepalive in
2008794 || ET POLICY TeamViewier Keep-alive outbound || url,en.wikipedia.org/wiki/TeamViewer || url,www.teamviewer.com
2008795 || ET POLICY TeamViewier Keep-alive inbound || url,en.wikipedia.org/wiki/TeamViewer || url,www.teamviewer.com
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (4):
2008779 || ET CURRENT_EVENTS Unknown Keepalive up
2008780 || ET CURRENT_EVENTS Unknown Keepalive down
2400008 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
2401008 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

-> Removed from emerging-sid-msg.map.txt (4):
2008779 || ET CURRENT_EVENTS Unknown Keepalive up
2008780 || ET CURRENT_EVENTS Unknown Keepalive down
2400008 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
2401008 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

From frank at knobbe.us Wed Nov 19 16:21:16 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 19 Nov 2008 15:21:16 -0600
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov-19-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2911@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2911@webmail.latis.com>
Message-ID: <1227129676.36200.22.camel@localhost>

On Wed, 2008-11-19 at 05:12 -0700, signatures wrote:
> Hi Matt,
>
> Please find 10 New Signatures below:

I would commit these if I knew where to put them :)

The CVS tree is a bit messy in regards to ActiveX sigs. There are a ton in WEB and a ton in EXPLOIT. The file names are based on the application. Personally, I think we should change that, and like to discuss that with Matt when he gets on IRC or responds here.

I'd like to suggest we roll all ActiveX exploit sigs into one file _ActiveX and list all applications in that file. I think the EXPLOIT category would be more appropriate than WEB since WEB is usually used for WEB site issues, not client issues.

So my suggestion: Collapse all ActiveX exploit sigs into one file EXPLOIT/ActiveX. Effect on the rule files: All ActiveX sigs would be in -exploit.rules rather than -web.rules.

Thoughts?

Regards,
Frank
From jjohnso at cio.sc.gov Wed Nov 19 16:30:05 2008
From: jjohnso at cio.sc.gov (Jeff Johnson)
Date: Wed, 19 Nov 2008 16:30:05 -0500
Subject: [Emerging-Sigs] Segfault from broken botcc rule
In-Reply-To: <839aec700811191146o2d2d0e0eq66f1ef2696bf0c67@mail.gmail.com>
References: <839aec700811191146o2d2d0e0eq66f1ef2696bf0c67@mail.gmail.com>
Message-ID: <4924855D.5070300@cio.sc.gov>

Yep,

That empty rule is killing me too....

Nov 19 03:46:08 beaufsd snort[17501]: FATAL ERROR: /etc/snort/rules/emerging-botcc.rules(59) => Empty IP used either as source IP or as destination IP in a rule. IP list: [].
Nov 19 16:27:51 beaufsd snort[29435]: FATAL ERROR: /etc/snort/rules/emerging-botcc.rules(59) => Empty IP used either as source IP or as destination IP in a rule. IP list: [].

----------------------------
Jeff Johnson
Network Security Analyst

Darren Spruell wrote:
> # Testing snort config:
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Segmentation fault (core dumped)
>
> -----
>
> This appears to happen due to the latest emerging-botcc.rules (e.g.
> http://www.emergingthreats.net/rules/emerging-botcc.rules) containing
> broken sid 2404020 w/o dst addresses in rule header:
>
> alert ip $HOME_NET any -> [] any (msg:"ET DROP Known Bot C&C Server
> Traffic (group 21) "; reference:url,www.shadowserver.org; threshold:
> type limit, track
> by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404020;
> rev:1354;)
>
> Automation issue?
From r.fulton at auckland.ac.nz Wed Nov 19 17:07:43 2008
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Thu, 20 Nov 2008 11:07:43 +1300
Subject: [Emerging-Sigs] rule documentation
Message-ID: <27F81122-92A0-40E1-B92E-5A7504B63A15@auckland.ac.nz>

Hi Folks

As a consumer of rules one thing I would find very useful for all these url based rules is an example of what the rule is looking for in the wiki.

Because we are a university we have lots of folk doing "weird stuff" and using all sorts of strange applications (about 10% of our students were born in China...). So I often find myself looking at the pcaps and the rules and trying to decide is this an FP or no. Some rules are really specific with three or more specific matches and it's pretty clear the hits are for real, many others are much wider open and it is very difficult to decide if it is an FP or not.

Given the difficulty of finding some of these critters on the machines themselves we are starting to simply reimage them even if we can't find anything. This is expensive so any means of eliminating FP would really help.

So when folk submit rules for urls it would be greatly appreciated by me (and probably others) if they could include an example uri for the docs.

Matt: is there a straightforward way for the folk managing the rule base to enter such doc when they add the rule?

Russell

From phatbuckett at gmail.com Wed Nov 19 17:30:41 2008
From: phatbuckett at gmail.com (Darren Spruell)
Date: Wed, 19 Nov 2008 15:30:41 -0700
Subject: [Emerging-Sigs] Rules with reference oopses
Message-ID: <839aec700811191430p4ab601co442ca8e7cbb91417@mail.gmail.com>

Initializing rule chains...
WARNING /etc/snort/rules/emerging-policy.rules(1317): invalid Reference spec 'www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/'. Ignored
WARNING /etc/snort/rules/emerging-policy.rules(1318): invalid Reference spec 'www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/'. Ignored
WARNING /etc/snort/rules/emerging-policy.rules(1321): invalid Reference spec 'www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/'. Ignored
WARNING /etc/snort/rules/emerging-policy.rules(1322): invalid Reference spec 'www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/'. Ignored
WARNING /etc/snort/rules/emerging-policy.rules(1325): invalid Reference spec 'www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/'. Ignored

Looks like these are missing the url, prepend on the reference option.

From phatbuckett at gmail.com Wed Nov 19 17:32:12 2008
From: phatbuckett at gmail.com (Darren Spruell)
Date: Wed, 19 Nov 2008 15:32:12 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov-19-2008
In-Reply-To: <1227129676.36200.22.camel@localhost>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2911@webmail.latis.com> <1227129676.36200.22.camel@localhost>
Message-ID: <839aec700811191432l1027e84sd60d96f70d4b6a98@mail.gmail.com>

On Wed, Nov 19, 2008 at 2:21 PM, Frank Knobbe wrote:
> On Wed, 2008-11-19 at 05:12 -0700, signatures wrote:
>> Hi Matt,
>> Please find 10 New Signatures below:
>
> I would commit these if I knew where to put them :)
>
> The CVS tree is a bit messy in regards to ActiveX sigs. There are a ton
> in WEB and a ton in EXPLOIT. The file names are based on the
> application.
>
>
> So my suggestion: Collapse all ActiveX exploit sigs into one file
> EXPLOIT/ActiveX. Effect on the rule files: All ActiveX sigs would be in
> -exploit.rules rather than -web.rules.
This is exactly the change that Sourcefire VRT made recently:

(From their latest SEU)

Web-ActiveX Rules:
This group contains rules that were formerly in the web-client.rules group. It has been created to better manage the large number of ActiveX rules now in the VRT certified rule set.

From frank at knobbe.us Wed Nov 19 17:38:12 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 19 Nov 2008 16:38:12 -0600
Subject: [Emerging-Sigs] Rules with reference oopses
In-Reply-To: <839aec700811191430p4ab601co442ca8e7cbb91417@mail.gmail.com>
References: <839aec700811191430p4ab601co442ca8e7cbb91417@mail.gmail.com>
Message-ID: <1227134292.36200.27.camel@localhost>

On Wed, 2008-11-19 at 15:30 -0700, Darren Spruell wrote:
> Looks like these are missing the url, prepend on the reference option.

Fixed. Thanks Darren!

-Frank

From frank at knobbe.us Wed Nov 19 17:42:56 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 19 Nov 2008 16:42:56 -0600
Subject: [Emerging-Sigs] rule documentation
In-Reply-To: <27F81122-92A0-40E1-B92E-5A7504B63A15@auckland.ac.nz>
References: <27F81122-92A0-40E1-B92E-5A7504B63A15@auckland.ac.nz>
Message-ID: <1227134576.36200.31.camel@localhost>

On Thu, 2008-11-20 at 11:07 +1300, Russell Fulton wrote:
> So when folk submit rules for urls it would be greatly appreciated by
> me (and probably others) if they could include an example uri for the
> docs.

I think we could also use some volunteers that would like to help out by adding documentation to existing rules.
Anyone interested? If so, contact Matt ;)

Cheers,
Frank

PS: I'm guilty of not entering info into the Wiki for the sig I committed today. But I did enter a comment section into the rules file! :)

From jonkman at jonkmans.com Wed Nov 19 18:45:37 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 19 Nov 2008 18:45:37 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov-19-2008
In-Reply-To: <839aec700811191432l1027e84sd60d96f70d4b6a98@mail.gmail.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2911@webmail.latis.com> <1227129676.36200.22.camel@localhost> <839aec700811191432l1027e84sd60d96f70d4b6a98@mail.gmail.com>
Message-ID: <4924A521.9080504@jonkmans.com>

They're already in, but maybe we should create that sub-category for activeX.

What's everyone's preference? A new ruleset file named web-activex.rules, or something similar. Or just keep them in emerging-web.rules but call them WEB_ACTIVEX?

Matt

Darren Spruell wrote:
> On Wed, Nov 19, 2008 at 2:21 PM, Frank Knobbe wrote:
>> On Wed, 2008-11-19 at 05:12 -0700, signatures wrote:
>>> Hi Matt,
>>> Please find 10 New Signatures below:
>> I would commit these if I knew where to put them :)
>>
>> The CVS tree is a bit messy in regards to ActiveX sigs. There are a ton
>> in WEB and a ton in EXPLOIT. The file names are based on the
>> application.
>>
>>
>> So my suggestion: Collapse all ActiveX exploit sigs into one file
>> EXPLOIT/ActiveX. Effect on the rule files: All ActiveX sigs would be in
>> -exploit.rules rather than -web.rules.
>
> This is exactly the change that Sourcefire VRT made recently:
>
> (From their latest SEU)
>
> Web-ActiveX Rules:
> This group contains rules that were formerly in the web-client.rules
> group. It has been created to better manage the large number of ActiveX
> rules now in the VRT certified rule set.
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed Nov 19 18:48:02 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 19 Nov 2008 18:48:02 -0500
Subject: [Emerging-Sigs] rule documentation
In-Reply-To: <27F81122-92A0-40E1-B92E-5A7504B63A15@auckland.ac.nz>
References: <27F81122-92A0-40E1-B92E-5A7504B63A15@auckland.ac.nz>
Message-ID: <4924A5B2.2010905@jonkmans.com>

You make a good point, and I'm very guilty of being too lazy to put in that kind of data. Takes a lot of extra time.

The wiki (http://doc.emergingthreats.net) is that method for us to put in that documentation. We did the wiki for the express reason anyone can add and it'll be reviewed.

I'll commit to putting up a sample url more often, especially in the cases of the spyware crud. But if there are volunteers that want to, or if you get a confirmed hit on a sig that hasn't got a sample url, please go ahead and add it!!

Matt

Russell Fulton wrote:
> Hi Folks
>
> As a consumer of rules one thing I would find very useful for all
> these url based rules is an example of what the rule is looking for in
> the wiki.
>
> Because we are a university we have lots of folk doing "weird stuff"
> and using all sorts of strange applications (about 10% of our students
> were born in China...). So I often find myself looking at the pcaps
> and the rules and trying to decide is this an FP or no.
> Some rules
> are really specific with three or more specific matches and it's pretty
> clear the hits are for real, many others are much wider open and it is
> very difficult to decide if it is an FP or not.
>
> Given the difficulty of finding some of these critters on the machines
> themselves we are starting to simply reimage them even if we can't
> find anything. This is expensive so any means of eliminating FP would
> really help.
>
> So when folk submit rules for urls it would be greatly appreciated by
> me (and probably others) if they could include an example uri for the
> docs.
>
> Matt: is there a straightforward way for the folk managing the rule
> base to enter such doc when they add the rule?
>
> Russell

From jonkman at jonkmans.com Wed Nov 19 18:48:40 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 19 Nov 2008 18:48:40 -0500
Subject: [Emerging-Sigs] Segfault from broken botcc rule
In-Reply-To: <4924855D.5070300@cio.sc.gov>
References: <839aec700811191146o2d2d0e0eq66f1ef2696bf0c67@mail.gmail.com> <4924855D.5070300@cio.sc.gov>
Message-ID: <4924A5D8.3050901@jonkmans.com>

Fixed up all, sorry for the issue. Yet a new update script flaw.

All good now?

Matt

Jeff Johnson wrote:
>
> Yep,
>
> That empty rule is killing me too....
>
> Nov 19 03:46:08 beaufsd snort[17501]: FATAL ERROR:
> /etc/snort/rules/emerging-botcc.rules(59) => Empty IP used either as
> source IP or as destination IP in a rule. IP list: [].
> Nov 19 16:27:51 beaufsd snort[29435]: FATAL ERROR:
> /etc/snort/rules/emerging-botcc.rules(59) => Empty IP used either as
> source IP or as destination IP in a rule. IP list: [].
>
> ----------------------------
> Jeff Johnson
> Network Security Analyst
>
> Darren Spruell wrote:
>> # Testing snort config:
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Initializing rule chains...
>> Segmentation fault (core dumped)
>>
>> -----
>>
>> This appears to happen due to the latest emerging-botcc.rules (e.g.
>> http://www.emergingthreats.net/rules/emerging-botcc.rules) containing
>> broken sid 2404020 w/o dst addresses in rule header:
>>
>> alert ip $HOME_NET any -> [] any (msg:"ET DROP Known Bot C&C Server
>> Traffic (group 21) "; reference:url,www.shadowserver.org; threshold:
>> type limit, track
>> by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404020;
>> rev:1354;)
>>
>> Automation issue?

From frank at knobbe.us Wed Nov 19 18:53:43 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 19 Nov 2008 17:53:43 -0600
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov-19-2008
In-Reply-To: <4924A521.9080504@jonkmans.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2911@webmail.latis.com> <1227129676.36200.22.camel@localhost> <839aec700811191432l1027e84sd60d96f70d4b6a98@mail.gmail.com> <4924A521.9080504@jonkmans.com>
Message-ID: <1227138823.36200.40.camel@localhost>

On Wed, 2008-11-19 at 18:45 -0500, Matt Jonkman wrote:
> What's everyone's preference? A new ruleset file named
> web-activex.rules, or something similar.
> Or just keep them in
> emerging-web.rules but call them WEB_ACTIVEX?

I wouldn't put them in emerging-web.rules since that rule file is for web servers/applications, not for clients. My vote is for EXPLOITS.

-Frank

From jonkman at jonkmans.com Wed Nov 19 19:07:28 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 19 Nov 2008 19:07:28 -0500
Subject: [Emerging-Sigs] SidReporter 1.0.1 Available
In-Reply-To: <1227078542.6380.11.camel@cunningpike-powerbook>
References: <4922E52C.9050402@jonkmans.com> <1227078542.6380.11.camel@cunningpike-powerbook>
Message-ID: <4924AA40.2050303@jonkmans.com>

That's definitely something we want to do. Lack of time has been the issue to date. Let's talk offline and see what we can do!

Anyone else with the expertise required and a bit of time to chip in please ping us as well.

Matt

CunningPike wrote:
> Any chance of a version that runs over the sguil database? I would be
> prepared to assist in getting one up and running....
>
> CP
>
> On Tue, 2008-11-18 at 10:54 -0500, Matt Jonkman wrote:
>> A minor fix to SidReporter has been released. This was a minor change to
>> handle an occasional perl error regarding use of an uninitialized variable.
>>
>> http://www.emergingthreats.net/sidreporter/sidreporter-1.0.1.tar.gz
>>
>> If you weren't having an issue you don't need to upgrade.
>>
>> Thanks to everyone that is submitting data!
>> Generic results are
>> available here:
>> http://www.emergingthreats.net/index.php/sidreporter-statistics.html
>>
>> More detailed, and individual statistics are forthcoming. Input welcome
>> there!
>>
>> Matt
>>

From nate+emerging at richmond-family.org Thu Nov 20 07:58:38 2008
From: nate+emerging at richmond-family.org (Nathaniel Richmond)
Date: Thu, 20 Nov 2008 07:58:38 -0500 (EST)
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov-19-2008
In-Reply-To: <20081119234619.94643A4050@medusa.richmond-family.org>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2911@webmail.latis.com> <1227129676.36200.22.camel@localhost> <839aec700811191432l1027e84sd60d96f70d4b6a98@mail.gmail.com> <20081119234619.94643A4050@medusa.richmond-family.org>
Message-ID: <20081120125838.21306A403D@medusa.richmond-family.org>

Matt Jonkman wrote:
> They're already in, but maybe we should create that sub-category for
> activeX.
>
> What's everyone's preference? A new ruleset file named
> web-activex.rules, or something similar. Or just keep them in
> emerging-web.rules but call them WEB_ACTIVEX?
>
> Matt

I think a new rule set file is worse simply because it means everyone has to notice the change and include the new rule set in their snort.conf. If there is a rule set these legitimately can be added to, that would probably be easier for the user base.
>
> Darren Spruell wrote:
>> On Wed, Nov 19, 2008 at 2:21 PM, Frank Knobbe wrote:
>>> On Wed, 2008-11-19 at 05:12 -0700, signatures wrote:
>>>> Hi Matt,
>>>> Please find 10 New Signatures below:
>>>
>>> I would commit these if I knew where to put them :)
>>>
>>> The CVS tree is a bit messy in regards to ActiveX sigs. There are a ton
>>> in WEB and a ton in EXPLOIT. The file names are based on the application.
>>>
>>> So my suggestion: Collapse all ActiveX exploit sigs into one file
>>> EXPLOIT/ActiveX. Effect on the rule files: All ActiveX sigs would be in
>>> -exploit.rules rather than -web.rules.
>>
>> This is exactly the change that Sourcefire VRT made recently:
>>
>> (From their latest SEU)
>>
>> Web-ActiveX Rules:
>> This group contains rules that were formerly in the web-client.rules
>> group. It has been created to better manage the large number of ActiveX
>> rules now in the VRT certified rule set.
>

From phatbuckett at gmail.com Thu Nov 20 12:31:38 2008
From: phatbuckett at gmail.com (Darren Spruell)
Date: Thu, 20 Nov 2008 10:31:38 -0700
Subject: [Emerging-Sigs] Segfault from broken botcc rule
In-Reply-To: <4924A5D8.3050901@jonkmans.com>
References: <839aec700811191146o2d2d0e0eq66f1ef2696bf0c67@mail.gmail.com> <4924855D.5070300@cio.sc.gov> <4924A5D8.3050901@jonkmans.com>
Message-ID: <839aec700811200931w15f2d1l7a974a90aff06de8@mail.gmail.com>

On Wed, Nov 19, 2008 at 4:48 PM, Matt Jonkman wrote:
> Fixed up all, sorry for the issue. Yet a new update script flaw.
>
> All good now?
Today's rules files look cleaned up. Thx!

--
Darren Spruell
phatbuckett at gmail.com

From phatbuckett at gmail.com Thu Nov 20 15:12:24 2008
From: phatbuckett at gmail.com (Darren Spruell)
Date: Thu, 20 Nov 2008 13:12:24 -0700
Subject: [Emerging-Sigs] 2008405 additional info
In-Reply-To: <839aec700811201208p368d3c11kfc09349b3202b9f3@mail.gmail.com>
References: <839aec700811201208p368d3c11kfc09349b3202b9f3@mail.gmail.com>
Message-ID: <839aec700811201212j1ea099d1ub6ff0707b315b879@mail.gmail.com>

On Thu, Nov 20, 2008 at 1:08 PM, Darren Spruell wrote:
> Regarding 2008405:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Obitel trojan calling home"; flow:established,to_server; uricontent:"/gate.php?hash="; nocase; content:"|0d 0a|User-Agent\: ie|0d 0a|"; reference:url,www.abuse.ch/?p=143; classtype:trojan-activity; sid:2008405; rev:1;)
>
> I've found this piece of malware to be sending requests in a few
> variations, one which I've noticed won't match on the above rule due
> to UA change:

And I forgot to note, another variation we've seen has been in the HTTP protocol version in use:

GET /ldr/gate.php?hash=c0c7731c HTTP/1.0
GET /ldr/gate.php?hash=c0c7731c HTTP/1.1

This agent changes things around quite a bit (have seen various other changes in HTTP headers from the same host), I would presume exactly for the reason of bypassing signatures/etc.
--
Darren Spruell
phatbuckett at gmail.com

From dxp2532 at gmail.com Thu Nov 20 15:37:18 2008
From: dxp2532 at gmail.com (dxp)
Date: Thu, 20 Nov 2008 15:37:18 -0500
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To:
References: <1227060562.29786.3.camel@kinta>
Message-ID: <1227213438.6518.26.camel@kinta>

Here are some regular text rules for the non-legit PE offsets (sid needs to be modified):

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 12)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,12,58,relative,little; content:"PE|00 00|"; rawbytes; within:14; sid:XXXXXX12; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 16)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,16,58,relative,little; content:"PE|00 00|"; rawbytes; within:18; sid:XXXXXX16; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 64)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,64,58,relative,little; content:"PE|00 00|"; rawbytes; within:66; sid:XXXXXX64; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 96)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,96,58,relative,little; content:"PE|00 00|"; rawbytes; within:98; sid:XXXXXX96; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 124)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,124,58,relative,little; content:"PE|00 00|"; rawbytes; within:128; sid:XXXXXX124; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 144)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,144,58,relative,little; content:"PE|00 00|"; rawbytes; within:146; sid:XXXXXX144; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 152)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,152,58,relative,little; content:"PE|00 00|"; rawbytes; within:154; sid:XXXXXX152; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 160)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,160,58,relative,little; content:"PE|00 00|"; rawbytes; within:162; sid:XXXXXX160; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 512)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,512,58,relative,little; content:"PE|00 00|"; rawbytes; within:514; sid:XXXXXX512; rev:1;)

-
-=[ dxp ]=-
0xA3F3C6E3

On Tue, 2008-11-18 at 21:40 -0600, Martin Holste wrote:
> Wow, very helpful findings! Thanks for checking that out. I updated
> all of my executable sigs to allow for more depth between the MZ and
> the PE (I cranked it all the way to the MTU, though that's probably
> overkill based on your findings). I look forward to incorporating
> your SO rules when you think they're ready.
>
> It sounds like it would be worth alerting on any exe that has a PE
> header before 128 bytes, though I'm sure a few legit files would pop
> out of the woodwork. Mega bonus points for an SO rule that can alert
> based on the amount of entropy of the file sections!
>
> --Martin
>
>
> On Tue, Nov 18, 2008 at 8:09 PM, dxp wrote:
> > Changed "flow_depth" from 0 to 50 and the SO rule failed to
> > alert on executables within ports specified in the
> > preprocessor. It appears then that the SO rules have the same
> > properties as regular rules but with more detection
> > flexibility.
> >
> > -
> > -=[ dxp ]=-
> > 0xA3F3C6E3
> >
> > On Tue, 2008-11-18 at 13:15 -0600, Martin Holste wrote:
> > > On a related note, check out the possible evasion technique
> > > of padding the PE header 512 bytes from this rogue
> > > anti-virus download (MD5: b1186e40473ebfe57d2738b02504eea1).
> > >
> > > 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d  HTTP/1.1 200 OK.
> > > 0a 44 61 74 65 3a 20 54 75 65 2c 20 31 38 20 4e  .Date: Tue, 18 N
> > > 6f 76 20 32 30 30 38 20 31 33 3a 30 33 3a 35 33  ov 2008 13:03:53
> > > 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70   GMT..Server: Ap
> > > 61 63 68 65 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66  ache..Last-Modif
> > > 69 65 64 3a 20 54 75 65 2c 20 31 38 20 4e 6f 76  ied: Tue, 18 Nov
> > > 20 32 30 30 38 20 31 30 3a 33 37 3a 32 39 20 47   2008 10:37:29 G
> > > 4d 54 0d 0a 45 54 61 67 3a 20 22 37 38 66 66 39  MT..ETag: "78ff9
> > > 2d 32 38 30 30 30 2d 34 35 62 66 34 34 38 33 64  -28000-45bf4483d
> > > 63 63 34 30 22 0d 0a 41 63 63 65 70 74 2d 52 61  cc40"..Accept-Ra
> > > 6e 67 65 73 3a 20 62 79 74 65 73 0d 0a 43 6f 6e  nges: bytes..Con
> > > 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 36 33  tent-Length: 163
> > > 38 34 30 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a  840..Keep-Alive:
> > > 20 74 69 6d 65 6f 75 74 3d 35 2c 20 6d 61 78 3d   timeout=5, max=
> > > 34 39 39 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a  499..Connection:
> > > 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e   Keep-Alive..Con
> > > 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69  tent-Type: appli
> > > 63 61 74 69 6f 6e 2f 78 2d 6d 73 64 6f 77 6e 6c  cation/x-msdownl
> > > 6f 61 64 0d 0a 0d 0a 4d 5a 50 00 02 00 00 00 04  oad....MZP......
> > > 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40  ...............@
> > > 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 02 00 00 ba 10 00 0e 1f b4 09 cd 21  ...............!
> > > b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67  ..L.!..This prog
> > > 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20  ram must be run
> > > 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 08 95 00  under Win32.....
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 84  .......PE..L....
> > >
> > > Or this one padded to 256 bytes (MD5: 174685c2d8e38d34dfbe522faadceed4)
> > >
> > > 00000000  4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00  |MZP.............|
> > > 00000010  b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00  |........@.......|
> > > 00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
> > > 00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00  |................|
> > > 00000040  ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90  |........!..L.!..|
> > > 00000050  54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73  |This program mus|
> > > 00000060  74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57  |t be run under W|
> > > 00000070  69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00  |in32..$7........|
> > > 00000080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
> > > *
> > > 00000100  50 45 00 00 4c 01 03 00 19 5e 42 2a 00 00 00 00  |PE..L....^B*....|
> > >
> > > Is the magic byte offset due to the packer being used, or is
> > > this a deliberate attempt to evade detection? Now here's
> > > another thought: if this comes via HTTP and you're running
> > > the HTTP preprocessor, what is your server flow depth set
> > > at? If it's not at 0, there's a good chance you're missing
> > > a lot of this. And with no stream reassembly on HTTP
> > > preprocessed packets, good luck detecting anything padded
> > > over your MTU. So, does anyone know if using the dynamic SO
> > > rules would preempt the HTTP preprocessor and mitigate this
> > > problem?
> > >
> > > --Martin
From emerging at emergingthreats.net Thu Nov 20 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 20 Nov 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081120210008.6D0E44502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Nov 20 16:00:08 2008 [***]

[///] Modified active rules: [///]

2008768 - ET POLICY Unknown Trojan P2P Initial Checkin (emerging-policy.rules)
2008769 - ET POLICY Unknown Trojan P2P Initial Checkin Response (emerging-policy.rules)
2008770 - ET POLICY Unknown Trojan P2P Data Download (emerging-policy.rules)
2008771 - ET POLICY Unknown Trojan P2P Download Request (emerging-policy.rules)
2008772 - ET POLICY Unknown Trojan P2P Request (emerging-policy.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-policy.rules (1):
# The 'unknown trojan' rules are still present in case something else uses

-> Added to emerging-sid-msg.map (11):
2008768 || ET POLICY Unknown Trojan P2P Initial Checkin || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008769 || ET POLICY Unknown Trojan P2P Initial Checkin Response || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008770 || ET POLICY Unknown Trojan P2P Data Download || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008771 || ET POLICY Unknown Trojan P2P Download Request || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008772 || ET POLICY Unknown Trojan P2P Request || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500067 || ET COMPROMISED Known Compromised or Hostile Host Traffic (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500068 || ET COMPROMISED Known Compromised or Hostile Host Traffic (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (11):
2008768 || ET POLICY Unknown Trojan P2P Initial Checkin || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008769 || ET POLICY Unknown Trojan P2P Initial Checkin Response || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008770 || ET POLICY Unknown Trojan P2P Data Download || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008771 || ET POLICY Unknown Trojan P2P Download Request || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008772 || ET POLICY Unknown Trojan P2P Request || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500067 || ET COMPROMISED Known Compromised or Hostile Host Traffic (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500068 || ET COMPROMISED Known Compromised or Hostile Host Traffic (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

-> Removed from emerging-policy.rules (1):
# The 'unknown trojan' rules are still present in case seomthing else uses

-> Removed from emerging-sid-msg.map (7):
2008768 || ET POLICY Unknown Trojan P2P Initial Checkin || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008769 || ET POLICY Unknown Trojan P2P Initial Checkin Response || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008770 || ET POLICY Unknown Trojan P2P Data Download || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008771 || ET POLICY Unknown Trojan P2P Download Request || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008772 || ET POLICY Unknown Trojan P2P Request || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org

-> Removed from emerging-sid-msg.map.txt (7):
2008768 || ET POLICY Unknown Trojan P2P Initial Checkin || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008769 || ET POLICY Unknown Trojan P2P Initial Checkin Response || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008770 || ET POLICY Unknown Trojan P2P Data Download || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008771 || ET POLICY Unknown Trojan P2P Download Request || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008772 || ET POLICY Unknown Trojan P2P Request || www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org

From mcholste at gmail.com Thu Nov 20 16:30:59 2008
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 20 Nov 2008 15:30:59 -0600
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To: <1227213438.6518.26.camel@kinta>
References: <1227060562.29786.3.camel@kinta> <1227213438.6518.26.camel@kinta>
Message-ID:

Nice work! I think you get most of the mega bonus points. How about this for optimization, though: Have the standard MZ/PE00 content checker for generic executable set a flowbit, and then have these all require that flowbit to be set? I did a similar thing with a UPX sig, and that seemed to work pretty well. Am I wrong, or would that help with load reduction?
On Thu, Nov 20, 2008 at 2:37 PM, dxp wrote:
> Here are some regular text rules for the non-legit PE offsets (sid needs
> to be modified):
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 12)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,12,58,relative,little; content:"PE|00 00|"; rawbytes; within:14; sid:XXXXXX12; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 16)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,16,58,relative,little; content:"PE|00 00|"; rawbytes; within:18; sid:XXXXXX16; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 64)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,64,58,relative,little; content:"PE|00 00|"; rawbytes; within:66; sid:XXXXXX64; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 96)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,96,58,relative,little; content:"PE|00 00|"; rawbytes; within:98; sid:XXXXXX96; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 124)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,124,58,relative,little; content:"PE|00 00|"; rawbytes; within:128; sid:XXXXXX124; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 144)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,144,58,relative,little; content:"PE|00 00|"; rawbytes; within:146; sid:XXXXXX144; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 152)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,152,58,relative,little; content:"PE|00 00|"; rawbytes; within:154; sid:XXXXXX152; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 160)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,160,58,relative,little; content:"PE|00 00|"; rawbytes; within:162; sid:XXXXXX160; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 512)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,512,58,relative,little; content:"PE|00 00|"; rawbytes; within:514; sid:XXXXXX512; rev:1;)
>
> -
> -=[ dxp ]=-
> 0xA3F3C6E3
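An added worked example, not from this thread or from the ET ruleset: a small Python check that does offline what dxp's byte_test/within rules do on the wire, and that stages the tests the way Martin's flowbit suggestion orders them (the generic MZ/PE check runs first and gates the per-offset checks). The flagged-offset set is copied from the rules above; the DOS stub text is the one visible in the dumps; `build_sample`, `classify_executable` and `scan_http_body` are names I chose, and the samples they produce are constructed, not the files from the dumps.

```python
import struct

# Offsets flagged by the regular-text rules in this thread: the byte_test
# value of each rule. This is the thread's list, not a general "legit" list.
FLAGGED_PE_OFFSETS = {12, 16, 64, 96, 124, 144, 152, 160, 512}

# e_lfanew lives at 0x3c. In the rules, content:"MZ" ends at offset 2 and
# byte_test:4,=,N,58,relative,little reads 4 LE bytes 58 further on: 2 + 58 = 0x3c.
E_LFANEW_OFFSET = 0x3C

# DOS stub text as seen in the dumps; only used to make constructed samples realistic.
DOS_STUB_TEXT = b"This program must be run under Win32\r\n"


def pe_header_offset(data: bytes):
    """Return e_lfanew (the PE header offset), or None if data has no MZ header."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return None
    return struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]


def has_pe_signature_at(data: bytes, offset: int) -> bool:
    """Generic MZ/PE check: is "PE\\0\\0" where e_lfanew points? This is what
    content:"PE|00 00|"; within:N+2 verifies once byte_test has pinned N."""
    return data[offset:offset + 4] == b"PE\x00\x00"


def classify_executable(data: bytes) -> str:
    """Staged like the flowbit idea: the cheap generic test gates the offset tests."""
    off = pe_header_offset(data)
    if off is None:
        return "not-mz"
    if not has_pe_signature_at(data, off):
        return "mz-without-pe"
    if off in FLAGGED_PE_OFFSETS:
        return "pe-flagged-offset-%d" % off
    return "pe"


def build_sample(e_lfanew: int) -> bytes:
    """Constructed test input (hypothetical, not a file from the dumps): an MZ header,
    the DOS stub text at 0x40, zero padding, and a PE signature at e_lfanew."""
    if e_lfanew < 2 or E_LFANEW_OFFSET - 3 <= e_lfanew <= E_LFANEW_OFFSET + 3:
        raise ValueError("e_lfanew would overwrite the MZ magic or itself")
    size = max(e_lfanew + 24, 0x40 + len(DOS_STUB_TEXT))
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    buf[0x40:0x40 + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"  # written last so it wins any overlap with the stub
    return bytes(buf)


def scan_http_body(payload: bytes) -> str:
    """Skip HTTP response headers (the dumps above carry them) and classify the body."""
    sep = payload.find(b"\r\n\r\n")
    body = payload[sep + 4:] if sep >= 0 else payload
    return classify_executable(body)


if __name__ == "__main__":
    for off in (0x100, 512, 12):
        print("e_lfanew=%d -> %s" % (off, classify_executable(build_sample(off))))
```

Note that the 256-byte sample in Martin's dump would come back as plain "pe" here, because 256 is not among the offsets the posted rules cover; whether to extend the set is the same policy question the thread leaves open.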
From jscheidell at secnap.net Thu Nov 20 16:56:57 2008
From: jscheidell at secnap.net (Jon Scheidell)
Date: Thu, 20 Nov 2008 16:56:57 -0500
Subject: [Emerging-Sigs] Possible revision to SID 2003020 (TLS/SSL app on non standard port)
Message-ID:

Current:

emerging-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,from_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; classtype:unusual-client-port-connection; sid:2003020; rev:7;)

Does not exclude some well known services; the FP I'm seeing in particular is SMTP over TLS, so maybe something like $HOME_NET !25 to start with, since I'm not seeing a lot (none off the top of my head) of FPs on https or other encrypted traffic.

Similar rules, but that are not triggering, are SIDs 2003002-2003021. I don't know if it makes sense to make these "more accurate" also if they are not triggering false positives in this case though.

--
Jon Scheidell
SECNAP Network Security
From emerging at emergingthreats.net Fri Nov 21 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 21 Nov 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081121210008.364034502D@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Nov 21 16:00:08 2008 [***]

[*] Rules modifications: [*]
None.

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (6):
2500069 || ET COMPROMISED Known Compromised or Hostile Host Traffic (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (6):
2500069 || ET COMPROMISED Known Compromised or Hostile Host Traffic (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From jonkman at jonkmans.com Sat Nov 22 06:16:18 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sat, 22 Nov 2008 06:16:18 -0500
Subject: [Emerging-Sigs] Possible revision to SID 2003020 (TLS/SSL app on non standard port)
In-Reply-To:
References:
Message-ID: <4927EA02.2040200@jonkmans.com>

Hey Jon,

There are a set of sigs intended to exclude known stuff, check here:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port?rev=1.3

If you're getting hits on port 25 though something's up. You're not tracking flow right or something. They should all be to_server 1024: which ought to exclude any port 25 stuff. Are you on current snort/stream5?

Matt

Jon Scheidell wrote:
> Current:
> emerging-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,from_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; classtype:unusual-client-port-connection; sid:2003020; rev:7;)
>
> Does not exclude some well known services; the FP I'm seeing in
> particular is SMTP over TLS, so maybe something like
> $HOME_NET !25 to start with, since I'm not seeing a lot (none off the top
> of my head) of FPs on https or other encrypted traffic.
>
> Similar rules, but that are not triggering, are SIDs 2003002-2003021. I
> don't know if it makes sense to make these "more accurate" also if they
> are not triggering false positives in this case though.
>
> -- 
> Jon Scheidell >>|SECNAP Network Security
>
> ------------------------------------------------------------------------
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Sat Nov 22 06:21:33 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sat, 22 Nov 2008 06:21:33 -0500
Subject: [Emerging-Sigs] 2008405 additional info
In-Reply-To: <839aec700811201212j1ea099d1ub6ff0707b315b879@mail.gmail.com>
References: <839aec700811201208p368d3c11kfc09349b3202b9f3@mail.gmail.com> <839aec700811201212j1ea099d1ub6ff0707b315b879@mail.gmail.com>
Message-ID: <4927EB3D.3090505@jonkmans.com>

I'm seeing many like this, random paths but always gate.php=hash and an 8 digit hash, hex charset. But all ie as a user agent. What kind of UAs were you seeing?

Matt

Darren Spruell wrote:
> On Thu, Nov 20, 2008 at 1:08 PM, Darren Spruell wrote:
>> Regarding 2008405:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> Obitel trojan calling home"; flow:established,to_server;
>> uricontent:"/gate.php?hash="; nocase; content:"|0d 0a|User-Agent\: 
>> ie|0d 0a|"; reference:url,www.abuse.ch/?p=143;
>> classtype:trojan-activity; sid:2008405; rev:1;)
>>
>> I've found this piece of malware to be sending requests in a few
>> variations, one which I've noticed won't match on the above rule due
>> to UA change:
>
> And I forgot to note, another variation we've seen has been in the
> HTTP protocol version in use:
>
> GET /ldr/gate.php?hash=c0c7731c HTTP/1.0
> GET /ldr/gate.php?hash=c0c7731c HTTP/1.1
>
> This agent changes things around quite a bit (have seen various other
> changes in HTTP headers from the same host), I would presume exactly
> for the reason of bypassing signatures/etc.

From emerging at emergingthreats.net Sat Nov 22 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 22 Nov 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081122210008.E00914502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Nov 22 16:00:08 2008 [***]

[+++] Added rules: [+++]
2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
2406049 - ET RBN Known Russian Business
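For the SID 2003020 thread above, an added example that is not code from the list or from Emerging Threats: it evaluates rev:7 exactly as Jon quoted it (header, flow direction, flowbit and the |17 03 01| content check) against constructed TLS flows, so that the SMTP-over-TLS direction the posted header selects and the effect of the proposed $HOME_NET !25 source-port exclusion can be seen side by side. $HOME_NET, the addresses, ports and payloads are assumptions, $EXTERNAL_NET is taken as !$HOME_NET, and the from_server label and BS.SSL.Established flowbit are supplied as inputs rather than derived from a handshake.

```python
"""Evaluator for ET SID 2003020 rev:7 as quoted in the thread.

Added example, not Emerging Threats code.  $HOME_NET, the flows and the
payloads are constructed; $EXTERNAL_NET is treated as !$HOME_NET.  The
from_server label and the BS.SSL.Established flowbit are inputs here
(stream5 and the handshake sigs would set them on a real sensor).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = (ip_network("10.0.0.0/8"),)       # constructed $HOME_NET
TLS10_APPDATA = bytes.fromhex("170301")       # content:"|17 03 01|"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    from_server: bool       # direction stream5 assigns within the session
    ssl_established: bool   # flowbits:isset,BS.SSL.Established
    payload: bytes


def in_home_net(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in HOME_NET)


def sid_2003020(pkt: Packet, excluded_src_ports=()) -> bool:
    """True if the packet satisfies the rule as posted.

    excluded_src_ports models Jon's proposed '$HOME_NET !25' source-port
    exclusion; leave it empty to evaluate rev:7 unchanged.
    """
    # header: alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535
    if not in_home_net(pkt.src) or in_home_net(pkt.dst):
        return False
    if pkt.sport in excluded_src_ports:
        return False
    if not 1024 <= pkt.dport <= 65535:
        return False
    # flow:established,from_server; flowbits:isset,BS.SSL.Established
    if not (pkt.from_server and pkt.ssl_established):
        return False
    # content:"|17 03 01|"; depth:4 -> the pattern must lie within the first 4 bytes
    return TLS10_APPDATA in pkt.payload[:4]


# Constructed TLS records: an application_data record and a handshake record.
APPDATA = TLS10_APPDATA + b"\x00\x20" + b"\x00" * 32
HANDSHAKE = bytes.fromhex("160301") + b"\x00\x40" + b"\x00" * 64

SAMPLES = {
    # home MTA replying to an external client after STARTTLS: 10.0.0.25:25 -> ext:51000
    "home_mta_starttls": Packet("10.0.0.25", 25, "192.0.2.10", 51000, True, True, APPDATA),
    # outbound mail: the external MTA is the server, so the packet source is not $HOME_NET
    "outbound_smtp_tls": Packet("192.0.2.20", 25, "10.0.0.7", 51001, True, True, APPDATA),
    # home service on an unusual port talking to an external client: the intended catch
    "home_service_8443": Packet("10.0.0.8", 8443, "192.0.2.30", 40000, True, True, APPDATA),
    # home client to an external high port: header matches, flow:from_server rejects it
    "home_client_to_ext": Packet("10.0.0.9", 52000, "192.0.2.30", 8443, False, True, APPDATA),
    # same MTA flow before the handshake finished: no flowbit, no app-data record
    "home_mta_handshake": Packet("10.0.0.25", 25, "192.0.2.10", 51000, True, False, HANDSHAKE),
}


def evaluate(samples=SAMPLES, excluded_src_ports=()):
    """Map sample name -> whether SID 2003020 would fire on it."""
    return {name: sid_2003020(p, excluded_src_ports) for name, p in samples.items()}


if __name__ == "__main__":
    for label, ports in (("rev:7 as posted", ()), ("with $HOME_NET !25", (25,))):
        print(label, evaluate(excluded_src_ports=ports))
```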
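For the SID 2008405 thread above, an added example that is not from the list or from Emerging Threats: the posted rule's logic beside a check keyed on the invariant Matt describes (any path, then gate.php?hash= and exactly 8 hex digits), run over constructed requests that vary the User-Agent and HTTP version the way Darren reports. The host name, the hash 0123abcd and the alternate UA string are placeholders; the two request lines are the ones quoted in the thread.

```python
"""Matcher for ET SID 2008405 rev:1 beside a check keyed on the invariant
Matt describes (gate.php?hash= followed by exactly 8 hex digits).

Added example, not Emerging Threats code.  Sample requests are constructed;
only the two request lines come from Darren's message.  The host name and
the hash 0123abcd are placeholders.
"""
import re
from typing import Optional, Tuple

URI_TOKEN = b"/gate.php?hash="                  # uricontent:"/gate.php?hash="; nocase
UA_IE_HEADER = b"\r\nUser-Agent: ie\r\n"        # content:"|0d 0a|User-Agent\: ie|0d 0a|"

# Any path, then gate.php?hash=<8 hex digits>, ending the query or followed by
# another parameter; shorter, longer or non-hex values do not match.
HASH_RE = re.compile(rb"^/(?:[^\s?]*/)?gate\.php\?hash=([0-9a-f]{8})(?:&|$)", re.IGNORECASE)


def request_line(raw: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """(method, uri, version) from the first line of a raw request, or None."""
    first = raw.split(b"\r\n", 1)[0]
    parts = first.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def matches_sid_2008405(raw: bytes) -> bool:
    """Logic of rev:1 as posted: URI contains the token AND the exact header 'User-Agent: ie'."""
    rl = request_line(raw)
    return rl is not None and URI_TOKEN in rl[1].lower() and UA_IE_HEADER in raw


def obitel_hash(raw: bytes) -> Optional[str]:
    """The 8-hex-digit hash if the request line has the gate.php?hash= shape, else None.

    Ignores User-Agent and HTTP version, the two fields the thread reports
    changing between requests from the same host.
    """
    rl = request_line(raw)
    if rl is None:
        return None
    m = HASH_RE.match(rl[1])
    return m.group(1).decode() if m else None


def build_request(line: bytes, headers) -> bytes:
    """Assemble a raw request from a request line and (name, value) header pairs."""
    out = line + b"\r\n"
    for name, value in headers:
        out += name + b": " + value + b"\r\n"
    return out + b"\r\n"


HOST = (b"Host", b"c2.example.invalid")   # placeholder
SAMPLES = {
    # Darren's HTTP/1.0 line with the UA the rule expects
    "quoted_http10_ua_ie": build_request(
        b"GET /ldr/gate.php?hash=c0c7731c HTTP/1.0", [HOST, (b"User-Agent", b"ie")]),
    # Darren's HTTP/1.1 line with a changed UA (constructed value)
    "quoted_http11_other_ua": build_request(
        b"GET /ldr/gate.php?hash=c0c7731c HTTP/1.1", [HOST, (b"User-Agent", b"Mozilla/4.0")]),
    # random path, as Matt reports; hash value constructed
    "random_path_ua_ie": build_request(
        b"GET /x7/q/gate.php?hash=0123abcd HTTP/1.1", [HOST, (b"User-Agent", b"ie")]),
    # token present but the value is not 8 hex digits
    "non_hex_value_ua_ie": build_request(
        b"GET /gate.php?hash=notahash HTTP/1.1", [HOST, (b"User-Agent", b"ie")]),
    # short value and no User-Agent at all
    "short_value_no_ua": build_request(
        b"GET /gate.php?hash=abc HTTP/1.1", [HOST]),
}


def scan(samples=SAMPLES):
    """Map sample name -> (rev:1 matches?, hash found by the invariant check)."""
    return {name: (matches_sid_2008405(raw), obitel_hash(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (rule_hit, found) in scan().items():
        print(f"{name:24} rev1={rule_hit!s:5} hash={found}")
```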
Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510075 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510076 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (100): 2406045 || ET RBN Known Russian Business Network Monitored Domains (46) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406046 || ET RBN Known Russian Business Network Monitored Domains (47) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406047 || ET RBN Known Russian Business Network Monitored Domains (48) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406048 || ET RBN Known Russian Business Network Monitored Domains (49) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406049 || ET RBN Known Russian Business Network Monitored Domains (50) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406050 || ET RBN Known Russian Business Network Monitored Domains (51) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406051 || ET RBN Known Russian Business Network Monitored Domains (52) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406052 || ET RBN Known Russian Business Network Monitored Domains (53) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406053 || ET RBN Known Russian Business Network Monitored Domains (54) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406054 || 
ET RBN Known Russian Business Network Monitored Domains (55) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406055 || ET RBN Known Russian Business Network Monitored Domains (56) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406056 || ET RBN Known Russian Business Network Monitored Domains (57) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406057 || ET RBN Known Russian Business Network Monitored Domains (58) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406058 || ET RBN Known Russian Business Network Monitored Domains (59) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406059 || ET RBN Known Russian Business Network Monitored Domains (60) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406060 || ET RBN Known Russian Business Network Monitored Domains (61) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406061 || ET RBN Known Russian Business Network Monitored Domains (62) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406062 || ET RBN Known Russian Business Network Monitored Domains (63) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406063 || ET RBN Known Russian Business Network Monitored Domains (64) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406064 || ET RBN Known Russian Business Network Monitored Domains (65) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406065 || ET RBN Known Russian Business Network Monitored Domains (66) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406066 || ET RBN Known Russian Business Network Monitored Domains (67) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406067 || ET RBN Known Russian Business Network Monitored Domains (68) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406068 || ET RBN Known Russian Business Network 
Monitored Domains (69) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406069 || ET RBN Known Russian Business Network Monitored Domains (70) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406070 || ET RBN Known Russian Business Network Monitored Domains (71) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406071 || ET RBN Known Russian Business Network Monitored Domains (72) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406072 || ET RBN Known Russian Business Network Monitored Domains (73) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406073 || ET RBN Known Russian Business Network Monitored Domains (74) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406074 || ET RBN Known Russian Business Network Monitored Domains (75) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406075 || ET RBN Known Russian Business Network Monitored Domains (76) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406076 || ET RBN Known Russian Business Network Monitored Domains (77) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406077 || ET RBN Known Russian Business Network Monitored Domains (78) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406078 || ET RBN Known Russian Business Network Monitored Domains (79) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406079 || ET RBN Known Russian Business Network Monitored Domains (80) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406080 || ET RBN Known Russian Business Network Monitored Domains (81) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406081 || ET RBN Known Russian Business Network Monitored Domains (82) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406082 || ET RBN Known Russian Business Network Monitored Domains (83) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406083 || ET RBN Known Russian Business Network Monitored Domains (84) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406084 || ET RBN Known Russian Business Network Monitored Domains (85) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406085 || ET RBN Known Russian Business Network Monitored Domains (86) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406086 || ET RBN Known Russian Business Network Monitored Domains (87) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406087 || ET RBN Known Russian Business Network Monitored Domains (88) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406088 || ET RBN Known Russian Business Network Monitored Domains (89) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406089 || ET RBN Known Russian Business Network Monitored Domains (90) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407045 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407046 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407047 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407048 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407049 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407050 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407051 || ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (52) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407052 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407053 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407054 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407055 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407056 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407057 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407058 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407059 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407060 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407061 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407062 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407063 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407064 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407065 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407066 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407067 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407068 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407069 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407070 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407071 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407072 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407073 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407074 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407075 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407076 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407077 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407078 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407079 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407080 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407081 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407082 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407083 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407084 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407085 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407086 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407087 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407088 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407089 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500073 || ET COMPROMISED Known Compromised or Hostile Host Traffic (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500074 || ET COMPROMISED Known Compromised or Hostile Host Traffic (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500075 || ET COMPROMISED Known Compromised or Hostile Host Traffic (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510075 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510076 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts [---] Removed non-rule lines: [---] -> Removed from emerging-rbn-BLOCK.rules (2): # VERSION 82 # Updated 2008-11-06 09:42:34 -> Removed from emerging-rbn.rules (2): # VERSION 82 # Updated 2008-11-06 09:42:34 From emerging at emergingthreats.net Sat Nov 22 18:00:09 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sat, 22 Nov 2008 18:00:09 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes Message-ID: <20081122230009.4E1144502B@goliath.jonkmans.com> [***] Results from Oinkmaster started Sat Nov 22 18:00:09 2008 [***] [+++] Added rules: [+++] 2008768 - ET POLICY Unknown Trojan P2P Initial Checkin 
(emerging-policy.rules) 2008769 - ET POLICY Unknown Trojan P2P Initial Checkin Response (emerging-policy.rules) 2008770 - ET POLICY Unknown Trojan P2P Data Download (emerging-policy.rules) 2008771 - ET POLICY Unknown Trojan P2P Download Request (emerging-policy.rules) 2008772 - ET POLICY Unknown Trojan P2P Request (emerging-policy.rules) 2008784 - ET TROJAN Lighty Variant or UltimateDefender POST) (emerging-virus.rules) 2008785 - ET WEB_SPECIFIC Aj Square RSS Reader url SQL Injection (emerging-web_sql_injection.rules) 2008786 - ET WEB_SPECIFIC PozScripts Classified Auctions id parameter SQL Injection (emerging-web_sql_injection.rules) 2008787 - ET WEB_SPECIFIC All In One Control Panel poll_id parameter SQL Injection (emerging-web_sql_injection.rules) 2008788 - ET WEB_SPECIFIC e107 BLOG Engine macgurublog.php uid Parameter SQL Injection (emerging-web_sql_injection.rules) 2008789 - ET WEB_SPECIFIC DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods (emerging-web_sql_injection.rules) 2008790 - ET WEB_SCPECIFIC DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow (emerging-web_sql_injection.rules) 2008791 - ET WEB_SPECIFIC Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite (emerging-web_sql_injection.rules) 2008792 - ET EXPLOIT Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service (emerging-exploit.rules) 2008793 - ET WEB_SPECIFIC SFS EZ BIZ PRO track.php id Parameter Remote SQL Injection (emerging-web_sql_injection.rules) 2008794 - ET POLICY TeamViewier Keep-alive outbound (emerging-policy.rules) 2008795 - ET POLICY TeamViewier Keep-alive inbound (emerging-policy.rules) 2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business 
Network Monitored Domains (49) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules) 2406070 - ET 
RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored 
Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) 
(emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) [///] Modified active rules: [///] 2002750 - ET POLICY Reserved IP Space Traffic - Bogon Nets 2 (emerging-policy.rules) 2002751 - ET POLICY Reserved IP Space Traffic - Bogon Nets 3 (emerging-policy.rules) 2008779 - ET CURRENT_EVENTS Unknown Keepalive out (emerging.rules) 2008780 - ET CURRENT_EVENTS Unknown Keepalive in (emerging.rules) 2008781 - ET POLICY Set flow on rar file get (emerging-policy.rules) 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401002 - ET DROP 
Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)
2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)
2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules)
2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules)
2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules)
2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules)
2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules)
2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules)
2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules)
2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules)
2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules)
2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules)
2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules)
2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules)
2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules)
2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules)
2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules)

[---] Removed rules: [---]

2008593 - ET TROJAN Ultimate Defender Fake AV Checkin (emerging-virus.rules)
2008768 - ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin (emerging.rules)
2008769 - ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response (emerging.rules)
2008770 - ET CURRENT_EVENTS Unknown Trojan P2P Data Download (emerging.rules)
2008771 - ET CURRENT_EVENTS Unknown Trojan P2P Download Request (emerging.rules)
2008772 - ET CURRENT_EVENTS Unknown Trojan P2P Request (emerging.rules)
2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401008 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-drop-BLOCK.rules (2):
# VERSION 1366
# Generated 2008-11-22 00:03:02 EDT

-> Added to emerging-drop.rules (2):
# VERSION 1366
# Generated 2008-11-22 00:03:02 EDT

-> Added to emerging-policy.rules (9):
#re 60fa2ff79411dd1cb829e8a966aa86fc
#moves to 7090 in samples
#moved to 5622 in samples
# 2008-11-19 added by Frank Knobbe
# The following two sigs were created based on the findings of SIDs 2008779
# and 2008780. That particular keep-alive matched the TeamViewer application.
# The 'unknown trojan' rules are still present in case something else uses
# this pattern, but will likely be removed shortly. The trojan sigs won't
# alert if the rules below match.

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 83
# Updated 2008-11-22 06:38:27

-> Added to emerging-rbn.rules (2):
# VERSION 83
# Updated 2008-11-22 06:38:27

-> Added to emerging-sid-msg.map (151):
2008768 || ET POLICY Unknown Trojan P2P Initial Checkin || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008769 || ET POLICY Unknown Trojan P2P Initial Checkin Response || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008770 || ET POLICY Unknown Trojan P2P Data Download || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008771 || ET POLICY Unknown Trojan P2P Download Request || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008772 || ET POLICY Unknown Trojan P2P Request || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008779 || ET CURRENT_EVENTS Unknown Keepalive out
2008780 || ET CURRENT_EVENTS Unknown Keepalive in
2008784 || ET TROJAN Lighty Variant or UltimateDefender POST)
2008785 || ET WEB_SPECIFIC Aj Square RSS Reader url SQL Injection || url,milw0rm.com/exploits/6856 || url,secunia.com/advisories/32413/
2008786 || ET WEB_SPECIFIC PozScripts Classified Auctions id parameter SQL Injection || url,secunia.com/advisories/32373 || url,milw0rm.com/exploits/6839
2008787 || ET WEB_SPECIFIC All In One Control Panel poll_id parameter SQL Injection || url,secunia.com/advisories/32431 || url,milw0rm.com/exploits/6854
2008788 || ET WEB_SPECIFIC e107 BLOG Engine macgurublog.php uid Parameter SQL Injection || url,milw0rm.com/exploits/6856 || bugtraq,29344
2008789 || ET WEB_SPECIFIC DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods || url,milw0rm.com/exploits/6828 || bugtraq,31907
2008790 || ET WEB_SCPECIFIC DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow || url,milw0rm.com/exploits/6878 || bugtraq,31987
2008791 || ET WEB_SPECIFIC Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite || url,milw0rm.com/exploits/6875 || bugtraq,31984
2008792 || ET EXPLOIT Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service || bugtraq,31996
2008793 || ET WEB_SPECIFIC SFS EZ BIZ PRO track.php id Parameter Remote SQL Injection || url,milw0rm.com/exploits/6910 || url,secunia.com/advisories/32552/
2008794 || ET POLICY TeamViewier Keep-alive outbound || url,en.wikipedia.org/wiki/TeamViewer || url,www.teamviewer.com
2008795 || ET POLICY TeamViewier Keep-alive inbound || url,en.wikipedia.org/wiki/TeamViewer || url,www.teamviewer.com
2406045 || ET RBN Known Russian Business Network Monitored Domains (46) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406046 || ET RBN Known Russian Business Network Monitored Domains (47) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406047 || ET RBN Known Russian Business Network Monitored Domains (48) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406048 || ET RBN Known Russian Business Network Monitored Domains (49) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406049 || ET RBN Known Russian Business Network Monitored Domains (50) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406050 || ET RBN Known Russian Business Network Monitored Domains (51) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406051 || ET RBN Known Russian Business Network Monitored Domains (52) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406052 || ET RBN Known Russian Business Network Monitored Domains (53) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406053 || ET RBN Known Russian Business Network Monitored Domains (54) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406054 || ET RBN Known Russian Business Network Monitored Domains (55) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406055 || ET RBN Known Russian Business Network Monitored Domains (56) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406056 || ET RBN Known Russian Business Network Monitored Domains (57) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406057 || ET RBN Known Russian Business Network Monitored Domains (58) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406058 || ET RBN Known Russian Business Network Monitored Domains (59) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406059 || ET RBN Known Russian Business Network Monitored Domains (60) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406060 || ET RBN Known Russian Business Network Monitored Domains (61) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406061 || ET RBN Known Russian Business Network Monitored Domains (62) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406062 || ET RBN Known Russian Business Network Monitored Domains (63) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406063 || ET RBN Known Russian Business Network Monitored Domains (64) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406064 || ET RBN Known Russian Business Network Monitored Domains (65) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406065 || ET RBN Known Russian Business Network Monitored Domains (66) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406066 || ET RBN Known Russian Business Network Monitored Domains (67) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406067 || ET RBN Known Russian Business Network Monitored Domains (68) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406068 || ET RBN Known Russian Business Network Monitored Domains (69) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406069 || ET RBN Known Russian Business Network Monitored Domains (70) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406070 || ET RBN Known Russian Business Network Monitored Domains (71) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406071 || ET RBN Known Russian Business Network Monitored Domains (72) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406072 || ET RBN Known Russian Business Network Monitored Domains (73) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406073 || ET RBN Known Russian Business Network Monitored Domains (74) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406074 || ET RBN Known Russian Business Network Monitored Domains (75) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406075 || ET RBN Known Russian Business Network Monitored Domains (76) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406076 || ET RBN Known Russian Business Network Monitored Domains (77) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406077 || ET RBN Known Russian Business Network Monitored Domains (78) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406078 || ET RBN Known Russian Business Network Monitored Domains (79) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406079 || ET RBN Known Russian Business Network Monitored Domains (80) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406080 || ET RBN Known Russian Business Network Monitored Domains (81) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406081 || ET RBN Known Russian Business Network Monitored Domains (82) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406082 || ET RBN Known Russian Business Network Monitored Domains (83) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406083 || ET RBN Known Russian Business Network Monitored Domains (84) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406084 || ET RBN Known Russian Business Network Monitored Domains (85) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406085 || ET RBN Known Russian Business Network Monitored Domains (86) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406086 || ET RBN Known Russian Business Network Monitored Domains (87) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406087 || ET RBN Known Russian Business Network Monitored Domains (88) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406088 || ET RBN Known Russian Business Network Monitored Domains (89) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406089 || ET RBN Known Russian Business Network Monitored Domains (90) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407045 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407046 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407047 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407048 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407049 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407050 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407051 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407052 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407053 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407054 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407055 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407056 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407057 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407058 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407059 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407060 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407061 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407062 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407063 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407064 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407065 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407066 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407067 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407068 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407069 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407070 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407071 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407072 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407073 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407074 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407075 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407076 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407077 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407078 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407079 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407080 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407081 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407082 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407083 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407084 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407085 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407086 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407087 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407088 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407089 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2500056 || ET COMPROMISED Known Compromised or Hostile Host Traffic (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500057 || ET COMPROMISED Known Compromised or Hostile Host Traffic (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500058 || ET COMPROMISED Known Compromised or Hostile Host Traffic (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500059 || ET COMPROMISED Known Compromised or Hostile Host Traffic (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500060 || ET COMPROMISED Known Compromised or Hostile Host Traffic (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500067 || ET COMPROMISED Known Compromised or Hostile Host Traffic (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500068 || ET COMPROMISED Known Compromised or Hostile Host Traffic (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500069 || ET COMPROMISED Known Compromised or Hostile Host Traffic (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500073 || ET COMPROMISED Known Compromised or Hostile Host Traffic (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500074 || ET COMPROMISED Known Compromised or Hostile Host Traffic (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500075 || ET COMPROMISED Known Compromised or Hostile Host Traffic (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510056 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510057 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510058 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510059 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510060 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510075 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510076 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (151):
2008768 || ET POLICY Unknown Trojan P2P Initial Checkin || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008769 || ET POLICY Unknown Trojan P2P Initial Checkin Response || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008770 || ET POLICY Unknown Trojan P2P Data Download || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008771 || ET POLICY Unknown Trojan P2P Download Request || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008772 || ET POLICY Unknown Trojan P2P Request || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/
2008779 || ET CURRENT_EVENTS Unknown Keepalive out
2008780 || ET CURRENT_EVENTS Unknown Keepalive in
2008784 || ET TROJAN Lighty Variant or UltimateDefender POST)
2008785 || ET WEB_SPECIFIC Aj Square RSS Reader url SQL Injection || url,milw0rm.com/exploits/6856 || url,secunia.com/advisories/32413/
2008786 || ET WEB_SPECIFIC PozScripts Classified Auctions id parameter SQL Injection || url,secunia.com/advisories/32373 || url,milw0rm.com/exploits/6839
2008787 || ET WEB_SPECIFIC All In One Control Panel poll_id parameter SQL Injection || url,secunia.com/advisories/32431 || url,milw0rm.com/exploits/6854
2008788 || ET WEB_SPECIFIC e107 BLOG Engine macgurublog.php uid Parameter SQL Injection || url,milw0rm.com/exploits/6856 || bugtraq,29344
2008789 || ET WEB_SPECIFIC DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods || url,milw0rm.com/exploits/6828 || bugtraq,31907
2008790 || ET WEB_SCPECIFIC DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow || url,milw0rm.com/exploits/6878 || bugtraq,31987
2008791 || ET WEB_SPECIFIC Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite || url,milw0rm.com/exploits/6875 || bugtraq,31984
2008792 || ET EXPLOIT Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service || bugtraq,31996
2008793 || ET WEB_SPECIFIC SFS EZ BIZ PRO track.php id Parameter Remote SQL Injection || url,milw0rm.com/exploits/6910 || url,secunia.com/advisories/32552/
2008794 || ET POLICY TeamViewier Keep-alive outbound || url,en.wikipedia.org/wiki/TeamViewer || url,www.teamviewer.com
2008795 || ET POLICY TeamViewier Keep-alive inbound || url,en.wikipedia.org/wiki/TeamViewer || url,www.teamviewer.com
2406045 || ET RBN Known Russian Business Network Monitored Domains (46) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406046 || ET RBN Known Russian Business Network Monitored Domains (47) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406047 || ET RBN Known Russian Business Network Monitored Domains (48) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406048 || ET RBN Known Russian Business Network Monitored Domains (49) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406049 || ET RBN Known Russian Business Network Monitored Domains (50) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406050 || ET RBN Known Russian Business Network Monitored Domains (51) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406051 || ET RBN Known Russian
Business Network Monitored Domains (52) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406052 || ET RBN Known Russian Business Network Monitored Domains (53) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406053 || ET RBN Known Russian Business Network Monitored Domains (54) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406054 || ET RBN Known Russian Business Network Monitored Domains (55) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406055 || ET RBN Known Russian Business Network Monitored Domains (56) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406056 || ET RBN Known Russian Business Network Monitored Domains (57) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406057 || ET RBN Known Russian Business Network Monitored Domains (58) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406058 || ET RBN Known Russian Business Network Monitored Domains (59) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406059 || ET RBN Known Russian Business Network Monitored Domains (60) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406060 || ET RBN Known Russian Business Network Monitored Domains (61) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406061 || ET RBN Known Russian Business Network Monitored Domains (62) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406062 || ET RBN Known Russian Business Network Monitored Domains (63) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406063 || ET RBN Known Russian Business Network Monitored Domains (64) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406064 || ET RBN Known Russian Business Network Monitored Domains (65) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406065 || ET RBN Known Russian Business Network Monitored Domains (66) 
|| url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406066 || ET RBN Known Russian Business Network Monitored Domains (67) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406067 || ET RBN Known Russian Business Network Monitored Domains (68) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406068 || ET RBN Known Russian Business Network Monitored Domains (69) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406069 || ET RBN Known Russian Business Network Monitored Domains (70) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406070 || ET RBN Known Russian Business Network Monitored Domains (71) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406071 || ET RBN Known Russian Business Network Monitored Domains (72) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406072 || ET RBN Known Russian Business Network Monitored Domains (73) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406073 || ET RBN Known Russian Business Network Monitored Domains (74) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406074 || ET RBN Known Russian Business Network Monitored Domains (75) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406075 || ET RBN Known Russian Business Network Monitored Domains (76) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406076 || ET RBN Known Russian Business Network Monitored Domains (77) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406077 || ET RBN Known Russian Business Network Monitored Domains (78) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406078 || ET RBN Known Russian Business Network Monitored Domains (79) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406079 || ET RBN Known Russian Business Network Monitored Domains (80) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406080 || ET RBN Known Russian Business Network Monitored Domains (81) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406081 || ET RBN Known Russian Business Network Monitored Domains (82) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406082 || ET RBN Known Russian Business Network Monitored Domains (83) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406083 || ET RBN Known Russian Business Network Monitored Domains (84) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406084 || ET RBN Known Russian Business Network Monitored Domains (85) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406085 || ET RBN Known Russian Business Network Monitored Domains (86) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406086 || ET RBN Known Russian Business Network Monitored Domains (87) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406087 || ET RBN Known Russian Business Network Monitored Domains (88) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406088 || ET RBN Known Russian Business Network Monitored Domains (89) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406089 || ET RBN Known Russian Business Network Monitored Domains (90) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407045 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407046 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407047 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407048 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(49) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407049 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407050 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407051 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407052 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407053 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407054 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407055 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407056 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407057 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407058 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407059 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407060 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407061 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407062 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407063 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407064 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407065 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407066 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407067 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407068 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407069 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407070 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407071 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407072 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407073 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407074 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407075 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407076 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407077 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407078 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407079 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407080 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407081 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407082 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407083 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407084 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407085 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407086 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407087 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407088 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407089 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500056 || ET COMPROMISED Known Compromised or Hostile Host Traffic (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500057 || ET COMPROMISED Known Compromised or Hostile Host Traffic (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500058 || ET COMPROMISED Known Compromised or Hostile Host Traffic (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500059 || ET COMPROMISED Known Compromised or Hostile Host Traffic (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500060 || ET COMPROMISED Known Compromised or Hostile Host Traffic (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500067 || ET COMPROMISED Known Compromised or Hostile Host Traffic (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500068 || 
ET COMPROMISED Known Compromised or Hostile Host Traffic (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500069 || ET COMPROMISED Known Compromised or Hostile Host Traffic (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500073 || ET COMPROMISED Known Compromised or Hostile Host Traffic (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500074 || ET COMPROMISED Known Compromised or Hostile Host Traffic (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500075 || ET COMPROMISED Known Compromised or Hostile Host Traffic (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510056 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510057 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510058 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510059 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510060 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510061 || ET COMPROMISED Known Compromised or Hostile Host 
Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510075 || ET 
COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510076 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts [---] Removed non-rule lines: [---] -> Removed from emerging-drop-BLOCK.rules (2): # VERSION 1359 # Generated 2008-11-15 00:03:02 EDT -> Removed from emerging-drop.rules (2): # VERSION 1359 # Generated 2008-11-15 00:03:02 EDT -> Removed from emerging-rbn-BLOCK.rules (2): # VERSION 82 # Updated 2008-11-06 09:42:34 -> Removed from emerging-rbn.rules (2): # VERSION 82 # Updated 2008-11-06 09:42:34 -> Removed from emerging-sid-msg.map (10): 2008593 || ET TROJAN Ultimate Defender Fake AV Checkin 2008768 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin 2008769 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response 2008770 || ET CURRENT_EVENTS Unknown Trojan P2P Data Download 2008771 || ET CURRENT_EVENTS Unknown Trojan P2P Download Request 2008772 || ET CURRENT_EVENTS Unknown Trojan P2P Request 2008779 || ET CURRENT_EVENTS Unknown Keepalive up 2008780 || ET CURRENT_EVENTS Unknown Keepalive down 2400008 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso 2401008 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso -> Removed from emerging-sid-msg.map.txt (10): 2008593 || ET TROJAN Ultimate Defender Fake AV Checkin 2008768 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin 2008769 || ET CURRENT_EVENTS Unknown Trojan P2P Initial Checkin Response 2008770 || ET CURRENT_EVENTS Unknown Trojan P2P Data Download 2008771 || ET CURRENT_EVENTS Unknown Trojan P2P Download Request 2008772 || ET CURRENT_EVENTS Unknown Trojan P2P Request 2008779 || ET CURRENT_EVENTS Unknown Keepalive up 2008780 || ET CURRENT_EVENTS Unknown Keepalive down 2400008 || ET DROP Spamhaus DROP Listed Traffic Inbound || 
url,www.spamhaus.org/drop/drop.lasso 2401008 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso -> Removed from emerging.rules (5): #from Vienna with love #re 60fa2ff79411dd1cb829e8a966aa86fc #Unknown so far, no AV coverage, appears to be peer to peer #moves to 7090 in samples #moved to 5622 in samples From r.fulton at auckland.ac.nz Sun Nov 23 15:34:27 2008 From: r.fulton at auckland.ac.nz (Russell Fulton) Date: Mon, 24 Nov 2008 09:34:27 +1300 Subject: [Emerging-Sigs] FP for "Wordpress wp-login.php redirect_to credentials stealing attempt" Message-ID: <2DDEBA3E-0CEA-4DA2-A5B7-7E7B122D46A9@auckland.ac.nz> Various crawlers seem to trigger 2003508 Time Window for this screen: Sun Nov 23 09:20:13 2008 to Mon Nov 24 08:23:02 2008 SID CID Timestamp Signature IP Src IP Dst Proto Length 6 23480449 2008-11-23 09:20:13 ET WEB_SPECIFIC Wordpress wp- login.php redirect_to credentials stealing attempt 66.249.70.216 crawl-66-249-70-216.googlebot.com 130.216.239.16 nabokovversesandversions.ac.nz 6 346 6 23480581 2008-11-23 10:33:27 ET WEB_SPECIFIC Wordpress wp- login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 378 6 23480682 2008-11-23 11:44:09 ET WEB_SPECIFIC Wordpress wp- login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 378 6 23480710 2008-11-23 12:02:29 ET WEB_SPECIFIC Wordpress wp- login.php redirect_to credentials stealing attempt 208.36.144.7 crawl-16.cuill.com 130.216.33.67 bioinf.cs.auckland.ac.nz 6 350 6 23480726 2008-11-23 12:14:55 ET WEB_SPECIFIC Wordpress wp- login.php redirect_to credentials stealing attempt 208.36.144.7 crawl-16.cuill.com 130.216.33.67 bioinf.cs.auckland.ac.nz 6 351 6 23480980 2008-11-23 15:17:14 ET WEB_SPECIFIC Wordpress wp- login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 
bioinf.cs.auckland.ac.nz 6 609 6 23481045 2008-11-23 15:41:41 ET WEB_SPECIFIC Wordpress wp- login.php redirect_to credentials stealing attempt 72.30.81.184 llf531207.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 393 6 23481393 2008-11-23 16:54:13 ET WEB_SPECIFIC Wordpress wp- login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 359 6 23483721 2008-11-24 01:46:56 ET WEB_SPECIFIC Wordpress wp- login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 360 6 23483786 2008-11-24 02:33:30 ET WEB_SPECIFIC Wordpress wp- login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 360 6 23484211 2008-11-24 06:36:30 ET WEB_SPECIFIC Wordpress wp- login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 363 6 23484413 2008-11-24 08:23:02 ET WEB_SPECIFIC Wordpress wp- login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 360 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4125 bytes Desc: not available Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081124/832452f0/smime.bin From emerging at emergingthreats.net Sun Nov 23 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sun, 23 Nov 2008 16:00:08 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081123210008.52A284502B@goliath.jonkmans.com> [***] Results from Oinkmaster started Sun Nov 23 16:00:08 2008 [***] [*] Rules modifications: [*] None. 
[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (4):
2500077 || ET COMPROMISED Known Compromised or Hostile Host Traffic (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500078 || ET COMPROMISED Known Compromised or Hostile Host Traffic (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510077 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510078 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From jonkman at jonkmans.com Sun Nov 23 15:43:23 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sun, 23 Nov 2008 15:43:23 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov-19-2008
In-Reply-To: <20081120125838.21306A403D@medusa.richmond-family.org>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2911@webmail.latis.com> <1227129676.36200.22.camel@localhost> <839aec700811191432l1027e84sd60d96f70d4b6a98@mail.gmail.com> <20081119234619.94643A4050@medusa.richmond-family.org> <20081120125838.21306A403D@medusa.richmond-family.org>
Message-ID: <4929C06B.7050908@jonkmans.com>

I agree there. I really dislike starting new rulesets. I do like things organized though.
But for now I think this is a minor differentiation, let's go with a WEB_ACTIVEX subcategory within WEB. And I'll move all of the other activex rules over to there. They're spread out a lot at the moment.

Matt

Nathaniel Richmond wrote:
> Matt Jonkman wrote:
>> They're already in, but maybe we should create that sub-category for
>> activeX.
>>
>> What's everyone's preference? A new ruleset file named
>> web-activex.rules, or something similar. Or just keep them in
>> emerging-web.rules but call them WEB_ACTIVEX?
>>
>> Matt
>
> I think a new rule set file is worse simply because it means
> everyone has to notice the change and include the new rule set in
> their snort.conf. If there is a rule set these legitimately can be
> added to, that would probably be easier for the user base.
>
>> Darren Spruell wrote:
>>> On Wed, Nov 19, 2008 at 2:21 PM, Frank Knobbe wrote:
>>>> On Wed, 2008-11-19 at 05:12 -0700, signatures wrote:
>>>>> Hi Matt,
>>>>> Please find 10 New Signatures below:
>>>> I would commit these if I knew where to put them :)
>>>>
>>>> The CVS tree is a bit messy in regards to ActiveX sigs. There are a ton
>>>> in WEB and a ton in EXPLOIT. The file names are based on the application.
>>>>
>>>> So my suggestion: Collapse all ActiveX exploit sigs into one file
>>>> EXPLOIT/ActiveX. Effect on the rule files: All ActiveX sigs would be in
>>>> -exploit.rules rather than -web.rules.
>>> This is exactly the change that Sourcefire VRT made recently:
>>>
>>> (From their latest SEU)
>>>
>>> Web-ActiveX Rules:
>>> This group contains rules that were formerly in the web-client.rules
>>> group. It has been created to better manage the large number of ActiveX
>>> rules now in the VRT certified rule set.
>>>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Mon Nov 24 09:01:57 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 24 Nov 2008 09:01:57 -0500
Subject: [Emerging-Sigs] FP for "Wordpress wp-login.php redirect_to credentials stealing attempt"
In-Reply-To: <2DDEBA3E-0CEA-4DA2-A5B7-7E7B122D46A9@auckland.ac.nz>
References: <2DDEBA3E-0CEA-4DA2-A5B7-7E7B122D46A9@auckland.ac.nz>
Message-ID: <492AB3D5.9050002@jonkmans.com>

What kind of URIs are in those? The sig is looking for a wp-login.php and a redirect to an ftp or http url. Ought not to happen naturally. Maybe bad links cached and the bots are trying to index them?
Matt

Russell Fulton wrote:
> Various crawlers seem to trigger 2003508
>
> Time Window for this screen: Sun Nov 23 09:20:13 2008 to Mon Nov 24 08:23:02 2008
> SID CID Timestamp Signature IP Src IP Dst Proto Length
> 6 23480449 2008-11-23 09:20:13 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 66.249.70.216 crawl-66-249-70-216.googlebot.com 130.216.239.16 nabokovversesandversions.ac.nz 6 346
> 6 23480581 2008-11-23 10:33:27 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 378
> 6 23480682 2008-11-23 11:44:09 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 378
> 6 23480710 2008-11-23 12:02:29 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.7 crawl-16.cuill.com 130.216.33.67 bioinf.cs.auckland.ac.nz 6 350
> 6 23480726 2008-11-23 12:14:55 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.7 crawl-16.cuill.com 130.216.33.67 bioinf.cs.auckland.ac.nz 6 351
> 6 23480980 2008-11-23 15:17:14 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 609
> 6 23481045 2008-11-23 15:41:41 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 72.30.81.184 llf531207.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 393
> 6 23481393 2008-11-23 16:54:13 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 359
> 6 23483721 2008-11-24 01:46:56 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 360
> 6 23483786 2008-11-24 02:33:30 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 360
> 6 23484211 2008-11-24 06:36:30 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 363
> 6 23484413 2008-11-24 08:23:02 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 360
>

From lists at inliniac.net Mon Nov 24 09:08:30 2008
From: lists at inliniac.net (Victor Julien)
Date: Mon, 24 Nov 2008 15:08:30 +0100
Subject: [Emerging-Sigs] FP for "Wordpress wp-login.php redirect_to credentials stealing attempt"
In-Reply-To: <492AB3D5.9050002@jonkmans.com>
References: <2DDEBA3E-0CEA-4DA2-A5B7-7E7B122D46A9@auckland.ac.nz> <492AB3D5.9050002@jonkmans.com>
Message-ID: <492AB55E.7040403@inliniac.net>

Matt Jonkman wrote:
> What kind of URIs are in those? The sig is looking for a wp-login.php
> and a redirect to an ftp or http URL. Ought not to happen naturally.
>
I think in recent wordpress versions it is... ran into this issue with the ModSecurity rule as well.
See http://www.inliniac.net/blog/2008/07/16/wordpress-version-26-modsecurity.html

Cheers,
Victor

> Maybe bad links cached and the bots are trying to index them?
>
> Matt
>
> Russell Fulton wrote:
>> Various crawlers seem to trigger 2003508
>>
>> Time Window for this screen: Sun Nov 23 09:20:13 2008 to Mon Nov 24 08:23:02 2008
>> SID CID Timestamp Signature IP Src IP Dst Proto Length
>> 6 23480449 2008-11-23 09:20:13 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 66.249.70.216 crawl-66-249-70-216.googlebot.com 130.216.239.16 nabokovversesandversions.ac.nz 6 346
>> 6 23480581 2008-11-23 10:33:27 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 378
>> 6 23480682 2008-11-23 11:44:09 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 378
>> 6 23480710 2008-11-23 12:02:29 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.7 crawl-16.cuill.com 130.216.33.67 bioinf.cs.auckland.ac.nz 6 350
>> 6 23480726 2008-11-23 12:14:55 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.7 crawl-16.cuill.com 130.216.33.67 bioinf.cs.auckland.ac.nz 6 351
>> 6 23480980 2008-11-23 15:17:14 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 609
>> 6 23481045 2008-11-23 15:41:41 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 72.30.81.184 llf531207.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 393
>> 6 23481393 2008-11-23 16:54:13 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 359
>> 6 23483721 2008-11-24 01:46:56 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 360
>> 6 23483786 2008-11-24 02:33:30 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 360
>> 6 23484211 2008-11-24 06:36:30 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 363
>> 6 23484413 2008-11-24 08:23:02 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 360
>>
>

From jonkman at jonkmans.com Mon Nov 24 09:14:58 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 24 Nov 2008 09:14:58 -0500
Subject: [Emerging-Sigs] FP for "Wordpress wp-login.php redirect_to credentials stealing attempt"
In-Reply-To: <492AB55E.7040403@inliniac.net>
References: <2DDEBA3E-0CEA-4DA2-A5B7-7E7B122D46A9@auckland.ac.nz> <492AB3D5.9050002@jonkmans.com> <492AB55E.7040403@inliniac.net>
Message-ID: <492AB6E2.1020304@jonkmans.com>

So is this even a credible threat anymore? Should we drop the sig?

Matt

Victor Julien wrote:
> Matt Jonkman wrote:
>> What kind of URIs are in those? The sig is looking for a wp-login.php
>> and a redirect to an ftp or http URL. Ought not to happen naturally.
>>
> I think in recent wordpress versions it is...
> ran into this issue with the ModSecurity rule as well. See
> http://www.inliniac.net/blog/2008/07/16/wordpress-version-26-modsecurity.html
>
> Cheers,
> Victor
>
>> Maybe bad links cached and the bots are trying to index them?
>>
>> Matt
>>
>> Russell Fulton wrote:
>>> Various crawlers seem to trigger 2003508
>>>
>>> Time Window for this screen: Sun Nov 23 09:20:13 2008 to Mon Nov 24 08:23:02 2008
>>> SID CID Timestamp Signature IP Src IP Dst Proto Length
>>> 6 23480449 2008-11-23 09:20:13 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 66.249.70.216 crawl-66-249-70-216.googlebot.com 130.216.239.16 nabokovversesandversions.ac.nz 6 346
>>> 6 23480581 2008-11-23 10:33:27 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 378
>>> 6 23480682 2008-11-23 11:44:09 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 378
>>> 6 23480710 2008-11-23 12:02:29 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.7 crawl-16.cuill.com 130.216.33.67 bioinf.cs.auckland.ac.nz 6 350
>>> 6 23480726 2008-11-23 12:14:55 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.7 crawl-16.cuill.com 130.216.33.67 bioinf.cs.auckland.ac.nz 6 351
>>> 6 23480980 2008-11-23 15:17:14 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 609
>>> 6 23481045 2008-11-23 15:41:41 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 72.30.81.184 llf531207.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 393
>>> 6 23481393 2008-11-23 16:54:13 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 67.195.37.115 llf320028.crawl.yahoo.net 130.216.33.67 bioinf.cs.auckland.ac.nz 6 359
>>> 6 23483721 2008-11-24 01:46:56 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 360
>>> 6 23483786 2008-11-24 02:33:30 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 360
>>> 6 23484211 2008-11-24 06:36:30 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 363
>>> 6 23484413 2008-11-24 08:23:02 ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt 208.36.144.6 crawl-15.cuill.com 130.216.64.63 isomteaching6.isom.auckland.ac.nz 6 360
>>>
>>
>

From chris.misztur at yahoo.com Mon Nov 24 09:28:42 2008
From: chris.misztur at yahoo.com (chris mr)
Date: Mon, 24 Nov 2008 06:28:42 -0800 (PST)
Subject: [Emerging-Sigs] SidReporter 1.0.1 Available
References:
Message-ID: <616711.85444.qm@web63702.mail.re1.yahoo.com>

I am still getting the "Use of uninitialized value in numeric ne (!=)" at line 404. However, the database errors went away.

Thanks

> On Tue, 2008-11-18 at 10:54 -0500, Matt Jonkman wrote:
>> A minor fix to SidReporter has been released. This was a minor change to
>> handle an occasional perl error regarding use of an uninitialized variable.
>>
>> http://www.emergingthreats.net/sidreporter/sidreporter-1.0.1.tar.gz
>>
>> If you weren't having an issue you don't need to upgrade.
>>
>> Thanks to everyone that is submitting data! Generic results are
>> available here:
>> http://www.emergingthreats.net/index.php/sidreporter-statistics.html
>>
>> More detailed, and individual statistics are forthcoming. Input welcome
>> there!
>>
>> Matt
>>
>

From chris.misztur at yahoo.com Mon Nov 24 09:30:33 2008
From: chris.misztur at yahoo.com (chris mr)
Date: Mon, 24 Nov 2008 06:30:33 -0800 (PST)
Subject: [Emerging-Sigs] Statistics
Message-ID: <420371.71790.qm@web63708.mail.re1.yahoo.com>

Matt,

Can you include a '# of snort machines sampled' somewhere in your stats?

Chris

From jonkman at jonkmans.com Mon Nov 24 13:07:48 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 24 Nov 2008 13:07:48 -0500
Subject: [Emerging-Sigs] Statistics
In-Reply-To: <420371.71790.qm@web63708.mail.re1.yahoo.com>
References: <420371.71790.qm@web63708.mail.re1.yahoo.com>
Message-ID: <492AED74.5010707@jonkmans.com>

It's low at the moment, low enough that the numbers aren't completely statistically sound, as you can see by the occasional swings.

http://www.emergingthreats.net/index.php/sidreporter-statistics.html

I'll work that in, but at the moment I'm building out the individual return data for submitters. Will have a beta of that out to them soon.

Everyone that's not submitting yet, please take a minute and install sidreporter for your site. It's very much appreciated!!

How are the existing stats for everyone? I'm learning a lot. What other views of the data might help?

Matt

chris mr wrote:
> Matt,
>
> Can you include a '# of snort machines sampled' somewhere in your stats?
>
> Chris
>

From chris.misztur at yahoo.com Mon Nov 24 14:25:42 2008
From: chris.misztur at yahoo.com (chris mr)
Date: Mon, 24 Nov 2008 11:25:42 -0800 (PST)
Subject: [Emerging-Sigs] Preserving Rule Exclusion
Message-ID: <956211.27905.qm@web63708.mail.re1.yahoo.com>

I have commented out a couple rules in policy.rules and I am noticing that when the rules are updated, the previously commented rules become active again. How can I preserve the rule exclusion/suppression across rule updates?

From jonkman at jonkmans.com Mon Nov 24 14:29:00 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 24 Nov 2008 14:29:00 -0500
Subject: [Emerging-Sigs] Preserving Rule Exclusion
In-Reply-To: <956211.27905.qm@web63708.mail.re1.yahoo.com>
References: <956211.27905.qm@web63708.mail.re1.yahoo.com>
Message-ID: <492B007C.2000802@jonkmans.com>

http://oinkmaster.sourceforge.net/

Oinkmaster is your friend!!!

Use it to do the changes across updates. It's a very powerful tool, you'll find many uses for it. :)

Matt

chris mr wrote:
> I have commented out a couple rules in policy.rules and I am noticing that when the rules are updated, the previously commented rules become active again. How can I preserve the rule exclusion/suppression across rule updates?
>

From chris.misztur at yahoo.com Mon Nov 24 15:16:17 2008
From: chris.misztur at yahoo.com (chris mr)
Date: Mon, 24 Nov 2008 12:16:17 -0800 (PST)
Subject: [Emerging-Sigs] Preserving Rule Exclusion
References: <956211.27905.qm@web63708.mail.re1.yahoo.com> <492B007C.2000802@jonkmans.com>
Message-ID: <840642.59537.qm@web63707.mail.re1.yahoo.com>

I do use oinkmaster and the ET POLICY TOR* rules were turned back on.

oinkmaster.pl -u http://www.emergingthreats.net/rules/emerging.rules.tar.gz -o /etc/snort/rules/et/
create-sidmap.pl /etc/snort/rules/ /etc/snort/rules/et/ > /etc/snort/sid-msg.map

----- Original Message ----
From: Matt Jonkman
To: chris mr
Cc: emerging-sigs at emergingthreats.net
Sent: Monday, November 24, 2008 1:29:00 PM
Subject: Re: [Emerging-Sigs] Preserving Rule Exclusion

http://oinkmaster.sourceforge.net/

Oinkmaster is your friend!!!

Use it to do the changes across updates. It's a very powerful tool, you'll find many uses for it. :)

Matt

chris mr wrote:
> I have commented out a couple rules in policy.rules and I am noticing that when the rules are updated, the previously commented rules become active again. How can I preserve the rule exclusion/suppression across rule updates?
>

From emerging at emergingthreats.net Mon Nov 24 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 24 Nov 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081124210008.2EAA545026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Nov 24 16:00:08 2008 [***]

[*] Rules modifications: [*]
None.

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (2):
2500079 || ET COMPROMISED Known Compromised or Hostile Host Traffic (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510079 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (2):
2500079 || ET COMPROMISED Known Compromised or Hostile Host Traffic (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510079 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From jonkman at jonkmans.com Mon Nov 24 22:05:38 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 24 Nov 2008 22:05:38 -0500
Subject: [Emerging-Sigs] Preserving Rule Exclusion
In-Reply-To: <840642.59537.qm@web63707.mail.re1.yahoo.com>
References: <956211.27905.qm@web63708.mail.re1.yahoo.com> <492B007C.2000802@jonkmans.com> <840642.59537.qm@web63707.mail.re1.yahoo.com>
Message-ID: <492B6B82.2050105@jonkmans.com>

In your config file for oinkmaster you need to tell it to disable the rules you want to remain disabled. Any change you make directly to the rules files will be overwritten.

Are you making the changes via oink?

Matt

chris mr wrote:
> I do use oinkmaster and the ET POLICY TOR* rules were turned back on.
>
> oinkmaster.pl -u http://www.emergingthreats.net/rules/emerging.rules.tar.gz -o /etc/snort/rules/et/
> create-sidmap.pl /etc/snort/rules/ /etc/snort/rules/et/ > /etc/snort/sid-msg.map
>
> ----- Original Message ----
> From: Matt Jonkman
> To: chris mr
> Cc: emerging-sigs at emergingthreats.net
> Sent: Monday, November 24, 2008 1:29:00 PM
> Subject: Re: [Emerging-Sigs] Preserving Rule Exclusion
>
> http://oinkmaster.sourceforge.net/
>
> Oinkmaster is your friend!!!
>
> Use it to do the changes across updates. It's a very powerful tool,
> you'll find many uses for it. :)
>
> Matt
>
> chris mr wrote:
>> I have commented out a couple rules in policy.rules and I am noticing that when the rules are updated, the previously commented rules become active again. How can I preserve the rule exclusion/suppression across rule updates?
>>
>

From jonkman at jonkmans.com Tue Nov 25 09:50:11 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 25 Nov 2008 09:50:11 -0500
Subject: [Emerging-Sigs] Mac DNS Changer
Message-ID: <492C10A3.3090107@jonkmans.com>

#new mac dns changer trojan. Not a lot of detail yet, but this will catch the UA
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected"; flow:established,to_server; uricontent:"cgi-bin/generator.pl"; content:"|0d 0a|User-Agent\: "; content:"\;typeofrun\;7777\;"; distance:3; within:30; classtype:trojan-activity; sid:2008796; rev:1;)

More info as it comes around. This sig is pretty specific, so keeping it in current events for now.

Matt

From jonkman at jonkmans.com Tue Nov 25 09:52:46 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 25 Nov 2008 09:52:46 -0500
Subject: [Emerging-Sigs] Mac DNS Changer
In-Reply-To: <492C10A3.3090107@jonkmans.com>
References: <492C10A3.3090107@jonkmans.com>
Message-ID: <492C113E.30206@jonkmans.com>

A bit more readable, sorry:

#new mac dns changer trojan. Not a lot of detail yet, but this will catch the UA

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected"; flow:established,to_server; uricontent:"cgi-bin/generator.pl"; content:"|0d 0a|User-Agent\: "; content:"\;typeofrun\;7777\;"; distance:3; within:30; classtype:trojan-activity; sid:2008796; rev:1;)

Matt Jonkman wrote:
> #new mac dns changer trojan. Not a lot of detail yet, but this will
> catch the UA
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected";
> flow:established,to_server; uricontent:"cgi-bin/generator.pl";
> content:"|0d 0a|User-Agent\: "; content:"\;typeofrun\;7777\;";
> distance:3; within:30; classtype:trojan-activity; sid:2008796; rev:1;)
>
> More info as it comes around. This sig is pretty specific, so keeping it
> in current events for now.
>
> Matt
>

From chris.misztur at yahoo.com Tue Nov 25 11:59:01 2008
From: chris.misztur at yahoo.com (chris mr)
Date: Tue, 25 Nov 2008 08:59:01 -0800 (PST)
Subject: [Emerging-Sigs] Preserving Rule Exclusion
References: <956211.27905.qm@web63708.mail.re1.yahoo.com> <492B007C.2000802@jonkmans.com> <840642.59537.qm@web63707.mail.re1.yahoo.com> <492B6B82.2050105@jonkmans.com>
Message-ID: <631338.38944.qm@web63707.mail.re1.yahoo.com>

I see. I just need to use DISABLESID X in my oinkmaster.conf. I am making changes via oink.

----- Original Message ----
From: Matt Jonkman
To: chris mr
Cc: emerging-sigs at emergingthreats.net
Sent: Monday, November 24, 2008 9:05:38 PM
Subject: Re: [Emerging-Sigs] Preserving Rule Exclusion

In your config file for oinkmaster you need to tell it to disable the rules you want to remain disabled. Any change you make directly to the rules files will be overwritten.

Are you making the changes via oink?

Matt

chris mr wrote:
> I do use oinkmaster and the ET POLICY TOR* rules were turned back on.
>
> oinkmaster.pl -u http://www.emergingthreats.net/rules/emerging.rules.tar.gz -o /etc/snort/rules/et/
> create-sidmap.pl /etc/snort/rules/ /etc/snort/rules/et/ > /etc/snort/sid-msg.map
>
> ----- Original Message ----
> From: Matt Jonkman
> To: chris mr
> Cc: emerging-sigs at emergingthreats.net
> Sent: Monday, November 24, 2008 1:29:00 PM
> Subject: Re: [Emerging-Sigs] Preserving Rule Exclusion
>
> http://oinkmaster.sourceforge.net/
>
> Oinkmaster is your friend!!!
>
> Use it to do the changes across updates. It's a very powerful tool,
> you'll find many uses for it. :)
>
> Matt
>
> chris mr wrote:
>> I have commented out a couple rules in policy.rules and I am noticing that when the rules are updated, the previously commented rules become active again. How can I preserve the rule exclusion/suppression across rule updates?
>>
>

From jdell at activeworx.com Tue Nov 25 12:12:00 2008
From: jdell at activeworx.com (Jeff Dell)
Date: Tue, 25 Nov 2008 12:12:00 -0500
Subject: [Emerging-Sigs] Statistics
In-Reply-To: <492AED74.5010707@jonkmans.com>
References: <420371.71790.qm@web63708.mail.re1.yahoo.com> <492AED74.5010707@jonkmans.com>
Message-ID: <009101c94f20$ee221a90$ca664fb0$@com>

Another feature that would be nice is to ask people in sid reporter to tell us where each sensor is geographically, then when they send in the events it will put that information in the database and then you can build a geomap. It would be interesting to see if certain locations around the globe get specific attacks while others do not. It is also an interesting piece to look at.

While I am at it, it would be nice to drill down on the history of the individual rule and not just what the rule means. Something like a graph of the last 30 days of activity for that rule would be nice.

Cheers,
Jeff

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Matt Jonkman
Sent: Monday, November 24, 2008 1:08 PM
To: chris mr
Cc: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] Statistics

It's low at the moment, low enough that the numbers aren't completely statistically sound, as you can see by the occasional swings.

http://www.emergingthreats.net/index.php/sidreporter-statistics.html

I'll work that in, but at the moment I'm building out the individual return data for submitters. Will have a beta of that out to them soon.

Everyone that's not submitting yet, please take a minute and install sidreporter for your site. It's very much appreciated!!

How are the existing stats for everyone? I'm learning a lot. What other views of the data might help?

Matt

chris mr wrote:
> Matt,
>
> Can you include a '# of snort machines sampled' somewhere in your stats?
>
> Chris
>

From staneyre at bol.com.br Tue Nov 25 12:17:48 2008
From: staneyre at bol.com.br (staneyre)
Date: Tue, 25 Nov 2008 15:17:48 -0200
Subject: [Emerging-Sigs] Rule to identify anonymous access via software Gpass
Message-ID: <492c333cdd703_634d155555587eb42492@winter29.tmail>

An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081125/2e9d6b6f/attachment.html

From emerging at emergingthreats.net Tue Nov 25 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 25 Nov 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081125210008.7D2AD45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue Nov 25 16:00:08 2008 [***]

[+++] Added rules: [+++]

2002171 - ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 1) (emerging-web.rules)
2002172 - ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 2) (emerging-web.rules)
2002173 - ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 3) (emerging-web.rules)
2002174 - ET WEB_ACTIVEX CLSID Pattern Matched (emerging-web.rules)
2002308 - ET WEB_ACTIVEX Internet Explorer Vulnerable CLSID (Msdds.dll) (emerging-web.rules)
2002491 - ET WEB_ACTIVEX COM Object MS05-052 (group 1) (emerging-web.rules)
2002492 - ET WEB_ACTIVEX COM Object MS05-052 (group 2) (emerging-web.rules)
2002493 - ET WEB_ACTIVEX COM Object MS05-052 (group 3) (emerging-web.rules)
2002674 - ET WEB_ACTIVEX Sony DRM Reporting 2 (emerging-web.rules)
2002675 - ET WEB_ACTIVEX Sony DRM Reporting 1 (emerging-web.rules)
2002679 - ET WEB_ACTIVEX Sony DRM Related - CodeSupport ActiveX Attempt (emerging-web.rules)
2002680 - ET WEB_ACTIVEX Sony DRM - Uninstaller CLSID (emerging-web.rules)
2002724 - ET WEB_ACTIVEX MciWndx ActiveX Control (emerging-web.rules)
2002725 - ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054 (emerging-web.rules)
2002861 - ET WEB_ACTIVEX Danim.dll and Dxtmsft.dll COM Objects (emerging-web.rules)
2002971 - ET WEB_ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption (emerging-web.rules)
2003077 - ET WEB_ACTIVEX COM Object MS06-042 (group 1) (emerging-web.rules)
2003078 - ET WEB_ACTIVEX COM Object MS06-042 (group 2) (emerging-web.rules)
2003079 - ET WEB_ACTIVEX COM Object MS06-042 (group 3) (emerging-web.rules)
2003080 - ET WEB_ACTIVEX COM Object MS06-042 (group 4) (emerging-web.rules)
2003102 - ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call CLSID (emerging-web.rules)
2003103 - ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call Object (emerging-web.rules)
2003104 - ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID (emerging-web.rules)
2003105 - ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object (emerging-web.rules)
2003158 - ET WEB_ACTIVEX Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID (emerging-web.rules)
2003159 - ET WEB_ACTIVEX Microsoft VsmIDE.DTE object call CSLID (emerging-web.rules)
2003160 - ET WEB_ACTIVEX Microsoft DExplore.AppObj.8.0 object call CSLID (emerging-web.rules)
2003161 - ET WEB_ACTIVEX Microsoft VisualStudio.DTE.8.0 object call CSLID (emerging-web.rules)
2003162 - ET WEB_ACTIVEX Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID (emerging-web.rules)
2003163 - ET WEB_ACTIVEX Microsoft VsaIDE.DTE object call CSLID (emerging-web.rules)
2003164 - ET WEB_ACTIVEX Microsoft Business Object Factory object call CSLID (emerging-web.rules)
2003165 - ET WEB_ACTIVEX Microsoft Outlook Data Object object call CSLID (emerging-web.rules)
2003166 - ET WEB_ACTIVEX Microsoft Outlook.Application object call CSLID (emerging-web.rules)
2003328 - ET WEB_ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow (emerging-web.rules)
2003514 - ET WEB_ACTIVEX Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 (emerging-web.rules)
2007850 - ET WEB_ACTIVEX Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability (emerging-web.rules)
2007907 - ET WEB_ACTIVEX Move Networks Quantum Streaming Player Control UploadLogs() BOF (emerging-web.rules)
2007931 - ET WEB_ACTIVEX IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability (emerging-web.rules)
2007932 - ET WEB_ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability (emerging-web.rules)
2008099 - ET WEB_ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite (emerging-web.rules)
2008607 - ET WEB_ACTIVEX Chilkat IMAP ActiveX File Execution and IE DoS (emerging-web.rules)
2008612 - ET WEB_ACTIVEX Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method (emerging-web.rules)
2008613 - ET WEB_ACTIVEX GdPicture Pro ActiveX control SaveAsPDF Insecure Method (emerging-web.rules)
2008618 - ET WEB_ACTIVEX IAS Helper COM Component iashlpr.dll activex remote DOS (emerging-web.rules)
2008619 - ET WEB_ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow (emerging-web.rules)
2008620 - ET WEB_ACTIVEX Internet Information Service iisext.dll activex setpassword Insecure Method (emerging-web.rules)
2008621 - ET WEB_ACTIVEX Internet Information Service adsiis.dll activex remote DOS (emerging-web.rules)
2008678 - ET WEB_ACTIVEX Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods (emerging-web.rules)
2008683 - ET WEB_ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow (emerging-web.rules)
2008792 - ET WEB_ACTIVEX Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service (emerging-web.rules)
2008796 - ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected (emerging.rules)
2008797 - ET MALWARE Suspicious User-Agent (miip) (emerging-malware.rules)
2008798 - ET MALWARE Zenosearch Malware Checkin HTTP POST (2) (emerging-malware.rules)

[///] Modified active rules: [///]

2007705 - ET WEB Neosploit 1.5.x URL Loader (emerging-web.rules)
2007878 - ET WEB_ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow (emerging-web.rules)
2007998 - ET WEB_ACTIVEX Rediff Bol Downloader
ActiveX Control Remote Code Execution (emerging-web.rules) 2008062 - ET WEB_ACTIVEX Univeral HTTP File Upload Remote File Deletetion (emerging-web.rules) 2008126 - ET WEB_ACTIVEX IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method (emerging-web.rules) 2008127 - ET WEB_ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods (emerging-web.rules) 2008128 - ET WEB_ACTIVEX Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit (emerging-web.rules) 2008129 - ET WEB_ACTIVEX LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite (emerging-web.rules) 2008173 - ET WEB_ACTIVEX PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability (emerging-web.rules) 2008225 - ET WEB_ACTIVEX Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit (emerging-web.rules) 2008226 - ET WEB_ACTIVEX Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit (emerging-web.rules) 2008227 - ET WEB_ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit (emerging-web.rules) 2008405 - ET TROJAN Obitel trojan calling home (emerging-virus.rules) 2008783 - ET POLICY Possible Trojan File Download - Rar Requested but not received (emerging-policy.rules) [---] Removed rules: [---] 2002171 - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 1) (emerging-exploit.rules) 2002172 - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 2) (emerging-exploit.rules) 2002173 - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 3) (emerging-exploit.rules) 2002174 - ET EXPLOIT CLSID Pattern Matched (emerging-exploit.rules) 2002308 - ET EXPLOIT Internet Explorer Vulnerable CLSID (Msdds.dll) (emerging-exploit.rules) 2002491 - ET EXPLOIT COM Object MS05-052 (group 1) (emerging-exploit.rules) 2002492 - ET EXPLOIT COM Object MS05-052 (group 2) (emerging-exploit.rules) 2002493 - ET EXPLOIT COM Object MS05-052 (group 3) (emerging-exploit.rules) 2002674 - ET 
MALWARE Sony DRM Reporting 2 (emerging-malware.rules) 2002675 - ET MALWARE Sony DRM Reporting 1 (emerging-malware.rules) 2002679 - ET MALWARE Sony DRM Related - CodeSupport ActiveX Attempt (emerging-malware.rules) 2002680 - ET MALWARE Sony DRM - Uninstaller CLSID (emerging-malware.rules) 2002724 - ET EXPLOIT MciWndx ActiveX Control (emerging-exploit.rules) 2002725 - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 (emerging-exploit.rules) 2002861 - ET EXPLOIT Danim.dll and Dxtmsft.dll COM Objects (emerging-exploit.rules) 2002971 - ET EXPLOIT Wmm2fxa.dll COM Object Instantiation Memory Corruption (emerging-exploit.rules) 2003077 - ET EXPLOIT COM Object MS06-042 (group 1) (emerging-exploit.rules) 2003078 - ET EXPLOIT COM Object MS06-042 (group 2) (emerging-exploit.rules) 2003079 - ET EXPLOIT COM Object MS06-042 (group 3) (emerging-exploit.rules) 2003080 - ET EXPLOIT COM Object MS06-042 (group 4) (emerging-exploit.rules) 2003102 - ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID (emerging-exploit.rules) 2003103 - ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object (emerging-exploit.rules) 2003104 - ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID (emerging-exploit.rules) 2003105 - ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object (emerging-exploit.rules) 2003158 - ET EXPLOIT Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID (emerging-exploit.rules) 2003159 - ET EXPLOIT Microsoft VsmIDE.DTE object call CSLID (emerging-exploit.rules) 2003160 - ET EXPLOIT Microsoft DExplore.AppObj.8.0 object call CSLID (emerging-exploit.rules) 2003161 - ET EXPLOIT Microsoft VisualStudio.DTE.8.0 object call CSLID (emerging-exploit.rules) 2003162 - ET EXPLOIT Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID (emerging-exploit.rules) 2003163 - ET EXPLOIT Microsoft VsaIDE.DTE object call CSLID 
(emerging-exploit.rules) 2003164 - ET EXPLOIT Microsoft Business Object Factory object call CSLID (emerging-exploit.rules) 2003165 - ET EXPLOIT Microsoft Outlook Data Object object call CSLID (emerging-exploit.rules) 2003166 - ET EXPLOIT Microsoft Outlook.Application object call CSLID (emerging-exploit.rules) 2003328 - ET WEB-CLIENT NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow (emerging-exploit.rules) 2003514 - ET EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 (emerging-exploit.rules) 2007818 - ET WEB Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure Method Vulnerability (emerging-web.rules) 2007819 - ET WEB Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure Method Vulnerability (emerging-web.rules) 2007850 - ET EXPLOIT Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability (emerging-exploit.rules) 2007907 - ET EXPLOIT Move Networks Quantum Streaming Player Control UploadLogs() BOF (emerging-exploit.rules) 2007931 - ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability (emerging-exploit.rules) 2007932 - ET EXPLOIT Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability (emerging-exploit.rules) 2008099 - ET EXPLOIT ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite (emerging-exploit.rules) 2008607 - ET EXPLOIT Chilkat IMAP ActiveX File Execution and IE DoS (emerging-exploit.rules) 2008612 - ET EXPLOIT Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method (emerging-exploit.rules) 2008613 - ET EXPLOIT GdPicture Pro ActiveX control SaveAsPDF Insecure Method (emerging-exploit.rules) 2008618 - ET DOS IAS Helper COM Component iashlpr.dll activex remote DOS (emerging-dos.rules) 2008619 - ET EXPLOIT Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow (emerging-exploit.rules) 2008620 - ET EXPLOIT Internet Information Service iisext.dll activex setpassword Insecure Method (emerging-exploit.rules) 2008621 
- ET EXPLOIT Internet Information Service adsiis.dll activex remote DOS (emerging-exploit.rules) 2008678 - ET EXPLOIT Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods (emerging-exploit.rules) 2008683 - ET EXPLOIT Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow (emerging-exploit.rules) 2008792 - ET EXPLOIT Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service (emerging-exploit.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (66): 2002171 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002172 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002173 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002174 || ET WEB_ACTIVEX CLSID Pattern Matched 2002308 || ET WEB_ACTIVEX Internet Explorer Vulnerable CLSID (Msdds.dll) || url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php 2002491 || ET WEB_ACTIVEX COM Object MS05-052 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002492 || ET WEB_ACTIVEX COM Object MS05-052 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002493 || ET WEB_ACTIVEX COM Object MS05-052 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002674 || ET WEB_ACTIVEX Sony DRM Reporting 2 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html 2002675 || ET WEB_ACTIVEX Sony DRM Reporting 1 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html 2002679 || ET WEB_ACTIVEX Sony DRM Related - CodeSupport ActiveX Attempt || 
url,www.hack.fi/~muzzy/sony-drm/ || url,www.frsirt.com/english/advisories/2005/2454 2002680 || ET WEB_ACTIVEX Sony DRM - Uninstaller CLSID || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || url,www.frsirt.com/english/advisories/2005/2493 || url,www.freedom-to-tinker.com/?p=931 2002724 || ET WEB_ACTIVEX MciWndx ActiveX Control || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx 2002725 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054 || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || cve,2005-2831 2002861 || ET WEB_ACTIVEX Danim.dll and Dxtmsft.dll COM Objects || url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx || cve,2006-1186 2002971 || ET WEB_ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303 2003077 || ET WEB_ACTIVEX COM Object MS06-042 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003078 || ET WEB_ACTIVEX COM Object MS06-042 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003079 || ET WEB_ACTIVEX COM Object MS06-042 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003080 || ET WEB_ACTIVEX COM Object MS06-042 (group 4) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003102 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call CLSID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841 2003103 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url, www.osvdb.org/displayvuln.php?osvdb_id=28841 2003104 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 2003105 || ET 
WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 2003158 || ET WEB_ACTIVEX Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID || url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx || cve,2006-4704 || url,secunia.com/advisories/22603 || url,www.securityfocus.com/bid/20843 2003159 || ET WEB_ACTIVEX Microsoft VsmIDE.DTE object call CSLID 2003160 || ET WEB_ACTIVEX Microsoft DExplore.AppObj.8.0 object call CSLID 2003161 || ET WEB_ACTIVEX Microsoft VisualStudio.DTE.8.0 object call CSLID 2003162 || ET WEB_ACTIVEX Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID 2003163 || ET WEB_ACTIVEX Microsoft VsaIDE.DTE object call CSLID 2003164 || ET WEB_ACTIVEX Microsoft Business Object Factory object call CSLID 2003165 || ET WEB_ACTIVEX Microsoft Outlook Data Object object call CSLID 2003166 || ET WEB_ACTIVEX Microsoft Outlook.Application object call CSLID 2003328 || ET WEB_ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow || url,secunia.com/advisories/23475/ || cve,2007-0018 2003514 || ET WEB_ACTIVEX Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577 2007850 || ET WEB_ACTIVEX Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/4979 || bugtraq,27438 2007878 || ET WEB_ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow || url,www.milw0rm.com/exploits/5110 || cve,CVE-2008-0778 || bugtraq,27769 2007907 || ET WEB_ACTIVEX Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.milw0rm.com/exploits/5190 2007931 || ET WEB_ACTIVEX IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 || url,www.milw0rm.com/exploits/3877 2007932 || ET 
WEB_ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability || bugtraq,28008 || cve,CVE-2007-6017 || url,www.milw0rm.com/exploits/5205 2007998 || ET WEB_ACTIVEX Rediff Bol Downloader ActiveX Control Remote Code Execution || url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || bugtraq,21831 || cve,CVE-2006-6838 2008062 || ET WEB_ACTIVEX Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272 2008099 || ET WEB_ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite || url,www.milw0rm.com/exploits/5338 || bugtraq,28546 2008126 || ET WEB_ACTIVEX IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method || url,www.milw0rm.com/exploits/5416 2008127 || ET WEB_ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959 2008128 || ET WEB_ACTIVEX Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit || url,www.milw0rm.com/exploits/5398 || bugtraq,28662 2008129 || ET WEB_ACTIVEX LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite || cve,CVE-2008-1605 || bugtraq,28442 || url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html 2008173 || ET WEB_ACTIVEX PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability || bugtraq,25502 2008225 || ET WEB_ACTIVEX Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit || url,www.milw0rm.com/exploits/5569 2008226 || ET WEB_ACTIVEX Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit || url,www.milw0rm.com/exploits/5530 || url,www.milw0rm.com/exploits/5460 || bugtraq,28820 2008227 || ET WEB_ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.milw0rm.com/exploits/5573 2008607 || ET WEB_ACTIVEX Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600 2008612 || ET WEB_ACTIVEX Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method || 
url,secunia.com/Advisories/31989/ || url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html 2008613 || ET WEB_ACTIVEX GdPicture Pro ActiveX control SaveAsPDF Insecure Method || url,milw0rm.com/exploits/6638 || url,secunia.com/Advisories/31966/ 2008618 || ET WEB_ACTIVEX IAS Helper COM Component iashlpr.dll activex remote DOS || url,securityreason.com/securityalert/4323 || cve,2008-2639 || url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded 2008619 || ET WEB_ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow || url,securitytracker.com/alerts/2008/Sep/1020951.html || bugtraq,31435 2008620 || ET WEB_ACTIVEX Internet Information Service iisext.dll activex setpassword Insecure Method || url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded || cve,2008-4301 2008621 || ET WEB_ACTIVEX Internet Information Service adsiis.dll activex remote DOS || url,securityreason.com/securityalert/4325 || cve,2008-4300 2008678 || ET WEB_ACTIVEX Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods || url,secunia.com/Advisories/32337/ 2008683 || ET WEB_ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow || url,www.milw0rm.com/exploits/6793 || bugtraq,31814 2008792 || ET WEB_ACTIVEX Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service || bugtraq,31996 2008796 || ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected 2008797 || ET MALWARE Suspicious User-Agent (miip) 2008798 || ET MALWARE Zenosearch Malware Checkin HTTP POST (2) 2500080 || ET COMPROMISED Known Compromised or Hostile Host Traffic (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510080 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (66): 2002171 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 1) || 
url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002172 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002173 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002174 || ET WEB_ACTIVEX CLSID Pattern Matched 2002308 || ET WEB_ACTIVEX Internet Explorer Vulnerable CLSID (Msdds.dll) || url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php 2002491 || ET WEB_ACTIVEX COM Object MS05-052 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002492 || ET WEB_ACTIVEX COM Object MS05-052 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002493 || ET WEB_ACTIVEX COM Object MS05-052 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002674 || ET WEB_ACTIVEX Sony DRM Reporting 2 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html 2002675 || ET WEB_ACTIVEX Sony DRM Reporting 1 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html 2002679 || ET WEB_ACTIVEX Sony DRM Related - CodeSupport ActiveX Attempt || url,www.hack.fi/~muzzy/sony-drm/ || url,www.frsirt.com/english/advisories/2005/2454 2002680 || ET WEB_ACTIVEX Sony DRM - Uninstaller CLSID || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || url,www.frsirt.com/english/advisories/2005/2493 || url,www.freedom-to-tinker.com/?p=931 2002724 || ET WEB_ACTIVEX MciWndx ActiveX Control || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx 2002725 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054 || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || cve,2005-2831 2002861 || ET WEB_ACTIVEX Danim.dll and Dxtmsft.dll COM 
Objects || url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx || cve,2006-1186 2002971 || ET WEB_ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303 2003077 || ET WEB_ACTIVEX COM Object MS06-042 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003078 || ET WEB_ACTIVEX COM Object MS06-042 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003079 || ET WEB_ACTIVEX COM Object MS06-042 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003080 || ET WEB_ACTIVEX COM Object MS06-042 (group 4) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003102 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call CLSID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841 2003103 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url, www.osvdb.org/displayvuln.php?osvdb_id=28841 2003104 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 2003105 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 2003158 || ET WEB_ACTIVEX Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID || url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx || cve,2006-4704 || url,secunia.com/advisories/22603 || url,www.securityfocus.com/bid/20843 2003159 || ET WEB_ACTIVEX Microsoft VsmIDE.DTE object call CSLID 2003160 || ET WEB_ACTIVEX Microsoft DExplore.AppObj.8.0 object call CSLID 2003161 || ET WEB_ACTIVEX Microsoft VisualStudio.DTE.8.0 object call CSLID 2003162 || ET WEB_ACTIVEX 
Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID 2003163 || ET WEB_ACTIVEX Microsoft VsaIDE.DTE object call CSLID 2003164 || ET WEB_ACTIVEX Microsoft Business Object Factory object call CSLID 2003165 || ET WEB_ACTIVEX Microsoft Outlook Data Object object call CSLID 2003166 || ET WEB_ACTIVEX Microsoft Outlook.Application object call CSLID 2003328 || ET WEB_ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow || url,secunia.com/advisories/23475/ || cve,2007-0018 2003514 || ET WEB_ACTIVEX Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577 2007850 || ET WEB_ACTIVEX Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/4979 || bugtraq,27438 2007878 || ET WEB_ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow || url,www.milw0rm.com/exploits/5110 || cve,CVE-2008-0778 || bugtraq,27769 2007907 || ET WEB_ACTIVEX Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.milw0rm.com/exploits/5190 2007931 || ET WEB_ACTIVEX IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 || url,www.milw0rm.com/exploits/3877 2007932 || ET WEB_ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability || bugtraq,28008 || cve,CVE-2007-6017 || url,www.milw0rm.com/exploits/5205 2007998 || ET WEB_ACTIVEX Rediff Bol Downloader ActiveX Control Remote Code Execution || url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || bugtraq,21831 || cve,CVE-2006-6838 2008062 || ET WEB_ACTIVEX Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272 2008099 || ET WEB_ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite || url,www.milw0rm.com/exploits/5338 || bugtraq,28546 2008126 || ET WEB_ACTIVEX IBiz E-Banking 
Integrator V2 ActiveX Edition Insecure Method || url,www.milw0rm.com/exploits/5416 2008127 || ET WEB_ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959 2008128 || ET WEB_ACTIVEX Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit || url,www.milw0rm.com/exploits/5398 || bugtraq,28662 2008129 || ET WEB_ACTIVEX LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite || cve,CVE-2008-1605 || bugtraq,28442 || url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html 2008173 || ET WEB_ACTIVEX PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability || bugtraq,25502 2008225 || ET WEB_ACTIVEX Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit || url,www.milw0rm.com/exploits/5569 2008226 || ET WEB_ACTIVEX Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit || url,www.milw0rm.com/exploits/5530 || url,www.milw0rm.com/exploits/5460 || bugtraq,28820 2008227 || ET WEB_ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.milw0rm.com/exploits/5573 2008607 || ET WEB_ACTIVEX Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600 2008612 || ET WEB_ACTIVEX Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method || url,secunia.com/Advisories/31989/ || url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html 2008613 || ET WEB_ACTIVEX GdPicture Pro ActiveX control SaveAsPDF Insecure Method || url,milw0rm.com/exploits/6638 || url,secunia.com/Advisories/31966/ 2008618 || ET WEB_ACTIVEX IAS Helper COM Component iashlpr.dll activex remote DOS || url,securityreason.com/securityalert/4323 || cve,2008-2639 || url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded 2008619 || ET WEB_ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow || url,securitytracker.com/alerts/2008/Sep/1020951.html || bugtraq,31435 
2008620 || ET WEB_ACTIVEX Internet Information Service iisext.dll activex setpassword Insecure Method || url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded || cve,2008-4301 2008621 || ET WEB_ACTIVEX Internet Information Service adsiis.dll activex remote DOS || url,securityreason.com/securityalert/4325 || cve,2008-4300 2008678 || ET WEB_ACTIVEX Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods || url,secunia.com/Advisories/32337/ 2008683 || ET WEB_ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow || url,www.milw0rm.com/exploits/6793 || bugtraq,31814 2008792 || ET WEB_ACTIVEX Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service || bugtraq,31996 2008796 || ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected 2008797 || ET MALWARE Suspicious User-Agent (miip) 2008798 || ET MALWARE Zenosearch Malware Checkin HTTP POST (2) 2500080 || ET COMPROMISED Known Compromised or Hostile Host Traffic (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510080 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-web.rules (16): #by Chandan S at Stillsecure #by stillsecure # Submitted 2006-09-18 by Christian Seifert, updated 2/5/07 # Submitted 2006-11-01 by Frank Knobbe # steven at securityzone #By Blake Harstein at Demarc #These rules are separated for compatibility with Snort 2.3.3 (>850 characters per line), If you are using Snort >2.4.0 you can safely combine these into a single rule #This is for the new IE Exploit. It will be moved to it's own file shortly. It is staying put to make sure it's after the # clsid flowbits set above. #By Blake Harstein of Demarc #By Blake Hartstein from Demarc #by shirkdog and Blake hartstein #by stillsecure #Blake Hartstein #By Michael Ligh #by Stillsecure (www.stillsecure.com) -> Added to emerging.rules (1): #new mac dns changer trojan. 
Not a lot of detail yet, but this will catch the UA [---] Removed non-rule lines: [---] -> Removed from emerging-dos.rules (1): #by Stillsecure (stillsecure.com) -> Removed from emerging-exploit.rules (21): #by Stillsecure #by Chandan S at Stillsecure #by Stillsecure #by Stillsecure #by stillsecure # Submitted 2006-09-18 by Christian Seifert, updated 2/5/07 # Submitted 2006-11-01 by Frank Knobbe # steven at securityzone #by Stillsecure (stillsecure.com) #By Blake Harstein at Demarc #These rules are separated for compatibility with Snort 2.3.3 (>850 characters per line), If you are using Snort >2.4.0 you can safely combine these into a single rule #This is for the new IE Exploit. It will be moved to it's own file shortly. It is staying put to make sure it's after the # clsid flowbits set above. #By Blake Harstein of Demarc #By Blake Hartstein from Demarc #by shirkdog and Blake hartstein #by stillsecure #Blake Hartstein #by Stillsecure #by Akash Mahajan of stillsecure #by Stillsecure (www.stillsecure.com) -> Removed from emerging-malware.rules (2): #By Michael Ligh #by Blake Hartstein -> Removed from emerging-sid-msg.map (63): 2002171 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002172 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002173 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002174 || ET EXPLOIT CLSID Pattern Matched 2002308 || ET EXPLOIT Internet Explorer Vulnerable CLSID (Msdds.dll) || url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php 2002491 || ET EXPLOIT COM Object MS05-052 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002492 || ET EXPLOIT COM Object 
MS05-052 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127
2002493 || ET EXPLOIT COM Object MS05-052 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127
2002674 || ET MALWARE Sony DRM Reporting 2 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
2002675 || ET MALWARE Sony DRM Reporting 1 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
2002679 || ET MALWARE Sony DRM Related - CodeSupport ActiveX Attempt || url,www.hack.fi/~muzzy/sony-drm/ || url,www.frsirt.com/english/advisories/2005/2454
2002680 || ET MALWARE Sony DRM - Uninstaller CLSID || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || url,www.frsirt.com/english/advisories/2005/2493 || url,www.freedom-to-tinker.com/?p=931
2002724 || ET EXPLOIT MciWndx ActiveX Control || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx
2002725 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || cve,2005-2831
2002861 || ET EXPLOIT Danim.dll and Dxtmsft.dll COM Objects || url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx || cve,2006-1186
2002971 || ET EXPLOIT Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
2003077 || ET EXPLOIT COM Object MS06-042 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638
2003078 || ET EXPLOIT COM Object MS06-042 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638
2003079 || ET EXPLOIT COM Object MS06-042 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638
2003080 || ET EXPLOIT COM Object MS06-042 (group 4) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638
2003102 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841
2003103 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url, www.osvdb.org/displayvuln.php?osvdb_id=28841
2003104 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842
2003105 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842
2003158 || ET EXPLOIT Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID || url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx || cve,2006-4704 || url,secunia.com/advisories/22603 || url,www.securityfocus.com/bid/20843
2003159 || ET EXPLOIT Microsoft VsmIDE.DTE object call CSLID
2003160 || ET EXPLOIT Microsoft DExplore.AppObj.8.0 object call CSLID
2003161 || ET EXPLOIT Microsoft VisualStudio.DTE.8.0 object call CSLID
2003162 || ET EXPLOIT Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID
2003163 || ET EXPLOIT Microsoft VsaIDE.DTE object call CSLID
2003164 || ET EXPLOIT Microsoft Business Object Factory object call CSLID
2003165 || ET EXPLOIT Microsoft Outlook Data Object object call CSLID
2003166 || ET EXPLOIT Microsoft Outlook.Application object call CSLID
2003328 || ET WEB-CLIENT NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow || url,secunia.com/advisories/23475/ || cve,2007-0018
2003514 || ET EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577
2007818 || ET WEB Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5028 || bugtraq,27540
2007819 || ET WEB Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5005 || bugtraq,27493
2007850 || ET EXPLOIT Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/4979 || bugtraq,27438
2007878 || ET WEB Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow || url,www.milw0rm.com/exploits/5110 || cve,CVE-2008-0778 || bugtraq,27769
2007907 || ET EXPLOIT Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.milw0rm.com/exploits/5190
2007931 || ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 || url,www.milw0rm.com/exploits/3877
2007932 || ET EXPLOIT Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability || bugtraq,28008 || cve,CVE-2007-6017 || url,www.milw0rm.com/exploits/5205
2007998 || ET WEB Rediff Bol Downloader ActiveX Control Remote Code Execution || url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || bugtraq,21831 || cve,CVE-2006-6838
2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272
2008099 || ET EXPLOIT ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite || url,www.milw0rm.com/exploits/5338 || bugtraq,28546
2008126 || ET WEB IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method || url,www.milw0rm.com/exploits/5416
2008127 || ET WEB Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959
2008128 || ET WEB Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit || url,www.milw0rm.com/exploits/5398 || bugtraq,28662
2008129 || ET WEB LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite || cve,CVE-2008-1605 || bugtraq,28442 || url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html
2008173 || ET WEB PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability || bugtraq,25502
2008225 || ET WEB Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit || url,www.milw0rm.com/exploits/5569
2008226 || ET WEB Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit || url,www.milw0rm.com/exploits/5530 || url,www.milw0rm.com/exploits/5460 || bugtraq,28820
2008227 || ET WEB Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.milw0rm.com/exploits/5573
2008607 || ET EXPLOIT Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600
2008612 || ET EXPLOIT Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method || url,secunia.com/Advisories/31989/ || url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html
2008613 || ET EXPLOIT GdPicture Pro ActiveX control SaveAsPDF Insecure Method || url,milw0rm.com/exploits/6638 || url,secunia.com/Advisories/31966/
2008618 || ET DOS IAS Helper COM Component iashlpr.dll activex remote DOS || url,securityreason.com/securityalert/4323 || cve,2008-2639 || url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded
2008619 || ET EXPLOIT Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow || url,securitytracker.com/alerts/2008/Sep/1020951.html || bugtraq,31435
2008620 || ET EXPLOIT Internet Information Service iisext.dll activex setpassword Insecure Method || url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded || cve,2008-4301
2008621 || ET EXPLOIT Internet Information Service adsiis.dll activex remote DOS || url,securityreason.com/securityalert/4325 || cve,2008-4300
2008678 || ET EXPLOIT Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods || url,secunia.com/Advisories/32337/
2008683 || ET EXPLOIT Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow || url,www.milw0rm.com/exploits/6793 || bugtraq,31814
2008792 || ET EXPLOIT Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service || bugtraq,31996

-> Removed from emerging-sid-msg.map.txt (63):
2002171 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990
2002172 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990
2002173 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990
2002174 || ET EXPLOIT CLSID Pattern Matched
2002308 || ET EXPLOIT Internet Explorer Vulnerable CLSID (Msdds.dll) || url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php
2002491 || ET EXPLOIT COM Object MS05-052 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127
2002492 || ET EXPLOIT COM Object MS05-052 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127
2002493 || ET EXPLOIT COM Object MS05-052 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127
2002674 || ET MALWARE Sony DRM Reporting 2 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
2002675 || ET MALWARE Sony DRM Reporting 1 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
2002679 || ET MALWARE Sony DRM Related - CodeSupport ActiveX Attempt || url,www.hack.fi/~muzzy/sony-drm/ || url,www.frsirt.com/english/advisories/2005/2454
2002680 || ET MALWARE Sony DRM - Uninstaller CLSID || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || url,www.frsirt.com/english/advisories/2005/2493 || url,www.freedom-to-tinker.com/?p=931
2002724 || ET EXPLOIT MciWndx ActiveX Control || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx
2002725 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || cve,2005-2831
2002861 || ET EXPLOIT Danim.dll and Dxtmsft.dll COM Objects || url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx || cve,2006-1186
2002971 || ET EXPLOIT Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303
2003077 || ET EXPLOIT COM Object MS06-042 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638
2003078 || ET EXPLOIT COM Object MS06-042 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638
2003079 || ET EXPLOIT COM Object MS06-042 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638
2003080 || ET EXPLOIT COM Object MS06-042 (group 4) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638
2003102 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841
2003103 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url, www.osvdb.org/displayvuln.php?osvdb_id=28841
2003104 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842
2003105 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842
2003158 || ET EXPLOIT Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID || url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx || cve,2006-4704 || url,secunia.com/advisories/22603 || url,www.securityfocus.com/bid/20843
2003159 || ET EXPLOIT Microsoft VsmIDE.DTE object call CSLID
2003160 || ET EXPLOIT Microsoft DExplore.AppObj.8.0 object call CSLID
2003161 || ET EXPLOIT Microsoft VisualStudio.DTE.8.0 object call CSLID
2003162 || ET EXPLOIT Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID
2003163 || ET EXPLOIT Microsoft VsaIDE.DTE object call CSLID
2003164 || ET EXPLOIT Microsoft Business Object Factory object call CSLID
2003165 || ET EXPLOIT Microsoft Outlook Data Object object call CSLID
2003166 || ET EXPLOIT Microsoft Outlook.Application object call CSLID
2003328 || ET WEB-CLIENT NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow || url,secunia.com/advisories/23475/ || cve,2007-0018
2003514 || ET EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577
2007818 || ET WEB Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5028 || bugtraq,27540
2007819 || ET WEB Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5005 || bugtraq,27493
2007850 || ET EXPLOIT Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/4979 || bugtraq,27438
2007878 || ET WEB Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow || url,www.milw0rm.com/exploits/5110 || cve,CVE-2008-0778 || bugtraq,27769
2007907 || ET EXPLOIT Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.milw0rm.com/exploits/5190
2007931 || ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 || url,www.milw0rm.com/exploits/3877
2007932 || ET EXPLOIT Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability || bugtraq,28008 || cve,CVE-2007-6017 || url,www.milw0rm.com/exploits/5205
2007998 || ET WEB Rediff Bol Downloader ActiveX Control Remote Code Execution || url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || bugtraq,21831 || cve,CVE-2006-6838
2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272
2008099 || ET EXPLOIT ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite || url,www.milw0rm.com/exploits/5338 || bugtraq,28546
2008126 || ET WEB IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method || url,www.milw0rm.com/exploits/5416
2008127 || ET WEB Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959
2008128 || ET WEB Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit || url,www.milw0rm.com/exploits/5398 || bugtraq,28662
2008129 || ET WEB LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite || cve,CVE-2008-1605 || bugtraq,28442 || url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html
2008173 || ET WEB PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability || bugtraq,25502
2008225 || ET WEB Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit || url,www.milw0rm.com/exploits/5569
2008226 || ET WEB Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit || url,www.milw0rm.com/exploits/5530 || url,www.milw0rm.com/exploits/5460 || bugtraq,28820
2008227 || ET WEB Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.milw0rm.com/exploits/5573
2008607 || ET EXPLOIT Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600
2008612 || ET EXPLOIT Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method || url,secunia.com/Advisories/31989/ || url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html
2008613 || ET EXPLOIT GdPicture Pro ActiveX control SaveAsPDF Insecure Method || url,milw0rm.com/exploits/6638 || url,secunia.com/Advisories/31966/
2008618 || ET DOS IAS Helper COM Component iashlpr.dll activex remote DOS || url,securityreason.com/securityalert/4323 || cve,2008-2639 || url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded
2008619 || ET EXPLOIT Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow || url,securitytracker.com/alerts/2008/Sep/1020951.html || bugtraq,31435
2008620 || ET EXPLOIT Internet Information Service iisext.dll activex setpassword Insecure Method || url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded || cve,2008-4301
2008621 || ET EXPLOIT Internet Information Service adsiis.dll activex remote DOS || url,securityreason.com/securityalert/4325 || cve,2008-4300
2008678 || ET EXPLOIT Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods || url,secunia.com/Advisories/32337/
2008683 || ET EXPLOIT Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow || url,www.milw0rm.com/exploits/6793 || bugtraq,31814
2008792 || ET EXPLOIT Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service || bugtraq,31996

-> Removed from emerging-web.rules (1):
#by Chandan S of StillSecure

From r.fulton at auckland.ac.nz Tue Nov 25 18:56:55 2008
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Wed, 26 Nov 2008 12:56:55 +1300
Subject: [Emerging-Sigs] information on "ET TROJAN Generic Password Stealer User Agent Detected , sid:2003635"
Message-ID:

I am seeing a trickle of machines that repeatedly trigger this signature, e.g.:

GET /xmfx/mg11.txt HTTP/1.1..User-Agent: RookIE/1.0..Host: hhgg3.com....

but when admins visit the systems they fail to find anything. In one case they reimaged the machine and the traffic was back within a day.

Google just turned up references to Bleeding/Emerging threats, sigh...

any useful information greatly appreciated and I promise I'll add it to the wiki!

Russell

PS Norton rates hhgg3.com as "safe".
From philipp at bescht.de Tue Nov 25 19:23:34 2008
From: philipp at bescht.de (Philipp Bescht)
Date: Wed, 26 Nov 2008 01:23:34 +0100
Subject: [Emerging-Sigs] information on "ET TROJAN Generic Password Stealer User Agent Detected , sid:2003635"
In-Reply-To:
References:
Message-ID: <20081126012334.5ddb06d4@desktop.philnet>

Hi Russell,

I remember this part of the URI /xmfx/ from hosts like www.microsoftmg.com. In this case an iframe was loaded from a javascript on www.fpskorea.com, pointing to:

hxxp://222.122.138.92/index.htm

which served an MDAC exploit, downloading:

hxxp://222.122.138.92/UU.exe (md5sum 965583b539fb59b643c7bdd83e269a7e)

after execution, it downloaded:

hxxp://www.microsoftmg.com/xxc/ddr.rar (md5sum 648feff7d9cea5e331251dce9cdffc24)
hxxp://www.mgmicrosoft.com/xmfx/help1.rar (md5sum 522707b9255de5d662e2349576f5214b)
hxxp://www.mgmicrosoft.com/xmfx/help.rar (md5sum 648feff7d9cea5e331251dce9cdffc24)

When looking at the IP address of hhgg3.com (221.1.204.243), we see that mgmicrosoft.com is among the hosts resolving to it (http://www.bfk.de/bfk_dnslogger.html?query=221.1.204.243).

So, to make a long story short, you'd better consider everything from there 'malicious' :)

Regarding the recurring infection after replaying an image, I can think of the following possible situations:
- the machine's MBR is infected,
- the image is faulty,
- another host on the network is infecting it (i.e. via arp-poisoning),
- something else :D

Well, I hope that information helps a little :)

Regards,
Philipp

On Wed, 26 Nov 2008 12:56:55 +1300
Russell Fulton wrote:

> I am seeing a trickle of machine that repeatedly trigger this
> signature, e.g.:
>
> GET /xmfx/mg11.txt HTTP/1.1..User-Agent: RookIE/1.0..Host: h
> hgg3.com....
>
> but when admins visit the systems they fail to find anything. In
> one case they reimaged the machine and the traffic was back within a
> day.
>
> Google just turned up references to Bleeding/Emerging threats, sigh...
>
> any useful information greatly appreciated and I promise I'll add it
> to the wiki!
>
> Russell
>
> PS norton rates hhgg3.com as "safe".
>
>

From sun at vakharia.info Wed Nov 26 07:18:49 2008
From: sun at vakharia.info (¯`·._The Sun_.·´¯)
Date: Wed, 26 Nov 2008 17:48:49 +0530
Subject: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster
In-Reply-To: <1227121157.6518.12.camel@kinta>
References: <314cf0830811130459k2867fb6ep42983be2dd9376a@mail.gmail.com> <1227121157.6518.12.camel@kinta>
Message-ID:

Thank you for helping me out.

I uncommented a couple of lines from my snort.conf. Here is the snippet from the file:

# Load all dynamic preprocessors from the install path
# (same as command line option --dynamic-preprocessor-lib-dir)
#
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
#
# Load a specific dynamic preprocessor library from the install path
# (same as command line option --dynamic-preprocessor-lib)
#
# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
#
# Load a dynamic engine from the install path
# (same as command line option --dynamic-engine-lib)
#
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
#
# Load all dynamic rules libraries from the install path
# (same as command line option --dynamic-detection-lib-dir)
#
dynamicdetection directory /usr/local/lib/snort_dynamicrule/
#
# Load a specific dynamic rule library from the install path
# (same as command line option --dynamic-detection-lib)
#
# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
#

Now, when I ran snort, I got this:
--------------------------------------------------------------------------------------------------------
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrule/...
Warning: Directory /usr/local/lib/snort_dynamicrule/ does not exist!
Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrule/
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
--------------------------------------------------------------------------------------------------------

Further down I get
--------------------------------------------------------------------------------------------------------
8924 Snort rules read
8924 detection rules
0 decoder rules
0 preprocessor rules
8924 Option Chains linked into 357 Chain Headers
0 Dynamic rules

Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Encoded Rule Plugin SID: 13922, GID: 3 not registered properly. Disabling this rule.
Encoded Rule Plugin SID: 13476, GID: 3 not registered properly. Disabling this rule.
Encoded Rule Plugin SID: 13308, GID: 3 not registered properly. Disabling this rule.
Encoded Rule Plugin SID: 10126, GID: 3 not registered properly. Disabling this rule.
--------------------------------------------------------------------------------------------------------

Looked like it didn't work so far.

Since I got a warning (see above) "/usr/local/lib/snort_dynamicrule/ does not exist!", I went back to edit my snort.conf with the following:
dynamicdetection directory /usr/local/lib/snort_dynamicrules/
(notice the "s" at the end).

Here is what I get after running snort again
--------------------------------------------------------------------------------------------------------
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules/...
Loading dynamic detection library /usr/local/lib/snort_dynamicrules//lib_sfdynamic_example_rule.so... done
Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules/
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
ERROR: Dynamic detection lib /usr/local/lib/snort_dynamicrules//lib_sfdynamic_example_rule.so 1.0 isn't compatible with the current dynamic engine library /usr/local/lib/snort_dynamicengine/libsf_engine.so 1.9.
The dynamic detection lib is compiled with an older version of the dynamic engine.
--------------------------------------------------------------------------------------------------------

Any ideas on what I should be doing next?

Subject: Re: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster
From: dxp2532 at gmail.com
To: sun at vakharia.info
CC: joel.esler at sourcefire.com; emerging-sigs at emergingthreats.net
Date: Wed, 19 Nov 2008 13:59:16 -0500

Make sure a line similar to this is enabled in Snort's config file:
"dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules/"
-

-=[ dxp ]=-
0xA3F3C6E3

On Mon, 2008-11-17 at 18:22 +0530, ¯`·._The Sun_.·´¯ wrote:

Thanks Joel for your help so far.
I have gone through the two links (the Snort doc link seems to be oversimplified and the TechTarget link seems to be unduly complicated for me).
I am not sure if I have configured Snort with the --enable-dynamic-plugin in the first place.
At the moment, when I run Snort I get this:

Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/

I assume that dynamic plugins are enabled for me.
Further I see this:

8924 Option Chains linked into 357 Chain Headers
0 Dynamic rules

And still further down in the output I see this:

+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2003279 type=Both tracking=src count=1 seconds=900
| gen-id=1 sig-id=2001872 type=Limit tracking=src count=1 seconds=360
| gen-id=1 sig-id=2001663 type=Limit tracking=src count=2 seconds=360
| gen-id=1 sig-id=2003276 type=Both tracking=src count=1 seconds=900
| gen-id=1 sig-id=2002911 type=Threshold tracking=src count=5 seconds=60
| gen-id=1 sig-id=2003257 type=Both tracking=src count=2 seconds=900
......

After this:

Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Encoded Rule Plugin SID: 13922, GID: 3 not registered properly. Disabling this rule.
Encoded Rule Plugin SID: 13476, GID: 3 not registered properly. Disabling this rule.
Encoded Rule Plugin SID: 13308, GID: 3 not registered properly. Disabling this rule.
........

Taking the first SID: 13922

root at desktop:/etc/snort/so_rules# grep -r 13922 *
Binary file precompiled/Ubuntu-8.04/x86-64/2.8.3/web-misc.so matches
web-misc.rules:alert tcp $HOME_NET ...truncated text

root at desktop:/etc/snort/so_rules/src# make
ls: cannot access web-misc_*.c: No such file or directory
ls: cannot access sql_*.c: No such file or directory
..
..
p2p_winny.c:151: error: ‘RULE_MATCH’ undeclared (first use in this function)
make: *** [p2p_winny] Error 1

What's the next step that I need to take?

Date: Thu, 13 Nov 2008 07:59:40 -0500
From: joel.esler at sourcefire.com
To: sun at vakharia.info
Subject: Re: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster
CC: emerging-sigs at emergingthreats.net

The rule to detect MS08-067 is a Shared Object rule. You'll need to follow the instructions here:
http://www.snort.org/docs/faq/3Q06/node87.html
or here:
http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1299181,00.html
in order to use this rule.

Joel

On Tue, Nov 11, 2008 at 8:59 AM, ¯`·._The Sun_.·´¯ wrote:

I am quite new to Snort rule updates and am looking at a simple guide to help me integrate the emergingthreats rules into my Snort test setup. My apologies if this is not the right forum for this question, but I am unable to locate the information that I am looking for on the emergingthreats.net website.

I already have the rules from snort.org (VRT Certified Rules for Snort v2.8, snortrules-snapshot-2.8.tar.gz). However, they do not seem to pick up the MS08-067 exploit (which I am using as a test case). Here is what I have done so far.

1. Snort has been set up and works fine - I can detect port scans etc. without problems without any rule changes.
2. I have also downloaded rules from emergingthreats.net and extracted them to /etc/snort/rules where the official rules have also been placed.
3. Now, I edited my snort conf file and included a few rules:
include $RULE_PATH/emerging.conf
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/emerging-web.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging.rules
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules

And restarted snort. But that did not detect the exploit. Is there something else that I need to do? I also had set up Oinkmaster. Does that work with download of rules from emergingthreats? Or do I have to download via cvs?

Thanks.

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From joel.esler at sourcefire.com Wed Nov 26 08:48:12 2008
From: joel.esler at sourcefire.com (Joel Esler)
Date: Wed, 26 Nov 2008 08:48:12 -0500
Subject: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster
In-Reply-To:
References: <314cf0830811130459k2867fb6ep42983be2dd9376a@mail.gmail.com> <1227121157.6518.12.camel@kinta>
Message-ID: <52C42CD3-9613-494A-AA08-9D60E26AF5B2@sourcefire.com>

Are you running the current version of Snort?

Joel

On Nov 26, 2008, at 7:18 AM, ¯`·._The Sun_.·´¯ wrote:

> Thank you for helping me out.
>
> I uncommented a couple of lines from my snort.conf.
> Here is the snippet from the file:
>
> # Load all dynamic preprocessors from the install path
> # (same as command line option --dynamic-preprocessor-lib-dir)
> #
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> #
> # Load a specific dynamic preprocessor library from the install path
> # (same as command line option --dynamic-preprocessor-lib)
> #
> # dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
> #
> # Load a dynamic engine from the install path
> # (same as command line option --dynamic-engine-lib)
> #
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> #
> # Load all dynamic rules libraries from the install path
> # (same as command line option --dynamic-detection-lib-dir)
> #
> dynamicdetection directory /usr/local/lib/snort_dynamicrule/
> #
> # Load a specific dynamic rule library from the install path
> # (same as command line option --dynamic-detection-lib)
> #
> # dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
> #
>
> Now, when I ran snort, I got this:
> --------------------------------------------------------------------------------------------------------
> Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrule/...
> Warning: Directory /usr/local/lib/snort_dynamicrule/ does not exist!
> Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrule/
> Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> --------------------------------------------------------------------------------------------------------
>
> Further down I get
> --------------------------------------------------------------------------------------------------------
> 8924 Snort rules read
> 8924 detection rules
> 0 decoder rules
> 0 preprocessor rules
> 8924 Option Chains linked into 357 Chain Headers
> 0 Dynamic rules
>
>
> Rule application order: activation->dynamic->pass->drop->alert->log
> Log directory = /var/log/snort
> Encoded Rule Plugin SID: 13922, GID: 3 not registered properly. Disabling this rule.
> Encoded Rule Plugin SID: 13476, GID: 3 not registered properly. Disabling this rule.
> Encoded Rule Plugin SID: 13308, GID: 3 not registered properly. Disabling this rule.
> Encoded Rule Plugin SID: 10126, GID: 3 not registered properly. Disabling this rule.
> --------------------------------------------------------------------------------------------------------
>
> Looked like it didn't work so far.
>
> Since I got a warning (see above) "/usr/local/lib/snort_dynamicrule/ does not exist!", I went back to edit my snort.conf with the following:
> dynamicdetection directory /usr/local/lib/snort_dynamicrules/
> (notice the "s" at the end).
>
> Here is what I get after running snort again
> --------------------------------------------------------------------------------------------------------
> Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules/...
> Loading dynamic detection library /usr/local/lib/snort_dynamicrules//lib_sfdynamic_example_rule.so... done
> Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules/
> Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> ERROR: Dynamic detection lib /usr/local/lib/snort_dynamicrules//lib_sfdynamic_example_rule.so 1.0 isn't compatible with the current dynamic engine library /usr/local/lib/snort_dynamicengine/libsf_engine.so 1.9.
> The dynamic detection lib is compiled with an older version of the dynamic engine.
> --------------------------------------------------------------------------------------------------------
>
>
> Any ideas on what I should be doing next?
>
>
>
> Subject: Re: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster
> From: dxp2532 at gmail.com
> To: sun at vakharia.info
> CC: joel.esler at sourcefire.com; emerging-sigs at emergingthreats.net
> Date: Wed, 19 Nov 2008 13:59:16 -0500
>
> Make sure line similar to this is enabled in the Snort's config file:
> "dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules/"
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
>
>
> On Mon, 2008-11-17 at 18:22 +0530, ¯`·._The Sun_.·´¯ wrote:
> Thanks Joel for your help so far.
> I have gone through the two links (the Snort doc link seems to be over simplified and the TechTarget link seems to be unduly complicated for me).
> I am not sure if I have configured Snort with the --enable-dynamic-plugin in the first place.
> At the moment, when I run Snort I get this:
>
> Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
> done
> Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>
> I assume that dynamic-plugins are enabled for me.
>
> Further I see this:
> 8924 Option Chains linked into 357 Chain Headers
> 0 Dynamic rules
>
> And still further down in the output I see this:
> +-----------------------[thresholding-local]-----------------------------------
> | gen-id=1 sig-id=2003279 type=Both tracking=src count=1 seconds=900
> | gen-id=1 sig-id=2001872 type=Limit tracking=src count=1 seconds=360
> | gen-id=1 sig-id=2001663 type=Limit tracking=src count=2 seconds=360
> | gen-id=1 sig-id=2003276 type=Both tracking=src count=1 seconds=900
> | gen-id=1 sig-id=2002911 type=Threshold tracking=src count=5 seconds=60
> | gen-id=1 sig-id=2003257 type=Both tracking=src count=2 seconds=900
> ......
>
> After this:
> Rule application order: activation->dynamic->pass->drop->alert->log
> Log directory = /var/log/snort
> Encoded Rule Plugin SID: 13922, GID: 3 not registered properly.
> Disabling this rule.
> Encoded Rule Plugin SID: 13476, GID: 3 not registered properly.
> Disabling this rule.
> Encoded Rule Plugin SID: 13308, GID: 3 not registered properly.
> Disabling this rule.
> ........
>
> Taking the first SID: 13922
> root at desktop:/etc/snort/so_rules# grep -r 13922 *
> Binary file precompiled/Ubuntu-8.04/x86-64/2.8.3/web-misc.so matches
> web-misc.rules:alert tcp $HOME_NET ...truncated text
>
> root at desktop:/etc/snort/so_rules/src# make
> ls: cannot access web-misc_*.c: No such file or directory
> ls: cannot access sql_*.c: No such file or directory
> ..
> ..
> p2p_winny.c:151: error: 'RULE_MATCH' undeclared (first use in this function)
> make: *** [p2p_winny] Error 1
>
>
> What's the next step that I need to take?
>
>
>
>
>
> Date: Thu, 13 Nov 2008 07:59:40 -0500
> From: joel.esler at sourcefire.com
> To: sun at vakharia.info
> Subject: Re: [Emerging-Sigs] Snort rules, EmergingThreats rules and Oinkmaster
> CC: emerging-sigs at emergingthreats.net
>
> The rule to detect MS08-067 is a Shared Object rule. You'll need to follow the instructions here:
> http://www.snort.org/docs/faq/3Q06/node87.html
> or here:
> http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1299181,00.html
> in order to use this rule.
>
>
> Joel
>
> On Tue, Nov 11, 2008 at 8:59 AM, ?`?._The Sun_.??? wrote:
> I am quite new to Snort rule updates and am looking at a simple guide to help me integrate the emergingthreats' rules into my Snort test setup.
>
> My apologies if this is not the right forum for this question, but I am unable to locate the information that I am looking for on the emergingthreats.net website.
>
> I already have the rules from snort.org (VRT Certified Rules for Snort v2.8, snortrules-snapshot-2.8.tar.gz). However, they do not seem to pick up the MS08-067 exploit (which I am using as a test case).
>
> Here is what I have done so far.
> 1. Snort has been set up and works fine - I can detect port scans etc. without problems without any rule changes.
> 2. I have also downloaded rules from emergingthreats.net and extracted them to /etc/snort/rules where the official rules have also been placed.
>
> 3. Now, I edited my snort conf file and included a few rules
> include $RULE_PATH/emerging.conf
> include $RULE_PATH/emerging-malware.rules
> include $RULE_PATH/emerging-exploit.rules
> include $RULE_PATH/emerging-web.rules
> include $RULE_PATH/emerging-scan.rules
> include $RULE_PATH/emerging.rules
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
>
> And restarted snort. But that did not detect the exploit.
>
> Is there something else that I need to do?
>
> I also had set up Oinkmaster. Does that work with download of rules from emergingthreats? Or do I have to download via cvs?
>
> Thanks.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081126/b1f33c81/attachment-0001.html

From jonkman at jonkmans.com Wed Nov 26 09:07:28 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 26 Nov 2008 09:07:28 -0500
Subject: [Emerging-Sigs] Russian based worm exploiting MS08-067
Message-ID: <492D5820.6060301@jonkmans.com>

Great research from Daniel Clemens and McAfee:
http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
http://www.packetninjas.net/?p=73

Daniel has put up a signature that ought to be reliable. It's in CURRENT_EVENTS as this worm may not last long. We'll drop it in a couple weeks if so.

As far as we know the existing sigs for the actual MS08-067 will catch the exploit attempts internally.

Some activity seems related to ushealthmart.com. This domain has been known bad for a very long time, and I've personally reported it to GoDaddy where it's registered several times months ago on other trojans. No response unfortunately. Thanks GoDaddy! Making the world a safer place... for someone.

Happy de-worming!!
Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed Nov 26 10:25:50 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 26 Nov 2008 10:25:50 -0500
Subject: [Emerging-Sigs] information on "ET TROJAN Generic Password Stealer User Agent Detected , sid:2003635"
In-Reply-To: <20081126012334.5ddb06d4@desktop.philnet>
References: <20081126012334.5ddb06d4@desktop.philnet>
Message-ID: <492D6A7E.5020901@jonkmans.com>

Agree there. Good info Philipp.

My thinking, anything that is deep enough to alter the US on an http request, but not detected by AV tools means you're in deep. Start thinking reimage... Save yourself a lot of time.

Matt

Philipp Bescht wrote:
> Hi Russell,
>
> I remember this part of the URI /xmfx/ from hosts like www.microsoftmg.com. In this case an iframe was loaded from a javascript on www.fpskorea.com, pointing to:
> hxxp://222.122.138.92/index.htm
> which served an MDAC exploit, downloading:
> hxxp://222.122.138.92/UU.exe (md5sum 965583b539fb59b643c7bdd83e269a7e)
>
> after execution, it downloaded:
> hxxp://www.microsoftmg.com/xxc/ddr.rar (md5sum 648feff7d9cea5e331251dce9cdffc24)
> hxxp://www.mgmicrosoft.com/xmfx/help1.rar (md5sum 522707b9255de5d662e2349576f5214b)
> hxxp://www.mgmicrosoft.com/xmfx/help.rar (md5sum 648feff7d9cea5e331251dce9cdffc24)
>
> When looking at the ip address of hhgg3.com (221.1.204.243), we see that mgmicrosoft.com is among the hosts resolving to it (http://www.bfk.de/bfk_dnslogger.html?query=221.1.204.243).
>
> So, to make a long story short, you better consider everything from there 'malicious' :)
>
> Regarding the recurring infection after replaying an image, I can think of the following possible situations:
> - the machine's MBR is infected,
> - the image is faulty,
> - another host on the network is infecting it (ie via arp-poisoning),
> - something else :D
>
> Well, I hope that information helps a little :)
>
> Regards,
> Philipp
>
>
> On Wed, 26 Nov 2008 12:56:55 +1300
> Russell Fulton wrote:
>
>> I am seeing a trickle of machines that repeatedly trigger this signature, e.g.:
>>
>> GET /xmfx/mg11.txt HTTP/1.1..User-Agent: RookIE/1.0..Host: hhgg3.com....
>>
>> but when admins visit the systems they fail to find anything. In one case they reimaged the machine and the traffic was back within a day.
>>
>> Google just turned up references to Bleeding/Emerging threats, sigh...
>>
>> any useful information greatly appreciated and I promise I'll add it to the wiki!
>>
>> Russell
>>
>> PS norton rates hhgg3.com as "safe".
>>
>>
>>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Wed Nov 26 16:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 26 Nov 2008 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081126210009.1CCAB45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Nov 26 16:00:09 2008 [***]

[+++] Added rules: [+++]
2003231 - ET WEB_ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (emerging-web.rules)
2003232 - ET WEB_ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) (emerging-web.rules)
2003233 - ET WEB_ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (emerging-web.rules)
2003234 - ET WEB_ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) (emerging-web.rules)
2007852 - ET WEB_ACTIVEX Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit (emerging-web.rules)
2007853 - ET WEB_ACTIVEX ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability (emerging-web.rules)
2007904 - ET WEB_ACTIVEX RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability (emerging-web.rules)
2008673 - ET WEB_ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack (emerging-web.rules)
2008799 - ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download (emerging.rules)

[---] Removed rules: [---]
2003231 - ET EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code
Execution (emerging-exploit.rules)
2003232 - ET EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) (emerging-exploit.rules)
2003233 - ET EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (emerging-exploit.rules)
2003234 - ET EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) (emerging-exploit.rules)
2007852 - ET EXPLOIT Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit (emerging-exploit.rules)
2007853 - ET EXPLOIT ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability (emerging-exploit.rules)
2007903 - ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability (emerging-exploit.rules)
2007904 - ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability (emerging-exploit.rules)
2007905 - ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability (emerging-exploit.rules)
2008673 - ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack (emerging-exploit.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (9):
2003231 || ET WEB_ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url, osvdb.org/10705
2003232 || ET WEB_ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 || url, osvdb.org/10705
2003233 || ET WEB_ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url, osvdb.org/7913
2003234 || ET WEB_ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url, osvdb.org/7913
2007852 || ET WEB_ACTIVEX Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit || bugtraq,27193 || url,www.milw0rm.com/exploits/4982
2007853 || ET WEB_ACTIVEX ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability || bugtraq,27439 || url,www.milw0rm.com/exploits/4981
2007904 || ET WEB_ACTIVEX RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2008673 || ET WEB_ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699
2008799 || ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download

-> Added to emerging-sid-msg.map.txt (9):
2003231 || ET WEB_ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url, osvdb.org/10705
2003232 || ET WEB_ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 || url, osvdb.org/10705
2003233 || ET WEB_ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url, osvdb.org/7913
2003234 || ET WEB_ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url, osvdb.org/7913
2007852 || ET WEB_ACTIVEX Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit || bugtraq,27193 || url,www.milw0rm.com/exploits/4982
2007853 || ET WEB_ACTIVEX ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability || bugtraq,27439 || url,www.milw0rm.com/exploits/4981
2007904 || ET WEB_ACTIVEX RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2008673 || ET WEB_ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699
2008799 || ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download

-> Added to emerging-web.rules (3):
#Updated by Christian Siefert 2/5/07
#Updated by Christian Siefert, 2/5/07
#by Veerendra at secpod

-> Added to emerging.rules (1):
#research by Daniel Clemens and mcafee

[---] Removed non-rule lines: [---]

-> Removed from emerging-exploit.rules (4):
#by Akash Mahajan at stillsecure
#Updated by Christian Siefert 2/5/07
#Updated by Christian Siefert, 2/5/07
#by Veerendra at secpod

-> Removed from emerging-sid-msg.map (10):
2003231 || ET EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url, osvdb.org/10705
2003232 || ET EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 || url, osvdb.org/10705
2003233 || ET EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url, osvdb.org/7913
2003234 || ET EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url, osvdb.org/7913
2007852 || ET EXPLOIT Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit || bugtraq,27193 || url,www.milw0rm.com/exploits/4982
2007853 || ET EXPLOIT ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability || bugtraq,27439 || url,www.milw0rm.com/exploits/4981
2007903 || ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007904 || ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007905 || ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2008673 || ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699

-> Removed from emerging-sid-msg.map.txt (10):
2003231 || ET EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url, osvdb.org/10705
2003232 || ET EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 || url, osvdb.org/10705
2003233 || ET EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url, osvdb.org/7913
2003234 || ET EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url, osvdb.org/7913
2007852 || ET EXPLOIT Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit || bugtraq,27193 || url,www.milw0rm.com/exploits/4982
2007853 || ET EXPLOIT ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability || bugtraq,27439 || url,www.milw0rm.com/exploits/4981
2007903 || ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007904 || ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007905 || ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2008673 || ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699

From emerging at emergingthreats.net Thu Nov 27 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 27 Nov 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081127210008.5D5714502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Nov 27 16:00:08 2008 [***]

[*] Rules modifications: [*]
None.
[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (2):
2500081 || ET COMPROMISED Known Compromised or Hostile Host Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510081 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (2):
2500081 || ET COMPROMISED Known Compromised or Hostile Host Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510081 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From r.fulton at auckland.ac.nz Thu Nov 27 17:54:03 2008
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Fri, 28 Nov 2008 11:54:03 +1300
Subject: [Emerging-Sigs] Mac DNS Changer
In-Reply-To: <492C10A3.3090107@jonkmans.com>
References: <492C10A3.3090107@jonkmans.com>
Message-ID:

On 26/11/2008, at 3:50 AM, Matt Jonkman wrote:
> #new mac dns changer trojan. Not a lot of detail yet, but this will catch the US
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected"; flow:established,to_server; uricontent:"cgi-bin/generator.pl"; content:"|0d 0a|User-Agent\: "; content:"\;typeofrun\;7777\;"; distance:3; within:30; classtype:trojan-activity; sid:2008796; rev:1;)
>
> More info as it comes around. This sig is pretty specific, so keeping it in current events for now.

Matt

What do you mean by "current events"? Yeah, I know I have not been paying attention lately, sigh...

I can't find a current-events rule file.

Russell

From jonkman at jonkmans.com Thu Nov 27 19:37:30 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 27 Nov 2008 19:37:30 -0500
Subject: [Emerging-Sigs] Mac DNS Changer
In-Reply-To:
References: <492C10A3.3090107@jonkmans.com>
Message-ID: <492F3D4A.5010108@jonkmans.com>

Current events is the 'temporary' rule place. They land in emerging.rules. I review those every week or so and drop the irrelevant stuff. Good place for high load but temporarily important stuff.

Matt

Russell Fulton wrote:
>
> On 26/11/2008, at 3:50 AM, Matt Jonkman wrote:
>
>> #new mac dns changer trojan. Not a lot of detail yet, but this will catch the US
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected"; flow:established,to_server; uricontent:"cgi-bin/generator.pl"; content:"|0d 0a|User-Agent\: "; content:"\;typeofrun\;7777\;"; distance:3; within:30; classtype:trojan-activity; sid:2008796; rev:1;)
>>
>> More info as it comes around. This sig is pretty specific, so keeping it in current events for now.
>
>
> Matt
>
> What do you mean by "current events"? Yeah, I know I have not been paying attention lately, sigh...
>
> I can't find a current-events rule file.
>
> Russell

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From signatures at stillsecure.com Fri Nov 28 01:36:51 2008
From: signatures at stillsecure.com (signatures)
Date: Thu, 27 Nov 2008 23:36:51 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Nov-28-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2913@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. YourFreeWorld Classifieds Blaster tr.php id Parameter SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"YourFreeWorld Classifieds Blaster tr.php id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/classifiedsblaster/tr.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32504/; reference:url,milw0rm.com/exploits/6944; sid:10046; rev:1;)

2. TBmnetCMS index.php content Parameter Local File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TBmnetCMS index.php content Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"content="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,secunia.com/advisories/32462/; reference:url,milw0rm.com/exploits/6973; sid:10046; rev:1;)

3.
Tours Manager cityview.php cityid Parameter SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Tours Manager cityview.php cityid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cityview.php?"; nocase; uricontent:"cityid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32503/; reference:url,milw0rm.com/exploits/6988; sid:10047; rev:1;)

4. Joomla Pro Desk Component include_file Local File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Joomla Pro Desk Component include_file Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_pro_desk"; nocase; uricontent:"include_file="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,secunia.com/advisories/32523/; reference:url,milw0rm.com/exploits/6980; sid:10048; rev:1;)

5. Pre Podcast Portal tour.php id SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Pre Podcast Portal tour.php id SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/Tour.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32563/; reference:url,milw0rm.com/exploits/6997; sid:10049; rev:1;)

6. Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/visualizza.php?"; nocase; uricontent:"plancia="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; sid:10050; rev:1;)

7. Way Of The Warrior crea.php plancia Parameter Local File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Way Of The Warrior crea.php plancia Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"crea.php?"; nocase; uricontent:"plancia="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; sid:10051; rev:1;)

8. Way Of The Warrior crea.php plancia Remote File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Way Of The Warrior crea.php plancia Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"crea.php?"; nocase; uricontent:"plancia="; nocase; pcre:"/plancia=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; sid:10052; rev:1;)

9. TurnkeyForms Business Survey Pro id parameter SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TurnkeyForms Business Survey Pro id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/survey_results_text.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32561/; reference:url,milw0rm.com/exploits/7029; sid:2009115; rev:1;)

10. Turnkeyforms Software Directory showcategory.php cid parameter SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Turnkeyforms Software Directory showcategory.php cid parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/showcategory.php?"; nocase; uricontent:"cid="; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32568/; reference:url,milw0rm.com/exploits/7027; sid:10050; rev:1;)

Looking forward to your comments if any...

Thanks & Regards,
StillSecure
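A batch like the one above is usually reviewed before it is merged, and two things a reviewer wants to check mechanically are whether every rule carries a unique sid and what each rule's URI checks actually match. The following Python is an added example written for this page, not StillSecure's or Emerging Threats' tooling. It parses a handful of the submitted rules (copied verbatim, minus their classtype and reference options), reports sids that are reused within the batch, and dry-runs the URI side of each rule (uricontent, nocase, and pcre with the U flag) against constructed sample request URIs. Like Snort's http_inspect it decodes %xx escapes before matching, but it ignores depth/offset/distance/within and the non-URI content checks, so it is a review aid rather than a substitute for loading the rules into Snort.

```python
"""Lint and dry-run the URI checks of a batch of Snort web rules (added example)."""
import re
from urllib.parse import unquote

# Constructed sample: five rules copied from the StillSecure submission, with the
# classtype and reference options dropped. sid, msg, uricontent, nocase and pcre
# are verbatim, including the two sid values the batch reuses (10046 and 10050).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"YourFreeWorld Classifieds Blaster tr.php id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/classifiedsblaster/tr.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; sid:10046; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TBmnetCMS index.php content Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"content="; nocase; pcre:"/(\.\.\/){1,}/U"; sid:10046; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/visualizza.php?"; nocase; uricontent:"plancia="; nocase; pcre:"/(\.\.\/){1,}/U"; sid:10050; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Way Of The Warrior crea.php plancia Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"crea.php?"; nocase; uricontent:"plancia="; nocase; pcre:"/plancia=\s*(ftps?|https?|php)\:\//Ui"; sid:10052; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Turnkeyforms Software Directory showcategory.php cid parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/showcategory.php?"; nocase; uricontent:"cid="; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; sid:10050; rev:1;)
'''

# One rule option: keyword, optional ":value" (quoted, with backslash escapes, or bare), then ";".
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?;')


def parse_rule(line):
    """Extract sid, msg, the uricontent checks (with their nocase flag) and the pcre options."""
    body = line[line.index('(') + 1:line.rindex(')')]
    rule = {'sid': None, 'msg': '', 'uri_checks': [], 'pcres': []}
    last_is_uri = False  # nocase modifies the most recent content/uricontent option
    for key, raw in OPTION_RE.findall(body):
        val = raw.strip()
        if val.startswith('"'):
            val = val[1:-1]
        if key == 'sid':
            rule['sid'] = int(val)
        elif key == 'msg':
            rule['msg'] = val
        elif key == 'content':
            last_is_uri = False
        elif key == 'uricontent':
            # Snort escapes ; " \ : with a backslash inside content strings; |hex| notation
            # is not handled here (none of the sampled uricontent values use it).
            rule['uri_checks'].append([re.sub(r'\\(.)', r'\1', val), False])
            last_is_uri = True
        elif key == 'nocase' and last_is_uri:
            rule['uri_checks'][-1][1] = True
        elif key == 'pcre':
            pattern, flags = val[1:].rsplit('/', 1)  # "/regex/flags" -> ("regex", "flags")
            rule['pcres'].append((pattern, flags))
    return rule


def load_rules(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.startswith('alert ')]


def lint_sids(rules):
    """Map every sid used more than once to the msgs sharing it; a batch must not reuse sids."""
    by_sid = {}
    for r in rules:
        by_sid.setdefault(r['sid'], []).append(r['msg'])
    return {sid: msgs for sid, msgs in by_sid.items() if len(msgs) > 1}


def rule_fires(rule, raw_uri):
    """Dry-run the URI-side checks of one rule against a request URI (simplified model)."""
    uri = unquote(raw_uri)  # http_inspect hands uricontent/pcre-U a normalized (decoded) URI
    for needle, nocase in rule['uri_checks']:
        hay, n = (uri.lower(), needle.lower()) if nocase else (uri, needle)
        if n not in hay:
            return False
    for pattern, flags in rule['pcres']:
        if 'U' in flags and not re.search(pattern, uri, re.I if 'i' in flags else 0):
            return False
    return True


# Constructed request URIs: four that exercise a rule, one that differs only in the
# case of a query-string key, and one benign request.
SAMPLE_URIS = [
    "/classifiedsblaster/tr.php?id=1%20union%20select%201,2,3",
    "/index.php?content=../../../../etc/passwd",
    "/crea.php?plancia=http://example.invalid/x.txt",
    "/showcategory.php?cid=5%20union%20select%201",
    "/showcategory.php?CID=5%20UNION%20SELECT%201",  # 'cid=' has no nocase, so this misses
    "/index.php?content=home",
]


def dry_run(text=SAMPLE_RULES, uris=SAMPLE_URIS):
    """Return {uri: sorted list of msgs whose URI checks all pass}."""
    rules = load_rules(text)
    return {uri: sorted(r['msg'] for r in rules if rule_fires(r, uri)) for uri in uris}


if __name__ == '__main__':
    for sid, msgs in lint_sids(load_rules(SAMPLE_RULES)).items():
        print(f"duplicate sid {sid}: {msgs}")
    for uri, hits in dry_run().items():
        print(f"{uri} -> {hits or 'no match'}")
```

The duplicate-sid check is the one that matters most operationally: Snort keys alerts and thresholds on gen-id/sig-id, so two rules sharing a sid become indistinguishable in alert output and in threshold.conf. The dry-run also makes the case-sensitivity of a uricontent without nocase visible on a concrete request, which is easier to reason about than reading the option list.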
From emerging at emergingthreats.net Sat Nov 29 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 29 Nov 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081129210008.434C34501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Nov 29 16:00:08 2008 [***]

[+++] Added rules: [+++]
2008800 - ET CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December 2008 (emerging.rules)
2008801 - ET CURRENT_EVENTS Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 (emerging.rules)
2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules)
2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules)
2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules)
2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules)
2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules)
2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules)
2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules)
2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules)
2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules)
2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules)
2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules)
2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules)
2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules)
2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules)
2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]
2008690 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1) (emerging-exploit.rules)
2008691 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2) (emerging-exploit.rules)
2008692 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3) (emerging-exploit.rules)
2008693 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4) (emerging-exploit.rules)
2008694 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5) (emerging-exploit.rules)
2008695 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6) (emerging-exploit.rules)
2008696 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7) (emerging-exploit.rules)
2008697 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8) (emerging-exploit.rules)
2008698 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9) (emerging-exploit.rules)
2008699 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10) (emerging-exploit.rules)
2008700 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (emerging-exploit.rules)
2008701 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11) (emerging-exploit.rules)
2008702 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12) (emerging-exploit.rules)
2008703 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13) (emerging-exploit.rules)
2008704 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14) (emerging-exploit.rules)
2008705 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) (emerging-exploit.rules)
2008706 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16) (emerging-exploit.rules)
2008707 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17) (emerging-exploit.rules)
2008708 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18) (emerging-exploit.rules)
2008709 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19)
(emerging-exploit.rules) 2008710 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20) (emerging-exploit.rules) 2008711 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21) (emerging-exploit.rules) 2008712 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22) (emerging-exploit.rules) 2008713 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23) (emerging-exploit.rules) 2008714 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24) (emerging-exploit.rules) 2008715 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25) (emerging-exploit.rules) 2008716 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26) (emerging-exploit.rules) 2008717 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27) (emerging-exploit.rules) 2008718 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28) (emerging-exploit.rules) 2008719 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29) (emerging-exploit.rules) 2008720 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30) (emerging-exploit.rules) 2008721 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2) (emerging-exploit.rules) 2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules) 2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) 
(emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network 
Monitored Domains (29) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules) 2406050 - ET RBN Known 
Russian Business Network Monitored Domains (51) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network Monitored Domains (72) 
(emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) 
(emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN 
Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) 
(emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 84 # Updated 2008-11-29 08:34:23 -> Added to emerging-rbn.rules (2): # VERSION 84 # Updated 2008-11-29 08:34:23 -> Added to emerging-sid-msg.map (32): 2008800 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008801 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt From Dates 
25/11-01/12 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2406090 || ET RBN Known Russian Business Network Monitored Domains (91) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406091 || ET RBN Known Russian Business Network Monitored Domains (92) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406092 || ET RBN Known Russian Business Network Monitored Domains (93) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406093 || ET RBN Known Russian Business Network Monitored Domains (94) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406094 || ET RBN Known Russian Business Network Monitored Domains (95) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406095 || ET RBN Known Russian Business Network Monitored Domains (96) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406096 || ET RBN Known Russian Business Network Monitored Domains (97) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406097 || ET RBN Known Russian Business Network Monitored Domains (98) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406098 || ET RBN Known Russian Business Network Monitored Domains (99) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406099 || ET RBN Known Russian Business Network Monitored Domains (100) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406100 || ET RBN Known Russian Business Network Monitored Domains (101) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406101 || ET RBN Known Russian Business Network Monitored Domains (102) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406102 || ET RBN Known Russian Business Network Monitored Domains (103) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406103 || ET RBN Known Russian Business Network Monitored Domains (104) 
|| url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406104 || ET RBN Known Russian Business Network Monitored Domains (105) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407090 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407091 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407092 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407093 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407094 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407095 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407096 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407097 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407098 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407099 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407100 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407101 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407102 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407103 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407104 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork -> Added to emerging-sid-msg.map.txt (32): 2008800 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008801 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2406090 || ET RBN Known Russian Business Network Monitored Domains (91) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406091 || ET RBN Known Russian Business Network Monitored Domains (92) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406092 || ET RBN Known Russian Business Network Monitored Domains (93) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406093 || ET RBN Known Russian Business Network Monitored Domains (94) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406094 || ET RBN Known Russian Business Network Monitored Domains (95) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406095 || ET RBN Known Russian Business Network Monitored Domains (96) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406096 || ET RBN Known Russian Business Network Monitored Domains (97) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406097 || ET RBN Known Russian Business Network Monitored Domains (98) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406098 || ET RBN Known Russian Business Network Monitored Domains (99) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406099 || ET RBN Known Russian Business Network Monitored Domains (100) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406100 || ET RBN Known Russian Business Network Monitored Domains (101) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406101 || ET RBN Known Russian Business Network Monitored Domains (102) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406102 || ET RBN Known Russian Business Network Monitored Domains (103) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406103 || ET RBN Known Russian Business Network Monitored Domains (104) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406104 || ET RBN Known Russian Business Network Monitored Domains (105) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407090 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407091 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407092 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407093 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407094 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407095 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407096 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407097 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407098 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407099 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407100 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407101 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407102 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407103 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407104 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

-> Added to emerging.rules (1):
#by Kevin Ross

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 83
# Updated 2008-11-22 06:38:27

-> Removed from emerging-rbn.rules (2):
# VERSION 83
# Updated 2008-11-22 06:38:27

From emerging at emergingthreats.net Sat Nov 29 18:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 29 Nov 2008 18:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20081129230008.46FF24501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Nov 29 18:00:08 2008 [***]

[+++] Added rules: [+++]
2002171 - ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 1) (emerging-web.rules)
2002172 - ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 2) (emerging-web.rules)
2002173 - ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 3) (emerging-web.rules)
2002174 - ET WEB_ACTIVEX CLSID Pattern Matched (emerging-web.rules)
2002308 - ET WEB_ACTIVEX Internet Explorer Vulnerable CLSID (Msdds.dll) (emerging-web.rules)
2002491 - ET WEB_ACTIVEX COM Object MS05-052 (group 1) (emerging-web.rules)
2002492 - ET WEB_ACTIVEX COM Object MS05-052 (group 2) (emerging-web.rules)
2002493 - ET WEB_ACTIVEX COM Object MS05-052 (group 3) (emerging-web.rules)
2002674 - ET WEB_ACTIVEX Sony DRM Reporting 2 (emerging-web.rules)
2002675 - ET WEB_ACTIVEX Sony DRM Reporting 1 (emerging-web.rules)
2002679 - ET WEB_ACTIVEX Sony DRM Related - CodeSupport ActiveX Attempt (emerging-web.rules)
2002680 - ET WEB_ACTIVEX Sony DRM - Uninstaller CLSID (emerging-web.rules)
2002724 - ET WEB_ACTIVEX MciWndx ActiveX Control (emerging-web.rules)
2002725 - ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054 (emerging-web.rules)
2002861 - ET WEB_ACTIVEX Danim.dll and Dxtmsft.dll COM Objects (emerging-web.rules)
2002971 - ET WEB_ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption (emerging-web.rules)
2003077 - ET WEB_ACTIVEX COM Object MS06-042 (group 1) (emerging-web.rules)
2003078 - ET WEB_ACTIVEX COM Object MS06-042 (group 2) (emerging-web.rules)
2003079 - ET WEB_ACTIVEX COM Object MS06-042 (group 3) (emerging-web.rules)
2003080 - ET WEB_ACTIVEX COM Object MS06-042 (group 4) (emerging-web.rules)
2003102 - ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call CLSID (emerging-web.rules)
2003103 - ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call Object (emerging-web.rules)
2003104 - ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID (emerging-web.rules)
2003105 - ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object (emerging-web.rules)
2003158 - ET WEB_ACTIVEX Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID (emerging-web.rules)
2003159 - ET WEB_ACTIVEX Microsoft VsmIDE.DTE object call CSLID (emerging-web.rules)
2003160 - ET WEB_ACTIVEX Microsoft DExplore.AppObj.8.0 object call CSLID (emerging-web.rules)
2003161 - ET WEB_ACTIVEX Microsoft VisualStudio.DTE.8.0 object call CSLID (emerging-web.rules)
2003162 - ET WEB_ACTIVEX Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID (emerging-web.rules)
2003163 - ET WEB_ACTIVEX Microsoft VsaIDE.DTE object call CSLID (emerging-web.rules)
2003164 - ET WEB_ACTIVEX Microsoft Business Object Factory object call CSLID (emerging-web.rules)
2003165 - ET WEB_ACTIVEX Microsoft Outlook Data Object object call CSLID (emerging-web.rules)
2003166 - ET WEB_ACTIVEX Microsoft Outlook.Application object call CSLID (emerging-web.rules)
2003231 - ET WEB_ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (emerging-web.rules)
2003232 - ET WEB_ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) (emerging-web.rules)
2003233 - ET WEB_ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (emerging-web.rules)
2003234 - ET WEB_ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) (emerging-web.rules)
2003328 - ET WEB_ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow (emerging-web.rules)
2003514 - ET WEB_ACTIVEX Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 (emerging-web.rules)
2007850 - ET WEB_ACTIVEX Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability (emerging-web.rules)
2007852 - ET WEB_ACTIVEX Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit (emerging-web.rules)
2007853 - ET WEB_ACTIVEX ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability (emerging-web.rules)
2007904 - ET WEB_ACTIVEX RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability (emerging-web.rules)
2007907 - ET WEB_ACTIVEX Move Networks Quantum Streaming Player Control UploadLogs() BOF (emerging-web.rules)
2007931 - ET WEB_ACTIVEX IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability (emerging-web.rules)
2007932 - ET WEB_ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability (emerging-web.rules)
2008099 - ET WEB_ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite (emerging-web.rules)
2008607 - ET WEB_ACTIVEX Chilkat IMAP ActiveX File Execution and IE DoS (emerging-web.rules)
2008612 - ET WEB_ACTIVEX Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method (emerging-web.rules)
2008613 - ET WEB_ACTIVEX GdPicture Pro ActiveX control SaveAsPDF Insecure Method (emerging-web.rules)
2008618 - ET WEB_ACTIVEX IAS Helper COM Component iashlpr.dll activex remote DOS (emerging-web.rules)
2008619 - ET WEB_ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow (emerging-web.rules)
2008620 - ET WEB_ACTIVEX Internet Information Service iisext.dll activex setpassword Insecure Method (emerging-web.rules)
2008621 - ET WEB_ACTIVEX Internet Information Service adsiis.dll activex remote DOS (emerging-web.rules)
2008673 - ET WEB_ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack (emerging-web.rules)
2008678 - ET WEB_ACTIVEX Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods (emerging-web.rules)
2008683 - ET WEB_ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow (emerging-web.rules)
2008792 - ET WEB_ACTIVEX Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service (emerging-web.rules)
2008796 - ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected (emerging.rules)
2008797 - ET MALWARE Suspicious User-Agent (miip) (emerging-malware.rules)
2008798 - ET MALWARE Zenosearch Malware Checkin HTTP POST (2) (emerging-malware.rules)
2008799 - ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download (emerging.rules)
2008800 - ET CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December 2008 (emerging.rules)
2008801 - ET CURRENT_EVENTS Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 (emerging.rules)
2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules)
2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules)
2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules)
2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules)
2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules)
2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules)
2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules)
2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules)
2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules)
2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules)
2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules)
2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules)
2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules)
2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules)
2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]
2007705 - ET WEB Neosploit 1.5.x URL Loader (emerging-web.rules)
2007878 - ET WEB_ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow (emerging-web.rules)
2007998 - ET WEB_ACTIVEX Rediff Bol Downloader ActiveX Control Remote Code Execution (emerging-web.rules)
2008062 - ET WEB_ACTIVEX Univeral HTTP File Upload Remote File Deletetion (emerging-web.rules)
2008126 - ET WEB_ACTIVEX IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method (emerging-web.rules)
2008127 - ET WEB_ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods (emerging-web.rules)
2008128 - ET WEB_ACTIVEX Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit (emerging-web.rules)
2008129 - ET WEB_ACTIVEX LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite (emerging-web.rules)
2008173 - ET WEB_ACTIVEX PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability (emerging-web.rules)
2008225 - ET WEB_ACTIVEX Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit (emerging-web.rules)
2008226 - ET WEB_ACTIVEX Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit (emerging-web.rules)
2008227 - ET WEB_ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit (emerging-web.rules)
2008405 - ET TROJAN Obitel trojan calling home (emerging-virus.rules)
2008690 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1) (emerging-exploit.rules)
2008691 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2) (emerging-exploit.rules)
2008692 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3) (emerging-exploit.rules)
2008693 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4) (emerging-exploit.rules)
2008694 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5) (emerging-exploit.rules)
2008695 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6) (emerging-exploit.rules)
2008696 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7) (emerging-exploit.rules)
2008697 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8) (emerging-exploit.rules)
2008698 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9) (emerging-exploit.rules)
2008699 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10) (emerging-exploit.rules)
2008700 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (emerging-exploit.rules)
2008701 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11) (emerging-exploit.rules)
2008702 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12) (emerging-exploit.rules)
2008703 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13) (emerging-exploit.rules)
2008704 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14) (emerging-exploit.rules)
2008705 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) (emerging-exploit.rules)
2008706 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16) (emerging-exploit.rules)
2008707 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17) (emerging-exploit.rules)
2008708 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18) (emerging-exploit.rules)
2008709 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19) (emerging-exploit.rules)
2008710 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20) (emerging-exploit.rules)
2008711 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21) (emerging-exploit.rules)
2008712 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22) (emerging-exploit.rules)
2008713 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23) (emerging-exploit.rules)
2008714 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24) (emerging-exploit.rules)
2008715 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25) (emerging-exploit.rules)
2008716 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26) (emerging-exploit.rules)
2008717 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27) (emerging-exploit.rules)
2008718 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28) (emerging-exploit.rules)
2008719 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29) (emerging-exploit.rules)
2008720 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30) (emerging-exploit.rules)
2008721 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2) (emerging-exploit.rules)
2008783 - ET POLICY Possible Trojan File Download - Rar Requested but not received (emerging-policy.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules)
2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules)
2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules)
2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules)
2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules)
2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules)
2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules)
2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules)
2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)
2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)
2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules)
2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules)
2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules)
2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules)
2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules)
2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules)
2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules)
2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules)
2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules)
2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules)
2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules)
2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules)
2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules)
2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules)
2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules)
2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules)
2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules)
2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules)
2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules)
2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules)
2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules)
2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules)
2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules)
2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules)
2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules)
2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules)
2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules)
2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules)
2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules)
2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules)
2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules)
2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules)
2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules)
2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules)
2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules)
2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules)
2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules)
2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules)
2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules)
2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules)
2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules)
2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules)
2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules)
2407073 -
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) [---] Removed rules: [---] 2002171 - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 1) (emerging-exploit.rules) 2002172 - ET 
EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 2) (emerging-exploit.rules) 2002173 - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 3) (emerging-exploit.rules) 2002174 - ET EXPLOIT CLSID Pattern Matched (emerging-exploit.rules) 2002308 - ET EXPLOIT Internet Explorer Vulnerable CLSID (Msdds.dll) (emerging-exploit.rules) 2002491 - ET EXPLOIT COM Object MS05-052 (group 1) (emerging-exploit.rules) 2002492 - ET EXPLOIT COM Object MS05-052 (group 2) (emerging-exploit.rules) 2002493 - ET EXPLOIT COM Object MS05-052 (group 3) (emerging-exploit.rules) 2002674 - ET MALWARE Sony DRM Reporting 2 (emerging-malware.rules) 2002675 - ET MALWARE Sony DRM Reporting 1 (emerging-malware.rules) 2002679 - ET MALWARE Sony DRM Related - CodeSupport ActiveX Attempt (emerging-malware.rules) 2002680 - ET MALWARE Sony DRM - Uninstaller CLSID (emerging-malware.rules) 2002724 - ET EXPLOIT MciWndx ActiveX Control (emerging-exploit.rules) 2002725 - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 (emerging-exploit.rules) 2002861 - ET EXPLOIT Danim.dll and Dxtmsft.dll COM Objects (emerging-exploit.rules) 2002971 - ET EXPLOIT Wmm2fxa.dll COM Object Instantiation Memory Corruption (emerging-exploit.rules) 2003077 - ET EXPLOIT COM Object MS06-042 (group 1) (emerging-exploit.rules) 2003078 - ET EXPLOIT COM Object MS06-042 (group 2) (emerging-exploit.rules) 2003079 - ET EXPLOIT COM Object MS06-042 (group 3) (emerging-exploit.rules) 2003080 - ET EXPLOIT COM Object MS06-042 (group 4) (emerging-exploit.rules) 2003102 - ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID (emerging-exploit.rules) 2003103 - ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object (emerging-exploit.rules) 2003104 - ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID (emerging-exploit.rules) 2003105 - ET EXPLOIT Microsoft Multimedia Controls - 
ActiveX control's KeyFrame function call Object (emerging-exploit.rules) 2003158 - ET EXPLOIT Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID (emerging-exploit.rules) 2003159 - ET EXPLOIT Microsoft VsmIDE.DTE object call CSLID (emerging-exploit.rules) 2003160 - ET EXPLOIT Microsoft DExplore.AppObj.8.0 object call CSLID (emerging-exploit.rules) 2003161 - ET EXPLOIT Microsoft VisualStudio.DTE.8.0 object call CSLID (emerging-exploit.rules) 2003162 - ET EXPLOIT Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID (emerging-exploit.rules) 2003163 - ET EXPLOIT Microsoft VsaIDE.DTE object call CSLID (emerging-exploit.rules) 2003164 - ET EXPLOIT Microsoft Business Object Factory object call CSLID (emerging-exploit.rules) 2003165 - ET EXPLOIT Microsoft Outlook Data Object object call CSLID (emerging-exploit.rules) 2003166 - ET EXPLOIT Microsoft Outlook.Application object call CSLID (emerging-exploit.rules) 2003231 - ET EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (emerging-exploit.rules) 2003232 - ET EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) (emerging-exploit.rules) 2003233 - ET EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (emerging-exploit.rules) 2003234 - ET EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) (emerging-exploit.rules) 2003328 - ET WEB-CLIENT NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow (emerging-exploit.rules) 2003514 - ET EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 (emerging-exploit.rules) 2007818 - ET WEB Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure Method Vulnerability (emerging-web.rules) 2007819 - ET WEB Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure Method Vulnerability (emerging-web.rules) 2007850 - ET EXPLOIT Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability 
(emerging-exploit.rules) 2007852 - ET EXPLOIT Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit (emerging-exploit.rules) 2007853 - ET EXPLOIT ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability (emerging-exploit.rules) 2007903 - ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability (emerging-exploit.rules) 2007904 - ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability (emerging-exploit.rules) 2007905 - ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability (emerging-exploit.rules) 2007907 - ET EXPLOIT Move Networks Quantum Streaming Player Control UploadLogs() BOF (emerging-exploit.rules) 2007931 - ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability (emerging-exploit.rules) 2007932 - ET EXPLOIT Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability (emerging-exploit.rules) 2008099 - ET EXPLOIT ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite (emerging-exploit.rules) 2008607 - ET EXPLOIT Chilkat IMAP ActiveX File Execution and IE DoS (emerging-exploit.rules) 2008612 - ET EXPLOIT Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method (emerging-exploit.rules) 2008613 - ET EXPLOIT GdPicture Pro ActiveX control SaveAsPDF Insecure Method (emerging-exploit.rules) 2008618 - ET DOS IAS Helper COM Component iashlpr.dll activex remote DOS (emerging-dos.rules) 2008619 - ET EXPLOIT Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow (emerging-exploit.rules) 2008620 - ET EXPLOIT Internet Information Service iisext.dll activex setpassword Insecure Method (emerging-exploit.rules) 2008621 - ET EXPLOIT Internet Information Service adsiis.dll activex remote DOS (emerging-exploit.rules) 2008673 - ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack (emerging-exploit.rules) 2008678 - ET EXPLOIT Hummingbird 
Deployment Wizard 2008 ActiveX Insecure Methods (emerging-exploit.rules) 2008683 - ET EXPLOIT Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow (emerging-exploit.rules) 2008792 - ET EXPLOIT Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service (emerging-exploit.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-drop-BLOCK.rules (2): # VERSION 1373 # Generated 2008-11-29 00:03:02 EDT -> Added to emerging-drop.rules (2): # VERSION 1373 # Generated 2008-11-29 00:03:02 EDT -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 84 # Updated 2008-11-29 08:34:23 -> Added to emerging-rbn.rules (2): # VERSION 84 # Updated 2008-11-29 08:34:23 -> Added to emerging-sid-msg.map (115): 2002171 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002172 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002173 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002174 || ET WEB_ACTIVEX CLSID Pattern Matched 2002308 || ET WEB_ACTIVEX Internet Explorer Vulnerable CLSID (Msdds.dll) || url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php 2002491 || ET WEB_ACTIVEX COM Object MS05-052 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002492 || ET WEB_ACTIVEX COM Object MS05-052 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002493 || ET WEB_ACTIVEX COM Object MS05-052 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002674 || ET WEB_ACTIVEX Sony DRM Reporting 2 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html 2002675 
|| ET WEB_ACTIVEX Sony DRM Reporting 1 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html 2002679 || ET WEB_ACTIVEX Sony DRM Related - CodeSupport ActiveX Attempt || url,www.hack.fi/~muzzy/sony-drm/ || url,www.frsirt.com/english/advisories/2005/2454 2002680 || ET WEB_ACTIVEX Sony DRM - Uninstaller CLSID || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || url,www.frsirt.com/english/advisories/2005/2493 || url,www.freedom-to-tinker.com/?p=931 2002724 || ET WEB_ACTIVEX MciWndx ActiveX Control || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx 2002725 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054 || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || cve,2005-2831 2002861 || ET WEB_ACTIVEX Danim.dll and Dxtmsft.dll COM Objects || url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx || cve,2006-1186 2002971 || ET WEB_ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303 2003077 || ET WEB_ACTIVEX COM Object MS06-042 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003078 || ET WEB_ACTIVEX COM Object MS06-042 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003079 || ET WEB_ACTIVEX COM Object MS06-042 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003080 || ET WEB_ACTIVEX COM Object MS06-042 (group 4) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003102 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call CLSID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841 2003103 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url, 
www.osvdb.org/displayvuln.php?osvdb_id=28841 2003104 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 2003105 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 2003158 || ET WEB_ACTIVEX Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID || url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx || cve,2006-4704 || url,secunia.com/advisories/22603 || url,www.securityfocus.com/bid/20843 2003159 || ET WEB_ACTIVEX Microsoft VsmIDE.DTE object call CSLID 2003160 || ET WEB_ACTIVEX Microsoft DExplore.AppObj.8.0 object call CSLID 2003161 || ET WEB_ACTIVEX Microsoft VisualStudio.DTE.8.0 object call CSLID 2003162 || ET WEB_ACTIVEX Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID 2003163 || ET WEB_ACTIVEX Microsoft VsaIDE.DTE object call CSLID 2003164 || ET WEB_ACTIVEX Microsoft Business Object Factory object call CSLID 2003165 || ET WEB_ACTIVEX Microsoft Outlook Data Object object call CSLID 2003166 || ET WEB_ACTIVEX Microsoft Outlook.Application object call CSLID 2003231 || ET WEB_ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url, osvdb.org/10705 2003232 || ET WEB_ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 || url, osvdb.org/10705 2003233 || ET WEB_ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url, osvdb.org/7913 2003234 || ET WEB_ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url, osvdb.org/7913 2003328 || ET WEB_ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow || url,secunia.com/advisories/23475/ || cve,2007-0018 2003514 || ET WEB_ACTIVEX Possible Microsoft Internet Explorer 
ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577 2007850 || ET WEB_ACTIVEX Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/4979 || bugtraq,27438 2007852 || ET WEB_ACTIVEX Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit || bugtraq,27193 || url,www.milw0rm.com/exploits/4982 2007853 || ET WEB_ACTIVEX ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability || bugtraq,27439 || url,www.milw0rm.com/exploits/4981 2007878 || ET WEB_ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow || url,www.milw0rm.com/exploits/5110 || cve,CVE-2008-0778 || bugtraq,27769 2007904 || ET WEB_ACTIVEX RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010 2007907 || ET WEB_ACTIVEX Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.milw0rm.com/exploits/5190 2007931 || ET WEB_ACTIVEX IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 || url,www.milw0rm.com/exploits/3877 2007932 || ET WEB_ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability || bugtraq,28008 || cve,CVE-2007-6017 || url,www.milw0rm.com/exploits/5205 2007998 || ET WEB_ACTIVEX Rediff Bol Downloader ActiveX Control Remote Code Execution || url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || bugtraq,21831 || cve,CVE-2006-6838 2008062 || ET WEB_ACTIVEX Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272 2008099 || ET WEB_ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite || url,www.milw0rm.com/exploits/5338 || bugtraq,28546 2008126 || ET WEB_ACTIVEX IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method || 
url,www.milw0rm.com/exploits/5416 2008127 || ET WEB_ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959 2008128 || ET WEB_ACTIVEX Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit || url,www.milw0rm.com/exploits/5398 || bugtraq,28662 2008129 || ET WEB_ACTIVEX LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite || cve,CVE-2008-1605 || bugtraq,28442 || url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html 2008173 || ET WEB_ACTIVEX PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability || bugtraq,25502 2008225 || ET WEB_ACTIVEX Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit || url,www.milw0rm.com/exploits/5569 2008226 || ET WEB_ACTIVEX Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit || url,www.milw0rm.com/exploits/5530 || url,www.milw0rm.com/exploits/5460 || bugtraq,28820 2008227 || ET WEB_ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.milw0rm.com/exploits/5573 2008607 || ET WEB_ACTIVEX Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600 2008612 || ET WEB_ACTIVEX Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method || url,secunia.com/Advisories/31989/ || url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html 2008613 || ET WEB_ACTIVEX GdPicture Pro ActiveX control SaveAsPDF Insecure Method || url,milw0rm.com/exploits/6638 || url,secunia.com/Advisories/31966/ 2008618 || ET WEB_ACTIVEX IAS Helper COM Component iashlpr.dll activex remote DOS || url,securityreason.com/securityalert/4323 || cve,2008-2639 || url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded 2008619 || ET WEB_ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow || url,securitytracker.com/alerts/2008/Sep/1020951.html || bugtraq,31435 2008620 || ET WEB_ACTIVEX Internet Information 
Service iisext.dll activex setpassword Insecure Method || url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded || cve,2008-4301 2008621 || ET WEB_ACTIVEX Internet Information Service adsiis.dll activex remote DOS || url,securityreason.com/securityalert/4325 || cve,2008-4300 2008673 || ET WEB_ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699 2008678 || ET WEB_ACTIVEX Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods || url,secunia.com/Advisories/32337/ 2008683 || ET WEB_ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow || url,www.milw0rm.com/exploits/6793 || bugtraq,31814 2008792 || ET WEB_ACTIVEX Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service || bugtraq,31996 2008796 || ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected 2008797 || ET MALWARE Suspicious User-Agent (miip) 2008798 || ET MALWARE Zenosearch Malware Checkin HTTP POST (2) 2008799 || ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download 2008800 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008801 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2406090 || ET RBN Known Russian Business Network Monitored Domains (91) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406091 || ET RBN Known Russian Business Network Monitored Domains (92) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406092 || ET RBN Known Russian Business Network Monitored Domains (93) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406093 || ET RBN Known Russian Business Network Monitored Domains (94) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406094 || ET RBN Known 
Russian Business Network Monitored Domains (95) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406095 || ET RBN Known Russian Business Network Monitored Domains (96) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406096 || ET RBN Known Russian Business Network Monitored Domains (97) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406097 || ET RBN Known Russian Business Network Monitored Domains (98) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406098 || ET RBN Known Russian Business Network Monitored Domains (99) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406099 || ET RBN Known Russian Business Network Monitored Domains (100) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406100 || ET RBN Known Russian Business Network Monitored Domains (101) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406101 || ET RBN Known Russian Business Network Monitored Domains (102) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406102 || ET RBN Known Russian Business Network Monitored Domains (103) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406103 || ET RBN Known Russian Business Network Monitored Domains (104) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406104 || ET RBN Known Russian Business Network Monitored Domains (105) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407090 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407091 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407092 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407093 || ET RBN Known 
Russian Business Network Monitored Domains - BLOCKING (94) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407094 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407095 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407096 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407097 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407098 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407099 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407100 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407101 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407102 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407103 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407104 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500077 || ET COMPROMISED Known Compromised or Hostile Host Traffic (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500078 || ET COMPROMISED Known Compromised or Hostile Host Traffic 
(79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500079 || ET COMPROMISED Known Compromised or Hostile Host Traffic (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500080 || ET COMPROMISED Known Compromised or Hostile Host Traffic (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500081 || ET COMPROMISED Known Compromised or Hostile Host Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510077 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510078 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510079 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510080 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510081 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (115): 2002171 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002172 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002173 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002174 || ET WEB_ACTIVEX CLSID Pattern Matched 2002308 || ET WEB_ACTIVEX Internet Explorer Vulnerable CLSID (Msdds.dll) || url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php 2002491 || ET WEB_ACTIVEX COM Object MS05-052 
(group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002492 || ET WEB_ACTIVEX COM Object MS05-052 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002493 || ET WEB_ACTIVEX COM Object MS05-052 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002674 || ET WEB_ACTIVEX Sony DRM Reporting 2 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html 2002675 || ET WEB_ACTIVEX Sony DRM Reporting 1 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html 2002679 || ET WEB_ACTIVEX Sony DRM Related - CodeSupport ActiveX Attempt || url,www.hack.fi/~muzzy/sony-drm/ || url,www.frsirt.com/english/advisories/2005/2454 2002680 || ET WEB_ACTIVEX Sony DRM - Uninstaller CLSID || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || url,www.frsirt.com/english/advisories/2005/2493 || url,www.freedom-to-tinker.com/?p=931 2002724 || ET WEB_ACTIVEX MciWndx ActiveX Control || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx 2002725 || ET WEB_ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054 || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || cve,2005-2831 2002861 || ET WEB_ACTIVEX Danim.dll and Dxtmsft.dll COM Objects || url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx || cve,2006-1186 2002971 || ET WEB_ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303 2003077 || ET WEB_ACTIVEX COM Object MS06-042 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003078 || ET WEB_ACTIVEX COM Object MS06-042 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003079 || ET WEB_ACTIVEX COM Object MS06-042 (group 3) || 
url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003080 || ET WEB_ACTIVEX COM Object MS06-042 (group 4) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003102 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call CLSID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841 2003103 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url, www.osvdb.org/displayvuln.php?osvdb_id=28841 2003104 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 2003105 || ET WEB_ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 2003158 || ET WEB_ACTIVEX Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID || url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx || cve,2006-4704 || url,secunia.com/advisories/22603 || url,www.securityfocus.com/bid/20843 2003159 || ET WEB_ACTIVEX Microsoft VsmIDE.DTE object call CSLID 2003160 || ET WEB_ACTIVEX Microsoft DExplore.AppObj.8.0 object call CSLID 2003161 || ET WEB_ACTIVEX Microsoft VisualStudio.DTE.8.0 object call CSLID 2003162 || ET WEB_ACTIVEX Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID 2003163 || ET WEB_ACTIVEX Microsoft VsaIDE.DTE object call CSLID 2003164 || ET WEB_ACTIVEX Microsoft Business Object Factory object call CSLID 2003165 || ET WEB_ACTIVEX Microsoft Outlook Data Object object call CSLID 2003166 || ET WEB_ACTIVEX Microsoft Outlook.Application object call CSLID 2003231 || ET WEB_ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url, osvdb.org/10705 2003232 || ET WEB_ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 
|| url, osvdb.org/10705 2003233 || ET WEB_ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url, osvdb.org/7913 2003234 || ET WEB_ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url, osvdb.org/7913 2003328 || ET WEB_ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow || url,secunia.com/advisories/23475/ || cve,2007-0018 2003514 || ET WEB_ACTIVEX Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577 2007850 || ET WEB_ACTIVEX Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/4979 || bugtraq,27438 2007852 || ET WEB_ACTIVEX Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit || bugtraq,27193 || url,www.milw0rm.com/exploits/4982 2007853 || ET WEB_ACTIVEX ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability || bugtraq,27439 || url,www.milw0rm.com/exploits/4981 2007878 || ET WEB_ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow || url,www.milw0rm.com/exploits/5110 || cve,CVE-2008-0778 || bugtraq,27769 2007904 || ET WEB_ACTIVEX RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010 2007907 || ET WEB_ACTIVEX Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.milw0rm.com/exploits/5190 2007931 || ET WEB_ACTIVEX IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 || url,www.milw0rm.com/exploits/3877 2007932 || ET WEB_ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability || bugtraq,28008 || cve,CVE-2007-6017 || url,www.milw0rm.com/exploits/5205 2007998 || ET WEB_ACTIVEX Rediff Bol 
Downloader ActiveX Control Remote Code Execution || url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || bugtraq,21831 || cve,CVE-2006-6838 2008062 || ET WEB_ACTIVEX Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272 2008099 || ET WEB_ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite || url,www.milw0rm.com/exploits/5338 || bugtraq,28546 2008126 || ET WEB_ACTIVEX IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method || url,www.milw0rm.com/exploits/5416 2008127 || ET WEB_ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959 2008128 || ET WEB_ACTIVEX Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit || url,www.milw0rm.com/exploits/5398 || bugtraq,28662 2008129 || ET WEB_ACTIVEX LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite || cve,CVE-2008-1605 || bugtraq,28442 || url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html 2008173 || ET WEB_ACTIVEX PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability || bugtraq,25502 2008225 || ET WEB_ACTIVEX Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit || url,www.milw0rm.com/exploits/5569 2008226 || ET WEB_ACTIVEX Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit || url,www.milw0rm.com/exploits/5530 || url,www.milw0rm.com/exploits/5460 || bugtraq,28820 2008227 || ET WEB_ACTIVEX Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.milw0rm.com/exploits/5573 2008607 || ET WEB_ACTIVEX Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600 2008612 || ET WEB_ACTIVEX Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method || url,secunia.com/Advisories/31989/ || url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html 2008613 || ET WEB_ACTIVEX GdPicture Pro ActiveX control SaveAsPDF Insecure Method || 
url,milw0rm.com/exploits/6638 || url,secunia.com/Advisories/31966/ 2008618 || ET WEB_ACTIVEX IAS Helper COM Component iashlpr.dll activex remote DOS || url,securityreason.com/securityalert/4323 || cve,2008-2639 || url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded 2008619 || ET WEB_ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow || url,securitytracker.com/alerts/2008/Sep/1020951.html || bugtraq,31435 2008620 || ET WEB_ACTIVEX Internet Information Service iisext.dll activex setpassword Insecure Method || url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded || cve,2008-4301 2008621 || ET WEB_ACTIVEX Internet Information Service adsiis.dll activex remote DOS || url,securityreason.com/securityalert/4325 || cve,2008-4300 2008673 || ET WEB_ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699 2008678 || ET WEB_ACTIVEX Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods || url,secunia.com/Advisories/32337/ 2008683 || ET WEB_ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow || url,www.milw0rm.com/exploits/6793 || bugtraq,31814 2008792 || ET WEB_ACTIVEX Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service || bugtraq,31996 2008796 || ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected 2008797 || ET MALWARE Suspicious User-Agent (miip) 2008798 || ET MALWARE Zenosearch Malware Checkin HTTP POST (2) 2008799 || ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download 2008800 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008801 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2406090 || ET RBN Known Russian Business Network Monitored Domains (91) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406091 || ET RBN Known Russian Business Network Monitored Domains (92) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406092 || ET RBN Known Russian Business Network Monitored Domains (93) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406093 || ET RBN Known Russian Business Network Monitored Domains (94) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406094 || ET RBN Known Russian Business Network Monitored Domains (95) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406095 || ET RBN Known Russian Business Network Monitored Domains (96) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406096 || ET RBN Known Russian Business Network Monitored Domains (97) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406097 || ET RBN Known Russian Business Network Monitored Domains (98) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406098 || ET RBN Known Russian Business Network Monitored Domains (99) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406099 || ET RBN Known Russian Business Network Monitored Domains (100) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406100 || ET RBN Known Russian Business Network Monitored Domains (101) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406101 || ET RBN Known Russian Business Network Monitored Domains (102) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406102 || ET RBN Known Russian Business Network Monitored Domains (103) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406103 || ET RBN Known Russian Business Network Monitored Domains (104) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406104 || ET RBN Known Russian Business Network Monitored Domains (105) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407090 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407091 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407092 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407093 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407094 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407095 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407096 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407097 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407098 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407099 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407100 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407101 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407102 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407103 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407104 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500077 || ET COMPROMISED Known Compromised or Hostile Host Traffic (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500078 || ET COMPROMISED Known Compromised or Hostile Host Traffic (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500079 || ET COMPROMISED Known Compromised or Hostile Host Traffic (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500080 || ET COMPROMISED Known Compromised or Hostile Host Traffic (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500081 || ET COMPROMISED Known Compromised or Hostile Host Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510077 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510078 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510079 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510080 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510081 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-web.rules (19): #by Chandan S at Stillsecure #by stillsecure # Submitted 2006-09-18 by Christian Seifert, updated 2/5/07 # Submitted 2006-11-01 by Frank Knobbe # steven at securityzone #Updated by 
Christian Siefert 2/5/07 #Updated by Christian Siefert, 2/5/07 #By Blake Harstein at Demarc #These rules are separated for compatibility with Snort 2.3.3 (>850 characters per line), If you are using Snort >2.4.0 you can safely combine these into a single rule #This is for the new IE Exploit. It will be moved to it's own file shortly. It is staying put to make sure it's after the # clsid flowbits set above. #By Blake Harstein of Demarc #By Blake Hartstein from Demarc #by shirkdog and Blake hartstein #by stillsecure #by Veerendra at secpod #Blake Hartstein #By Michael Ligh #by Stillsecure (www.stillsecure.com) -> Added to emerging.rules (3): #by Kevin Ross #research by Daniel Clemens and mcafee #new mac dns changer trojan. Not a lot of detail yet, but this will catch the UA [---] Removed non-rule lines: [---] -> Removed from emerging-dos.rules (1): #by Stillsecure (stillsecure.com) -> Removed from emerging-drop-BLOCK.rules (2): # VERSION 1366 # Generated 2008-11-22 00:03:02 EDT -> Removed from emerging-drop.rules (2): # VERSION 1366 # Generated 2008-11-22 00:03:02 EDT -> Removed from emerging-exploit.rules (25): #by Stillsecure #by Chandan S at Stillsecure #by Stillsecure #by Akash Mahajan at stillsecure #by Stillsecure #by stillsecure # Submitted 2006-09-18 by Christian Seifert, updated 2/5/07 # Submitted 2006-11-01 by Frank Knobbe #Updated by Christian Siefert 2/5/07 #Updated by Christian Siefert, 2/5/07 # steven at securityzone #by Stillsecure (stillsecure.com) #By Blake Harstein at Demarc #These rules are separated for compatibility with Snort 2.3.3 (>850 characters per line), If you are using Snort >2.4.0 you can safely combine these into a single rule #This is for the new IE Exploit. It will be moved to it's own file shortly. It is staying put to make sure it's after the # clsid flowbits set above. 
#By Blake Harstein of Demarc #By Blake Hartstein from Demarc #by shirkdog and Blake hartstein #by stillsecure #by Veerendra at secpod #Blake Hartstein #by Stillsecure #by Akash Mahajan of stillsecure #by Stillsecure (www.stillsecure.com) -> Removed from emerging-malware.rules (2): #By Michael Ligh #by Blake Hartstein -> Removed from emerging-rbn-BLOCK.rules (2): # VERSION 83 # Updated 2008-11-22 06:38:27 -> Removed from emerging-rbn.rules (2): # VERSION 83 # Updated 2008-11-22 06:38:27 -> Removed from emerging-sid-msg.map (73): 2002171 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002172 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002173 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002174 || ET EXPLOIT CLSID Pattern Matched 2002308 || ET EXPLOIT Internet Explorer Vulnerable CLSID (Msdds.dll) || url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php 2002491 || ET EXPLOIT COM Object MS05-052 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002492 || ET EXPLOIT COM Object MS05-052 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002493 || ET EXPLOIT COM Object MS05-052 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002674 || ET MALWARE Sony DRM Reporting 2 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html 2002675 || ET MALWARE Sony DRM Reporting 1 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html 2002679 || ET MALWARE Sony DRM Related - CodeSupport ActiveX Attempt || url,www.hack.fi/~muzzy/sony-drm/ || 
url,www.frsirt.com/english/advisories/2005/2454 2002680 || ET MALWARE Sony DRM - Uninstaller CLSID || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || url,www.frsirt.com/english/advisories/2005/2493 || url,www.freedom-to-tinker.com/?p=931 2002724 || ET EXPLOIT MciWndx ActiveX Control || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx 2002725 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || cve,2005-2831 2002861 || ET EXPLOIT Danim.dll and Dxtmsft.dll COM Objects || url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx || cve,2006-1186 2002971 || ET EXPLOIT Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303 2003077 || ET EXPLOIT COM Object MS06-042 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003078 || ET EXPLOIT COM Object MS06-042 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003079 || ET EXPLOIT COM Object MS06-042 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003080 || ET EXPLOIT COM Object MS06-042 (group 4) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003102 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841 2003103 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url, www.osvdb.org/displayvuln.php?osvdb_id=28841 2003104 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 2003105 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object 
|| cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 2003158 || ET EXPLOIT Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID || url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx || cve,2006-4704 || url,secunia.com/advisories/22603 || url,www.securityfocus.com/bid/20843 2003159 || ET EXPLOIT Microsoft VsmIDE.DTE object call CSLID 2003160 || ET EXPLOIT Microsoft DExplore.AppObj.8.0 object call CSLID 2003161 || ET EXPLOIT Microsoft VisualStudio.DTE.8.0 object call CSLID 2003162 || ET EXPLOIT Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID 2003163 || ET EXPLOIT Microsoft VsaIDE.DTE object call CSLID 2003164 || ET EXPLOIT Microsoft Business Object Factory object call CSLID 2003165 || ET EXPLOIT Microsoft Outlook Data Object object call CSLID 2003166 || ET EXPLOIT Microsoft Outlook.Application object call CSLID 2003231 || ET EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url, osvdb.org/10705 2003232 || ET EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 || url, osvdb.org/10705 2003233 || ET EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url, osvdb.org/7913 2003234 || ET EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url, osvdb.org/7913 2003328 || ET WEB-CLIENT NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow || url,secunia.com/advisories/23475/ || cve,2007-0018 2003514 || ET EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577 2007818 || ET WEB Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5028 || bugtraq,27540 2007819 || ET WEB Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure Method 
Vulnerability || url,www.milw0rm.com/exploits/5005 || bugtraq,27493 2007850 || ET EXPLOIT Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/4979 || bugtraq,27438 2007852 || ET EXPLOIT Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit || bugtraq,27193 || url,www.milw0rm.com/exploits/4982 2007853 || ET EXPLOIT ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability || bugtraq,27439 || url,www.milw0rm.com/exploits/4981 2007878 || ET WEB Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow || url,www.milw0rm.com/exploits/5110 || cve,CVE-2008-0778 || bugtraq,27769 2007903 || ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010 2007904 || ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010 2007905 || ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010 2007907 || ET EXPLOIT Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.milw0rm.com/exploits/5190 2007931 || ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 || url,www.milw0rm.com/exploits/3877 2007932 || ET EXPLOIT Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability || bugtraq,28008 || cve,CVE-2007-6017 || url,www.milw0rm.com/exploits/5205 2007998 || ET WEB Rediff Bol Downloader ActiveX Control Remote Code Execution || url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || bugtraq,21831 || cve,CVE-2006-6838 2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272 2008099 || ET EXPLOIT ChilkatHttp ActiveX 2.3 Arbitrary 
Files Overwrite || url,www.milw0rm.com/exploits/5338 || bugtraq,28546 2008126 || ET WEB IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method || url,www.milw0rm.com/exploits/5416 2008127 || ET WEB Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959 2008128 || ET WEB Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit || url,www.milw0rm.com/exploits/5398 || bugtraq,28662 2008129 || ET WEB LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite || cve,CVE-2008-1605 || bugtraq,28442 || url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html 2008173 || ET WEB PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability || bugtraq,25502 2008225 || ET WEB Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit || url,www.milw0rm.com/exploits/5569 2008226 || ET WEB Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit || url,www.milw0rm.com/exploits/5530 || url,www.milw0rm.com/exploits/5460 || bugtraq,28820 2008227 || ET WEB Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.milw0rm.com/exploits/5573 2008607 || ET EXPLOIT Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600 2008612 || ET EXPLOIT Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method || url,secunia.com/Advisories/31989/ || url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html 2008613 || ET EXPLOIT GdPicture Pro ActiveX control SaveAsPDF Insecure Method || url,milw0rm.com/exploits/6638 || url,secunia.com/Advisories/31966/ 2008618 || ET DOS IAS Helper COM Component iashlpr.dll activex remote DOS || url,securityreason.com/securityalert/4323 || cve,2008-2639 || url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded 2008619 || ET EXPLOIT Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow || 
url,securitytracker.com/alerts/2008/Sep/1020951.html || bugtraq,31435 2008620 || ET EXPLOIT Internet Information Service iisext.dll activex setpassword Insecure Method || url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded || cve,2008-4301 2008621 || ET EXPLOIT Internet Information Service adsiis.dll activex remote DOS || url,securityreason.com/securityalert/4325 || cve,2008-4300 2008673 || ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699 2008678 || ET EXPLOIT Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods || url,secunia.com/Advisories/32337/ 2008683 || ET EXPLOIT Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow || url,www.milw0rm.com/exploits/6793 || bugtraq,31814 2008792 || ET EXPLOIT Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service || bugtraq,31996 -> Removed from emerging-sid-msg.map.txt (73): 2002171 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002172 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002173 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || cve,2005-1990 2002174 || ET EXPLOIT CLSID Pattern Matched 2002308 || ET EXPLOIT Internet Explorer Vulnerable CLSID (Msdds.dll) || url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php 2002491 || ET EXPLOIT COM Object MS05-052 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002492 || ET EXPLOIT COM Object MS05-052 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002493 || ET EXPLOIT COM Object MS05-052 (group 3) || 
url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || cve,2005-2127 2002674 || ET MALWARE Sony DRM Reporting 2 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html 2002675 || ET MALWARE Sony DRM Reporting 1 || url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html 2002679 || ET MALWARE Sony DRM Related - CodeSupport ActiveX Attempt || url,www.hack.fi/~muzzy/sony-drm/ || url,www.frsirt.com/english/advisories/2005/2454 2002680 || ET MALWARE Sony DRM - Uninstaller CLSID || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || url,www.frsirt.com/english/advisories/2005/2493 || url,www.freedom-to-tinker.com/?p=931 2002724 || ET EXPLOIT MciWndx ActiveX Control || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx 2002725 || ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054 || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || cve,2005-2831 2002861 || ET EXPLOIT Danim.dll and Dxtmsft.dll COM Objects || url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx || cve,2006-1186 2002971 || ET EXPLOIT Wmm2fxa.dll COM Object Instantiation Memory Corruption || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || bugtraq,18328 || cve,2006-1303 2003077 || ET EXPLOIT COM Object MS06-042 (group 1) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003078 || ET EXPLOIT COM Object MS06-042 (group 2) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003079 || ET EXPLOIT COM Object MS06-042 (group 3) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003080 || ET EXPLOIT COM Object MS06-042 (group 4) || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || cve,2006-3638 2003102 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841 2003103 
|| ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url, www.osvdb.org/displayvuln.php?osvdb_id=28841 2003104 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 2003105 || ET EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object || cve,2006-4777 || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 2003158 || ET EXPLOIT Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID || url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx || cve,2006-4704 || url,secunia.com/advisories/22603 || url,www.securityfocus.com/bid/20843 2003159 || ET EXPLOIT Microsoft VsmIDE.DTE object call CSLID 2003160 || ET EXPLOIT Microsoft DExplore.AppObj.8.0 object call CSLID 2003161 || ET EXPLOIT Microsoft VisualStudio.DTE.8.0 object call CSLID 2003162 || ET EXPLOIT Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID 2003163 || ET EXPLOIT Microsoft VsaIDE.DTE object call CSLID 2003164 || ET EXPLOIT Microsoft Business Object Factory object call CSLID 2003165 || ET EXPLOIT Microsoft Outlook Data Object object call CSLID 2003166 || ET EXPLOIT Microsoft Outlook.Application object call CSLID 2003231 || ET EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url, osvdb.org/10705 2003232 || ET EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 || url, osvdb.org/10705 2003233 || ET EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url, osvdb.org/7913 2003234 || ET EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url, osvdb.org/7913 2003328 || ET WEB-CLIENT NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow || url,secunia.com/advisories/23475/ || cve,2007-0018 2003514 || 
ET EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577 2007818 || ET WEB Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5028 || bugtraq,27540 2007819 || ET WEB Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5005 || bugtraq,27493 2007850 || ET EXPLOIT Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/4979 || bugtraq,27438 2007852 || ET EXPLOIT Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit || bugtraq,27193 || url,www.milw0rm.com/exploits/4982 2007853 || ET EXPLOIT ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability || bugtraq,27439 || url,www.milw0rm.com/exploits/4981 2007878 || ET WEB Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow || url,www.milw0rm.com/exploits/5110 || cve,CVE-2008-0778 || bugtraq,27769 2007903 || ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010 2007904 || ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010 2007905 || ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010 2007907 || ET EXPLOIT Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.milw0rm.com/exploits/5190 2007931 || ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 || url,www.milw0rm.com/exploits/3877 2007932 || ET EXPLOIT Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability || 
bugtraq,28008 || cve,CVE-2007-6017 || url,www.milw0rm.com/exploits/5205
2007998 || ET WEB Rediff Bol Downloader ActiveX Control Remote Code Execution || url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || bugtraq,21831 || cve,CVE-2006-6838
2008062 || ET WEB Univeral HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272
2008099 || ET EXPLOIT ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite || url,www.milw0rm.com/exploits/5338 || bugtraq,28546
2008126 || ET WEB IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method || url,www.milw0rm.com/exploits/5416
2008127 || ET WEB Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods || url,www.milw0rm.com/exploits/5395 || cve,CVE-2007-3883 || bugtraq,24959
2008128 || ET WEB Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit || url,www.milw0rm.com/exploits/5398 || bugtraq,28662
2008129 || ET WEB LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite || cve,CVE-2008-1605 || bugtraq,28442 || url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html
2008173 || ET WEB PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability || bugtraq,25502
2008225 || ET WEB Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit || url,www.milw0rm.com/exploits/5569
2008226 || ET WEB Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit || url,www.milw0rm.com/exploits/5530 || url,www.milw0rm.com/exploits/5460 || bugtraq,28820
2008227 || ET WEB Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.milw0rm.com/exploits/5573
2008607 || ET EXPLOIT Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600
2008612 || ET EXPLOIT Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method || url,secunia.com/Advisories/31989/ || url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html
2008613 || ET EXPLOIT GdPicture Pro ActiveX control SaveAsPDF Insecure Method || url,milw0rm.com/exploits/6638 || url,secunia.com/Advisories/31966/
2008618 || ET DOS IAS Helper COM Component iashlpr.dll activex remote DOS || url,securityreason.com/securityalert/4323 || cve,2008-2639 || url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded
2008619 || ET EXPLOIT Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow || url,securitytracker.com/alerts/2008/Sep/1020951.html || bugtraq,31435
2008620 || ET EXPLOIT Internet Information Service iisext.dll activex setpassword Insecure Method || url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded || cve,2008-4301
2008621 || ET EXPLOIT Internet Information Service adsiis.dll activex remote DOS || url,securityreason.com/securityalert/4325 || cve,2008-4300
2008673 || ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699
2008678 || ET EXPLOIT Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods || url,secunia.com/Advisories/32337/
2008683 || ET EXPLOIT Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow || url,www.milw0rm.com/exploits/6793 || bugtraq,31814
2008792 || ET EXPLOIT Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service || bugtraq,31996

-> Removed from emerging-web.rules (1):
#by Chandan S of StillSecure

From phatbuckett at gmail.com Sun Nov 30 11:39:24 2008
From: phatbuckett at gmail.com (Darren Spruell)
Date: Sun, 30 Nov 2008 09:39:24 -0700
Subject: [Emerging-Sigs] Russian based worm exploiting MS08-067
In-Reply-To: <492D5820.6060301@jonkmans.com>
References: <492D5820.6060301@jonkmans.com>
Message-ID: <839aec700811300839r838af32i9bb46ae84b37f084@mail.gmail.com>

On Wed, Nov 26, 2008 at 7:07 AM, Matt Jonkman wrote:
> Great research from Daniel Clemens and Mcafee:
>
> http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
>
> http://www.packetninjas.net/?p=73
>
> Daniel has put up a signature that ought to be reliable. It's in
> CURRENT_EVENTS as this worm may not last long. We'll drop it in a couple
> weeks if so.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008"; flow:to_server,established; uricontent:"/search?q=%d&aq=7"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; sid:2008801; rev:1;)

The 'q' parameter in the above string I believe is expanded into a number in the actual request (not a literal %d). It indicates exploit attempts or similar in the reports I've seen.

-- 
Darren Spruell
phatbuckett at gmail.com

From jonkman at jonkmans.com Sun Nov 30 13:08:00 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sun, 30 Nov 2008 13:08:00 -0500
Subject: [Emerging-Sigs] Russian based worm exploiting MS08-067
In-Reply-To: <839aec700811300839r838af32i9bb46ae84b37f084@mail.gmail.com>
References: <492D5820.6060301@jonkmans.com> <839aec700811300839r838af32i9bb46ae84b37f084@mail.gmail.com>
Message-ID: <4932D680.3030905@jonkmans.com>

Cool. I'll just remove that and separate them into 2 matches.

Thanks Darren!

Matt

Darren Spruell wrote:
> On Wed, Nov 26, 2008 at 7:07 AM, Matt Jonkman wrote:
>> Great research from Daniel Clemens and Mcafee:
>>
>> http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
>>
>> http://www.packetninjas.net/?p=73
>>
>> Daniel has put up a signature that ought to be reliable. It's in
>> CURRENT_EVENTS as this worm may not last long. We'll drop it in a couple
>> weeks if so.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Conficker-A Worm Download Attempt From Dates
> 25/11-01/12 2008"; flow:to_server,established;
> uricontent:"/search?q=%d&aq=7"; classtype:trojan-activity;
> reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A;
> sid:2008801; rev:1;)
>
> The 'q' parameter in the above string I believe is expanded into a
> number in the actual request (not a literal %d). It indicates exploit
> attempts or similar in the reports I've seen.
> --

--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Sun Nov 30 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 30 Nov 2008 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081130210008.82E0845026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Nov 30 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008802 - ET CURRENT_EVENTS Possible Downaup/Conficker-A Worm Activity (emerging.rules)
2008803 - ET CURRENT_EVENTS Possible Downaup/Conficker-A Infection Checking Geographical Location (emerging.rules)
2008804 - ET CURRENT_EVENTS Downaup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 (emerging.rules)

[///] Modified active rules: [///]

2008800 - ET CURRENT_EVENTS Conficker-A Worm Download Attempt From 1st December 2008 (emerging.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (7):
2008802 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2008803 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2008804 || ET CURRENT_EVENTS Downaup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2500082 || ET COMPROMISED Known Compromised or Hostile Host Traffic (83) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500083 || ET COMPROMISED Known Compromised or Hostile Host Traffic (84) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510082 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (83) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510083 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (84) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (7):
2008802 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2008803 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2008804 || ET CURRENT_EVENTS Downaup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2500082 || ET COMPROMISED Known Compromised or Hostile Host Traffic (83) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500083 || ET COMPROMISED Known Compromised or Hostile Host Traffic (84) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510082 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (83) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510083 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (84) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
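The Darren/Matt exchange above turns on one detail of how Snort content matching works: uricontent compares bytes literally, so the "%d" in the rev:1 signature is a printf-style placeholder that leaked from whatever the rule was transcribed from, and a real request carrying an expanded number never contains it. The script below is an added example, not code from the thread or from the Emerging Threats ruleset, and it does not reproduce the later ET rules (2008800, 2008804). It runs the original literal match and a two-piece match (the "separate them into 2 matches" approach, plus an explicit check that the bytes between the two pieces are a signed decimal number, which is an assumption based on Darren's note that q "is expanded into a number") over constructed HTTP request lines, so you can see exactly which URIs each version would fire on.

```python
import re

# Constructed sample request lines, not captured traffic. The first one has
# the shape Darren describes: the %d placeholder expanded to a number.
SAMPLE_REQUESTS = [
    "GET /search?q=12345&aq=7 HTTP/1.1",      # expanded number: what real traffic looks like
    "GET /search?q=%d&aq=7 HTTP/1.1",         # literal %d: what rev:1 actually matches
    "GET /search?q=conficker&aq=7 HTTP/1.1",  # right shape, non-numeric q
    "GET /search?q=12345&aq=8 HTTP/1.1",      # numeric q, wrong aq value
    "GET /index.html HTTP/1.1",               # unrelated request
]

# uricontent from the rev:1 rule, byte-for-byte.
LITERAL_URICONTENT = "/search?q=%d&aq=7"

# Two-content replacement: the pieces on either side of the placeholder.
PIECE_BEFORE = "/search?q="
PIECE_AFTER = "&aq=7"

# Assumption: %d is a signed decimal integer, so that is what must sit between
# the two pieces. A PCRE with the same meaning is checked alongside.
SIGNED_DECIMAL = re.compile(r"-?\d+")
PCRE_EQUIVALENT = re.compile(r"/search\?q=-?\d+&aq=7")


def request_uri(request_line):
    """Return the request-URI from 'METHOD URI HTTP/x.y'."""
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError("not an HTTP request line: %r" % request_line)
    return parts[1]


def matches_literal(uri):
    """rev:1 behaviour: a plain substring test, so '%d' is compared literally."""
    return LITERAL_URICONTENT in uri


def matches_split(uri):
    """Two-content version: PIECE_BEFORE, then a signed decimal, then PIECE_AFTER.

    The second piece is searched only after the first (like a relative
    'distance:0' modifier), and the gap must be exactly a number so that the
    looser two-piece match does not also fire on arbitrary q values.
    """
    start = uri.find(PIECE_BEFORE)
    if start < 0:
        return False
    after = uri[start + len(PIECE_BEFORE):]
    end = after.find(PIECE_AFTER)
    if end < 0:
        return False
    return SIGNED_DECIMAL.fullmatch(after[:end]) is not None


def matches_pcre(uri):
    """Same predicate as matches_split, expressed as one regex."""
    return PCRE_EQUIVALENT.search(uri) is not None


def evaluate(request_lines):
    """Map each URI to (literal_hit, split_hit, pcre_hit)."""
    results = {}
    for line in request_lines:
        uri = request_uri(line)
        results[uri] = (matches_literal(uri), matches_split(uri), matches_pcre(uri))
    return results


if __name__ == "__main__":
    print("%-32s %-8s %-6s %-5s" % ("uri", "literal", "split", "pcre"))
    for uri, (lit, split, pcre) in evaluate(SAMPLE_REQUESTS).items():
        print("%-32s %-8s %-6s %-5s" % (uri, lit, split, pcre))
```

The table the script prints makes the thread's point concrete: the rev:1 rule fires on the one URI that will never occur (the literal "%d") and on nothing else, while the two-piece match fires on the expanded form and stays quiet on the same path with a non-numeric q or a different aq value. In a real Snort rule the two pieces would be two uricontent keywords (the second relative to the first) or a single pcre with the /U modifier; both are standard syntax, but the exact form ET shipped is in the ruleset, not here.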