From william.metcalf at gmail.com  Sun Feb  1 19:07:44 2009
From: william.metcalf at gmail.com (Will Metcalf)
Date: Sun, 1 Feb 2009 18:07:44 -0600
Subject: [Emerging-Sigs] just in case anybody cares ;-)...
Message-ID:

Jonkman was nice enough to host a CentOS5 rpm repo for me. I have created a set of i686 kernel rpms that have been patched to include PF_RING and ipset. I did not backport libpcap to the version included with CentOS5 so you will have to recompile your libpcap based tools if you decide to use the pf_ring/libpcap based stuff for the 0.9.7 version in the repo. I also have included rpms for the latest apache etc so I suggest if you use a file to throw into /etc/yum.repos.d/ you use the include/exclude stuff options so that you only pull the items that you need/want. There are quite a few other useful tools that have been recompiled to use libpfring. To use ipset you will have to remove your existing iptables version and replace it with the one in the repo.

link to the repo..
http://www.emergingthreats.net/emergingrepo/

I have also modified the script created by Joshua Gimer for updating the fw rules using ipset which you can download here.
http://doc.emergingthreats.net/pub/Main/EmergingFirewallRules/emerging-ipset-update.pl.txt

link to blog post which doesn't contain any more info than what is listed here.
http://node5.blogspot.com/2009/02/pfringipset-rpms-for-centos5.html

Regards,

Will

From signatures at stillsecure.com  Mon Feb  2 06:07:45 2009
From: signatures at stillsecure.com (signatures)
Date: Mon, 2 Feb 2009 04:07:45 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Feb-02-2009
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2922@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. WEB-PHP PHP-Daily add_postit.php id Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Daily add_postit.php id Parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/add_postit.php?"; nocase; uricontent:"mode=rep"; nocase; uricontent:"id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;reference:url,secunia.com/Advisories/32408; reference:url,milw0rm.com/exploits/6833; sid:2008588; rev:1;)

2. WEB-PHP PHP-Daily delete.php id Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Daily delete.php id Parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/delete.php?"; nocase; uricontent:"mode=postit"; nocase; uricontent:"id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;reference:url,secunia.com/Advisories/32/32408; reference:url,milw0rm.com/exploits/6833; sid:2008589; rev:1;)

3. WEB-PHP PHP-Fusion Members CV(job) Module members.php sortby parameter SQL injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion Members CV(job) Module members.php sortby parameter SQL injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/members.php?"; nocase; uricontent:"sortby="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,33156; reference:url,milw0rm.com/exploits/7697; sid:2008270; rev:1;)

4. WEB-PHP iGaming CMS previews.php browse parameter SQL injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP iGaming CMS previews.php browse parameter SQL injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/previews.php?"; nocase; uricontent:"browse="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:cve,2008-5841; reference:bugtraq,31340; reference:url,milw0rm.com/exploits/6540; sid:2008272; rev:1;)

5. WEB-PHP iGaming CMS reviews.php browse parameter SQL injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP iGaming CMS reviews.php browse parameter SQL injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/reviews.php?"; nocase; uricontent:"browse="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:cve,2008-5841; reference:bugtraq,31340; reference:url,milw0rm.com/exploits/6540; sid:2008273; rev:1;)

6. WEB-PHP phpSkelSite TplSuffix parameter local file inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpSkelSite TplSuffix parameter local file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/login.tpl.php?"; nocase; uricontent:"TplSuffix="; nocase; content:"../"; classtype:web-application-attack; reference:bugtraq,33092; sid:2008249; rev:1;)

7. WEB-PHP phpSkelSite theme parameter remote file inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpSkelSite theme parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/login.tpl.php?"; nocase; uricontent:"theme="; nocase; pcre:"/theme=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,33092; sid:2008250; rev:1;)

8. WEB-PHP PNphpBB2 admin_words.php ModName parameter Local File inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PNphpBB2 admin_words.php ModName parameter Local File inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/admin/admin_words.php?"; nocase; uricontent:"ModName="; nocase; content:"../"; classtype:web-application-attack; reference:bugtraq,33103; sid:2008251; rev:1;)

9. WEB-PHP PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/admin/admin_groups_reapir.php?"; nocase; uricontent:"ModName="; nocase; content:"../"; classtype:web-application-attack; reference:bugtraq,33103; sid:2008252; rev:1;)

10. WEB-PHP PNphpBB2 admin_smilies.php ModName parameter Local File inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PNphpBB2 admin_smilies.php ModName parameter Local File inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/admin/admin_smilies.php?"; nocase; uricontent:"ModName="; nocase; content:"../"; classtype:web-application-attack; reference:bugtraq,33103; sid:2008253; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090202/a7222f76/attachment.html

From gclai at draytek.com  Tue Feb  3 04:37:06 2009
From: gclai at draytek.com (Jackie Lai)
Date: Tue, 3 Feb 2009 17:37:06 +0800
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
References: <20090124230009.4C2A34502B@goliath.jonkmans.com>
Message-ID:

original sig:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja MSSQL Authentication Mode Scan"; flow:to_server,established,established; content:"?param=a"; content:"if%20not%28%28select%20serverproperty%28$27IsIntegratedSecurityOnly"; distance:2; classtype:attempted-recon; reference:url,sqlninja.sourceforge.net/index.html; sid:2009042; rev:1;)

I think the content "...%28$27IsIntegratedSecurityOnly" should be "...%28%27..." :-)
It's a typo!

========================
Jackie Lai, CISSP
mailto: gclai [at] draytek [dot] com
========================

----- Original Message -----
From:
To: ;
Sent: January 25, 2009 07:00 AM
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes

>
> [***] Results from Oinkmaster started Sat Jan 24 18:00:09 2009 [***]
>
> [+++] Added rules: [+++]
>
> 2009025 - ET TROJAN Vipdataend C&C Traffic - Checkin (variant 2)
> (emerging-virus.rules)
> 2009026 - ET TROJAN Vipdataend C&C Traffic - Status OK (variant 2)
> (emerging-virus.rules)
> 2009027 - ET MALWARE Suspicious User Agent (FileDownloader)
> (emerging-malware.rules)
> 2009028 - ET MALWARE 404 Response with an EXE Attached - Likely Malware
> Drop (emerging-policy.rules)
> 2009029 - ET WEB SQL Injection Attempt (Agent NV32ts) (emerging-web.rules)
> 2009030 - ET CURRENT_EVENTS NS query for a single dot, possible ddos
> (emerging.rules)
> 2009031 - ET TROJAN Possible Armitage Loader Request
> (emerging-virus.rules)
> 2009032 - ET TROJAN Armitage Exploit Request (emerging-virus.rules)
> 2009033 - ET POLICY Suspicious Executable (PE under 128)
> (emerging-policy.rules)
> 2009034 - ET POLICY Suspicious Executable (PE offset 160)
> (emerging-policy.rules)
> 2009035 - ET POLICY Suspicious Executable (PE offset 512)
> (emerging-policy.rules)
> 2009036 - ET TROJAN Armitage Loader Check-in (emerging-virus.rules)
> 2009037 - ET TROJAN Vipdataend C&C Traffic - Checkin (variant 3)
> (emerging-virus.rules)
> 2009038 - ET SCAN SQLNinja MSSQL Version Scan (emerging-scan.rules)
> 2009039 - ET SCAN SQLNinja MSSQL XPCmdShell Scan (emerging-scan.rules)
> 2009040 - ET SCAN SQLNinja MSSQL User Scan (emerging-scan.rules)
> 2009041 - ET SCAN SQLNinja MSSQL Database User Rights Scan
> (emerging-scan.rules)
> 2009042 - ET SCAN SQLNinja MSSQL Authentication Mode Scan
> (emerging-scan.rules)
> 2009043 - ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using
> sp_configure (emerging-scan.rules)
> 2009044 - ET SCAN SQLNinja Attempt To Create xp_cmdshell Session
> (emerging-scan.rules)
> 2009045 - ET WEB_SPECIFIC cfagcms right.php title Parameter SQL Injection
> (emerging-web_sql_injection.rules)
> 2009046 - ET WEB_ACTIVEX Chilkat Socket Activex Remote Arbitrary File
> Overwrite 1 (emerging-web.rules)
> 2009047 - ET WEB_ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Get
> Method Buffer Overflow (emerging-web.rules)
> 2009048 - ET WEB_SPECIFIC Sepcity Lawyer Portal deptdisplay.asp ID
> parameter SQL Injection (emerging-web_sql_injection.rules)
> 2009049 - ET WEB_SPECIFIC RealtyListings type.asp iType Parameter SQL
> Injection (emerging-web_sql_injection.rules)
> 2009050 - ET WEB_SPECIFIC RealtyListings detail.asp iPro Parameter SQL
> Injection (emerging-web_sql_injection.rules)
> 2009051 - ET WEB_SPECIFIC PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH
> parameter Remote File Inclusion (emerging-web_sql_injection.rules)
> 2404019 - ET DROP Known Bot C&C Server Traffic (group 20)
> (emerging-botcc.rules)
> 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE
> (emerging-botcc-BLOCK.rules)
> 2406213 - ET RBN Known Russian Business Network Monitored Domains (214)
> (emerging-rbn.rules)
> 2407213 - ET RBN Known Russian Business Network Monitored Domains -
> BLOCKING (214) (emerging-rbn-BLOCK.rules)
>
>
> [///] Modified active rules: [///]
Business Network Monitored Domains (209) > (emerging-rbn.rules) > 2406209 - ET RBN Known Russian Business Network Monitored Domains (210) > (emerging-rbn.rules) > 2406210 - ET RBN Known Russian Business Network Monitored Domains (211) > (emerging-rbn.rules) > 2406211 - ET RBN Known Russian Business Network Monitored Domains (212) > (emerging-rbn.rules) > 2406212 - ET RBN Known Russian Business Network Monitored Domains (213) > (emerging-rbn.rules) > 2407000 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (1) (emerging-rbn-BLOCK.rules) > 2407001 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (2) (emerging-rbn-BLOCK.rules) > 2407002 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (3) (emerging-rbn-BLOCK.rules) > 2407003 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (4) (emerging-rbn-BLOCK.rules) > 2407004 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (5) (emerging-rbn-BLOCK.rules) > 2407005 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (6) (emerging-rbn-BLOCK.rules) > 2407006 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (7) (emerging-rbn-BLOCK.rules) > 2407007 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (8) (emerging-rbn-BLOCK.rules) > 2407008 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (9) (emerging-rbn-BLOCK.rules) > 2407009 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (10) (emerging-rbn-BLOCK.rules) > 2407010 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (11) (emerging-rbn-BLOCK.rules) > 2407011 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (12) (emerging-rbn-BLOCK.rules) > 2407012 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (13) (emerging-rbn-BLOCK.rules) > 2407013 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (14) 
(emerging-rbn-BLOCK.rules) > 2407014 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (15) (emerging-rbn-BLOCK.rules) > 2407015 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (16) (emerging-rbn-BLOCK.rules) > 2407016 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (17) (emerging-rbn-BLOCK.rules) > 2407017 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (18) (emerging-rbn-BLOCK.rules) > 2407018 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (19) (emerging-rbn-BLOCK.rules) > 2407019 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (20) (emerging-rbn-BLOCK.rules) > 2407020 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (21) (emerging-rbn-BLOCK.rules) > 2407021 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (22) (emerging-rbn-BLOCK.rules) > 2407022 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (23) (emerging-rbn-BLOCK.rules) > 2407023 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (24) (emerging-rbn-BLOCK.rules) > 2407024 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (25) (emerging-rbn-BLOCK.rules) > 2407025 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (26) (emerging-rbn-BLOCK.rules) > 2407026 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (27) (emerging-rbn-BLOCK.rules) > 2407027 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (28) (emerging-rbn-BLOCK.rules) > 2407028 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (29) (emerging-rbn-BLOCK.rules) > 2407029 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (30) (emerging-rbn-BLOCK.rules) > 2407030 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (31) (emerging-rbn-BLOCK.rules) > 2407031 - ET RBN Known Russian Business Network 
Monitored Domains - > BLOCKING (32) (emerging-rbn-BLOCK.rules) > 2407032 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (33) (emerging-rbn-BLOCK.rules) > 2407033 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (34) (emerging-rbn-BLOCK.rules) > 2407034 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (35) (emerging-rbn-BLOCK.rules) > 2407035 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (36) (emerging-rbn-BLOCK.rules) > 2407036 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (37) (emerging-rbn-BLOCK.rules) > 2407037 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (38) (emerging-rbn-BLOCK.rules) > 2407038 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (39) (emerging-rbn-BLOCK.rules) > 2407039 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (40) (emerging-rbn-BLOCK.rules) > 2407040 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (41) (emerging-rbn-BLOCK.rules) > 2407041 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (42) (emerging-rbn-BLOCK.rules) > 2407042 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (43) (emerging-rbn-BLOCK.rules) > 2407043 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (44) (emerging-rbn-BLOCK.rules) > 2407044 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (45) (emerging-rbn-BLOCK.rules) > 2407045 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (46) (emerging-rbn-BLOCK.rules) > 2407046 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (47) (emerging-rbn-BLOCK.rules) > 2407047 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (48) (emerging-rbn-BLOCK.rules) > 2407048 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (49) (emerging-rbn-BLOCK.rules) > 2407049 - ET 
RBN Known Russian Business Network Monitored Domains - > BLOCKING (50) (emerging-rbn-BLOCK.rules) > 2407050 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (51) (emerging-rbn-BLOCK.rules) > 2407051 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (52) (emerging-rbn-BLOCK.rules) > 2407052 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (53) (emerging-rbn-BLOCK.rules) > 2407053 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (54) (emerging-rbn-BLOCK.rules) > 2407054 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (55) (emerging-rbn-BLOCK.rules) > 2407055 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (56) (emerging-rbn-BLOCK.rules) > 2407056 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (57) (emerging-rbn-BLOCK.rules) > 2407057 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (58) (emerging-rbn-BLOCK.rules) > 2407058 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (59) (emerging-rbn-BLOCK.rules) > 2407059 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (60) (emerging-rbn-BLOCK.rules) > 2407060 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (61) (emerging-rbn-BLOCK.rules) > 2407061 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (62) (emerging-rbn-BLOCK.rules) > 2407062 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (63) (emerging-rbn-BLOCK.rules) > 2407063 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (64) (emerging-rbn-BLOCK.rules) > 2407064 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (65) (emerging-rbn-BLOCK.rules) > 2407065 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (66) (emerging-rbn-BLOCK.rules) > 2407066 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (67) 
(emerging-rbn-BLOCK.rules) > 2407067 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (68) (emerging-rbn-BLOCK.rules) > 2407068 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (69) (emerging-rbn-BLOCK.rules) > 2407069 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (70) (emerging-rbn-BLOCK.rules) > 2407070 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (71) (emerging-rbn-BLOCK.rules) > 2407071 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (72) (emerging-rbn-BLOCK.rules) > 2407072 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (73) (emerging-rbn-BLOCK.rules) > 2407073 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (74) (emerging-rbn-BLOCK.rules) > 2407074 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (75) (emerging-rbn-BLOCK.rules) > 2407075 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (76) (emerging-rbn-BLOCK.rules) > 2407076 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (77) (emerging-rbn-BLOCK.rules) > 2407077 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (78) (emerging-rbn-BLOCK.rules) > 2407078 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (79) (emerging-rbn-BLOCK.rules) > 2407079 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (80) (emerging-rbn-BLOCK.rules) > 2407080 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (81) (emerging-rbn-BLOCK.rules) > 2407081 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (82) (emerging-rbn-BLOCK.rules) > 2407082 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (83) (emerging-rbn-BLOCK.rules) > 2407083 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (84) (emerging-rbn-BLOCK.rules) > 2407084 - ET RBN Known Russian Business Network 
Monitored Domains - > BLOCKING (85) (emerging-rbn-BLOCK.rules) > 2407085 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (86) (emerging-rbn-BLOCK.rules) > 2407086 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (87) (emerging-rbn-BLOCK.rules) > 2407087 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (88) (emerging-rbn-BLOCK.rules) > 2407088 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (89) (emerging-rbn-BLOCK.rules) > 2407089 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (90) (emerging-rbn-BLOCK.rules) > 2407090 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (91) (emerging-rbn-BLOCK.rules) > 2407091 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (92) (emerging-rbn-BLOCK.rules) > 2407092 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (93) (emerging-rbn-BLOCK.rules) > 2407093 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (94) (emerging-rbn-BLOCK.rules) > 2407094 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (95) (emerging-rbn-BLOCK.rules) > 2407095 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (96) (emerging-rbn-BLOCK.rules) > 2407096 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (97) (emerging-rbn-BLOCK.rules) > 2407097 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (98) (emerging-rbn-BLOCK.rules) > 2407098 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (99) (emerging-rbn-BLOCK.rules) > 2407099 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (100) (emerging-rbn-BLOCK.rules) > 2407100 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (101) (emerging-rbn-BLOCK.rules) > 2407101 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (102) (emerging-rbn-BLOCK.rules) > 2407102 - 
ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (103) (emerging-rbn-BLOCK.rules) > 2407103 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (104) (emerging-rbn-BLOCK.rules) > 2407104 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (105) (emerging-rbn-BLOCK.rules) > 2407105 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (106) (emerging-rbn-BLOCK.rules) > 2407106 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (107) (emerging-rbn-BLOCK.rules) > 2407107 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (108) (emerging-rbn-BLOCK.rules) > 2407108 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (109) (emerging-rbn-BLOCK.rules) > 2407109 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (110) (emerging-rbn-BLOCK.rules) > 2407110 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (111) (emerging-rbn-BLOCK.rules) > 2407111 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (112) (emerging-rbn-BLOCK.rules) > 2407112 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (113) (emerging-rbn-BLOCK.rules) > 2407113 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (114) (emerging-rbn-BLOCK.rules) > 2407114 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (115) (emerging-rbn-BLOCK.rules) > 2407115 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (116) (emerging-rbn-BLOCK.rules) > 2407116 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (117) (emerging-rbn-BLOCK.rules) > 2407117 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (118) (emerging-rbn-BLOCK.rules) > 2407118 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (119) (emerging-rbn-BLOCK.rules) > 2407119 - ET RBN Known Russian Business Network Monitored Domains - > 
BLOCKING (120) (emerging-rbn-BLOCK.rules) > 2407120 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (121) (emerging-rbn-BLOCK.rules) > 2407121 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (122) (emerging-rbn-BLOCK.rules) > 2407122 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (123) (emerging-rbn-BLOCK.rules) > 2407123 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (124) (emerging-rbn-BLOCK.rules) > 2407124 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (125) (emerging-rbn-BLOCK.rules) > 2407125 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (126) (emerging-rbn-BLOCK.rules) > 2407126 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (127) (emerging-rbn-BLOCK.rules) > 2407127 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (128) (emerging-rbn-BLOCK.rules) > 2407128 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (129) (emerging-rbn-BLOCK.rules) > 2407129 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (130) (emerging-rbn-BLOCK.rules) > 2407130 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (131) (emerging-rbn-BLOCK.rules) > 2407131 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (132) (emerging-rbn-BLOCK.rules) > 2407132 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (133) (emerging-rbn-BLOCK.rules) > 2407133 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (134) (emerging-rbn-BLOCK.rules) > 2407134 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (135) (emerging-rbn-BLOCK.rules) > 2407135 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (136) (emerging-rbn-BLOCK.rules) > 2407136 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (137) (emerging-rbn-BLOCK.rules) > 2407137 - ET RBN 
Known Russian Business Network Monitored Domains - > BLOCKING (138) (emerging-rbn-BLOCK.rules) > 2407138 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (139) (emerging-rbn-BLOCK.rules) > 2407139 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (140) (emerging-rbn-BLOCK.rules) > 2407140 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (141) (emerging-rbn-BLOCK.rules) > 2407141 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (142) (emerging-rbn-BLOCK.rules) > 2407142 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (143) (emerging-rbn-BLOCK.rules) > 2407143 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (144) (emerging-rbn-BLOCK.rules) > 2407144 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (145) (emerging-rbn-BLOCK.rules) > 2407145 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (146) (emerging-rbn-BLOCK.rules) > 2407146 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (147) (emerging-rbn-BLOCK.rules) > 2407147 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (148) (emerging-rbn-BLOCK.rules) > 2407148 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (149) (emerging-rbn-BLOCK.rules) > 2407149 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (150) (emerging-rbn-BLOCK.rules) > 2407150 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (151) (emerging-rbn-BLOCK.rules) > 2407151 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (152) (emerging-rbn-BLOCK.rules) > 2407152 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (153) (emerging-rbn-BLOCK.rules) > 2407153 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (154) (emerging-rbn-BLOCK.rules) > 2407154 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING 
(155) (emerging-rbn-BLOCK.rules) > 2407155 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (156) (emerging-rbn-BLOCK.rules) > 2407156 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (157) (emerging-rbn-BLOCK.rules) > 2407157 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (158) (emerging-rbn-BLOCK.rules) > 2407158 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (159) (emerging-rbn-BLOCK.rules) > 2407159 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (160) (emerging-rbn-BLOCK.rules) > 2407160 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (161) (emerging-rbn-BLOCK.rules) > 2407161 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (162) (emerging-rbn-BLOCK.rules) > 2407162 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (163) (emerging-rbn-BLOCK.rules) > 2407163 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (164) (emerging-rbn-BLOCK.rules) > 2407164 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (165) (emerging-rbn-BLOCK.rules) > 2407165 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (166) (emerging-rbn-BLOCK.rules) > 2407166 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (167) (emerging-rbn-BLOCK.rules) > 2407167 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (168) (emerging-rbn-BLOCK.rules) > 2407168 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (169) (emerging-rbn-BLOCK.rules) > 2407169 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (170) (emerging-rbn-BLOCK.rules) > 2407170 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (171) (emerging-rbn-BLOCK.rules) > 2407171 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (172) (emerging-rbn-BLOCK.rules) > 2407172 - ET RBN Known 
Russian Business Network Monitored Domains - > BLOCKING (173) (emerging-rbn-BLOCK.rules) > 2407173 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (174) (emerging-rbn-BLOCK.rules) > 2407174 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (175) (emerging-rbn-BLOCK.rules) > 2407175 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (176) (emerging-rbn-BLOCK.rules) > 2407176 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (177) (emerging-rbn-BLOCK.rules) > 2407177 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (178) (emerging-rbn-BLOCK.rules) > 2407178 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (179) (emerging-rbn-BLOCK.rules) > 2407179 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (180) (emerging-rbn-BLOCK.rules) > 2407180 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (181) (emerging-rbn-BLOCK.rules) > 2407181 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (182) (emerging-rbn-BLOCK.rules) > 2407182 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (183) (emerging-rbn-BLOCK.rules) > 2407183 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (184) (emerging-rbn-BLOCK.rules) > 2407184 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (185) (emerging-rbn-BLOCK.rules) > 2407185 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (186) (emerging-rbn-BLOCK.rules) > 2407186 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (187) (emerging-rbn-BLOCK.rules) > 2407187 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (188) (emerging-rbn-BLOCK.rules) > 2407188 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (189) (emerging-rbn-BLOCK.rules) > 2407189 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (190) 
(emerging-rbn-BLOCK.rules) > 2407190 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (191) (emerging-rbn-BLOCK.rules) > 2407191 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (192) (emerging-rbn-BLOCK.rules) > 2407192 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (193) (emerging-rbn-BLOCK.rules) > 2407193 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (194) (emerging-rbn-BLOCK.rules) > 2407194 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (195) (emerging-rbn-BLOCK.rules) > 2407195 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (196) (emerging-rbn-BLOCK.rules) > 2407196 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (197) (emerging-rbn-BLOCK.rules) > 2407197 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (198) (emerging-rbn-BLOCK.rules) > 2407198 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (199) (emerging-rbn-BLOCK.rules) > 2407199 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (200) (emerging-rbn-BLOCK.rules) > 2407200 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (201) (emerging-rbn-BLOCK.rules) > 2407201 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (202) (emerging-rbn-BLOCK.rules) > 2407202 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (203) (emerging-rbn-BLOCK.rules) > 2407203 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (204) (emerging-rbn-BLOCK.rules) > 2407204 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (205) (emerging-rbn-BLOCK.rules) > 2407205 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (206) (emerging-rbn-BLOCK.rules) > 2407206 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (207) (emerging-rbn-BLOCK.rules) > 2407207 - ET RBN Known Russian 
Business Network Monitored Domains -
> BLOCKING (208) (emerging-rbn-BLOCK.rules)
> 2407208 - ET RBN Known Russian Business Network Monitored Domains -
> BLOCKING (209) (emerging-rbn-BLOCK.rules)
> 2407209 - ET RBN Known Russian Business Network Monitored Domains -
> BLOCKING (210) (emerging-rbn-BLOCK.rules)
> 2407210 - ET RBN Known Russian Business Network Monitored Domains -
> BLOCKING (211) (emerging-rbn-BLOCK.rules)
> 2407211 - ET RBN Known Russian Business Network Monitored Domains -
> BLOCKING (212) (emerging-rbn-BLOCK.rules)
> 2407212 - ET RBN Known Russian Business Network Monitored Domains -
> BLOCKING (213) (emerging-rbn-BLOCK.rules)
>
>
> [---] Removed rules: [---]
>
> 2008548 - ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus
> User-Agent (3P and version num) (emerging-malware.rules)
>
>
> [+++] Added non-rule lines: [+++]
>
> -> Added to emerging-drop-BLOCK.rules (2):
> # VERSION 1429
> # Generated 2009-01-24 00:03:02 EDT
>
> -> Added to emerging-drop.rules (2):
> # VERSION 1429
> # Generated 2009-01-24 00:03:02 EDT
>
> -> Added to emerging-policy.rules (1):
> #by dxp
>
> -> Added to emerging-rbn-BLOCK.rules (2):
> # VERSION 107
> # Updated 2009-01-20 00:22:00
>
> -> Added to emerging-rbn.rules (2):
> # VERSION 107
> # Updated 2009-01-20 00:22:00
>
> -> Added to emerging-scan.rules (1):
> #by kevin ross
>
> -> Added to emerging-sid-msg.map (37):
> 2008665 || ET TROJAN Zbot/Zeus or Related Infection Checkin
> 2009021 || ET MALWARE Suspicious User Agent (IE_6.0)
> 2009025 || ET TROJAN Vipdataend C&C Traffic - Checkin (variant 2)
> 2009026 || ET TROJAN Vipdataend C&C Traffic - Status OK (variant 2)
> 2009027 || ET MALWARE Suspicious User Agent (FileDownloader)
> 2009028 || ET MALWARE 404 Response with an EXE Attached - Likely
> Malware Drop
> 2009029 || ET WEB SQL Injection Attempt (Agent NV32ts)
> 2009030 || ET CURRENT_EVENTS NS query for a single dot, possible
> ddos || url,isc.sans.org/diary.html?storyid=5713
> 2009031 || ET TROJAN Possible Armitage Loader Request
> 2009032 || ET TROJAN Armitage Exploit Request
> 2009033 || ET POLICY Suspicious Executable (PE under 128)
> 2009034 || ET POLICY Suspicious Executable (PE offset 160)
> 2009035 || ET POLICY Suspicious Executable (PE offset 512)
> 2009036 || ET TROJAN Armitage Loader Check-in
> 2009037 || ET TROJAN Vipdataend C&C Traffic - Checkin (variant 3)
> 2009038 || ET SCAN SQLNinja MSSQL Version Scan ||
> url,sqlninja.sourceforge.net/index.html
> 2009039 || ET SCAN SQLNinja MSSQL XPCmdShell Scan ||
> url,sqlninja.sourceforge.net/index.html
> 2009040 || ET SCAN SQLNinja MSSQL User Scan ||
> url,sqlninja.sourceforge.net/index.html
> 2009041 || ET SCAN SQLNinja MSSQL Database User Rights Scan ||
> url,sqlninja.sourceforge.net/index.html
> 2009042 || ET SCAN SQLNinja MSSQL Authentication Mode Scan ||
> url,sqlninja.sourceforge.net/index.html
> 2009043 || ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using
> sp_configure || url,sqlninja.sourceforge.net/index.html
> 2009044 || ET SCAN SQLNinja Attempt To Create xp_cmdshell Session
> || url,sqlninja.sourceforge.net/index.html
> 2009045 || ET WEB_SPECIFIC cfagcms right.php title Parameter SQL
> Injection || url,milw0rm.com/exploits/7483 || bugtraq,32851
> 2009046 || ET WEB_ACTIVEX Chilkat Socket Activex Remote Arbitrary
> File Overwrite 1 || url,milw0rm.com/exploits/7594 || bugtraq,32333
> 2009047 || ET WEB_ACTIVEX SaschArt SasCam Webcam Server ActiveX
> Control Get Method Buffer Overflow || url,milw0rm.com/exploits/7617 ||
> bugtraq,33053
> 2009048 || ET WEB_SPECIFIC Sepcity Lawyer Portal deptdisplay.asp ID
> parameter SQL Injection || bugtraq,33040 || url,milw0rm.com/exploits/7610
> 2009049 || ET WEB_SPECIFIC RealtyListings type.asp iType Parameter
> SQL Injection || url,milw0rm.com/exploits/7464 ||
> url,secunia.com/advisories/33167/
> 2009050 || ET WEB_SPECIFIC RealtyListings detail.asp iPro Parameter
> SQL Injection || url,milw0rm.com/exploits/7464 ||
> url,secunia.com/advisories/33167/
> 2009051 || ET WEB_SPECIFIC PHPOF DB_AdoDB.Class.PHP
> PHPOF_INCLUDE_PATH parameter Remote File Inclusion || bugtraq,25541
> 2404019 || ET DROP Known Bot C&C Server Traffic (group 20) ||
> url,www.shadowserver.org
> 2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING
> SOURCE || url,www.shadowserver.org
> 2406213 || ET RBN Known Russian Business Network Monitored Domains
> (214) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
> 2407213 || ET RBN Known Russian Business Network Monitored
> Domains - BLOCKING (214) ||
> url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
> 2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic
> (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
> 2500077 || ET COMPROMISED Known Compromised or Hostile Host Traffic
> (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
> 2510076 || ET COMPROMISED Known Compromised or Hostile Host
> Traffic - BLOCKING (77) ||
> url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
> 2510077 || ET COMPROMISED Known Compromised or Hostile Host
> Traffic - BLOCKING (78) ||
> url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
>
> -> Added to emerging-sid-msg.map.txt (37):
> 2008665 || ET TROJAN Zbot/Zeus or Related Infection Checkin
> 2009021 || ET MALWARE Suspicious User Agent (IE_6.0)
> 2009025 || ET TROJAN Vipdataend C&C Traffic - Checkin (variant 2)
> 2009026 || ET TROJAN Vipdataend C&C Traffic - Status OK (variant 2)
> 2009027 || ET MALWARE Suspicious User Agent (FileDownloader)
> 2009028 || ET MALWARE 404 Response with an EXE Attached - Likely
> Malware Drop
> 2009029 || ET WEB SQL Injection Attempt (Agent NV32ts)
> 2009030 || ET CURRENT_EVENTS NS query for a single dot, possible
> ddos || url,isc.sans.org/diary.html?storyid=5713
> 2009031 || ET TROJAN Possible Armitage Loader Request
> 2009032 || ET TROJAN Armitage Exploit Request
> 2009033 || ET POLICY Suspicious Executable (PE under 128)
> 2009034 || ET POLICY Suspicious Executable (PE offset 160)
> 2009035 || ET POLICY Suspicious Executable (PE offset 512)
> 2009036 || ET TROJAN Armitage Loader Check-in
> 2009037 || ET TROJAN Vipdataend C&C Traffic - Checkin (variant 3)
> 2009038 || ET SCAN SQLNinja MSSQL Version Scan ||
> url,sqlninja.sourceforge.net/index.html
> 2009039 || ET SCAN SQLNinja MSSQL XPCmdShell Scan ||
> url,sqlninja.sourceforge.net/index.html
> 2009040 || ET SCAN SQLNinja MSSQL User Scan ||
> url,sqlninja.sourceforge.net/index.html
> 2009041 || ET SCAN SQLNinja MSSQL Database User Rights Scan ||
> url,sqlninja.sourceforge.net/index.html
> 2009042 || ET SCAN SQLNinja MSSQL Authentication Mode Scan ||
> url,sqlninja.sourceforge.net/index.html
> 2009043 || ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using
> sp_configure || url,sqlninja.sourceforge.net/index.html
> 2009044 || ET SCAN SQLNinja Attempt To Create xp_cmdshell Session
> || url,sqlninja.sourceforge.net/index.html
> 2009045 || ET WEB_SPECIFIC cfagcms right.php title Parameter SQL
> Injection || url,milw0rm.com/exploits/7483 || bugtraq,32851
> 2009046 || ET WEB_ACTIVEX Chilkat Socket Activex Remote Arbitrary
> File Overwrite 1 || url,milw0rm.com/exploits/7594 || bugtraq,32333
> 2009047 || ET WEB_ACTIVEX SaschArt SasCam Webcam Server ActiveX
> Control Get Method Buffer Overflow || url,milw0rm.com/exploits/7617 ||
> bugtraq,33053
> 2009048 || ET WEB_SPECIFIC Sepcity Lawyer Portal deptdisplay.asp ID
> parameter SQL Injection || bugtraq,33040 || url,milw0rm.com/exploits/7610
> 2009049 || ET WEB_SPECIFIC RealtyListings type.asp iType Parameter
> SQL Injection || url,milw0rm.com/exploits/7464 ||
> url,secunia.com/advisories/33167/
> 2009050 || ET WEB_SPECIFIC RealtyListings detail.asp iPro Parameter
> SQL Injection || url,milw0rm.com/exploits/7464 ||
> url,secunia.com/advisories/33167/
> 2009051 || ET WEB_SPECIFIC PHPOF DB_AdoDB.Class.PHP
> PHPOF_INCLUDE_PATH parameter Remote File Inclusion || bugtraq,25541
> 2404019 || ET DROP Known Bot C&C
Server Traffic (group 20) || > url,www.shadowserver.org > 2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING > SOURCE || url,www.shadowserver.org > 2406213 || ET RBN Known Russian Business Network Monitored Domains > (214) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork > 2407213 || ET RBN Known Russian Business Network Monitored > Domains - BLOCKING (214) || > url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork > 2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic > (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts > 2500077 || ET COMPROMISED Known Compromised or Hostile Host Traffic > (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts > 2510076 || ET COMPROMISED Known Compromised or Hostile Host > Traffic - BLOCKING (77) || > url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts > 2510077 || ET COMPROMISED Known Compromised or Hostile Host > Traffic - BLOCKING (78) || > url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts > > -> Added to emerging-virus.rules (1): > #by dxp > > -> Added to emerging-web.rules (1): > # By Frank Knobbe > > -> Added to emerging.rules (1): > #by RPG > > [---] Removed non-rule lines: [---] > > -> Removed from emerging-drop-BLOCK.rules (2): > # VERSION 1422 > # Generated 2009-01-17 00:03:02 EDT > > -> Removed from emerging-drop.rules (2): > # VERSION 1422 > # Generated 2009-01-17 00:03:02 EDT > > -> Removed from emerging-rbn-BLOCK.rules (2): > # VERSION 106 > # Updated 2009-01-17 10:28:54 > > -> Removed from emerging-rbn.rules (2): > # VERSION 106 > # Updated 2009-01-17 10:28:54 > > -> Removed from emerging-sid-msg.map (3): > 2008548 || ET MALWARE Systemdoctor.com/Antivir2008 related Fake > Anti-Virus User-Agent (3P and version num) > 2008665 || ET TROJAN Obfiscator.vc or Related Infection Checkin > 2009021 || ET MALWARE Suspicious User Agent (IE_6.0) || > url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html > > -> 
Removed from emerging-sid-msg.map.txt (3):
> 2008548 || ET MALWARE Systemdoctor.com/Antivir2008 related Fake
> Anti-Virus User-Agent (3P and version num)
> 2008665 || ET TROJAN Obfiscator.vc or Related Infection Checkin
> 2009021 || ET MALWARE Suspicious User Agent (IE_6.0) ||
> url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> This message has been scanned for viruses and
> dangerous content by Draytek E-mail System, and is
> believed to be clean.
>

From jonkman at jonkmans.com Tue Feb 3 08:00:33 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 03 Feb 2009 08:00:33 -0500
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
In-Reply-To:
References: <20090124230009.4C2A34502B@goliath.jonkmans.com>
Message-ID: <49883FF1.2030004@jonkmans.com>

I believe you are correct. Thanks Jackie, fixing that now!

Matt

Jackie Lai wrote:
> original sig:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN
> SQLNinja MSSQL Authentication Mode Scan";
> flow:to_server,established,established; content:"?param=a";
> content:"if%20not%28%28select%20serverproperty%28$27IsIntegratedSecurityOnly";
> distance:2; classtype:attempted-recon;
> reference:url,sqlninja.sourceforge.net/index.html; sid:2009042; rev:1;)
>
> I think the content "...%28$27IsIntegratedSecurityOnly" should be
> "...%28%27..." :-)
> It's a typo!
>
>
>
> ========================
> Jackie Lai, CISSP
> mailto: gclai [at] draytek [dot] com
> ========================
> ----- Original Message -----
> From: >
> To: >;
> >
> Sent: January 25, 2009, 07:00 AM
> Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
>
>>
>> [***] Results from Oinkmaster started Sat Jan 24 18:00:09 2009 [***]
>>
>> [+++] Added rules: [+++]
>>
>> 2009025 - ET TROJAN Vipdataend C&C Traffic - Checkin (variant 2)
> (emerging-virus.rules)
>> 2009026 - ET TROJAN Vipdataend C&C Traffic - Status OK (variant 2)
> (emerging-virus.rules)
>> 2009027 - ET MALWARE Suspicious User Agent (FileDownloader)
> (emerging-malware.rules)
>> 2009028 - ET MALWARE 404 Response with an EXE Attached - Likely
> Malware Drop (emerging-policy.rules)
>> 2009029 - ET WEB SQL Injection Attempt (Agent NV32ts) (emerging-web.rules)
>> 2009030 - ET CURRENT_EVENTS NS query for a single dot, possible ddos
> (emerging.rules)
>> 2009031 - ET TROJAN Possible Armitage Loader Request
> (emerging-virus.rules)
>> 2009032 - ET TROJAN Armitage Exploit Request (emerging-virus.rules)
>> 2009033 - ET POLICY Suspicious Executable (PE under 128)
> (emerging-policy.rules)
>> 2009034 - ET POLICY Suspicious Executable (PE offset 160)
> (emerging-policy.rules)
>> 2009035 - ET POLICY Suspicious Executable (PE offset 512)
> (emerging-policy.rules)
>> 2009036 - ET TROJAN Armitage Loader Check-in (emerging-virus.rules)
>> 2009037 - ET TROJAN Vipdataend C&C Traffic - Checkin (variant 3)
> (emerging-virus.rules)
>> 2009038 - ET SCAN SQLNinja MSSQL Version Scan (emerging-scan.rules)
>> 2009039 - ET SCAN SQLNinja MSSQL XPCmdShell Scan (emerging-scan.rules)
>> 2009040 - ET SCAN SQLNinja MSSQL User Scan (emerging-scan.rules)
>> 2009041 - ET SCAN SQLNinja MSSQL Database User Rights Scan
> (emerging-scan.rules)
>> 2009042 - ET SCAN SQLNinja MSSQL Authentication Mode Scan
> (emerging-scan.rules)
>> 2009043 - ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using
> sp_configure (emerging-scan.rules)
>>
2009044 - ET SCAN SQLNinja Attempt To Create xp_cmdshell Session > (emerging-scan.rules) >> 2009045 - ET WEB_SPECIFIC cfagcms right.php title Parameter SQL > Injection (emerging-web_sql_injection.rules) >> 2009046 - ET WEB_ACTIVEX Chilkat Socket Activex Remote Arbitrary File > Overwrite 1 (emerging-web.rules) >> 2009047 - ET WEB_ACTIVEX SaschArt SasCam Webcam Server ActiveX Control > Get Method Buffer Overflow (emerging-web.rules) >> 2009048 - ET WEB_SPECIFIC Sepcity Lawyer Portal deptdisplay.asp ID > parameter SQL Injection (emerging-web_sql_injection.rules) >> 2009049 - ET WEB_SPECIFIC RealtyListings type.asp iType Parameter SQL > Injection (emerging-web_sql_injection.rules) >> 2009050 - ET WEB_SPECIFIC RealtyListings detail.asp iPro Parameter SQL > Injection (emerging-web_sql_injection.rules) >> 2009051 - ET WEB_SPECIFIC PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH > parameter Remote File Inclusion (emerging-web_sql_injection.rules) >> 2404019 - ET DROP Known Bot C&C Server Traffic (group 20) > (emerging-botcc.rules) >> 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2406213 - ET RBN Known Russian Business Network Monitored Domains > (214) (emerging-rbn.rules) >> 2407213 - ET RBN Known Russian Business Network Monitored Domains - > BLOCKING (214) (emerging-rbn-BLOCK.rules) >> >> >> [///] Modified active rules: [///] >> >> 2002887 - ET EXPLOIT SYS get_domain_index_tables Access > (emerging-exploit.rules) >> 2003937 - ET TROJAN Bandook iwebho/BBB-phish trojan leaking user data > (emerging-virus.rules) >> 2008665 - ET TROJAN Zbot/Zeus or Related Infection Checkin > (emerging-virus.rules) >> 2009021 - ET MALWARE Suspicious User Agent (IE_6.0) > (emerging-malware.rules) >> 2009024 - ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting > (emerging.rules) >> 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound > (emerging-drop.rules) >> 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound > 
(emerging-drop.rules) >> 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound > (emerging-drop.rules) >> 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound > (emerging-drop.rules) >> 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound > (emerging-drop.rules) >> 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound > (emerging-drop.rules) >> 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound > (emerging-drop.rules) >> 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound > (emerging-drop.rules) >> 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING > SOURCE (emerging-drop-BLOCK.rules) >> 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING > SOURCE (emerging-drop-BLOCK.rules) >> 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING > SOURCE (emerging-drop-BLOCK.rules) >> 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING > SOURCE (emerging-drop-BLOCK.rules) >> 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING > SOURCE (emerging-drop-BLOCK.rules) >> 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING > SOURCE (emerging-drop-BLOCK.rules) >> 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING > SOURCE (emerging-drop-BLOCK.rules) >> 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING > SOURCE (emerging-drop-BLOCK.rules) >> 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules) >> 2403000 - ET DROP Dshield Block Listed Source - BLOCKING > (emerging-dshield-BLOCK.rules) >> 2404000 - ET DROP Known Bot C&C Server Traffic (group 1) > (emerging-botcc.rules) >> 2404001 - ET DROP Known Bot C&C Server Traffic (group 2) > (emerging-botcc.rules) >> 2404002 - ET DROP Known Bot C&C Server Traffic (group 3) > (emerging-botcc.rules) >> 2404003 - ET DROP Known Bot C&C Server Traffic (group 4) > (emerging-botcc.rules) >> 2404004 - ET DROP Known Bot C&C Server Traffic (group 5) > (emerging-botcc.rules) >> 2404005 - ET DROP Known Bot C&C Server 
Traffic (group 6) > (emerging-botcc.rules) >> 2404006 - ET DROP Known Bot C&C Server Traffic (group 7) > (emerging-botcc.rules) >> 2404007 - ET DROP Known Bot C&C Server Traffic (group 8) > (emerging-botcc.rules) >> 2404008 - ET DROP Known Bot C&C Server Traffic (group 9) > (emerging-botcc.rules) >> 2404009 - ET DROP Known Bot C&C Server Traffic (group 10) > (emerging-botcc.rules) >> 2404010 - ET DROP Known Bot C&C Server Traffic (group 11) > (emerging-botcc.rules) >> 2404011 - ET DROP Known Bot C&C Server Traffic (group 12) > (emerging-botcc.rules) >> 2404012 - ET DROP Known Bot C&C Server Traffic (group 13) > (emerging-botcc.rules) >> 2404013 - ET DROP Known Bot C&C Server Traffic (group 14) > (emerging-botcc.rules) >> 2404014 - ET DROP Known Bot C&C Server Traffic (group 15) > (emerging-botcc.rules) >> 2404015 - ET DROP Known Bot C&C Server Traffic (group 16) > (emerging-botcc.rules) >> 2404016 - ET DROP Known Bot C&C Server Traffic (group 17) > (emerging-botcc.rules) >> 2404017 - ET DROP Known Bot C&C Server Traffic (group 18) > (emerging-botcc.rules) >> 2404018 - ET DROP Known Bot C&C Server Traffic (group 19) > (emerging-botcc.rules) >> 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405008 - ET DROP 
Known Bot C&C Traffic (group 9) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE > (emerging-botcc-BLOCK.rules) >> 2406000 - ET RBN Known Russian Business Network Monitored Domains (1) > (emerging-rbn.rules) >> 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) > (emerging-rbn.rules) >> 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) > (emerging-rbn.rules) >> 2406003 - ET RBN Known Russian Business Network Monitored Domains (4) > (emerging-rbn.rules) >> 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) > (emerging-rbn.rules) >> 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) > (emerging-rbn.rules) >> 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) > (emerging-rbn.rules) >> 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) > (emerging-rbn.rules) >> 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) > (emerging-rbn.rules) >> 2406009 - ET RBN 
Known Russian Business Network Monitored Domains (10) > (emerging-rbn.rules) >> 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) > (emerging-rbn.rules) >> 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) > (emerging-rbn.rules) >> 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) > (emerging-rbn.rules) >> 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) > (emerging-rbn.rules) >> 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) > (emerging-rbn.rules) >> 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) > (emerging-rbn.rules) >> 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) > (emerging-rbn.rules) >> 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) > (emerging-rbn.rules) >> 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) > (emerging-rbn.rules) >> 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) > (emerging-rbn.rules) >> 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) > (emerging-rbn.rules) >> 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) > (emerging-rbn.rules) >> 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) > (emerging-rbn.rules) >> 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) > (emerging-rbn.rules) >> 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) > (emerging-rbn.rules) >> 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) > (emerging-rbn.rules) >> 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) > (emerging-rbn.rules) >> 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) > (emerging-rbn.rules) >> 2406028 - ET RBN Known Russian Business Network Monitored Domains (29) > (emerging-rbn.rules) >> 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) > 
(emerging-rbn.rules) >> 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) > (emerging-rbn.rules) >> 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) > (emerging-rbn.rules) >> 2406032 - ET RBN Known Russian Business Network Monitored Domains (33) > (emerging-rbn.rules) >> 2406033 - ET RBN Known Russian Business Network Monitored Domains (34) > (emerging-rbn.rules) >> 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) > (emerging-rbn.rules) >> 2406035 - ET RBN Known Russian Business Network Monitored Domains (36) > (emerging-rbn.rules) >> 2406036 - ET RBN Known Russian Business Network Monitored Domains (37) > (emerging-rbn.rules) >> 2406037 - ET RBN Known Russian Business Network Monitored Domains (38) > (emerging-rbn.rules) >> 2406038 - ET RBN Known Russian Business Network Monitored Domains (39) > (emerging-rbn.rules) >> 2406039 - ET RBN Known Russian Business Network Monitored Domains (40) > (emerging-rbn.rules) >> 2406040 - ET RBN Known Russian Business Network Monitored Domains (41) > (emerging-rbn.rules) >> 2406041 - ET RBN Known Russian Business Network Monitored Domains (42) > (emerging-rbn.rules) >> 2406042 - ET RBN Known Russian Business Network Monitored Domains (43) > (emerging-rbn.rules) >> 2406043 - ET RBN Known Russian Business Network Monitored Domains (44) > (emerging-rbn.rules) >> 2406044 - ET RBN Known Russian Business Network Monitored Domains (45) > (emerging-rbn.rules) >> 2406045 - ET RBN Known Russian Business Network Monitored Domains (46) > (emerging-rbn.rules) >> 2406046 - ET RBN Known Russian Business Network Monitored Domains (47) > (emerging-rbn.rules) >> 2406047 - ET RBN Known Russian Business Network Monitored Domains (48) > (emerging-rbn.rules) >> 2406048 - ET RBN Known Russian Business Network Monitored Domains (49) > (emerging-rbn.rules) >> 2406049 - ET RBN Known Russian Business Network Monitored Domains (50) > (emerging-rbn.rules) >> 2406050 - ET RBN Known Russian 
Business Network Monitored Domains (51) > (emerging-rbn.rules) >> 2406051 - ET RBN Known Russian Business Network Monitored Domains (52) > (emerging-rbn.rules) >> 2406052 - ET RBN Known Russian Business Network Monitored Domains (53) > (emerging-rbn.rules) >> 2406053 - ET RBN Known Russian Business Network Monitored Domains (54) > (emerging-rbn.rules) >> 2406054 - ET RBN Known Russian Business Network Monitored Domains (55) > (emerging-rbn.rules) >> 2406055 - ET RBN Known Russian Business Network Monitored Domains (56) > (emerging-rbn.rules) >> 2406056 - ET RBN Known Russian Business Network Monitored Domains (57) > (emerging-rbn.rules) >> 2406057 - ET RBN Known Russian Business Network Monitored Domains (58) > (emerging-rbn.rules) >> 2406058 - ET RBN Known Russian Business Network Monitored Domains (59) > (emerging-rbn.rules) >> 2406059 - ET RBN Known Russian Business Network Monitored Domains (60) > (emerging-rbn.rules) >> 2406060 - ET RBN Known Russian Business Network Monitored Domains (61) > (emerging-rbn.rules) >> 2406061 - ET RBN Known Russian Business Network Monitored Domains (62) > (emerging-rbn.rules) >> 2406062 - ET RBN Known Russian Business Network Monitored Domains (63) > (emerging-rbn.rules) >> 2406063 - ET RBN Known Russian Business Network Monitored Domains (64) > (emerging-rbn.rules) >> 2406064 - ET RBN Known Russian Business Network Monitored Domains (65) > (emerging-rbn.rules) >> 2406065 - ET RBN Known Russian Business Network Monitored Domains (66) > (emerging-rbn.rules) >> 2406066 - ET RBN Known Russian Business Network Monitored Domains (67) > (emerging-rbn.rules) >> 2406067 - ET RBN Known Russian Business Network Monitored Domains (68) > (emerging-rbn.rules) >> 2406068 - ET RBN Known Russian Business Network Monitored Domains (69) > (emerging-rbn.rules) >> 2406069 - ET RBN Known Russian Business Network Monitored Domains (70) > (emerging-rbn.rules) >> 2406070 - ET RBN Known Russian Business Network Monitored Domains (71) > 
(emerging-rbn.rules) >> 2406071 - ET RBN Known Russian Business Network Monitored Domains (72) > (emerging-rbn.rules) >> 2406072 - ET RBN Known Russian Business Network Monitored Domains (73) > (emerging-rbn.rules) >> 2406073 - ET RBN Known Russian Business Network Monitored Domains (74) > (emerging-rbn.rules) >> 2406074 - ET RBN Known Russian Business Network Monitored Domains (75) > (emerging-rbn.rules) >> 2406075 - ET RBN Known Russian Business Network Monitored Domains (76) > (emerging-rbn.rules) >> 2406076 - ET RBN Known Russian Business Network Monitored Domains (77) > (emerging-rbn.rules) >> 2406077 - ET RBN Known Russian Business Network Monitored Domains (78) > (emerging-rbn.rules) >> 2406078 - ET RBN Known Russian Business Network Monitored Domains (79) > (emerging-rbn.rules) >> 2406079 - ET RBN Known Russian Business Network Monitored Domains (80) > (emerging-rbn.rules) >> 2406080 - ET RBN Known Russian Business Network Monitored Domains (81) > (emerging-rbn.rules) >> 2406081 - ET RBN Known Russian Business Network Monitored Domains (82) > (emerging-rbn.rules) >> 2406082 - ET RBN Known Russian Business Network Monitored Domains (83) > (emerging-rbn.rules) >> 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) > (emerging-rbn.rules) >> 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) > (emerging-rbn.rules) >> 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) > (emerging-rbn.rules) >> 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) > (emerging-rbn.rules) >> 2406087 - ET RBN Known Russian Business Network Monitored Domains (88) > (emerging-rbn.rules) >> 2406088 - ET RBN Known Russian Business Network Monitored Domains (89) > (emerging-rbn.rules) >> 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) > (emerging-rbn.rules) >> 2406090 - ET RBN Known Russian Business Network Monitored Domains (91) > (emerging-rbn.rules) >> 2406091 - ET RBN Known Russian 
Business Network Monitored Domains (92) > (emerging-rbn.rules) >> 2406092 - ET RBN Known Russian Business Network Monitored Domains (93) > (emerging-rbn.rules) >> 2406093 - ET RBN Known Russian Business Network Monitored Domains (94) > (emerging-rbn.rules) >> 2406094 - ET RBN Known Russian Business Network Monitored Domains (95) > (emerging-rbn.rules) >> 2406095 - ET RBN Known Russian Business Network Monitored Domains (96) > (emerging-rbn.rules) >> 2406096 - ET RBN Known Russian Business Network Monitored Domains (97) > (emerging-rbn.rules) >> 2406097 - ET RBN Known Russian Business Network Monitored Domains (98) > (emerging-rbn.rules) >> 2406098 - ET RBN Known Russian Business Network Monitored Domains (99) > (emerging-rbn.rules) >> 2406099 - ET RBN Known Russian Business Network Monitored Domains > (100) (emerging-rbn.rules) >> 2406100 - ET RBN Known Russian Business Network Monitored Domains > (101) (emerging-rbn.rules) >> 2406101 - ET RBN Known Russian Business Network Monitored Domains > (102) (emerging-rbn.rules) >> 2406102 - ET RBN Known Russian Business Network Monitored Domains > (103) (emerging-rbn.rules) >> 2406103 - ET RBN Known Russian Business Network Monitored Domains > (104) (emerging-rbn.rules) >> 2406104 - ET RBN Known Russian Business Network Monitored Domains > (105) (emerging-rbn.rules) >> 2406105 - ET RBN Known Russian Business Network Monitored Domains > (106) (emerging-rbn.rules) >> 2406106 - ET RBN Known Russian Business Network Monitored Domains > (107) (emerging-rbn.rules) >> 2406107 - ET RBN Known Russian Business Network Monitored Domains > (108) (emerging-rbn.rules) >> 2406108 - ET RBN Known Russian Business Network Monitored Domains > (109) (emerging-rbn.rules) >> 2406109 - ET RBN Known Russian Business Network Monitored Domains > (110) (emerging-rbn.rules) >> 2406110 - ET RBN Known Russian Business Network Monitored Domains > (111) (emerging-rbn.rules) >> 2406111 - ET RBN Known Russian Business Network Monitored Domains > (112) 
(emerging-rbn.rules) >> 2406112 - ET RBN Known Russian Business Network Monitored Domains > (113) (emerging-rbn.rules) >> 2406113 - ET RBN Known Russian Business Network Monitored Domains > (114) (emerging-rbn.rules) >> 2406114 - ET RBN Known Russian Business Network Monitored Domains > (115) (emerging-rbn.rules) >> 2406115 - ET RBN Known Russian Business Network Monitored Domains > (116) (emerging-rbn.rules) >> 2406116 - ET RBN Known Russian Business Network Monitored Domains > (117) (emerging-rbn.rules) >> 2406117 - ET RBN Known Russian Business Network Monitored Domains > (118) (emerging-rbn.rules) >> 2406118 - ET RBN Known Russian Business Network Monitored Domains > (119) (emerging-rbn.rules) >> 2406119 - ET RBN Known Russian Business Network Monitored Domains > (120) (emerging-rbn.rules) >> 2406120 - ET RBN Known Russian Business Network Monitored Domains > (121) (emerging-rbn.rules) >> 2406121 - ET RBN Known Russian Business Network Monitored Domains > (122) (emerging-rbn.rules) >> 2406122 - ET RBN Known Russian Business Network Monitored Domains > (123) (emerging-rbn.rules) >> 2406123 - ET RBN Known Russian Business Network Monitored Domains > (124) (emerging-rbn.rules) >> 2406124 - ET RBN Known Russian Business Network Monitored Domains > (125) (emerging-rbn.rules) >> 2406125 - ET RBN Known Russian Business Network Monitored Domains > (126) (emerging-rbn.rules) >> 2406126 - ET RBN Known Russian Business Network Monitored Domains > (127) (emerging-rbn.rules) >> 2406127 - ET RBN Known Russian Business Network Monitored Domains > (128) (emerging-rbn.rules) >> 2406128 - ET RBN Known Russian Business Network Monitored Domains > (129) (emerging-rbn.rules) >> 2406129 - ET RBN Known Russian Business Network Monitored Domains > (130) (emerging-rbn.rules) >> 2406130 - ET RBN Known Russian Business Network Monitored Domains > (131) (emerging-rbn.rules) >> 2406131 - ET RBN Known Russian Business Network Monitored Domains > (132) (emerging-rbn.rules) >> 2406132 - ET 
RBN Known Russian Business Network Monitored Domains > (133) (emerging-rbn.rules) >> 2406133 - ET RBN Known Russian Business Network Monitored Domains > (134) (emerging-rbn.rules) >> 2406134 - ET RBN Known Russian Business Network Monitored Domains > (135) (emerging-rbn.rules) >> 2406135 - ET RBN Known Russian Business Network Monitored Domains > (136) (emerging-rbn.rules) >> 2406136 - ET RBN Known Russian Business Network Monitored Domains > (137) (emerging-rbn.rules) >> 2406137 - ET RBN Known Russian Business Network Monitored Domains > (138) (emerging-rbn.rules) >> 2406138 - ET RBN Known Russian Business Network Monitored Domains > (139) (emerging-rbn.rules) >> 2406139 - ET RBN Known Russian Business Network Monitored Domains > (140) (emerging-rbn.rules) >> 2406140 - ET RBN Known Russian Business Network Monitored Domains > (141) (emerging-rbn.rules) >> 2406141 - ET RBN Known Russian Business Network Monitored Domains > (142) (emerging-rbn.rules) >> 2406142 - ET RBN Known Russian Business Network Monitored Domains > (143) (emerging-rbn.rules) >> 2406143 - ET RBN Known Russian Business Network Monitored Domains > (144) (emerging-rbn.rules) >> 2406144 - ET RBN Known Russian Business Network Monitored Domains > (145) (emerging-rbn.rules) >> 2406145 - ET RBN Known Russian Business Network Monitored Domains > (146) (emerging-rbn.rules) >> 2406146 - ET RBN Known Russian Business Network Monitored Domains > (147) (emerging-rbn.rules) >> 2406147 - ET RBN Known Russian Business Network Monitored Domains > (148) (emerging-rbn.rules) >> 2406148 - ET RBN Known Russian Business Network Monitored Domains > (149) (emerging-rbn.rules) >> 2406149 - ET RBN Known Russian Business Network Monitored Domains > (150) (emerging-rbn.rules) >> 2406150 - ET RBN Known Russian Business Network Monitored Domains > (151) (emerging-rbn.rules) >> 2406151 - ET RBN Known Russian Business Network Monitored Domains > (152) (emerging-rbn.rules) >> 2406152 - ET RBN Known Russian Business Network 
Domains - BLOCKING (210) (emerging-rbn-BLOCK.rules)
>> 2407210 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (211) (emerging-rbn-BLOCK.rules)
>> 2407211 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (212) (emerging-rbn-BLOCK.rules)
>> 2407212 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (213) (emerging-rbn-BLOCK.rules)
>>
>>
>> [---] Removed rules: [---]
>>
>> 2008548 - ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (3P and version num) (emerging-malware.rules)
>>
>>
>> [+++] Added non-rule lines: [+++]
>>
>> -> Added to emerging-drop-BLOCK.rules (2):
>> # VERSION 1429
>> # Generated 2009-01-24 00:03:02 EDT
>>
>> -> Added to emerging-drop.rules (2):
>> # VERSION 1429
>> # Generated 2009-01-24 00:03:02 EDT
>>
>> -> Added to emerging-policy.rules (1):
>> #by dxp
>>
>> -> Added to emerging-rbn-BLOCK.rules (2):
>> # VERSION 107
>> # Updated 2009-01-20 00:22:00
>>
>> -> Added to emerging-rbn.rules (2):
>> # VERSION 107
>> # Updated 2009-01-20 00:22:00
>>
>> -> Added to emerging-scan.rules (1):
>> #by kevin ross
>>
>> -> Added to emerging-sid-msg.map (37):
>> 2008665 || ET TROJAN Zbot/Zeus or Related Infection Checkin
>> 2009021 || ET MALWARE Suspicious User Agent (IE_6.0)
>> 2009025 || ET TROJAN Vipdataend C&C Traffic - Checkin (variant 2)
>> 2009026 || ET TROJAN Vipdataend C&C Traffic - Status OK (variant 2)
>> 2009027 || ET MALWARE Suspicious User Agent (FileDownloader)
>> 2009028 || ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop
>> 2009029 || ET WEB SQL Injection Attempt (Agent NV32ts)
>> 2009030 || ET CURRENT_EVENTS NS query for a single dot, possible ddos || url,isc.sans.org/diary.html?storyid=5713
>> 2009031 || ET TROJAN Possible Armitage Loader Request
>> 2009032 || ET TROJAN Armitage Exploit Request
>> 2009033 || ET POLICY Suspicious Executable (PE under 128)
>> 2009034 || ET POLICY Suspicious Executable (PE offset 160)
>> 2009035 || ET POLICY Suspicious Executable (PE offset 512)
>> 2009036 || ET TROJAN Armitage Loader Check-in
>> 2009037 || ET TROJAN Vipdataend C&C Traffic - Checkin (variant 3)
>> 2009038 || ET SCAN SQLNinja MSSQL Version Scan || url,sqlninja.sourceforge.net/index.html
>> 2009039 || ET SCAN SQLNinja MSSQL XPCmdShell Scan || url,sqlninja.sourceforge.net/index.html
>> 2009040 || ET SCAN SQLNinja MSSQL User Scan || url,sqlninja.sourceforge.net/index.html
>> 2009041 || ET SCAN SQLNinja MSSQL Database User Rights Scan || url,sqlninja.sourceforge.net/index.html
>> 2009042 || ET SCAN SQLNinja MSSQL Authentication Mode Scan || url,sqlninja.sourceforge.net/index.html
>> 2009043 || ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure || url,sqlninja.sourceforge.net/index.html
>> 2009044 || ET SCAN SQLNinja Attempt To Create xp_cmdshell Session || url,sqlninja.sourceforge.net/index.html
>> 2009045 || ET WEB_SPECIFIC cfagcms right.php title Parameter SQL Injection || url,milw0rm.com/exploits/7483 || bugtraq,32851
>> 2009046 || ET WEB_ACTIVEX Chilkat Socket Activex Remote Arbitrary File Overwrite 1 || url,milw0rm.com/exploits/7594 || bugtraq,32333
>> 2009047 || ET WEB_ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer Overflow || url,milw0rm.com/exploits/7617 || bugtraq,33053
>> 2009048 || ET WEB_SPECIFIC Sepcity Lawyer Portal deptdisplay.asp ID parameter SQL Injection || bugtraq,33040 || url,milw0rm.com/exploits/7610
>> 2009049 || ET WEB_SPECIFIC RealtyListings type.asp iType Parameter SQL Injection || url,milw0rm.com/exploits/7464 || url,secunia.com/advisories/33167/
>> 2009050 || ET WEB_SPECIFIC RealtyListings detail.asp iPro Parameter SQL Injection || url,milw0rm.com/exploits/7464 || url,secunia.com/advisories/33167/
>> 2009051 || ET WEB_SPECIFIC PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion || bugtraq,25541
>> 2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
>> 2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
>> 2406213 || ET RBN Known Russian Business Network Monitored Domains (214) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
>> 2407213 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
>> 2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
>> 2500077 || ET COMPROMISED Known Compromised or Hostile Host Traffic (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
>> 2510076 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
>> 2510077 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
>>
>> -> Added to emerging-sid-msg.map.txt (37):
>> 2008665 || ET TROJAN Zbot/Zeus or Related Infection Checkin
>> 2009021 || ET MALWARE Suspicious User Agent (IE_6.0)
>> 2009025 || ET TROJAN Vipdataend C&C Traffic - Checkin (variant 2)
>> 2009026 || ET TROJAN Vipdataend C&C Traffic - Status OK (variant 2)
>> 2009027 || ET MALWARE Suspicious User Agent (FileDownloader)
>> 2009028 || ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop
>> 2009029 || ET WEB SQL Injection Attempt (Agent NV32ts)
>> 2009030 || ET CURRENT_EVENTS NS query for a single dot, possible ddos || url,isc.sans.org/diary.html?storyid=5713
>> 2009031 || ET TROJAN Possible Armitage Loader Request
>> 2009032 || ET TROJAN Armitage Exploit Request
>> 2009033 || ET POLICY Suspicious Executable (PE under 128)
>> 2009034 || ET POLICY Suspicious Executable (PE offset 160)
>> 2009035 || ET POLICY Suspicious Executable (PE offset 512)
>> 2009036 || ET TROJAN Armitage Loader Check-in
>> 2009037 || ET TROJAN Vipdataend C&C Traffic - Checkin (variant 3)
>> 2009038 || ET SCAN SQLNinja MSSQL Version Scan || url,sqlninja.sourceforge.net/index.html
>> 2009039 || ET SCAN SQLNinja MSSQL XPCmdShell Scan || url,sqlninja.sourceforge.net/index.html
>> 2009040 || ET SCAN SQLNinja MSSQL User Scan || url,sqlninja.sourceforge.net/index.html
>> 2009041 || ET SCAN SQLNinja MSSQL Database User Rights Scan || url,sqlninja.sourceforge.net/index.html
>> 2009042 || ET SCAN SQLNinja MSSQL Authentication Mode Scan || url,sqlninja.sourceforge.net/index.html
>> 2009043 || ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure || url,sqlninja.sourceforge.net/index.html
>> 2009044 || ET SCAN SQLNinja Attempt To Create xp_cmdshell Session || url,sqlninja.sourceforge.net/index.html
>> 2009045 || ET WEB_SPECIFIC cfagcms right.php title Parameter SQL Injection || url,milw0rm.com/exploits/7483 || bugtraq,32851
>> 2009046 || ET WEB_ACTIVEX Chilkat Socket Activex Remote Arbitrary File Overwrite 1 || url,milw0rm.com/exploits/7594 || bugtraq,32333
>> 2009047 || ET WEB_ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer Overflow || url,milw0rm.com/exploits/7617 || bugtraq,33053
>> 2009048 || ET WEB_SPECIFIC Sepcity Lawyer Portal deptdisplay.asp ID parameter SQL Injection || bugtraq,33040 || url,milw0rm.com/exploits/7610
>> 2009049 || ET WEB_SPECIFIC RealtyListings type.asp iType Parameter SQL Injection || url,milw0rm.com/exploits/7464 || url,secunia.com/advisories/33167/
>> 2009050 || ET WEB_SPECIFIC RealtyListings detail.asp iPro Parameter SQL Injection || url,milw0rm.com/exploits/7464 || url,secunia.com/advisories/33167/
>> 2009051 || ET WEB_SPECIFIC PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion || bugtraq,25541
>> 2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
>> 2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
>> 2406213 || ET RBN Known Russian Business Network Monitored Domains (214) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
>> 2407213 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
>> 2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
>> 2500077 || ET COMPROMISED Known Compromised or Hostile Host Traffic (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
>> 2510076 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
>> 2510077 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
>>
>> -> Added to emerging-virus.rules (1):
>> #by dxp
>>
>> -> Added to emerging-web.rules (1):
>> # By Frank Knobbe
>>
>> -> Added to emerging.rules (1):
>> #by RPG
>>
>> [---] Removed non-rule lines: [---]
>>
>> -> Removed from emerging-drop-BLOCK.rules (2):
>> # VERSION 1422
>> # Generated 2009-01-17 00:03:02 EDT
>>
>> -> Removed from emerging-drop.rules (2):
>> # VERSION 1422
>> # Generated 2009-01-17 00:03:02 EDT
>>
>> -> Removed from emerging-rbn-BLOCK.rules (2):
>> # VERSION 106
>> # Updated 2009-01-17 10:28:54
>>
>> -> Removed from emerging-rbn.rules (2):
>> # VERSION 106
>> # Updated 2009-01-17 10:28:54
>>
>> -> Removed from emerging-sid-msg.map (3):
>> 2008548 || ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (3P and version num)
>> 2008665 || ET TROJAN Obfiscator.vc or Related Infection Checkin
>> 2009021 || ET MALWARE Suspicious User Agent (IE_6.0) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html
>>
>> -> Removed from emerging-sid-msg.map.txt (3):
>> 2008548 || ET MALWARE Systemdoctor.com/Antivir2008
related Fake > Anti-Virus User-Agent (3P and version num) >> 2008665 || ET TROJAN Obfiscator.vc or Related Infection Checkin >> 2009021 || ET MALWARE Suspicious User Agent (IE_6.0) || > url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net > >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> -- >> This message has been scanned for viruses and >> dangerous content by Draytek E-mail System, and is >> believed to be clean. >> > -- > This message has been scanned for viruses and > dangerous content by *Draytek E-mail System* , > and is > believed to be clean. > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From phatbuckett at gmail.com Tue Feb 3 11:58:17 2009 From: phatbuckett at gmail.com (Darren Spruell) Date: Tue, 3 Feb 2009 09:58:17 -0700 Subject: [Emerging-Sigs] 2008664, use of offset Message-ID: <839aec700902030858w314da2b2uf5d4388f11fb0429@mail.gmail.com> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Dropper HTTP Bot grabbing config"; flow: to_server,established; uricontent:".txt"; nocase; content:"Pragma|3a| no-cache"; content:"|0d 0a|User-Agent\: "; content:"|0d 0a|"; offset:6; within:2; pcre:"/User-Agent\: \d{6}\x0d\x0a/"; classtype:trojan-activity; sid:2008664; rev:1;) Is 'offset' the right modifier in this rule for the third content match? 
I don't have payload to compare, but this would seem to make it fall before where I'd expect to find the first CRLF for a typical HTTP request. -- Darren Spruell phatbuckett at gmail.com From jonkman at jonkmans.com Tue Feb 3 13:10:25 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Tue, 03 Feb 2009 13:10:25 -0500 Subject: [Emerging-Sigs] 2008664, use of offset In-Reply-To: <839aec700902030858w314da2b2uf5d4388f11fb0429@mail.gmail.com> References: <839aec700902030858w314da2b2uf5d4388f11fb0429@mail.gmail.com> Message-ID: <49888891.4020004@jonkmans.com> Good catch. Offset is valid here, but the within is killing it. We should make it 8 rather than 6 or it'll never match. Making that change! Matt Darren Spruell wrote: > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN > Generic Dropper HTTP Bot grabbing config"; flow: > to_server,established; uricontent:".txt"; nocase; content:"Pragma|3a| > no-cache"; content:"|0d 0a|User-Agent\: "; content:"|0d 0a|"; > offset:6; within:2; pcre:"/User-Agent\: \d{6}\x0d\x0a/"; > classtype:trojan-activity; sid:2008664; rev:1;) > > Is 'offset' the right modifier in this rule for the third content > match? I don't have payload to compare, but this would seem to make it > fall before where I'd expect to find the first CRLF for a typical HTTP > request. > -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Tue Feb 3 15:13:21 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Tue, 03 Feb 2009 15:13:21 -0500 Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Feb-02-2009 In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2922@webmail.latis.com> References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C2922@webmail.latis.com> Message-ID: <4988A561.1080907@jonkmans.com> Posted, thanks! 
matt signatures wrote: > Hi Matt, > > Please find 10 New Signatures below: > > 1. *WEB-PHP PHP-Daily add_postit.php id Parameter SQL Injection* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > PHP-Daily add_postit.php id Parameter SQL Injection"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/add_postit.php?"; nocase; uricontent:"mode=rep"; nocase; > uricontent:"id="; nocase; pcre:"/UNION.+SELECT/Ui"; > classtype:web-application-attack;reference:url,secunia.com/Advisories/32408; > reference:url,milw0rm.com/exploits/6833; sid:2008588; rev:1;) > > 2. *WEB-PHP PHP-Daily delete.php id Parameter SQL Injection* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > PHP-Daily delete.php id Parameter SQL Injection"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/delete.php?"; nocase; uricontent:"mode=postit"; nocase; > uricontent:"id="; nocase; pcre:"/UNION.+SELECT/Ui"; > classtype:web-application-attack;reference:url,secunia.com/Advisories/32/32408; > reference:url,milw0rm.com/exploits/6833; sid:2008589; rev:1;) > > 3. *WEB-PHP PHP-Fusion Members CV(job) Module members.php sortby > parameter SQL injection* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > PHP-Fusion Members CV(job) Module members.php sortby parameter SQL > injection"; flow:established,to_server; content:"GET "; depth:4; > uricontent:"/members.php?"; nocase; uricontent:"sortby="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:bugtraq,33156; reference:url,milw0rm.com/exploits/7697; > sid:2008270; rev:1;) > > 4. 
*WEB-PHP iGaming CMS previews.php browse parameter SQL injection* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > iGaming CMS previews.php browse parameter SQL injection"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/previews.php?"; nocase; uricontent:"browse="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:cve,2008-5841; reference:bugtraq,31340; > reference:url,milw0rm.com/exploits/6540; sid:2008272; rev:1;) > > 5. *WEB-PHP iGaming CMS reviews.php browse parameter SQL injection* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > iGaming CMS reviews.php browse parameter SQL injection"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/reviews.php?"; nocase; uricontent:"browse="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:cve,2008-5841; reference:bugtraq,31340; > reference:url,milw0rm.com/exploits/6540; sid:2008273; rev:1;) > > 6. *WEB-PHP phpSkelSite TplSuffix parameter local file inclusion* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > phpSkelSite TplSuffix parameter local file inclusion"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/login.tpl.php?"; nocase; uricontent:"TplSuffix="; nocase; > content:"../"; classtype:web-application-attack; > reference:bugtraq,33092; sid:2008249; rev:1;) > > 7. 
*WEB-PHP phpSkelSite theme parameter remote file inclusion* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > phpSkelSite theme parameter remote file inclusion"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/login.tpl.php?"; nocase; uricontent:"theme="; nocase; > pcre:"/theme=\s*(ftps?|https?|php)\:\//Ui"; > classtype:web-application-attack; reference:bugtraq,33092; sid:2008250; > rev:1;) > > 8. *WEB-PHP PNphpBB2 admin_words.php ModName parameter Local File > inclusion* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > PNphpBB2 admin_words.php ModName parameter Local File inclusion"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/admin/admin_words.php?"; nocase; uricontent:"ModName="; > nocase; content:"../"; classtype:web-application-attack; > reference:bugtraq,33103; sid:2008251; rev:1;) > > 9. *WEB-PHP PNphpBB2 admin_groups_reapir.php ModName parameter > Local File inclusion* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > PNphpBB2 admin_groups_reapir.php ModName parameter Local File > inclusion"; flow:established,to_server; content:"GET "; depth:4; > uricontent:"/admin/admin_groups_reapir.php?"; nocase; > uricontent:"ModName="; nocase; content:"../"; > classtype:web-application-attack; reference:bugtraq,33103; sid:2008252; > rev:1;) > > 10. *WEB-PHP PNphpBB2 admin_smilies.php ModName parameter Local File > inclusion* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > PNphpBB2 admin_smilies.php ModName parameter Local File inclusion"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/admin/admin_smilies.php?"; nocase; uricontent:"ModName="; > nocase; content:"../"; classtype:web-application-attack; > reference:bugtraq,33103; sid:2008253; rev:1;) > > Looking forward for your comments, if any? 
> > > Thanks & Regards, > StillSecure > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From emerging at emergingthreats.net Tue Feb 3 16:00:08 2009 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Tue, 3 Feb 2009 16:00:08 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20090203210008.E839545026@goliath.jonkmans.com> [***] Results from Oinkmaster started Tue Feb 3 16:00:08 2009 [***] [+++] Added rules: [+++] 2009065 - ET WEB_SPECIFIC PHP-Daily add_postit.php id Parameter SQL Injection (emerging-web_sql_injection.rules) 2009066 - ET WEB_SPECIFIC PHP-Daily delete.php id Parameter SQL Injection (emerging-web_sql_injection.rules) 2009067 - ET WEB_SPECIFIC PHP-Fusion Members CV(job) Module members.php sortby parameter SQL injection (emerging-web_sql_injection.rules) 2009068 - ET WEB_SPECIFIC iGaming CMS previews.php browse parameter SQL injection (emerging-web_sql_injection.rules) 2009069 - ET WEB_SPECIFIC iGaming CMS reviews.php browse parameter SQL injection (emerging-web_sql_injection.rules) 2009070 - ET WEB_SPECIFIC phpSkelSite TplSuffix parameter local file inclusion (emerging-web_sql_injection.rules) 2009071 - ET WEB_SPECIFIC phpSkelSite theme parameter remote file inclusion (emerging-web_sql_injection.rules) 2009073 - ET WEB_SPECIFIC PNphpBB2 admin_words.php ModName parameter Local File inclusion (emerging-web_sql_injection.rules) 2009074 - ET WEB_SPECIFIC PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion 
(emerging-web_sql_injection.rules) 2009075 - ET WEB_SPECIFIC PNphpBB2 admin_smilies.php ModName parameter Local File inclusion (emerging-web_sql_injection.rules) [///] Modified active rules: [///] 2008664 - ET TROJAN Generic Dropper HTTP Bot grabbing config (emerging-virus.rules) 2009042 - ET SCAN SQLNinja MSSQL Authentication Mode Scan (emerging-scan.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (12): 2009065 || ET WEB_SPECIFIC PHP-Daily add_postit.php id Parameter SQL Injection || url,milw0rm.com/exploits/6833 || url,secunia.com/Advisories/32408 2009066 || ET WEB_SPECIFIC PHP-Daily delete.php id Parameter SQL Injection || url,milw0rm.com/exploits/6833 || url,secunia.com/Advisories/32/32408 2009067 || ET WEB_SPECIFIC PHP-Fusion Members CV(job) Module members.php sortby parameter SQL injection || url,milw0rm.com/exploits/7697 || bugtraq,33156 2009068 || ET WEB_SPECIFIC iGaming CMS previews.php browse parameter SQL injection || url,milw0rm.com/exploits/6540 || bugtraq,31340 || cve,2008-5841 2009069 || ET WEB_SPECIFIC iGaming CMS reviews.php browse parameter SQL injection || url,milw0rm.com/exploits/6540 || bugtraq,31340 || cve,2008-5841 2009070 || ET WEB_SPECIFIC phpSkelSite TplSuffix parameter local file inclusion || bugtraq,33092 2009071 || ET WEB_SPECIFIC phpSkelSite theme parameter remote file inclusion || bugtraq,33092 2009073 || ET WEB_SPECIFIC PNphpBB2 admin_words.php ModName parameter Local File inclusion || bugtraq,33103 2009074 || ET WEB_SPECIFIC PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion || bugtraq,33103 2009075 || ET WEB_SPECIFIC PNphpBB2 admin_smilies.php ModName parameter Local File inclusion || bugtraq,33103 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org -> Added to emerging-sid-msg.map.txt (12): 2009065 || ET WEB_SPECIFIC PHP-Daily add_postit.php id Parameter 
SQL Injection || url,milw0rm.com/exploits/6833 || url,secunia.com/Advisories/32408 2009066 || ET WEB_SPECIFIC PHP-Daily delete.php id Parameter SQL Injection || url,milw0rm.com/exploits/6833 || url,secunia.com/Advisories/32/32408 2009067 || ET WEB_SPECIFIC PHP-Fusion Members CV(job) Module members.php sortby parameter SQL injection || url,milw0rm.com/exploits/7697 || bugtraq,33156 2009068 || ET WEB_SPECIFIC iGaming CMS previews.php browse parameter SQL injection || url,milw0rm.com/exploits/6540 || bugtraq,31340 || cve,2008-5841 2009069 || ET WEB_SPECIFIC iGaming CMS reviews.php browse parameter SQL injection || url,milw0rm.com/exploits/6540 || bugtraq,31340 || cve,2008-5841 2009070 || ET WEB_SPECIFIC phpSkelSite TplSuffix parameter local file inclusion || bugtraq,33092 2009071 || ET WEB_SPECIFIC phpSkelSite theme parameter remote file inclusion || bugtraq,33092 2009073 || ET WEB_SPECIFIC PNphpBB2 admin_words.php ModName parameter Local File inclusion || bugtraq,33103 2009074 || ET WEB_SPECIFIC PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion || bugtraq,33103 2009075 || ET WEB_SPECIFIC PNphpBB2 admin_smilies.php ModName parameter Local File inclusion || bugtraq,33103 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org From frank at knobbe.us Tue Feb 3 23:19:43 2009 From: frank at knobbe.us (Frank Knobbe) Date: Tue, 03 Feb 2009 22:19:43 -0600 Subject: [Emerging-Sigs] 2008664, use of offset In-Reply-To: <49888891.4020004@jonkmans.com> References: <839aec700902030858w314da2b2uf5d4388f11fb0429@mail.gmail.com> <49888891.4020004@jonkmans.com> Message-ID: <1233721183.36419.7.camel@server1> On Tue, 2009-02-03 at 13:10 -0500, Matt Jonkman wrote: > Good catch. Offset is valid here, but the within is killing it. We > should make it 8 rather than 6 or it'll never match. Uhm... no. 
:)

You want to make it "distance", not "offset". "offset" and "depth" start from the packet's beginning. "distance" and "within" start from the last match. So, "offset" here is completely wrong :)

I could refer you to snort.org and the section on how to write Snort rules, but that may be more of interest for the original submitter :)

Regards,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.

From dokas at oitsec.umn.edu Tue Feb 3 23:23:14 2009
From: dokas at oitsec.umn.edu (Paul Dokas)
Date: Tue, 03 Feb 2009 22:23:14 -0600
Subject: [Emerging-Sigs] nasty PDFs
Message-ID: <49891832.4080101@oitsec.umn.edu>

We've been taking a large number of Vundo infections recently that have been coming through online ad sites serving up PDFs that exploit vulns probably in acroread. Here's a rule to ID the serving sites:

It's basically a loose rework of another ET Nginx detection rule. The last two content: clauses could use a lot of tightening up.

Paul

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Nginx Server in use - Possible malware content (PDF)"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server\: nginx"; nocase; distance:4; within:300; content:"Content-Type\: application/pdf"; nocase; within: 400; content:"Content-Disposition\: inline"; nocase; within: 400; threshold:type limit, seconds 60, count 10, track by_src; classtype:bad-unknown;)

--
Paul Dokas dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
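The positioning question in the sid 2008664 thread above, worked as an added Python example (not code from the list or from Snort): a simplified model in which offset/depth count from the start of the payload and distance/within from the end of the previous content match, run over constructed requests. The helper names, the sample requests and the first-match-only search are assumptions of this example; the rule's pcre is not modelled.

```python
"""Simplified model of Snort content positioning (added example)."""


def find_content(payload, pattern, prev_end=0, offset=None, depth=None,
                 distance=None, within=None):
    """Return the index just past the first permitted match, or None.

    Assumed model: offset/depth are counted from the start of the payload,
    distance/within from the end of the previous content match.
    """
    absolute = offset is not None or depth is not None
    relative = distance is not None or within is not None
    if absolute and relative:
        raise ValueError("mixing absolute and relative modifiers is not modelled")
    if relative:
        start = max(prev_end + (distance or 0), 0)
        end = start + within if within is not None else len(payload)
    else:
        start = offset or 0
        end = start + depth if depth is not None else len(payload)
    # bytes.find only reports a hit that lies entirely inside [start, end).
    hit = payload.find(pattern, start, min(end, len(payload)))
    return None if hit < 0 else hit + len(pattern)


def match_chain(payload, contents):
    """True if every (pattern, modifiers) pair matches, evaluated in rule order.

    Simplification: only the first occurrence of each pattern is tried; a real
    engine also retries later occurrences when a relative match fails.
    """
    prev_end = 0
    for pattern, mods in contents:
        prev_end = find_content(payload, pattern, prev_end, **mods)
        if prev_end is None:
            return False
    return True


def sid_2008664_contents(crlf_mods):
    """The rule's three content matches, with the CRLF modifiers swapped in."""
    return [
        (b"Pragma: no-cache", {}),
        (b"\r\nUser-Agent: ", {}),
        (b"\r\n", crlf_mods),
    ]


def request(path, user_agent):
    """Build a constructed HTTP request (sample data, not captured traffic)."""
    return (b"GET " + path + b" HTTP/1.1\r\nHost: example.invalid\r\n"
            b"Pragma: no-cache\r\nUser-Agent: " + user_agent + b"\r\n\r\n")


SAMPLES = {
    "bot": request(b"/cfg.txt", b"123456"),        # six-digit User-Agent
    "browser": request(b"/notes.txt", b"Mozilla/5.0 (X11; Linux)"),
    "short": request(b"/a.txt", b"abc"),           # shorter than six bytes
}

VARIANTS = {
    "offset:6": {"offset": 6},                      # any CRLF after byte 6
    "offset:6; depth:2": {"offset": 6, "depth": 2},  # CRLF at bytes 6-7 only
    "within:8": {"within": 8},                      # CRLF ends within 8 bytes
    "distance:6; within:2": {"distance": 6, "within": 2},  # exactly 6 bytes, then CRLF
}


def evaluate():
    """Run every modifier variant against every sample request."""
    return {
        name: {label: match_chain(payload, sid_2008664_contents(mods))
               for label, payload in SAMPLES.items()}
        for name, mods in VARIANTS.items()
    }


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:22} {row}")
```

Under this model only the relative pair pins the CRLF to exactly six bytes after the User-Agent match; a bare absolute offset fires on every request, and within:8 alone also accepts shorter User-Agent values.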
From frank at knobbe.us Wed Feb 4 00:11:12 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Tue, 03 Feb 2009 23:11:12 -0600
Subject: [Emerging-Sigs] Proposal for reference additions
Message-ID: <1233724272.39097.7.camel@server1>

Greetings,

while some rules have the Documentation Wiki pages as a reference (even when they are not used), I was thinking of adding this reference to *all* signatures.

Likewise, I would like to add a reference for each rule that links back to the CVS Web interface to provide a bit of historical information for the rules (for example, to find out how old the rule is and what changes have occurred).

This would affect all rules, so a lot of changes. But since that can be automated/scripted, it wouldn't require a lot of work.

I wanted to check here and poll your opinion. Personally I think those references would be useful for a quick click-through to the Wiki (to check on rule documentation... and perhaps even get some folks to enter some) and quick look-up for changes to a rule. I think it would be more convenient to do this with a quick click-through from $YOUR_IDS_PORTAL to the ET web page instead of going hunting for CVS change logs.

Please let me know if there is any reluctance, resistance, or revolt from your side if I were to add these :) If the response is favorable, I'll have those added pretty quick.

Thanks,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
From phatbuckett at gmail.com Wed Feb 4 00:16:55 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Tue, 3 Feb 2009 22:16:55 -0700
Subject: [Emerging-Sigs] Proposal for reference additions
In-Reply-To: <1233724272.39097.7.camel@server1>
References: <1233724272.39097.7.camel@server1>
Message-ID: <839aec700902032116iddd94b0v688a4b71a23444e9@mail.gmail.com>

On Tue, Feb 3, 2009 at 10:11 PM, Frank Knobbe wrote:
> Greetings,
>
> while some rules have the Documentation Wiki pages as a reference (even
> when they are not used), I was thinking of adding this reference to
> *all* signatures.

Seconded.

> Likewise, I would like to add a reference for each rule that links back
> to the CVS Web interface to provide a bit of historical information for
> the rules (for example, and to find out how old the rule is and what
> changes have occurred).

Seconded.

> Please let me know if there is any reluctance, resistance, or revolt
> from your side if I were to add these :) If the response is favorable,
> I'll have those added pretty quick.

I've thought for some time this would be of benefit as community-driven rule documentation is in many cases as useful (IOW: very) as the rule contributions themselves. I picture links to threat reports, analysis resources, media coverage, sample payloads, sources of infections, etc.

--
Darren Spruell
phatbuckett at gmail.com

From david.glosser at gmail.com Wed Feb 4 06:32:57 2009
From: david.glosser at gmail.com (David Glosser)
Date: Wed, 4 Feb 2009 06:32:57 -0500
Subject: [Emerging-Sigs] Proposal for reference additions
In-Reply-To: <839aec700902032116iddd94b0v688a4b71a23444e9@mail.gmail.com>
References: <1233724272.39097.7.camel@server1> <839aec700902032116iddd94b0v688a4b71a23444e9@mail.gmail.com>
Message-ID:

really like this idea.
Would be especially useful for researching false positives and adding a FP or comment to the wikipage quickly

On Wed, Feb 4, 2009 at 12:16 AM, Darren Spruell wrote:

> On Tue, Feb 3, 2009 at 10:11 PM, Frank Knobbe wrote:
> > Greetings,
> >
> > while some rules have the Documentation Wiki pages as a reference (even
> > when they are not used), I was thinking of adding this reference to
> > *all* signatures.
>
> Seconded.
>
> > Likewise, I would like to add a reference for each rule that links back
> > to the CVS Web interface to provide a bit of historical information for
> > the rules (for example, and to find out how old the rule is and what
> > changes have occurred).
>
> Seconded.
>
> > Please let me know if there is any reluctance, resistance, or revolt
> > from your side if I were to add these :) If the response is favorable,
> > I'll have those added pretty quick.
>
> I've thought for some time this would be of benefit as
> community-driven rule documentation is in many cases as useful (IOW:
> very) as the rule contributions themselves. I picture links to threat
> reports, analysis resources, media coverage, sample payloads, sources
> of infections, etc.
>
> --
> Darren Spruell
> phatbuckett at gmail.com

From vickslee at gmail.com Wed Feb 4 07:38:50 2009
From: vickslee at gmail.com (Victor Lee)
Date: Wed, 4 Feb 2009 20:38:50 +0800
Subject: [Emerging-Sigs] snort rules to detect mms virus
Message-ID: <117842850902040438vf591093m71a5de034934b169@mail.gmail.com>

Hi,

Could anyone share with me the snort rules to detect MMS virus such as Commwarrior?

Many thanks.
BR,

KS

From vickslee at gmail.com Wed Feb 4 07:55:08 2009
From: vickslee at gmail.com (Victor Lee)
Date: Wed, 4 Feb 2009 20:55:08 +0800
Subject: [Emerging-Sigs] snort rules to detect mms virus
Message-ID: <117842850902040455v35f1a4c1l78d0095dea15e5da@mail.gmail.com>

Hi,

Does anyone share with me some of those snort rules to detect MMS virus such as Commwarrior?

BR,

KS

From jonkman at jonkmans.com Wed Feb 4 08:33:41 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 04 Feb 2009 08:33:41 -0500
Subject: [Emerging-Sigs] snort rules to detect mms virus
In-Reply-To: <117842850902040455v35f1a4c1l78d0095dea15e5da@mail.gmail.com>
References: <117842850902040455v35f1a4c1l78d0095dea15e5da@mail.gmail.com>
Message-ID: <49899935.9080000@jonkmans.com>

Don't know much about that one. If you have more detail we can probably work up something.

Matt

Victor Lee wrote:
> Hi,
>
> Does anyone share with me some of those snort rules to detect MMS virus
> such as Commwarrior ?
>
> BR,
>
> KS

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed Feb 4 08:38:57 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 04 Feb 2009 08:38:57 -0500
Subject: [Emerging-Sigs] Proposal for reference additions
In-Reply-To:
References: <1233724272.39097.7.camel@server1> <839aec700902032116iddd94b0v688a4b71a23444e9@mail.gmail.com>
Message-ID: <49899A71.4010009@jonkmans.com>

The idea overall is what you suggest. The event managers (I believe) are adding a direct reference for the ET sigs as pointing to http://doc.emergingthreats.net/

That'll always go straight to the docs for that sig. Although I haven't been checking in to make sure that got added to recent versions of the major event managers.

That work for everyone?

Matt

David Glosser wrote:
> really like this idea. Would be especially useful for researching false
> positives and adding a FP or comment to the wikipage quickly
>
>
> On Wed, Feb 4, 2009 at 12:16 AM, Darren Spruell wrote:
>
> On Tue, Feb 3, 2009 at 10:11 PM, Frank Knobbe wrote:
> > Greetings,
> >
> > while some rules have the Documentation Wiki pages as a reference (even
> > when they are not used), I was thinking of adding this reference to
> > *all* signatures.
>
> Seconded.
>
> > Likewise, I would like to add a reference for each rule that links back
> > to the CVS Web interface to provide a bit of historical information for
> > the rules (for example, and to find out how old the rule is and what
> > changes have occurred).
>
> Seconded.
>
> > Please let me know if there is any reluctance, resistance, or revolt
> > from your side if I were to add these :) If the response is favorable,
> > I'll have those added pretty quick.
>
> I've thought for some time this would be of benefit as
> community-driven rule documentation is in many cases as useful (IOW:
> very) as the rule contributions themselves. I picture links to threat
> reports, analysis resources, media coverage, sample payloads, sources
> of infections, etc.
>
> --
> Darren Spruell
> phatbuckett at gmail.com

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed Feb 4 08:58:06 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 04 Feb 2009 08:58:06 -0500
Subject: [Emerging-Sigs] Proposal for reference additions
In-Reply-To: <1233724272.39097.7.camel@server1>
References: <1233724272.39097.7.camel@server1>
Message-ID: <49899EEE.4080500@jonkmans.com>

I like the idea of referencing cvs... but maybe we could more easily do that by adding that link to the wiki page? Then we still just need the stock sid reference for each sig.

Matt

Frank Knobbe wrote:
> Greetings,
>
> while some rules have the Documentation Wiki pages as a reference (even
> when they are not used), I was thinking of adding this reference to
> *all* signatures.
>
> Likewise, I would like to add a reference for each rule that links back
> to the CVS Web interface to provide a bit of historical information for
> the rules (for example, and to find out how old the rule is and what
> changes have occurred).
>
> This would effect all rules, so a lot of changes. But since that can be
> automated/scripted, it wouldn't require a lot of work.
>
> I wanted to check here and poll your opinion. Personally I think those
> references would be useful for a quick click-through to the Wiki (for
> check on rule documentation.... and perhaps even get some folks to enter
> some) and quick look-up for changes to a rule. I think it would be more
> convenient to do this with a quick click-through from $YOUR_IDS_PORTAL
> to the ET web page instead of going hunting for CVS change logs.
>
> Please let me know if there is any reluctance, resistance, or revolt
> from your side if I were to add these :) If the response is favorable,
> I'll have those added pretty quick.
>
> Thanks,
> Frank

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed Feb 4 09:06:46 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 04 Feb 2009 09:06:46 -0500
Subject: [Emerging-Sigs] 2008664, use of offset
In-Reply-To: <1233721183.36419.7.camel@server1>
References: <839aec700902030858w314da2b2uf5d4388f11fb0429@mail.gmail.com> <49888891.4020004@jonkmans.com> <1233721183.36419.7.camel@server1>
Message-ID: <4989A0F6.2060806@jonkmans.com>

Offset goes from the last content match as well:

snip

The offset keyword allows the rule writer to specify where to start searching for a pattern within a packet. offset modifies the previous 'content' keyword in the rule.

snip

So this will work as well.
Distance would match in that first 6 which the rule doesn't want to do as I understand it. ya?

Matt

Frank Knobbe wrote:
> On Tue, 2009-02-03 at 13:10 -0500, Matt Jonkman wrote:
>> Good catch. Offset is valid here, but the within is killing it. We
>> should make it 8 rather than 6 or it'll never match.
>
> Uhm... no. :)
>
> You want to make it "distance", not "offset". "offset" and "depth" start
> from the packets beginning. "distance" and "within" start from the last
> match. So, "offset" here is completely wrong :)
>
> I could refer you to snort.org and the section on how to write Snort
> rules, but that may be more of interest for the original submitter :)
>
> Regards,
> Frank

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From eslerj at gmail.com Wed Feb 4 09:20:48 2009
From: eslerj at gmail.com (Joel Esler)
Date: Wed, 4 Feb 2009 09:20:48 -0500
Subject: [Emerging-Sigs] 2008664, use of offset
In-Reply-To: <4989A0F6.2060806@jonkmans.com>
References: <839aec700902030858w314da2b2uf5d4388f11fb0429@mail.gmail.com> <49888891.4020004@jonkmans.com> <1233721183.36419.7.camel@server1> <4989A0F6.2060806@jonkmans.com>
Message-ID:

Offset starts at the beginning of the packet.
Depth tells the search how far to go, from the beginning of the last content match.

Distance starts at the end of the previous content match and reads forward
Within tells the search how far to go from the end of the last content match.

J

On Feb 4, 2009, at 9:06 AM, Matt Jonkman allegedly wrote:

> Offset goes from the last content match as well:
>
> snip
>
> The offset keyword allows the rule writer to specify where to start
> searching for a pattern within a packet. offset modifies the previous
> 'content' keyword in the rule.
>
> snip
>
> So this will work as well.
Distance would match in that first 6 which > the rule doesn't want to do as I understand it. ya? > > Matt > > Frank Knobbe wrote: >> On Tue, 2009-02-03 at 13:10 -0500, Matt Jonkman wrote: >>> Good catch. Offset is valid here, but the within is killing it. We >>> should make it 8 rather than 6 or it'll never match. >> >> Uhm... no. :) >> >> You want to make it "distance", not "offset". "offset" and "depth" >> start >> from the packets beginning. "distance" and "within" start from the >> last >> match. So, "offset" here is completely wrong :) >> >> I could refer you to snort.org and the section on how to write Snort >> rules, but that may be more of interest for the original submitter :) >> >> Regards, >> Frank >> >> >> > > -- > -------------------------------------------- > Matthew Jonkman > Emerging Threats > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > -------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- Joel Esler ? http://www.joelesler.net ? http://www.twitter.com/joelesler [m] From jonkman at jonkmans.com Wed Feb 4 09:50:06 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 04 Feb 2009 09:50:06 -0500 Subject: [Emerging-Sigs] 2008664, use of offset In-Reply-To: References: <839aec700902030858w314da2b2uf5d4388f11fb0429@mail.gmail.com> <49888891.4020004@jonkmans.com> <1233721183.36419.7.camel@server1> <4989A0F6.2060806@jonkmans.com> Message-ID: <4989AB1E.8010205@jonkmans.com> I originally was thinking offset was start of the packet always as well, but the manual (as snipped below) disagrees. Are we all confused or is the manual incorrect? :) Matt Joel Esler wrote: > Offset starts at the beginning of the packet. > Depth tells the search how far to go, from the beginning of the last > content match. 
> > Distance starts at the end of the previous content match and reads > forward > Within tells the search how far to go from the end of the last content > match. > > J > > On Feb 4, 2009, at 9:06 AM, Matt Jonkman allegedly wrote: > >> Offset goes from the last content match as well: >> >> snip >> >> The offset keyword allows the rule writer to specify where to start >> searching for a pattern within a packet. offset modifies the previous >> 'content' keyword in the rule. >> >> snip >> >> So this will work as well. Distance would match in that first 6 which >> the rule doesn't want to do as I understand it. ya? >> >> Matt >> >> Frank Knobbe wrote: >>> On Tue, 2009-02-03 at 13:10 -0500, Matt Jonkman wrote: >>>> Good catch. Offset is valid here, but the within is killing it. We >>>> should make it 8 rather than 6 or it'll never match. >>> Uhm... no. :) >>> >>> You want to make it "distance", not "offset". "offset" and "depth" >>> start >>> from the packets beginning. "distance" and "within" start from the >>> last >>> match. So, "offset" here is completely wrong :) >>> >>> I could refer you to snort.org and the section on how to write Snort >>> rules, but that may be more of interest for the original submitter :) >>> >>> Regards, >>> Frank >>> >>> >>> >> -- >> -------------------------------------------- >> Matthew Jonkman >> Emerging Threats >> Phone 765-429-0398 >> Fax 312-264-0205 >> http://www.emergingthreats.net >> -------------------------------------------- >> >> PGP: http://www.jonkmans.com/mattjonkman.asc >> >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > > -- > Joel Esler > ? http://www.joelesler.net > ? 
http://www.twitter.com/joelesler > [m] > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Wed Feb 4 09:51:27 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 04 Feb 2009 09:51:27 -0500 Subject: [Emerging-Sigs] nasty PDFs In-Reply-To: <49891832.4080101@oitsec.umn.edu> References: <49891832.4080101@oitsec.umn.edu> Message-ID: <4989AB6F.4000701@jonkmans.com> Interesting idea Paul! I'll put this into current_events and we can test it out for a bit and see what happens. Sound good? matt Paul Dokas wrote: > We've been taking a large number of Vundo infections recently that have > been coming through online ad sites serving up PDFs that exploit vulns > probably in acroread. Here's a rule to ID the serving sites: It's > basically a loose rework of another ET Nginx detection rule. The last > two content: clauses could use a lot of tightening up. 
> > Paul > > > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Nginx Server in use - Possible malware content (PDF)"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server\: nginx"; nocase; distance:4; within:300; > content:"Content-Type\: application/pdf"; nocase; within: 400; content:"Content-Disposition\: inline"; nocase; within: 400; threshold:type limit, seconds 60, count 10, track by_src; classtype:bad-unknown;) -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From eslerj at gmail.com Wed Feb 4 10:11:14 2009 From: eslerj at gmail.com (Joel Esler) Date: Wed, 4 Feb 2009 10:11:14 -0500 Subject: [Emerging-Sigs] 2008664, use of offset In-Reply-To: <4989AB1E.8010205@jonkmans.com> References: <839aec700902030858w314da2b2uf5d4388f11fb0429@mail.gmail.com> <49888891.4020004@jonkmans.com> <1233721183.36419.7.camel@server1> <4989A0F6.2060806@jonkmans.com> <4989AB1E.8010205@jonkmans.com> Message-ID: I think you are confused: "The offset keyword allows the rule writer to specify where to start > >> searching for a pattern within a packet. offset modifies the previous >> 'content' keyword in the rule." Offset keyword... start searching... pattern. (so beginning of packet) Now for second sentence which is where you are confused. Offset modifies the previous content keyword. Meaning it doesn't take it into effect. It "modifies" where the ptr is. If you use a content:"joel"; offset:3; content:"esler"; offset:7; The second content modified the first content, in that it ignored where the ptr was set and started looking for esler from the beginning again. J On Feb 4, 2009, at 9:50 AM, Matt Jonkman allegedly wrote: > I originally was thinking offset was start of the packet always as > well, > but the manual (as snipped below) disagrees. 
> > Are we all confused or is the manual incorrect? :) > > Matt > > Joel Esler wrote: >> Offset starts at the beginning of the packet. >> Depth tells the search how far to go, from the beginning of the last >> content match. >> >> Distance starts at the end of the previous content match and reads >> forward >> Within tells the search how far to go from the end of the last >> content >> match. >> >> J >> >> On Feb 4, 2009, at 9:06 AM, Matt Jonkman allegedly wrote: >> >>> Offset goes from the last content match as well: >>> >>> snip >>> >>> The offset keyword allows the rule writer to specify where to start >>> searching for a pattern within a packet. offset modifies the >>> previous >>> 'content' keyword in the rule. >>> >>> snip >>> >>> So this will work as well. Distance would match in that first 6 >>> which >>> the rule doesn't want to do as I understand it. ya? >>> >>> Matt >>> >>> Frank Knobbe wrote: >>>> On Tue, 2009-02-03 at 13:10 -0500, Matt Jonkman wrote: >>>>> Good catch. Offset is valid here, but the within is killing it. We >>>>> should make it 8 rather than 6 or it'll never match. >>>> Uhm... no. :) >>>> >>>> You want to make it "distance", not "offset". "offset" and "depth" >>>> start >>>> from the packets beginning. "distance" and "within" start from the >>>> last >>>> match. 
So, "offset" here is completely wrong :) >>>> >>>> I could refer you to snort.org and the section on how to write >>>> Snort >>>> rules, but that may be more of interest for the original >>>> submitter :) >>>> >>>> Regards, >>>> Frank >>>> >>>> >>>> >>> -- >>> -------------------------------------------- >>> Matthew Jonkman >>> Emerging Threats >>> Phone 765-429-0398 >>> Fax 312-264-0205 >>> http://www.emergingthreats.net >>> -------------------------------------------- >>> >>> PGP: http://www.jonkmans.com/mattjonkman.asc >>> >>> >>> _______________________________________________ >>> Emerging-sigs mailing list >>> Emerging-sigs at emergingthreats.net >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> >> -- >> Joel Esler >> ? http://www.joelesler.net >> ? http://www.twitter.com/joelesler >> [m] >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > -- > -------------------------------------------- > Matthew Jonkman > Emerging Threats > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > -------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > > -- Joel Esler ? http://www.joelesler.net ? http://www.twitter.com/joelesler [m] From jonkman at jonkmans.com Wed Feb 4 13:01:59 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 04 Feb 2009 13:01:59 -0500 Subject: [Emerging-Sigs] 2008664, use of offset In-Reply-To: References: <839aec700902030858w314da2b2uf5d4388f11fb0429@mail.gmail.com> <49888891.4020004@jonkmans.com> <1233721183.36419.7.camel@server1> <4989A0F6.2060806@jonkmans.com> <4989AB1E.8010205@jonkmans.com> Message-ID: <4989D817.90204@jonkmans.com> OK, ya. You're right. That's what I thought initially but went and re-read it when the question came up and didn't read closely enough. I'll modify it to be distance 6 and within 8. 
That'd get the bytes at position 7 and 8 after the end of the previous match, which is what we're looking for. Thanks Matt Joel Esler wrote: > I think you are confused: > > "The offset keyword allows the rule writer to specify where to start >>> searching for a pattern within a packet. offset modifies the previous >>> 'content' keyword in the rule." > > Offset keyword... start searching... pattern. (so beginning of > packet) Now for second sentence which is where you are confused. > > Offset modifies the previous content keyword. Meaning it doesn't take > it into effect. It "modifies" where the ptr is. If you use a > > content:"joel"; offset:3; content:"esler"; offset:7; > > The second content modified the first content, in that it ignored > where the ptr was set and started looking for esler from the beginning > again. > > J > > > On Feb 4, 2009, at 9:50 AM, Matt Jonkman allegedly wrote: > >> I originally was thinking offset was start of the packet always as >> well, >> but the manual (as snipped below) disagrees. >> >> Are we all confused or is the manual incorrect? :) >> >> Matt >> >> Joel Esler wrote: >>> Offset starts at the beginning of the packet. >>> Depth tells the search how far to go, from the beginning of the last >>> content match. >>> >>> Distance starts at the end of the previous content match and reads >>> forward >>> Within tells the search how far to go from the end of the last >>> content >>> match. >>> >>> J >>> >>> On Feb 4, 2009, at 9:06 AM, Matt Jonkman allegedly wrote: >>> >>>> Offset goes from the last content match as well: >>>> >>>> snip >>>> >>>> The offset keyword allows the rule writer to specify where to start >>>> searching for a pattern within a packet. offset modifies the >>>> previous >>>> 'content' keyword in the rule. >>>> >>>> snip >>>> >>>> So this will work as well. Distance would match in that first 6 >>>> which >>>> the rule doesn't want to do as I understand it. ya? 
>>>> >>>> Matt >>>> >>>> Frank Knobbe wrote: >>>>> On Tue, 2009-02-03 at 13:10 -0500, Matt Jonkman wrote: >>>>>> Good catch. Offset is valid here, but the within is killing it. We >>>>>> should make it 8 rather than 6 or it'll never match. >>>>> Uhm... no. :) >>>>> >>>>> You want to make it "distance", not "offset". "offset" and "depth" >>>>> start >>>>> from the packets beginning. "distance" and "within" start from the >>>>> last >>>>> match. So, "offset" here is completely wrong :) >>>>> >>>>> I could refer you to snort.org and the section on how to write >>>>> Snort >>>>> rules, but that may be more of interest for the original >>>>> submitter :) >>>>> >>>>> Regards, >>>>> Frank >>>>> >>>>> >>>>> >>>> -- >>>> -------------------------------------------- >>>> Matthew Jonkman >>>> Emerging Threats >>>> Phone 765-429-0398 >>>> Fax 312-264-0205 >>>> http://www.emergingthreats.net >>>> -------------------------------------------- >>>> >>>> PGP: http://www.jonkmans.com/mattjonkman.asc >>>> >>>> >>>> _______________________________________________ >>>> Emerging-sigs mailing list >>>> Emerging-sigs at emergingthreats.net >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> >>> -- >>> Joel Esler >>> ? http://www.joelesler.net >>> ? http://www.twitter.com/joelesler >>> [m] >>> >>> _______________________________________________ >>> Emerging-sigs mailing list >>> Emerging-sigs at emergingthreats.net >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> -- >> -------------------------------------------- >> Matthew Jonkman >> Emerging Threats >> Phone 765-429-0398 >> Fax 312-264-0205 >> http://www.emergingthreats.net >> -------------------------------------------- >> >> PGP: http://www.jonkmans.com/mattjonkman.asc >> >> > > > -- > Joel Esler > ? http://www.joelesler.net > ? 
http://www.twitter.com/joelesler > [m] > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From dokas at oitsec.umn.edu Wed Feb 4 13:11:17 2009 From: dokas at oitsec.umn.edu (Paul Dokas) Date: Wed, 04 Feb 2009 12:11:17 -0600 Subject: [Emerging-Sigs] nasty PDFs In-Reply-To: <4989AB6F.4000701@jonkmans.com> References: <49891832.4080101@oitsec.umn.edu> <4989AB6F.4000701@jonkmans.com> Message-ID: <4989DA45.4050101@oitsec.umn.edu> Matt Jonkman wrote: > Interesting idea Paul! > > I'll put this into current_events and we can test it out for a bit and > see what happens. Sound good? Sounds fine. Also, I'd be interested in any fine tuning that anyone can provide. Paul -- Paul Dokas dokas at oitsec.umn.edu ====================================================================== Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla." From duckie37 at gmail.com Wed Feb 4 14:29:36 2009 From: duckie37 at gmail.com (Scott Melnick) Date: Wed, 4 Feb 2009 14:29:36 -0500 Subject: [Emerging-Sigs] nasty PDFs In-Reply-To: <4989AB6F.4000701@jonkmans.com> References: <49891832.4080101@oitsec.umn.edu> <4989AB6F.4000701@jonkmans.com> Message-ID: <6d234b6a0902041129v79244432ga1dc5a0f2eea2597@mail.gmail.com> Ah good. This may help with our recent unexplainable infections despite AV efforts on the workstations. I will give this a try. Scott On Wed, Feb 4, 2009 at 9:51 AM, Matt Jonkman wrote: > Interesting idea Paul! > > I'll put this into current_events and we can test it out for a bit and > see what happens. Sound good? 
> > matt > > Paul Dokas wrote: > > We've been taking a large number of Vundo infections recently that have > > been coming through online ad sites serving up PDFs that exploit vulns > > probably in acroread. Here's a rule to ID the serving sites: It's > > basically a loose rework of another ET Nginx detection rule. The last > > two content: clauses could use a lot of tightening up. > > > > Paul > > > > > > > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Nginx Server > in use - Possible malware content (PDF)"; flow:established,from_server; > content:"HTTP/1."; depth:7; content:"|0d 0a|Server\: nginx"; nocase; > distance:4; within:300; > > content:"Content-Type\: application/pdf"; nocase; within: 400; > content:"Content-Disposition\: inline"; nocase; within: 400; threshold:type > limit, seconds 60, count 10, track by_src; classtype:bad-unknown;) > > -- > -------------------------------------------- > Matthew Jonkman > Emerging Threats > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > -------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > -------------- next part -------------- An HTML attachment was scrubbed... 
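Added example (not part of the list traffic, and not Snort's own code): a small Python model of the content-modifier windows argued over in the 2008664 thread, run against Joel's joel/esler example and the content chain of Paul's Nginx PDF rule. It assumes depth is counted from offset and within from the point reached after distance; the payloads, the nginx version string and the HDR/XY pattern are constructed for illustration.

```python
"""Toy model of Snort content-modifier windows (added example, not Snort code)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    offset: Optional[int] = None    # absolute: skip N bytes from payload start
    depth: Optional[int] = None     # absolute: window length, counted from offset
    distance: Optional[int] = None  # relative: skip N bytes after previous match
    within: Optional[int] = None    # relative: window length, counted after distance


def window(c: Content, size: int, cursor: int) -> Tuple[int, int]:
    """Byte range [start, end) in which the whole pattern has to lie."""
    if c.distance is not None or c.within is not None:
        start = cursor + (c.distance or 0)   # cursor = end of the previous match
        end = size if c.within is None else start + c.within
    else:
        start = c.offset or 0                # the previous match is ignored
        end = size if c.depth is None else start + c.depth
    return max(start, 0), min(end, size)


def match(contents: Sequence[Content], payload: bytes,
          cursor: int = 0) -> Optional[List[int]]:
    """Start index of each content in rule order, or None if the chain fails.

    When a later relative content fails, later occurrences of the current
    pattern are tried, so a repeated header does not cause a false miss.
    """
    if not contents:
        return []
    c, rest = contents[0], contents[1:]
    hay = payload.lower() if c.nocase else payload
    pat = c.pattern.lower() if c.nocase else c.pattern
    start, end = window(c, len(payload), cursor)
    pos = hay.find(pat, start, end)
    while pos != -1:
        tail = match(rest, payload, pos + len(pat))
        if tail is not None:
            return [pos] + tail
        pos = hay.find(pat, pos + 1, end)
    return None


# Joel's example from the thread: both contents use offset, so the second
# search restarts at byte 7 of the payload wherever "joel" was found.
JOEL_ABSOLUTE = [Content(b"joel", offset=3), Content(b"esler", offset=7)]
# Same patterns, but the second one made relative to the first match.
JOEL_RELATIVE = [Content(b"joel", offset=3), Content(b"esler", distance=0)]
JOEL_PAYLOAD = b"abcdefgesler..joel"   # constructed: "esler" precedes "joel"

# Content chain of the Nginx PDF rule posted in the thread.
NGINX_PDF_RULE = [
    Content(b"HTTP/1.", depth=7),
    Content(b"\r\nServer: nginx", nocase=True, distance=4, within=300),
    Content(b"Content-Type: application/pdf", nocase=True, within=400),
    Content(b"Content-Disposition: inline", nocase=True, within=400),
]


def response(headers: Sequence[bytes]) -> bytes:
    """Constructed HTTP response with the given header lines, in order."""
    return b"\r\n".join([b"HTTP/1.1 200 OK", *headers, b"", b"%PDF-1.4"])


SERVER = b"Server: nginx/0.6.32"               # constructed sample value
CTYPE = b"Content-Type: application/pdf"
CDISP = b"Content-Disposition: inline; filename=sample.pdf"
IN_ORDER = response([SERVER, CTYPE, CDISP])
REORDERED = response([SERVER, CDISP, CTYPE])   # same headers, other order

# Hypothetical two-byte pattern pinned after a hypothetical marker "HDR".
PIN_EXACT = [Content(b"HDR"), Content(b"XY", distance=6, within=2)]
PIN_LOOSE = [Content(b"HDR"), Content(b"XY", distance=6, within=8)]

if __name__ == "__main__":
    print("offset/offset  :", match(JOEL_ABSOLUTE, JOEL_PAYLOAD))
    print("offset/distance:", match(JOEL_RELATIVE, JOEL_PAYLOAD))
    print("nginx in order :", match(NGINX_PDF_RULE, IN_ORDER))
    print("nginx reordered:", match(NGINX_PDF_RULE, REORDERED))
    for body in (b"HDR123456XY..", b"HDR12345678XY"):
        print(body, match(PIN_EXACT, body), match(PIN_LOOSE, body))
```

The reordered response shows that each relative content only looks forward from the previous match, so the rule as posted depends on the server sending Content-Type before Content-Disposition.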
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090204/e629c779/attachment.html

From phatbuckett at gmail.com Wed Feb 4 14:35:09 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Wed, 4 Feb 2009 12:35:09 -0700
Subject: [Emerging-Sigs] Candidate rule: Fed Reserve phishing -> malware agent comms
Message-ID: <839aec700902041135w77651956k6c06d12aba6f5a42@mail.gmail.com>

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 80 (msg:"ET TROJAN TROJ_INJECT.NI Update Request"; flow:established,to_server; dsize:7; content:"F222222"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T; classtype:trojan-activity; sid:XXXXXXX; rev:1;)

This pertains to the malware downloaded from sites spammed with the Federal Reserve / banking phish themes; implements a credential stealer for at least POP3/IMAP/FTP/web forms. Sandbox report:

http://www.threatexpert.com/report.aspx?md5=012048455cb3abc22e99ba0142931ea1

Another writeup:

http://realsecurity.wordpress.com/2008/08/28/analysis-of-a-dll-injector-trojanwin32injectdnz/

12:21:48.440723 IP 192.168.245.128.1045 > 209.160.73.106.80: S 3290729002:3290729002(0) win 16384
        0x0000:  4500 0030 002c 4000 8006 2968 c0a8 f580  E..0.,@...)h....
        0x0010:  d1a0 496a 0415 0050 c424 8a2a 0000 0000  ..Ij...P.$.*....
        0x0020:  7002 4000 1f37 0000 0204 05b4 0101 0402  p.@..7..........
12:21:48.536665 IP 209.160.73.106.80 > 192.168.245.128.1045: S 2128814470:2128814470(0) ack 3290729003 win 64240
        0x0000:  4500 002c 41df 0000 8006 27b9 d1a0 496a  E..,A.....'...Ij
        0x0010:  c0a8 f580 0050 0415 7ee3 2186 c424 8a2b  .....P..~.!..$.+
        0x0020:  6012 faf0 d8d2 0000 0204 05b4 0000       `.............
12:21:48.541055 IP 192.168.245.128.1045 > 209.160.73.106.80: . ack 1 win 17520
        0x0000:  4500 0028 002d 4000 8006 296f c0a8 f580  E..(.-@...)o....
        0x0010:  d1a0 496a 0415 0050 c424 8a2b 7ee3 2187  ..Ij...P.$.+~.!.
        0x0020:  5010 4470 a710 0000                      P.Dp....
12:21:48.544917 IP 192.168.245.128.1045 > 209.160.73.106.80: P 1:2(1) ack 1 win 17520
        0x0000:  4500 0029 002e 4000 8006 296d c0a8 f580  E..)..@...)m....
        0x0010:  d1a0 496a 0415 0050 c424 8a2b 7ee3 2187  ..Ij...P.$.+~.!.
        0x0020:  5018 4470 df06 0000 c8                   P.Dp.....
12:21:48.545626 IP 209.160.73.106.80 > 192.168.245.128.1045: . ack 2 win 64240
        0x0000:  4500 0028 41e0 0000 8006 27bc d1a0 496a  E..(A.....'...Ij
        0x0010:  c0a8 f580 0050 0415 7ee3 2187 c424 8a2c  .....P..~.!..$.,
        0x0020:  5010 faf0 f08e 0000 0000 0000 0000       P.............
12:21:48.547647 IP 192.168.245.128.1045 > 209.160.73.106.80: P 2:3(1) ack 1 win 17520
        0x0000:  4500 0029 002f 4000 8006 296c c0a8 f580  E..)./@...)l....
        0x0010:  d1a0 496a 0415 0050 c424 8a2c 7ee3 2187  ..Ij...P.$.,~.!.
        0x0020:  5018 4470 a006 0000 07                   P.Dp.....
12:21:48.547878 IP 209.160.73.106.80 > 192.168.245.128.1045: . ack 3 win 64240
        0x0000:  4500 0028 41e1 0000 8006 27bb d1a0 496a  E..(A.....'...Ij
        0x0010:  c0a8 f580 0050 0415 7ee3 2187 c424 8a2d  .....P..~.!..$.-
        0x0020:  5010 faf0 f08d 0000 0000 0000 0000       P.............

12:21:48.549130 IP 192.168.245.128.1045 > 209.160.73.106.80: P 3:10(7) ack 1 win 17520
        0x0000:  4500 002f 0030 4000 8006 2965 c0a8 f580  E../.0@...)e....
        0x0010:  d1a0 496a 0415 0050 c424 8a2d 7ee3 2187  ..Ij...P.$.-~.!.
        0x0020:  5018 4470 ca68 0000 4632 3232 3232 32    P.Dp.h..F222222

12:21:48.549505 IP 209.160.73.106.80 > 192.168.245.128.1045: . ack 10 win 64240
        0x0000:  4500 0028 41e2 0000 8006 27ba d1a0 496a  E..(A.....'...Ij
        0x0010:  c0a8 f580 0050 0415 7ee3 2187 c424 8a34  .....P..~.!..$.4
        0x0020:  5010 faf0 f086 0000 0000 0000 0000       P.............

The target payload is in packet 8 above and appears to be static across analyzed variants. I'm unsure if there's a need to be concerned about the use of the dsize option here given the warning on the option in the docs:

"dsize will fail on stream rebuilt packets, regardless of the size of the payload. "

The activity has always been noted to start out on port 80/tcp (but is *not* HTTP) and then later moves to encrypted communications on port 443/tcp (but is *not* HTTPS).

--
Darren Spruell
phatbuckett at gmail.com

From jonkman at jonkmans.com Wed Feb 4 15:59:03 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 04 Feb 2009 15:59:03 -0500
Subject: [Emerging-Sigs] Candidate rule: Fed Reserve phishing -> malware agent comms
In-Reply-To: <839aec700902041135w77651956k6c06d12aba6f5a42@mail.gmail.com>
References: <839aec700902041135w77651956k6c06d12aba6f5a42@mail.gmail.com>
Message-ID: <498A0197.5050202@jonkmans.com>

Definitely an interesting one Darren. Posting the sig now, thanks!!

Matt

Darren Spruell wrote:
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 80 (msg:"ET TROJAN
> TROJ_INJECT.NI Update Request"; flow:established,to_server; dsize:7;
> content:"F222222";
> reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T;
> classtype:trojan-activity; sid:XXXXXXX; rev:1;)
>
> This pertains to the malware downloaded from sites spammed with the
> Federal Reserve / banking phish themes; implements a credential
> stealer for at least POP3/IMAP/FTP/web forms. Sandbox report:
>
> http://www.threatexpert.com/report.aspx?md5=012048455cb3abc22e99ba0142931ea1
>
> Another writeup:
>
> http://realsecurity.wordpress.com/2008/08/28/analysis-of-a-dll-injector-trojanwin32injectdnz/
>
> 12:21:48.440723 IP 192.168.245.128.1045 > 209.160.73.106.80: S
> 3290729002:3290729002(0) win 16384
>         0x0000:  4500 0030 002c 4000 8006 2968 c0a8 f580  E..0.,@...)h....
>         0x0010:  d1a0 496a 0415 0050 c424 8a2a 0000 0000  ..Ij...P.$.*....
>         0x0020:  7002 4000 1f37 0000 0204 05b4 0101 0402  p.@..7..........
> 12:21:48.536665 IP 209.160.73.106.80 > 192.168.245.128.1045: S
> 2128814470:2128814470(0) ack 3290729003 win 64240
>         0x0000:  4500 002c 41df 0000 8006 27b9 d1a0 496a  E..,A.....'...Ij
>         0x0010:  c0a8 f580 0050 0415 7ee3 2186 c424 8a2b  .....P..~.!..$.+
>         0x0020:  6012 faf0 d8d2 0000 0204 05b4 0000       `.............
> 12:21:48.541055 IP 192.168.245.128.1045 > 209.160.73.106.80: . ack 1 win 17520
>         0x0000:  4500 0028 002d 4000 8006 296f c0a8 f580  E..(.-@...)o....
>         0x0010:  d1a0 496a 0415 0050 c424 8a2b 7ee3 2187  ..Ij...P.$.+~.!.
>         0x0020:  5010 4470 a710 0000                      P.Dp....
> 12:21:48.544917 IP 192.168.245.128.1045 > 209.160.73.106.80: P 1:2(1)
> ack 1 win 17520
>         0x0000:  4500 0029 002e 4000 8006 296d c0a8 f580  E..)..@...)m....
>         0x0010:  d1a0 496a 0415 0050 c424 8a2b 7ee3 2187  ..Ij...P.$.+~.!.
>         0x0020:  5018 4470 df06 0000 c8                   P.Dp.....
> 12:21:48.545626 IP 209.160.73.106.80 > 192.168.245.128.1045: . ack 2 win 64240
>         0x0000:  4500 0028 41e0 0000 8006 27bc d1a0 496a  E..(A.....'...Ij
>         0x0010:  c0a8 f580 0050 0415 7ee3 2187 c424 8a2c  .....P..~.!..$.,
>         0x0020:  5010 faf0 f08e 0000 0000 0000 0000       P.............
> 12:21:48.547647 IP 192.168.245.128.1045 > 209.160.73.106.80: P 2:3(1)
> ack 1 win 17520
>         0x0000:  4500 0029 002f 4000 8006 296c c0a8 f580  E..)./@...)l....
>         0x0010:  d1a0 496a 0415 0050 c424 8a2c 7ee3 2187  ..Ij...P.$.,~.!.
>         0x0020:  5018 4470 a006 0000 07                   P.Dp.....
> 12:21:48.547878 IP 209.160.73.106.80 > 192.168.245.128.1045: . ack 3 win 64240
>         0x0000:  4500 0028 41e1 0000 8006 27bb d1a0 496a  E..(A.....'...Ij
>         0x0010:  c0a8 f580 0050 0415 7ee3 2187 c424 8a2d  .....P..~.!..$.-
>         0x0020:  5010 faf0 f08d 0000 0000 0000 0000       P.............
>
> 12:21:48.549130 IP 192.168.245.128.1045 > 209.160.73.106.80: P 3:10(7)
> ack 1 win 17520
>         0x0000:  4500 002f 0030 4000 8006 2965 c0a8 f580  E../.0@...)e....
>         0x0010:  d1a0 496a 0415 0050 c424 8a2d 7ee3 2187  ..Ij...P.$.-~.!.
>         0x0020:  5018 4470 ca68 0000 4632 3232 3232 32    P.Dp.h..F222222
>
> 12:21:48.549505 IP 209.160.73.106.80 > 192.168.245.128.1045: . ack 10 win 64240
>         0x0000:  4500 0028 41e2 0000 8006 27ba d1a0 496a  E..(A.....'...Ij
>         0x0010:  c0a8 f580 0050 0415 7ee3 2187 c424 8a34  .....P..~.!..$.4
>         0x0020:  5010 faf0 f086 0000 0000 0000 0000       P.............
>
>
> The target payload is in packet 8 above and appears to be static
> across analyzed variants. I'm unsure if there's a need to be concerned
> about the use of the dsize option here given the warning on the option
> in the docs:
>
> "dsize will fail on stream rebuilt packets, regardless of the size of
> the payload. "
>
> The activity has always been noted to start out on port 80/tcp (but is
> *not* HTTP) and then later moves to encrypted communications on port
> 443/tcp (but is *not* HTTPS).
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Wed Feb 4 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 4 Feb 2009 16:00:11 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090204210011.695AE4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Feb 4 16:00:11 2009 [***] [+++] Added rules: [+++] 2009076 - ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF) (emerging.rules) 2406222 - ET RBN Known Russian Business Network Monitored Domains (223) (emerging-rbn.rules) 2406223 - ET RBN Known Russian Business Network Monitored Domains (224) (emerging-rbn.rules) 2406224 - ET RBN Known Russian Business Network Monitored Domains (225) (emerging-rbn.rules) 2406225 - ET RBN Known Russian Business Network Monitored Domains (226) (emerging-rbn.rules) 2406226 - ET RBN Known Russian Business Network
Monitored Domains (227) (emerging-rbn.rules) 2406227 - ET RBN Known Russian Business Network Monitored Domains (228) (emerging-rbn.rules) 2407222 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (223) (emerging-rbn-BLOCK.rules) 2407223 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (224) (emerging-rbn-BLOCK.rules) 2407224 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (225) (emerging-rbn-BLOCK.rules) 2407225 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (226) (emerging-rbn-BLOCK.rules) 2407226 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (227) (emerging-rbn-BLOCK.rules) 2407227 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (228) (emerging-rbn-BLOCK.rules) [///] Modified active rules: [///] 2003179 - ET POLICY exe download without User Agent (emerging-policy.rules) 2008664 - ET TROJAN Generic Dropper HTTP Bot grabbing config (emerging-virus.rules) 2008960 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan (emerging.rules) 2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules) 2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET 
(emerging-rbn-BLOCK.rules) 2407203 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) (emerging-rbn-BLOCK.rules) 2407204 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) (emerging-rbn-BLOCK.rules) 2407205 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) (emerging-rbn-BLOCK.rules) 2407206 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) (emerging-rbn-BLOCK.rules) 2407207 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) (emerging-rbn-BLOCK.rules) 2407208 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) (emerging-rbn-BLOCK.rules) 2407209 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (210) (emerging-rbn-BLOCK.rules) 2407210 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (211) (emerging-rbn-BLOCK.rules) 2407211 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (212) (emerging-rbn-BLOCK.rules) 2407212 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (213) (emerging-rbn-BLOCK.rules) 2407213 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (214) (emerging-rbn-BLOCK.rules) 2407214 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (215) (emerging-rbn-BLOCK.rules) 2407215 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (216) (emerging-rbn-BLOCK.rules) 2407216 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (217) (emerging-rbn-BLOCK.rules) 2407217 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (218) (emerging-rbn-BLOCK.rules) 2407218 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (219) (emerging-rbn-BLOCK.rules) 2407219 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (220) (emerging-rbn-BLOCK.rules) 2407220 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (221) 
(emerging-rbn-BLOCK.rules) 2407221 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (222) (emerging-rbn-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 109 # Updated 2009-02-04 13:03:51 -> Added to emerging-rbn.rules (2): # VERSION 109 # Updated 2009-02-04 13:03:51 -> Added to emerging-sid-msg.map (15): 2009076 || ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF) 2406222 || ET RBN Known Russian Business Network Monitored Domains (223) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406223 || ET RBN Known Russian Business Network Monitored Domains (224) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406224 || ET RBN Known Russian Business Network Monitored Domains (225) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406225 || ET RBN Known Russian Business Network Monitored Domains (226) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406226 || ET RBN Known Russian Business Network Monitored Domains (227) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406227 || ET RBN Known Russian Business Network Monitored Domains (228) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407222 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407223 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407224 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407225 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407226 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (227) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407227 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (15): 2009076 || ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF) 2406222 || ET RBN Known Russian Business Network Monitored Domains (223) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406223 || ET RBN Known Russian Business Network Monitored Domains (224) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406224 || ET RBN Known Russian Business Network Monitored Domains (225) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406225 || ET RBN Known Russian Business Network Monitored Domains (226) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406226 || ET RBN Known Russian Business Network Monitored Domains (227) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406227 || ET RBN Known Russian Business Network Monitored Domains (228) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407222 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407223 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407224 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407225 || ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407226 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407227 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging.rules (1):
#by Paul Dokas. Testing this out for a bit...

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 108
# Updated 2009-01-27 17:33:56

-> Removed from emerging-rbn.rules (2):
# VERSION 108
# Updated 2009-01-27 17:33:56

From frank at knobbe.us Wed Feb 4 20:47:40 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 04 Feb 2009 19:47:40 -0600
Subject: [Emerging-Sigs] Proposal for reference additions
In-Reply-To: <49899EEE.4080500@jonkmans.com>
References: <1233724272.39097.7.camel@server1> <49899EEE.4080500@jonkmans.com>
Message-ID: <1233798460.31144.1.camel@server1>

On Wed, 2009-02-04 at 08:58 -0500, Matt Jonkman wrote:
> I like the idea of referencing cvs... but maybe we could easier do that
> by adding that link to the wiki page? Then we still just need the stock
> sid reference for each sig.

But then you have to edit each page :) Instead, we just have two stock
references for each sig. Piece of cake really.

I'm gonna wait one more day. If there are no objections, I'll start
adding these references. To maintain sanity with rule updates, I'm
aiming for about 100 sigs a day. Or maybe 200, dunno... need to take a
count of what we got.

Cheers,
Frank

From emerging at emergingthreats.net Thu Feb 5 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 5 Feb 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090205210009.25DAC45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Feb 5 16:00:09 2009 [***]

[+++] Added rules: [+++]
2009077 - ET TROJAN TROJ_INJECT.NI Update Request (emerging-virus.rules)
2009078 - ET TROJAN Backdoor Lanfiltrator Checkin (emerging-virus.rules)
2009079 - ET TROJAN Delfsnif/Buzus.fte Remote Response (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (3):
2009077 || ET TROJAN TROJ_INJECT.NI Update Request || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T
2009078 || ET TROJAN Backdoor Lanfiltrator Checkin || url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642
2009079 || ET TROJAN Delfsnif/Buzus.fte Remote Response || url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html

-> Added to emerging-sid-msg.map.txt (3):
2009077 || ET TROJAN TROJ_INJECT.NI Update Request || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T
2009078 || ET TROJAN Backdoor Lanfiltrator Checkin || url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642
2009079 || ET TROJAN Delfsnif/Buzus.fte Remote Response || url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html

-> Added to emerging-virus.rules (6):
#by sjirkdog
#re 146244b0d5cce3d21719ad94d650a82f
#traffic was on port 2009 in sample, since it is a new year.
Maybe use it as the source
#by Darren Spruell
#by Shirkdog
#re 8888fcb5020d1295f4343f601263306a

From eslerj at gmail.com Fri Feb 6 22:43:00 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 6 Feb 2009 22:43:00 -0500
Subject: [Emerging-Sigs] 2008664, use of offset
In-Reply-To: <4989D817.90204@jonkmans.com>
References: <839aec700902030858w314da2b2uf5d4388f11fb0429@mail.gmail.com> <49888891.4020004@jonkmans.com> <1233721183.36419.7.camel@server1> <4989A0F6.2060806@jonkmans.com> <4989AB1E.8010205@jonkmans.com> <4989D817.90204@jonkmans.com>
Message-ID: <8c643a500902061943g3237455as8aca62901201e316@mail.gmail.com>

Actually, using your example (only wanted to get two bytes) It would be
distance 6, within 2.

J

On Wed, Feb 4, 2009 at 1:01 PM, Matt Jonkman wrote:

> OK, ya. You're right. That's what I thought initially but went and
> re-read it when the question came up and didn't read closely enough.
>
> I'll modify it to be distance 6 and within 8. That'd get the bytes at
> position 7 and 8 after the end of the previous match, which is what
> we're looking for.
>
> Thanks
>
> Matt
>
> Joel Esler wrote:
> > I think you are confused:
> >
> > "The offset keyword allows the rule writer to specify where to start
> >>> searching for a pattern within a packet. offset modifies the previous
> >>> 'content' keyword in the rule."
> >
> > Offset keyword... start searching... pattern. (so beginning of
> > packet) Now for second sentence which is where you are confused.
> >
> > Offset modifies the previous content keyword. Meaning it doesn't take
> > it into effect. It "modifies" where the ptr is. If you use a
> >
> > content:"joel"; offset:3; content:"esler"; offset:7;
> >
> > The second content modified the first content, in that it ignored
> > where the ptr was set and started looking for esler from the beginning
> > again.
> >
> > J
> >
> >
> > On Feb 4, 2009, at 9:50 AM, Matt Jonkman allegedly wrote:
> >
> >> I originally was thinking offset was start of the packet always as
> >> well,
> >> but the manual (as snipped below) disagrees.
> >>
> >> Are we all confused or is the manual incorrect? :)
> >>
> >> Matt
> >>
> >> Joel Esler wrote:
> >>> Offset starts at the beginning of the packet.
> >>> Depth tells the search how far to go, from the beginning of the last
> >>> content match.
> >>>
> >>> Distance starts at the end of the previous content match and reads
> >>> forward
> >>> Within tells the search how far to go from the end of the last
> >>> content
> >>> match.
> >>>
> >>> J
> >>>
> >>> On Feb 4, 2009, at 9:06 AM, Matt Jonkman allegedly wrote:
> >>>
> >>>> Offset goes from the last content match as well:
> >>>>
> >>>> snip
> >>>>
> >>>> The offset keyword allows the rule writer to specify where to start
> >>>> searching for a pattern within a packet. offset modifies the
> >>>> previous
> >>>> 'content' keyword in the rule.
> >>>>
> >>>> snip
> >>>>
> >>>> So this will work as well. Distance would match in that first 6
> >>>> which
> >>>> the rule doesn't want to do as I understand it. ya?
> >>>>
> >>>> Matt
> >>>>
> >>>> Frank Knobbe wrote:
> >>>>> On Tue, 2009-02-03 at 13:10 -0500, Matt Jonkman wrote:
> >>>>>> Good catch. Offset is valid here, but the within is killing it. We
> >>>>>> should make it 8 rather than 6 or it'll never match.
> >>>>> Uhm... no. :)
> >>>>>
> >>>>> You want to make it "distance", not "offset". "offset" and "depth"
> >>>>> start
> >>>>> from the packets beginning. "distance" and "within" start from the
> >>>>> last
> >>>>> match. So, "offset" here is completely wrong :)
> >>>>>
> >>>>> I could refer you to snort.org and the section on how to write
> >>>>> Snort
> >>>>> rules, but that may be more of interest for the original
> >>>>> submitter :)
> >>>>>
> >>>>> Regards,
> >>>>> Frank
> >>>>>
> >>>>>
> >>>>>
> >>>> --
> >>>> --------------------------------------------
> >>>> Matthew Jonkman
> >>>> Emerging Threats
> >>>> Phone 765-429-0398
> >>>> Fax 312-264-0205
> >>>> http://www.emergingthreats.net
> >>>> --------------------------------------------
> >>>>
> >>>> PGP: http://www.jonkmans.com/mattjonkman.asc
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Emerging-sigs mailing list
> >>>> Emerging-sigs at emergingthreats.net
> >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>>
> >>> --
> >>> Joel Esler
> >>> http://www.joelesler.net
> >>> http://www.twitter.com/joelesler
> >>> [m]
> >>>
> >> --
> >> --------------------------------------------
> >> Matthew Jonkman
> >> Emerging Threats
> >> Phone 765-429-0398
> >> Fax 312-264-0205
> >> http://www.emergingthreats.net
> >> --------------------------------------------
> >>
> >> PGP: http://www.jonkmans.com/mattjonkman.asc
> >>
> >>
> >
> >
> > --
> > Joel Esler
> > http://www.joelesler.net
> > http://www.twitter.com/joelesler
> > [m]
> >
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>

From emerging at emergingthreats.net Sat Feb 7 12:02:34 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 7 Feb 2009 12:02:34 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090207170234.B94554501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Feb 7 12:02:34 2009 [***]

[///] Modified active rules: [///]
2000006 - ET DOS Cisco Router HTTP DoS (emerging-dos.rules)
2000010 - ET DOS Cisco 514 UDP flood DoS (emerging-dos.rules)
2000011 - ET DOS Catalyst memory leak attack (emerging-dos.rules)
2000016 - ET DOS SSL Bomb DoS Attempt (emerging-dos.rules)
2000345 - ET ATTACK RESPONSE IRC - Nick change on non-std port (emerging-attack_response.rules)
2000346 - ET ATTACK RESPONSE IRC - Name response on non-std port (emerging-attack_response.rules)
2000347 - ET ATTACK RESPONSE IRC - Private message on non-std port (emerging-attack_response.rules)
2000348 - ET ATTACK RESPONSE IRC - Channel JOIN on non-std port (emerging-attack_response.rules)
2000349 - ET ATTACK RESPONSE IRC - DCC file transfer request on non-std port (emerging-attack_response.rules)
2000350 - ET ATTACK RESPONSE IRC - DCC chat request on non-std port (emerging-attack_response.rules)
2000351 - ET ATTACK RESPONSE IRC - channel join on non-std
port (emerging-attack_response.rules) 2000352 - ET ATTACK RESPONSE IRC - dns request on non-std port (emerging-attack_response.rules) 2000496 - ET DOS Microsoft SMS dos attempt (emerging-dos.rules) 2000499 - ET ATTACK RESPONSE FTP inaccessible directory access COM1 (emerging-attack_response.rules) 2000500 - ET ATTACK RESPONSE FTP inaccessible directory access COM2 (emerging-attack_response.rules) 2000501 - ET ATTACK RESPONSE FTP inaccessible directory access COM3 (emerging-attack_response.rules) 2000502 - ET ATTACK RESPONSE FTP inaccessible directory access COM4 (emerging-attack_response.rules) 2000503 - ET ATTACK RESPONSE FTP inaccessible directory access LPT1 (emerging-attack_response.rules) 2000504 - ET ATTACK RESPONSE FTP inaccessible directory access LPT2 (emerging-attack_response.rules) 2000505 - ET ATTACK RESPONSE FTP inaccessible directory access LPT3 (emerging-attack_response.rules) 2000506 - ET ATTACK RESPONSE FTP inaccessible directory access LPT4 (emerging-attack_response.rules) 2000507 - ET ATTACK RESPONSE FTP inaccessible directory access AUX (emerging-attack_response.rules) 2000508 - ET ATTACK RESPONSE FTP inaccessible directory access NULL (emerging-attack_response.rules) 2001349 - ET INAPPROPRIATE free XXX (emerging-inappropriate.rules) 2001350 - ET INAPPROPRIATE hardcore anal (emerging-inappropriate.rules) 2001362 - ET DOS MS04-030 Attempted DoS (emerging-dos.rules) 2001366 - ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt (emerging-dos.rules) 2001392 - ET INAPPROPRIATE Sextracker Tracking Code Detected (1) (emerging-inappropriate.rules) 2001393 - ET INAPPROPRIATE Sextracker Tracking Code Detected (2) (emerging-inappropriate.rules) 2001616 - ET ATTACK RESPONSE Zone-H.org defacement notification (emerging-attack_response.rules) 2001620 - ET ATTACK RESPONSE Likely Botnet Activity (emerging-attack_response.rules) 2001628 - ET ATTACK RESPONSE Outbound PHP Connection (emerging-attack_response.rules) 2001635 - ET DOS HTTP GET with 
newline appended (emerging-dos.rules) 2001636 - ET DOS squ1rt Apache DoS (emerging-dos.rules) 2001795 - ET DOS Excessive SMTP MAIL-FROM DDoS (emerging-dos.rules) 2001846 - ET DOS -ISC- ICMP blind TCP reset DoS guessing attempt (emerging-dos.rules) 2001882 - ET DOS ICMP Path MTU lowered below acceptable threshold (emerging-dos.rules) 2002034 - ET ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style) (emerging-attack_response.rules) 2002809 - ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd) (emerging-attack_response.rules) 2002810 - ET ATTACK RESPONSE Hostile FTP Server Banner (Reptile) (emerging-attack_response.rules) 2002811 - ET ATTACK RESPONSE Hostile FTP Server Banner (Bot Server) (emerging-attack_response.rules) 2002843 - ET DOS Microsoft Streaming Server Malformed Request (emerging-dos.rules) 2002853 - ET DOS FreeBSD NFS RPC Kernel Panic (emerging-dos.rules) 2002880 - ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port (emerging-dos.rules) 2002881 - ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port (emerging-dos.rules) 2002882 - ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port (emerging-dos.rules) 2002926 - ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port (emerging-dos.rules) 2002927 - ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port (emerging-dos.rules) 2002928 - ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port (emerging-dos.rules) 2002998 - ET SMTP HELO Non-Displayable Characters MailEnable Denial of Service (emerging-dos.rules) 2003071 - ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style) (emerging-attack_response.rules) 2003149 - ET ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style) (emerging-attack_response.rules) 2003150 - ET ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style) (emerging-attack_response.rules) 2003236 - ET DOS NetrWkstaUserEnum Request with large Preferred Max Len (emerging-dos.rules) 2003464 - ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) 
(emerging-attack_response.rules) 2003465 - ET ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) (emerging-attack_response.rules) 2003535 - ET ATTACK RESPONSE r57 phpshell footer detected (emerging-attack_response.rules) 2003536 - ET ATTACK RESPONSE r57 phpshell source being uploaded (emerging-attack_response.rules) 2006417 - ET ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected (emerging-attack_response.rules) 2007651 - ET ATTACK RESPONSE x2300 phpshell detected (emerging-attack_response.rules) 2007652 - ET ATTACK RESPONSE c99shell phpshell detected (emerging-attack_response.rules) 2007653 - ET ATTACK RESPONSE RFI Scanner detected (emerging-attack_response.rules) 2007654 - ET ATTACK RESPONSE C99 Modified phpshell detected (emerging-attack_response.rules) 2007656 - ET ATTACK RESPONSE ALBANIA id.php detected (emerging-attack_response.rules) 2007715 - ET ATTACK RESPONSE Off-Port FTP Without Banners - user (emerging-attack_response.rules) 2007717 - ET ATTACK RESPONSE Off-Port FTP Without Banners - pass (emerging-attack_response.rules) 2007723 - ET ATTACK RESPONSE Off-Port FTP Without Banners - retr (emerging-attack_response.rules) 2007725 - ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd) (emerging-attack_response.rules) 2007726 - ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) (emerging-attack_response.rules) 2008014 - ET CURRENT_EVENTS Suspicious Download (drv32.data) (emerging.rules) 2008077 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) (emerging.rules) 2008193 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent) (emerging.rules) 2008206 - ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD) (emerging.rules) 2008207 - ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD) (emerging.rules) 2008235 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) (emerging.rules) 2008286 - ET CURRENT_EVENTS 
Communication with known iamleet.be Botnet CnC Server (emerging.rules) 2008313 - ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related (emerging.rules) 2008314 - ET CURRENT_EVENTS Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related (emerging.rules) 2008315 - ET CURRENT_EVENTS Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related (emerging.rules) 2008359 - ET TROJAN Unnamed - kuaiche.com related (emerging.rules) 2008368 - ET TROJAN Unknown Keylogger checkin (emerging.rules) 2008373 - ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request (emerging.rules) 2008387 - ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js) (emerging.rules) 2008388 - ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js) (emerging.rules) 2008394 - ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt) (emerging.rules) 2008407 - ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1) (emerging.rules) 2008408 - ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2) (emerging.rules) 2008409 - ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3) (emerging.rules) 2008446 - ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt (emerging.rules) 2008447 - ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt (emerging.rules) 2008475 - ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt (emerging.rules) 2008496 - ET TROJAN Unknown Initial Checkin (emerging.rules) 2008497 - ET TROJAN Unknown Checkin (emerging.rules) 2008498 - ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) 
(emerging.rules)
2008508 - ET CURRENT_EVENTS Internal User may have Visited an ASPROX Infected Site (emerging.rules)
2008528 - ET CURRENT_EVENTS Malware (e-card.exe) (emerging.rules)
2008530 - ET CURRENT_EVENTS Danmec Infected machine Looking up CnC Server (emerging.rules)
2008531 - ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server (emerging.rules)
2008539 - ET CURRENT_EVENTS Airmail Express Malware-Laden Email Inbound (emerging.rules)
2008552 - ET CURRENT_EVENTS Malware Word doc Email - Fordo Trojan Likely (emerging.rules)
2008554 - ET CURRENT_EVENTS Nuclear Email Malware Inbound - Likely Trojan (emerging.rules)
2008555 - ET CURRENT_EVENTS Your internet access is going to get suspended Email Inbound - Likely Trojan (emerging.rules)
2008556 - ET ATTACK RESPONSE FTP CWD to windows system32 - Suspicious (emerging-attack_response.rules)
2008559 - ET ATTACK RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection (emerging-attack_response.rules)
2008562 - ET TROJAN Suspicious SMTP handshake outbound (emerging.rules)
2008563 - ET TROJAN Suspicious SMTP handshake reply (emerging.rules)
2008599 - ET CURRENT_EVENTS Asprox Cookie SQL Injection Attempt (emerging.rules)
2008646 - ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC (emerging.rules)
2008737 - ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin (emerging.rules)
2008738 - ET CURRENT_EVENTS Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot Trojan Related (emerging.rules)
2008739 - ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound (emerging.rules)
2008741 - ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin (emerging.rules)
2008773 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (emerging.rules)
2008774 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) (emerging.rules)
2008775 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) (emerging.rules)
2008779 - ET CURRENT_EVENTS Unknown Keepalive out (emerging.rules)
2008780 - ET CURRENT_EVENTS Unknown Keepalive in (emerging.rules)
2008796 - ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected (emerging.rules)
2008799 - ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download (emerging.rules)
2008802 - ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity (emerging.rules)
2008803 - ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location (emerging.rules)
2008845 - ET CURRENT_EVENTS Possible Malicious Flash Update (emerging.rules)
2008876 - ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (emerging.rules)
2008877 - ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) (emerging.rules)
2008909 - ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 (emerging.rules)
2008910 - ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 (emerging.rules)
2008948 - ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin (emerging.rules)
2008953 - ET ATTACK RESPONSE Possible MS CMD Shell opened on local system (emerging-attack_response.rules)
2008960 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan (emerging.rules)
2008990 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 (emerging.rules)
2008991 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check (emerging.rules)
2009006 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 (emerging.rules)
2009007 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 (emerging.rules)
2009008 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 (emerging.rules)
2009024 - ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting (emerging.rules)
2009030 - ET CURRENT_EVENTS NS query for a single dot, possible ddos (emerging.rules)
2009076 - ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF) (emerging.rules)

[///] Modified inactive rules: [///]

2001205 - ET DOS Internet Explorer Memory Corruption Bug (emerging-dos.rules)
2001346 - ET INAPPROPRIATE Kiddy Porn preteen (emerging-inappropriate.rules)
2001347 - ET INAPPROPRIATE Kiddy Porn pre-teen (emerging-inappropriate.rules)
2001348 - ET INAPPROPRIATE Kiddy Porn early teen (emerging-inappropriate.rules)
2001351 - ET INAPPROPRIATE masturbation (emerging-inappropriate.rules)
2001352 - ET INAPPROPRIATE ejaculation (emerging-inappropriate.rules)
2001353 - ET INAPPROPRIATE BDSM (emerging-inappropriate.rules)
2001386 - ET INAPPROPRIATE Kiddy Porn pthc (emerging-inappropriate.rules)
2001387 - ET INAPPROPRIATE Kiddy Porn zeps (emerging-inappropriate.rules)
2001388 - ET INAPPROPRIATE Kiddy Porn r at ygold (emerging-inappropriate.rules)
2001389 - ET INAPPROPRIATE Kiddy Porn childlover (emerging-inappropriate.rules)
2001608 - ET INAPPROPRIATE Likely Porn (emerging-inappropriate.rules)
2002925 - ET INAPPROPRIATE Google Image Search, Safe Mode Off (emerging-inappropriate.rules)
2007655 - ET ATTACK RESPONSE lila.jpg phpshell detected (emerging-attack_response.rules)
2007657 - ET ATTACK RESPONSE Mic22 id.php detected (emerging-attack_response.rules)
2008470 - ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter (emerging.rules)
2008804 - ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 (emerging.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-attack_response.rules (1):
# active use, but can be forced by hostile parties by a number of methods

-> Added to emerging-sid-msg.map (154):
2000006 || ET DOS Cisco Router HTTP DoS || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_Router_HTTP_DOS || url,doc.emergingthreats.net/bin/view/Main/2000006 || url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml
2000010 || ET DOS Cisco
514 UDP flood DoS || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_514_UDP_DoS || url,doc.emergingthreats.net/bin/view/Main/2000010 || url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml 2000011 || ET DOS Catalyst memory leak attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_Catalyst_memory_leak_attack || url,doc.emergingthreats.net/bin/view/Main/2000011 || url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml 2000016 || ET DOS SSL Bomb DoS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_SSL_Bomb_Attempt || url,doc.emergingthreats.net/bin/view/Main/2000016 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120 2000345 || ET ATTACK RESPONSE IRC - Nick change on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000345 2000346 || ET ATTACK RESPONSE IRC - Name response on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000346 2000347 || ET ATTACK RESPONSE IRC - Private message on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000347 2000348 || ET ATTACK RESPONSE IRC - Channel JOIN on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000348 2000349 || ET ATTACK RESPONSE IRC - DCC file transfer request on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000349 2000350 || ET ATTACK RESPONSE IRC - DCC chat request on non-std port || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000350 2000351 || ET ATTACK RESPONSE IRC - channel join on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000351 2000352 || ET ATTACK RESPONSE IRC - dns request on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000352 2000496 || ET DOS Microsoft SMS dos attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS_SMS || url,doc.emergingthreats.net/bin/view/Main/2000496 || url,www.securityfocus.com/archive/1/368911/2004-07-12/2004-07-18/0 2000499 || ET ATTACK RESPONSE FTP inaccessible directory access COM1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000499 2000500 || ET ATTACK RESPONSE FTP inaccessible directory access COM2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000500 2000501 || ET ATTACK RESPONSE FTP inaccessible directory access COM3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000501 2000502 || ET ATTACK RESPONSE FTP inaccessible directory access COM4 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000502 2000503 || ET ATTACK RESPONSE FTP inaccessible directory access LPT1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || 
url,doc.emergingthreats.net/bin/view/Main/2000503 2000504 || ET ATTACK RESPONSE FTP inaccessible directory access LPT2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000504 2000505 || ET ATTACK RESPONSE FTP inaccessible directory access LPT3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000505 2000506 || ET ATTACK RESPONSE FTP inaccessible directory access LPT4 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000506 2000507 || ET ATTACK RESPONSE FTP inaccessible directory access AUX || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000507 2000508 || ET ATTACK RESPONSE FTP inaccessible directory access NULL || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000508 2001205 || ET DOS Internet Explorer Memory Corruption Bug || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_IE || url,doc.emergingthreats.net/bin/view/Main/2001205 || url,www.securiteam.com/windowsntfocus/5XP051FDFM.html 2001346 || ET INAPPROPRIATE Kiddy Porn preteen || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || url,doc.emergingthreats.net/bin/view/Main/2001346 2001347 || ET INAPPROPRIATE Kiddy Porn pre-teen || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || url,doc.emergingthreats.net/bin/view/Main/2001347 2001348 || ET INAPPROPRIATE Kiddy Porn early teen || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || 
url,doc.emergingthreats.net/bin/view/Main/2001348 2001349 || ET INAPPROPRIATE free XXX || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001349 2001350 || ET INAPPROPRIATE hardcore anal || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001350 2001351 || ET INAPPROPRIATE masturbation || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001351 2001352 || ET INAPPROPRIATE ejaculation || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001352 2001353 || ET INAPPROPRIATE BDSM || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001353 2001362 || ET DOS MS04-030 Attempted DoS || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS04-030 || url,doc.emergingthreats.net/bin/view/Main/2001362 || url,isc.sans.org/diary.php?date=2004-10-20 2001366 || ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MSSQL_DOS || url,doc.emergingthreats.net/bin/view/Main/2001366 || bugtraq,11265 2001386 || ET INAPPROPRIATE Kiddy Porn pthc || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || url,doc.emergingthreats.net/bin/view/Main/2001386 2001387 || ET INAPPROPRIATE Kiddy Porn zeps || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || url,doc.emergingthreats.net/bin/view/Main/2001387 2001388 || ET INAPPROPRIATE Kiddy Porn r at ygold || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || url,doc.emergingthreats.net/bin/view/Main/2001388 2001389 || ET INAPPROPRIATE Kiddy 
Porn childlover || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || url,doc.emergingthreats.net/bin/view/Main/2001389 2001392 || ET INAPPROPRIATE Sextracker Tracking Code Detected (1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001392 2001393 || ET INAPPROPRIATE Sextracker Tracking Code Detected (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001393 2001608 || ET INAPPROPRIATE Likely Porn || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001608 2001616 || ET ATTACK RESPONSE Zone-H.org defacement notification || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Zone-h_Defacement || url,doc.emergingthreats.net/bin/view/Main/2001616 2001620 || ET ATTACK RESPONSE Likely Botnet Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2001620 2001628 || ET ATTACK RESPONSE Outbound PHP Connection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Outbound_PHP_Fopen || url,doc.emergingthreats.net/bin/view/Main/2001628 2001635 || ET DOS HTTP GET with newline appended || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Apache_Squ1rt || url,doc.emergingthreats.net/bin/view/Main/2001635 || cve,2004-0942 2001636 || ET DOS squ1rt Apache DoS || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Apache_Squ1rt || url,doc.emergingthreats.net/bin/view/Main/2001636 || cve,2004-0942 2001795 || ET DOS Excessive SMTP MAIL-FROM DDoS || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Mail-From || url,doc.emergingthreats.net/bin/view/Main/2001795 2001846 || ET DOS -ISC- ICMP blind TCP 
reset DoS guessing attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS05-019 || url,doc.emergingthreats.net/bin/view/Main/2001846 || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || cve,can-2004-0790 2001882 || ET DOS ICMP Path MTU lowered below acceptable threshold || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS05-019 || url,doc.emergingthreats.net/bin/view/Main/2001882 || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || cve,CAN-2004-1060 2002034 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd || url,doc.emergingthreats.net/bin/view/Main/2002034 2002809 || ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2002809 2002810 || ET ATTACK RESPONSE Hostile FTP Server Banner (Reptile) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2002810 2002811 || ET ATTACK RESPONSE Hostile FTP Server Banner (Bot Server) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2002811 2002843 || ET DOS Microsoft Streaming Server Malformed Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS00-038 || url,doc.emergingthreats.net/bin/view/Main/2002843 || url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx || bugtraq,1282 2002853 || ET DOS FreeBSD NFS RPC Kernel Panic || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_FreeBSD || url,doc.emergingthreats.net/bin/view/Main/2002853 || bugtraq,19017 || cve,2006-0900 2002880 || ET SNMP Cisco 
Non-Trap PDU request on SNMPv1 trap port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP || url,doc.emergingthreats.net/bin/view/Main/2002880 || bugtraq,10186 || cve,2004-0714 2002881 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP || url,doc.emergingthreats.net/bin/view/Main/2002881 || bugtraq,10186 || cve,2004-0714 2002882 || ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP || url,doc.emergingthreats.net/bin/view/Main/2002882 || bugtraq,10186 || cve,2004-0714 2002925 || ET INAPPROPRIATE Google Image Search, Safe Mode Off || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Google || url,doc.emergingthreats.net/bin/view/Main/2002925 2002926 || ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP || url,doc.emergingthreats.net/bin/view/Main/2002926 || bugtraq,10186 || cve,2004-0714 2002927 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP || url,doc.emergingthreats.net/bin/view/Main/2002927 || bugtraq,10186 || cve,2004-0714 2002928 || ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP || url,doc.emergingthreats.net/bin/view/Main/2002928 || bugtraq,10186 || cve,2004-0714 2002998 || ET SMTP HELO Non-Displayable Characters MailEnable Denial of Service || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MailEnable || url,doc.emergingthreats.net/bin/view/Main/2002998 || bugtraq,18630 || cve,2006-3277 2003071 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd || 
url,doc.emergingthreats.net/bin/view/Main/2003071 2003149 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd || url,doc.emergingthreats.net/bin/view/Main/2003149 2003150 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd || url,doc.emergingthreats.net/bin/view/Main/2003150 2003236 || ET DOS NetrWkstaUserEnum Request with large Preferred Max Len || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS_SMB || url,doc.emergingthreats.net/bin/view/Main/2003236 || cve,2006-6723 2003464 || ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2003464 || url,www.warftp.org 2003465 || ET ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2003465 || url,www.freeftp.com 2003535 || ET ATTACK RESPONSE r57 phpshell footer detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2003535 || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 2003536 || ET ATTACK RESPONSE r57 phpshell source being uploaded || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2003536 || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 2006417 || ET ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Short_Lanman_Auth_Challenge || url,doc.emergingthreats.net/bin/view/Main/2006417 2007651 
|| ET ATTACK RESPONSE x2300 phpshell detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2007651 || url,www.rfxn.com/vdb.php 2007652 || ET ATTACK RESPONSE c99shell phpshell detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2007652 || url,www.rfxn.com/vdb.php 2007653 || ET ATTACK RESPONSE RFI Scanner detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2007653 || url,www.rfxn.com/vdb.php 2007654 || ET ATTACK RESPONSE C99 Modified phpshell detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2007654 || url,www.rfxn.com/vdb.php 2007655 || ET ATTACK RESPONSE lila.jpg phpshell detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2007655 || url,www.rfxn.com/vdb.php 2007656 || ET ATTACK RESPONSE ALBANIA id.php detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2007656 || url,www.rfxn.com/vdb.php 2007657 || ET ATTACK RESPONSE Mic22 id.php detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2007657 || url,www.rfxn.com/vdb.php 2007715 || ET ATTACK RESPONSE Off-Port FTP Without Banners - user || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP || url,doc.emergingthreats.net/bin/view/Main/2007715 2007717 || ET ATTACK RESPONSE Off-Port FTP Without Banners - pass || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP || url,doc.emergingthreats.net/bin/view/Main/2007717 2007723 || ET ATTACK RESPONSE Off-Port FTP Without Banners - retr || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP || url,doc.emergingthreats.net/bin/view/Main/2007723 2007725 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2007725 2007726 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2007726 2008014 || ET CURRENT_EVENTS Suspicious Download (drv32.data) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Test_Suspicious_DL || url,doc.emergingthreats.net/bin/view/Main/2008014 2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Storm || url,doc.emergingthreats.net/bin/view/Main/2008077 || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146 2008193 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Storm || url,doc.emergingthreats.net/bin/view/Main/2008193 || url,www.sudosecure.net/archives/67 2008206 || ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mass_File_Injections || 
url,doc.emergingthreats.net/bin/view/Main/2008206 || url,www.incidents.org/diary.html?storyid=4405 2008207 || ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mass_File_Injections || url,doc.emergingthreats.net/bin/view/Main/2008207 || url,www.incidents.org/diary.html?storyid=4405 2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Storm || url,doc.emergingthreats.net/bin/view/Main/2008235 || url,www.sudosecure.net/archives/119 2008286 || ET CURRENT_EVENTS Communication with known iamleet.be Botnet CnC Server || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Iamleet.be || url,doc.emergingthreats.net/bin/view/Main/2008286 2008313 || ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections || url,doc.emergingthreats.net/bin/view/Main/2008313 2008314 || ET CURRENT_EVENTS Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections || url,doc.emergingthreats.net/bin/view/Main/2008314 2008315 || ET CURRENT_EVENTS Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections || url,doc.emergingthreats.net/bin/view/Main/2008315 2008359 || ET TROJAN Unnamed - kuaiche.com related || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || url,doc.emergingthreats.net/bin/view/Main/2008359 2008368 || ET TROJAN Unknown Keylogger checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || 
url,doc.emergingthreats.net/bin/view/Main/2008368 2008373 || ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections || url,doc.emergingthreats.net/bin/view/Main/2008373 || url,infosec20.blogspot.com/ 2008387 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections || url,doc.emergingthreats.net/bin/view/Main/2008387 2008388 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections || url,doc.emergingthreats.net/bin/view/Main/2008388 2008394 || ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Holmes || url,doc.emergingthreats.net/bin/view/Main/2008394 2008407 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot || url,doc.emergingthreats.net/bin/view/Main/2008407 || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008408 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot || url,doc.emergingthreats.net/bin/view/Main/2008408 || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008409 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3) || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot || url,doc.emergingthreats.net/bin/view/Main/2008409 || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008446 || ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning || url,doc.emergingthreats.net/bin/view/Main/2008446 2008447 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning || url,doc.emergingthreats.net/bin/view/Main/2008447 || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 2008470 || ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning || url,doc.emergingthreats.net/bin/view/Main/2008470 2008475 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning || url,doc.emergingthreats.net/bin/view/Main/2008475 || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 2008496 || ET TROJAN Unknown Initial Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || url,doc.emergingthreats.net/bin/view/Main/2008496 2008497 || ET TROJAN Unknown Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || url,doc.emergingthreats.net/bin/view/Main/2008497 2008498 || ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Facebook || url,doc.emergingthreats.net/bin/view/Main/2008498 || url,www.sophos.com/security/blog/2008/08/1632.html 2008508 || ET CURRENT_EVENTS Internal User may have Visited an ASPROX Infected Site || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox || url,doc.emergingthreats.net/bin/view/Main/2008508 2008528 || ET CURRENT_EVENTS Malware (e-card.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Ecards || url,doc.emergingthreats.net/bin/view/Main/2008528 || url,garwarner.blogspot.com/2008/08/e-cards-run-wild-where-are-anti-virus.html 2008530 || ET CURRENT_EVENTS Danmec Infected machine Looking up CnC Server || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Danmec || url,doc.emergingthreats.net/bin/view/Main/2008530 2008531 || ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_santa-inbox.com || url,doc.emergingthreats.net/bin/view/Main/2008531 2008539 || ET CURRENT_EVENTS Airmail Express Malware-Laden Email Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Airmail_Express || url,doc.emergingthreats.net/bin/view/Main/2008539 || url,www.news.portalit.net/fullnews_airmail-express-delivers-fresh-trojan_1506.html || url,www.sophos.com/blogs/gc/g/2008/09/01/email-with-the-subject-airmail 2008552 || ET CURRENT_EVENTS Malware Word doc Email - Fordo Trojan Likely || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Fordo || url,doc.emergingthreats.net/bin/view/Main/2008552 || url,isc.sans.org/diary.html?storyid=5029 || url,www.virustotal.com/analisis/0fc3a70eff0b9ec447794acbda2402e7 2008554 || ET CURRENT_EVENTS Nuclear Email Malware Inbound - Likely Trojan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Email_Worms 
-> Added to emerging-sid-msg.map.txt (154):
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_PDF_Malware || url,doc.emergingthreats.net/bin/view/Main/2008741 2008773 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Activation_Key_Trojan || url,doc.emergingthreats.net/bin/view/Main/2008773 || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008774 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Activation_Key_Trojan || url,doc.emergingthreats.net/bin/view/Main/2008774 || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008775 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Activation_Key_Trojan || url,doc.emergingthreats.net/bin/view/Main/2008775 || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008779 || ET CURRENT_EVENTS Unknown Keepalive out || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3 || url,doc.emergingthreats.net/bin/view/Main/2008779 2008780 || ET CURRENT_EVENTS Unknown Keepalive in || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3 || url,doc.emergingthreats.net/bin/view/Main/2008780 2008796 || ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mac_DNSChanger || 
url,doc.emergingthreats.net/bin/view/Main/2008796 2008799 || ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS08-067 || url,doc.emergingthreats.net/bin/view/Main/2008799 2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008802 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008803 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008804 || ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008804 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008845 || ET CURRENT_EVENTS Possible Malicious Flash Update || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Flash || url,doc.emergingthreats.net/bin/view/Main/2008845 || url,isc.sans.org/diary.html?storyid=5437 2008876 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_IE_0Day || url,doc.emergingthreats.net/bin/view/Main/2008876 || url,isc.sans.org/diary.html?storyid=5458 2008877 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt 
(obfuscation 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_IE_0Day || url,doc.emergingthreats.net/bin/view/Main/2008877 || url,isc.sans.org/diary.html?storyid=5458 2008909 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSSQL || url,doc.emergingthreats.net/bin/view/Main/2008909 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008910 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSSQL || url,doc.emergingthreats.net/bin/view/Main/2008910 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008948 || ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Trojan_PWS_Onlinegamestealer || url,doc.emergingthreats.net/bin/view/Main/2008948 || url,www.threatexpert.com/reports.aspx?find=help.rar 2008953 || ET ATTACK RESPONSE Possible MS CMD Shell opened on local system || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Windows_Shell || url,doc.emergingthreats.net/bin/view/Main/2008953 2008960 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2008960 || url,isc.sans.org/diary.html?storyid=5599 2008990 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2008990 || url,isc.sans.org/diary.html?storyid=5599 2008991 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2008991 || url,isc.sans.org/diary.html?storyid=5599 2009006 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2009006 || url,isc.sans.org/diary.html?storyid=5599 2009007 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2009007 || url,isc.sans.org/diary.html?storyid=5599 2009008 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2009008 || url,isc.sans.org/diary.html?storyid=5599 2009024 || ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009024 || url,www.f-secure.com/weblog/archives/00001584.html 2009030 || ET CURRENT_EVENTS NS query for a single dot, possible ddos || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_dot || url,doc.emergingthreats.net/bin/view/Main/2009030 || url,isc.sans.org/diary.html?storyid=5713 2009076 || ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Possible_Malicious_PDF || url,doc.emergingthreats.net/bin/view/Main/2009076

-> Added to emerging.rules (2):
# Mass File Injection attacks
# GET /roundcube/bin/msgimport /rc/bin/msgimport /bin/msgimport /mail/bin/msgimport /webmail/bin/msgimport

[---] Removed non-rule lines: [---]

-> Removed from emerging-attack_response.rules (1):
# active use, but can be forced by hostile parties by a number of methods

-> Removed from emerging-sid-msg.map (154):
2000006 || ET DOS Cisco Router HTTP DoS || url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml 2000010 || ET DOS Cisco 514 UDP flood DoS || url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml 2000011 || ET DOS Catalyst memory leak attack || url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml 2000016 || ET DOS SSL Bomb DoS Attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120 2000345 || ET ATTACK RESPONSE IRC - Nick change on non-std port 2000346 || ET ATTACK RESPONSE IRC - Name response on non-std port 2000347 || ET ATTACK RESPONSE IRC - Private message on non-std port 2000348 || ET ATTACK RESPONSE IRC - Channel JOIN on non-std port 2000349 || ET ATTACK RESPONSE IRC - DCC file transfer request on non-std port 2000350 || ET ATTACK RESPONSE IRC - DCC chat request on non-std port 2000351 || ET ATTACK RESPONSE IRC - channel join on non-std port 2000352 || ET ATTACK RESPONSE IRC - dns request on non-std port 2000496 || ET DOS Microsoft SMS dos attempt || url,www.securityfocus.com/archive/1/368911/2004-07-12/2004-07-18/0 2000499 || ET ATTACK RESPONSE FTP inaccessible directory access COM1 2000500 || ET ATTACK RESPONSE FTP inaccessible directory access COM2 2000501 || ET ATTACK RESPONSE FTP inaccessible directory access COM3 2000502 || ET ATTACK RESPONSE FTP inaccessible directory access COM4 2000503 || ET ATTACK RESPONSE FTP inaccessible directory access LPT1 2000504 || ET ATTACK RESPONSE FTP inaccessible directory access LPT2 2000505 || ET ATTACK RESPONSE FTP inaccessible directory access LPT3 2000506 || ET ATTACK RESPONSE FTP inaccessible directory access LPT4 2000507 || ET ATTACK RESPONSE FTP inaccessible directory access AUX 2000508 || ET ATTACK RESPONSE FTP inaccessible directory access NULL 2001205 || ET DOS Internet Explorer Memory Corruption Bug ||
url,www.securiteam.com/windowsntfocus/5XP051FDFM.html 2001346 || ET INAPPROPRIATE Kiddy Porn preteen 2001347 || ET INAPPROPRIATE Kiddy Porn pre-teen 2001348 || ET INAPPROPRIATE Kiddy Porn early teen 2001349 || ET INAPPROPRIATE free XXX 2001350 || ET INAPPROPRIATE hardcore anal 2001351 || ET INAPPROPRIATE masturbation 2001352 || ET INAPPROPRIATE ejaculation 2001353 || ET INAPPROPRIATE BDSM 2001362 || ET DOS MS04-030 Attempted DoS || url,isc.sans.org/diary.php?date=2004-10-20 2001366 || ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt || bugtraq,11265 2001386 || ET INAPPROPRIATE Kiddy Porn pthc 2001387 || ET INAPPROPRIATE Kiddy Porn zeps 2001388 || ET INAPPROPRIATE Kiddy Porn r at ygold 2001389 || ET INAPPROPRIATE Kiddy Porn childlover 2001392 || ET INAPPROPRIATE Sextracker Tracking Code Detected (1) 2001393 || ET INAPPROPRIATE Sextracker Tracking Code Detected (2) 2001608 || ET INAPPROPRIATE Likely Porn 2001616 || ET ATTACK RESPONSE Zone-H.org defacement notification 2001620 || ET ATTACK RESPONSE Likely Botnet Activity 2001628 || ET ATTACK RESPONSE Outbound PHP Connection 2001635 || ET DOS HTTP GET with newline appended || cve,2004-0942 2001636 || ET DOS squ1rt Apache DoS || cve,2004-0942 2001795 || ET DOS Excessive SMTP MAIL-FROM DDoS 2001846 || ET DOS -ISC- ICMP blind TCP reset DoS guessing attempt || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || cve,can-2004-0790 2001882 || ET DOS ICMP Path MTU lowered below acceptable threshold || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || cve,CAN-2004-1060 2002034 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style) 2002809 || ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd) 2002810 || ET ATTACK RESPONSE Hostile FTP Server Banner (Reptile) 2002811 || ET ATTACK RESPONSE Hostile FTP Server Banner (Bot Server) 2002843 || ET DOS Microsoft Streaming Server 
Malformed Request || url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx || bugtraq,1282 2002853 || ET DOS FreeBSD NFS RPC Kernel Panic || bugtraq,19017 || cve,2006-0900 2002880 || ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port || bugtraq,10186 || cve,2004-0714 2002881 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port || bugtraq,10186 || cve,2004-0714 2002882 || ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port || bugtraq,10186 || cve,2004-0714 2002925 || ET INAPPROPRIATE Google Image Search, Safe Mode Off 2002926 || ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port || bugtraq,10186 || cve,2004-0714 2002927 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port || bugtraq,10186 || cve,2004-0714 2002928 || ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port || bugtraq,10186 || cve,2004-0714 2002998 || ET SMTP HELO Non-Displayable Characters MailEnable Denial of Service || bugtraq,18630 || cve,2006-3277 2003071 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style) 2003149 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style) 2003150 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style) 2003236 || ET DOS NetrWkstaUserEnum Request with large Preferred Max Len || cve,2006-6723 2003464 || ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) || url,www.warftp.org 2003465 || ET ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) || url,www.freeftp.com 2003535 || ET ATTACK RESPONSE r57 phpshell footer detected || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 2003536 || ET ATTACK RESPONSE r57 phpshell source being uploaded || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 2006417 || ET ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected 2007651 || ET ATTACK RESPONSE x2300 phpshell detected || url,www.rfxn.com/vdb.php 2007652 || ET ATTACK RESPONSE c99shell phpshell detected || url,www.rfxn.com/vdb.php 2007653 || ET ATTACK RESPONSE RFI Scanner detected || 
url,www.rfxn.com/vdb.php 2007654 || ET ATTACK RESPONSE C99 Modified phpshell detected || url,www.rfxn.com/vdb.php 2007655 || ET ATTACK RESPONSE lila.jpg phpshell detected || url,www.rfxn.com/vdb.php 2007656 || ET ATTACK RESPONSE ALBANIA id.php detected || url,www.rfxn.com/vdb.php 2007657 || ET ATTACK RESPONSE Mic22 id.php detected || url,www.rfxn.com/vdb.php 2007715 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - user 2007717 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass 2007723 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr 2007725 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd) 2007726 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) 2008014 || ET CURRENT_EVENTS Suspicious Download (drv32.data) 2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146 2008193 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent) || url,www.sudosecure.net/archives/67 2008206 || ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD) || url,www.incidents.org/diary.html?storyid=4405 2008207 || ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD) || url,www.incidents.org/diary.html?storyid=4405 2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) || url,www.sudosecure.net/archives/119 2008286 || ET CURRENT_EVENTS Communication with known iamleet.be Botnet CnC Server 2008313 || ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related 2008314 || ET CURRENT_EVENTS Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related 2008315 || ET CURRENT_EVENTS Iframe in Purported 
Image Download (png) - Likely SQL Injection Attacks Related 2008359 || ET TROJAN Unnamed - kuaiche.com related 2008368 || ET TROJAN Unknown Keylogger checkin 2008373 || ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request || url,infosec20.blogspot.com/ 2008387 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js) 2008388 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js) 2008394 || ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt) 2008407 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1) || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008408 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2) || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008409 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3) || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008446 || ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt 2008447 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 2008470 || ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter 2008475 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt || 
url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 2008496 || ET TROJAN Unknown Initial Checkin 2008497 || ET TROJAN Unknown Checkin 2008498 || ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) || url,www.sophos.com/security/blog/2008/08/1632.html 2008508 || ET CURRENT_EVENTS Internal User may have Visited an ASPROX Infected Site 2008528 || ET CURRENT_EVENTS Malware (e-card.exe) || url,garwarner.blogspot.com/2008/08/e-cards-run-wild-where-are-anti-virus.html 2008530 || ET CURRENT_EVENTS Danmec Infected machine Looking up CnC Server 2008531 || ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server 2008539 || ET CURRENT_EVENTS Airmail Express Malware-Laden Email Inbound || url,www.news.portalit.net/fullnews_airmail-express-delivers-fresh-trojan_1506.html || url,www.sophos.com/blogs/gc/g/2008/09/01/email-with-the-subject-airmail 2008552 || ET CURRENT_EVENTS Malware Word doc Email - Fordo Trojan Likely || url,isc.sans.org/diary.html?storyid=5029 || url,www.virustotal.com/analisis/0fc3a70eff0b9ec447794acbda2402e7 2008554 || ET CURRENT_EVENTS Nuclear Email Malware Inbound - Likely Trojan || url,www.computerweekly.com/Articles/2008/09/12/232290/london-nuclear-explosion-in-malware-spam-campaign.htm || url,www.sophos.com/blogs/gc/g/2008/09/11/nuclear-email 2008555 || ET CURRENT_EVENTS Your internet access is going to get suspended Email Inbound - Likely Trojan || url,forum.bitdefender.com/index.php?showtopic=7861 || url,blog.threatfire.com/2008/09/your-internet-access-is-going-to-get.html || url,blog.mxlab.be/2008/09/11/your-internet-access-is-going-to-get-suspended-virus/ || url,www.sophos.com/blogs/gc/g/2008/09/12/your-internet-access 2008556 || ET ATTACK_RESPONSE FTP CWD to windows system32 - Suspicious 2008559 || ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection 2008562 || ET Suspicious SMTP handshake outbound 2008563 || ET Suspicious SMTP handshake reply 2008599 || ET 
CURRENT_EVENTS Asprox Cookie SQL Injection Attempt || url,isc.sans.org/diary.html?n&storyid=5092 2008646 || ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC || url,isc.sans.org/diary.html?storyid=5159 2008737 || ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin 2008738 || ET CURRENT_EVENTS Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot Trojan Related 2008739 || ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound 2008741 || ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin 2008773 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008774 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008775 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008779 || ET CURRENT_EVENTS Unknown Keepalive out 2008780 || ET CURRENT_EVENTS Unknown Keepalive in 2008796 || ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected 2008799 || ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download 2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || 
url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008804 || ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008845 || ET CURRENT_EVENTS Possible Malicious Flash Update || url,isc.sans.org/diary.html?storyid=5437 2008876 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt || url,isc.sans.org/diary.html?storyid=5458 2008877 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) || url,isc.sans.org/diary.html?storyid=5458 2008909 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008910 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008948 || ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin || url,www.threatexpert.com/reports.aspx?find=help.rar 2008953 || ET POLICY Possible MS CMD Shell opened on local system 2008960 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan || url,isc.sans.org/diary.html?storyid=5599 2008990 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 || url,isc.sans.org/diary.html?storyid=5599 2008991 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check || url,isc.sans.org/diary.html?storyid=5599 2009006 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 || url,isc.sans.org/diary.html?storyid=5599 2009007 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 || url,isc.sans.org/diary.html?storyid=5599 2009008 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 || 
url,isc.sans.org/diary.html?storyid=5599 2009024 || ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting || url,www.f-secure.com/weblog/archives/00001584.html 2009030 || ET CURRENT_EVENTS NS query for a single dot, possible ddos || url,isc.sans.org/diary.html?storyid=5713 2009076 || ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF)

-> Removed from emerging-sid-msg.map.txt (154):
2000006 || ET DOS Cisco Router HTTP DoS || url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml 2000010 || ET DOS Cisco 514 UDP flood DoS || url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml 2000011 || ET DOS Catalyst memory leak attack || url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml 2000016 || ET DOS SSL Bomb DoS Attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120 2000345 || ET ATTACK RESPONSE IRC - Nick change on non-std port 2000346 || ET ATTACK RESPONSE IRC - Name response on non-std port 2000347 || ET ATTACK RESPONSE IRC - Private message on non-std port 2000348 || ET ATTACK RESPONSE IRC - Channel JOIN on non-std port 2000349 || ET ATTACK RESPONSE IRC - DCC file transfer request on non-std port 2000350 || ET ATTACK RESPONSE IRC - DCC chat request on non-std port 2000351 || ET ATTACK RESPONSE IRC - channel join on non-std port 2000352 || ET ATTACK RESPONSE IRC - dns request on non-std port 2000496 || ET DOS Microsoft SMS dos attempt || url,www.securityfocus.com/archive/1/368911/2004-07-12/2004-07-18/0 2000499 || ET ATTACK RESPONSE FTP inaccessible directory access COM1 2000500 || ET ATTACK RESPONSE FTP inaccessible directory access COM2 2000501 || ET ATTACK RESPONSE FTP inaccessible directory access COM3 2000502 || ET ATTACK RESPONSE FTP inaccessible directory access COM4 2000503 || ET ATTACK RESPONSE FTP inaccessible directory access LPT1 2000504 || ET ATTACK RESPONSE FTP inaccessible directory access LPT2 2000505 || ET ATTACK RESPONSE FTP inaccessible directory
access LPT3 2000506 || ET ATTACK RESPONSE FTP inaccessible directory access LPT4 2000507 || ET ATTACK RESPONSE FTP inaccessible directory access AUX 2000508 || ET ATTACK RESPONSE FTP inaccessible directory access NULL 2001205 || ET DOS Internet Explorer Memory Corruption Bug || url,www.securiteam.com/windowsntfocus/5XP051FDFM.html 2001346 || ET INAPPROPRIATE Kiddy Porn preteen 2001347 || ET INAPPROPRIATE Kiddy Porn pre-teen 2001348 || ET INAPPROPRIATE Kiddy Porn early teen 2001349 || ET INAPPROPRIATE free XXX 2001350 || ET INAPPROPRIATE hardcore anal 2001351 || ET INAPPROPRIATE masturbation 2001352 || ET INAPPROPRIATE ejaculation 2001353 || ET INAPPROPRIATE BDSM 2001362 || ET DOS MS04-030 Attempted DoS || url,isc.sans.org/diary.php?date=2004-10-20 2001366 || ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt || bugtraq,11265 2001386 || ET INAPPROPRIATE Kiddy Porn pthc 2001387 || ET INAPPROPRIATE Kiddy Porn zeps 2001388 || ET INAPPROPRIATE Kiddy Porn r at ygold 2001389 || ET INAPPROPRIATE Kiddy Porn childlover 2001392 || ET INAPPROPRIATE Sextracker Tracking Code Detected (1) 2001393 || ET INAPPROPRIATE Sextracker Tracking Code Detected (2) 2001608 || ET INAPPROPRIATE Likely Porn 2001616 || ET ATTACK RESPONSE Zone-H.org defacement notification 2001620 || ET ATTACK RESPONSE Likely Botnet Activity 2001628 || ET ATTACK RESPONSE Outbound PHP Connection 2001635 || ET DOS HTTP GET with newline appended || cve,2004-0942 2001636 || ET DOS squ1rt Apache DoS || cve,2004-0942 2001795 || ET DOS Excessive SMTP MAIL-FROM DDoS 2001846 || ET DOS -ISC- ICMP blind TCP reset DoS guessing attempt || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || cve,can-2004-0790 2001882 || ET DOS ICMP Path MTU lowered below acceptable threshold || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || cve,CAN-2004-1060 2002034 || ET ATTACK RESPONSE Possible 
/etc/passwd via HTTP (linux style) 2002809 || ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd) 2002810 || ET ATTACK RESPONSE Hostile FTP Server Banner (Reptile) 2002811 || ET ATTACK RESPONSE Hostile FTP Server Banner (Bot Server) 2002843 || ET DOS Microsoft Streaming Server Malformed Request || url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx || bugtraq,1282 2002853 || ET DOS FreeBSD NFS RPC Kernel Panic || bugtraq,19017 || cve,2006-0900 2002880 || ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port || bugtraq,10186 || cve,2004-0714 2002881 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port || bugtraq,10186 || cve,2004-0714 2002882 || ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port || bugtraq,10186 || cve,2004-0714 2002925 || ET INAPPROPRIATE Google Image Search, Safe Mode Off 2002926 || ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port || bugtraq,10186 || cve,2004-0714 2002927 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port || bugtraq,10186 || cve,2004-0714 2002928 || ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port || bugtraq,10186 || cve,2004-0714 2002998 || ET SMTP HELO Non-Displayable Characters MailEnable Denial of Service || bugtraq,18630 || cve,2006-3277 2003071 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style) 2003149 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style) 2003150 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style) 2003236 || ET DOS NetrWkstaUserEnum Request with large Preferred Max Len || cve,2006-6723 2003464 || ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) || url,www.warftp.org 2003465 || ET ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) || url,www.freeftp.com 2003535 || ET ATTACK RESPONSE r57 phpshell footer detected || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 2003536 || ET ATTACK RESPONSE r57 phpshell source being uploaded || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 2006417 || ET 
ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected 2007651 || ET ATTACK RESPONSE x2300 phpshell detected || url,www.rfxn.com/vdb.php 2007652 || ET ATTACK RESPONSE c99shell phpshell detected || url,www.rfxn.com/vdb.php 2007653 || ET ATTACK RESPONSE RFI Scanner detected || url,www.rfxn.com/vdb.php 2007654 || ET ATTACK RESPONSE C99 Modified phpshell detected || url,www.rfxn.com/vdb.php 2007655 || ET ATTACK RESPONSE lila.jpg phpshell detected || url,www.rfxn.com/vdb.php 2007656 || ET ATTACK RESPONSE ALBANIA id.php detected || url,www.rfxn.com/vdb.php 2007657 || ET ATTACK RESPONSE Mic22 id.php detected || url,www.rfxn.com/vdb.php 2007715 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - user 2007717 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass 2007723 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr 2007725 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd) 2007726 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) 2008014 || ET CURRENT_EVENTS Suspicious Download (drv32.data) 2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146 2008193 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent) || url,www.sudosecure.net/archives/67 2008206 || ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD) || url,www.incidents.org/diary.html?storyid=4405 2008207 || ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD) || url,www.incidents.org/diary.html?storyid=4405 2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) || url,www.sudosecure.net/archives/119 2008286 || ET CURRENT_EVENTS Communication with known iamleet.be 
Botnet CnC Server 2008313 || ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related 2008314 || ET CURRENT_EVENTS Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related 2008315 || ET CURRENT_EVENTS Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related 2008359 || ET TROJAN Unnamed - kuaiche.com related 2008368 || ET TROJAN Unknown Keylogger checkin 2008373 || ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request || url,infosec20.blogspot.com/ 2008387 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js) 2008388 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js) 2008394 || ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt) 2008407 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1) || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008408 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2) || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008409 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3) || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008446 || ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt 2008447 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 
2008470 || ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter 2008475 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 2008496 || ET TROJAN Unknown Initial Checkin 2008497 || ET TROJAN Unknown Checkin 2008498 || ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) || url,www.sophos.com/security/blog/2008/08/1632.html 2008508 || ET CURRENT_EVENTS Internal User may have Visited an ASPROX Infected Site 2008528 || ET CURRENT_EVENTS Malware (e-card.exe) || url,garwarner.blogspot.com/2008/08/e-cards-run-wild-where-are-anti-virus.html 2008530 || ET CURRENT_EVENTS Danmec Infected machine Looking up CnC Server 2008531 || ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server 2008539 || ET CURRENT_EVENTS Airmail Express Malware-Laden Email Inbound || url,www.news.portalit.net/fullnews_airmail-express-delivers-fresh-trojan_1506.html || url,www.sophos.com/blogs/gc/g/2008/09/01/email-with-the-subject-airmail 2008552 || ET CURRENT_EVENTS Malware Word doc Email - Fordo Trojan Likely || url,isc.sans.org/diary.html?storyid=5029 || url,www.virustotal.com/analisis/0fc3a70eff0b9ec447794acbda2402e7 2008554 || ET CURRENT_EVENTS Nuclear Email Malware Inbound - Likely Trojan || url,www.computerweekly.com/Articles/2008/09/12/232290/london-nuclear-explosion-in-malware-spam-campaign.htm || url,www.sophos.com/blogs/gc/g/2008/09/11/nuclear-email 2008555 || ET CURRENT_EVENTS Your internet access is going to get suspended Email Inbound - Likely Trojan || url,forum.bitdefender.com/index.php?showtopic=7861 || url,blog.threatfire.com/2008/09/your-internet-access-is-going-to-get.html || url,blog.mxlab.be/2008/09/11/your-internet-access-is-going-to-get-suspended-virus/ || url,www.sophos.com/blogs/gc/g/2008/09/12/your-internet-access 2008556 || ET ATTACK_RESPONSE FTP CWD to windows 
system32 - Suspicious 2008559 || ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection 2008562 || ET Suspicious SMTP handshake outbound 2008563 || ET Suspicious SMTP handshake reply 2008599 || ET CURRENT_EVENTS Asprox Cookie SQL Injection Attempt || url,isc.sans.org/diary.html?n&storyid=5092 2008646 || ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC || url,isc.sans.org/diary.html?storyid=5159 2008737 || ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin 2008738 || ET CURRENT_EVENTS Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot Trojan Related 2008739 || ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound 2008741 || ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin 2008773 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008774 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008775 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008779 || ET CURRENT_EVENTS Unknown Keepalive out 2008780 || ET CURRENT_EVENTS Unknown Keepalive in 2008796 || ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected 2008799 || ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download 2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || 
url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008804 || ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008845 || ET CURRENT_EVENTS Possible Malicious Flash Update || url,isc.sans.org/diary.html?storyid=5437 2008876 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt || url,isc.sans.org/diary.html?storyid=5458 2008877 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) || url,isc.sans.org/diary.html?storyid=5458 2008909 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008910 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008948 || ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin || url,www.threatexpert.com/reports.aspx?find=help.rar 2008953 || ET POLICY Possible MS CMD Shell opened on local system 2008960 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan || url,isc.sans.org/diary.html?storyid=5599 2008990 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 || url,isc.sans.org/diary.html?storyid=5599 2008991 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check || url,isc.sans.org/diary.html?storyid=5599 2009006 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 || url,isc.sans.org/diary.html?storyid=5599 2009007 || ET CURRENT_EVENTS Unknown 
Roundcube Vulnerability Exploit Attempt 2 || url,isc.sans.org/diary.html?storyid=5599
2009008 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 || url,isc.sans.org/diary.html?storyid=5599
2009024 || ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting || url,www.f-secure.com/weblog/archives/00001584.html
2009030 || ET CURRENT_EVENTS NS query for a single dot, possible ddos || url,isc.sans.org/diary.html?storyid=5713
2009076 || ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF)

-> Removed from emerging.rules (2):
# Mass File Injection attacks
# GET /roundcube/bin/msgimport /rc/bin/msgimport /bin/msgimport /mail/bin/msgimport /webmail/bin/msgimport

From emerging at emergingthreats.net Sat Feb 7 18:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 7 Feb 2009 18:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20090207230009.7FC034501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Feb 7 18:00:09 2009 [***]

[+++] Added rules: [+++]

2009065 - ET WEB_SPECIFIC PHP-Daily add_postit.php id Parameter SQL Injection (emerging-web_sql_injection.rules)
2009066 - ET WEB_SPECIFIC PHP-Daily delete.php id Parameter SQL Injection (emerging-web_sql_injection.rules)
2009067 - ET WEB_SPECIFIC PHP-Fusion Members CV(job) Module members.php sortby parameter SQL injection (emerging-web_sql_injection.rules)
2009068 - ET WEB_SPECIFIC iGaming CMS previews.php browse parameter SQL injection (emerging-web_sql_injection.rules)
2009069 - ET WEB_SPECIFIC iGaming CMS reviews.php browse parameter SQL injection (emerging-web_sql_injection.rules)
2009070 - ET WEB_SPECIFIC phpSkelSite TplSuffix parameter local file inclusion (emerging-web_sql_injection.rules)
2009071 - ET WEB_SPECIFIC phpSkelSite theme parameter remote file inclusion (emerging-web_sql_injection.rules)
2009073 - ET WEB_SPECIFIC PNphpBB2 admin_words.php ModName parameter Local File inclusion (emerging-web_sql_injection.rules)
2009074 - ET WEB_SPECIFIC PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion (emerging-web_sql_injection.rules)
2009075 - ET WEB_SPECIFIC PNphpBB2 admin_smilies.php ModName parameter Local File inclusion (emerging-web_sql_injection.rules)
2009076 - ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF) (emerging.rules)
2009077 - ET TROJAN TROJ_INJECT.NI Update Request (emerging-virus.rules)
2009078 - ET TROJAN Backdoor Lanfiltrator Checkin (emerging-virus.rules)
2009079 - ET TROJAN Delfsnif/Buzus.fte Remote Response (emerging-virus.rules)
2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules)
2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2406222 - ET RBN Known Russian Business Network Monitored Domains (223) (emerging-rbn.rules)
2406223 - ET RBN Known Russian Business Network Monitored Domains (224) (emerging-rbn.rules)
2406224 - ET RBN Known Russian Business Network Monitored Domains (225) (emerging-rbn.rules)
2406225 - ET RBN Known Russian Business Network Monitored Domains (226) (emerging-rbn.rules)
2406226 - ET RBN Known Russian Business Network Monitored Domains (227) (emerging-rbn.rules)
2406227 - ET RBN Known Russian Business Network Monitored Domains (228) (emerging-rbn.rules)
2407222 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (223) (emerging-rbn-BLOCK.rules)
2407223 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (224) (emerging-rbn-BLOCK.rules)
2407224 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (225) (emerging-rbn-BLOCK.rules)
2407225 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (226) (emerging-rbn-BLOCK.rules)
2407226 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (227) (emerging-rbn-BLOCK.rules)
2407227 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (228) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

2000006 - ET DOS Cisco Router HTTP DoS (emerging-dos.rules)
2000010 - ET DOS Cisco 514 UDP flood DoS (emerging-dos.rules)
2000011 - ET DOS Catalyst memory leak attack (emerging-dos.rules)
2000016 - ET DOS SSL Bomb DoS Attempt (emerging-dos.rules)
2000345 - ET ATTACK RESPONSE IRC - Nick change on non-std port (emerging-attack_response.rules)
2000346 - ET ATTACK RESPONSE IRC - Name response on non-std port (emerging-attack_response.rules)
2000347 - ET ATTACK RESPONSE IRC - Private message on non-std port (emerging-attack_response.rules)
2000348 - ET ATTACK RESPONSE IRC - Channel JOIN on non-std port (emerging-attack_response.rules)
2000349 - ET ATTACK RESPONSE IRC - DCC file transfer request on non-std port (emerging-attack_response.rules)
2000350 - ET ATTACK RESPONSE IRC - DCC chat request on non-std port (emerging-attack_response.rules)
2000351 - ET ATTACK RESPONSE IRC - channel join on non-std port (emerging-attack_response.rules)
2000352 - ET ATTACK RESPONSE IRC - dns request on non-std port (emerging-attack_response.rules)
2000496 - ET DOS Microsoft SMS dos attempt (emerging-dos.rules)
2000499 - ET ATTACK RESPONSE FTP inaccessible directory access COM1 (emerging-attack_response.rules)
2000500 - ET ATTACK RESPONSE FTP inaccessible directory access COM2 (emerging-attack_response.rules)
2000501 - ET ATTACK RESPONSE FTP inaccessible directory access COM3 (emerging-attack_response.rules)
2000502 - ET ATTACK RESPONSE FTP inaccessible directory access COM4 (emerging-attack_response.rules)
2000503 - ET ATTACK RESPONSE FTP inaccessible directory access LPT1 (emerging-attack_response.rules)
2000504 - ET ATTACK RESPONSE FTP inaccessible directory access LPT2 (emerging-attack_response.rules)
2000505 - ET ATTACK RESPONSE FTP inaccessible directory access LPT3 (emerging-attack_response.rules)
2000506 - ET ATTACK RESPONSE FTP inaccessible directory access LPT4 (emerging-attack_response.rules)
2000507 - ET ATTACK
RESPONSE FTP inaccessible directory access AUX (emerging-attack_response.rules) 2000508 - ET ATTACK RESPONSE FTP inaccessible directory access NULL (emerging-attack_response.rules) 2001349 - ET INAPPROPRIATE free XXX (emerging-inappropriate.rules) 2001350 - ET INAPPROPRIATE hardcore anal (emerging-inappropriate.rules) 2001362 - ET DOS MS04-030 Attempted DoS (emerging-dos.rules) 2001366 - ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt (emerging-dos.rules) 2001392 - ET INAPPROPRIATE Sextracker Tracking Code Detected (1) (emerging-inappropriate.rules) 2001393 - ET INAPPROPRIATE Sextracker Tracking Code Detected (2) (emerging-inappropriate.rules) 2001616 - ET ATTACK RESPONSE Zone-H.org defacement notification (emerging-attack_response.rules) 2001620 - ET ATTACK RESPONSE Likely Botnet Activity (emerging-attack_response.rules) 2001628 - ET ATTACK RESPONSE Outbound PHP Connection (emerging-attack_response.rules) 2001635 - ET DOS HTTP GET with newline appended (emerging-dos.rules) 2001636 - ET DOS squ1rt Apache DoS (emerging-dos.rules) 2001795 - ET DOS Excessive SMTP MAIL-FROM DDoS (emerging-dos.rules) 2001846 - ET DOS -ISC- ICMP blind TCP reset DoS guessing attempt (emerging-dos.rules) 2001882 - ET DOS ICMP Path MTU lowered below acceptable threshold (emerging-dos.rules) 2002034 - ET ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style) (emerging-attack_response.rules) 2002809 - ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd) (emerging-attack_response.rules) 2002810 - ET ATTACK RESPONSE Hostile FTP Server Banner (Reptile) (emerging-attack_response.rules) 2002811 - ET ATTACK RESPONSE Hostile FTP Server Banner (Bot Server) (emerging-attack_response.rules) 2002843 - ET DOS Microsoft Streaming Server Malformed Request (emerging-dos.rules) 2002853 - ET DOS FreeBSD NFS RPC Kernel Panic (emerging-dos.rules) 2002880 - ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port (emerging-dos.rules) 2002881 - ET SNMP Cisco Non-Trap PDU request on 
SNMPv2 trap port (emerging-dos.rules) 2002882 - ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port (emerging-dos.rules) 2002926 - ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port (emerging-dos.rules) 2002927 - ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port (emerging-dos.rules) 2002928 - ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port (emerging-dos.rules) 2002998 - ET SMTP HELO Non-Displayable Characters MailEnable Denial of Service (emerging-dos.rules) 2003071 - ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style) (emerging-attack_response.rules) 2003149 - ET ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style) (emerging-attack_response.rules) 2003150 - ET ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style) (emerging-attack_response.rules) 2003179 - ET POLICY exe download without User Agent (emerging-policy.rules) 2003236 - ET DOS NetrWkstaUserEnum Request with large Preferred Max Len (emerging-dos.rules) 2003464 - ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) (emerging-attack_response.rules) 2003465 - ET ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) (emerging-attack_response.rules) 2003535 - ET ATTACK RESPONSE r57 phpshell footer detected (emerging-attack_response.rules) 2003536 - ET ATTACK RESPONSE r57 phpshell source being uploaded (emerging-attack_response.rules) 2006417 - ET ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected (emerging-attack_response.rules) 2007651 - ET ATTACK RESPONSE x2300 phpshell detected (emerging-attack_response.rules) 2007652 - ET ATTACK RESPONSE c99shell phpshell detected (emerging-attack_response.rules) 2007653 - ET ATTACK RESPONSE RFI Scanner detected (emerging-attack_response.rules) 2007654 - ET ATTACK RESPONSE C99 Modified phpshell detected (emerging-attack_response.rules) 2007656 - ET ATTACK RESPONSE ALBANIA id.php detected (emerging-attack_response.rules) 2007715 - ET ATTACK RESPONSE Off-Port FTP Without Banners - user (emerging-attack_response.rules) 
2007717 - ET ATTACK RESPONSE Off-Port FTP Without Banners - pass (emerging-attack_response.rules) 2007723 - ET ATTACK RESPONSE Off-Port FTP Without Banners - retr (emerging-attack_response.rules) 2007725 - ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd) (emerging-attack_response.rules) 2007726 - ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) (emerging-attack_response.rules) 2008014 - ET CURRENT_EVENTS Suspicious Download (drv32.data) (emerging.rules) 2008077 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) (emerging.rules) 2008193 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent) (emerging.rules) 2008206 - ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD) (emerging.rules) 2008207 - ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD) (emerging.rules) 2008235 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) (emerging.rules) 2008286 - ET CURRENT_EVENTS Communication with known iamleet.be Botnet CnC Server (emerging.rules) 2008313 - ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related (emerging.rules) 2008314 - ET CURRENT_EVENTS Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related (emerging.rules) 2008315 - ET CURRENT_EVENTS Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related (emerging.rules) 2008359 - ET TROJAN Unnamed - kuaiche.com related (emerging.rules) 2008368 - ET TROJAN Unknown Keylogger checkin (emerging.rules) 2008373 - ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request (emerging.rules) 2008387 - ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js) (emerging.rules) 2008388 - ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js) (emerging.rules) 2008394 - ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br 
(/17PHolmes.cmt) (emerging.rules) 2008407 - ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1) (emerging.rules) 2008408 - ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2) (emerging.rules) 2008409 - ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3) (emerging.rules) 2008446 - ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt (emerging.rules) 2008447 - ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt (emerging.rules) 2008475 - ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt (emerging.rules) 2008496 - ET TROJAN Unknown Initial Checkin (emerging.rules) 2008497 - ET TROJAN Unknown Checkin (emerging.rules) 2008498 - ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) (emerging.rules) 2008508 - ET CURRENT_EVENTS Internal User may have Visited an ASPROX Infected Site (emerging.rules) 2008528 - ET CURRENT_EVENTS Malware (e-card.exe) (emerging.rules) 2008530 - ET CURRENT_EVENTS Danmec Infected machine Looking up CnC Server (emerging.rules) 2008531 - ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server (emerging.rules) 2008539 - ET CURRENT_EVENTS Airmail Express Malware-Laden Email Inbound (emerging.rules) 2008552 - ET CURRENT_EVENTS Malware Word doc Email - Fordo Trojan Likely (emerging.rules) 2008554 - ET CURRENT_EVENTS Nuclear Email Malware Inbound - Likely Trojan (emerging.rules) 2008555 - ET CURRENT_EVENTS Your internet access is going to get suspended Email Inbound - Likely Trojan (emerging.rules) 2008556 - ET ATTACK RESPONSE FTP CWD to windows system32 - Suspicious (emerging-attack_response.rules) 2008559 - ET ATTACK RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection 
(emerging-attack_response.rules) 2008562 - ET TROJAN Suspicious SMTP handshake outbound (emerging.rules) 2008563 - ET TROJAN Suspicious SMTP handshake reply (emerging.rules) 2008599 - ET CURRENT_EVENTS Asprox Cookie SQL Injection Attempt (emerging.rules) 2008646 - ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC (emerging.rules) 2008664 - ET TROJAN Generic Dropper HTTP Bot grabbing config (emerging-virus.rules) 2008737 - ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin (emerging.rules) 2008738 - ET CURRENT_EVENTS Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot Trojan Related (emerging.rules) 2008739 - ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound (emerging.rules) 2008741 - ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin (emerging.rules) 2008773 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (emerging.rules) 2008774 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) (emerging.rules) 2008775 - ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) (emerging.rules) 2008779 - ET CURRENT_EVENTS Unknown Keepalive out (emerging.rules) 2008780 - ET CURRENT_EVENTS Unknown Keepalive in (emerging.rules) 2008796 - ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected (emerging.rules) 2008799 - ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download (emerging.rules) 2008802 - ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity (emerging.rules) 2008803 - ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location (emerging.rules) 2008845 - ET CURRENT_EVENTS Possible Malicious Flash Update (emerging.rules) 2008876 - ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (emerging.rules) 2008877 - ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) (emerging.rules) 2008909 - ET 
CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 (emerging.rules) 2008910 - ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 (emerging.rules) 2008948 - ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin (emerging.rules) 2008953 - ET ATTACK RESPONSE Possible MS CMD Shell opened on local system (emerging-attack_response.rules) 2008960 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan (emerging.rules) 2008990 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 (emerging.rules) 2008991 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check (emerging.rules) 2009006 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 (emerging.rules) 2009007 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 (emerging.rules) 2009008 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 (emerging.rules) 2009024 - ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting (emerging.rules) 2009030 - ET CURRENT_EVENTS NS query for a single dot, possible ddos (emerging.rules) 2009042 - ET SCAN SQLNinja MSSQL Authentication Mode Scan (emerging-scan.rules) 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE 
(emerging-drop-BLOCK.rules) 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules) 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules) 2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules) 2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules) 2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules) 2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules) 2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules) 2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules) 2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules) 2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules) 2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules) 2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules) 2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules) 2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules) 2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules) 2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules) 2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules) 
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules)
2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules)
2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules)
2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules)
2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules)
2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules)
2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules)
2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules)
2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules)
2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules)
2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules)
2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules)
2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules)
2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules)
2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules)
2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules)
2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules)
2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules)
2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules)
2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules)
2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules)
2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules)
2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules)
2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules)
2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules)
2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules)
2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules)
2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules)
2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules)
2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules)
2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules)
2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules)
2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules)
2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules)
2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules)
2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules)
2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules)
2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules)
2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules)
2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules)
2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules)
2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules)
2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules)
2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules)
2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules)
2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules)
2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules)
2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules)
2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules)
2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules)
2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules)
2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules)
2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules)
2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules)
2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules)
2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules)
2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules)
2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules)
2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules)
2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules)
2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules)
2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules)
2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules)
2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules)
2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules)
2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules)
2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules)
2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules)
2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules)
2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules)
2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules)
2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules)
2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules)
2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules)
2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules)
2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules)
2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules)
2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules)
2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules)
2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules)
2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules)
2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules)
2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules)
2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules)
2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules)
2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules)
2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules)
2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules)
2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules)
2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules)
2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules)
2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules)
2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules)
2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules)
2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules)
2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules)
2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules)
2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules)
2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules)
2406208 - ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules)
2406209 - ET RBN Known Russian Business Network Monitored Domains (210) (emerging-rbn.rules)
2406210 - ET RBN Known Russian Business Network Monitored Domains (211) (emerging-rbn.rules)
2406211 - ET RBN Known Russian Business Network Monitored Domains (212) (emerging-rbn.rules)
2406212 - ET RBN Known Russian Business Network Monitored Domains (213) (emerging-rbn.rules)
2406213 - ET RBN Known Russian Business Network Monitored Domains (214) (emerging-rbn.rules)
2406214 - ET RBN Known Russian Business Network Monitored Domains (215) (emerging-rbn.rules)
2406215 - ET RBN Known Russian Business Network Monitored Domains (216) (emerging-rbn.rules)
2406216 - ET RBN Known Russian Business Network Monitored Domains (217) (emerging-rbn.rules)
2406217 - ET RBN Known Russian Business Network Monitored Domains (218) (emerging-rbn.rules)
2406218 - ET RBN Known Russian Business Network Monitored Domains (219) (emerging-rbn.rules)
2406219 - ET RBN Known Russian Business Network Monitored Domains (220) (emerging-rbn.rules)
2406220 - ET RBN Known Russian Business Network Monitored Domains (221) (emerging-rbn.rules)
2406221 - ET RBN Known Russian Business Network Monitored Domains (222) (emerging-rbn.rules)
2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)
2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)
2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules)
2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules)
2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules)
2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules)
2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules)
2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules)
2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules)
2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules)
2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules)
2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules)
2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules)
2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules)
2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules)
2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules)
2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules)
2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules)
2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules)
2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules)
2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules)
2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules)
2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules)
2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules)
2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules)
2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules)
2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules)
2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules)
2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules)
2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules)
2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules)
2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules)
2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules)
2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules)
2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules)
2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules)
2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules)
2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules)
2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules)
2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules)
2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules)
2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules)
2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules)
2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules)
2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules)
2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules)
2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules)
2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules)
2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules)
2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules)
2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules)
2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules)
2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules)
2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules)
2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules)
2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules)
2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules)
2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules)
2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules)
2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules)
2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules)
2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules)
2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules)
2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules)
2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules)
2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules)
2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules)
2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules)
2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules)
2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules)
2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules)
2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules)
2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules)
2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules)
2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules)
2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules)
2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules)
2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules)
2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules)
2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules)
2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules)
2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules)
2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules)
2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules)
2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules)
2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules)
2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules)
2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules)
2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules)
2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules)
2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules)
2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules)
2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules)
2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules)
2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules)
2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules)
2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules)
2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules)
2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules)
2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules)
2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules)
2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules)
2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules)
2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules)
2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules)
2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules)
2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules)
2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules)
2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules)
2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules)
2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules)
2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules)
2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules)
2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules)
2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules)
2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules)
2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules)
2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules)
2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules)
2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules)
2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules)
2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules)
2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules)
2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules)
2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules)
2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules)
2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules)
2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules)
2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules)
2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules)
2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules)
2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules)
2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules)
2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules)
2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules)
2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules)
2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules)
2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules)
2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules)
2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules)
2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules)
2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules)
2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules)
2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) (emerging-rbn-BLOCK.rules)
2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules)
2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(174) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) (emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules) 2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) (emerging-rbn-BLOCK.rules) 2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules) 2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) 
(emerging-rbn-BLOCK.rules) 2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules) 2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules) 2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules) 2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules) 2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) (emerging-rbn-BLOCK.rules) 2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules) 2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules) 2407199 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) (emerging-rbn-BLOCK.rules) 2407200 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) (emerging-rbn-BLOCK.rules) 2407201 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) (emerging-rbn-BLOCK.rules) 2407202 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) (emerging-rbn-BLOCK.rules) 2407203 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) (emerging-rbn-BLOCK.rules) 2407204 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) (emerging-rbn-BLOCK.rules) 2407205 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) (emerging-rbn-BLOCK.rules) 2407206 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) (emerging-rbn-BLOCK.rules) 2407207 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) (emerging-rbn-BLOCK.rules) 2407208 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) (emerging-rbn-BLOCK.rules) 2407209 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (210) 
[///] Modified inactive rules: [///]

    2001205 - ET DOS Internet Explorer Memory Corruption Bug (emerging-dos.rules)
    2001346 - ET INAPPROPRIATE Kiddy Porn preteen (emerging-inappropriate.rules)
    2001347 - ET INAPPROPRIATE Kiddy Porn pre-teen (emerging-inappropriate.rules)
    2001348 - ET INAPPROPRIATE Kiddy Porn early teen (emerging-inappropriate.rules)
    2001351 - ET INAPPROPRIATE masturbation (emerging-inappropriate.rules)
    2001352 - ET INAPPROPRIATE ejaculation (emerging-inappropriate.rules)
    2001353 - ET INAPPROPRIATE BDSM (emerging-inappropriate.rules)
    2001386 - ET INAPPROPRIATE Kiddy Porn pthc (emerging-inappropriate.rules)
    2001387 - ET INAPPROPRIATE Kiddy Porn zeps (emerging-inappropriate.rules)
    2001388 - ET INAPPROPRIATE Kiddy Porn r at ygold (emerging-inappropriate.rules)
    2001389 - ET INAPPROPRIATE Kiddy Porn childlover (emerging-inappropriate.rules)
    2001608 - ET INAPPROPRIATE Likely Porn (emerging-inappropriate.rules)
    2002925 - ET INAPPROPRIATE Google Image Search, Safe Mode Off (emerging-inappropriate.rules)
    2007655 - ET ATTACK RESPONSE lila.jpg phpshell detected (emerging-attack_response.rules)
    2007657 - ET ATTACK RESPONSE Mic22 id.php detected (emerging-attack_response.rules)
    2008470 - ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter (emerging.rules)
    2008804 - ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 (emerging.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-attack_response.rules (1):
       # active use, but can be forced by hostile parties by a number of methods
    -> Added to emerging-drop-BLOCK.rules (2):
       # VERSION 1443
       # Generated 2009-02-07 00:03:02 EDT
    -> Added to emerging-drop.rules (2):
       # VERSION 1443
       # Generated 2009-02-07 00:03:02 EDT
    -> Added to emerging-rbn-BLOCK.rules (2):
       # VERSION 109
       # Updated 2009-02-04 13:03:51
    -> Added to emerging-rbn.rules (2):
       # VERSION 109
       # Updated 2009-02-04 13:03:51
    -> Added to emerging-sid-msg.map (183):
possible Cache Poisoning Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning || url,doc.emergingthreats.net/bin/view/Main/2008446 2008447 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning || url,doc.emergingthreats.net/bin/view/Main/2008447 || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 2008470 || ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning || url,doc.emergingthreats.net/bin/view/Main/2008470 2008475 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning || url,doc.emergingthreats.net/bin/view/Main/2008475 || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 2008496 || ET TROJAN Unknown Initial Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || url,doc.emergingthreats.net/bin/view/Main/2008496 2008497 || ET TROJAN Unknown Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || url,doc.emergingthreats.net/bin/view/Main/2008497 2008498 || ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Facebook || url,doc.emergingthreats.net/bin/view/Main/2008498 || url,www.sophos.com/security/blog/2008/08/1632.html 2008508 || ET CURRENT_EVENTS Internal User may have Visited an ASPROX Infected Site || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox || url,doc.emergingthreats.net/bin/view/Main/2008508 2008528 || ET 
CURRENT_EVENTS Malware (e-card.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Ecards || url,doc.emergingthreats.net/bin/view/Main/2008528 || url,garwarner.blogspot.com/2008/08/e-cards-run-wild-where-are-anti-virus.html 2008530 || ET CURRENT_EVENTS Danmec Infected machine Looking up CnC Server || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Danmec || url,doc.emergingthreats.net/bin/view/Main/2008530 2008531 || ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_santa-inbox.com || url,doc.emergingthreats.net/bin/view/Main/2008531 2008539 || ET CURRENT_EVENTS Airmail Express Malware-Laden Email Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Airmail_Express || url,doc.emergingthreats.net/bin/view/Main/2008539 || url,www.news.portalit.net/fullnews_airmail-express-delivers-fresh-trojan_1506.html || url,www.sophos.com/blogs/gc/g/2008/09/01/email-with-the-subject-airmail 2008552 || ET CURRENT_EVENTS Malware Word doc Email - Fordo Trojan Likely || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Fordo || url,doc.emergingthreats.net/bin/view/Main/2008552 || url,isc.sans.org/diary.html?storyid=5029 || url,www.virustotal.com/analisis/0fc3a70eff0b9ec447794acbda2402e7 2008554 || ET CURRENT_EVENTS Nuclear Email Malware Inbound - Likely Trojan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Email_Worms || url,doc.emergingthreats.net/bin/view/Main/2008554 || url,www.computerweekly.com/Articles/2008/09/12/232290/london-nuclear-explosion-in-malware-spam-campaign.htm || url,www.sophos.com/blogs/gc/g/2008/09/11/nuclear-email 2008555 || ET CURRENT_EVENTS Your internet access is going to get suspended Email Inbound - Likely Trojan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Email_Worms || 
url,doc.emergingthreats.net/bin/view/Main/2008555 || url,forum.bitdefender.com/index.php?showtopic=7861 || url,blog.threatfire.com/2008/09/your-internet-access-is-going-to-get.html || url,blog.mxlab.be/2008/09/11/your-internet-access-is-going-to-get-suspended-virus/ || url,www.sophos.com/blogs/gc/g/2008/09/12/your-internet-access 2008556 || ET ATTACK RESPONSE FTP CWD to windows system32 - Suspicious || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_FTP || url,doc.emergingthreats.net/bin/view/Main/2008556 2008559 || ET ATTACK RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_LMHosts_Download || url,doc.emergingthreats.net/bin/view/Main/2008559 2008562 || ET TROJAN Suspicious SMTP handshake outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || url,doc.emergingthreats.net/bin/view/Main/2008562 2008563 || ET TROJAN Suspicious SMTP handshake reply || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || url,doc.emergingthreats.net/bin/view/Main/2008563 2008599 || ET CURRENT_EVENTS Asprox Cookie SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox || url,doc.emergingthreats.net/bin/view/Main/2008599 || url,isc.sans.org/diary.html?n&storyid=5092 2008646 || ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Fake_MS_Update || url,doc.emergingthreats.net/bin/view/Main/2008646 || url,isc.sans.org/diary.html?storyid=5159 2008737 || ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Kernelbot || url,doc.emergingthreats.net/bin/view/Main/2008737 2008738 || ET CURRENT_EVENTS Suspicious Accept-Language HTTP 
Header, zh-cn, likely Kernelbot Trojan Related || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Kernelbot || url,doc.emergingthreats.net/bin/view/Main/2008738 2008739 || ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Kernelbot || url,doc.emergingthreats.net/bin/view/Main/2008739 2008741 || ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_PDF_Malware || url,doc.emergingthreats.net/bin/view/Main/2008741 2008773 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Activation_Key_Trojan || url,doc.emergingthreats.net/bin/view/Main/2008773 || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008774 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Activation_Key_Trojan || url,doc.emergingthreats.net/bin/view/Main/2008774 || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008775 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Activation_Key_Trojan || url,doc.emergingthreats.net/bin/view/Main/2008775 || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008779 || ET CURRENT_EVENTS Unknown Keepalive out || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3 || url,doc.emergingthreats.net/bin/view/Main/2008779 2008780 || ET CURRENT_EVENTS Unknown Keepalive in || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3 || url,doc.emergingthreats.net/bin/view/Main/2008780 2008796 || ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mac_DNSChanger || url,doc.emergingthreats.net/bin/view/Main/2008796 2008799 || ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS08-067 || url,doc.emergingthreats.net/bin/view/Main/2008799 2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008802 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008803 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008804 || ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008804 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008845 || ET CURRENT_EVENTS Possible Malicious Flash Update || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Flash || url,doc.emergingthreats.net/bin/view/Main/2008845 || url,isc.sans.org/diary.html?storyid=5437 2008876 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_IE_0Day || url,doc.emergingthreats.net/bin/view/Main/2008876 || url,isc.sans.org/diary.html?storyid=5458 2008877 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_IE_0Day || url,doc.emergingthreats.net/bin/view/Main/2008877 || url,isc.sans.org/diary.html?storyid=5458 2008909 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSSQL || url,doc.emergingthreats.net/bin/view/Main/2008909 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008910 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSSQL || url,doc.emergingthreats.net/bin/view/Main/2008910 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008948 || ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Trojan_PWS_Onlinegamestealer || url,doc.emergingthreats.net/bin/view/Main/2008948 || url,www.threatexpert.com/reports.aspx?find=help.rar 2008953 || ET ATTACK RESPONSE Possible MS CMD Shell opened on local system || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Windows_Shell || url,doc.emergingthreats.net/bin/view/Main/2008953 2008960 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2008960 || url,isc.sans.org/diary.html?storyid=5599 2008990 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2008990 || url,isc.sans.org/diary.html?storyid=5599 2008991 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2008991 || url,isc.sans.org/diary.html?storyid=5599 2009006 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2009006 || url,isc.sans.org/diary.html?storyid=5599 2009007 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2009007 || url,isc.sans.org/diary.html?storyid=5599 2009008 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2009008 || url,isc.sans.org/diary.html?storyid=5599 2009024 || ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009024 || url,www.f-secure.com/weblog/archives/00001584.html 2009030 || ET CURRENT_EVENTS NS query for a single dot, possible ddos || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_dot || url,doc.emergingthreats.net/bin/view/Main/2009030 || 
url,isc.sans.org/diary.html?storyid=5713 2009065 || ET WEB_SPECIFIC PHP-Daily add_postit.php id Parameter SQL Injection || url,milw0rm.com/exploits/6833 || url,secunia.com/Advisories/32408 2009066 || ET WEB_SPECIFIC PHP-Daily delete.php id Parameter SQL Injection || url,milw0rm.com/exploits/6833 || url,secunia.com/Advisories/32/32408 2009067 || ET WEB_SPECIFIC PHP-Fusion Members CV(job) Module members.php sortby parameter SQL injection || url,milw0rm.com/exploits/7697 || bugtraq,33156 2009068 || ET WEB_SPECIFIC iGaming CMS previews.php browse parameter SQL injection || url,milw0rm.com/exploits/6540 || bugtraq,31340 || cve,2008-5841 2009069 || ET WEB_SPECIFIC iGaming CMS reviews.php browse parameter SQL injection || url,milw0rm.com/exploits/6540 || bugtraq,31340 || cve,2008-5841 2009070 || ET WEB_SPECIFIC phpSkelSite TplSuffix parameter local file inclusion || bugtraq,33092 2009071 || ET WEB_SPECIFIC phpSkelSite theme parameter remote file inclusion || bugtraq,33092 2009073 || ET WEB_SPECIFIC PNphpBB2 admin_words.php ModName parameter Local File inclusion || bugtraq,33103 2009074 || ET WEB_SPECIFIC PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion || bugtraq,33103 2009075 || ET WEB_SPECIFIC PNphpBB2 admin_smilies.php ModName parameter Local File inclusion || bugtraq,33103 2009076 || ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Possible_Malicious_PDF || url,doc.emergingthreats.net/bin/view/Main/2009076 2009077 || ET TROJAN TROJ_INJECT.NI Update Request || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T 2009078 || ET TROJAN Backdoor Lanfiltrator Checkin || url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642 2009079 || ET TROJAN Delfsnif/Buzus.fte Remote Response || url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html 2404020 || ET DROP Known Bot 
C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org 2406222 || ET RBN Known Russian Business Network Monitored Domains (223) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406223 || ET RBN Known Russian Business Network Monitored Domains (224) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406224 || ET RBN Known Russian Business Network Monitored Domains (225) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406225 || ET RBN Known Russian Business Network Monitored Domains (226) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406226 || ET RBN Known Russian Business Network Monitored Domains (227) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406227 || ET RBN Known Russian Business Network Monitored Domains (228) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407222 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407223 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407224 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407225 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407226 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407227 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (183):

2000006 || ET DOS Cisco Router HTTP DoS || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_Router_HTTP_DOS || url,doc.emergingthreats.net/bin/view/Main/2000006 || url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml 2000010 || ET DOS Cisco 514 UDP flood DoS || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_514_UDP_DoS || url,doc.emergingthreats.net/bin/view/Main/2000010 || url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml 2000011 || ET DOS Catalyst memory leak attack || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_Catalyst_memory_leak_attack || url,doc.emergingthreats.net/bin/view/Main/2000011 || url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml 2000016 || ET DOS SSL Bomb DoS Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_SSL_Bomb_Attempt || url,doc.emergingthreats.net/bin/view/Main/2000016 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120 2000345 || ET ATTACK RESPONSE IRC - Nick change on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000345 2000346 || ET ATTACK RESPONSE IRC - Name response on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000346 2000347 || ET ATTACK RESPONSE IRC - Private message on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000347 2000348 || ET ATTACK RESPONSE IRC - Channel JOIN on
non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000348 2000349 || ET ATTACK RESPONSE IRC - DCC file transfer request on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000349 2000350 || ET ATTACK RESPONSE IRC - DCC chat request on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000350 2000351 || ET ATTACK RESPONSE IRC - channel join on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000351 2000352 || ET ATTACK RESPONSE IRC - dns request on non-std port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2000352 2000496 || ET DOS Microsoft SMS dos attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS_SMS || url,doc.emergingthreats.net/bin/view/Main/2000496 || url,www.securityfocus.com/archive/1/368911/2004-07-12/2004-07-18/0 2000499 || ET ATTACK RESPONSE FTP inaccessible directory access COM1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000499 2000500 || ET ATTACK RESPONSE FTP inaccessible directory access COM2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000500 2000501 || ET ATTACK RESPONSE FTP inaccessible directory access COM3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || 
url,doc.emergingthreats.net/bin/view/Main/2000501 2000502 || ET ATTACK RESPONSE FTP inaccessible directory access COM4 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000502 2000503 || ET ATTACK RESPONSE FTP inaccessible directory access LPT1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000503 2000504 || ET ATTACK RESPONSE FTP inaccessible directory access LPT2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000504 2000505 || ET ATTACK RESPONSE FTP inaccessible directory access LPT3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000505 2000506 || ET ATTACK RESPONSE FTP inaccessible directory access LPT4 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000506 2000507 || ET ATTACK RESPONSE FTP inaccessible directory access AUX || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000507 2000508 || ET ATTACK RESPONSE FTP inaccessible directory access NULL || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity || url,doc.emergingthreats.net/bin/view/Main/2000508 2001205 || ET DOS Internet Explorer Memory Corruption Bug || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_IE || url,doc.emergingthreats.net/bin/view/Main/2001205 || url,www.securiteam.com/windowsntfocus/5XP051FDFM.html 2001346 || ET INAPPROPRIATE Kiddy Porn preteen || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || url,doc.emergingthreats.net/bin/view/Main/2001346 2001347 || ET INAPPROPRIATE Kiddy Porn pre-teen || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || url,doc.emergingthreats.net/bin/view/Main/2001347 2001348 || ET INAPPROPRIATE Kiddy Porn early teen || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || url,doc.emergingthreats.net/bin/view/Main/2001348 2001349 || ET INAPPROPRIATE free XXX || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001349 2001350 || ET INAPPROPRIATE hardcore anal || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001350 2001351 || ET INAPPROPRIATE masturbation || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001351 2001352 || ET INAPPROPRIATE ejaculation || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001352 2001353 || ET INAPPROPRIATE BDSM || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001353 2001362 || ET DOS MS04-030 Attempted DoS || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS04-030 || url,doc.emergingthreats.net/bin/view/Main/2001362 || url,isc.sans.org/diary.php?date=2004-10-20 2001366 || ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MSSQL_DOS || url,doc.emergingthreats.net/bin/view/Main/2001366 || bugtraq,11265 2001386 || ET INAPPROPRIATE Kiddy Porn pthc || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || url,doc.emergingthreats.net/bin/view/Main/2001386 2001387 || ET INAPPROPRIATE Kiddy Porn zeps || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || url,doc.emergingthreats.net/bin/view/Main/2001387 2001388 || ET INAPPROPRIATE Kiddy Porn r at ygold || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || url,doc.emergingthreats.net/bin/view/Main/2001388 2001389 || ET INAPPROPRIATE Kiddy Porn childlover || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Kiddy_Porn || url,doc.emergingthreats.net/bin/view/Main/2001389 2001392 || ET INAPPROPRIATE Sextracker Tracking Code Detected (1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001392 2001393 || ET INAPPROPRIATE Sextracker Tracking Code Detected (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001393 2001608 || ET INAPPROPRIATE Likely Porn || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Porn || url,doc.emergingthreats.net/bin/view/Main/2001608 2001616 || ET ATTACK RESPONSE Zone-H.org defacement notification || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Zone-h_Defacement || url,doc.emergingthreats.net/bin/view/Main/2001616 2001620 || ET ATTACK RESPONSE Likely Botnet Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC || url,doc.emergingthreats.net/bin/view/Main/2001620 2001628 || ET ATTACK RESPONSE Outbound PHP Connection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Outbound_PHP_Fopen || url,doc.emergingthreats.net/bin/view/Main/2001628 2001635 || ET DOS HTTP GET 
with newline appended || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Apache_Squ1rt || url,doc.emergingthreats.net/bin/view/Main/2001635 || cve,2004-0942 2001636 || ET DOS squ1rt Apache DoS || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Apache_Squ1rt || url,doc.emergingthreats.net/bin/view/Main/2001636 || cve,2004-0942 2001795 || ET DOS Excessive SMTP MAIL-FROM DDoS || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Mail-From || url,doc.emergingthreats.net/bin/view/Main/2001795 2001846 || ET DOS -ISC- ICMP blind TCP reset DoS guessing attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS05-019 || url,doc.emergingthreats.net/bin/view/Main/2001846 || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || cve,can-2004-0790 2001882 || ET DOS ICMP Path MTU lowered below acceptable threshold || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS05-019 || url,doc.emergingthreats.net/bin/view/Main/2001882 || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || cve,CAN-2004-1060 2002034 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd || url,doc.emergingthreats.net/bin/view/Main/2002034 2002809 || ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2002809 2002810 || ET ATTACK RESPONSE Hostile FTP Server Banner (Reptile) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2002810 2002811 || ET ATTACK RESPONSE Hostile FTP Server Banner (Bot Server) || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2002811 2002843 || ET DOS Microsoft Streaming Server Malformed Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS00-038 || url,doc.emergingthreats.net/bin/view/Main/2002843 || url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx || bugtraq,1282 2002853 || ET DOS FreeBSD NFS RPC Kernel Panic || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_FreeBSD || url,doc.emergingthreats.net/bin/view/Main/2002853 || bugtraq,19017 || cve,2006-0900 2002880 || ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP || url,doc.emergingthreats.net/bin/view/Main/2002880 || bugtraq,10186 || cve,2004-0714 2002881 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP || url,doc.emergingthreats.net/bin/view/Main/2002881 || bugtraq,10186 || cve,2004-0714 2002882 || ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP || url,doc.emergingthreats.net/bin/view/Main/2002882 || bugtraq,10186 || cve,2004-0714 2002925 || ET INAPPROPRIATE Google Image Search, Safe Mode Off || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/INAPPROPRIATE/INAPPROPRIATE_Google || url,doc.emergingthreats.net/bin/view/Main/2002925 2002926 || ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP || url,doc.emergingthreats.net/bin/view/Main/2002926 || bugtraq,10186 || cve,2004-0714 2002927 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP || url,doc.emergingthreats.net/bin/view/Main/2002927 || bugtraq,10186 || cve,2004-0714 2002928 || ET SNMP Cisco 
Non-Trap PDU request on SNMPv3 random port || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP || url,doc.emergingthreats.net/bin/view/Main/2002928 || bugtraq,10186 || cve,2004-0714 2002998 || ET SMTP HELO Non-Displayable Characters MailEnable Denial of Service || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MailEnable || url,doc.emergingthreats.net/bin/view/Main/2002998 || bugtraq,18630 || cve,2006-3277 2003071 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd || url,doc.emergingthreats.net/bin/view/Main/2003071 2003149 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd || url,doc.emergingthreats.net/bin/view/Main/2003149 2003150 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd || url,doc.emergingthreats.net/bin/view/Main/2003150 2003236 || ET DOS NetrWkstaUserEnum Request with large Preferred Max Len || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS_SMB || url,doc.emergingthreats.net/bin/view/Main/2003236 || cve,2006-6723 2003464 || ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2003464 || url,www.warftp.org 2003465 || ET ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2003465 || url,www.freeftp.com 2003535 || ET ATTACK RESPONSE r57 phpshell footer detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || 
url,doc.emergingthreats.net/bin/view/Main/2003535 || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 2003536 || ET ATTACK RESPONSE r57 phpshell source being uploaded || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2003536 || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 2006417 || ET ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Short_Lanman_Auth_Challenge || url,doc.emergingthreats.net/bin/view/Main/2006417 2007651 || ET ATTACK RESPONSE x2300 phpshell detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2007651 || url,www.rfxn.com/vdb.php 2007652 || ET ATTACK RESPONSE c99shell phpshell detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2007652 || url,www.rfxn.com/vdb.php 2007653 || ET ATTACK RESPONSE RFI Scanner detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2007653 || url,www.rfxn.com/vdb.php 2007654 || ET ATTACK RESPONSE C99 Modified phpshell detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2007654 || url,www.rfxn.com/vdb.php 2007655 || ET ATTACK RESPONSE lila.jpg phpshell detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2007655 || url,www.rfxn.com/vdb.php 2007656 || ET ATTACK RESPONSE ALBANIA id.php detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || 
url,doc.emergingthreats.net/bin/view/Main/2007656 || url,www.rfxn.com/vdb.php 2007657 || ET ATTACK RESPONSE Mic22 id.php detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells || url,doc.emergingthreats.net/bin/view/Main/2007657 || url,www.rfxn.com/vdb.php 2007715 || ET ATTACK RESPONSE Off-Port FTP Without Banners - user || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP || url,doc.emergingthreats.net/bin/view/Main/2007715 2007717 || ET ATTACK RESPONSE Off-Port FTP Without Banners - pass || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP || url,doc.emergingthreats.net/bin/view/Main/2007717 2007723 || ET ATTACK RESPONSE Off-Port FTP Without Banners - retr || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP || url,doc.emergingthreats.net/bin/view/Main/2007723 2007725 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2007725 2007726 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/bin/view/Main/2007726 2008014 || ET CURRENT_EVENTS Suspicious Download (drv32.data) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Test_Suspicious_DL || url,doc.emergingthreats.net/bin/view/Main/2008014 2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Storm || url,doc.emergingthreats.net/bin/view/Main/2008077 || url,www.sophos.com/security/blog/2008/07/1599.html || 
url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146 2008193 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Storm || url,doc.emergingthreats.net/bin/view/Main/2008193 || url,www.sudosecure.net/archives/67 2008206 || ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mass_File_Injections || url,doc.emergingthreats.net/bin/view/Main/2008206 || url,www.incidents.org/diary.html?storyid=4405 2008207 || ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mass_File_Injections || url,doc.emergingthreats.net/bin/view/Main/2008207 || url,www.incidents.org/diary.html?storyid=4405 2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Storm || url,doc.emergingthreats.net/bin/view/Main/2008235 || url,www.sudosecure.net/archives/119 2008286 || ET CURRENT_EVENTS Communication with known iamleet.be Botnet CnC Server || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Iamleet.be || url,doc.emergingthreats.net/bin/view/Main/2008286 2008313 || ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections || url,doc.emergingthreats.net/bin/view/Main/2008313 2008314 || ET CURRENT_EVENTS Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections || 
url,doc.emergingthreats.net/bin/view/Main/2008314 2008315 || ET CURRENT_EVENTS Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections || url,doc.emergingthreats.net/bin/view/Main/2008315 2008359 || ET TROJAN Unnamed - kuaiche.com related || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || url,doc.emergingthreats.net/bin/view/Main/2008359 2008368 || ET TROJAN Unknown Keylogger checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || url,doc.emergingthreats.net/bin/view/Main/2008368 2008373 || ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections || url,doc.emergingthreats.net/bin/view/Main/2008373 || url,infosec20.blogspot.com/ 2008387 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections || url,doc.emergingthreats.net/bin/view/Main/2008387 2008388 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections || url,doc.emergingthreats.net/bin/view/Main/2008388 2008394 || ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Holmes || url,doc.emergingthreats.net/bin/view/Main/2008394 2008407 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot || url,doc.emergingthreats.net/bin/view/Main/2008407 || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || 
url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008408 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot || url,doc.emergingthreats.net/bin/view/Main/2008408 || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008409 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot || url,doc.emergingthreats.net/bin/view/Main/2008409 || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008446 || ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning || url,doc.emergingthreats.net/bin/view/Main/2008446 2008447 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning || url,doc.emergingthreats.net/bin/view/Main/2008447 || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 2008470 || ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning || url,doc.emergingthreats.net/bin/view/Main/2008470 2008475 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning || url,doc.emergingthreats.net/bin/view/Main/2008475 || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 2008496 || ET TROJAN Unknown Initial Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || url,doc.emergingthreats.net/bin/view/Main/2008496 2008497 || ET TROJAN Unknown Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || url,doc.emergingthreats.net/bin/view/Main/2008497 2008498 || ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Facebook || url,doc.emergingthreats.net/bin/view/Main/2008498 || url,www.sophos.com/security/blog/2008/08/1632.html 2008508 || ET CURRENT_EVENTS Internal User may have Visited an ASPROX Infected Site || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox || url,doc.emergingthreats.net/bin/view/Main/2008508 2008528 || ET CURRENT_EVENTS Malware (e-card.exe) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Ecards || url,doc.emergingthreats.net/bin/view/Main/2008528 || url,garwarner.blogspot.com/2008/08/e-cards-run-wild-where-are-anti-virus.html 2008530 || ET CURRENT_EVENTS Danmec Infected machine Looking up CnC Server || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Danmec || url,doc.emergingthreats.net/bin/view/Main/2008530 2008531 || ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_santa-inbox.com || url,doc.emergingthreats.net/bin/view/Main/2008531 2008539 || ET CURRENT_EVENTS Airmail Express Malware-Laden Email Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Airmail_Express || 
url,doc.emergingthreats.net/bin/view/Main/2008539 || url,www.news.portalit.net/fullnews_airmail-express-delivers-fresh-trojan_1506.html || url,www.sophos.com/blogs/gc/g/2008/09/01/email-with-the-subject-airmail 2008552 || ET CURRENT_EVENTS Malware Word doc Email - Fordo Trojan Likely || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Fordo || url,doc.emergingthreats.net/bin/view/Main/2008552 || url,isc.sans.org/diary.html?storyid=5029 || url,www.virustotal.com/analisis/0fc3a70eff0b9ec447794acbda2402e7 2008554 || ET CURRENT_EVENTS Nuclear Email Malware Inbound - Likely Trojan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Email_Worms || url,doc.emergingthreats.net/bin/view/Main/2008554 || url,www.computerweekly.com/Articles/2008/09/12/232290/london-nuclear-explosion-in-malware-spam-campaign.htm || url,www.sophos.com/blogs/gc/g/2008/09/11/nuclear-email 2008555 || ET CURRENT_EVENTS Your internet access is going to get suspended Email Inbound - Likely Trojan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Email_Worms || url,doc.emergingthreats.net/bin/view/Main/2008555 || url,forum.bitdefender.com/index.php?showtopic=7861 || url,blog.threatfire.com/2008/09/your-internet-access-is-going-to-get.html || url,blog.mxlab.be/2008/09/11/your-internet-access-is-going-to-get-suspended-virus/ || url,www.sophos.com/blogs/gc/g/2008/09/12/your-internet-access 2008556 || ET ATTACK RESPONSE FTP CWD to windows system32 - Suspicious || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_FTP || url,doc.emergingthreats.net/bin/view/Main/2008556 2008559 || ET ATTACK RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_LMHosts_Download || url,doc.emergingthreats.net/bin/view/Main/2008559 2008562 || ET TROJAN Suspicious SMTP handshake outbound || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || url,doc.emergingthreats.net/bin/view/Main/2008562 2008563 || ET TROJAN Suspicious SMTP handshake reply || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan || url,doc.emergingthreats.net/bin/view/Main/2008563 2008599 || ET CURRENT_EVENTS Asprox Cookie SQL Injection Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox || url,doc.emergingthreats.net/bin/view/Main/2008599 || url,isc.sans.org/diary.html?n&storyid=5092 2008646 || ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Fake_MS_Update || url,doc.emergingthreats.net/bin/view/Main/2008646 || url,isc.sans.org/diary.html?storyid=5159 2008737 || ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Kernelbot || url,doc.emergingthreats.net/bin/view/Main/2008737 2008738 || ET CURRENT_EVENTS Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot Trojan Related || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Kernelbot || url,doc.emergingthreats.net/bin/view/Main/2008738 2008739 || ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Kernelbot || url,doc.emergingthreats.net/bin/view/Main/2008739 2008741 || ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_PDF_Malware || url,doc.emergingthreats.net/bin/view/Main/2008741 2008773 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Activation_Key_Trojan || 
url,doc.emergingthreats.net/bin/view/Main/2008773 || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008774 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Activation_Key_Trojan || url,doc.emergingthreats.net/bin/view/Main/2008774 || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008775 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Activation_Key_Trojan || url,doc.emergingthreats.net/bin/view/Main/2008775 || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008779 || ET CURRENT_EVENTS Unknown Keepalive out || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3 || url,doc.emergingthreats.net/bin/view/Main/2008779 2008780 || ET CURRENT_EVENTS Unknown Keepalive in || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3 || url,doc.emergingthreats.net/bin/view/Main/2008780 2008796 || ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mac_DNSChanger || url,doc.emergingthreats.net/bin/view/Main/2008796 2008799 || ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS08-067 || url,doc.emergingthreats.net/bin/view/Main/2008799 2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity 
|| url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008802 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008803 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008804 || ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2008804 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008845 || ET CURRENT_EVENTS Possible Malicious Flash Update || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Flash || url,doc.emergingthreats.net/bin/view/Main/2008845 || url,isc.sans.org/diary.html?storyid=5437 2008876 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_IE_0Day || url,doc.emergingthreats.net/bin/view/Main/2008876 || url,isc.sans.org/diary.html?storyid=5458 2008877 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_IE_0Day || url,doc.emergingthreats.net/bin/view/Main/2008877 || url,isc.sans.org/diary.html?storyid=5458 2008909 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSSQL || url,doc.emergingthreats.net/bin/view/Main/2008909 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008910 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSSQL || url,doc.emergingthreats.net/bin/view/Main/2008910 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008948 || ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Trojan_PWS_Onlinegamestealer || url,doc.emergingthreats.net/bin/view/Main/2008948 || url,www.threatexpert.com/reports.aspx?find=help.rar 2008953 || ET ATTACK RESPONSE Possible MS CMD Shell opened on local system || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Windows_Shell || url,doc.emergingthreats.net/bin/view/Main/2008953 2008960 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2008960 || url,isc.sans.org/diary.html?storyid=5599 2008990 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2008990 || url,isc.sans.org/diary.html?storyid=5599 2008991 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2008991 || url,isc.sans.org/diary.html?storyid=5599 2009006 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || 
url,doc.emergingthreats.net/bin/view/Main/2009006 || url,isc.sans.org/diary.html?storyid=5599 2009007 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2009007 || url,isc.sans.org/diary.html?storyid=5599 2009008 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube || url,doc.emergingthreats.net/bin/view/Main/2009008 || url,isc.sans.org/diary.html?storyid=5599 2009024 || ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/bin/view/Main/2009024 || url,www.f-secure.com/weblog/archives/00001584.html 2009030 || ET CURRENT_EVENTS NS query for a single dot, possible ddos || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_dot || url,doc.emergingthreats.net/bin/view/Main/2009030 || url,isc.sans.org/diary.html?storyid=5713 2009065 || ET WEB_SPECIFIC PHP-Daily add_postit.php id Parameter SQL Injection || url,milw0rm.com/exploits/6833 || url,secunia.com/Advisories/32408 2009066 || ET WEB_SPECIFIC PHP-Daily delete.php id Parameter SQL Injection || url,milw0rm.com/exploits/6833 || url,secunia.com/Advisories/32/32408 2009067 || ET WEB_SPECIFIC PHP-Fusion Members CV(job) Module members.php sortby parameter SQL injection || url,milw0rm.com/exploits/7697 || bugtraq,33156 2009068 || ET WEB_SPECIFIC iGaming CMS previews.php browse parameter SQL injection || url,milw0rm.com/exploits/6540 || bugtraq,31340 || cve,2008-5841 2009069 || ET WEB_SPECIFIC iGaming CMS reviews.php browse parameter SQL injection || url,milw0rm.com/exploits/6540 || bugtraq,31340 || cve,2008-5841 2009070 || ET WEB_SPECIFIC phpSkelSite TplSuffix parameter local file inclusion || bugtraq,33092 2009071 || ET 
WEB_SPECIFIC phpSkelSite theme parameter remote file inclusion || bugtraq,33092 2009073 || ET WEB_SPECIFIC PNphpBB2 admin_words.php ModName parameter Local File inclusion || bugtraq,33103 2009074 || ET WEB_SPECIFIC PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion || bugtraq,33103 2009075 || ET WEB_SPECIFIC PNphpBB2 admin_smilies.php ModName parameter Local File inclusion || bugtraq,33103 2009076 || ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Possible_Malicious_PDF || url,doc.emergingthreats.net/bin/view/Main/2009076 2009077 || ET TROJAN TROJ_INJECT.NI Update Request || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T 2009078 || ET TROJAN Backdoor Lanfiltrator Checkin || url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642 2009079 || ET TROJAN Delfsnif/Buzus.fte Remote Response || url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org 2406222 || ET RBN Known Russian Business Network Monitored Domains (223) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406223 || ET RBN Known Russian Business Network Monitored Domains (224) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406224 || ET RBN Known Russian Business Network Monitored Domains (225) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406225 || ET RBN Known Russian Business Network Monitored Domains (226) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406226 || ET RBN Known Russian Business Network Monitored Domains (227) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406227 || ET RBN Known Russian Business 
Network Monitored Domains (228) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407222 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (223) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407223 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (224) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407224 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (225) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407225 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (226) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407226 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (227) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407227 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (228) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-virus.rules (6):
#by sjirkdog
#re 146244b0d5cce3d21719ad94d650a82f
#traffic was on port 2009 in sample, since it is a new year. Maybe use it as the source
#by Darren Spruell
#by Shirkdog
#re 8888fcb5020d1295f4343f601263306a

-> Added to emerging.rules (3):
# Mass File Injection attacks
#by Paul Dokas. Testing this out for a bit...
# GET /roundcube/bin/msgimport /rc/bin/msgimport /bin/msgimport /mail/bin/msgimport /webmail/bin/msgimport

[---] Removed non-rule lines: [---]

-> Removed from emerging-attack_response.rules (1):
# active use, but can be forced by hostile parties by a number of methods

-> Removed from emerging-drop-BLOCK.rules (2):
# VERSION 1436
# Generated 2009-01-31 00:03:03 EDT

-> Removed from emerging-drop.rules (2):
# VERSION 1436
# Generated 2009-01-31 00:03:03 EDT

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 108
# Updated 2009-01-27 17:33:56

-> Removed from emerging-rbn.rules (2):
# VERSION 108
# Updated 2009-01-27 17:33:56

-> Removed from emerging-sid-msg.map (153):
2000006 || ET DOS Cisco Router HTTP DoS || url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml
2000010 || ET DOS Cisco 514 UDP flood DoS || url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml
2000011 || ET DOS Catalyst memory leak attack || url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml
2000016 || ET DOS SSL Bomb DoS Attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2000345 || ET ATTACK RESPONSE IRC - Nick change on non-std port
2000346 || ET ATTACK RESPONSE IRC - Name response on non-std port
2000347 || ET ATTACK RESPONSE IRC - Private message on non-std port
2000348 || ET ATTACK RESPONSE IRC - Channel JOIN on non-std port
2000349 || ET ATTACK RESPONSE IRC - DCC file transfer request on non-std port
2000350 || ET ATTACK RESPONSE IRC - DCC chat request on non-std port
2000351 || ET ATTACK RESPONSE IRC - channel join on non-std port
2000352 || ET ATTACK RESPONSE IRC - dns request on non-std port
2000496 || ET DOS Microsoft SMS dos attempt || url,www.securityfocus.com/archive/1/368911/2004-07-12/2004-07-18/0
2000499 || ET ATTACK RESPONSE FTP inaccessible directory access COM1
2000500 || ET ATTACK RESPONSE FTP inaccessible directory access COM2
2000501 || ET ATTACK RESPONSE FTP inaccessible directory access COM3
2000502 || ET ATTACK RESPONSE FTP inaccessible directory access COM4
2000503 || ET ATTACK RESPONSE FTP inaccessible directory access LPT1
2000504 || ET ATTACK RESPONSE FTP inaccessible directory access LPT2
2000505 || ET ATTACK RESPONSE FTP inaccessible directory access LPT3
2000506 || ET ATTACK RESPONSE FTP inaccessible directory access LPT4
2000507 || ET ATTACK RESPONSE FTP inaccessible directory access AUX
2000508 || ET ATTACK RESPONSE FTP inaccessible directory access NULL
2001205 || ET DOS Internet Explorer Memory Corruption Bug || url,www.securiteam.com/windowsntfocus/5XP051FDFM.html
2001346 || ET INAPPROPRIATE Kiddy Porn preteen
2001347 || ET INAPPROPRIATE Kiddy Porn pre-teen
2001348 || ET INAPPROPRIATE Kiddy Porn early teen
2001349 || ET INAPPROPRIATE free XXX
2001350 || ET INAPPROPRIATE hardcore anal
2001351 || ET INAPPROPRIATE masturbation
2001352 || ET INAPPROPRIATE ejaculation
2001353 || ET INAPPROPRIATE BDSM
2001362 || ET DOS MS04-030 Attempted DoS || url,isc.sans.org/diary.php?date=2004-10-20
2001366 || ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt || bugtraq,11265
2001386 || ET INAPPROPRIATE Kiddy Porn pthc
2001387 || ET INAPPROPRIATE Kiddy Porn zeps
2001388 || ET INAPPROPRIATE Kiddy Porn r@ygold
2001389 || ET INAPPROPRIATE Kiddy Porn childlover
2001392 || ET INAPPROPRIATE Sextracker Tracking Code Detected (1)
2001393 || ET INAPPROPRIATE Sextracker Tracking Code Detected (2)
2001608 || ET INAPPROPRIATE Likely Porn
2001616 || ET ATTACK RESPONSE Zone-H.org defacement notification
2001620 || ET ATTACK RESPONSE Likely Botnet Activity
2001628 || ET ATTACK RESPONSE Outbound PHP Connection
2001635 || ET DOS HTTP GET with newline appended || cve,2004-0942
2001636 || ET DOS squ1rt Apache DoS || cve,2004-0942
2001795 || ET DOS Excessive SMTP MAIL-FROM DDoS
2001846 || ET DOS -ISC- ICMP blind TCP reset DoS guessing attempt || url,isc.sans.org/diary.php?date=2005-04-12 ||
url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || cve,can-2004-0790 2001882 || ET DOS ICMP Path MTU lowered below acceptable threshold || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || cve,CAN-2004-1060 2002034 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style) 2002809 || ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd) 2002810 || ET ATTACK RESPONSE Hostile FTP Server Banner (Reptile) 2002811 || ET ATTACK RESPONSE Hostile FTP Server Banner (Bot Server) 2002843 || ET DOS Microsoft Streaming Server Malformed Request || url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx || bugtraq,1282 2002853 || ET DOS FreeBSD NFS RPC Kernel Panic || bugtraq,19017 || cve,2006-0900 2002880 || ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port || bugtraq,10186 || cve,2004-0714 2002881 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port || bugtraq,10186 || cve,2004-0714 2002882 || ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port || bugtraq,10186 || cve,2004-0714 2002925 || ET INAPPROPRIATE Google Image Search, Safe Mode Off 2002926 || ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port || bugtraq,10186 || cve,2004-0714 2002927 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port || bugtraq,10186 || cve,2004-0714 2002928 || ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port || bugtraq,10186 || cve,2004-0714 2002998 || ET SMTP HELO Non-Displayable Characters MailEnable Denial of Service || bugtraq,18630 || cve,2006-3277 2003071 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style) 2003149 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style) 2003150 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style) 2003236 || ET DOS NetrWkstaUserEnum Request with large Preferred Max Len || cve,2006-6723 2003464 || ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) || url,www.warftp.org 2003465 || ET ATTACK RESPONSE Unusual 
FTP Server Banner (freeFTPd) || url,www.freeftp.com 2003535 || ET ATTACK RESPONSE r57 phpshell footer detected || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 2003536 || ET ATTACK RESPONSE r57 phpshell source being uploaded || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 2006417 || ET ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected 2007651 || ET ATTACK RESPONSE x2300 phpshell detected || url,www.rfxn.com/vdb.php 2007652 || ET ATTACK RESPONSE c99shell phpshell detected || url,www.rfxn.com/vdb.php 2007653 || ET ATTACK RESPONSE RFI Scanner detected || url,www.rfxn.com/vdb.php 2007654 || ET ATTACK RESPONSE C99 Modified phpshell detected || url,www.rfxn.com/vdb.php 2007655 || ET ATTACK RESPONSE lila.jpg phpshell detected || url,www.rfxn.com/vdb.php 2007656 || ET ATTACK RESPONSE ALBANIA id.php detected || url,www.rfxn.com/vdb.php 2007657 || ET ATTACK RESPONSE Mic22 id.php detected || url,www.rfxn.com/vdb.php 2007715 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - user 2007717 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass 2007723 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr 2007725 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd) 2007726 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) 2008014 || ET CURRENT_EVENTS Suspicious Download (drv32.data) 2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146 2008193 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent) || url,www.sudosecure.net/archives/67 2008206 || ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD) || url,www.incidents.org/diary.html?storyid=4405 
2008207 || ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD) || url,www.incidents.org/diary.html?storyid=4405 2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) || url,www.sudosecure.net/archives/119 2008286 || ET CURRENT_EVENTS Communication with known iamleet.be Botnet CnC Server 2008313 || ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related 2008314 || ET CURRENT_EVENTS Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related 2008315 || ET CURRENT_EVENTS Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related 2008359 || ET TROJAN Unnamed - kuaiche.com related 2008368 || ET TROJAN Unknown Keylogger checkin 2008373 || ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request || url,infosec20.blogspot.com/ 2008387 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js) 2008388 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js) 2008394 || ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt) 2008407 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1) || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008408 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2) || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008409 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3) || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008446 || ET 
CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt 2008447 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 2008470 || ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter 2008475 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 2008496 || ET TROJAN Unknown Initial Checkin 2008497 || ET TROJAN Unknown Checkin 2008498 || ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) || url,www.sophos.com/security/blog/2008/08/1632.html 2008508 || ET CURRENT_EVENTS Internal User may have Visited an ASPROX Infected Site 2008528 || ET CURRENT_EVENTS Malware (e-card.exe) || url,garwarner.blogspot.com/2008/08/e-cards-run-wild-where-are-anti-virus.html 2008530 || ET CURRENT_EVENTS Danmec Infected machine Looking up CnC Server 2008531 || ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server 2008539 || ET CURRENT_EVENTS Airmail Express Malware-Laden Email Inbound || url,www.news.portalit.net/fullnews_airmail-express-delivers-fresh-trojan_1506.html || url,www.sophos.com/blogs/gc/g/2008/09/01/email-with-the-subject-airmail 2008552 || ET CURRENT_EVENTS Malware Word doc Email - Fordo Trojan Likely || url,isc.sans.org/diary.html?storyid=5029 || url,www.virustotal.com/analisis/0fc3a70eff0b9ec447794acbda2402e7 2008554 || ET CURRENT_EVENTS Nuclear Email Malware Inbound - Likely Trojan || url,www.computerweekly.com/Articles/2008/09/12/232290/london-nuclear-explosion-in-malware-spam-campaign.htm || url,www.sophos.com/blogs/gc/g/2008/09/11/nuclear-email 2008555 || ET CURRENT_EVENTS Your internet access is going to get suspended Email Inbound - Likely Trojan || 
url,forum.bitdefender.com/index.php?showtopic=7861 || url,blog.threatfire.com/2008/09/your-internet-access-is-going-to-get.html || url,blog.mxlab.be/2008/09/11/your-internet-access-is-going-to-get-suspended-virus/ || url,www.sophos.com/blogs/gc/g/2008/09/12/your-internet-access 2008556 || ET ATTACK_RESPONSE FTP CWD to windows system32 - Suspicious 2008559 || ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection 2008562 || ET Suspicious SMTP handshake outbound 2008563 || ET Suspicious SMTP handshake reply 2008599 || ET CURRENT_EVENTS Asprox Cookie SQL Injection Attempt || url,isc.sans.org/diary.html?n&storyid=5092 2008646 || ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC || url,isc.sans.org/diary.html?storyid=5159 2008737 || ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin 2008738 || ET CURRENT_EVENTS Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot Trojan Related 2008739 || ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound 2008741 || ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin 2008773 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008774 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008775 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008779 || ET CURRENT_EVENTS Unknown Keepalive out 
2008780 || ET CURRENT_EVENTS Unknown Keepalive in 2008796 || ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected 2008799 || ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download 2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008804 || ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008845 || ET CURRENT_EVENTS Possible Malicious Flash Update || url,isc.sans.org/diary.html?storyid=5437 2008876 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt || url,isc.sans.org/diary.html?storyid=5458 2008877 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) || url,isc.sans.org/diary.html?storyid=5458 2008909 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008910 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008948 || ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin || url,www.threatexpert.com/reports.aspx?find=help.rar 2008953 || ET POLICY Possible MS CMD Shell opened on local system 2008960 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan || url,isc.sans.org/diary.html?storyid=5599 2008990 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 || 
url,isc.sans.org/diary.html?storyid=5599 2008991 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check || url,isc.sans.org/diary.html?storyid=5599 2009006 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 || url,isc.sans.org/diary.html?storyid=5599 2009007 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 || url,isc.sans.org/diary.html?storyid=5599 2009008 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 || url,isc.sans.org/diary.html?storyid=5599 2009024 || ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting || url,www.f-secure.com/weblog/archives/00001584.html 2009030 || ET CURRENT_EVENTS NS query for a single dot, possible ddos || url,isc.sans.org/diary.html?storyid=5713

-> Removed from emerging-sid-msg.map.txt (153):
2000006 || ET DOS Cisco Router HTTP DoS || url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml 2000010 || ET DOS Cisco 514 UDP flood DoS || url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml 2000011 || ET DOS Catalyst memory leak attack || url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml 2000016 || ET DOS SSL Bomb DoS Attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120 2000345 || ET ATTACK RESPONSE IRC - Nick change on non-std port 2000346 || ET ATTACK RESPONSE IRC - Name response on non-std port 2000347 || ET ATTACK RESPONSE IRC - Private message on non-std port 2000348 || ET ATTACK RESPONSE IRC - Channel JOIN on non-std port 2000349 || ET ATTACK RESPONSE IRC - DCC file transfer request on non-std port 2000350 || ET ATTACK RESPONSE IRC - DCC chat request on non-std port 2000351 || ET ATTACK RESPONSE IRC - channel join on non-std port 2000352 || ET ATTACK RESPONSE IRC - dns request on non-std port 2000496 || ET DOS Microsoft SMS dos attempt || url,www.securityfocus.com/archive/1/368911/2004-07-12/2004-07-18/0 2000499 || ET ATTACK RESPONSE FTP inaccessible
directory access COM1 2000500 || ET ATTACK RESPONSE FTP inaccessible directory access COM2 2000501 || ET ATTACK RESPONSE FTP inaccessible directory access COM3 2000502 || ET ATTACK RESPONSE FTP inaccessible directory access COM4 2000503 || ET ATTACK RESPONSE FTP inaccessible directory access LPT1 2000504 || ET ATTACK RESPONSE FTP inaccessible directory access LPT2 2000505 || ET ATTACK RESPONSE FTP inaccessible directory access LPT3 2000506 || ET ATTACK RESPONSE FTP inaccessible directory access LPT4 2000507 || ET ATTACK RESPONSE FTP inaccessible directory access AUX 2000508 || ET ATTACK RESPONSE FTP inaccessible directory access NULL 2001205 || ET DOS Internet Explorer Memory Corruption Bug || url,www.securiteam.com/windowsntfocus/5XP051FDFM.html 2001346 || ET INAPPROPRIATE Kiddy Porn preteen 2001347 || ET INAPPROPRIATE Kiddy Porn pre-teen 2001348 || ET INAPPROPRIATE Kiddy Porn early teen 2001349 || ET INAPPROPRIATE free XXX 2001350 || ET INAPPROPRIATE hardcore anal 2001351 || ET INAPPROPRIATE masturbation 2001352 || ET INAPPROPRIATE ejaculation 2001353 || ET INAPPROPRIATE BDSM 2001362 || ET DOS MS04-030 Attempted DoS || url,isc.sans.org/diary.php?date=2004-10-20 2001366 || ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt || bugtraq,11265 2001386 || ET INAPPROPRIATE Kiddy Porn pthc 2001387 || ET INAPPROPRIATE Kiddy Porn zeps 2001388 || ET INAPPROPRIATE Kiddy Porn r at ygold 2001389 || ET INAPPROPRIATE Kiddy Porn childlover 2001392 || ET INAPPROPRIATE Sextracker Tracking Code Detected (1) 2001393 || ET INAPPROPRIATE Sextracker Tracking Code Detected (2) 2001608 || ET INAPPROPRIATE Likely Porn 2001616 || ET ATTACK RESPONSE Zone-H.org defacement notification 2001620 || ET ATTACK RESPONSE Likely Botnet Activity 2001628 || ET ATTACK RESPONSE Outbound PHP Connection 2001635 || ET DOS HTTP GET with newline appended || cve,2004-0942 2001636 || ET DOS squ1rt Apache DoS || cve,2004-0942 2001795 || ET DOS Excessive SMTP MAIL-FROM DDoS 2001846 || ET DOS 
-ISC- ICMP blind TCP reset DoS guessing attempt || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || cve,can-2004-0790 2001882 || ET DOS ICMP Path MTU lowered below acceptable threshold || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || cve,CAN-2004-1060 2002034 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style) 2002809 || ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd) 2002810 || ET ATTACK RESPONSE Hostile FTP Server Banner (Reptile) 2002811 || ET ATTACK RESPONSE Hostile FTP Server Banner (Bot Server) 2002843 || ET DOS Microsoft Streaming Server Malformed Request || url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx || bugtraq,1282 2002853 || ET DOS FreeBSD NFS RPC Kernel Panic || bugtraq,19017 || cve,2006-0900 2002880 || ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port || bugtraq,10186 || cve,2004-0714 2002881 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port || bugtraq,10186 || cve,2004-0714 2002882 || ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port || bugtraq,10186 || cve,2004-0714 2002925 || ET INAPPROPRIATE Google Image Search, Safe Mode Off 2002926 || ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port || bugtraq,10186 || cve,2004-0714 2002927 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port || bugtraq,10186 || cve,2004-0714 2002928 || ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port || bugtraq,10186 || cve,2004-0714 2002998 || ET SMTP HELO Non-Displayable Characters MailEnable Denial of Service || bugtraq,18630 || cve,2006-3277 2003071 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style) 2003149 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style) 2003150 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style) 2003236 || ET DOS NetrWkstaUserEnum Request with large Preferred Max Len || cve,2006-6723 2003464 || ET ATTACK 
RESPONSE Unusual FTP Server Banner (warFTPd) || url,www.warftp.org 2003465 || ET ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) || url,www.freeftp.com 2003535 || ET ATTACK RESPONSE r57 phpshell footer detected || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 2003536 || ET ATTACK RESPONSE r57 phpshell source being uploaded || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 2006417 || ET ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected 2007651 || ET ATTACK RESPONSE x2300 phpshell detected || url,www.rfxn.com/vdb.php 2007652 || ET ATTACK RESPONSE c99shell phpshell detected || url,www.rfxn.com/vdb.php 2007653 || ET ATTACK RESPONSE RFI Scanner detected || url,www.rfxn.com/vdb.php 2007654 || ET ATTACK RESPONSE C99 Modified phpshell detected || url,www.rfxn.com/vdb.php 2007655 || ET ATTACK RESPONSE lila.jpg phpshell detected || url,www.rfxn.com/vdb.php 2007656 || ET ATTACK RESPONSE ALBANIA id.php detected || url,www.rfxn.com/vdb.php 2007657 || ET ATTACK RESPONSE Mic22 id.php detected || url,www.rfxn.com/vdb.php 2007715 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - user 2007717 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass 2007723 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr 2007725 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd) 2007726 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) 2008014 || ET CURRENT_EVENTS Suspicious Download (drv32.data) 2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146 2008193 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent) || url,www.sudosecure.net/archives/67 2008206 || ET CURRENT_EVENTS Client Visiting 
Possibly Compromised Site (HaCKeD By BeLa & BodyguarD) || url,www.incidents.org/diary.html?storyid=4405 2008207 || ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD) || url,www.incidents.org/diary.html?storyid=4405 2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) || url,www.sudosecure.net/archives/119 2008286 || ET CURRENT_EVENTS Communication with known iamleet.be Botnet CnC Server 2008313 || ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related 2008314 || ET CURRENT_EVENTS Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related 2008315 || ET CURRENT_EVENTS Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related 2008359 || ET TROJAN Unnamed - kuaiche.com related 2008368 || ET TROJAN Unknown Keylogger checkin 2008373 || ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request || url,infosec20.blogspot.com/ 2008387 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js) 2008388 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js) 2008394 || ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt) 2008407 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1) || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008408 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2) || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008409 || ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3) || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || 
url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || bugtraq,30114 2008446 || ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt 2008447 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 2008470 || ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter 2008475 || ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html 2008496 || ET TROJAN Unknown Initial Checkin 2008497 || ET TROJAN Unknown Checkin 2008498 || ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) || url,www.sophos.com/security/blog/2008/08/1632.html 2008508 || ET CURRENT_EVENTS Internal User may have Visited an ASPROX Infected Site 2008528 || ET CURRENT_EVENTS Malware (e-card.exe) || url,garwarner.blogspot.com/2008/08/e-cards-run-wild-where-are-anti-virus.html 2008530 || ET CURRENT_EVENTS Danmec Infected machine Looking up CnC Server 2008531 || ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server 2008539 || ET CURRENT_EVENTS Airmail Express Malware-Laden Email Inbound || url,www.news.portalit.net/fullnews_airmail-express-delivers-fresh-trojan_1506.html || url,www.sophos.com/blogs/gc/g/2008/09/01/email-with-the-subject-airmail 2008552 || ET CURRENT_EVENTS Malware Word doc Email - Fordo Trojan Likely || url,isc.sans.org/diary.html?storyid=5029 || url,www.virustotal.com/analisis/0fc3a70eff0b9ec447794acbda2402e7 2008554 || ET CURRENT_EVENTS Nuclear Email Malware Inbound - Likely Trojan || url,www.computerweekly.com/Articles/2008/09/12/232290/london-nuclear-explosion-in-malware-spam-campaign.htm || url,www.sophos.com/blogs/gc/g/2008/09/11/nuclear-email 2008555 || ET 
CURRENT_EVENTS Your internet access is going to get suspended Email Inbound - Likely Trojan || url,forum.bitdefender.com/index.php?showtopic=7861 || url,blog.threatfire.com/2008/09/your-internet-access-is-going-to-get.html || url,blog.mxlab.be/2008/09/11/your-internet-access-is-going-to-get-suspended-virus/ || url,www.sophos.com/blogs/gc/g/2008/09/12/your-internet-access 2008556 || ET ATTACK_RESPONSE FTP CWD to windows system32 - Suspicious 2008559 || ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection 2008562 || ET Suspicious SMTP handshake outbound 2008563 || ET Suspicious SMTP handshake reply 2008599 || ET CURRENT_EVENTS Asprox Cookie SQL Injection Attempt || url,isc.sans.org/diary.html?n&storyid=5092 2008646 || ET CURRENT_EVENTS Trojan resulting from Fake MS Updates Email Login to CnC || url,isc.sans.org/diary.html?storyid=5159 2008737 || ET CURRENT_EVENTS KernelBot/MS08-067 related Trojan Checkin 2008738 || ET CURRENT_EVENTS Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot Trojan Related 2008739 || ET CURRENT_EVENTS MS08-067 Worm Traffic Outbound 2008741 || ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit Related Malware Checkin 2008773 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008774 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008775 || ET CURRENT_EVENTS Recovery KEYS for your account Trojan Email Trojan Inbound (2) || url,www.sophos.com/blogs/gc/g/2008/11/06/activation-key-malware-morphs-its-disguise/ || 
url,www.sophos.com/blogs/gc/g/2008/11/04/spammed-out-personal-account-keys-contain-trojan-horse/ 2008779 || ET CURRENT_EVENTS Unknown Keepalive out 2008780 || ET CURRENT_EVENTS Unknown Keepalive in 2008796 || ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected 2008799 || ET CURRENT_EVENTS Win32.Kernelbot Second Stage Infection Download 2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008804 || ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008845 || ET CURRENT_EVENTS Possible Malicious Flash Update || url,isc.sans.org/diary.html?storyid=5437 2008876 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt || url,isc.sans.org/diary.html?storyid=5458 2008877 || ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer Exploitation Attempt (obfuscation 1) || url,isc.sans.org/diary.html?storyid=5458 2008909 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008910 || ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html 2008948 || ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin || url,www.threatexpert.com/reports.aspx?find=help.rar 2008953 || ET POLICY Possible MS CMD Shell opened on local system 2008960 || ET CURRENT_EVENTS Unknown Roundcube 
Vulnerability Scan || url,isc.sans.org/diary.html?storyid=5599 2008990 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 || url,isc.sans.org/diary.html?storyid=5599 2008991 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check || url,isc.sans.org/diary.html?storyid=5599 2009006 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 || url,isc.sans.org/diary.html?storyid=5599 2009007 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 || url,isc.sans.org/diary.html?storyid=5599 2009008 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 || url,isc.sans.org/diary.html?storyid=5599 2009024 || ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting || url,www.f-secure.com/weblog/archives/00001584.html 2009030 || ET CURRENT_EVENTS NS query for a single dot, possible ddos || url,isc.sans.org/diary.html?storyid=5713

-> Removed from emerging.rules (2):
# Mass File Injection attacks
# GET /roundcube/bin/msgimport /rc/bin/msgimport /bin/msgimport /mail/bin/msgimport /webmail/bin/msgimport

From emerging at emergingthreats.net Sun Feb 8 01:17:01 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 8 Feb 2009 01:17:01 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090208061701.216E24501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Feb 8 01:17:01 2009 [***]

[///] Modified active rules: [///]
2000005 - ET EXPLOIT Cisco Telnet Buffer Overflow (emerging-exploit.rules) 2000007 - ET EXPLOIT Catalyst SSH protocol mismatch (emerging-exploit.rules) 2000009 - ET EXPLOIT Cisco IOS HTTP DoS (emerging-exploit.rules) 2000012 - ET EXPLOIT Cisco %u IDS evasion (emerging-exploit.rules) 2000013 - ET EXPLOIT Cisco IOS HTTP server DoS (emerging-exploit.rules) 2000017 - ET EXPLOIT NII Microsoft ASN.1 Library Buffer Overflow Exploit (emerging-exploit.rules) 2000032 - ET EXPLOIT LSA exploit
(emerging-exploit.rules)
2000033 - ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) (emerging-exploit.rules)
2000046 - ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k) (emerging-exploit.rules)
2000329 - ET EXPLOIT mIRC <=6.12 DCC Buffer Overflow (emerging-exploit.rules)
2000342 - ET EXPLOIT Squid NTLM Auth Overflow Exploit (emerging-exploit.rules)
2000372 - ET EXPLOIT MS-SQL SQL Injection running SQL statements line comment (emerging-exploit.rules)
2000373 - ET EXPLOIT MS-SQL SQL Injection line comment (emerging-exploit.rules)
2000377 - ET EXPLOIT MS-SQL heap overflow attempt (emerging-exploit.rules)
2000378 - ET EXPLOIT MS-SQL DOS attempt (08) (emerging-exploit.rules)
2000379 - ET EXPLOIT MS-SQL DOS attempt (08) 1 byte (emerging-exploit.rules)
2000380 - ET EXPLOIT MS-SQL Spike buffer overflow (emerging-exploit.rules)
2000381 - ET EXPLOIT MS-SQL DOS bouncing packets (emerging-exploit.rules)
2000488 - ET EXPLOIT MS-SQL SQL Injection closing string plus line comment (emerging-exploit.rules)
2000563 - ET EXPLOIT Pwdump3e Password Hash Retrieval port 445 (emerging-exploit.rules)
2000564 - ET EXPLOIT Pwdump3e pwservice.exe Access port 445 (emerging-exploit.rules)
2000565 - ET EXPLOIT Pwdump3e Session Established Reg-Entry port 139 (emerging-exploit.rules)
2000566 - ET EXPLOIT Pwdump3e Session Established Reg-Entry port 445 (emerging-exploit.rules)
2000567 - ET EXPLOIT Pwdump3e pwservice.exe Access port 139 (emerging-exploit.rules)
2000568 - ET EXPLOIT Pwdump3e Password Hash Retrieval port 139 (emerging-exploit.rules)
2001022 - ET EXPLOIT Invalid non-fragmented packet with fragment offset>0 (emerging-exploit.rules)
2001023 - ET EXPLOIT Invalid fragment - ACK reset (emerging-exploit.rules)
2001024 - ET EXPLOIT Invalid fragment - illegal flags (emerging-exploit.rules)
2001048 - ET EXPLOIT IE process injection iexplore.exe executable download (emerging-exploit.rules)
2001052 - ET EXPLOIT NTDump Session Established Reg-Entry port 139 (emerging-exploit.rules)
2001053 - ET EXPLOIT NTDump.exe Service Started port 139 (emerging-exploit.rules)
2001058 - ET EXPLOIT libpng tRNS overflow attempt (emerging-exploit.rules)
2001095 - ET EXPLOIT IFRAME ExecCommand vulnerability (emerging-exploit.rules)
2001099 - ET EXPLOIT Attempt to execute VBScript code (emerging-exploit.rules)
2001101 - ET EXPLOIT Stealth attempt to execute Javascript code (emerging-exploit.rules)
2001102 - ET EXPLOIT Stealth attempt to execute VBScript code (emerging-exploit.rules)
2001103 - ET EXPLOIT Stealth attempt to access SHELL\: (emerging-exploit.rules)
2001105 - ET EXPLOIT Javascript execution with expression eval (emerging-exploit.rules)
2001106 - ET EXPLOIT Javascript execution with expression eval hex (emerging-exploit.rules)
2001181 - ET EXPLOIT Internet Explorer Plugin.ocx Heap Overflow (emerging-exploit.rules)
2001182 - ET EXPLOIT IE trojan Ants3set 1.exe - process injection (emerging-exploit.rules)
2001190 - ET EXPLOIT libPNG - Possible NULL-pointer crash in png_handle_iCCP (emerging-exploit.rules)
2001191 - ET EXPLOIT libPNG - Width exceeds limit (emerging-exploit.rules)
2001192 - ET EXPLOIT libPNG - Height exceeds limit (emerging-exploit.rules)
2001195 - ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT (emerging-exploit.rules)
2001210 - ET EXPLOIT FTP Serv-U Local Privilege Escalation Vulnerability (emerging-exploit.rules)
2001211 - ET EXPLOIT FTP Serv-U directory traversal vulnerability (1) (emerging-exploit.rules)
2001212 - ET EXPLOIT FTP Serv-U directory traversal vulnerability (2) (emerging-exploit.rules)
2001213 - ET EXPLOIT FTP Serv-U LIST -l Parameter Buffer Overflow (emerging-exploit.rules)
2001215 - ET EXPLOIT FTP Serv-U Server Long Filename Stack Overflow Vulnerability (emerging-exploit.rules)
2001217 - ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte (emerging-exploit.rules)
2001363 - ET EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt (emerging-exploit.rules)
2001364 - ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt (emerging-exploit.rules)
2001369 - ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit (emerging-exploit.rules)
2001374 - ET EXPLOIT MS04-032 Bad EMF file (emerging-exploit.rules)
2001385 - ET EXPLOIT Possible ShixxNote buffer-overflow + remote shell attempt (emerging-exploit.rules)
2001401 - ET EXPLOIT IE IFRAME Exploit (emerging-exploit.rules)
2001543 - ET EXPLOIT NTDump Session Established Reg-Entry port 445 (emerging-exploit.rules)
2001544 - ET EXPLOIT NTDump.exe Service Started port 445 (emerging-exploit.rules)
2001549 - ET EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (1) (emerging-exploit.rules)
2001550 - ET EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (2) (emerging-exploit.rules)
2001551 - ET EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (3) (emerging-exploit.rules)
2001552 - ET EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (4) (emerging-exploit.rules)
2001622 - ET EXPLOIT winhlp32 ActiveX control attack, phase 1 (emerging-exploit.rules)
2001623 - ET EXPLOIT winhlp32 ActiveX control attack, phase 2 (emerging-exploit.rules)
2001624 - ET EXPLOIT winhlp32 ActiveX control attack, phase 3 (emerging-exploit.rules)
2001625 - ET EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 1 (emerging-exploit.rules)
2001626 - ET EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 2 (emerging-exploit.rules)
2001627 - ET EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 3 (emerging-exploit.rules)
2001633 - ET EXPLOIT Probable MSIE XPSP2 Remote Compromise (1) (emerging-exploit.rules)
2001634 - ET EXPLOIT Probable MSIE XPSP2 Remote Compromise (2) (emerging-exploit.rules)
2001668 - ET EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack (emerging-exploit.rules)
2001686 - ET EXPLOIT Awstats Remote Code Execution Attempt (emerging-exploit.rules)
2001720 - ET EXPLOIT CAN-2004-0597 PNG with indexed color (emerging-exploit.rules)
2001721 - ET EXPLOIT CAN-2004-0597 PNG with too big PLTE (emerging-exploit.rules)
2001722 - ET EXPLOIT CAN-2004-0597 PNG with too big hIST (emerging-exploit.rules)
2001725 - ET EXPLOIT MS05-014 HTML OBJECT tag local zone exploit (emerging-exploit.rules)
2001727 - ET EXPLOIT MS05-005 Office XP .doc Remote Code Attempt (emerging-exploit.rules)
2001742 - ET EXPLOIT Arkeia full remote access without password or authentication (emerging-exploit.rules)
2001751 - ET EXPLOIT Nullsoft Shoutcast Server Format String Attack (emerging-exploit.rules)
2001753 - ET EXPLOIT Pwdump4 Session Established GetHash port 139 (emerging-exploit.rules)
2001754 - ET EXPLOIT Pwdump4 Session Established GetHash port 445 (emerging-exploit.rules)
2001780 - ET EXPLOIT Solaris TTYPROMPT environment variable set (emerging-exploit.rules)
2001807 - ET EXPLOIT CAN-2005-0399 Gif Vuln via http (emerging-exploit.rules)
2001813 - ET EXPLOIT MSIE Hidden Address Bar (Phish) (emerging-exploit.rules)
2001848 - ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (1) (emerging-exploit.rules)
2001849 - ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (2) (emerging-exploit.rules)
2001873 - ET EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021) (emerging-exploit.rules)
2001874 - ET EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021) (emerging-exploit.rules)
2001875 - ET EXPLOIT MS Exchange chunks accepted (emerging-exploit.rules)
2001876 - ET EXPLOIT MS Exchange disliked link state chunk, but didn't die (MS05-021) (emerging-exploit.rules)
2001932 - ET EXPLOIT wowBB view_user.php SQL Injection (emerging-exploit.rules)
2001944 - ET EXPLOIT MS04-007 Kill-Bill ASN1 exploit attempt (emerging-exploit.rules)
2001954 - ET EXPLOIT Meteor FTP Server Exploit (emerging-exploit.rules)
2001988 - ET EXPLOIT MySQL MaxDB Buffer Overflow (emerging-exploit.rules)
2001990 - ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt (emerging-exploit.rules)
2001991 - ET EXPLOIT WebHints Scripts Remote Command Execution Attempt (emerging-exploit.rules)
2002064 - ET EXPLOIT ms05-011 exploit (emerging-exploit.rules)
2002065 - ET EXPLOIT Veritas backupexec_agent exploit (emerging-exploit.rules)
2002068 - ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon (emerging-exploit.rules)
2002101 - ET GAMES Battle.net Starcraft login (emerging-game.rules)
2002102 - ET GAMES Battle.net Brood War login (emerging-game.rules)
2002103 - ET GAMES Battle.net Diablo login (emerging-game.rules)
2002104 - ET GAMES Battle.net Diablo 2 login (emerging-game.rules)
2002105 - ET GAMES Battle.net Diablo 2 Lord of Destruction login (emerging-game.rules)
2002106 - ET GAMES Battle.net Warcraft 2 login (emerging-game.rules)
2002107 - ET GAMES Battle.net Warcraft 3 login (emerging-game.rules)
2002108 - ET GAMES Battle.net Warcraft 3\: The Frozen throne login (emerging-game.rules)
2002109 - ET GAMES Battle.net old game version (emerging-game.rules)
2002110 - ET GAMES Battle.net invalid version (emerging-game.rules)
2002111 - ET GAMES Battle.net invalid cdkey (emerging-game.rules)
2002112 - ET GAMES Battle.net cdkey in use (emerging-game.rules)
2002113 - ET GAMES Battle.net banned key (emerging-game.rules)
2002114 - ET GAMES Battle.net wrong product (emerging-game.rules)
2002115 - ET GAMES Battle.net failed account login (OLS)\: wrong password (emerging-game.rules)
2002116 - ET GAMES Battle.net failed account login (NLS)\: wrong password (emerging-game.rules)
2002117 - ET GAMES Battle.net connection reset (possible IP-Ban) (emerging-game.rules)
2002118 - ET GAMES Battle.net user in channel (emerging-game.rules)
2002119 - ET GAMES Battle.net outgoing chat message (emerging-game.rules)
2002120 - ET EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Profile Size (emerging-exploit.rules)
2002121 - ET EXPLOIT Potential MS05-036 exploit - JPEG with embedded ICC - Excessive Tag Count (emerging-exploit.rules)
2002122 - ET EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Profile Size (emerging-exploit.rules)
2002123 - ET EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Tag Count (emerging-exploit.rules)
2002127 - ET EXPLOIT Firefox Set Wallpaper Code Execution Attempt (img) (emerging-exploit.rules)
2002128 - ET EXPLOIT Firefox Set Wallpaper Code Execution Attempt (input) (emerging-exploit.rules)
2002134 - ET EXPLOIT MS05-036 exploit - JPEG ICC r/b/g/XYZ GetColorProfileElement overflow (emerging-exploit.rules)
2002137 - ET EXPLOIT MS05-036 exploit - GIF ICC r/b/g/XYZ GetColorProfileElement overflow (emerging-exploit.rules)
2002138 - ET GAMES World of Warcraft connection (emerging-game.rules)
2002139 - ET GAMES World of Warcraft failed logon (emerging-game.rules)
2002140 - ET GAMES Battle.net user joined channel (emerging-game.rules)
2002141 - ET GAMES Battle.net user left channel (emerging-game.rules)
2002142 - ET GAMES Battle.net received whisper message (emerging-game.rules)
2002143 - ET GAMES Battle.net received server broadcast (emerging-game.rules)
2002144 - ET GAMES Battle.net joined channel (emerging-game.rules)
2002145 - ET GAMES Battle.net user had a flags update (emerging-game.rules)
2002146 - ET GAMES Battle.net sent a whisper (emerging-game.rules)
2002147 - ET GAMES Battle.net channel full (emerging-game.rules)
2002148 - ET GAMES Battle.net channel doesn't exist (emerging-game.rules)
2002149 - ET GAMES Battle.net channel is restricted (emerging-game.rules)
2002150 - ET GAMES Battle.net informational message (emerging-game.rules)
2002151 - ET GAMES Battle.net error message (emerging-game.rules)
2002152 - ET GAMES Battle.net 'emote' message (emerging-game.rules)
2002154 - ET GAMES Guild Wars connection (emerging-game.rules)
2002155 - ET GAMES Steam connection (emerging-game.rules)
2002158 - ET EXPLOIT XML-RPC for PHP Remote Code Injection (emerging-exploit.rules)
2002170 - ET GAMES Battle.net incoming chat message (emerging-game.rules)
2002181 - ET EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt (emerging-exploit.rules)
2002182 - ET EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable (emerging-exploit.rules)
2002199 - ET EXPLOIT SMB-DS DCERPC PnP HOD bind attempt (emerging-exploit.rules)
2002200 - ET EXPLOIT SMB-DS DCERPC PnP bind attempt (emerging-exploit.rules)
2002201 - ET EXPLOIT SMB-DS DCERPC PnP QueryResConfList exploit attempt (emerging-exploit.rules)
2002202 - ET EXPLOIT SMB DCERPC PnP bind attempt (emerging-exploit.rules)
2002203 - ET EXPLOIT SMB DCERPC PnP QueryResConfList exploit attempt (emerging-exploit.rules)
2002315 - ET EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit (emerging-exploit.rules)
2002316 - ET EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit (emerging-exploit.rules)
2002380 - ET EXPLOIT Firefox Domain Name Buffer Overflow (emerging-exploit.rules)
2002381 - ET EXPLOIT RealPlayer/Helix Player Format String Exploit (emerging-exploit.rules)
2002382 - ET EXPLOIT Wzdftpd SITE command arbitrary command execution attempt (emerging-exploit.rules)
2002389 - ET EXPLOIT Vulnerable Mercury 4.01a IMAP Banner (emerging-exploit.rules)
2002390 - ET EXPLOIT Mercury v4.01a IMAP RENAME Buffer Overflow (emerging-exploit.rules)
2002406 - ET EXPLOIT TAC Attack Directory Traversal (emerging-exploit.rules)
2002656 - ET EXPLOIT malformed Sack - Snort DoS-by-$um$id (emerging-exploit.rules)
2002682 - ET EXPLOIT Microsoft Internet Explorer Window() Possible Code Execution (emerging-exploit.rules)
2002697 - ET EXPLOIT CVSTrac filediff Arbitrary Remote Code Execution (emerging-exploit.rules)
2002702 - ET EXPLOIT OSTicket Remote Code Execution Attempt (emerging-exploit.rules)
2002703 - ET EXPLOIT GuppY error.php Arbitrary Remote Code Execution (emerging-exploit.rules)
2002734 - ET EXPLOIT WMF Exploit (emerging-exploit.rules)
2002741 - ET EXPLOIT WMF Escape Record Exploit - Web Only - version 3 (emerging-exploit.rules)
2002742 - ET EXPLOIT WMF Escape Record Exploit - Version 3 (emerging-exploit.rules)
2002743 - ET EXPLOIT WMF Escape Record Exploit - Web Only - all versions (emerging-exploit.rules)
2002757 - ET EXPLOIT WMF Escape Record Exploit - Web Only - version 1 (emerging-exploit.rules)
2002758 - ET EXPLOIT WMF Escape Record Exploit - Version 1 (emerging-exploit.rules)
2002764 - ET EXPLOIT WinProxy Host port buffer overflow (emerging-exploit.rules)
2002791 - ET EXPLOIT MISC Computer Associates Negative Content-Length Buffer Overflow (emerging-exploit.rules)
2002799 - ET EXPLOIT MS05-005 Office XP .rtf Remote Code Attempt (emerging-exploit.rules)
2002802 - ET EXPLOIT Windows Media Player parsing BMP file with 0 size offset to start of image (emerging-exploit.rules)
2002803 - ET EXPLOIT BMP with invalid bfOffBits (emerging-exploit.rules)
2002845 - ET EXPLOIT MSSQL Hello Overflow Attempt (emerging-exploit.rules)
2002848 - ET EXPLOIT SIP UDP Softphone INVITE overflow (emerging-exploit.rules)
2002850 - ET FTP USER login flowbit (emerging-exploit.rules)
2002851 - ET FTP HP-UX LIST command without login (emerging-exploit.rules)
2002852 - ET EXPLOIT HP-UX Printer LPD Command Insertion (emerging-exploit.rules)
2002855 - ET GAMES Blizzard Downloader (emerging-game.rules)
2002860 - ET EXPLOIT Internet Explorer createTextRange Code Execution (emerging-exploit.rules)
2002862 - ET EXPLOIT PeerCast Url Overflow (emerging-exploit.rules)
2002886 - ET EXPLOIT SYS get_domain_index_metadata Privilege Escalation Attempt (emerging-exploit.rules)
2002887 - ET EXPLOIT SYS get_domain_index_tables Access (emerging-exploit.rules)
2002888 - ET EXPLOIT SYS get_v2_domain_index_tables Privilege Escalation Attempt (emerging-exploit.rules)
2002896 - ET EXPLOIT Symantec Scan Engine Request Password Hash (emerging-exploit.rules)
2002903 - ET EXPLOIT x86 PexFnstenvMov/Sub Encoder (emerging-exploit.rules)
2002904 - ET EXPLOIT x86 Alpha2 GetEIPs Encoder (emerging-exploit.rules)
2002905 - ET EXPLOIT x86 Countdown Encoder (emerging-exploit.rules)
2002906 - ET EXPLOIT x86 PexAlphaNum Encoder (emerging-exploit.rules)
2002907 - ET EXPLOIT x86 PexCall Encoder (emerging-exploit.rules)
2002908 - ET EXPLOIT x86 JmpCallAdditive Encoder (emerging-exploit.rules)
2002912 - ET EXPLOIT VNC Possible Vulnerable Server Response (emerging-exploit.rules)
2002913 - ET EXPLOIT VNC Client response (emerging-exploit.rules)
2002914 - ET EXPLOIT VNC Server VNC Auth Offer (emerging-exploit.rules)
2002915 - ET EXPLOIT VNC Authentication Reply (emerging-exploit.rules)
2002916 - ET EXPLOIT RealVNC Authentication Bypass Attempt (emerging-exploit.rules)
2002917 - ET EXPLOIT RealVNC Server Authentication Bypass Successful (emerging-exploit.rules)
2002918 - ET EXPLOIT VNC Server VNC Auth Offer - No Challenge string (emerging-exploit.rules)
2002919 - ET EXPLOIT VNC Good Authentication Reply (emerging-exploit.rules)
2002920 - ET POLICY VNC Authentication Failure (emerging-exploit.rules)
2002921 - ET EXPLOIT VNC Multiple Authentication Failures (emerging-exploit.rules)
2002922 - ET POLICY VNC Authentication Successful (emerging-exploit.rules)
2002923 - ET EXPLOIT VNC Server Not Requiring Authentication (case 2) (emerging-exploit.rules)
2002924 - ET EXPLOIT VNC Server Not Requiring Authentication (emerging-exploit.rules)
2003023 - ET EXPLOIT IE StructuredGraphicsControl SourceURL Bug MoBB#6 (emerging-exploit.rules)
2003039 - ET EXPLOIT UPnP DLink M-Search Overflow Attempt (emerging-exploit.rules)
2003064 - ET EXPLOIT Cisco-MARS/JBoss jmx-console POST (emerging-exploit.rules)
2003065 - ET EXPLOIT Cisco-MARS/JBoss Remote Command Execution (emerging-exploit.rules)
2003067 - ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT (emerging-exploit.rules)
2003072 - ET EXPLOIT Linksys WRT54g Authentication Bypass Attempt (emerging-exploit.rules)
2003081 - ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) (emerging-exploit.rules)
2003082 - ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) (emerging-exploit.rules)
2003089 - ET GAMES STEAM Connection (v2) (emerging-game.rules)
2003109 - ET EXPLOIT Microsoft Internet Explorer VML Fill Method Attribute Overflow (emerging-exploit.rules)
2003110 - ET EXPLOIT MSIE WebViewFolderIcon setSlice invalid memory copy (emerging-exploit.rules)
2003145 - ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (emerging-exploit.rules)
2003146 - ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (emerging-exploit.rules)
2003147 - ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap) (emerging-exploit.rules)
2003148 - ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap) (emerging-exploit.rules)
2003173 - ET EXPLOIT Possible UTF-8 encoded Shellcode Detected (emerging-exploit.rules)
2003174 - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected (emerging-exploit.rules)
2003196 - ET EXPLOIT FTP .message file write (emerging-exploit.rules)
2003197 - ET EXPLOIT ProFTPD .message file overflow attempt (emerging-exploit.rules)
2003198 - ET EXPLOIT TFTP Invalid Mode in file Get (emerging-exploit.rules)
2003199 - ET EXPLOIT TFTP Invalid Mode in file Put (emerging-exploit.rules)
2003206 - ET EXPLOIT Quicktime .mov File Requested (emerging-exploit.rules)
2003207 - ET EXPLOIT Quicktime .mov File with embedded Javascript (emerging-exploit.rules)
2003230 - ET EXPLOIT Microsoft IE FTP URL Arbitrary Command Injection (emerging-exploit.rules)
2003237 - ET EXPLOIT MultiTech SIP UDP Overflow (emerging-exploit.rules)
2003250 - ET EXPLOIT Symantec Remote Management RTVScan Exploit (emerging-exploit.rules)
2003329 - ET EXPLOIT Centrality IP Phone (PA-168 Chipset) Session Hijacking (emerging-exploit.rules)
2003332 - ET EXPLOIT GuppY error.php POST Arbitrary Remote Code Execution (emerging-exploit.rules)
2003370 - ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS (emerging-exploit.rules)
2003378 - ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow (emerging-exploit.rules)
2003379 - ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS (emerging-exploit.rules)
2003400 - ET EXPLOIT US-ASCII Obfuscated script (emerging-exploit.rules)
2003401 - ET EXPLOIT US-ASCII Obfuscated VBScript download file (emerging-exploit.rules)
2003402 - ET EXPLOIT US-ASCII Obfuscated VBScript execute command (emerging-exploit.rules)
2003403 - ET EXPLOIT US-ASCII Obfuscated VBScript (emerging-exploit.rules)
2003411 - ET EXPLOIT Solaris telnet USER environment vuln Attack inbound (emerging-exploit.rules)
2003412 - ET EXPLOIT Solaris telnet USER environment vuln Attack outbound (emerging-exploit.rules)
2003415 - ET EXPLOIT Firefox Cookie Manipulation Attempt (emerging-exploit.rules)
2003434 - ET EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt (emerging-exploit.rules)
2003518 - ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit (emerging-exploit.rules)
2003519 - ET EXPLOIT MS ANI exploit (emerging-exploit.rules)
2003750 - ET EXPLOIT CA Brightstor ARCServe caloggerd DoS (emerging-exploit.rules)
2003751 - ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS (emerging-exploit.rules)
2007584 - ET EXPLOIT TrendMicro ServerProtect Exploit possible worma(little-endian DCERPC Request) (emerging-exploit.rules)
2007847 - ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit (emerging-exploit.rules)
2007851 - ET EXPLOIT Citrix Presentation Server Client WFICA.OCX ActiveX Component Heap Buffer Overflow Exploit (emerging-exploit.rules)
2007874 - ET EXPLOIT Now SMS/MMS Gateway HTTP BOF Vulnerability (emerging-exploit.rules)
2007875 - ET EXPLOIT Now SMS/MMS Gateway SMPP BOF Vulnerability (emerging-exploit.rules)
2007876 - ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - udp (emerging-exploit.rules)
2007877 - ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp (emerging-exploit.rules)
2007906 - ET GAMES Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF (emerging-game.rules)
2007933 - ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability (emerging-exploit.rules)
2007934 - ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability (emerging-exploit.rules)
2007937 - ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (emerging-exploit.rules)
2008063 - ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit (emerging-exploit.rules)
2008170 - ET EXPLOIT Microsoft Internet Explorer ieframe.dll Script Injection Vulnerability (emerging-exploit.rules)
2008426 - ET EXPLOIT SecurityGateway 1.0.1 Remote Buffer Overflow (emerging-exploit.rules)
2008444 - ET EXPLOIT PWDump4 Password dumping exe copied to victim (emerging-exploit.rules)
2008445 - ET EXPLOIT Pwdump6 Session Established test file created on victim (emerging-exploit.rules)
2008476 - ET EXPLOIT Foofus.net Password dumping, dll injection (emerging-exploit.rules)
2008517 - ET EXPLOIT SQL sp_configure - configuration change (emerging-exploit.rules)
2008518 - ET EXPLOIT SQL sp_configure attempt (emerging-exploit.rules)
2008542 - ET EXPLOIT CitectSCADA ODBC Overflowflow Attempt (emerging-exploit.rules)
2008690 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1) (emerging-exploit.rules)
2008691 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2) (emerging-exploit.rules)
2008692 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3) (emerging-exploit.rules)
2008693 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4) (emerging-exploit.rules)
2008694 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5) (emerging-exploit.rules)
2008695 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6) (emerging-exploit.rules)
2008696 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7) (emerging-exploit.rules)
2008697 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8) (emerging-exploit.rules)
2008698 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9) (emerging-exploit.rules)
2008699 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10) (emerging-exploit.rules)
2008700 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (emerging-exploit.rules)
2008701 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11) (emerging-exploit.rules)
2008702 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12) (emerging-exploit.rules)
2008703 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13) (emerging-exploit.rules)
2008704 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14) (emerging-exploit.rules)
2008705 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) (emerging-exploit.rules)
2008706 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16) (emerging-exploit.rules)
2008707 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17) (emerging-exploit.rules)
2008708 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18) (emerging-exploit.rules)
2008709 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19) (emerging-exploit.rules)
2008710 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20) (emerging-exploit.rules)
2008711 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21) (emerging-exploit.rules)
2008712 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22) (emerging-exploit.rules)
2008713 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23) (emerging-exploit.rules)
2008714 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24) (emerging-exploit.rules)
2008715 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25) (emerging-exploit.rules)
2008716 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26) (emerging-exploit.rules)
2008717 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27) (emerging-exploit.rules)
2008718 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28) (emerging-exploit.rules)
2008719 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29) (emerging-exploit.rules)
2008720 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30) (emerging-exploit.rules)
2008721 - ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2) (emerging-exploit.rules)
2008776 - ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1 (emerging-exploit.rules)
2008777 - ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2 (emerging-exploit.rules)

[///] Modified inactive rules: [///]

2001718 - ET EXPLOIT CAN-2004-1244 PNG with bad width (emerging-exploit.rules)
2001719 - ET EXPLOIT CAN-2004-1244 PNG with bad height (emerging-exploit.rules)
2001723 - ET EXPLOIT ATmaCA PoC for CORE-2004-0819 - Bad PNG (emerging-exploit.rules)
2001724 - ET EXPLOIT libpng CAN-2004-1244 overflow attempt (emerging-exploit.rules)
2002061 - ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound) (emerging-exploit.rules)
2002062 - ET EXPLOIT Possible BackupExec Metasploit Exploit (outbound) (emerging-exploit.rules)
2002124 - ET EXPLOIT Potential MS05-036 exploit - PNG with embedded ICC document (emerging-exploit.rules)
2002186 - ET EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability (emerging-exploit.rules)
2002187 - ET EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln (emerging-exploit.rules)
2002188 - ET EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln (emerging-exploit.rules)
2002733 - ET EXPLOIT WMF Escape Record Exploit - All Ports - v3 (emerging-exploit.rules)
2002759 - ET EXPLOIT WMF Escape Record Exploit - All Ports - v1 (emerging-exploit.rules)
2002783 - ET EXPLOIT Java runtime.exec() call (emerging-exploit.rules)
2002784 - ET EXPLOIT Java private function call sun.misc.unsafe (emerging-exploit.rules)
2002785 - ET EXPLOIT Java field reflector call java.lang.reflect.field (emerging-exploit.rules)
2002786 - ET EXPLOIT Javascript unsafe applet call (emerging-exploit.rules)
2002787 - ET EXPLOIT Javascript Securitymanager class applet call (emerging-exploit.rules)
2003369 - ET EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption (emerging-exploit.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-exploit.rules (45):
# MS05-036 has a pile of vectors into the system. These are just some of them.
# False negative warning: JPEG ICC can be fragged into multiple chunks.
# False negative warning: GIF ICC can be fragged into multiple chunks.
# D9 EE fldz
# D9 74 24 F4 fnstenv [esp - 12]
# 5B pop ebx
# 81 73 13 xorkey xor_xor: xor DWORD [ebx + 22], xorkey
# 83 EB FC sub ebx,-4
# E2 F4 loop xor_xor
# Content1
# 98 49 F8 27 91 2F 27 48 4F 4E 6A 12 59 2E D6 9A FE <83 EB FC E2 F4> t$.[.s..........
# Xorkey Content2
# E8 FF FF FF call $+4
# FF C1 inc ecx
# 5E pop esi
# 30 4C 0E 07 xor_xor: xor [esi + ecx + 0x07], cl
# E2 FA loop xor_xor
# VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089 win32getpc
# ?? JJJJJ ?? baseaddr
# VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM decoder
# E8 FF FF FF call $+4
# FF C0 inc eax
# 5E pop esi
# 81 76 0E xorkey xor_xor: xor [esi + 0x0e], xorkey
# 83 EE FC sub esi, -4
# E2 F4 loop xor_xor
# FC cld
# BB key mov ebx, key
# EB 0C jmp short 0x14
# 5E pop esi
# 56 push esi
# 31 1E xor [esi], ebx
# AD lodsd
# 01 C3 add ebx, eax
# 85 C0 test eax, eax
# 75 F7 jnz 0xa
# C3 ret
# E8 EF FF FF FF call 0x8
# bc d3 c3 d2 c9 d0 d4