From emerging at emergingthreats.net  Thu Jan  1 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 1 Jan 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090101210009.3CFF64501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Jan 1 16:00:09 2009 [***]

[///] Modified active rules: [///]

    2008802 - ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity (emerging.rules)
    2008803 - ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location (emerging.rules)
    2008804 - ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 (emerging.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (7):
       2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
       2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
       2008804 || ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
       2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (7):
       2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
       2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
       2008804 || ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
       2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (3):
       2008802 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
       2008803 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
       2008804 || ET CURRENT_EVENTS Downaup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A

    -> Removed from emerging-sid-msg.map.txt (3):
       2008802 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
       2008803 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
       2008804 || ET CURRENT_EVENTS Downaup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A

From emerging at emergingthreats.net  Fri Jan  2 16:00:08 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 2 Jan 2009 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090102210008.E1E044501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Jan 2 16:00:08 2009 [***]

[*] Rules modifications: [*]
    None.
[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (2):
       2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (2):
       2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (2):
       2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
       2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org

    -> Removed from emerging-sid-msg.map.txt (2):
       2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
       2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org

From AJWOOD at sentara.com  Fri Jan  2 16:43:31 2009
From: AJWOOD at sentara.com (ANDREW J WOOD)
Date: Fri, 02 Jan 2009 16:43:31 -0500
Subject: [Emerging-Sigs] False positives due to poor port choices
Message-ID: <20090102214352.1B5A0B899@ev2.jonkmans.com>

I enjoy using the ET sigs, but end up with a TON of false positives due to what I believe are poor port choices. Take the following signature as an example:

emerging-virus.rules:alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive"; flow:established,from_server; dsize:1; content:"d"; classtype:trojan-activity; sid:2008335; rev:3;)

This rule triggered on an Active FTP session with the source port of 20.

Since this is a "FROM_SERVER" connection, wouldn't the rule be better written as:

emerging-virus.rules:alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive"; flow:established,from_server; dsize:1; content:"d"; classtype:trojan-activity; sid:2008335; rev:3;)

There are many rules with "1024: -> any" and "any -> 1024:". If I'm not out to lunch, is there any sanity checking that can be performed before these rules are posted?

Thanks,
Andy

From jonkman at jonkmans.com  Fri Jan  2 16:51:04 2009
From: jonkman at jonkmans.com (jonkman@jonkmans.com)
Date: Fri, 2 Jan 2009 21:51:04 +0000
Subject: [Emerging-Sigs] False positives due to poor port choices
Message-ID: <1063995119-1230933099-cardhu_decombobulator_blackberry.rim.net-1954072479-@bxe317.bisx.prod.on.blackberry>

Really? You had an ftp session with a one byte packet? Wow, what are the odds!

The change you propose to that sig is a good one though. As far as I know we haven't seen that one use a low port for a cnc.

As far as sanity checking, we do all we can and have some automated QA. But we rely most on these kinds of feedback reports. Please keep em coming!

Appreciate it. Will get this change posted asap.

Matt

------Original Message------
From: ANDREW J WOOD
Sender:
To: emerging-sigs at emergingthreats.net
Sent: Jan 2, 2009 4:43 PM
Subject: [Emerging-Sigs] False positives due to poor port choices

I enjoy using the ET sigs, but end up with a TON of false positives due to what I believe are poor port choices. Take the following signature as an example:

emerging-virus.rules:alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive"; flow:established,from_server; dsize:1; content:"d"; classtype:trojan-activity; sid:2008335; rev:3;)

This rule triggered on an Active FTP session with the source port of 20.

Since this is a "FROM_SERVER" connection, wouldn't the rule be better written as:

emerging-virus.rules:alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive"; flow:established,from_server; dsize:1; content:"d"; classtype:trojan-activity; sid:2008335; rev:3;)

There are many rules with "1024: -> any" and "any -> 1024:". If I'm not out to lunch, is there any sanity checking that can be performed before these rules are posted?

Thanks,
Andy

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Sent via BlackBerry by AT&T

From pepperjack at afferentsecurity.com  Fri Jan  2 18:00:59 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Fri, 02 Jan 2009 17:00:59 -0600
Subject: [Emerging-Sigs] 2 squared
Message-ID: <20090102170059.msjaa3up5w44csgc@mail.afferentsecurity.com>

I was trying to research some hits on this rule:

http://doc.bleedingthreats.net/bin/view/Main/2007575

but I couldn't really be sure if 2 squared was a fake antispyware or not. Does anybody on the list have a definitive ruling on this? Are they running a legit anti spyware product?

jp

-- 
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From frank at knobbe.us  Fri Jan  2 20:57:34 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Fri, 02 Jan 2009 19:57:34 -0600
Subject: [Emerging-Sigs] False positives due to poor port choices
In-Reply-To: <20090102214352.1B5A0B899@ev2.jonkmans.com>
References: <20090102214352.1B5A0B899@ev2.jonkmans.com>
Message-ID: <1230947854.59836.4.camel@localhost>

On Fri, 2009-01-02 at 16:43 -0500, ANDREW J WOOD wrote:
> There are many rules with "1024: -> any" and "any -> 1024:"

Well, of course, since those signatures fire on traffic that is destined for a high port. The reason that the source port (dynamic) is at "any" instead of "1024:" is so that we don't miss alerts when NAT devices change the source port to something below 1024. That happens often enough. Assuming that dynamic ports always start at 1024 is wrong :)

If there are a lot of FP with sigs on FTP data sessions, then I suggest just changing that signature to use a source port of "!20".

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.

From jim.mcquaid at gmail.com  Sat Jan  3 12:48:02 2009
From: jim.mcquaid at gmail.com (James McQuaid)
Date: Sat, 3 Jan 2009 12:48:02 -0500
Subject: [Emerging-Sigs] 2 squared
Message-ID:

Hi Jack,

McAfee and WOT rate it as dangerous. It links to sites that reside on the same IP which are also rated dangerous. McAfee classifies the available downloadable executables as spyware.

75.125.61.162
2squared.com
antispywarebot.com
errorsweeper.com
privacycontrol.com
regclean.com
www.2squared.com
www.antispywarebot.com
www.errorsweeper.com
www.privacycontrol.com

> From: Jack Pepper
> Subject: [Emerging-Sigs] 2 squared
> To: "Signatures, Emerging Threats"
> Message-ID:
> <20090102170059.msjaa3up5w44csgc at mail.afferentsecurity.com>
> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes";
> format="flowed"
>
> I was trying to research some hits on this rule:
>
> http://doc.bleedingthreats.net/bin/view/Main/2007575
>
> but I couldn't really be sure if 2 squared was a fake antispyware or
> not. Does anybody on the list have a definitive ruling on this? Are
> they running a legit anti spyware product?
>
> jp
> ----------------------------------------
> @fferent Security Labs: Isolate/Insulate/Innovate
> http://www.afferentsecurity.com

-- 
James McQuaid
http://www.jamesmcquaid.com

From jonkman at jonkmans.com  Sat Jan  3 13:08:02 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sat, 03 Jan 2009 13:08:02 -0500
Subject: [Emerging-Sigs] 2 squared
In-Reply-To:
References:
Message-ID: <495FA982.1080600@jonkmans.com>

Thanks for that Jim. I agree, it's not a reputable site. And using AntiSpyware as a user-agent screams out insecurity. If they were a real company doing real research and they wanted to use a custom UA they'd surely be touting their name as branding vs trying to convince us they're really an AS product. :)

Side note: make sure you're using references from doc.emergingthreats.net to make sure you have any updates. The one you posted isn't being updated any longer.

Matt

James McQuaid wrote:
> Hi Jack,
>
> McAfee and WOT rate it as dangerous. It links to sites that reside on
> the same IP which are also rated dangerous. McAfee classifies the
> available downloadable executables as spyware.
>
> 75.125.61.162
> 2squared.com
> antispywarebot.com
> errorsweeper.com
> privacycontrol.com
> regclean.com
> www.2squared.com
> www.antispywarebot.com
> www.errorsweeper.com
> www.privacycontrol.com
>
>> From: Jack Pepper
>> Subject: [Emerging-Sigs] 2 squared
>> To: "Signatures, Emerging Threats"
>> Message-ID:
>> <20090102170059.msjaa3up5w44csgc at mail.afferentsecurity.com>
>> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes";
>> format="flowed"
>>
>> I was trying to research some hits on this rule:
>>
>> http://doc.bleedingthreats.net/bin/view/Main/2007575
>>
>> but I couldn't really be sure if 2 squared was a fake antispyware or
>> not. Does anybody on the list have a definitive ruling on this? Are
>> they running a legit anti spyware product?
>>
>> jp
> ----------------------------------------
>> @fferent Security Labs: Isolate/Insulate/Innovate
>> http://www.afferentsecurity.com
>
>
>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com  Sat Jan  3 15:30:57 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sat, 03 Jan 2009 15:30:57 -0500
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Dec-30-2008
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C291B@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C291B@webmail.latis.com>
Message-ID: <495FCB01.3080108@jonkmans.com>

Once again, thanks to stillsecure!!!

Posted!

Matt

signatures wrote:
> Hi Matt,
>
> Please find 10 New Signatures below:
>
> 1.
> *PHPmyGallery lang parameter Local File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PHPmyGallery lang parameter Local File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/_conf/core/common-tpl-vars.php?"; nocase; uricontent:"lang="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7392; reference:bugtraq,32705; sid:508284; rev:1;)
>
> 2. *PHPmyGallery confdir parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"PHPmyGallery confdir parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/_conf/core/common-tpl-vars.php?"; nocase; uricontent:"confdir="; nocase; pcre:"/confdir=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7392; reference:bugtraq,32705; sid:508285; rev:1;)
>
> 3. *EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"5B8BE023-76A2-4F6D-8993-F7E588D79D98"; nocase; distance:0; content:"0x400000"; nocase; content:"CreateStore"; nocase; classtype:web-application-attack; reference:bugtraq,32722; reference:url,milw0rm.com/exploits/7402; sid:1000007; rev:1;)
>
> 4. *lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/portal_block.php?"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7341; reference:bugtraq,32647; sid:508278; rev:1;)
>
> 5. *lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/acp_lcxbbportal.php?"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7341; reference:bugtraq,32647; sid:508279; rev:1;)
>
> 6. *ccTiddly index.php cct_base parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ccTiddly index.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; sid:508269; rev:1;)
>
> 7. *ccTiddly proxy.php cct_base parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ccTiddly proxy.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/handle/proxy.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; sid:508270; rev:1;)
>
> 8. *ccTiddly header.php cct_base parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ccTiddly header.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/header.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; sid:508271; rev:1;)
>
> 9. *ccTiddly include.php cct_base parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ccTiddly include.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/include.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; sid:508272; rev:1;)
>
> 10.
> *ccTiddly workspace.php cct_base parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ccTiddly workspace.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/workspace.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; sid:508273; rev:1;)
>
> Looking forward to your comments, if any.
>
> Thanks & Regards,
> StillSecure
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net  Sat Jan  3 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 3 Jan 2009 16:00:10 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090103210010.243AC4501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Jan 3 16:00:10 2009 [***]

[+++] Added rules: [+++]

    2008961 - ET WEB_SPECIFIC PHPmyGallery lang parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008963 - ET WEB_ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow (emerging-web.rules)
    2008964 - ET WEB_SPECIFIC lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008965 - ET WEB_SPECIFIC lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008966 - ET WEB_SPECIFIC ccTiddly index.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008967 - ET WEB_SPECIFIC ccTiddly proxy.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008968 - ET WEB_SPECIFIC ccTiddly header.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008969 - ET WEB_SPECIFIC ccTiddly include.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008970 - ET WEB_SPECIFIC ccTiddly workspace.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008982 - ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion (emerging-web_sql_injection.rules)

[///] Modified active rules: [///]

    2007962 - ET TROJAN Vipdataend C&C Traffic - Checkin (emerging-virus.rules)
    2007963 - ET TROJAN Vipdataend C&C Traffic - Status OK (emerging-virus.rules)
    2007964 - ET TROJAN Vipdataend C&C Traffic - Server Status OK (emerging-virus.rules)
    2007970 - ET TROJAN Vipdataend C&C Traffic - Checkin (XY) (emerging-virus.rules)
    2008223 - ET TROJAN Vipdataend C&C Traffic - Checkin (FYWL) (emerging-virus.rules)
    2008224 - ET TROJAN Vipdataend C&C Traffic - Checkin (XYLL) (emerging-virus.rules)
    2008254 - ET TROJAN Vipdataend/Ceckno C&C Traffic - Checkin (emerging-virus.rules)
    2008334 - ET TROJAN Beizhu/Womble/Vipdataend Checking in with Controller (emerging-virus.rules)
    2008335 - ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (12):
       2008961 || ET WEB_SPECIFIC PHPmyGallery lang parameter Local File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
       2008963 || ET WEB_ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow || url,milw0rm.com/exploits/7402 || bugtraq,32722
       2008964 || ET WEB_SPECIFIC lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion || bugtraq,32647 || url,milw0rm.com/exploits/7341
       2008965 || ET WEB_SPECIFIC lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion || bugtraq,32647 || url,milw0rm.com/exploits/7341
       2008966 || ET WEB_SPECIFIC ccTiddly index.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
       2008967 || ET WEB_SPECIFIC ccTiddly proxy.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
       2008968 || ET WEB_SPECIFIC ccTiddly header.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
       2008969 || ET WEB_SPECIFIC ccTiddly include.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
       2008970 || ET WEB_SPECIFIC ccTiddly workspace.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
       2008982 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
       2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (12):
       2008961 || ET WEB_SPECIFIC PHPmyGallery lang parameter Local File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
       2008963 || ET WEB_ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow || url,milw0rm.com/exploits/7402 || bugtraq,32722
       2008964 || ET WEB_SPECIFIC lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion || bugtraq,32647 || url,milw0rm.com/exploits/7341
       2008965 || ET WEB_SPECIFIC lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion || bugtraq,32647 || url,milw0rm.com/exploits/7341
       2008966 || ET WEB_SPECIFIC ccTiddly index.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
       2008967 || ET WEB_SPECIFIC ccTiddly proxy.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
       2008968 || ET WEB_SPECIFIC ccTiddly header.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
       2008969 || ET WEB_SPECIFIC ccTiddly include.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
       2008970 || ET WEB_SPECIFIC ccTiddly workspace.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
       2008982 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
       2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (26):
       2404006 || ET DROP Known Bot C&C Server Traffic (group 7) || url,www.shadowserver.org
       2404007 || ET DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org
       2404008 || ET DROP Known Bot C&C Server Traffic (group 9) || url,www.shadowserver.org
       2404009 || ET DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org
       2404010 || ET DROP Known Bot C&C Server Traffic (group 11) || url,www.shadowserver.org
       2404011 || ET DROP Known Bot C&C Server Traffic (group 12) || url,www.shadowserver.org
       2404012 || ET DROP Known Bot C&C Server Traffic (group 13) || url,www.shadowserver.org
       2404013 || ET DROP Known Bot C&C Server Traffic (group 14) || url,www.shadowserver.org
       2404014 || ET DROP Known Bot C&C Server Traffic (group 15) || url,www.shadowserver.org
       2404015 || ET DROP Known Bot C&C Server Traffic (group 16) || url,www.shadowserver.org
       2404016 || ET DROP Known Bot C&C Server Traffic (group 17) || url,www.shadowserver.org
       2404017 || ET DROP Known Bot C&C Server Traffic (group 18) || url,www.shadowserver.org
       2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org
       2405006 || ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org
       2405007 || ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org
       2405008 || ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE || url,www.shadowserver.org
       2405009 || ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org
       2405010 || ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE || url,www.shadowserver.org
       2405011 || ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE || url,www.shadowserver.org
       2405012 || ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE || url,www.shadowserver.org
       2405013 || ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE || url,www.shadowserver.org
       2405014 || ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE || url,www.shadowserver.org
       2405015 || ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE || url,www.shadowserver.org
       2405016 || ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE || url,www.shadowserver.org
       2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org
       2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org

    -> Removed from emerging-sid-msg.map.txt (26):
       2404006 || ET DROP Known Bot C&C Server Traffic (group 7) || url,www.shadowserver.org
       2404007 || ET DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org
       2404008 || ET DROP Known Bot C&C Server Traffic (group 9) || url,www.shadowserver.org
       2404009 || ET DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org
       2404010 || ET DROP Known Bot C&C Server Traffic (group 11) || url,www.shadowserver.org
       2404011 || ET DROP Known Bot C&C Server Traffic (group 12) || url,www.shadowserver.org
       2404012 || ET DROP Known Bot C&C Server Traffic (group 13) || url,www.shadowserver.org
       2404013 || ET DROP Known Bot C&C Server Traffic (group 14) || url,www.shadowserver.org
       2404014 || ET DROP Known Bot C&C Server Traffic (group 15) || url,www.shadowserver.org
       2404015 || ET DROP Known Bot C&C Server Traffic (group 16) || url,www.shadowserver.org
       2404016 || ET DROP Known Bot C&C Server Traffic (group 17) || url,www.shadowserver.org
       2404017 || ET DROP Known Bot C&C Server Traffic (group 18) || url,www.shadowserver.org
       2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org
       2405006 || ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org
       2405007 || ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org
       2405008 || ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE || url,www.shadowserver.org
       2405009 || ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org
       2405010 || ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE || url,www.shadowserver.org
       2405011 || ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE || url,www.shadowserver.org
       2405012 || ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE || url,www.shadowserver.org
       2405013 || ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE || url,www.shadowserver.org
       2405014 || ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE || url,www.shadowserver.org
       2405015 || ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE || url,www.shadowserver.org
       2405016 || ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE || url,www.shadowserver.org
       2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org
       2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org

From emerging at emergingthreats.net  Sat Jan  3 18:00:08 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 3 Jan 2009 18:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20090103230008.AD1574501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Jan 3 18:00:08 2009 [***]

[+++] Added rules: [+++]

    2008941 - ET MALWARE Suspicious User-Agent (HELLO) (emerging-malware.rules)
    2008942 - ET POLICY Dlink Soho Router Config Page Access Attempt (emerging-policy.rules)
    2008943 - ET TROJAN Lop_com or variant Checkin (9kgen_up) (emerging-virus.rules)
    2008944 - ET TROJAN TDSServ or Tidserv variant Checkin (emerging-virus.rules)
    2008945 - ET TROJAN dlink router access attempt (emerging-virus.rules)
    2008946 - ET TROJAN UpackbyDwing in HTTP Download Possibly Hostile (emerging-virus.rules)
    2008947 - ET TROJAN UpackbyDwing in HTTP (2) Possibly Hostile (emerging-virus.rules)
    2008948 - ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin (emerging.rules)
    2008949 - ET TROJAN Win32.Small.yml or Related HTTP Checkin (emerging-virus.rules)
    2008950 - ET TROJAN Trojan.Win32.Small.yml client registration (emerging-virus.rules)
    2008951 - ET TROJAN Trojan.Win32.Small.yml client command (emerging-virus.rules)
    2008952 - ET TROJAN Win32.Small.yml or Related HTTP Command (emerging-virus.rules)
    2008953 - ET POLICY Possible MS CMD Shell opened on local system (emerging-attack_response.rules)
    2008954 - ET TROJAN Mac User-Agent Typo - Likely Hostile/Trojan Infection (emerging-virus.rules)
    2008955 - ET TROJAN Mac User-Agent Typo INBOUND - Likely Hostile (emerging-virus.rules)
    2008956 - ET MALWARE Suspicious User-Agent (IE/1.0) (emerging-malware.rules)
    2008958 - ET TROJAN Waledac Beacon Traffic Detected (emerging-virus.rules)
    2008960 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan (emerging.rules)
    2008961 - ET WEB_SPECIFIC PHPmyGallery lang parameter Local File Inclusion (emerging-web_sql_injection.rules)
    2008963 - ET WEB_ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow (emerging-web.rules)
    2008964 - ET WEB_SPECIFIC lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008965 - ET WEB_SPECIFIC lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008966 - ET WEB_SPECIFIC ccTiddly index.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008967 - ET WEB_SPECIFIC ccTiddly proxy.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008968 - ET WEB_SPECIFIC ccTiddly header.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008969 - ET WEB_SPECIFIC ccTiddly include.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008970 - ET WEB_SPECIFIC ccTiddly workspace.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008982 - ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules)
    2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules)
    2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules)
    2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules)
    2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules)
    2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules)
    2406176 - ET
RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules) 2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules) 2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules) 2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules) 2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules) 2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules) 2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules) 2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules) 2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules) 2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules) 2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules) 2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules) 2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules) 2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules) 2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules) 2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules) 2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules) 2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules) 2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules) 2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules) 2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules) 2406197 - ET RBN Known Russian Business Network Monitored 
Domains (198) (emerging-rbn.rules) 2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules) 2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) (emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules) 2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) (emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules) 
2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules) 2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) (emerging-rbn-BLOCK.rules) 2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules) 2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) (emerging-rbn-BLOCK.rules) 2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules) 2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules) 2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules) 2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules) 2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) (emerging-rbn-BLOCK.rules) 2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules) 2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules) [///] Modified active rules: [///] 2007962 - ET TROJAN Vipdataend C&C Traffic - Checkin (emerging-virus.rules) 2007963 - ET TROJAN Vipdataend C&C Traffic - Status OK (emerging-virus.rules) 2007964 - ET TROJAN Vipdataend C&C Traffic - Server Status OK (emerging-virus.rules) 2007970 - ET TROJAN Vipdataend C&C Traffic - Checkin (XY) (emerging-virus.rules) 2008223 - ET TROJAN Vipdataend C&C Traffic - Checkin (FYWL) (emerging-virus.rules) 2008224 - ET TROJAN Vipdataend C&C Traffic - Checkin (XYLL) (emerging-virus.rules) 2008254 - ET TROJAN Vipdataend/Ceckno C&C Traffic - Checkin (emerging-virus.rules) 2008334 - ET TROJAN Beizhu/Womble/Vipdataend Checking in with Controller 
(emerging-virus.rules) 2008335 - ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive (emerging-virus.rules) 2008802 - ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity (emerging.rules) 2008803 - ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location (emerging.rules) 2008804 - ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 (emerging.rules) 2008870 - ET WEB_ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation (emerging-web.rules) 2008880 - ET WEB_SPECIFIC PunBB Functions_navlinks.php pun_user[language] Parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008881 - ET WEB_SPECIFIC PunBB profile_send.php pun_user[language] Parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008882 - ET WEB_SPECIFIC PunBB viewtopic_PM-link.php pun_user[language] Parameter Local File Inclusion (emerging-web_sql_injection.rules) 2008914 - ET MALWARE Suspicious User-Agent (xr - Worm.Win32.VB.cj related) (emerging-malware.rules) 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401003 - ET DROP Spamhaus DROP 
Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules) 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules) 2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules) 2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules) 2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules) 2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules) 2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules) 2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules) 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules) 2406003 - ET RBN Known Russian 
Business Network Monitored Domains (4) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET 
RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network Monitored Domains (47) 
(emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business 
Network Monitored Domains (69) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules) 2406090 - ET 
RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules) 2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules) 2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules) 2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules) 2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules) 2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules) 2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules) 2406111 - ET RBN Known Russian Business Network Monitored Domains 
(112) (emerging-rbn.rules) 2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules) 2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules) 2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules) 2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules) 2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules) 2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules) 2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules) 2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules) 2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules) 2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules) 2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules) 2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules) 2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules) 2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules) 2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules) 2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules) 2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules) 2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules) 2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules) 2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules) 2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules) 2406133 - ET RBN 
Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules) 2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules) 2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules) 2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules) 2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules) 2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules) 2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules) 2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules) 2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules) 2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules) 2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules) 2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules) 2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules) 2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules) 2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules) 2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules) 2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules) 2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules) 2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules) 2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules) 2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules) 2406154 - ET RBN Known Russian Business Network Monitored 
Domains (155) (emerging-rbn.rules) 2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules) 2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules) 2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules) 2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules) 2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules) 2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules) 2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules) 2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules) 2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules) 2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules) 2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules) 2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules) 2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules) 2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules) 2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known 
Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)
2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)
2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules)
2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules)
2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules)
2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules)
2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules)
2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules)
2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules)
2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules)
2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules)
2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules)
2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules)
2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules)
2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules)
2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules)
2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules)
2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules)
2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules)
2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules)
2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules)
2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules)
2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules)
2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules)
2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules)
2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules)
2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules)
2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules)
2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules)
2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules)
2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules)
2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules)
2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules)
2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules)
2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules)
2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules)
2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules)
2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules)
2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules)
2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules)
2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules)
2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules)
2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules)
2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules)
2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules)
2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules)
2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules)
2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules)
2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules)
2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules)
2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules)
2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules)
2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules)
2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules)
2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules)
2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules)
2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules)
2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules)
2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules)
2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules)
2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules)
2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules)
2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules)
2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules)
2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules)
2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules)
2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules)
2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules)
2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules)
2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules)
2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules)
2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules)
2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules)
2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules)
2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules)
2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules)
2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules)
2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules)
2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules)
2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules)
2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules)
2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules)
2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules)
2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules)
2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules)
2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules)
2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules)
2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules)
2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules)
2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules)
2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules)
2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules)
2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules)
2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules)
2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules)
2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules)
2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules)
2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules)
2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules)
2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules)
2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules)
2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules)
2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules)
2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules)
2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules)
2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules)
2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules)
2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules)
2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules)
2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules)
2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules)
2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules)
2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules)
2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules)
2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules)
2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules)
2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules)
2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules)
2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules)
2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules)
2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules)
2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules)
2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules)
2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules)
2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules)
2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules)
2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules)
2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules)
2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules)
2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules)
2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules)
2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules)
2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules)
2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules)
2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules)
2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules)
2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules)
2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules)
2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules)
2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules)
2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules)
2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules)

[---] Removed rules: [---]

2008801 - ET CURRENT_EVENTS Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 (emerging.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-attack_response.rules (1):
#for a windows cmd shell opened on a local box

-> Added to emerging-drop-BLOCK.rules (2):
# VERSION 1408
# Generated 2009-01-03 00:03:02 EDT

-> Added to emerging-drop.rules (2):
# VERSION 1408
# Generated 2009-01-03 00:03:02 EDT

-> Added to emerging-policy.rules (2):
#for access to a local dlink router's config page. Some trojans try to access this
#re 20069714fc077fe197d3fc27fa905025

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 96
# Updated 2008-12-29 11:46:50

-> Added to emerging-rbn.rules (2):
# VERSION 96
# Updated 2008-12-29 11:46:50

-> Added to emerging-sid-msg.map (146):
2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2008804 || ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
2008914 || ET MALWARE Suspicious User-Agent (xr - Worm.Win32.VB.cj related)
2008941 || ET MALWARE Suspicious User-Agent (HELLO)
2008942 || ET POLICY Dlink Soho Router Config Page Access Attempt
2008943 || ET TROJAN Lop_com or variant Checkin (9kgen_up) || url,www.threatexpert.com/reports.aspx?find=9kgen_up.int
2008944 || ET TROJAN TDSServ or Tidserv variant Checkin || url,www.threatexpert.com/reports.aspx?find=%2Fcrcmds%2Fmain
2008945 || ET TROJAN dlink router access attempt
2008946 || ET TROJAN UpackbyDwing in HTTP Download Possibly Hostile || url,www.packetninjas.net
2008947 || ET TROJAN UpackbyDwing in HTTP (2) Possibly Hostile || url,www.packetninjas.net
2008948 || ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin || url,www.threatexpert.com/reports.aspx?find=help.rar
2008949 || ET TROJAN Win32.Small.yml or Related HTTP Checkin
2008950 || ET TROJAN Trojan.Win32.Small.yml client registration
2008951 || ET TROJAN Trojan.Win32.Small.yml client command
2008952 || ET TROJAN Win32.Small.yml or Related HTTP Command
2008953 || ET POLICY Possible MS CMD Shell opened on local system
2008954 || ET TROJAN Mac User-Agent Typo - Likely Hostile/Trojan Infection
2008955 || ET TROJAN Mac User-Agent Typo INBOUND - Likely Hostile
2008956 || ET MALWARE Suspicious User-Agent (IE/1.0)
2008958 || ET TROJAN Waledac Beacon Traffic Detected || url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231
2008960 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan || url,isc.sans.org/diary.html?storyid=5599
2008961 || ET WEB_SPECIFIC PHPmyGallery lang parameter Local File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
2008963 || ET WEB_ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow || url,milw0rm.com/exploits/7402 || bugtraq,32722
2008964 || ET WEB_SPECIFIC lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion || bugtraq,32647 || url,milw0rm.com/exploits/7341
2008965 || ET WEB_SPECIFIC lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion || bugtraq,32647 || url,milw0rm.com/exploits/7341
2008966 || ET WEB_SPECIFIC ccTiddly index.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
2008967 || ET WEB_SPECIFIC ccTiddly proxy.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
2008968 || ET WEB_SPECIFIC ccTiddly header.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
2008969 || ET WEB_SPECIFIC ccTiddly include.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
2008970 || ET WEB_SPECIFIC ccTiddly workspace.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
2008982 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
2406170 || ET RBN Known Russian Business Network Monitored Domains (171) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406171 || ET RBN Known Russian Business Network Monitored Domains (172) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406172 || ET RBN Known Russian Business Network Monitored Domains (173) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406173 || ET RBN Known Russian Business Network Monitored Domains (174) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406174 || ET RBN Known Russian Business Network Monitored Domains (175) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406175 || ET RBN Known Russian Business Network Monitored Domains (176) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406176 || ET RBN Known Russian Business Network Monitored Domains (177) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406177 || ET RBN Known Russian Business Network Monitored Domains (178) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406178 || ET RBN Known Russian Business Network Monitored Domains (179) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406179 || ET RBN Known Russian Business Network Monitored Domains (180) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406180 || ET RBN Known Russian Business Network Monitored Domains (181) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406181 || ET RBN Known Russian Business Network Monitored Domains (182) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406182 || ET RBN Known Russian Business Network Monitored Domains (183) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406183 || ET RBN Known Russian Business Network Monitored Domains (184) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406184 || ET RBN Known Russian Business Network Monitored Domains (185) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406185 || ET RBN Known Russian Business Network Monitored Domains (186) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406186 || ET RBN Known Russian Business Network Monitored Domains (187) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406187 || ET RBN Known Russian Business Network Monitored Domains (188) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406188 || ET RBN Known Russian Business Network Monitored Domains (189) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406189 || ET RBN Known Russian Business Network Monitored Domains (190) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406190 || ET RBN Known Russian Business Network Monitored Domains (191) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406191 || ET RBN Known Russian Business Network Monitored Domains (192) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406192 || ET RBN Known Russian Business Network Monitored Domains (193) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406193 || ET RBN Known Russian Business Network Monitored Domains (194) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406194 || ET RBN Known Russian Business Network Monitored Domains (195) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406195 || ET RBN Known Russian Business Network Monitored Domains (196) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406196 || ET RBN Known Russian Business Network Monitored Domains (197) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406197 || ET RBN Known Russian Business Network Monitored Domains (198) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406198 || ET RBN Known Russian Business Network Monitored Domains (199) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407170 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407171 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407172 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407173 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407174 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407175 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407176 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407177 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407178 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407179 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407180 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407181 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407182 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407183 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407184 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407185 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407186 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407187 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407188 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407189 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407190 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407191 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407192 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407193 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407194 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407195 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407196 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407197 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407198 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2500037 || ET COMPROMISED Known Compromised or Hostile Host Traffic (38) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500038 || ET COMPROMISED Known Compromised or Hostile Host Traffic (39) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500039 || ET COMPROMISED Known Compromised or Hostile Host Traffic (40) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500040 || ET COMPROMISED Known Compromised or Hostile Host Traffic (41) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500041 || ET COMPROMISED Known Compromised or Hostile Host Traffic (42) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500042 || ET COMPROMISED Known Compromised or Hostile Host Traffic (43) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500043 || ET COMPROMISED Known Compromised or Hostile Host Traffic (44) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500044 || ET COMPROMISED Known Compromised or Hostile Host Traffic (45) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500045 || ET COMPROMISED Known Compromised or Hostile Host Traffic (46) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500046 || ET COMPROMISED Known Compromised or Hostile Host Traffic (47) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500047 || ET COMPROMISED Known Compromised or Hostile Host Traffic (48) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500048 || ET COMPROMISED Known Compromised or Hostile Host Traffic (49) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500049 || ET COMPROMISED Known Compromised or Hostile Host Traffic (50) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500050 || ET COMPROMISED Known Compromised or Hostile Host Traffic (51) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500051 || ET COMPROMISED Known Compromised or Hostile Host Traffic (52) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500052 || ET COMPROMISED Known Compromised or Hostile Host Traffic (53) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500053 || ET COMPROMISED Known Compromised or Hostile Host Traffic (54) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500054 || ET COMPROMISED Known Compromised or Hostile Host Traffic (55) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500055 || ET COMPROMISED Known Compromised or Hostile Host Traffic (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500056 || ET COMPROMISED Known Compromised or Hostile Host Traffic (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500057 || ET COMPROMISED Known Compromised or Hostile Host Traffic (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500058 || ET COMPROMISED Known Compromised or Hostile Host Traffic (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500059 || ET COMPROMISED Known Compromised or Hostile Host Traffic (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500060 || ET COMPROMISED Known Compromised or Hostile Host Traffic (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510037 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (38) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510038 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (39) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510039 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (40) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510040 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (41) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510041 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (42) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510042 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (43) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510043 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (44) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510044 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (45) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510045 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (46) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510046 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (47) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510047 || ET COMPROMISED Known Compromised or
Hostile Host Traffic - BLOCKING (48) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510048 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (49) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510049 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (50) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510050 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (51) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510051 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (52) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510052 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (53) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510053 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (54) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510054 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (55) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510056 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510057 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510058 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510059 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510060 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 
2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (146): 2008802 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008803 || ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008804 || ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008914 || ET MALWARE Suspicious User-Agent (xr - Worm.Win32.VB.cj related) 2008941 || ET MALWARE Suspicious User-Agent (HELLO) 2008942 || ET POLICY Dlink Soho Router Config Page Access Attempt 2008943 || ET TROJAN Lop_com or variant Checkin (9kgen_up) || url,www.threatexpert.com/reports.aspx?find=9kgen_up.int 2008944 || ET TROJAN TDSServ or Tidserv variant Checkin || url,www.threatexpert.com/reports.aspx?find=%2Fcrcmds%2Fmain 2008945 || ET TROJAN dlink router access attempt 2008946 || ET TROJAN UpackbyDwing in HTTP Download Possibly Hostile || url,www.packetninjas.net 2008947 || ET TROJAN UpackbyDwing in HTTP (2) Possibly Hostile || url,www.packetninjas.net 
2008948 || ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin || url,www.threatexpert.com/reports.aspx?find=help.rar 2008949 || ET TROJAN Win32.Small.yml or Related HTTP Checkin 2008950 || ET TROJAN Trojan.Win32.Small.yml client registration 2008951 || ET TROJAN Trojan.Win32.Small.yml client command 2008952 || ET TROJAN Win32.Small.yml or Related HTTP Command 2008953 || ET POLICY Possible MS CMD Shell opened on local system 2008954 || ET TROJAN Mac User-Agent Typo - Likely Hostile/Trojan Infection 2008955 || ET TROJAN Mac User-Agent Typo INBOUND - Likely Hostile 2008956 || ET MALWARE Suspicious User-Agent (IE/1.0) 2008958 || ET TROJAN Waledac Beacon Traffic Detected || url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231 2008960 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan || url,isc.sans.org/diary.html?storyid=5599 2008961 || ET WEB_SPECIFIC PHPmyGallery lang parameter Local File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392 2008963 || ET WEB_ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow || url,milw0rm.com/exploits/7402 || bugtraq,32722 2008964 || ET WEB_SPECIFIC lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion || bugtraq,32647 || url,milw0rm.com/exploits/7341 2008965 || ET WEB_SPECIFIC lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion || bugtraq,32647 || url,milw0rm.com/exploits/7341 2008966 || ET WEB_SPECIFIC ccTiddly index.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336 2008967 || ET WEB_SPECIFIC ccTiddly proxy.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336 2008968 || ET WEB_SPECIFIC ccTiddly header.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336 2008969 || ET WEB_SPECIFIC ccTiddly include.php cct_base 
parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336 2008970 || ET WEB_SPECIFIC ccTiddly workspace.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336 2008982 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392 2406170 || ET RBN Known Russian Business Network Monitored Domains (171) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406171 || ET RBN Known Russian Business Network Monitored Domains (172) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406172 || ET RBN Known Russian Business Network Monitored Domains (173) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406173 || ET RBN Known Russian Business Network Monitored Domains (174) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406174 || ET RBN Known Russian Business Network Monitored Domains (175) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406175 || ET RBN Known Russian Business Network Monitored Domains (176) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406176 || ET RBN Known Russian Business Network Monitored Domains (177) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406177 || ET RBN Known Russian Business Network Monitored Domains (178) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406178 || ET RBN Known Russian Business Network Monitored Domains (179) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406179 || ET RBN Known Russian Business Network Monitored Domains (180) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406180 || ET RBN Known Russian Business Network Monitored Domains (181) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406181 || ET RBN Known Russian Business 
Network Monitored Domains (182) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406182 || ET RBN Known Russian Business Network Monitored Domains (183) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406183 || ET RBN Known Russian Business Network Monitored Domains (184) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406184 || ET RBN Known Russian Business Network Monitored Domains (185) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406185 || ET RBN Known Russian Business Network Monitored Domains (186) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406186 || ET RBN Known Russian Business Network Monitored Domains (187) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406187 || ET RBN Known Russian Business Network Monitored Domains (188) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406188 || ET RBN Known Russian Business Network Monitored Domains (189) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406189 || ET RBN Known Russian Business Network Monitored Domains (190) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406190 || ET RBN Known Russian Business Network Monitored Domains (191) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406191 || ET RBN Known Russian Business Network Monitored Domains (192) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406192 || ET RBN Known Russian Business Network Monitored Domains (193) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406193 || ET RBN Known Russian Business Network Monitored Domains (194) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406194 || ET RBN Known Russian Business Network Monitored Domains (195) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406195 || ET RBN Known Russian Business Network Monitored Domains 
(196) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406196 || ET RBN Known Russian Business Network Monitored Domains (197) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406197 || ET RBN Known Russian Business Network Monitored Domains (198) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406198 || ET RBN Known Russian Business Network Monitored Domains (199) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407170 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407171 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407172 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407173 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407174 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407175 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407176 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407177 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407178 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407179 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407180 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407181 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407182 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407183 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407184 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407185 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407186 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407187 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407188 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407189 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407190 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407191 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407192 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407193 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407194 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407195 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407196 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407197 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407198 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500037 || ET COMPROMISED Known Compromised or Hostile Host Traffic (38) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500038 || ET COMPROMISED Known Compromised or Hostile Host Traffic (39) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500039 || ET COMPROMISED Known Compromised or Hostile Host Traffic (40) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500040 || ET COMPROMISED Known Compromised or Hostile Host Traffic (41) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500041 || ET COMPROMISED Known Compromised or Hostile Host Traffic (42) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500042 || ET COMPROMISED Known Compromised or Hostile Host Traffic (43) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500043 || ET COMPROMISED Known Compromised or Hostile Host Traffic (44) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500044 || ET COMPROMISED Known Compromised or Hostile Host Traffic (45) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500045 || ET COMPROMISED Known Compromised or Hostile Host Traffic (46) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500046 || ET COMPROMISED Known Compromised or Hostile Host Traffic (47) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500047 || ET COMPROMISED Known Compromised or Hostile Host Traffic (48) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500048 || ET COMPROMISED Known Compromised or Hostile Host Traffic (49) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500049 || ET COMPROMISED Known Compromised or Hostile Host Traffic (50) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500050 || ET COMPROMISED Known Compromised or Hostile Host Traffic (51) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500051 || ET COMPROMISED Known Compromised or Hostile Host Traffic (52) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500052 || ET COMPROMISED Known Compromised or Hostile Host Traffic (53) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500053 || ET COMPROMISED Known Compromised or Hostile Host Traffic (54) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500054 || ET COMPROMISED Known Compromised or Hostile Host Traffic (55) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500055 || ET COMPROMISED Known Compromised or Hostile Host Traffic (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500056 || ET COMPROMISED Known Compromised or Hostile Host Traffic (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500057 || ET COMPROMISED Known Compromised or Hostile Host Traffic (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500058 || ET COMPROMISED Known Compromised or Hostile Host Traffic (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500059 || ET COMPROMISED Known Compromised or 
Hostile Host Traffic (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500060 || ET COMPROMISED Known Compromised or Hostile Host Traffic (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500061 || ET COMPROMISED Known Compromised or Hostile Host Traffic (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500062 || ET COMPROMISED Known Compromised or Hostile Host Traffic (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500063 || ET COMPROMISED Known Compromised or Hostile Host Traffic (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510037 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (38) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510038 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (39) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510039 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (40) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510040 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (41) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510041 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (42) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510042 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (43) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510043 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (44) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510044 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (45) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510045 || ET COMPROMISED Known Compromised or Hostile Host Traffic 
- BLOCKING (46) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510046 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (47) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510047 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (48) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510048 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (49) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510049 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (50) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510050 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (51) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510051 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (52) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510052 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (53) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510053 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (54) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510054 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (55) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510055 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (56) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510056 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (57) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510057 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (58) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510058 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (59) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510059 || ET 
COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (60) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510060 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (61) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510061 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (62) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510062 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (63) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510063 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (64) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-virus.rules (8): #by Dan Clemens of packetninjas.net #this is similar to 2008942, but this trojan doesn't add a host header #by Rob Grabowsky #by Rob Grabowsky #by shadowserver, steven #by victor Julien # Ikarus: Trojan.Win32.Small.yml, #re f01fd7ecfce8af65832a3a57d2789fa6 -> Added to emerging.rules (3): #by kevin ross #putting this in current events to see how badly it falses. 
# Looking for a simple thing, but the pws's use this pretty reliably, and hopefully it's not too common in the real world [---] Removed non-rule lines: [---] -> Removed from emerging-drop-BLOCK.rules (2): # VERSION 1401 # Generated 2008-12-27 00:03:02 EDT -> Removed from emerging-drop.rules (2): # VERSION 1401 # Generated 2008-12-27 00:03:02 EDT -> Removed from emerging-rbn-BLOCK.rules (2): # VERSION 95 # Updated 2008-12-24 16:58:38 -> Removed from emerging-rbn.rules (2): # VERSION 95 # Updated 2008-12-24 16:58:38 -> Removed from emerging-sid-msg.map (33): 2008801 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008802 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008803 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008804 || ET CURRENT_EVENTS Downaup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 2008914 || ET MALWARE Suspicious User-Agent (Worm.Win32.VB.cj related) 2404006 || ET DROP Known Bot C&C Server Traffic (group 7) || url,www.shadowserver.org 2404007 || ET DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org 2404008 || ET DROP Known Bot C&C Server Traffic (group 9) || url,www.shadowserver.org 2404009 || ET DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org 2404010 || ET DROP Known Bot C&C Server Traffic (group 11) || url,www.shadowserver.org 2404011 || ET DROP Known Bot C&C Server Traffic (group 12) || 
url,www.shadowserver.org 2404012 || ET DROP Known Bot C&C Server Traffic (group 13) || url,www.shadowserver.org 2404013 || ET DROP Known Bot C&C Server Traffic (group 14) || url,www.shadowserver.org 2404014 || ET DROP Known Bot C&C Server Traffic (group 15) || url,www.shadowserver.org 2404015 || ET DROP Known Bot C&C Server Traffic (group 16) || url,www.shadowserver.org 2404016 || ET DROP Known Bot C&C Server Traffic (group 17) || url,www.shadowserver.org 2404017 || ET DROP Known Bot C&C Server Traffic (group 18) || url,www.shadowserver.org 2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org 2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org 2405006 || ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org 2405007 || ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org 2405008 || ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE || url,www.shadowserver.org 2405009 || ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org 2405010 || ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE || url,www.shadowserver.org 2405011 || ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE || url,www.shadowserver.org 2405012 || ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE || url,www.shadowserver.org 2405013 || ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE || url,www.shadowserver.org 2405014 || ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE || url,www.shadowserver.org 2405015 || ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE || url,www.shadowserver.org 2405016 || ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE || url,www.shadowserver.org 2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org 2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org 2405019 
|| ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org

    -> Removed from emerging-sid-msg.map.txt (33):
    2008801 || ET CURRENT_EVENTS Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
    2008802 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Worm Activity || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
    2008803 || ET CURRENT_EVENTS Possible Downaup/Conficker-A Infection Checking Geographical Location || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
    2008804 || ET CURRENT_EVENTS Downaup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
    2008914 || ET MALWARE Suspicious User-Agent (Worm.Win32.VB.cj related)
    2404006 || ET DROP Known Bot C&C Server Traffic (group 7) || url,www.shadowserver.org
    2404007 || ET DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org
    2404008 || ET DROP Known Bot C&C Server Traffic (group 9) || url,www.shadowserver.org
    2404009 || ET DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org
    2404010 || ET DROP Known Bot C&C Server Traffic (group 11) || url,www.shadowserver.org
    2404011 || ET DROP Known Bot C&C Server Traffic (group 12) || url,www.shadowserver.org
    2404012 || ET DROP Known Bot C&C Server Traffic (group 13) || url,www.shadowserver.org
    2404013 || ET DROP Known Bot C&C Server Traffic (group 14) || url,www.shadowserver.org
    2404014 || ET DROP Known Bot C&C Server Traffic (group 15) || url,www.shadowserver.org
    2404015 || ET DROP Known Bot C&C Server Traffic (group 16) || url,www.shadowserver.org
    2404016 || ET DROP Known Bot C&C Server Traffic (group 17) || url,www.shadowserver.org
    2404017 || ET DROP Known Bot C&C Server Traffic (group 18) || url,www.shadowserver.org
    2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org
    2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
    2405006 || ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org
    2405007 || ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org
    2405008 || ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE || url,www.shadowserver.org
    2405009 || ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org
    2405010 || ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE || url,www.shadowserver.org
    2405011 || ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE || url,www.shadowserver.org
    2405012 || ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE || url,www.shadowserver.org
    2405013 || ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE || url,www.shadowserver.org
    2405014 || ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE || url,www.shadowserver.org
    2405015 || ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE || url,www.shadowserver.org
    2405016 || ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE || url,www.shadowserver.org
    2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org
    2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org
    2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org

From inittab at jtan.com Sat Jan 3 18:15:29 2009
From: inittab at jtan.com (RPG)
Date: Sat, 03 Jan 2009 18:15:29 -0500
Subject: [Emerging-Sigs] TROJAN Infection Checking Internet IP
In-Reply-To: <495FCB01.3080108@jonkmans.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C291B@webmail.latis.com>
	<495FCB01.3080108@jonkmans.com>
Message-ID: <495FF191.9030501@jtan.com>

Hello Everyone and Happy New Year!

Referencing existing sid 2008803, I think it might be useful to either add the IP's for whatismyip.com to the sig, create a new sig with those IP's added or create an all new rule. It seems to be common for some nasties to check their exit Internet IP's. Obviously there are legitimate uses for these sites but having a sig like this might be a good marker for further research. Here is one search result concerning whatismyip.com:
http://threatexpert.com/reports.aspx?find=whatismyip.com

My first proposal is to create a new sig for just whatismyip.com, this is based on sid 2008803 with the IP's changed, a new msg and new reference:

alert tcp $HOME_NET any -> [72.233.89.198,72.233.89.199,72.233.89.200] $HTTP_PORTS (msg:"ET TROJAN Possible Infection Obtaining Internet IP"; flow:to_server; classtype:trojan-activity; reference:url,threatexpert.com/reports.aspx?find=whatismyip.com; threshold:type both, count 5, seconds 60, track by_src; sid:xxxxxxxx; rev:1;)

My second proposal is to simply update sig 2008803,
changed the description,
updated the IP for www.whatsmyipaddress.com,
updated the IP for getmyip.co.uk,
added the IP's for whatismyip.com,
and added a new reference,

alert tcp $HOME_NET any -> [66.114.124.141,81.144.213.187,75.126.138.202,72.249.118.38,208.78.69.70,204.13.249.70,208.78.68.70,72.233.89.198,72.233.89.199,72.233.89.200] $HTTP_PORTS (msg:"ET TROJAN Possible Infection Obtaining Internet IP"; flow:to_server; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; reference:url,threatexpert.com/reports.aspx?find=whatismyip.com; threshold:type both, count 5, seconds 60, track by_src; sid:2008803; rev:3;)

Lastly, and this is my preference, perhaps an all new rule would be best here, sigs based on IP's are obviously the most efficient but it's a moving target. What do y'all think about making a rule using pcre that looks for all of those Hosts? I know that pcre's are inefficient but maybe it's the best way to go here. I added an extra content search for "ip" since all the hosts have that 2 letter string, perhaps that will lessen the load a bit. Thoughts?

Here is my proposal for that rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Infection Obtaining Internet IP"; flow:to_server,established; content:"Host|3A|"; nocase; content:"ip"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*(whatismyip\x2Ecom|checkip\x2Edyndns\x2Eorg|getmyip\x2Eorg|whatsmyipaddress\x2Ecom|getmyip\x2Eco\x2Euk)/smi"; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; reference:url,threatexpert.com/reports.aspx?find=whatismyip.com; classtype:trojan-activity; sid:XXXXXXXXXXXXXXXXXXXX; rev:1;)

Let me know what you think. Also, are there other common ip-checking sites that should be added?

Cheers!
Bob

From jonkman at jonkmans.com Sun Jan 4 07:25:32 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sun, 04 Jan 2009 07:25:32 -0500
Subject: [Emerging-Sigs] TROJAN Infection Checking Internet IP
In-Reply-To: <495FF191.9030501@jtan.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C291B@webmail.latis.com>
	<495FCB01.3080108@jonkmans.com> <495FF191.9030501@jtan.com>
Message-ID: <4960AABC.30806@jonkmans.com>

I really like the idea of sigs for the IP checking sites. There are a bunch, but I think it'd be manageable to get the major ones used by the majority of malware.

Is anyone aware of legitimate apps that use these sites? Other than home users, tech support guys, etc. Any reason these sigs would false positive more than they'd be useful?

Matt

RPG wrote:
> Hello Everyone and Happy New Year!
>
> Referencing existing sid 2008803, I think it might be useful to either
> add the IP's for whatismyip.com to the sig, create a new sig with those
> IP's added or create an all new rule. It seems to be common for some
> nasties to check their exit Internet IP's. Obviously there are
> legitimate uses for these sites but having a sig like this might be a
> good marker for further research. Here is one search result concerning
> whatismyip.com:
> http://threatexpert.com/reports.aspx?find=whatismyip.com
>
>
> My first proposal is to create a new sig for just whatismyip.com, this
> is based on sid 2008803 with the IP's changed, a new msg and new reference:
>
> alert tcp $HOME_NET any ->
> [72.233.89.198,72.233.89.199,72.233.89.200] $HTTP_PORTS
> (msg:"ET TROJAN Possible Infection Obtaining Internet IP";
> flow:to_server; classtype:trojan-activity;
> reference:url,threatexpert.com/reports.aspx?find=whatismyip.com;
> threshold:type both, count 5, seconds 60, track by_src;
> sid:xxxxxxxx; rev:1;)
>
>
> My second proposal is to simply update sig 2008803,
> changed the description,
> updated the IP for www.whatsmyipaddress.com,
> updated the IP for getmyip.co.uk,
> added the IP's for whatismyip.com,
> and added a new reference,
>
> alert tcp $HOME_NET any -> [66.114.124.141,81.144.213.187,
> 75.126.138.202,72.249.118.38,208.78.69.70,204.13.249.70,208.78.68.70,72.233.89.198,72.233.89.199,72.233.89.200]
> $HTTP_PORTS (msg:"ET TROJAN Possible Infection Obtaining Internet IP";
> flow:to_server; classtype:trojan-activity;
> reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A;
> reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml;
> reference:url,threatexpert.com/reports.aspx?find=whatismyip.com;
> threshold:type both, count 5, seconds 60, track by_src; sid:2008803; rev:3;)
>
> Lastly, and this is my preference, perhaps an all new rule would be best
> here, sigs based on IP's are obviously the most efficient but it's a
> moving target. What do y'all think about making a rule using pcre that
> looks for all of those Hosts? I know that pcre's are inefficient but
> maybe it's the best way to go here. I added an extra content search for
> "ip" since all the hosts have that 2 letter string, perhaps that will
> lessen the load a bit. Thoughts?
>
> Here is my proposal for that rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Possible Infection Obtaining Internet IP";
> flow:to_server,established;
> content:"Host|3A|"; nocase; content:"ip"; distance:0; nocase;
> pcre:"/^Host\x3a[^\r\n]*(whatismyip\x2Ecom|checkip\x2Edyndns\x2Eorg|getmyip\x2Eorg|whatsmyipaddress\x2Ecom|getmyip\x2Eco\x2Euk)/smi";
> reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A;
> reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml;
> reference:url,threatexpert.com/reports.aspx?find=whatismyip.com;
> classtype:trojan-activity; sid:XXXXXXXXXXXXXXXXXXXX; rev:1;)
>
> Let me know what you think. Also, are there other common ip-checking
> sites that should be added?
>
> Cheers!
> Bob
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Sun Jan 4 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 4 Jan 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090104210009.5F4194501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Jan 4 16:00:09 2009 [***]

[+++] Added rules: [+++]

    2008962 - ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion (emerging-web_sql_injection.rules)
    2008972 - ET TROJAN Pointfree.co.kr Trojan/Spyware Infection Checkin (emerging-virus.rules)
    2008973 - ET MALWARE onmuz.com Infection Activity (emerging-virus.rules)
    2008974 - ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible)) (emerging-malware.rules)
    2008975 - ET TROJAN HTTP Post with Double Accept header - Likely Trojan Activity (emerging-virus.rules)

[---] Removed rules: [---]

    2008982 - ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion (emerging-web_sql_injection.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (33):
    2008962 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
    2008972 || ET TROJAN Pointfree.co.kr Trojan/Spyware Infection Checkin
    2008973 || ET MALWARE onmuz.com Infection Activity
    2008974 || ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible))
    2008975 || ET TROJAN HTTP Post with Double Accept header - Likely Trojan Activity
    2404006 || ET DROP Known Bot C&C Server Traffic (group 7) || url,www.shadowserver.org
    2404007 || ET DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org
    2404008 || ET DROP Known Bot C&C Server Traffic (group 9) || url,www.shadowserver.org
    2404009 || ET DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org
    2404010 || ET DROP Known Bot C&C Server Traffic (group 11) || url,www.shadowserver.org
    2404011 || ET DROP Known Bot C&C Server Traffic (group 12) || url,www.shadowserver.org
    2404012 || ET DROP Known Bot C&C Server Traffic (group 13) || url,www.shadowserver.org
    2404013 || ET DROP Known Bot C&C Server Traffic (group 14) || url,www.shadowserver.org
    2404014 || ET DROP Known Bot C&C Server Traffic (group 15) || url,www.shadowserver.org
    2404015 || ET DROP Known Bot C&C Server Traffic (group 16) || url,www.shadowserver.org
    2404016 || ET DROP Known Bot C&C Server Traffic (group 17) || url,www.shadowserver.org
    2404017 || ET DROP Known Bot C&C Server Traffic (group 18) || url,www.shadowserver.org
    2405006 || ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org
    2405007 || ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org
    2405008 || ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE || url,www.shadowserver.org
    2405009 || ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org
    2405010 || ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE || url,www.shadowserver.org
    2405011 || ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE || url,www.shadowserver.org
    2405012 || ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE || url,www.shadowserver.org
    2405013 || ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE || url,www.shadowserver.org
    2405014 || ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE || url,www.shadowserver.org
    2405015 || ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE || url,www.shadowserver.org
    2405016 || ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE || url,www.shadowserver.org
    2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org
    2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (33):
    2008962 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
    2008972 || ET TROJAN Pointfree.co.kr Trojan/Spyware Infection Checkin
    2008973 || ET MALWARE onmuz.com Infection Activity
    2008974 || ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible))
    2008975 || ET TROJAN HTTP Post with Double Accept header - Likely Trojan Activity
    2404006 || ET DROP Known Bot C&C Server Traffic (group 7) || url,www.shadowserver.org
    2404007 || ET DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org
    2404008 || ET DROP Known Bot C&C Server Traffic (group 9) || url,www.shadowserver.org
    2404009 || ET DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org
    2404010 || ET DROP Known Bot C&C Server Traffic (group 11) || url,www.shadowserver.org
    2404011 || ET DROP Known Bot C&C Server Traffic (group 12) || url,www.shadowserver.org
    2404012 || ET DROP Known Bot C&C Server Traffic (group 13) || url,www.shadowserver.org
    2404013 || ET DROP Known Bot C&C Server Traffic (group 14) || url,www.shadowserver.org
    2404014 || ET DROP Known Bot C&C Server Traffic (group 15) || url,www.shadowserver.org
    2404015 || ET DROP Known Bot C&C Server Traffic (group 16) || url,www.shadowserver.org
    2404016 || ET DROP Known Bot C&C Server Traffic (group 17) || url,www.shadowserver.org
    2404017 || ET DROP Known Bot C&C Server Traffic (group 18) || url,www.shadowserver.org
    2405006 || ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org
    2405007 || ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org
    2405008 || ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE || url,www.shadowserver.org
    2405009 || ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org
    2405010 || ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE || url,www.shadowserver.org
    2405011 || ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE || url,www.shadowserver.org
    2405012 || ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE || url,www.shadowserver.org
    2405013 || ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE || url,www.shadowserver.org
    2405014 || ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE || url,www.shadowserver.org
    2405015 || ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE || url,www.shadowserver.org
    2405016 || ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE || url,www.shadowserver.org
    2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org
    2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-virus.rules (1):
    #by victort julien

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (1):
    2008982 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392

    -> Removed from emerging-sid-msg.map.txt (1):
    2008982 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392

From signatures at stillsecure.com Mon Jan 5 04:14:49 2009
From: signatures at stillsecure.com (signatures)
Date: Mon, 5 Jan 2009 02:14:49 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Jan-5-2009
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C291C@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. phpAddEdit editform parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"phpAddEdit editform parameter Local File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/addedit-render.php?"; nocase; uricontent:"editform="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7417; reference:bugtraq,32774; sid:508289; rev:1;)

2. Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1"; nocase; distance:0; content:"Open"; nocase; content:".avi"; nocase; distance:0; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7431; reference:bugtraq,32613; sid:508293; rev:1;)

3. Multiple Membership Script id parameter SQL injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Multiple Membership Script id parameter SQL injection"; content:"GET "; depth:4; uricontent:"/sitepage.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33019/; reference:url,milw0rm.com/exploits/7346; sid:2008199; rev:1;)

4. CF_Calendar calid parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CF_Calendar calid parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/calendarevent.cfm?"; nocase; uricontent:"calid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33074/; reference:url,milw0rm.com/exploits/7413; sid:2008205; rev:1;)

5. Simple Text-File Login script slogin_path parameter remote file inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Simple Text-File Login script slogin_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/slogin_lib.inc.php?"; nocase; uricontent:"slogin_path="; nocase; pcre:"/slogin_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,32811; reference:url,milw0rm.com/exploits/7444; sid:2008217; rev:1;)

6. WEB-PHP icash Click&BaneX user_menu.asp ID parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP icash Click&BaneX user_menu.asp ID parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/user_menu.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7484; reference:bugtraq,32856; sid:2008005; rev:1;)

7. WEB-PHP EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/resim.asp?"; nocase; uricontent:"islem=altkat"; nocase; uricontent:"kat_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33199/; reference:url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt; sid:2008003; rev:1;)

8. WEB-ATTACKS EvansFTP EvansFTP.ocx Remote Buffer Overflow

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS EvansFTP EvansFTP.ocx Remote Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD"; distance:0; nocase; content:"RemoteAddress"; nocase; classtype:web-application-attack; reference:bugtraq,32814; reference:url,www.milw0rm.com/exploits/7460; sid:2008128; rev:1;)

9. WEB-ATTACKS Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; distance:0; nocase; content:"SetID"; nocase; classtype:web-application-attack; reference:bugtraq,32901; reference:url,www.milw0rm.com/exploits/7505; sid:2008129; rev:1;)

10. WEB-PHP RSS Simple News news.php pid parameter Remote SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP RSS Simple News news.php pid parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/news.php?"; nocase; content:"pid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7541; reference:bugtraq,32962; sid:2008016; rev:1;)

Looking forward to your comments if any...

Thanks & Regards,
StillSecure

From scheidell at secnap.net Mon Jan 5 13:48:04 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Mon, 05 Jan 2009 13:48:04 -0500
Subject: [Emerging-Sigs] [Fwd: alert: New event: ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55)]
Message-ID: <496255E4.9070904@secnap.net>

ip on two different block lists.
01/05-13:36:23 TCP 216.188.26.235:80 --> 192.168.200.118:2968
[1:2407053:96] ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54)
[Classification: Misc Attack] [Priority: 2]

01/05-13:36:23 TCP 216.188.26.235:80 --> 192.168.200.118:2968
[1:2407054:96] ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55)
[Classification: Misc Attack] [Priority: 2]

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

* Certified SNORT Integrator
* King of Spam Filters, SC Magazine 2008
* Information Security Award 2008, Info Security Products Guide
* CRN Magazine Top 40 Emerging Security Vendors

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

From jonkman at jonkmans.com Mon Jan 5 13:58:02 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 05 Jan 2009 13:58:02 -0500
Subject: [Emerging-Sigs] [Fwd: alert: New event: ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55)]
In-Reply-To: <496255E4.9070904@secnap.net>
References: <496255E4.9070904@secnap.net>
Message-ID: <4962583A.4000408@jonkmans.com>

Got it, thanks. Had a /24 that encompassed that individual. Fixed up.

Thanks for the note!

Matt

Michael Scheidell wrote:
> ip on two different block lists.
>
> 01/05-13:36:23 TCP 216.188.26.235:80 --> 192.168.200.118:2968
> [1:2407053:96] ET RBN Known Russian Business Network Monitored Domains -
> BLOCKING (54)
> [Classification: Misc Attack] [Priority: 2]
>
> 01/05-13:36:23 TCP 216.188.26.235:80 --> 192.168.200.118:2968
> [1:2407054:96] ET RBN Known Russian Business Network Monitored Domains -
> BLOCKING (55)
> [Classification: Misc Attack] [Priority: 2]
>
> --
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
> SECNAP Network Security Corporation
>
> * Certified SNORT Integrator
> * King of Spam Filters, SC Magazine 2008
> * Information Security Award 2008, Info Security Products Guide
> * CRN Magazine Top 40 Emerging Security Vendors
>
> ------------------------------------------------------------------------
>
> This email has been scanned and certified safe by SpammerTrap(r).
> For Information please see www.secnap.com/products/spammertrap/
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Mon Jan 5 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 5 Jan 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090105210009.66DBB4501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Jan 5 16:00:09 2009 [***]

[///] Modified active rules: [///]

    2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
    2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
    2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
    2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
    2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
    2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
    2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
    2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
    2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
    2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
    2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
    2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
    2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
    2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
    2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
    2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
    2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
    2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
    2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
    2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
    2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
    2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
    2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
    2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
    2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
    2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
    2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
    2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
    2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
    2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
    2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
    2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
    2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
    2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
    2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
    2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
    2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
    2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
    2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
    2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
    2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
    2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
    2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
    2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
    2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
    2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
    2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
    2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
    2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
    2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
    2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
    2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
    2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
    2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
    2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
    2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
    2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
    2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
    2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
    2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
    2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
    2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
    2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
    2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
    2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
    2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
    2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
    2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
    2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
    2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
    2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
    2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
    2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
    2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
    2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
    2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
    2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
    2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
    2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
    2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
    2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
    2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
    2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules)
    2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules)
    2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules)
    2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules)
    2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules)
    2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules)
    2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules)
    2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules)
    2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
    2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
    2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
    2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
    2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
    2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
    2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
    2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
    2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
    2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
    2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
    2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
    2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
    2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
    2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
    2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
    2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
    2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
    2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
    2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
    2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
    2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
    2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
    2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
    2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
    2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
    2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
    2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules)
    2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules)
    2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules)
    2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules)
    2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules)
    2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules)
    2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules)
    2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules)
    2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules)
    2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules)
    2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules)
    2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules)
    2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules)
    2406130 - ET RBN Known Russian Business Network Monitored Domains (131)
(emerging-rbn.rules) 2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules) 2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules) 2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules) 2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules) 2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules) 2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules) 2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules) 2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules) 2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules) 2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules) 2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules) 2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules) 2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules) 2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules) 2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules) 2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules) 2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules) 2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules) 2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules) 2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules) 2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules) 2406152 - ET RBN Known 
Russian Business Network Monitored Domains (153) (emerging-rbn.rules) 2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules) 2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules) 2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules) 2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules) 2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules) 2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules) 2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules) 2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules) 2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules) 2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules) 2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules) 2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules) 2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules) 2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules) 2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules) 2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules) 2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules) 2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules) 2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules) 2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules) 2406173 - ET RBN Known Russian Business Network Monitored Domains 
(174) (emerging-rbn.rules) 2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules) 2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules) 2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules) 2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules) 2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules) 2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules) 2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules) 2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules) 2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules) 2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules) 2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules) 2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules) 2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules) 2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules) 2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules) 2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules) 2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules) 2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules) 2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules) 2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules) 2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules) 2406195 - ET RBN 
Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules) 2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules) 2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules) 2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN 
Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) 
(emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) 
(emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) 
(emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) 
(emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules) 2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) (emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules) 2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) 
(emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules) 2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) (emerging-rbn-BLOCK.rules) 2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules) 2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) (emerging-rbn-BLOCK.rules) 2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules) 2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules) 2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules) 2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules) 2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) 
(emerging-rbn-BLOCK.rules)
2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules)
2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 98
# Updated 2009-01-05 13:57:13

-> Added to emerging-rbn.rules (2):
# VERSION 98
# Updated 2009-01-05 13:57:13

-> Added to emerging-sid-msg.map (4):
2500067 || ET COMPROMISED Known Compromised or Hostile Host Traffic (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500068 || ET COMPROMISED Known Compromised or Hostile Host Traffic (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (4):
2500067 || ET COMPROMISED Known Compromised or Hostile Host Traffic (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500068 || ET COMPROMISED Known Compromised or Hostile Host Traffic (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 96
# Updated 2008-12-29 11:46:50

-> Removed from emerging-rbn.rules (2):
# VERSION 96
# Updated 2008-12-29 11:46:50

From phatbuckett at gmail.com Tue Jan 6 03:31:48 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Tue, 6 Jan 2009 01:31:48 -0700
Subject: [Emerging-Sigs] CURRENT_EVENTS Gicia.info Related Trojan Checkin additional data
Message-ID: <839aec700901060031h3bfed2bfp879d1d59e59e4b81@mail.gmail.com>

Searching through proxy logs for a compromised host I encountered
activity that seems to be tied to the trojan in the following rules:

#by Philipp Bescht
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)"; flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase; uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008382; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)"; flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase; uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008383; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)"; flow:established,to_server; uricontent:"/cd/un.php?id="; nocase; uricontent:"&ver=ig"; nocase; classtype:trojan-activity; sid:2008384; rev:2;)

Client requests:

hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1

With the 'ver' parameter being variable we should get more matches if
it's loosened a bit:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)"; flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008382; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)"; flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008383; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)"; flow:established,to_server; uricontent:"/cd/un.php?id="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008384; rev:3;)

Any common naming of the trojan?

--
Darren Spruell
phatbuckett at gmail.com


From jonkman at jonkmans.com Tue Jan 6 12:06:13 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 06 Jan 2009 12:06:13 -0500
Subject: [Emerging-Sigs] CURRENT_EVENTS Gicia.info Related Trojan Checkin additional data
In-Reply-To: <839aec700901060031h3bfed2bfp879d1d59e59e4b81@mail.gmail.com>
References: <839aec700901060031h3bfed2bfp879d1d59e59e4b81@mail.gmail.com>
Message-ID: <49638F85.1030808@jonkmans.com>

I agree, those changes should be reliable. I'll get them posted now.

As for a name on the trojan, here's about as standard as we get:

Trj/Downloader.UUP
TR/VB.djc
Trojan.VB.djc
Trojan:Win32/Piptea.A
a variant of Win32/Kryptik.DQ
InformationStealer
Heuristic.Crypted
Sus/Behav-273

Pick the one you like best. :)

It is remaining stable though, so I'll move these sigs over to the main ruleset.

Thanks Darren!!

Matt

Darren Spruell wrote:
> Searching through proxy logs for a compromised host I encountered
> activity that seems to be tied to the trojan in the following rules:
>
> #by Philipp Bescht
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)";
> flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase;
> uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008382;
> rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)";
> flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase;
> uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008383;
> rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)";
> flow:established,to_server; uricontent:"/cd/un.php?id="; nocase;
> uricontent:"&ver=ig"; nocase; classtype:trojan-activity; sid:2008384;
> rev:2;)
>
> Client requests:
>
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
>
> With the 'ver' parameter being variable we should get more matches if
> it's loosened a bit:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)";
> flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008382;
> rev:3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)";
> flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008383;
> rev:3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)";
> flow:established,to_server; uricontent:"/cd/un.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008384;
> rev:3;)
>
> Any common naming of the trojan?
> --

--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc


From jonkman at jonkmans.com Tue Jan 6 12:11:11 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 06 Jan 2009 12:11:11 -0500
Subject: [Emerging-Sigs] CURRENT_EVENTS Gicia.info Related Trojan Checkin additional data
In-Reply-To: <839aec700901060031h3bfed2bfp879d1d59e59e4b81@mail.gmail.com>
References: <839aec700901060031h3bfed2bfp879d1d59e59e4b81@mail.gmail.com>
Message-ID: <496390AF.5000602@jonkmans.com>

Also noticed in our samples (as in below) that every id starts with 1-1. Adding that to eliminate any FPs.

Matt

Darren Spruell wrote:
> Searching through proxy logs for a compromised host I encountered
> activity that seems to be tied to the trojan in the following rules:
>
> #by Philipp Bescht
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)";
> flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase;
> uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008382;
> rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)";
> flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase;
> uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008383;
> rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)";
> flow:established,to_server; uricontent:"/cd/un.php?id="; nocase;
> uricontent:"&ver=ig"; nocase; classtype:trojan-activity; sid:2008384;
> rev:2;)
>
> Client requests:
>
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
>
> With the 'ver' parameter being variable we should get more matches if
> it's loosened a bit:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)";
> flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008382;
> rev:3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)";
> flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008383;
> rev:3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)";
> flow:established,to_server; uricontent:"/cd/un.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008384;
> rev:3;)
>
> Any common naming of the trojan?
> --

--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc


From jonkman at jonkmans.com Tue Jan 6 12:19:37 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 06 Jan 2009 12:19:37 -0500
Subject: [Emerging-Sigs] CURRENT_EVENTS Gicia.info Related Trojan Checkin additional data
In-Reply-To: <839aec700901060031h3bfed2bfp879d1d59e59e4b81@mail.gmail.com>
References: <839aec700901060031h3bfed2bfp879d1d59e59e4b81@mail.gmail.com>
Message-ID: <496392A9.1070201@jonkmans.com>

Gone with this, look right?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Piptea.a Related Trojan Checkin (1)"; flow:established,to_server; uricontent:"/cd/cd.php?id="; uricontent:"&ver="; pcre:"/\/cd\/cd\.php.id=[A-F0-9\-]+&ver=/U"; classtype:trojan-activity; sid:2008382; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Piptea.a Related Trojan Checkin (2)"; flow:established,to_server; uricontent:"/cd/un2.php?id="; uricontent:"&ver="; pcre:"/\/cd\/un2\.php.id=[A-F0-9\-]+&ver=/U"; classtype:trojan-activity; sid:2008383; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Piptea.a Related Trojan Checkin (3)"; flow:established,to_server; uricontent:"/cd/un.php?id="; uricontent:"&ver="; pcre:"/\/cd\/un\.php.id=[A-F0-9\-]+&ver=/U"; classtype:trojan-activity; sid:2008384; rev:3;)

Darren Spruell wrote:
> Searching through proxy logs for a compromised host I encountered
> activity that seems to be tied to the trojan in the following rules:
>
> #by Philipp Bescht
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)";
> flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase;
> uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008382;
> rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)";
> flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase;
> uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008383;
> rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)";
> flow:established,to_server; uricontent:"/cd/un.php?id="; nocase;
> uricontent:"&ver=ig"; nocase; classtype:trojan-activity; sid:2008384;
> rev:2;)
>
> Client requests:
>
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://netsecurityupdates.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://updatesabout.com/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
> hxxp://winwupdates.cn/cd/cd.php?id=1-1C9644A8D954FA0&ver=kk1
>
> With the 'ver' parameter being variable we should get more matches if
> it's loosened a bit:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)";
> flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008382;
> rev:3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)";
> flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008383;
> rev:3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)";
> flow:established,to_server; uricontent:"/cd/un.php?id="; nocase;
> uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2008384;
> rev:3;)
>
> Any common naming of the trojan?
> --

--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc


From emerging at emergingthreats.net Tue Jan 6 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 6 Jan 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090106210009.B339E45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue Jan 6 16:00:09 2009 [***]

[+++] Added rules: [+++]

2008382 - ET TROJAN Piptea.a Related Trojan Checkin (1) (emerging-virus.rules)
2008383 - ET TROJAN Piptea.a Related Trojan Checkin (2) (emerging-virus.rules)
2008384 - ET TROJAN Piptea.a Related Trojan Checkin (3) (emerging-virus.rules)
2008976 - ET TROJAN Vundo Variant reporting to Controller via HTTP (1) (emerging-virus.rules)
2008977 - ET TROJAN Vundo Variant reporting to Controller via HTTP (2) (emerging-virus.rules)
2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules)
2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules)
2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules)
2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules)
2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules)
2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules)
2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules)
2407199 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) (emerging-rbn-BLOCK.rules)
2407200 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) (emerging-rbn-BLOCK.rules)
2407201 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) (emerging-rbn-BLOCK.rules)
2407202 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) (emerging-rbn-BLOCK.rules)
2407203 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) (emerging-rbn-BLOCK.rules)
2407204 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) (emerging-rbn-BLOCK.rules)
2407205 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

2001219 - ET SCAN Potential SSH Scan (emerging-scan.rules)
2003068 - ET SCAN Potential SSH Scan OUTBOUND (emerging-scan.rules)
2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules)
2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules)
2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules)
2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules)
2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules)
2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules)
2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules)
2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules)
2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules)
2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules)
2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules)
2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules)
2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules)
2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules)
2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules)
2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules)
2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules)
2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules)
2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules)
2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules)
2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules)
2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules)
2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules)
2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules)
2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules)
2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules)
2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules)
2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules)
2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules)
2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules)
2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules)
2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules)
2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules)
2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules)
2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules)
2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules)
2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules)
2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules)
2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules)
2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules)
2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules)
2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules)
2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules)
2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules)
2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules)
2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules)
2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules)
2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules)
2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules)
2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules)
2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules)
2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules)
2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules)
2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules)
2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules)
2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules)
2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules)
2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules)
2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules)
2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules)
2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules)
2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules)
2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules)
2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules)
2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules)
2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules)
2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules)
2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules)
2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules)
2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules)
2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules)
2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules)
2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules)
2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules)
2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules)
2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules)
2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules)
2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules)
2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules)
2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules)
2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules)
2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules)
2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules)
2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules)
2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules)
2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules)
2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules)
2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules)
2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules)
2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules)
2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian
Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) 
(emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) 
(emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) 
(emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) 
(emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) 
(emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules) 2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) 
(emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules) 2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) (emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules) 2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) 
(emerging-rbn-BLOCK.rules) 2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules) 2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) (emerging-rbn-BLOCK.rules) 2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules) 2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules) 2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules) 2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules) 2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) (emerging-rbn-BLOCK.rules) 2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules) 2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules) [---] Removed rules: [---] 2008382 - ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1) (emerging.rules) 2008383 - ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2) (emerging.rules) 2008384 - ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3) (emerging.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 100 # Updated 2009-01-06 11:49:54 -> Added to emerging-rbn.rules (2): # VERSION 100 # Updated 2009-01-06 11:49:54 -> Added to emerging-sid-msg.map (25): 2008382 || ET TROJAN Piptea.a Related Trojan Checkin (1) 2008383 || ET TROJAN Piptea.a Related Trojan Checkin (2) 2008384 || ET TROJAN Piptea.a Related Trojan Checkin (3) 2008976 || ET MALWARE Suspicious User Agent (BlackSun) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html 2008977 || ET TROJAN Vundo Variant reporting to Controller via HTTP (2) 2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org 2405018 || ET 
DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org 2406199 || ET RBN Known Russian Business Network Monitored Domains (200) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406200 || ET RBN Known Russian Business Network Monitored Domains (201) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406201 || ET RBN Known Russian Business Network Monitored Domains (202) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406202 || ET RBN Known Russian Business Network Monitored Domains (203) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406203 || ET RBN Known Russian Business Network Monitored Domains (204) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406204 || ET RBN Known Russian Business Network Monitored Domains (205) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406205 || ET RBN Known Russian Business Network Monitored Domains (206) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407199 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407200 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407201 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407202 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407203 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407204 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407205 || ET 
RBN Known Russian Business Network Monitored Domains - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500069 || ET COMPROMISED Known Compromised or Hostile Host Traffic (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (25): 2008382 || ET TROJAN Piptea.a Related Trojan Checkin (1) 2008383 || ET TROJAN Piptea.a Related Trojan Checkin (2) 2008384 || ET TROJAN Piptea.a Related Trojan Checkin (3) 2008976 || ET MALWARE Suspicious User Agent (BlackSun) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html 2008977 || ET TROJAN Vundo Variant reporting to Controller via HTTP (2) 2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org 2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org 2406199 || ET RBN Known Russian Business Network Monitored Domains (200) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406200 || ET RBN Known Russian Business Network Monitored Domains (201) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406201 || ET RBN Known Russian Business Network Monitored Domains (202) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406202 || ET RBN Known Russian Business Network Monitored Domains (203) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406203 || ET RBN Known Russian Business Network Monitored Domains (204) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 
2406204 || ET RBN Known Russian Business Network Monitored Domains (205) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406205 || ET RBN Known Russian Business Network Monitored Domains (206) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407199 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407200 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407201 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407202 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407203 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407204 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407205 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2500069 || ET COMPROMISED Known Compromised or Hostile Host Traffic (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-virus.rules (2):
#by Philipp Bescht, updates by Darren Spruel
#by Netmonk

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 98
# Updated 2009-01-05 13:57:13

-> Removed from emerging-rbn.rules (2):
# VERSION 98
# Updated 2009-01-05 13:57:13

-> Removed from emerging-sid-msg.map (3):
2008382 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)
2008383 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)
2008384 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)

-> Removed from emerging-sid-msg.map.txt (3):
2008382 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)
2008383 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)
2008384 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)

From jonkman at jonkmans.com Wed Jan 7 13:30:12 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 07 Jan 2009 13:30:12 -0500
Subject: [Emerging-Sigs] Whatismyip Sigs
Message-ID: <4964F4B4.4020504@jonkmans.com>

A common thing many of the malware samples we see do is hit whatismyip.com to get their external ip address. There are a few other sites, but whatismyip.com/net/org is by far the most prevalent as they are automation friendly and don't make it difficult to scrape the IP.

There are a few others; I've put together the following sigs to get the ones we see in malware. These aren't all of the ip lookup sites, there are hundreds. But these are very commonly used.

And to be clear: We do mean to imply these sites are bad or complicit with any of the bots out there. Just unexpected access to these in your net is something you should check out.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection"; flow:established,to_server; uricontent:"/automation/n09230945.asp"; classtype:attempted-recon; sid:2008985; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; content:".whatismyip."; within:15; classtype:attempted-recon; sid:2008986; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; content:".showip."; within:15; classtype:attempted-recon; sid:2008987; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; content:".cmyip."; within:12; classtype:attempted-recon; sid:2008988; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; content:".showmyip."; within:15; classtype:attempted-recon; sid:2008989; rev:1;)

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Wed Jan 7 13:32:47 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 07 Jan 2009 13:32:47 -0500
Subject: [Emerging-Sigs] Whatismyip Sigs
In-Reply-To: <4964F4B4.4020504@jonkmans.com>
References:
<4964F4B4.4020504@jonkmans.com> Message-ID: <4964F54F.7020403@jonkmans.com> Forgot to ask, anyone know of other sites that are commonly used by malware? These are 95% of what we see in the sandnet. matt Matt Jonkman wrote: > A common thing many of the malware samples we see do it hit > whatismyip.com to get their external ip address. There are a few other > sites, but whatismyip.com/net/org is by far the most prevalent as they > are automation friendly and don't make it difficult to scrape the IP. > > There are a few others, I've put together the following sigs to get the > ones we see in malware. These aren't all of the ip lookup sites, there > are hundreds. But these are very commonly used. > > And to be clear: We do mean to imply these sites are bad or complicit > with any of the bots out there. Just unexpected access to these in your > net is something you should check out. > > > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY > Internal Host Retrieving External IP via whatismyip.com Automation Page > - Possible Infection"; flow:established,to_server; > uricontent:"/automation/n09230945.asp"; classtype:attempted-recon; > sid:2008985; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY > Internal Host Retrieving External IP via whatismyip.com - Possible > Infection"; flow:established,to_server; content:"GET "; depth:4; > content:"|0d 0a|Host\: "; content:".whatismyip."; within:15; > classtype:attempted-recon; sid:2008986; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY > Internal Host Retrieving External IP via showip.net - Possible > Infection"; flow:established,to_server; content:"GET "; depth:4; > content:"|0d 0a|Host\: "; content:".showip."; within:15; > classtype:attempted-recon; sid:2008987; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY > Internal Host Retrieving External IP via cmyip.com - Possible > Infection"; 
flow:established,to_server; content:"GET "; depth:4;
> content:"|0d 0a|Host\: "; content:".cmyip."; within:12;
> classtype:attempted-recon; sid:2008988; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Internal Host Retrieving External IP via showmyip.com - Possible
> Infection"; flow:established,to_server; content:"GET "; depth:4;
> content:"|0d 0a|Host\: "; content:".showmyip."; within:15;
> classtype:attempted-recon; sid:2008989; rev:1;)
>
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From cunningpike at gmail.com Wed Jan 7 15:31:49 2009
From: cunningpike at gmail.com (CunningPike)
Date: Wed, 07 Jan 2009 12:31:49 -0800
Subject: [Emerging-Sigs] [Fwd: ARIN receives 2 new /8 blocks]
Message-ID: <1231360309.11982.10.camel@arodgers-panasonic>

-------- Forwarded Message --------
> From: Member Services
> To: nanog at nanog.org
> Subject: ARIN receives 2 new /8 blocks
> Date: Tue, 30 Dec 2008 16:35:22 -0500
>
> ARIN received the IPv4 address blocks 108.0.0.0/8 and 184.0.0.0/8 from
> the IANA on Dec. 22, 2008. We will begin making allocations of /20 and
> shorter prefixes from these blocks in the near future in accordance with
> ARIN's minimum allocation policy.
>
> Network operators may wish to adjust any filters in place accordingly.
>
> For informational purposes, a list of ARIN's currently administered IP
> address blocks can be found at:
>
> http://www.arin.net/reference/ip_blocks.html
>
> Regards,
>
> Leslie Nobile
> Director, Registration Services
> American Registry for Internet Numbers (ARIN)
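The forwarded ARIN notice above is exactly the event that turns a bogon rule into a false-positive generator: once 108.0.0.0/8 and 184.0.0.0/8 are handed out, a "Reserved IP Space" signature that still lists them fires on legitimate traffic (Matt's reply further down says he will update the bogon sigs, and the Jan 8 daily changes list 2002750 as modified). The following is an added example by the editor, not Emerging Threats code and not the text of ET sid 2002750: it keeps a bogon list as prefixes, removes newly allocated space (including allocations smaller than a list entry, since ARIN says it will carve /20s out of these /8s), re-checks sample addresses, and renders the result as a generic Snort rule with a local sid. Only the two /8s come from the thread; the rest of the starting list is constructed for illustration.

```python
"""Bogon-list maintenance for a reserved-address rule, after ARIN's notice.

Added example by the editor; not Emerging Threats code and not the text of
ET sid 2002750. Only 108.0.0.0/8 and 184.0.0.0/8 come from the forwarded
message; the rest of the starting list is constructed for illustration.
"""
import ipaddress
from typing import Iterable, List

# Constructed starting list: reserved space plus the two /8s that IANA gave
# ARIN on 2008-12-22 (per the forwarded notice).
BOGONS_BEFORE = ["0.0.0.0/8", "108.0.0.0/8", "127.0.0.0/8", "184.0.0.0/8", "240.0.0.0/4"]

# Prefixes the ARIN notice says are now allocated and must leave the list.
ARIN_ALLOCATED = ["108.0.0.0/8", "184.0.0.0/8"]


def to_nets(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse prefix strings; strict=True rejects a prefix with host bits set."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def remove_allocated(bogons: Iterable[str], allocated: Iterable[str]) -> List[str]:
    """Return the bogon list minus allocated space, as sorted prefix strings.

    An allocation that covers a whole entry deletes it; an allocation inside
    an entry (a /20 carved from a /8) is cut out with address_exclude so the
    still-unallocated remainder keeps alerting.
    """
    remaining = to_nets(bogons)
    for alloc in to_nets(allocated):
        kept = []
        for net in remaining:
            if alloc.supernet_of(net):      # covers the entry (or equals it)
                continue
            if net.supernet_of(alloc):      # allocation sits inside the entry
                kept.extend(net.address_exclude(alloc))
            else:
                kept.append(net)
        remaining = kept
    return [str(n) for n in sorted(set(remaining))]


def is_bogon(ip: str, bogons: Iterable[str]) -> bool:
    """True when the address falls inside any listed bogon prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in to_nets(bogons))


def bogon_rule(bogons: Iterable[str], sid: int, rev: int) -> str:
    """Render the list as a generic Snort rule. Illustrative syntax with a
    local sid; the real ET rule text is not reproduced. Bump rev on change."""
    nets = ",".join(bogons)
    return (f'alert ip [{nets}] any -> $HOME_NET any '
            f'(msg:"POLICY Reserved IP Space Traffic - Bogon Nets"; '
            f'classtype:bad-unknown; sid:{sid}; rev:{rev};)')


if __name__ == "__main__":
    after = remove_allocated(BOGONS_BEFORE, ARIN_ALLOCATED)
    for ip in ("108.1.2.3", "184.200.0.1", "127.0.0.1"):
        print(ip, "bogon before:", is_bogon(ip, BOGONS_BEFORE),
              "after:", is_bogon(ip, after))
    print(bogon_rule(after, sid=9000001, rev=2))   # 9000001: local sid range
```

Re-running is_bogon over the last few days of alerts after each list change is a cheap way to see how many hits were only ever stale-list noise; the rule text itself should be regenerated from the list rather than hand-edited, so the rev bump and the prefix change never drift apart.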
From emerging at emergingthreats.net Wed Jan 7 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 7 Jan 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090107210009.9387D4501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Jan 7 16:00:09 2009 [***]

[+++] Added rules: [+++]

2008983 - ET MALWARE Suspicious User Agent (BlackSun) (emerging-malware.rules)
2008984 - ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report (emerging-virus.rules)
2008985 - ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection (emerging-policy.rules)
2008986 - ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection (emerging-policy.rules)
2008987 - ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection (emerging-policy.rules)
2008988 - ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection (emerging-policy.rules)
2008989 - ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection (emerging-policy.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-policy.rules (1):
# these services aren't bad inherently, but are often used by trojans to get their external IP

-> Added to emerging-sid-msg.map (12):
2008976 || ET TROJAN Vundo Variant reporting to Controller via HTTP (1)
2008983 || ET MALWARE Suspicious User Agent (BlackSun) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html
2008984 || ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report
2008985 || ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection
2008986 ||
ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection 2008987 || ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection 2008988 || ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection 2008989 || ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection 2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (12): 2008976 || ET TROJAN Vundo Variant reporting to Controller via HTTP (1) 2008983 || ET MALWARE Suspicious User Agent (BlackSun) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html 2008984 || ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report 2008985 || ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection 2008986 || ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection 2008987 || ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection 2008988 || ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection 2008989 || ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection 2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (1): 2008976 || ET MALWARE Suspicious User Agent (BlackSun) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html -> Removed from emerging-sid-msg.map.txt (1): 2008976 || ET MALWARE Suspicious User Agent (BlackSun) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html From scheidell at secnap.net Wed Jan 7 16:30:48 2009 From: scheidell at secnap.net (Michael Scheidell) Date: Wed, 07 Jan 2009 16:30:48 -0500 Subject: [Emerging-Sigs] anything yet for av2009? Message-ID: <49651F08.4000803@secnap.net> comes in via web, uses java, installs itself? http://www.google.com/search?q=av2009 -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 > *| *SECNAP Network Security Corporation * Certified SNORT Integrator * King of Spam Filters, SC Magazine 2008 * Information Security Award 2008, Info Security Products Guide * CRN Magazine Top 40 Emerging Security Vendors _________________________________________________________________________ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ _________________________________________________________________________ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090107/3ee2a54f/attachment.html From jonkman at jonkmans.com Wed Jan 7 16:37:21 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 07 Jan 2009 16:37:21 -0500 Subject: [Emerging-Sigs] [Fwd: ARIN receives 2 new /8 blocks] In-Reply-To: <1231360309.11982.10.camel@arodgers-panasonic> References: <1231360309.11982.10.camel@arodgers-panasonic> Message-ID: <49652091.3010207@jonkmans.com> Thanks pike, will update the bogon sigs. Matt CunningPike wrote: > -------- Forwarded Message -------- >> From: Member Services >> To: nanog at nanog.org >> Subject: ARIN receives 2 new /8 blocks >> Date: Tue, 30 Dec 2008 16:35:22 -0500 >> >> ARIN received the IPv4 address blocks 108.0.0.0/8 and 184.0.0.0/8 from >> the IANA on Dec. 22, 2008. We will begin making allocations of /20 and >> shorter prefixes from these blocks in the near future in accordance with >> ARIN's minimum allocation policy. >> >> Network operators may wish to adjust any filters in place accordingly. 
>> >> For informational purposes, a list of ARIN's currently administered IP >> address blocks can be found at: >> >> http://www.arin.net/reference/ip_blocks.html >> >> Regards, >> >> Leslie Nobile >> Director, Registration Services >> American Registry for Internet Numbers (ARIN) >> >> >> >> >> >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Wed Jan 7 16:47:34 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Wed, 07 Jan 2009 16:47:34 -0500 Subject: [Emerging-Sigs] anything yet for av2009? In-Reply-To: <49651F08.4000803@secnap.net> References: <49651F08.4000803@secnap.net> Message-ID: <496522F6.9040201@jonkmans.com> Yes in fact. We have about 6 versions of that in the sandnet. The following sigs hit on the one I looked at: 2406173 ET RBN Known Russian Business Network Monitored Domains (174) TCP 89.149.226.24:80 2008152 ET TROJAN Pakes/Cutwall/Kobcka Checkin URL TCP 89.149.226.24:80 2007854 ET MALWARE Suspicious User Agent - Possible Spyware Related (Mozilla) TCP 89.149.226.24:80 It hits a url of: GET http:// antivirus-database.com/firstrun.php?product=AV9&aff=&update=0207/av200 9&time=10:50:22%20PM With the UA "Mozilla" Should stick out like a sore thumb. You have one that isn't getting detected? Matt Michael Scheidell wrote: > comes in via web, uses java, installs itself? 
>
> http://www.google.com/search?q=av2009
>
> --
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
>> *| *SECNAP Network Security Corporation
>
> * Certified SNORT Integrator
> * King of Spam Filters, SC Magazine 2008
> * Information Security Award 2008, Info Security Products Guide
> * CRN Magazine Top 40 Emerging Security Vendors
>
>
> ------------------------------------------------------------------------
>
> This email has been scanned and certified safe by SpammerTrap(r).
> For Information please see www.secnap.com/products/spammertrap/
>
>
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From pepperjack at afferentsecurity.com Thu Jan 8 10:33:10 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Thu, 08 Jan 2009 09:33:10 -0600
Subject: [Emerging-Sigs] clear text passwords
Message-ID: <20090108093310.cm7i69twqskogcw8@mail.afferentsecurity.com>

I found a set of applications that were passing login credentials in the clear. Strangely enough we did not have a rule for spotting this shabby developer practice:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"login credentials being passed in POST data"; flow:to_server,established; content:"&username="; nocase; content:"&password="; nocase; classtype:policy-violation; sid:1048480; rev:1;)

I have taken the assumption that username and password are the given fieldnames, but in reality they could be anything.

jp

--
Framework? I don't need no stinking framework!
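Two rule shapes in this part of the thread are worth seeing run, because their behaviour differs in a way that matters for false positives and misses: Matt's whatismyip sigs (2008986-2008989) pin "GET " with depth:4 and then match the domain token only within a few bytes of the Host: header, while Jack's credential rule is two unanchored, case-insensitive content searches over the whole payload (the same whole-payload behaviour is why James's MyWay sig, reported later in the thread, fires on a cookie value). The following is an added example by the editor, not Emerging Threats code: it models those matching semantics in plain Python and runs them over constructed HTTP requests. The requests are made up, and match_cleartext_credentials_hardened is the editor's own variant of Jack's rule (POST only, body only, field allowed as the first pair), not a published ET signature.

```python
"""Matching logic of two rule shapes from this thread, run over constructed
HTTP requests.

Added example by the editor; not Emerging Threats code. The requests are made
up, and match_cleartext_credentials_hardened is the editor's variant of Jack's
rule, not a published ET signature.
"""
import re
from typing import Dict, Optional

# Host tokens and their within: values, as in sids 2008986-2008989.
IP_LOOKUP_RULES: Dict[bytes, int] = {
    b".whatismyip.": 15, b".showip.": 15, b".cmyip.": 12, b".showmyip.": 15}

HOST_ANCHOR = b"\r\nHost: "          # content:"|0d 0a|Host\: "


def match_ip_lookup(request: bytes,
                    rules: Dict[bytes, int] = IP_LOOKUP_RULES) -> Optional[bytes]:
    """Model of: content:"GET "; depth:4; content:"|0d 0a|Host\\: ";
    content:"<token>"; within:N;

    depth:4 pins "GET " to the first four bytes; within:N lets the token
    match only inside the N bytes after the Host: anchor, so the same domain
    in a Referer or in the path does not fire. Returns the token or None.
    """
    if request[:4] != b"GET ":
        return None
    pos = request.find(HOST_ANCHOR)       # one Host header per request
    if pos < 0:
        return None
    start = pos + len(HOST_ANCHOR)
    for token, within in rules.items():
        if token in request[start:start + within]:
            return token
    return None


def match_cleartext_credentials(request: bytes) -> bool:
    """Model of Jack's rule: content:"&username="; nocase; content:"&password="; nocase;

    Two independent case-insensitive searches over the whole payload, in any
    order, with no method check. The leading '&' means a form whose first
    field is username= is missed.
    """
    lower = request.lower()
    return b"&username=" in lower and b"&password=" in lower


FIELD_RE = re.compile(rb"(?:^|&)(username|password)=", re.IGNORECASE)


def match_cleartext_credentials_hardened(request: bytes) -> bool:
    """Editor's variant: require POST, search only the body, and accept the
    field as the first pair (no leading '&')."""
    if request[:5] != b"POST ":
        return False
    _head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        return False
    found = {m.group(1).lower() for m in FIELD_RE.finditer(body)}
    return {b"username", b"password"} <= found


# Constructed sample requests (not captured traffic).
SAMPLES: Dict[str, bytes] = {
    "automation": (b"GET /automation/n09230945.asp HTTP/1.1\r\n"
                   b"Host: www.whatismyip.com\r\nUser-Agent: Mozilla\r\n\r\n"),
    "referer_only": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                     b"Referer: http://www.whatismyip.com/\r\n\r\n"),
    "cmyip": b"GET / HTTP/1.1\r\nHost: www.cmyip.com\r\n\r\n",
    "login_first_field": (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                          b"username=alice&password=hunter2"),
    "login_later_field": (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
                          b"remember=1&Username=bob&PASSWORD=secret"),
    "search": b"GET /search?q=password HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def evaluate(request: bytes) -> Dict[str, object]:
    """Run all three checks on one request."""
    return {"ip_lookup": match_ip_lookup(request),
            "creds_original": match_cleartext_credentials(request),
            "creds_hardened": match_cleartext_credentials_hardened(request)}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:18} {evaluate(req)}")
```

The login_first_field sample is the case Jack's own caveat points at: a form that sends username= as its first pair never contains "&username=", so the posted rule is silent while the hardened variant fires. The referer_only sample shows the other direction, an unanchored content:".whatismyip." would have matched the Referer header, and the within: constraint is what keeps that from being an alert.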
---------------------------------------------------------------- @fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com From emerging at cyclohexane.net Thu Jan 8 07:20:40 2009 From: emerging at cyclohexane.net (James) Date: Thu, 8 Jan 2009 12:20:40 -0000 Subject: [Emerging-Sigs] MyWebSearch Toolbar Traffic (Agent) Message-ID: <717FBDFFE66F430C8AEE4CA7C979CC55@UEA.AC.UK> Hi, I've received several hundred false-positives for one of my users on this signature: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Traffic (Agent)"; flow: to_server,established; content:" MyWay"; nocase; classtype:trojan-activity; sid: 2001662; rev:9;) It turns out a cookie on the BBC news website contains "; myway=default" at the end. Let me know if you need more info than that. Thanks James From jonkman at jonkmans.com Thu Jan 8 10:53:14 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Thu, 08 Jan 2009 10:53:14 -0500 Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Jan-5-2009 In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C291C@webmail.latis.com> References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C291C@webmail.latis.com> Message-ID: <4966216A.3090803@jonkmans.com> All posted, thanks! That also puts us to sid 2009000. Another thousand up there!! Matt signatures wrote: > Hi Matt, > > Please find 10 New Signatures below:** > > 1. *phpAddEdit editform parameter Local File Inclusion* > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS > (msg:"phpAddEdit editform parameter Local File Inclusion"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/addedit-render.php?"; nocase; uricontent:"editform="; > nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; > reference:url,milw0rm.com/exploits/7417; reference:bugtraq,32774; > sid:508289; rev:1;) > > > > 2. 
*Microsoft Visual Basic Common AVI ActiveX Control File Parsing > Buffer Overflow* > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Microsoft > Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow"; > flow:to_client,established; content:"CLSID"; nocase; > content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1"; nocase; distance:0; > content:"Open"; nocase; content:".avi"; nocase; distance:0; > classtype:web-application-attack; > reference:url,www.milw0rm.com/exploits/7431 > ; reference:bugtraq,32613; > sid:508293; rev:1;) > > 3. *Multiple Membership Script id parameter SQL injection > *alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Multiple > Membership Script id parameter SQL injection"; content:"GET "; depth:4; > uricontent:"/sitepage.php?"; nocase; uricontent:"id="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:url,secunia.com/advisories/33019/; > reference:url,milw0rm.com/exploits/7346; sid:2008199; rev:1;) > > > > 4. *CF_Calendar calid parameter SQL Injection > *alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS > (msg:"CF_Calendar calid parameter SQL Injection"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/calendarevent.cfm?"; nocase; uricontent:"calid="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:url,secunia.com/advisories/33074/; > reference:url,milw0rm.com/exploits/7413; sid:2008205; rev:1;) > > > > 5. 
*Simple Text-File Login script slogin_path parameter remote > file inclusion > *alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Simple > Text-File Login script slogin_path parameter remote file inclusion"; > flow:established,to_server; content:"GET "; depth:4; > uricontent:"/slogin_lib.inc.php?"; nocase; uricontent:"slogin_path="; > nocase; pcre:"/slogin_path=\s*(ftps?|https?|php)\:\//Ui"; > classtype:web-application-attack; reference:bugtraq,32811; > reference:url,milw0rm.com/exploits/7444; sid:2008217; rev:1;) > > > > 6. *WEB-PHP icash Click&BaneX user_menu.asp ID parameter SQL Injection > *alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > icash Click&BaneX user_menu.asp ID parameter SQL Injection"; > flow:to_server,established; content:"GET "; depth:4; > uricontent:"/user_menu.asp?"; nocase; uricontent:"ID="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:url,milw0rm.com/exploits/7484; reference:bugtraq,32856; > sid:2008005; rev:1;) > > > > 7. *WEB-PHP EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection > *alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection"; > flow:to_server,established; content:"GET "; depth:4; > uricontent:"/resim.asp?"; nocase; uricontent:"islem=altkat"; nocase; > uricontent:"kat_id="; nocase; uricontent:"UNION"; nocase; > uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; > classtype:web-application-attack; > reference:url,secunia.com/advisories/33199/; > reference:url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt; > sid:2008003; rev:1;) > > > > 8. 
*WEB-ATTACKS EvansFTP EvansFTP.ocx Remote Buffer Overflow > *alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS > EvansFTP EvansFTP.ocx Remote Buffer Overflow"; > flow:to_client,established; content:"CLSID"; nocase; > content:"7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD"; distance:0; nocase; > content:"RemoteAddress"; nocase; classtype:web-application-attack; > reference:bugtraq,32814; reference:url,www.milw0rm.com/exploits/7460 > ; sid:2008128; rev:1;) > > > > 9. *WEB-ATTACKS Phoenician Casino FlashAX ActiveX Control Remote > Buffer Overflow > *alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS > Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow"; > flow:to_client,established; content:"CLSID"; nocase; > content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; distance:0; nocase; > content:"SetID"; nocase; classtype:web-application-attack; > reference:bugtraq,32901; reference:url,www.milw0rm.com/exploits/7505 > ; sid:2008129; rev:1;) > > > > 10. *WEB-PHP RSS Simple News news.php pid parameter Remote SQL Injection > *alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP > RSS Simple News news.php pid parameter Remote SQL Injection"; > flow:to_server,established; content:"GET "; depth:4; > uricontent:"/news.php?"; nocase; content:"pid="; nocase; > uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; > pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; > reference:url,www.milw0rm.com/exploits/7541 > ; reference:bugtraq,32962; > sid:2008016; rev:1;) > > Looking forward for your comments if any? 
> > > Thanks & Regards, > StillSecure > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Thu Jan 8 11:00:23 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Thu, 08 Jan 2009 11:00:23 -0500 Subject: [Emerging-Sigs] MyWebSearch Toolbar Traffic (Agent) In-Reply-To: <717FBDFFE66F430C8AEE4CA7C979CC55@UEA.AC.UK> References: <717FBDFFE66F430C8AEE4CA7C979CC55@UEA.AC.UK> Message-ID: <49662317.7080305@jonkmans.com> Hmmm, that's a bad FP. And looking at that sig, I think we're best dropping it. The current versions of MyWay use a distinct user-agent which we do have a sig for. I'll remove the sig. It's obsolete. Thanks for the report!! Matt James wrote: > Hi, > > I've received several hundred false-positives for one of my users on this > signature: > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE > MyWebSearch Toolbar Traffic (Agent)"; flow: to_server,established; content:" > MyWay"; nocase; classtype:trojan-activity; sid: 2001662; rev:9;) > > It turns out a cookie on the BBC news website contains "; myway=default" at > the end. > > Let me know if you need more info than that. 
> > Thanks > James > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Thu Jan 8 11:02:29 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Thu, 08 Jan 2009 11:02:29 -0500 Subject: [Emerging-Sigs] clear text passwords In-Reply-To: <20090108093310.cm7i69twqskogcw8@mail.afferentsecurity.com> References: <20090108093310.cm7i69twqskogcw8@mail.afferentsecurity.com> Message-ID: <49662395.1060203@jonkmans.com> Good idea, should be interesting. I'll drop this into policy. Matt Jack Pepper wrote: > I found a set of applications that were passing login credentials in > the clear. Strangely enough we did not have a rule for spotting this > shabby developer practice: > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"login > credentials being passed in POST data"; flow:to_server,established; > content:"&username="; nocase; content:"&password="; nocase; > classtype:policy-violation; sid:1048480; rev:1;) > > I have taken the assumption that username and password are the given > fieldnames, but in reality they could be anything. 
> > jp > -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Thu Jan 8 11:06:43 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Thu, 08 Jan 2009 11:06:43 -0500 Subject: [Emerging-Sigs] Whatismyip Sigs In-Reply-To: <4964F4B4.4020504@jonkmans.com> References: <4964F4B4.4020504@jonkmans.com> Message-ID: <49662493.5050808@jonkmans.com> That was of course supposed to say "we do NOT mean to imply these sites are bad" Nice typo... Matt Matt Jonkman wrote: > A common thing many of the malware samples we see do it hit > whatismyip.com to get their external ip address. There are a few other > sites, but whatismyip.com/net/org is by far the most prevalent as they > are automation friendly and don't make it difficult to scrape the IP. > > There are a few others, I've put together the following sigs to get the > ones we see in malware. These aren't all of the ip lookup sites, there > are hundreds. But these are very commonly used. > > And to be clear: We do mean to imply these sites are bad or complicit > with any of the bots out there. Just unexpected access to these in your > net is something you should check out. 
> > > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY > Internal Host Retrieving External IP via whatismyip.com Automation Page > - Possible Infection"; flow:established,to_server; > uricontent:"/automation/n09230945.asp"; classtype:attempted-recon; > sid:2008985; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY > Internal Host Retrieving External IP via whatismyip.com - Possible > Infection"; flow:established,to_server; content:"GET "; depth:4; > content:"|0d 0a|Host\: "; content:".whatismyip."; within:15; > classtype:attempted-recon; sid:2008986; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY > Internal Host Retrieving External IP via showip.net - Possible > Infection"; flow:established,to_server; content:"GET "; depth:4; > content:"|0d 0a|Host\: "; content:".showip."; within:15; > classtype:attempted-recon; sid:2008987; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY > Internal Host Retrieving External IP via cmyip.com - Possible > Infection"; flow:established,to_server; content:"GET "; depth:4; > content:"|0d 0a|Host\: "; content:".cmyip."; within:12; > classtype:attempted-recon; sid:2008988; rev:1;) > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY > Internal Host Retrieving External IP via showmyip.com - Possible > Infection"; flow:established,to_server; content:"GET "; depth:4; > content:"|0d 0a|Host\: "; content:".showmyip."; within:15; > classtype:attempted-recon; sid:2008989; rev:1;) > > -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From lists at inliniac.net Thu Jan 8 11:34:01 2009 From: lists at inliniac.net (Victor Julien) Date: Thu, 08 Jan 2009 17:34:01 +0100 Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - 
Jan-5-2009
In-Reply-To: <4966216A.3090803@jonkmans.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C291C@webmail.latis.com> <4966216A.3090803@jonkmans.com>
Message-ID: <49662AF9.6040300@inliniac.net>

Matt Jonkman wrote:
> That also puts us to sid 2009000. Another thousand up there!!

Cool, congrats Matt! I think I speak for many if I say: thank you!

Cheers,
Victor

From emerging at emergingthreats.net Thu Jan 8 16:00:08 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 8 Jan 2009 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090108210008.973E145026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Jan 8 16:00:08 2009 [***]

[+++] Added rules: [+++]

200900 - ET WEB_ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow (emerging-web.rules)
2008990 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 (emerging.rules)
2008991 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check (emerging.rules)
2008992 - ET WEB_SPECIFIC phpAddEdit editform parameter Local File Inclusion (emerging-web_sql_injection.rules)
2008993 - ET WEB_ACTIVEX Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow (emerging-web.rules)
2008994 - ET WEB_SPECIFIC Multiple Membership Script id parameter SQL injection (emerging-web_sql_injection.rules)
2008995 - ET WEB_SPECIFIC CF_Calendar calid parameter SQL Injection (emerging-web_sql_injection.rules)
2008996 - ET WEB_SPECIFIC Simple Text-File Login script slogin_path parameter remote file inclusion (emerging-web_sql_injection.rules)
2008997 - ET WEB_SPECIFIC icash Click&BaneX user_menu.asp ID parameter SQL Injection (emerging-web_sql_injection.rules)
2008998 - ET WEB_SPECIFIC EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection (emerging-web_sql_injection.rules)
2008999 - ET WEB_ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow (emerging-web.rules)
2009000 - ET WEB_SPECIFIC RSS Simple News news.php pid parameter Remote SQL Injection (emerging-web_sql_injection.rules)
2009001 - ET POLICY Login Credentials Possibly Passed in URI (emerging-policy.rules)
2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules)
2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules)
2406208 - ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules)
2407206 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) (emerging-rbn-BLOCK.rules)
2407207 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) (emerging-rbn-BLOCK.rules)
2407208 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

2002750 - ET POLICY Reserved IP Space Traffic - Bogon Nets 2 (emerging-policy.rules)
2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules)
2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules)
2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules)
2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules)
2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules)
2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules)
2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules)
2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules)
2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules)
2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules)
2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules)
2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules)
2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules)
2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules)
2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules)
2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules)
2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules)
2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules)
2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules)
2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules)
2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules)
2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules)
2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules)
2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules)
2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules)
2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules)
2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules)
2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules)
2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules)
2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules)
2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules)
2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules)
2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules)
2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules)
2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules)
2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules)
2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules)
2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules)
2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules)
2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules)
2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules)
2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules)
2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules)
2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules)
2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules)
2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules)
2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules)
2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules)
2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules)
2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules)
2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules)
2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules)
2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules)
2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules)
2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules)
2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules)
2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules)
2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules)
2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules)
2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules)
2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules)
2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules)
2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules)
2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules)
2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules)
2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules)
2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules)
2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules)
2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules)
2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules)
2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules)
2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules)
2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules)
2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules)
2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules)
2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules)
2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules)
2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules)
2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules)
2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules)
2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules)
2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules)
2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules)
2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules)
2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules)
2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules)
2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules)
2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules)
2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules)
2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules)
2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules)
2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules)
2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules)
2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules)
2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules)
2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules)
2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules)
2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)
2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)
2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules)
2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules)
2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules)
2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules)
2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules)
2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules)
2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules)
2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules)
2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules)
2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules)
2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules)
2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules)
2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules)
2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules)
2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules)
2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules)
2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules)
2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules)
2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules)
2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules)
2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules)
2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules)
2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules)
2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules)
2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules)
2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules)
2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules)
2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules)
2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules)
2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules)
2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules)
2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules)
2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules)
2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules)
2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules)
2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules)
2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules)
2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules)
2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules)
2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules)
2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules)
2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules)
2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules)
2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules)
2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules)
2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules)
2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules)
2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules)
2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules)
2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules)
2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules)
2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules)
2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules)
2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules)
2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules)
2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules)
2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules)
2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules)
2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules)
2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules)
2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules)
2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules)
2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules)
2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules)
2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules)
2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules)
2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules)
2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules)
2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules)
2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules)
2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules)
2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules)
2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules)
2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules)
2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules)
2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules)
2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules)
2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules)
2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules)
2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules)
2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules)
2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules)
2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules)
2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules)
2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules)
2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules)
2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules)
2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules)
2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules)
2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules)
2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules)
2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules)
2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules)
2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules)
2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules)
2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules)
2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules)
2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules)
2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules)
2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules)
2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules)
2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules)
2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules)
2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules)
2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules)
2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules)
2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules)
2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules)
2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules)
2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules)
2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules)
2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules)
2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules)
2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules)
2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules)
2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules)
2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules)
2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules)
2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules)
2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules)
2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules)
2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules)
2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules)
2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules)
2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules)
2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules)
2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules)
2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules)
2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules)
2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules)
2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules)
2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules)
2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules)
2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules)
2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules)
2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules)
2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules)
2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules)
2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules)
2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules)
2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules)
2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) (emerging-rbn-BLOCK.rules)
2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules)
2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) (emerging-rbn-BLOCK.rules)
2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules)
2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules)
2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules)
2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules)
2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) (emerging-rbn-BLOCK.rules)
2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules)
2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules)
2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182)
(emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules) 2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) (emerging-rbn-BLOCK.rules) 2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules) 2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) (emerging-rbn-BLOCK.rules) 2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules) 2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules) 2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules) 2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules) 2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) (emerging-rbn-BLOCK.rules) 2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules) 2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules) 2407199 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) 
(emerging-rbn-BLOCK.rules) 2407200 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) (emerging-rbn-BLOCK.rules) 2407201 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) (emerging-rbn-BLOCK.rules) 2407202 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) (emerging-rbn-BLOCK.rules) 2407203 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) (emerging-rbn-BLOCK.rules) 2407204 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) (emerging-rbn-BLOCK.rules) 2407205 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) (emerging-rbn-BLOCK.rules) [---] Removed rules: [---] 2001662 - ET MALWARE MyWebSearch Toolbar Traffic (Agent) (emerging-malware.rules) 2001663 - ET MALWARE MyWebSearch Toolbar Traffic (host) (emerging-malware.rules) 2002818 - ET MALWARE MyWebSearch Toolbar Traffic (general download) (emerging-malware.rules) 2002819 - ET MALWARE MyWebSearch Toolbar Traffic (bin download) (emerging-malware.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-policy.rules (1): #by jack pepper -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 101 # Updated 2009-01-08 09:33:27 -> Added to emerging-rbn.rules (2): # VERSION 101 # Updated 2009-01-08 09:33:27 -> Added to emerging-sid-msg.map (21): 200900 || ET WEB_ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow || url,www.milw0rm.com/exploits/7505 || bugtraq,32901 2008990 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 || url,isc.sans.org/diary.html?storyid=5599 2008991 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check || url,isc.sans.org/diary.html?storyid=5599 2008992 || ET WEB_SPECIFIC phpAddEdit editform parameter Local File Inclusion || bugtraq,32774 || url,milw0rm.com/exploits/7417 2008993 || ET WEB_ACTIVEX Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow || bugtraq,32613 
|| url,www.milw0rm.com/exploits/7431 2008994 || ET WEB_SPECIFIC Multiple Membership Script id parameter SQL injection || url,milw0rm.com/exploits/7346 || url,secunia.com/advisories/33019/ 2008995 || ET WEB_SPECIFIC CF_Calendar calid parameter SQL Injection || url,milw0rm.com/exploits/7413 || url,secunia.com/advisories/33074/ 2008996 || ET WEB_SPECIFIC Simple Text-File Login script slogin_path parameter remote file inclusion || url,milw0rm.com/exploits/7444 || bugtraq,32811 2008997 || ET WEB_SPECIFIC icash Click&BaneX user_menu.asp ID parameter SQL Injection || bugtraq,32856 || url,milw0rm.com/exploits/7484 2008998 || ET WEB_SPECIFIC EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection || url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt || url,secunia.com/advisories/33199/ 2008999 || ET WEB_ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow || url,www.milw0rm.com/exploits/7460 || bugtraq,32814 2009000 || ET WEB_SPECIFIC RSS Simple News news.php pid parameter Remote SQL Injection || bugtraq,32962 || url,www.milw0rm.com/exploits/7541 2009001 || ET POLICY Login Credentials Possibly Passed in URI 2406206 || ET RBN Known Russian Business Network Monitored Domains (207) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406207 || ET RBN Known Russian Business Network Monitored Domains (208) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406208 || ET RBN Known Russian Business Network Monitored Domains (209) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407206 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407207 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407208 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500073 || ET COMPROMISED Known Compromised or Hostile Host Traffic (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (21): 200900 || ET WEB_ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow || url,www.milw0rm.com/exploits/7505 || bugtraq,32901 2008990 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 || url,isc.sans.org/diary.html?storyid=5599 2008991 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check || url,isc.sans.org/diary.html?storyid=5599 2008992 || ET WEB_SPECIFIC phpAddEdit editform parameter Local File Inclusion || bugtraq,32774 || url,milw0rm.com/exploits/7417 2008993 || ET WEB_ACTIVEX Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow || bugtraq,32613 || url,www.milw0rm.com/exploits/7431 2008994 || ET WEB_SPECIFIC Multiple Membership Script id parameter SQL injection || url,milw0rm.com/exploits/7346 || url,secunia.com/advisories/33019/ 2008995 || ET WEB_SPECIFIC CF_Calendar calid parameter SQL Injection || url,milw0rm.com/exploits/7413 || url,secunia.com/advisories/33074/ 2008996 || ET WEB_SPECIFIC Simple Text-File Login script slogin_path parameter remote file inclusion || url,milw0rm.com/exploits/7444 || bugtraq,32811 2008997 || ET WEB_SPECIFIC icash Click&BaneX user_menu.asp ID parameter SQL Injection || bugtraq,32856 || url,milw0rm.com/exploits/7484 2008998 || ET WEB_SPECIFIC EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection || url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt || url,secunia.com/advisories/33199/ 2008999 || ET WEB_ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow || url,www.milw0rm.com/exploits/7460 || bugtraq,32814 2009000 || ET WEB_SPECIFIC RSS 
Simple News news.php pid parameter Remote SQL Injection || bugtraq,32962 || url,www.milw0rm.com/exploits/7541 2009001 || ET POLICY Login Credentials Possibly Passed in URI 2406206 || ET RBN Known Russian Business Network Monitored Domains (207) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406207 || ET RBN Known Russian Business Network Monitored Domains (208) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406208 || ET RBN Known Russian Business Network Monitored Domains (209) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407206 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407207 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407208 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500073 || ET COMPROMISED Known Compromised or Hostile Host Traffic (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging.rules (4): # New variant by Frank Knobbe # GET /roundcube/bin/msgimport /rc/bin/msgimport /bin/msgimport /mail/bin/msgimport /webmail/bin/msgimport # and GET /nonexistenshit # Just using /bin/msgimport for simplicity [---] Removed non-rule lines: [---] -> Removed from emerging-rbn-BLOCK.rules (2): # VERSION 100 # Updated 2009-01-06 11:49:54 -> Removed from emerging-rbn.rules (2): # VERSION 100 # Updated 2009-01-06 11:49:54 -> Removed from emerging-sid-msg.map (4): 2001662 || ET MALWARE MyWebSearch Toolbar Traffic (Agent) 2001663 || ET MALWARE MyWebSearch Toolbar Traffic (host) 2002818 || ET MALWARE MyWebSearch Toolbar Traffic (general 
download) 2002819 || ET MALWARE MyWebSearch Toolbar Traffic (bin download) -> Removed from emerging-sid-msg.map.txt (4): 2001662 || ET MALWARE MyWebSearch Toolbar Traffic (Agent) 2001663 || ET MALWARE MyWebSearch Toolbar Traffic (host) 2002818 || ET MALWARE MyWebSearch Toolbar Traffic (general download) 2002819 || ET MALWARE MyWebSearch Toolbar Traffic (bin download) From frank at knobbe.us Thu Jan 8 18:33:59 2009 From: frank at knobbe.us (Frank Knobbe) Date: Thu, 08 Jan 2009 17:33:59 -0600 Subject: [Emerging-Sigs] clear text passwords In-Reply-To: <20090108093310.cm7i69twqskogcw8@mail.afferentsecurity.com> References: <20090108093310.cm7i69twqskogcw8@mail.afferentsecurity.com> Message-ID: <1231457639.56475.2.camel@localhost> On Thu, 2009-01-08 at 09:33 -0600, Jack Pepper wrote: > I found a set of applications that were passing login credentials in > the clear. Strangely enough we did not have a rule for spotting this > shabby developer practice: > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"login > credentials being passed in POST data"; flow:to_server,established; > content:"&username="; nocase; content:"&password="; nocase; > classtype:policy-violation; sid:1048480; rev:1;) Why not also create a sister rule that checks for POST requests with username= and password= int he URL rather than the POST data blob? I'd also remove the & from the matches and just use username and password... just in case one of them is the first element. -Frank -- It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090108/b02bec0c/attachment.bin


From david.glosser at gmail.com Thu Jan 8 22:48:50 2009
From: david.glosser at gmail.com (David Glosser)
Date: Thu, 8 Jan 2009 22:48:50 -0500
Subject: [Emerging-Sigs] mod security
Message-ID:

There are scripts to create mod security rules from snort rules
(http://www.modsecurity.org/documentation/converted-snort-rules.html).
Does anyone know of this being done for ET snort rules? Anyone think
it would be useful for the more stable ET rules?

Or, the other way around, creating snort rules based on mod_security rules?


From lists at inliniac.net Fri Jan 9 01:41:16 2009
From: lists at inliniac.net (Victor Julien)
Date: Fri, 09 Jan 2009 07:41:16 +0100
Subject: [Emerging-Sigs] mod security
In-Reply-To:
References:
Message-ID: <4966F18C.7070807@inliniac.net>

David Glosser wrote:
> There are scripts to create mod security rules from snort rules
> (http://www.modsecurity.org/documentation/converted-snort-rules.html).
> Does anyone know of this being done for ET snort rules? Anyone think
> it would be useful for the more stable ET rules?
>
> Or, the other way around, creating snort rules based on mod_security rules?

The script you're linking to doesn't support the current 2.x branch of
MSc, which you really want to be running. I've started work on creating
a new conversion script quite a while ago, but never really completed
it. One thing that made performance really bad is that every Snort
content match was converted to regex in MSc. Performance went below
zero. Nowadays MSc has a real pattern matcher as well, so maybe using
that would work better.

I've never seen a script that does MSc -> Snort conversions...

Cheers,
Victor


From nate+emerging at richmond-family.org Fri Jan 9 09:35:19 2009
From: nate+emerging at richmond-family.org (Nathaniel Richmond)
Date: Fri, 9 Jan 2009 09:35:19 -0500 (EST)
Subject: [Emerging-Sigs] ET TROJAN HTTP Post with Double Accept header; sid 2008975
In-Reply-To: <20090109034942.66E2EA40B2@medusa.richmond-family.org>
References: <20090109034942.66E2EA40B2@medusa.richmond-family.org>
Message-ID: <20090109143519.46506A4050@medusa.richmond-family.org>

FYI,

With regard to this alert, in at least some instances it seems to be
associated with DRM. I've seen it trigger because of double accept
headers going to drm.cbtnuggets.com, get.zune.net and
wmdrm.windowsmedia.com. The User-Agent has been Windows-Media-DRM of
one version or another, e.g. "Windows-Media-DRM/11.0.5721.5145".

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN HTTP Post with Double Accept header - Likely Trojan Activity"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|Accept\: Accept\: "; within:200; classtype:trojan-activity; sid:2008975; rev:1;)

Nate


From jeff-kell at utc.edu Fri Jan 9 09:44:51 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 09 Jan 2009 09:44:51 -0500
Subject: [Emerging-Sigs] ET TROJAN HTTP Post with Double Accept header; sid 2008975
In-Reply-To: <20090109143519.46506A4050@medusa.richmond-family.org>
References: <20090109034942.66E2EA40B2@medusa.richmond-family.org> <20090109143519.46506A4050@medusa.richmond-family.org>
Message-ID: <496762E3.7050507@utc.edu>

Nathaniel Richmond wrote:
> FYI,
>
> With regard to this alert, in at least some instances it seems to be
> associated with DRM. I've seen it trigger because of double accept
> headers going to drm.cbtnuggets.com, get.zune.net and
> wmdrm.windowsmedia.com. The User-Agent has been Windows-Media-DRM of
> one version or another, e.g. "Windows-Media-DRM/11.0.5721.5145".

Ditto here.
Jeff


From jonkman at jonkmans.com Fri Jan 9 10:13:52 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 09 Jan 2009 10:13:52 -0500
Subject: [Emerging-Sigs] ET TROJAN HTTP Post with Double Accept header; sid 2008975
In-Reply-To: <496762E3.7050507@utc.edu>
References: <20090109034942.66E2EA40B2@medusa.richmond-family.org> <20090109143519.46506A4050@medusa.richmond-family.org> <496762E3.7050507@utc.edu>
Message-ID: <496769B0.9090905@jonkmans.com>

My fault. I stripped a pcre Victor had in there originally to generalize
it more. Still strange though that even an MS product would have the
double accept header. That's definitely not a common mistake to make.

Posting this in its place:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Malformed Accept header - Likely Trojan-PWS.Win32.QQPass"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|Accept\: Accept\: "; pcre:"/^Accept\x3A\sAccept\x3A[^\r\n]*\d+,\s/[A-z0-9\.]+,\s[A-z0-9\.]+/smi"; classtype:trojan-activity; sid:2008975; rev:1;)

Matt

Jeff Kell wrote:
> Nathaniel Richmond wrote:
>> FYI,
>>
>> With regard to this alert, in at least some instances it seems to be
>> associated with DRM. I've seen it trigger because of double accept
>> headers going to drm.cbtnuggets.com, get.zune.net and
>> wmdrm.windowsmedia.com. The User-Agent has been Windows-Media-DRM of
>> one version or another, e.g. "Windows-Media-DRM/11.0.5721.5145".
>
> Ditto here.
>
> Jeff
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc


From jonkman at jonkmans.com Fri Jan 9 14:37:35 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 09 Jan 2009 14:37:35 -0500
Subject: [Emerging-Sigs] clear text passwords
In-Reply-To: <1231457639.56475.2.camel@localhost>
References: <20090108093310.cm7i69twqskogcw8@mail.afferentsecurity.com> <1231457639.56475.2.camel@localhost>
Message-ID: <4967A77F.5000804@jonkmans.com>

Frank Knobbe wrote:
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"login
>> credentials being passed in POST data"; flow:to_server,established;
>> content:"&username="; nocase; content:"&password="; nocase;
>> classtype:policy-violation; sid:1048480; rev:1;)
>
> Why not also create a sister rule that checks for POST requests with
> username= and password= in the URL rather than the POST data blob?

Good idea, will put one up now.

>
> I'd also remove the & from the matches and just use username and
> password... just in case one of them is the first element.
>

Also a good idea. Doing so.
Thanks Frank

Matt

>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc


From scheidell at secnap.net Fri Jan 9 15:35:59 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Fri, 09 Jan 2009 15:35:59 -0500
Subject: [Emerging-Sigs] [Fwd: RE: alert: New event: ET TROJAN Srizbi registering with controller]
Message-ID: <4967B52F.6050105@secnap.net>

ES folks: wondering if the original link which shows the target port to be 4099 is still true, or did this morph?

The original link: http://www.secureworks.com/research/threats/ronpaul/ shows these two sigs:

.. it seems the rev4 sig we have now doesn't look for port 4099 only, and may be prone to FP's.

alert udp any 1024: -> any 4099 (msg:"Trojan.Srizbi registering with controller"; dsize:20; content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/srizbispam; sid:100000001; rev:1;)

alert tcp any any -> any 4099 (msg:"Trojan.Srizbi requesting template"; content:"GET|20|/"; depth:5; content:"|0d0a|X-Flags|3a20|"; within:200; content:"|0d0a|X-TM|3a20|"; within:20; content:"|0d0a|X-BI|3a20|"; within:20; reference:url,www.secureworks.com/research/threats/srizbispam; sid:100000002; rev:1;)

Current sig: (as you see from our log, the target port is 1033... not 4099.. and in fact, this sorta looks like MAYBE 1033 is the source (>1024) port and 4743 is the target.

/etc/snort/rules/emerging-virus.rules:alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Srizbi registering with controller"; dsize:20; content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/ronpaul/; sid:2007711; rev:4;)

/etc/snort/rules/sid-msg.map:2007711 || ET TROJAN Srizbi registering with controller || url,www.secureworks.com/research/threats/ronpaul/

01/09-14:51:28 UDP 192.168.200.103:4737 --> 12.149.76.125:1033 [1:2007711:4] ET TROJAN Srizbi registering with controller [Classification: A Network Trojan was detected] [Priority: 1]

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* King of Spam Filters, SC Magazine 2008
* Information Security Award 2008, Info Security Products Guide
* CRN Magazine Top 40 Emerging Security Vendors
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090109/29eebbde/attachment.html


From emerging at emergingthreats.net Fri Jan 9 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 9 Jan 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090109210009.87FE845026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Jan 9 16:00:09 2009 [***]

[+++] Added rules: [+++]

2009002 - ET WEB_ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow (emerging-web.rules)
2009003 - ET TROJAN Win32/Korklic.A (emerging-virus.rules)
2009004 - ET POLICY Login Credentials Possibly Passed in POST Data (emerging-policy.rules)

[///] Modified active rules: [///]

2008975 - ET TROJAN Malformed Double Accept header - Likely Trojan-PWS.Win32.QQPass (emerging-virus.rules)
2008998 - ET WEB_SPECIFIC EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection (emerging-web_sql_injection.rules)
2009001 - ET POLICY Login Credentials Possibly Passed in URI (emerging-policy.rules)

[---] Removed rules: [---]

200900 - ET WEB_ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow (emerging-web.rules)
2008844 - ET TROJAN Mydoom.O at mm HTTP Checkin (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-policy.rules (1):
#disabled by default for possiblity of false positives. Use only if needed

-> Added to emerging-sid-msg.map (7):
2008975 || ET TROJAN Malformed Double Accept header - Likely Trojan-PWS.Win32.QQPass
2008998 || ET WEB_SPECIFIC EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection || url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt || url,secunia.com/advisories/33199/
2009002 || ET WEB_ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow || url,www.milw0rm.com/exploits/7505 || bugtraq,32901
2009003 || ET TROJAN Win32/Korklic.A
2009004 || ET POLICY Login Credentials Possibly Passed in POST Data
2500074 || ET COMPROMISED Known Compromised or Hostile Host Traffic (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (7):
2008975 || ET TROJAN Malformed Double Accept header - Likely Trojan-PWS.Win32.QQPass
2008998 || ET WEB_SPECIFIC EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection || url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt || url,secunia.com/advisories/33199/
2009002 || ET WEB_ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow || url,www.milw0rm.com/exploits/7505 || bugtraq,32901
2009003 || ET TROJAN Win32/Korklic.A
2009004 || ET POLICY Login Credentials Possibly Passed in POST Data
2500074 || ET COMPROMISED Known Compromised or Hostile Host Traffic (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-virus.rules (1):
#by pedro Marinho

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (4):
200900 || ET WEB_ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow || url,www.milw0rm.com/exploits/7505 || bugtraq,32901
2008844 || ET TROJAN Mydoom.O at mm HTTP Checkin
2008975 || ET TROJAN HTTP Post with Double Accept header - Likely Trojan Activity
2008998 || ET WEB_SPECIFIC EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection || url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt || url,secunia.com/advisories/33199/

-> Removed from emerging-sid-msg.map.txt (4):
200900 || ET WEB_ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow || url,www.milw0rm.com/exploits/7505 || bugtraq,32901
2008844 || ET TROJAN Mydoom.O at mm HTTP Checkin
2008975 || ET TROJAN HTTP Post with Double Accept header - Likely Trojan Activity
2008998 || ET WEB_SPECIFIC EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection || url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt || url,secunia.com/advisories/33199/


From scheidell at secnap.net Fri Jan 9 16:44:24 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Fri, 09 Jan 2009 16:44:24 -0500
Subject: [Emerging-Sigs] famatech/radmin on RBN list?
Message-ID: <4967C538.1030400@secnap.net>

Owners of the legitimate administration tool 'radmin' are not associated
with the RBN. I have had good conversations with their security folk up
there in the past.

01/09-16:32:53 TCP 198.63.210.130:80 --> 192.168.100.188:4074 [1:2407012:101] ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13)

host fam4.famatech.com
fam4.famatech.com has address 198.63.210.130

I don't think they share a netblock with anyone.

Anyone using radmin and trying to get an update, might get blocked for a
day: (and it looks like you have it in two lists?) 13 and 14?
grep 198.63.210 /etc/snort/rules/* /etc/snort/rules/emerging-rbn-BLOCK.rules:alert ip [195.42.103.91,195.5.116.0/24,195.5.117.0/24,195.64.140.0/23,195.64.162.0/23,195.64.190.1,195.66.132.0/24,195.95.218.0/23,196.2.198.240,198.63.210.0/24] any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2407012; rev:101; fwsam: src, 24 hours;) /etc/snort/rules/emerging-rbn-BLOCK.rules:alert ip [198.63.210.123,198.63.211.208,198.63.211.8,199.237.229.158,200.115.160.0/20,200.155.17.172,200.46.83.245,200.63.42.136,200.63.42.141,200.63.42.81] any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2407013; rev:101; fwsam: src, 24 hours;) -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 > *| *SECNAP Network Security Corporation * Certified SNORT Integrator * King of Spam Filters, SC Magazine 2008 * Information Security Award 2008, Info Security Products Guide * CRN Magazine Top 40 Emerging Security Vendors _________________________________________________________________________ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ _________________________________________________________________________ From jonkman at jonkmans.com Fri Jan 9 16:50:57 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Fri, 09 Jan 2009 16:50:57 -0500 Subject: [Emerging-Sigs] famatech/radmin on RBN list? In-Reply-To: <4967C538.1030400@secnap.net> References: <4967C538.1030400@secnap.net> Message-ID: <4967C6C1.5080108@jonkmans.com> Pulling them off the list pending looking deeper into it. 
Thanks for the report!

Matt

Michael Scheidell wrote:
> Owners of the legitimate administration tool 'radmin' are not associated
> with the RBN. I have had good conversations with their security folk up
> there in the past.
>
> 01/09-16:32:53 TCP 198.63.210.130:80 --> 192.168.100.188:4074 [1:2407012:101] ET
> RBN Known Russian Business Network Monitored Domains - BLOCKING (13)
>
> host fam4.famatech.com
> fam4.famatech.com has address 198.63.210.130
>
> I don't think they share a netblock with anyone.
>
> Anyone using radmin and trying to get an update might get blocked for a
> day (and it looks like you have it in two lists, 13 and 14?):
>
> grep 198.63.210 /etc/snort/rules/*
> /etc/snort/rules/emerging-rbn-BLOCK.rules:alert ip
> [195.42.103.91,195.5.116.0/24,195.5.117.0/24,195.64.140.0/23,195.64.162.0/23,195.64.190.1,195.66.132.0/24,195.95.218.0/23,196.2.198.240,198.63.210.0/24]
> any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network
> Monitored Domains - BLOCKING (13)";
> reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork;
> threshold: type limit, track by_src, seconds 60, count 1;
> classtype:misc-attack; sid:2407012; rev:101; fwsam: src, 24 hours;)
>
> /etc/snort/rules/emerging-rbn-BLOCK.rules:alert ip
> [198.63.210.123,198.63.211.208,198.63.211.8,199.237.229.158,200.115.160.0/20,200.155.17.172,200.46.83.245,200.63.42.136,200.63.42.141,200.63.42.81]
> any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network
> Monitored Domains - BLOCKING (14)";
> reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork;
> threshold: type limit, track by_src, seconds 60, count 1;
> classtype:misc-attack; sid:2407013; rev:101; fwsam: src, 24 hours;)
>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From phatbuckett at gmail.com Fri Jan 9 19:43:40 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Fri, 9 Jan 2009 17:43:40 -0700
Subject: [Emerging-Sigs] 2008665 content match
Message-ID: <839aec700901091643i5bf284b3gd824e09e1e1fc255@mail.gmail.com>

Current rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Obfiscator.vc or Related Infection Checkin"; flow:established,to_server; uricontent:"btn="; content:"|0d 0a|Pragma\: no-cache|0d 0a 0d 0a|SOFT"; classtype:trojan-activity; sid:2008665; rev:2;)

I caught this request today, which lacks the Pragma header but uses Cache-Control:

-----------
POST /baasseulu/nehyaq.php?btn=pc1_00436655&q=mix3 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 3876373tr.org
Content-Length: 564
Connection: Keep-Alive
Cache-Control: no-cache

SOFT,...?.?^M....???.???&?.....
-----------

Maybe this rule works:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Obfiscator.vc or Related Infection Checkin"; flow:established,to_server; uricontent:"btn="; uricontent:"q="; content:"|0d 0a 0d 0a|SOFT"; classtype:trojan-activity; sid:2008665; rev:3;)

Also, is the above actually Zbot/Zeus?

http://www.threatexpert.com/report.aspx?md5=623a5a90adb79e01b2b29fac13aef26f

2008661 identifies a very similar request as Zbot:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus HTTP POST"; flow:to_server,established; content:"POST "; depth:5; uricontent:".php?"; uricontent:"zip="; uricontent:"type="; uricontent:"name="; uricontent:"q="; uricontent:"item="; uricontent:"id="; uricontent:"rdp="; classtype:trojan-activity; sid:2008661; rev:1;)

POST /baasseulu/nehyaq.php?zip=pc1_003c4571&type=0&name=16843776&q=mix3&item=281&id=0&rdp=0 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 3876373tr.org
Content-Length: 0
Connection: Keep-Alive
Pragma: no-cache

-- 
Darren Spruell
phatbuckett at gmail.com

From emerging at emergingthreats.net Sat Jan 10 16:00:08 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 10 Jan 2009 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090110210008.B470245026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Jan 10 16:00:08 2009 [***]

[///] Modified active rules: [///]

2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET
RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) 
(emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business 
Network Monitored Domains (53) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules) 2406074 - ET 
RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network Monitored Domains (96) 
(emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules) 2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules) 2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules) 2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules) 2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules) 2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules) 2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules) 2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules) 2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules) 2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules) 2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules) 2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules) 2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules) 2406117 - ET RBN Known 
Russian Business Network Monitored Domains (118) (emerging-rbn.rules) 2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules) 2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules) 2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules) 2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules) 2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules) 2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules) 2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules) 2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules) 2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules) 2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules) 2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules) 2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules) 2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules) 2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules) 2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules) 2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules) 2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules) 2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules) 2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules) 2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules) 2406138 - ET RBN Known Russian Business Network Monitored Domains 
(139) (emerging-rbn.rules) 2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules) 2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules) 2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules) 2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules) 2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules) 2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules) 2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules) 2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules) 2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules) 2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules) 2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules) 2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules) 2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules) 2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules) 2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules) 2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules) 2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules) 2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules) 2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules) 2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules) 2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules) 2406160 - ET RBN 
Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules) 2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules) 2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules) 2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules) 2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules) 2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules) 2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules) 2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules) 2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules) 2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules) 2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules) 2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules) 2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules) 2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules) 2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules) 2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules) 2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules) 2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules) 2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules) 2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules) 2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules) 2406181 - ET RBN Known Russian Business Network Monitored 
Domains (182) (emerging-rbn.rules) 2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules) 2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules) 2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules) 2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules) 2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules) 2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules) 2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules) 2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules) 2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules) 2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules) 2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules) 2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules) 2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules) 2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules) 2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules) 2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules) 2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules) 2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules) 2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules) 2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules) 2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules) 2406203 - 
ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules) 2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules) 2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules) 2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules) 2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules) 2406208 - ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business 
Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 
2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian 
Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules)
2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules)
2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules)
2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules)
2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules)
2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules)
2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules)
2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules)
2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules)
2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules)
2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules)
2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules)
2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules)
2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules)
2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules)
2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules)
2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules)
2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules)
2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules)
2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules)
2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules)
2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules)
2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules)
2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules)
2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules)
2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules)
2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules)
2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules)
2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules)
2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules)
2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules)
2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules)
2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules)
2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules)
2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules)
2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules)
2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules)
2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules)
2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules)
2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules)
2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules)
2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules)
2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules)
2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules)
2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules)
2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules)
2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules)
2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules)
2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules)
2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules)
2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules)
2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules)
2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules)
2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules)
2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules)
2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules)
2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules)
2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules)
2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules)
2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules)
2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules)
2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules)
2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules)
2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules)
2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules)
2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules)
2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules)
2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules)
2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules)
2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules)
2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules)
2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules)
2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules)
2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules)
2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules)
2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules)
2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules)
2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules)
2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules)
2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules)
2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules)
2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules)
2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules)
2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules)
2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules)
2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules)
2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules)
2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules)
2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules)
2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules)
2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules)
2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules)
2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules)
2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules)
2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules)
2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules)
2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules)
2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules)
2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules)
2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules)
2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules)
2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules)
2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules)
2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) (emerging-rbn-BLOCK.rules)
2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules)
2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) (emerging-rbn-BLOCK.rules)
2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules)
2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules)
2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules)
2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules)
2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) (emerging-rbn-BLOCK.rules)
2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules)
2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules)
2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) (emerging-rbn-BLOCK.rules)
2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules)
2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules)
2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules)
2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules)
2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules)
2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules)
2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules)
2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) (emerging-rbn-BLOCK.rules)
2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules)
2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) (emerging-rbn-BLOCK.rules)
2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules)
2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules)
2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules)
2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules)
2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) (emerging-rbn-BLOCK.rules)
2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules)
2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules)
2407199 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) (emerging-rbn-BLOCK.rules)
2407200 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) (emerging-rbn-BLOCK.rules)
2407201 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) (emerging-rbn-BLOCK.rules)
2407202 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) (emerging-rbn-BLOCK.rules)
2407203 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) (emerging-rbn-BLOCK.rules)
2407204 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) (emerging-rbn-BLOCK.rules)
2407205 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) (emerging-rbn-BLOCK.rules)
2407206 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) (emerging-rbn-BLOCK.rules)
2407207 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) (emerging-rbn-BLOCK.rules)
2407208 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) (emerging-rbn-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 102
# Updated 2009-01-09 16:52:41

-> Added to emerging-rbn.rules (2):
# VERSION 102
# Updated 2009-01-09 16:52:41

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 101
# Updated 2009-01-08 09:33:27

-> Removed from emerging-rbn.rules (2):
# VERSION 101
# Updated 2009-01-08 09:33:27

From emerging at emergingthreats.net Sat Jan 10 18:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 10 Jan 2009 18:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20090110230009.ACA3545026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Jan 10 18:00:09 2009 [***]

[+++] Added rules: [+++]

2008382 - ET TROJAN Piptea.a Related Trojan Checkin (1) (emerging-virus.rules)
2008383 - ET TROJAN Piptea.a Related Trojan Checkin (2) (emerging-virus.rules)
2008384 - ET TROJAN Piptea.a Related Trojan Checkin (3) (emerging-virus.rules)
2008962 - ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion (emerging-web_sql_injection.rules)
2008972 - ET TROJAN Pointfree.co.kr Trojan/Spyware Infection Checkin (emerging-virus.rules)
2008973 - ET MALWARE onmuz.com Infection Activity (emerging-virus.rules)
2008974 - ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible)) (emerging-malware.rules)
2008975 - ET TROJAN Malformed Double Accept header - Likely Trojan-PWS.Win32.QQPass (emerging-virus.rules)
2008976 - ET TROJAN Vundo Variant reporting to Controller via HTTP (1) (emerging-virus.rules)
2008977 - ET TROJAN Vundo Variant reporting to Controller via HTTP (2) (emerging-virus.rules)
2008983 - ET MALWARE Suspicious User Agent (BlackSun) (emerging-malware.rules)
2008984 - ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report (emerging-virus.rules)
2008985 - ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection (emerging-policy.rules)
2008986 - ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection (emerging-policy.rules)
2008987 - ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection (emerging-policy.rules)
2008988 - ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection (emerging-policy.rules)
2008989 - ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection (emerging-policy.rules)
2008990 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 (emerging.rules)
2008991 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check (emerging.rules)
2008992 - ET WEB_SPECIFIC phpAddEdit editform parameter Local File Inclusion (emerging-web_sql_injection.rules)
2008993 - ET WEB_ACTIVEX Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow (emerging-web.rules)
2008994 - ET WEB_SPECIFIC Multiple Membership Script id parameter SQL injection (emerging-web_sql_injection.rules)
2008995 - ET WEB_SPECIFIC CF_Calendar calid parameter SQL Injection (emerging-web_sql_injection.rules)
2008996 - ET WEB_SPECIFIC Simple Text-File Login script slogin_path parameter remote file inclusion (emerging-web_sql_injection.rules)
2008997 - ET WEB_SPECIFIC icash Click&BaneX user_menu.asp ID parameter SQL Injection (emerging-web_sql_injection.rules)
2008998 - ET WEB_SPECIFIC EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection (emerging-web_sql_injection.rules)
2008999 - ET WEB_ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow (emerging-web.rules)
2009000 - ET WEB_SPECIFIC RSS Simple News news.php pid parameter Remote SQL Injection (emerging-web_sql_injection.rules)
2009001 - ET POLICY Login Credentials Possibly Passed in URI (emerging-policy.rules)
2009002 - ET WEB_ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow (emerging-web.rules)
2009003 - ET TROJAN Win32/Korklic.A (emerging-virus.rules)
2009004 - ET POLICY Login Credentials Possibly Passed in POST Data (emerging-policy.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules)
2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules)
2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules)
2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules)
2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules)
2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules)
2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules)
2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules)
2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules)
2406208 - ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules)
2407199 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) (emerging-rbn-BLOCK.rules)
2407200 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) (emerging-rbn-BLOCK.rules)
2407201 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) (emerging-rbn-BLOCK.rules)
2407202 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) (emerging-rbn-BLOCK.rules)
2407203 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) (emerging-rbn-BLOCK.rules)
2407204 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) (emerging-rbn-BLOCK.rules)
2407205 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) (emerging-rbn-BLOCK.rules)
2407206 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) (emerging-rbn-BLOCK.rules)
2407207 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) (emerging-rbn-BLOCK.rules)
2407208 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

2001219 - ET SCAN Potential SSH Scan (emerging-scan.rules)
2002750 - ET POLICY Reserved IP Space Traffic - Bogon Nets 2 (emerging-policy.rules)
2003068 - ET SCAN Potential SSH Scan OUTBOUND (emerging-scan.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules)
2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules)
2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules)
2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules)
2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules)
2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules)
2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules)
2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules)
2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules)
2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules)
2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules)
2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules)
2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules)
2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules)
2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules)
2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules)
2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules)
2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules)
2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules)
2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules)
2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules)
2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules)
2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules)
2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules)
2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules)
2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules)
2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules)
2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules)
2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules)
2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules)
2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules)
2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules)
2406141 - ET RBN Known
Russian Business Network Monitored Domains (142) (emerging-rbn.rules) 2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules) 2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules) 2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules) 2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules) 2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules) 2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules) 2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules) 2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules) 2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules) 2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules) 2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules) 2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules) 2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules) 2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules) 2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules) 2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules) 2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules) 2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules) 2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules) 2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules) 2406162 - ET RBN Known Russian Business Network Monitored Domains 
(163) (emerging-rbn.rules) 2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules) 2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules) 2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules) 2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules) 2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules) 2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules) 2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules) 2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules) 2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules) 2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules) 2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules) 2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules) 2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules) 2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules) 2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules) 2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules) 2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules) 2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules) 2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules) 2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules) 2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules) 2406184 - ET RBN 
Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules) 2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules) 2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules) 2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules) 2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules) 2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules) 2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules) 2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules) 2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules) 2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules) 2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules) 2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules) 2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules) 2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules) 2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) 
(emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET 
RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) 
(emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) 
(emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) 
(emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules) 2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) 
(emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) (emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules) 2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) (emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) 
(emerging-rbn-BLOCK.rules)
2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules)
2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) (emerging-rbn-BLOCK.rules)
2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules)
2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) (emerging-rbn-BLOCK.rules)
2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules)
2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules)
2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules)
2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules)
2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) (emerging-rbn-BLOCK.rules)
2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules)
2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules)

[---] Removed rules: [---]

2001662 - ET MALWARE MyWebSearch Toolbar Traffic (Agent) (emerging-malware.rules)
2001663 - ET MALWARE MyWebSearch Toolbar Traffic (host) (emerging-malware.rules)
2002818 - ET MALWARE MyWebSearch Toolbar Traffic (general download) (emerging-malware.rules)
2002819 - ET MALWARE MyWebSearch Toolbar Traffic (bin download) (emerging-malware.rules)
2008382 - ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1) (emerging.rules)
2008383 - ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2) (emerging.rules)
2008384 - ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3) (emerging.rules)
2008844 - ET TROJAN Mydoom.O at mm HTTP Checkin (emerging-virus.rules)
2008982 - ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion (emerging-web_sql_injection.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-drop-BLOCK.rules (2):
# VERSION 1415
# Generated 2009-01-10 00:03:03 EDT

-> Added to emerging-drop.rules (2):
# VERSION 1415
# Generated 2009-01-10 00:03:03 EDT

-> Added to emerging-policy.rules (3):
# these services aren't bad inherently, but are often used by trojans to get their external IP
#by jack pepper
#disabled by default for possiblity of false positives. Use only if needed

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 102
# Updated 2009-01-09 16:52:41

-> Added to emerging-rbn.rules (2):
# VERSION 102
# Updated 2009-01-09 16:52:41

-> Added to emerging-sid-msg.map (98):
2008382 || ET TROJAN Piptea.a Related Trojan Checkin (1)
2008383 || ET TROJAN Piptea.a Related Trojan Checkin (2)
2008384 || ET TROJAN Piptea.a Related Trojan Checkin (3)
2008962 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
2008972 || ET TROJAN Pointfree.co.kr Trojan/Spyware Infection Checkin
2008973 || ET MALWARE onmuz.com Infection Activity
2008974 || ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible))
2008975 || ET TROJAN Malformed Double Accept header - Likely Trojan-PWS.Win32.QQPass
2008976 || ET TROJAN Vundo Variant reporting to Controller via HTTP (1)
2008977 || ET TROJAN Vundo Variant reporting to Controller via HTTP (2)
2008983 || ET MALWARE Suspicious User Agent (BlackSun) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html
2008984 || ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report
2008985 || ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection
2008986 || ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection
2008987 || ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection
2008988 || ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection
2008989 || ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection
2008990 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 || url,isc.sans.org/diary.html?storyid=5599
2008991 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check || url,isc.sans.org/diary.html?storyid=5599
2008992 || ET WEB_SPECIFIC phpAddEdit editform parameter Local File Inclusion || bugtraq,32774 || url,milw0rm.com/exploits/7417
2008993 || ET WEB_ACTIVEX Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow || bugtraq,32613 || url,www.milw0rm.com/exploits/7431
2008994 || ET WEB_SPECIFIC Multiple Membership Script id parameter SQL injection || url,milw0rm.com/exploits/7346 || url,secunia.com/advisories/33019/
2008995 || ET WEB_SPECIFIC CF_Calendar calid parameter SQL Injection || url,milw0rm.com/exploits/7413 || url,secunia.com/advisories/33074/
2008996 || ET WEB_SPECIFIC Simple Text-File Login script slogin_path parameter remote file inclusion || url,milw0rm.com/exploits/7444 || bugtraq,32811
2008997 || ET WEB_SPECIFIC icash Click&BaneX user_menu.asp ID parameter SQL Injection || bugtraq,32856 || url,milw0rm.com/exploits/7484
2008998 || ET WEB_SPECIFIC EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection || url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt || url,secunia.com/advisories/33199/
2008999 || ET WEB_ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow || url,www.milw0rm.com/exploits/7460 || bugtraq,32814
2009000 || ET WEB_SPECIFIC RSS Simple News news.php pid parameter Remote SQL Injection || bugtraq,32962 || url,www.milw0rm.com/exploits/7541
2009001 || ET POLICY Login Credentials Possibly Passed in URI
2009002 || ET WEB_ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow || url,www.milw0rm.com/exploits/7505 || bugtraq,32901
2009003 || ET TROJAN Win32/Korklic.A
2009004 || ET POLICY Login Credentials Possibly Passed in POST Data
2404006 || ET DROP Known Bot C&C Server Traffic (group 7) || url,www.shadowserver.org
2404007 || ET DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org
2404008 || ET DROP Known Bot C&C Server Traffic (group 9) || url,www.shadowserver.org
2404009 || ET DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org
2404010 || ET DROP Known Bot C&C Server Traffic (group 11) || url,www.shadowserver.org
2404011 || ET DROP Known Bot C&C Server Traffic (group 12) || url,www.shadowserver.org
2404012 || ET DROP Known Bot C&C Server Traffic (group 13) || url,www.shadowserver.org
2404013 || ET DROP Known Bot C&C Server Traffic (group 14) || url,www.shadowserver.org
2404014 || ET DROP Known Bot C&C Server Traffic (group 15) || url,www.shadowserver.org
2404015 || ET DROP Known Bot C&C Server Traffic (group 16) || url,www.shadowserver.org
2404016 || ET DROP Known Bot C&C Server Traffic (group 17) || url,www.shadowserver.org
2404017 || ET DROP Known Bot C&C Server Traffic (group 18) || url,www.shadowserver.org
2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org
2405006 || ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org
2405007 || ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org
2405008 || ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE || url,www.shadowserver.org
2405009 || ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org
2405010 || ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE || url,www.shadowserver.org
2405011 || ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE || url,www.shadowserver.org
2405012 || ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE || url,www.shadowserver.org
2405013 || ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE || url,www.shadowserver.org
2405014 || ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE || url,www.shadowserver.org
2405015 || ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE || url,www.shadowserver.org
2405016 || ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE || url,www.shadowserver.org
2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org
2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org
2406199 || ET RBN Known Russian Business Network Monitored Domains (200) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406200 || ET RBN Known Russian Business Network Monitored Domains (201) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406201 || ET RBN Known Russian Business Network Monitored Domains (202) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406202 || ET RBN Known Russian Business Network Monitored Domains (203) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406203 || ET RBN Known Russian Business Network Monitored Domains (204) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406204 || ET RBN Known Russian Business Network Monitored Domains (205) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406205 || ET RBN Known Russian Business Network Monitored Domains (206) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406206 || ET RBN Known Russian Business Network Monitored Domains (207) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406207 || ET RBN Known Russian Business Network Monitored Domains (208) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406208 || ET RBN Known Russian Business Network Monitored Domains (209) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407199 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407200 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407201 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407202 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407203 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407204 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407205 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407206 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407207 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407208 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500067 || ET COMPROMISED Known Compromised or Hostile Host Traffic (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500068 || ET COMPROMISED Known Compromised or Hostile Host Traffic (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500069 || ET COMPROMISED Known Compromised or Hostile Host Traffic (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500073 || ET COMPROMISED Known Compromised or Hostile Host Traffic (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500074 || ET COMPROMISED Known Compromised or Hostile Host Traffic (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (98):
2008382 || ET TROJAN Piptea.a Related Trojan Checkin (1)
2008383 || ET TROJAN Piptea.a Related Trojan Checkin (2)
2008384 || ET TROJAN Piptea.a Related Trojan Checkin (3)
2008962 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
2008972 || ET TROJAN Pointfree.co.kr Trojan/Spyware Infection Checkin
2008973 || ET MALWARE onmuz.com Infection Activity
2008974 || ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible))
2008975 || ET TROJAN Malformed Double Accept header - Likely Trojan-PWS.Win32.QQPass
2008976 || ET TROJAN Vundo Variant reporting to Controller via HTTP (1)
2008977 || ET TROJAN Vundo Variant reporting to Controller via HTTP (2)
2008983 || ET MALWARE Suspicious User Agent (BlackSun) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html
2008984 || ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report
2008985 || ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection
2008986 || ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection
2008987 || ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection
2008988 || ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection
2008989 || ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection
2008990 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 || url,isc.sans.org/diary.html?storyid=5599
2008991 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check || url,isc.sans.org/diary.html?storyid=5599
2008992 || ET WEB_SPECIFIC phpAddEdit editform parameter Local File Inclusion || bugtraq,32774 || url,milw0rm.com/exploits/7417
2008993 || ET WEB_ACTIVEX Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow || bugtraq,32613 || url,www.milw0rm.com/exploits/7431
2008994 || ET WEB_SPECIFIC Multiple Membership Script id parameter SQL injection || url,milw0rm.com/exploits/7346 || url,secunia.com/advisories/33019/
2008995 || ET WEB_SPECIFIC CF_Calendar calid parameter SQL Injection || url,milw0rm.com/exploits/7413 || url,secunia.com/advisories/33074/
2008996 || ET WEB_SPECIFIC Simple Text-File Login script slogin_path parameter remote file inclusion || url,milw0rm.com/exploits/7444 || bugtraq,32811
2008997 || ET WEB_SPECIFIC icash Click&BaneX user_menu.asp ID parameter SQL Injection || bugtraq,32856 || url,milw0rm.com/exploits/7484
2008998 || ET WEB_SPECIFIC EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection || url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt || url,secunia.com/advisories/33199/
2008999 || ET WEB_ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow || url,www.milw0rm.com/exploits/7460 || bugtraq,32814
2009000 || ET WEB_SPECIFIC RSS Simple News news.php pid parameter Remote SQL Injection || bugtraq,32962 || url,www.milw0rm.com/exploits/7541
2009001 || ET POLICY Login Credentials Possibly Passed in URI
2009002 || ET WEB_ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow || url,www.milw0rm.com/exploits/7505 || bugtraq,32901
2009003 || ET TROJAN Win32/Korklic.A
2009004 || ET POLICY Login Credentials Possibly Passed in POST Data
2404006 || ET DROP Known Bot C&C Server Traffic (group 7) || url,www.shadowserver.org
2404007 || ET DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org
2404008 || ET DROP Known Bot C&C Server Traffic (group 9) || url,www.shadowserver.org
2404009 || ET DROP Known Bot C&C Server Traffic (group 10) || url,www.shadowserver.org
2404010 || ET DROP Known Bot C&C Server Traffic (group 11) || url,www.shadowserver.org
2404011 || ET DROP Known Bot C&C Server Traffic (group 12) || url,www.shadowserver.org
2404012 || ET DROP Known Bot C&C Server Traffic (group 13) || url,www.shadowserver.org
2404013 || ET DROP Known Bot C&C Server Traffic (group 14) || url,www.shadowserver.org
2404014 || ET DROP Known Bot C&C Server Traffic (group 15) || url,www.shadowserver.org
2404015 || ET DROP Known Bot C&C Server Traffic (group 16) || url,www.shadowserver.org
2404016 || ET DROP Known Bot C&C Server Traffic (group 17) || url,www.shadowserver.org
2404017 || ET DROP Known Bot C&C Server Traffic (group 18) || url,www.shadowserver.org
2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org
2405006 || ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org
2405007 || ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org
2405008 || ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE || url,www.shadowserver.org
2405009 || ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org
2405010 || ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE || url,www.shadowserver.org
2405011 || ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE || url,www.shadowserver.org
2405012 || ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE || url,www.shadowserver.org
2405013 || ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE || url,www.shadowserver.org
2405014 || ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE || url,www.shadowserver.org
2405015 || ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE || url,www.shadowserver.org
2405016 || ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE || url,www.shadowserver.org
2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org
2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org
2406199 || ET RBN Known Russian Business Network Monitored Domains (200) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406200 || ET RBN Known Russian Business Network Monitored Domains (201) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406201 || ET RBN Known Russian Business Network Monitored Domains (202) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406202 || ET RBN Known Russian Business Network Monitored Domains (203) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406203 || ET RBN Known Russian Business Network Monitored Domains (204) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406204 || ET RBN Known Russian Business Network Monitored Domains (205) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406205 || ET RBN Known Russian Business Network Monitored Domains (206) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406206 || ET RBN Known Russian Business Network Monitored Domains (207) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406207 || ET RBN Known Russian Business Network Monitored Domains (208) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2406208 || ET RBN Known Russian Business Network Monitored Domains (209) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407199 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407200 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407201 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407202 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407203 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407204 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407205 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407206 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407207 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407208 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2500065 || ET COMPROMISED Known Compromised or Hostile Host Traffic (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500066 || ET COMPROMISED Known Compromised or Hostile Host Traffic (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500067 || ET COMPROMISED Known Compromised or Hostile Host Traffic (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500068 || ET COMPROMISED Known Compromised or Hostile Host Traffic (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500069 || ET COMPROMISED Known Compromised or Hostile Host Traffic (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500070 || ET COMPROMISED Known Compromised or Hostile Host Traffic (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500073 || ET COMPROMISED Known Compromised or Hostile Host Traffic (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500074 || ET COMPROMISED Known Compromised or Hostile Host Traffic (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510065 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (66) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510066 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (67) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510067 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (68) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510068 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (69) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510069 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (70) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510070 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (71) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510073 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (74) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510074 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (75) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-virus.rules (4):
#by victort julien
#by pedro Marinho
#by Philipp Bescht, updates by Darren Spruel
#by Netmonk

-> Added to emerging.rules (4):
# New variant by Frank Knobbe
# GET /roundcube/bin/msgimport /rc/bin/msgimport /bin/msgimport /mail/bin/msgimport /webmail/bin/msgimport
# and GET /nonexistenshit
# Just using /bin/msgimport for simplicity

[---] Removed non-rule lines: [---]

-> Removed from emerging-drop-BLOCK.rules (2):
# VERSION 1408
# Generated 2009-01-03 00:03:02 EDT

-> Removed from emerging-drop.rules (2):
# VERSION 1408
# Generated 2009-01-03 00:03:02 EDT

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 96
# Updated 2008-12-29 11:46:50

-> Removed from emerging-rbn.rules (2):
# VERSION 96
# Updated 2008-12-29 11:46:50

-> Removed from emerging-sid-msg.map (9):
2001662 || ET MALWARE MyWebSearch Toolbar Traffic (Agent)
2001663 || ET MALWARE MyWebSearch Toolbar Traffic (host)
2002818 || ET MALWARE MyWebSearch Toolbar Traffic (general download)
2002819 || ET MALWARE MyWebSearch Toolbar Traffic (bin download)
2008382 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)
2008383 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)
2008384 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)
2008844 || ET TROJAN Mydoom.O at mm HTTP Checkin
2008982 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392

-> Removed from emerging-sid-msg.map.txt (9):
2001662 || ET MALWARE MyWebSearch Toolbar Traffic (Agent)
2001663 || ET MALWARE MyWebSearch Toolbar Traffic (host)
2002818 || ET MALWARE MyWebSearch Toolbar Traffic (general download)
2002819 || ET MALWARE MyWebSearch Toolbar Traffic (bin download)
2008382 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)
2008383 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)
2008384 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)
2008844 || ET TROJAN Mydoom.O at mm HTTP Checkin
2008982 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392

From scheidell at secnap.net Sun Jan 11 05:34:41 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Sun, 11 Jan 2009 05:34:41 -0500
Subject:
[Emerging-Sigs] [Fwd: alert: New event: ET COMPROMISED Known Compromised or Hostile Host Traffic (25)] Message-ID: <4969CB41.8030307@secnap.net> ip 202.103.0.117 is on list 25 and 26. -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 > *| *SECNAP Network Security Corporation * Certified SNORT Integrator * King of Spam Filters, SC Magazine 2008 * Information Security Award 2008, Info Security Products Guide * CRN Magazine Top 40 Emerging Security Vendors _________________________________________________________________________ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ _________________________________________________________________________ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090111/47216a43/attachment.html -------------- next part -------------- An embedded message was scrubbed... From: Success-AZ Alert Subject: alert: New event: ET COMPROMISED Known Compromised or Hostile Host Traffic (25) Date: Sun, 11 Jan 2009 03:31:29 -0700 (MST) Size: 2403 Url: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090111/47216a43/ETCOMPROMISEDKnownCompromisedorHostileHostTraffic25.eml -------------- next part -------------- An embedded message was scrubbed... 
From: Success-nj Alert Subject: alert: New event: ET COMPROMISED Known Compromised or Hostile Host Traffic (26) Date: Sun, 11 Jan 2009 05:29:38 -0500 (EST) Size: 2415 Url: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090111/47216a43/ETCOMPROMISEDKnownCompromisedorHostileHostTraffic26.eml From jonkman at jonkmans.com Sun Jan 11 09:39:22 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Sun, 11 Jan 2009 09:39:22 -0500 Subject: [Emerging-Sigs] [Fwd: alert: New event: ET COMPROMISED Known Compromised or Hostile Host Traffic (25)] In-Reply-To: <4969CB41.8030307@secnap.net> References: <4969CB41.8030307@secnap.net> Message-ID: <496A049A.6020909@jonkmans.com> Hmmm, I'm not seeing that, but it may have been in yesterday's list and gone today. What rev were you on there? Matt Michael Scheidell wrote: > ip 202.103.0.117 > > > is on list 25 and 26. > > > > -- > Michael Scheidell, CTO > Phone: 561-999-5000, x 1259 >> *| *SECNAP Network Security Corporation > > * Certified SNORT Integrator > * King of Spam Filters, SC Magazine 2008 > * Information Security Award 2008, Info Security Products Guide > * CRN Magazine Top 40 Emerging Security Vendors > > > ------------------------------------------------------------------------ > > This email has been scanned and certified safe by SpammerTrap?. 
> For Information please see www.secnap.com/products/spammertrap/ > > > ------------------------------------------------------------------------ > > > ------------------------------------------------------------------------ > > Subject: > alert: New event: ET COMPROMISED Known Compromised or Hostile Host > Traffic (25) > From: > Success-AZ Alert > Date: > Sun, 11 Jan 2009 03:31:29 -0700 (MST) > To: > security-alert at success-az.hackertrap.net > > To: > security-alert at success-az.hackertrap.net > > > 01/11-03:31:01 UDP 202.103.0.117:53 > > --> 10.4.30.205:51107 > > [1:2500024:1389] ET > COMPROMISED Known Compromised or Hostile Host Traffic (25) > [Classification: Misc Attack] [Priority: 2] > ------------------------------------------------------------------------ > > Subject: > alert: New event: ET COMPROMISED Known Compromised or Hostile Host > Traffic (26) > From: > Success-nj Alert > Date: > Sun, 11 Jan 2009 05:29:38 -0500 (EST) > To: > security-alert at success-nj.hackertrap.net > > To: > security-alert at success-nj.hackertrap.net > > > 01/11-05:15:30 UDP 202.103.0.117:53 > > --> 170.224.103.142:50813 > > [1:2500025:1391] ET > COMPROMISED Known Compromised or Hostile Host Traffic (26) > [Classification: Misc Attack] [Priority: 2] > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Sun Jan 11 10:00:34 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Sun, 11 Jan 2009 10:00:34 -0500 Subject: [Emerging-Sigs] 2008665 content match In-Reply-To: 
<839aec700901091643i5bf284b3gd824e09e1e1fc255@mail.gmail.com> References: <839aec700901091643i5bf284b3gd824e09e1e1fc255@mail.gmail.com> Message-ID: <496A0992.5000402@jonkmans.com> Darren Spruell wrote: > > ----------- > POST /baasseulu/nehyaq.php?btn=pc1_00436655&q=mix3 HTTP/1.1 > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) > Host: 3876373tr.org > Content-Length: 564 > Connection: Keep-Alive > Cache-Control: no-cache > > SOFT,...?.?^M....???.???&?..... > ----------- > > Maybe this rule works: > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN > Obfiscator.vc or Related Infection Checkin"; > flow:established,to_server; uricontent:"btn="; uricontent:"q="; > content:"|0d 0a 0d 0a|SOFT"; classtype:trojan-activity; sid:2008665; > rev:3;) Agreed, good change, thanks Darren. Posting now. > > Also, is the above actually Zbot/Zeus? > > http://www.threatexpert.com/report.aspx?md5=623a5a90adb79e01b2b29fac13aef26f > > 2008661 identifies a very similar request as Zbot: > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN > Zbot/Zeus HTTP POST"; flow:to_server,established; content:"POST "; > depth:5; uricontent:".php?"; uricontent:"zip="; uricontent:"type="; > uricontent:"name="; uricontent:"q="; uricontent:"item="; > uricontent:"id="; uricontent:"rdp="; classtype:trojan-activity; > sid:2008661; rev:1;) It's possible, but there are enough dissimilarities that make you wonder. But either way, we have sigs for both. Break out the AV! 
:) Matt

>
> POST /baasseulu/nehyaq.php?zip=pc1_003c4571&type=0&name=16843776&q=mix3&item=281&id=0&rdp=0 HTTP/1.0
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> Host: 3876373tr.org
> Content-Length: 0
> Connection: Keep-Alive
> Pragma: no-cache
>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com  Sun Jan 11 10:11:54 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sun, 11 Jan 2009 10:11:54 -0500
Subject: [Emerging-Sigs] [Fwd: RE: alert: New event: ET TROJAN Srizbi registering with controller]
In-Reply-To: <4967B52F.6050105@secnap.net>
References: <4967B52F.6050105@secnap.net>
Message-ID: <496A0C3A.8040005@jonkmans.com>

Michael Scheidell wrote:
> wondering if the original link which shows the target port to be 4099 is
> still true, or did this morph?

Yes, it's definitely using other ports now. Here's the sig active now:

alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Srizbi registering with controller"; dsize:20; content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/ronpaul/; sid:2007711; rev:4;)

>
> alert udp any 1024: -> any 4099 (msg:"Trojan.Srizbi registering with
> controller";
> dsize:20; content:"|2d|"; offset:6; content:"|2d|"; distance:6;
> within:1;
> classtype:trojan-activity;
> reference:url,www.secureworks.com/research/threats/srizbispam;
> sid:100000001;
> rev:1;)

Are you seeing FPs?

Thanks!

Matt

>
> alert tcp any any -> any 4099 (msg:"Trojan.Srizbi requesting template";
> content:"GET|20|/"; depth:5; content:"|0d0a|X-Flags|3a20|";
> within:200; content:"|0d0a|X-TM|3a20|"; within:20; content:"|0d0a|X-BI|3a20|"; within:20;
> reference:url,www.secureworks.com/research/threats/srizbispam;
> sid:100000002;
> rev:1;)
>
> current sig: (as you see from our log, the target port is 1033... not
> 4099.. and in fact, this sorta looks like MAYBE 1033 is the source
> (>1024) port and 4743 is the target.
>
> /etc/snort/rules/emerging-virus.rules:alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Srizbi registering with controller"; dsize:20; content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/ronpaul/; sid:2007711; rev:4;)
> /etc/snort/rules/sid-msg.map:2007711 || ET TROJAN Srizbi registering with controller || url,www.secureworks.com/research/threats/ronpaul/
>
> 01/09-14:51:28 UDP 192.168.200.103:4737 --> 12.149.76.125:1033 [1:2007711:4] ET TROJAN Srizbi registering with controller [Classification: A Network Trojan was detected] [Priority: 1]
>
> --
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
> *| *SECNAP Network Security Corporation
>
> * Certified SNORT Integrator
> * King of Spam Filters, SC Magazine 2008
> * Information Security Award 2008, Info Security Products Guide
> * CRN Magazine Top 40 Emerging Security Vendors
>
> ------------------------------------------------------------------------
>
> This email has been scanned and certified safe by SpammerTrap?.
> For Information please see www.secnap.com/products/spammertrap/
>
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From dxp2532 at gmail.com  Sun Jan 11 10:16:37 2009
From: dxp2532 at gmail.com (dxp)
Date: Sun, 11 Jan 2009 10:16:37 -0500
Subject: [Emerging-Sigs] Detecting Windows executables
In-Reply-To:
References: <1227060562.29786.3.camel@kinta>
Message-ID: <1231686997.6418.11.camel@kinta>

Small update. SO rule has been running for a while now without any problems and has picked up Exe's where I didn't expect to see them. If anyone used it I'd appreciate comments on your experience.
Text rule, small description
http://dxp2532.blogspot.com/2009/01/pe-offsets-within-malware.html

To avoid implementing individual rules a catchall could be:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE under 128)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,<,128,58,relative,little; content:"PE|00 00|"; rawbytes; within:130; sid:XXXXXX; rev:1;)

And two more to make sure we cover offsets above 128:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 160)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,160,58,relative,little; content:"PE|00 00|"; rawbytes; within:162; sid:XXXXXX; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 512)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,512,58,relative,little; content:"PE|00 00|"; rawbytes; within:514; sid:XXXXXX; rev:1;)

-
-=[ dxp ]=-
0xA3F3C6E3

On Tue, 2008-11-18 at 21:40 -0600, Martin Holste wrote:
> Wow, very helpful findings! Thanks for checking that out. I updated
> all of my executable sigs to allow for more depth between the MZ and
> the PE (I cranked it all the way to the MTU, though that's probably
> overkill based on your findings). I look forward to incorporating
> your SO rules when you think they're ready.
>
> It sounds like it would be worth alerting on any exe that has a PE
> header before 128 bytes, though I'm sure a few legit files would pop
> out of the woodwork. Mega bonus points for an SO rule that can alert
> based on the amount of entropy of the file sections!
>
> --Martin
>
>
> On Tue, Nov 18, 2008 at 8:09 PM, dxp wrote:
>
> Changed "flow_depth" from 0 to 50 and the SO rule failed to
> alert on executables within ports specified in the
> preprocessor. It appears then that the SO rules have the same
> properties as regular rules but with more detection
> flexibility.
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
>
> On Tue, 2008-11-18 at 13:15 -0600, Martin Holste wrote:
> >
> > On a related note, check out the possible evasion technique
> > of padding the PE header 512 bytes from this rogue
> > anti-virus download (MD5 :b1186e40473ebfe57d2738b02504eea1).
> >
> > 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d  HTTP/1.1 200 OK.
> > 0a 44 61 74 65 3a 20 54 75 65 2c 20 31 38 20 4e  .Date: Tue, 18 N
> > 6f 76 20 32 30 30 38 20 31 33 3a 30 33 3a 35 33  ov 2008 13:03:53
> > 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70   GMT..Server: Ap
> > 61 63 68 65 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66  ache..Last-Modif
> > 69 65 64 3a 20 54 75 65 2c 20 31 38 20 4e 6f 76  ied: Tue, 18 Nov
> > 20 32 30 30 38 20 31 30 3a 33 37 3a 32 39 20 47   2008 10:37:29 G
> > 4d 54 0d 0a 45 54 61 67 3a 20 22 37 38 66 66 39  MT..ETag: "78ff9
> > 2d 32 38 30 30 30 2d 34 35 62 66 34 34 38 33 64  -28000-45bf4483d
> > 63 63 34 30 22 0d 0a 41 63 63 65 70 74 2d 52 61  cc40"..Accept-Ra
> > 6e 67 65 73 3a 20 62 79 74 65 73 0d 0a 43 6f 6e  nges: bytes..Con
> > 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 36 33  tent-Length: 163
> > 38 34 30 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a  840..Keep-Alive:
> > 20 74 69 6d 65 6f 75 74 3d 35 2c 20 6d 61 78 3d   timeout=5, max=
> > 34 39 39 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a  499..Connection:
> > 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e   Keep-Alive..Con
> > 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69  tent-Type: appli
> > 63 61 74 69 6f 6e 2f 78 2d 6d 73 64 6f 77 6e 6c  cation/x-msdownl
> > 6f 61 64 0d 0a 0d 0a 4d 5a 50 00 02 00 00 00 04  oad....MZP......
> > 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40  ...............@
> > 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 02 00 00 ba 10 00 0e 1f b4 09 cd 21  ...............!
> > b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67  ..L.!..This prog
> > 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20  ram must be run 
> > 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 08 95 00  under Win32.....
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 84  .......PE..L....
> >
> >
> > Or this one padded to 256 bytes (MD5:
> > 174685c2d8e38d34dfbe522faadceed4)
> >
> > 00000000  4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00  |MZP.............|
> > 00000010  b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00  |........@.......|
> > 00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
> > 00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00  |................|
> > 00000040  ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90  |........!..L.!..|
> > 00000050  54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73  |This program mus|
> > 00000060  74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57  |t be run under W|
> > 00000070  69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00  |in32..$7........|
> > 00000080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
> > *
> > 00000100  50 45 00 00 4c 01 03 00 19 5e 42 2a 00 00 00 00  |PE..L....^B*....|
> >
> > Is the magic byte offset due to the packer being used, or is
> > this a deliberate attempt to evade detection? Now here's
> > another thought: if this comes via HTTP and you're running
> > the HTTP preprocessor, what is your server flow depth set
> > at? If it's not at 0, there's a good chance you're missing
> > a lot of this. And with no stream reassembly on HTTP
> > preprocessed packets, good luck detecting anything padded
> > over your MTU. So, does anyone know if using the dynamic SO
> > rules would preempt the HTTP preprocessor and mitigate this
> > problem?
> >
> > --Martin
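The three byte_test rules above read e_lfanew, the little-endian 4-byte field 58 bytes past "MZ", and accept a few specific values; the quoted dumps show why the value matters. The following is an added example, not dxp's SO rule and not an ET rule: it applies the same check to a captured server response, reports which of the three rules would fire, and feeds it constructed samples (the HTTP framing, the stubs and the names are all made up here), including a 256-byte padding like Martin's second dump that none of the three values cover, and a capped buffer standing in for a low server_flow_depth.

```python
# Added example (not dxp's SO rule and not an ET rule): the same e_lfanew check the
# three byte_test rules make, applied to a captured server response in Python.
import struct
from typing import Optional

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
E_LFANEW_AT = 0x3C          # 2 bytes of "MZ" + the rules' 58-byte relative offset

# Constructed HTTP framing for the samples; not the capture from the thread.
HTTP_HEAD = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Type: application/x-msdownload\r\n\r\n")


def build_dos_stub(e_lfanew: int) -> bytes:
    """Constructed sample: DOS header whose e_lfanew points at a PE tag after padding."""
    assert e_lfanew >= E_LFANEW_AT + 4
    hdr = bytearray(MZ + b"\x00" * (E_LFANEW_AT - 2))
    hdr += struct.pack("<I", e_lfanew)                # little-endian, as byte_test ...,little
    hdr += b"\x00" * (e_lfanew - len(hdr))            # the padding Martin's dumps show
    return bytes(hdr) + PE_SIG + struct.pack("<H", 0x014C)   # IMAGE_FILE_MACHINE_I386


def pe_offset(data: bytes) -> Optional[int]:
    """e_lfanew of the first "MZ" in data whose e_lfanew really lands on PE\\0\\0, else None.

    Every "MZ" occurrence is tried, as Snort retries a content match; unlike the
    rules' loose `within`, the PE tag must sit exactly at e_lfanew.
    """
    pos = data.find(MZ)
    while pos != -1:
        field = pos + E_LFANEW_AT
        if len(data) >= field + 4:
            (e_lfanew,) = struct.unpack_from("<I", data, field)
            if data[pos + e_lfanew:pos + e_lfanew + 4] == PE_SIG:
                return e_lfanew
        pos = data.find(MZ, pos + 1)
    return None


def matching_rule(e_lfanew: int) -> Optional[str]:
    """Which of the three proposed ET POLICY rules alerts on this e_lfanew."""
    if e_lfanew < 128:
        return "PE under 128"
    if e_lfanew == 160:
        return "PE offset 160"
    if e_lfanew == 512:
        return "PE offset 512"
    return None     # gap: a 256-byte padding like the second dump hits none of them


def inspect(payload: bytes, delivered: Optional[int] = None) -> dict:
    """Classify a PE in payload; `delivered` caps the bytes examined, like server_flow_depth."""
    seen = payload if delivered is None else payload[:delivered]
    e_lfanew = pe_offset(seen)
    if e_lfanew is None:
        # A PE that is only visible in the full payload was cut off by the depth limit.
        return {"pe": False, "rule": None, "truncated": pe_offset(payload) is not None}
    return {"pe": True, "e_lfanew": e_lfanew,
            "rule": matching_rule(e_lfanew), "truncated": False}


# Constructed samples: one per rule, one in the uncovered gap.
SAMPLES = {name: HTTP_HEAD + build_dos_stub(n)
           for name, n in (("pad64", 64), ("pad160", 160), ("pad256", 256), ("pad512", 512))}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, inspect(buf))
    # Only the first 100 bytes inspected: e_lfanew itself lies beyond the limit.
    print("pad512 with depth 100", inspect(SAMPLES["pad512"], delivered=100))
```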
From emerging at emergingthreats.net  Sun Jan 11 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 11 Jan 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090111210009.241C145026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Jan 11 16:00:09 2009 [***]

[+++]          Added rules:          [+++]

    2406209 - ET RBN Known Russian Business Network Monitored Domains (210) (emerging-rbn.rules)
    2406210 - ET RBN Known Russian Business Network Monitored Domains (211) (emerging-rbn.rules)
    2406211 - ET RBN Known Russian Business Network Monitored Domains (212) (emerging-rbn.rules)
    2406212 - ET RBN Known Russian Business Network Monitored Domains (213) (emerging-rbn.rules)
    2407209 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (210) (emerging-rbn-BLOCK.rules)
    2407210 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (211) (emerging-rbn-BLOCK.rules)
    2407211 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (212) (emerging-rbn-BLOCK.rules)
    2407212 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (213) (emerging-rbn-BLOCK.rules)

[///]     Modified active rules:     [///]

    2008665 - ET TROJAN Obfiscator.vc or Related Infection Checkin (emerging-virus.rules)
    2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
    2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
    2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
    2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
    2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
    2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
    2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
    2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
    2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
    2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
    2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
    2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
    2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
    2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
    2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
    2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
    2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
    2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
    2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
    2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
    2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
    2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
    2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
    2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
    2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
    2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
    2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
    2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
    2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
    2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
    2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
    2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
    2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
    2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
    2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
    2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
    2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
    2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
    2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
    2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
    2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
    2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
    2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
    2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
    2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
    2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
    2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
    2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
    2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
    2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
    2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
    2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
    2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
    2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
    2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
    2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
    2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
    2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
    2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
    2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
    2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
    2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
    2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
    2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
    2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
    2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
    2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
    2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
    2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
    2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
    2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
    2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
    2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
    2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
    2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
    2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
    2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
    2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
    2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
    2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
    2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
    2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
    2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules)
    2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules)
    2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules)
    2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules)
    2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules)
    2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules)
    2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules)
    2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules)
    2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
    2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
    2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
    2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
    2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
    2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
    2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
    2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
    2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
    2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
    2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
    2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
    2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
    2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
    2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
    2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
    2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
    2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
    2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
    2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
    2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
    2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
    2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
    2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
    2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
    2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
    2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
    2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules)
    2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules)
    2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules)
    2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules)
    2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules)
    2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules)
    2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules)
    2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules)
    2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules)
    2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules)
    2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules)
    2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules)
    2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules)
    2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules)
    2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules)
    2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules)
    2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules)
    2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules)
    2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules)
    2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules)
    2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules)
    2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules)
    2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules)
    2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules)
    2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules)
    2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules)
    2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules)
    2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules)
    2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules)
    2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules)
    2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules)
    2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules)
    2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules)
    2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules)
    2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules)
    2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules)
    2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules)
    2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules)
    2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules)
    2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules)
    2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules)
    2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules)
    2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules)
    2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules)
    2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules)
    2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules)
    2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules)
    2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules)
    2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules)
    2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules)
    2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules)
    2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules)
    2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules)
    2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules)
    2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules)
    2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules)
    2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules)
    2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules)
    2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules)
    2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules)
    2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules)
    2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules)
    2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules)
    2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules)
    2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules)
    2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules)
    2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules)
    2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules)
    2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules)
    2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules)
    2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules)
    2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules)
    2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules)
    2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules)
    2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules)
    2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules)
    2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules)
    2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules)
    2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules)
    2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules)
    2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules)
    2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules)
    2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules)
    2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules)
    2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules)
    2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules)
    2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules)
    2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules)
    2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules)
    2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules)
    2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules)
    2406208 - ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules)
    2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
    2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
    2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
    2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
    2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
    2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
    2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
    2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
    2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
    2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
    2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
    2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
    2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
    2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
    2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
    2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
    2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
    2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
    2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
    2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
    2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
    2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
    2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
    2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
    2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
    2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
    2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
    2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
    2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)
    2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)
    2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules)
    2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules)
    2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules)
    2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules)
    2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules)
    2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules)
    2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules)
    2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules)
    2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules)
    2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules)
    2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules)
    2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules)
    2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules)
    2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules)
    2407044 - ET RBN Known Russian Business Network
Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) 
(emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) 
(emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) 
(emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules) 2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) 
(emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules) 2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) (emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules) 2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) 
(emerging-rbn-BLOCK.rules) 2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules) 2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) (emerging-rbn-BLOCK.rules) 2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules) 2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules) 2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules) 2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules) 2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) (emerging-rbn-BLOCK.rules) 2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules) 2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules) 2407199 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) (emerging-rbn-BLOCK.rules) 2407200 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) (emerging-rbn-BLOCK.rules) 2407201 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) (emerging-rbn-BLOCK.rules) 2407202 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) (emerging-rbn-BLOCK.rules) 2407203 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) (emerging-rbn-BLOCK.rules) 2407204 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) (emerging-rbn-BLOCK.rules) 2407205 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) (emerging-rbn-BLOCK.rules) 2407206 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) (emerging-rbn-BLOCK.rules) 2407207 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) 
(emerging-rbn-BLOCK.rules) 2407208 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) (emerging-rbn-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 103 # Updated 2009-01-10 21:59:57 -> Added to emerging-rbn.rules (2): # VERSION 103 # Updated 2009-01-10 21:59:57 -> Added to emerging-sid-msg.map (10): 2406209 || ET RBN Known Russian Business Network Monitored Domains (210) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406210 || ET RBN Known Russian Business Network Monitored Domains (211) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406211 || ET RBN Known Russian Business Network Monitored Domains (212) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406212 || ET RBN Known Russian Business Network Monitored Domains (213) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407209 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407210 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407211 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407212 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500075 || ET COMPROMISED Known Compromised or Hostile Host Traffic (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510075 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (10): 2406209 || ET RBN Known Russian Business Network Monitored Domains (210) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406210 || ET RBN Known Russian Business Network Monitored Domains (211) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406211 || ET RBN Known Russian Business Network Monitored Domains (212) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406212 || ET RBN Known Russian Business Network Monitored Domains (213) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407209 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407210 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407211 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407212 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500075 || ET COMPROMISED Known Compromised or Hostile Host Traffic (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510075 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-virus.rules (1): #by matt jonkman, updated by darren spruell [---] Removed non-rule lines: [---] -> Removed from emerging-rbn-BLOCK.rules (2): # VERSION 102 # Updated 2009-01-09 16:52:41 -> Removed from emerging-rbn.rules (2): # VERSION 102 # Updated 2009-01-09 16:52:41 -> Removed from emerging-sid-msg.map (4): 2404017 || ET DROP Known Bot C&C Server Traffic (group 18) || url,www.shadowserver.org 2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org 2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org 2405018 || ET 
DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org -> Removed from emerging-sid-msg.map.txt (4): 2404017 || ET DROP Known Bot C&C Server Traffic (group 18) || url,www.shadowserver.org 2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org 2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org 2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org From r.fulton at auckland.ac.nz Sun Jan 11 21:50:31 2009 From: r.fulton at auckland.ac.nz (Russell Fulton) Date: Mon, 12 Jan 2009 15:50:31 +1300 Subject: [Emerging-Sigs] ET TROJAN Blink.com related Backdoor Checkin Message-ID: I have a few machines triggering this rule and I am trying to find out just what sort of threat this is. It would seem that Blink.com is some sort of "enhanced web search" facility but I can't find any thing that indicates that there are any threats related to it. No references in the sig either... Here is what I'm seeing: GET /?vn=65562&partner=seekeen&ptag=SeeFreez&cid=55788f374f1 84260b143cd7cd7135f00&initial_install=1&b=Seekeen&se=1&au=1& am=0&pver=1&retries=0 HTTP/1.0..User-Agent: Mozilla/4.0 (com patible; MSIE 7.0; Windows NT 6.0)..Host: upgrade.seekeen.co m..Pragma: no-cache.... Russell -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4125 bytes Desc: not available Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090112/07b769ef/smime.bin From signatures at stillsecure.com Mon Jan 12 04:13:25 2009 From: signatures at stillsecure.com (signatures) Date: Mon, 12 Jan 2009 02:13:25 -0700 Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Jan-12 - 2009 Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C291D@webmail.latis.com> Hi Matt, Please find 10 New Signatures below: 1. 
WEB-PHP ClaSS export.php ftype parameter Information Disclosure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ClaSS export.php ftype parameter Information Disclosure"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/scripts/export.php?"; nocase; content:"ftype="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,secunia.com/advisories/33222; reference:bugtraq,32929; sid:2008014; rev:1;) 2. WEB-PHP Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/books/getConfig.php?"; nocase; content:"book_id="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7543 ; reference:bugtraq,32966; sid:2008015; rev:1;) 3. WEB-PHP Rematic CMS referenzdetail.php id parameter SQL Injection alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Rematic CMS referenzdetail.php id parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/referenzdetail.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33208/; reference:url,milw0rm.com/exploits/7502; sid:2008232; rev:1;) 4. 
WEB-PHP Rematic CMS produkte.php id parameter SQL Injection alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Rematic CMS produkte.php id parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/produkte.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33208/; reference:url,milw0rm.com/exploits/7502; sid:2008233; rev:1;) 5. WEB-PHP WebPhotoPro art.php idm Parameter SQL Injection alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebPhotoPro art.php idm Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/art.php"; nocase; uricontent:"idm="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; sid:2008224; rev:1;) 6. WEB-PHP WebPhotoPro rub.php idr Parameter SQL Injection alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebPhotoPro rub.php idr Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/rub.php"; nocase; uricontent:"idr="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; sid:2008225; rev:1;) 7. 
WEB-PHP WebPhotoPro galeri_info.php ida Parameter SQL Injection alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebPhotoPro galeri_info.php ida Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/galeri_info.php?"; nocase; uricontent:"ida="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; sid:2008226; rev:1;) 8. WEB-PHP WebPhotoPro galeri_info.php lang Parameter SQL Injection alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebPhotoPro galeri_info.php lang Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/galeri_info.php?"; nocase; uricontent:"lang="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; sid:2008226; rev:1;) 9. WEB-PHP WebPhotoPro rubrika.php idr Parameter SQL Injection alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebPhotoPro rubrika.php idr Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/rubrika.php?"; nocase; uricontent:"idr="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; sid:2008227; rev:1;) 10. 
WEB-PHP Text Lines Rearrange Script filename parameter File Disclosure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Text Lines Rearrange Script filename parameter File Disclosure"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/download.php?"; nocase; uricontent:"filename="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,securityfocus.com/bid/32968; reference:url,milw0rm.com/exploits/7542; sid:2008571; rev:1;) Looking forward for your comments if any... Thanks & Regards, StillSecure -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090112/7c6cd2d3/attachment-0001.html From jim.mcquaid at gmail.com Mon Jan 12 06:56:25 2009 From: jim.mcquaid at gmail.com (James McQuaid) Date: Mon, 12 Jan 2009 06:56:25 -0500 Subject: [Emerging-Sigs] blink.com Message-ID: In the past, blink.com was responsible for desktop pop up ads, and an Internet Explorer toolbar that delivered ads. James > From: Russell Fulton > Subject: [Emerging-Sigs] ET TROJAN Blink.com related Backdoor Checkin > To: Emerging Threats Signatures > Message-ID: > Content-Type: text/plain; charset="us-ascii" > > > I have a few machines triggering this rule and I am trying to find out > just what sort of threat this is. It would seem that Blink.com is > some sort of "enhanced web search" facility but I can't find any thing > that indicates that there are any threats related to it. > > No references in the sig either... > > Here is what I'm seeing: > > GET /?vn=65562&partner=seekeen&ptag=SeeFreez&cid=55788f374f1 > 84260b143cd7cd7135f00&initial_install=1&b=Seekeen&se=1&au=1& > am=0&pver=1&retries=0 HTTP/1.0..User-Agent: Mozilla/4.0 (com > patible; MSIE 7.0; Windows NT 6.0)..Host: upgrade.seekeen.co > m..Pragma: no-cache.... 
>
> Russell

--
James McQuaid
http://www.jamesmcquaid.com

From inittab at jtan.com Mon Jan 12 08:39:28 2009
From: inittab at jtan.com (RPG)
Date: Mon, 12 Jan 2009 08:39:28 -0500
Subject: [Emerging-Sigs] SIMBAR
Message-ID: <496B4810.3090006@jtan.com>

We're observing a User-Agent of "SIMBAR" from some systems that are visiting some dubious websites, including some in the RBN. Is anyone else seeing this, or does anyone know more about it?

Here's one log entry as an example:

10.10.10.1 - - [11/Jan/2009:21:13:40 +0000] "GET http://interplusclickDOTcom/v/we-content.php?cid=7614&uid=17925987307215260044&rnd=6492 HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TB Newsbar; SIMBAR={5CD00AFD-B724-4030-967C-7794EF25D5A2}; InfoPath.1; .NET CLR 2.0.50727)"

I'm not finding too much about SIMBAR on the web. Unless someone can tell me that this is of friendly nature I propose adding the following signature to the emerging-malware.rules. The "reference" might be a little weak but it's a starting point.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Simbar User-Agent detected"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"SIMBAR="; pcre:"/User-Agent\:[^\n]+\;\sSIMBAR=/"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805; threshold:type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:XXXXXXXXXXXXXXXXXXX; rev:1;)

From jonkman at jonkmans.com Mon Jan 12 10:05:46 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 12 Jan 2009 10:05:46 -0500
Subject: [Emerging-Sigs] SIMBAR
In-Reply-To: <496B4810.3090006@jtan.com>
References: <496B4810.3090006@jtan.com>
Message-ID: <496B5C4A.5000207@jonkmans.com>

Wow, interesting. Simbar was a spyware package from way back. If I recall right it was dying out when we FIRST started writing spyware signatures. Hence no rule for it. That's been 6 years, I wonder why the sudden revival?
Anyway, your sig looks good. I have another reference to add and will post it.

http://vil.nai.com/vil/content/v_131206.htm

Thanks!!

Matt

RPG wrote:
> We're observing a User-Agent of "SIMBAR" from some systems that are visiting some dubious websites including some in the RBN. Is anyone else seeing this or knows more about it?
> [...]

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Mon Jan 12 10:15:36 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 12 Jan 2009 10:15:36 -0500
Subject: [Emerging-Sigs] blink.com
Message-ID: <496B5E98.1000001@jonkmans.com>

The sigs are written not necessarily for the exact spyware site, but for the package. Sorry there's no reference there, many of them haven't much when we write the sigs.

I remember this one, we've seen the same code/server communication method used in at least 20 other spyware setups. They change the lure from free screensavers to flash games, free mp3's, whatever. Now we're in the days of fake search engines. The domains change of course but the code and method of communication stays the same.

Seekeen.com is definitely bad news.

http://www.prevx.com/filenames/X250485662624026297-X1/SEEKEEN2EEXE.html
http://www.spywaredoctorhelp.com/seekeenexe-removal/
http://www.greatis.com/appdata/d/s/seekeen.dll_Removal.htm

You definitely have infections.

Matt

James McQuaid wrote:
> In the past, blink.com was responsible for desktop pop up ads, and an Internet Explorer toolbar that delivered ads.
>
> James
>
>> From: Russell Fulton
>> Subject: [Emerging-Sigs] ET TROJAN Blink.com related Backdoor Checkin
>> [...]
>> GET /?vn=65562&partner=seekeen&ptag=SeeFreez&cid=55788f374f184260b143cd7cd7135f00&initial_install=1&b=Seekeen&se=1&au=1&am=0&pver=1&retries=0 HTTP/1.0..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)..Host: upgrade.seekeen.com..Pragma: no-cache....
>>
>> Russell

From emerging at emergingthreats.net Mon Jan 12 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 12 Jan 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090112210009.2693145026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Jan 12 16:00:09 2009 [***]

[+++] Added rules: [+++]

2009005 - ET TROJAN Simbar Spyware/Trojan User-Agent Detected (emerging-virus.rules)
2009006 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 (emerging.rules)
2009007 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 (emerging.rules)
2009008 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 (emerging.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (8):

2009005 || ET TROJAN Simbar Spyware/Trojan User-Agent Detected || url,vil.nai.com/vil/content/v_131206.htm || url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805
2009006 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 || url,isc.sans.org/diary.html?storyid=5599
2009007 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 || url,isc.sans.org/diary.html?storyid=5599
2009008 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 || url,isc.sans.org/diary.html?storyid=5599
2404017 || ET DROP Known Bot C&C Server Traffic (group 18) || url,www.shadowserver.org
2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org
2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org
2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org

-> Added to emerging-sid-msg.map.txt (8):

2009005 || ET TROJAN Simbar Spyware/Trojan User-Agent Detected || url,vil.nai.com/vil/content/v_131206.htm || url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805
2009006 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 || url,isc.sans.org/diary.html?storyid=5599
2009007 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 || url,isc.sans.org/diary.html?storyid=5599
2009008 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 || url,isc.sans.org/diary.html?storyid=5599
2404017 || ET DROP Known Bot C&C Server Traffic (group 18) || url,www.shadowserver.org
2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org
2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org
2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org

-> Added to emerging-virus.rules (1):

#by RPG

From scheidell at secnap.net Mon Jan 12 21:44:46 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Mon, 12 Jan 2009 21:44:46 -0500
Subject: [Emerging-Sigs] [Fwd: SNORT FATAL ERROR]
Message-ID: <496C001E.5020507@secnap.net>

-------- Original Message --------
Subject: HackerTrap Alert: FATAL ERROR
Date: Tue, 13 Jan 2009 03:10:58 +0100 (CET)
From: root at success-ae.hackertrap.net (Success-AE Root)
To: maint at success-ae.hackertrap.net

Jan 13 03:10:58 success-ae snort[43951]: FATAL ERROR: rules/emerging.rules(147) => ParsePattern Got Null enclosed in quotation marks (")!
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* King of Spam Filters, SC Magazine 2008
* Information Security Award 2008, Info Security Products Guide
* CRN Magazine Top 40 Emerging Security Vendors
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

From scheidell at secnap.net Mon Jan 12 22:03:40 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Mon, 12 Jan 2009 22:03:40 -0500
Subject: [Emerging-Sigs] [Fwd: SNORT FATAL ERROR]
In-Reply-To: <496C001E.5020507@secnap.net>

> does Accept: need a \: ?
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1"; flow:to_server,established; content:"POST /roundcube/bin/html2text.php HTTP/1."; nocase; content:"Accept: ZWNobyAoMzMzMjEyKzQzMjQ1NjY2KS4iICI7O3Bhc3N0aHJ1KCJ1bmFtZSAtYTtpZCIpOw=="; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=5599; sid:2009006; rev:1;)
>
> -------- Original Message --------
> Subject: HackerTrap Alert: FATAL ERROR
> Date: Tue, 13 Jan 2009 03:10:58 +0100 (CET)
> From: root at success-ae.hackertrap.net (Success-AE Root)
> To: maint at success-ae.hackertrap.net
>
> Jan 13 03:10:58 success-ae snort[43951]: FATAL ERROR: rules/emerging.rules(147) => ParsePattern Got Null enclosed in quotation marks (")!
--
Michael Scheidell, CTO
SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

From jonkman at jonkmans.com Tue Jan 13 10:49:08 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 13 Jan 2009 10:49:08 -0500
Subject: [Emerging-Sigs] [Fwd: SNORT FATAL ERROR]
Message-ID: <496CB7F4.3040001@jonkmans.com>

Yes it does, why do you ask? :)

Fixed up, thanks for letting me know!

Matt

Michael Scheidell wrote:
> does Accept: need a \: ?
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1"; flow:to_server,established; content:"POST /roundcube/bin/html2text.php HTTP/1."; nocase; content:"Accept: ZWNobyAoMzMzMjEyKzQzMjQ1NjY2KS4iICI7O3Bhc3N0aHJ1KCJ1bmFtZSAtYTtpZCIpOw=="; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=5599; sid:2009006; rev:1;)
>
> -------- Original Message --------
> Subject: HackerTrap Alert: FATAL ERROR
> Date: Tue, 13 Jan 2009 03:10:58 +0100 (CET)
> From: root at success-ae.hackertrap.net (Success-AE Root)
> To: maint at success-ae.hackertrap.net
>
> Jan 13 03:10:58 success-ae snort[43951]: FATAL ERROR: rules/emerging.rules(147) => ParsePattern Got Null enclosed in quotation marks (")!
> [...]

From scheidell at secnap.net Tue Jan 13 11:01:03 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Tue, 13 Jan 2009 11:01:03 -0500
Subject: [Emerging-Sigs] [Fwd: SNORT FATAL ERROR]
In-Reply-To: <496CB7F4.3040001@jonkmans.com>

> Yes it does, why do you ask? :)
>
> Fixed up, thanks for letting me know!
>
Sure wish there was a 'lint' mode on snort.

Snort 2.4* will crash with bad rules (and make a log entry); snort 2.6* will not do anything but disable the rule (no log, no error message, nothing).

--
Michael Scheidell, CTO
SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

From eslerj at gmail.com Tue Jan 13 11:03:25 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 13 Jan 2009 11:03:25 -0500
Subject: [Emerging-Sigs] [Fwd: SNORT FATAL ERROR]
Message-ID: <73F7A1A4-B30A-486C-A62D-317E3DCD933A@gmail.com>

Isn't that what -T is for?

J

On Jan 13, 2009, at 11:01 AM, Michael Scheidell allegedly wrote:
>> Yes it does, why do you ask? :)
>>
>> Fixed up, thanks for letting me know!
>>
> Sure wish there was a 'lint' mode on snort.
>
> Snort 2.4* will crash with bad rules (and make log entry), snort 2.6* will not do anything but disable the rule (no log, no error message, nothing)
> [...]

--
Joel Esler
http://www.joelesler.net
http://www.twitter.com/joelesler
[m]

From jonkman at jonkmans.com Tue Jan 13 11:13:39 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 13 Jan 2009 11:13:39 -0500
Subject: [Emerging-Sigs] [Fwd: SNORT FATAL ERROR]
In-Reply-To: <73F7A1A4-B30A-486C-A62D-317E3DCD933A@gmail.com>
References: <73F7A1A4-B30A-486C-A62D-317E3DCD933A@gmail.com>
Message-ID: <496CBDB3.70502@jonkmans.com>

To a degree, but it doesn't give a bad exit status when it finds a bad sig, so not real useful in automation.
Matt

Joel Esler wrote:
> Isn't that what -T is for?
>
> J
>
> On Jan 13, 2009, at 11:01 AM, Michael Scheidell allegedly wrote:
>> Sure wish there was a 'lint' mode on snort.
>>
>> Snort 2.4* will crash with bad rules (and make log entry), snort 2.6* will not do anything but disable the rule (no log, no error message, nothing)
>> [...]

From vms at nulluser.com Tue Jan 13 11:15:27 2009
From: vms at nulluser.com (VMS)
Date: Tue, 13 Jan 2009 10:15:27 -0600 (CST)
Subject: [Emerging-Sigs] [Fwd: SNORT FATAL ERROR]

Interesting, 2.8 also will crash with bad rules; making -T worth gold.

-McB

8<...
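Michael's wish for a 'lint' mode and Matt's point that `snort -T` gives no usable exit status are what the script below addresses. It is an added example written for this page, not part of Snort and not an Emerging Threats tool. It reads a rules file line by line and flags the defects this thread shows biting people: an empty `content:""` (the "Got Null enclosed in quotation marks" fatal error above), an unescaped `:` or `;` inside a content string (the `Accept:` fix Matt applied to sid 2009006), a missing `sid`, and a duplicate `sid` (the two galeri_info.php rules at the top of this page both carry sid:2008226). The embedded sample rules are constructed for the demonstration; the `EXAMPLE` message texts and 9000xxx sids are placeholders, not ET signatures. It exits 1 when anything is found so a cron job can refuse to install a bad update.

```python
"""Lint pass for Snort 2.x-style text rules (added example, not part of Snort)."""
import re
import sys

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# opening quote of content:"..." / uricontent:"..." / content:!"..."
CONTENT_START_RE = re.compile(r"\b(?:uri)?content\s*:\s*(?:!\s*)?\"")
# ';' and '"' must always be escaped inside a content string; the thread's fix
# for sid 2009006 was escaping ':' as '\:', so it is checked the same way here.
MUST_ESCAPE = set(';:"')

# Constructed sample rules, modelled on the rule shapes in this thread.
SAMPLE_RULES = r'''
# constructed sample rules for the linter; EXAMPLE msgs and 9000xxx sids are placeholders
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE User-Agent detected"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"SIMBAR="; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE unescaped colon"; flow:to_server,established; content:"Accept: PLACEHOLDER"; classtype:attempted-admin; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE empty content"; content:""; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE duplicate sid"; uricontent:"/galeri_info.php?"; nocase; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE no sid"; content:"GET "; depth:4;)
'''


def read_quoted(text, start):
    """Read the double-quoted string whose opening quote is text[start].

    A backslash escapes the next character; an unescaped '"' closes the string.
    Returns (raw_body_with_escapes_kept, index_after_closing_quote); the index
    is None when the string never closes.
    """
    i, body = start + 1, []
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            body.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"':
            return "".join(body), i + 1
        body.append(ch)
        i += 1
    return "".join(body), None


def unescaped_specials(body):
    """Return the MUST_ESCAPE characters that appear unescaped in a content body."""
    found, i = set(), 0
    while i < len(body):
        if body[i] == "\\":      # skip the escape and the character it protects
            i += 2
            continue
        if body[i] in MUST_ESCAPE:
            found.add(body[i])
        i += 1
    return found


def lint_rule(rule):
    """Return a list of problem strings for one rule line; blank/comment lines give []."""
    rule = rule.strip()
    if not rule or rule.startswith("#"):
        return []
    problems = []
    if not rule.startswith(ACTIONS):
        problems.append("unknown action keyword")
    if "(" not in rule or not rule.endswith(")"):
        problems.append("rule body not enclosed in ( ... )")
    for m in CONTENT_START_RE.finditer(rule):
        body, end = read_quoted(rule, m.end() - 1)
        if end is None:
            problems.append("unterminated content string")
            break
        if body == "":
            problems.append('empty content "" (Snort: Got Null enclosed in quotation marks)')
        for ch in sorted(unescaped_specials(body)):
            problems.append(f"unescaped '{ch}' inside content \"{body}\"")
    if not SID_RE.search(rule):
        problems.append("missing sid")
    return problems


def lint_rules(text):
    """Lint every line of a rules file; returns [(line_number, problem), ...]."""
    findings, seen_sids = [], {}
    for no, line in enumerate(text.splitlines(), start=1):
        for p in lint_rule(line):
            findings.append((no, p))
        m = SID_RE.search(line)
        if m and not line.lstrip().startswith("#"):
            sid = m.group(1)
            if sid in seen_sids:
                findings.append((no, f"duplicate sid {sid} (first seen on line {seen_sids[sid]})"))
            else:
                seen_sids[sid] = no
    return findings


if __name__ == "__main__":
    # usage: python snortlint.py emerging.rules [...]; with no arguments the sample is linted
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    bad = 0
    for name, text in sources or [("<sample>", SAMPLE_RULES)]:
        for no, problem in lint_rules(text):
            print(f"{name}:{no}: {problem}")
            bad += 1
    sys.exit(1 if bad else 0)
```

Run it before `snort -T` rather than instead of it: this only catches the textual slips the thread mentions, while `-T` still exercises the real parser; the two together, with this script's exit status gating the update, give the automation Matt was missing.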
From wolvee_x at yahoo.com Tue Jan 13 11:49:52 2009
From: wolvee_x at yahoo.com (Mahesh Yelsani)
Date: Tue, 13 Jan 2009 08:49:52 -0800 (PST)
Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 14, Issue 21
Message-ID: <280472.38255.qm@web59610.mail.ac4.yahoo.com>

How to run a snort in 'lint' mode...?

Thanks,
Mahesh..

--- On Tue, 1/13/09, emerging-sigs-request at emergingthreats.net wrote:

From: emerging-sigs-request at emergingthreats.net
Subject: Emerging-sigs Digest, Vol 14, Issue 21
To: emerging-sigs at emergingthreats.net
Date: Tuesday, January 13, 2009, 4:13 PM

Today's Topics:

1. Emerging Threats Daily Signature Changes (emerging at emergingthreats.net)
2. [Fwd: SNORT FATAL ERROR] (Michael Scheidell)
3. Re: [Fwd: SNORT FATAL ERROR] (Michael Scheidell)
4. Re: [Fwd: SNORT FATAL ERROR] (Matt Jonkman)
5. Re: [Fwd: SNORT FATAL ERROR] (Michael Scheidell)
6. Re: [Fwd: SNORT FATAL ERROR] (Joel Esler)
7. Re: [Fwd: SNORT FATAL ERROR] (Matt Jonkman)

[...]

End of Emerging-sigs Digest, Vol 14, Issue 21
*********************************************

From scheidell at secnap.net Tue Jan 13 12:21:59 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Tue, 13 Jan 2009 12:21:59 -0500
Subject: [Emerging-Sigs] [Fwd: ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) and 163.
Message-ID: <496CCDB7.1070401@secnap.net>

one ip, two lists:

01/13-12:18:35 ICMP 82.98.86.166 --> 192.168.164.21 [1:2407162:103] ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163)
01/13-12:18:35 ICMP 82.98.86.166 --> 192.168.164.21 [1:2407161:103] ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162)

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

From jonkman at jonkmans.com Tue Jan 13 12:30:40 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 13 Jan 2009 12:30:40 -0500
Subject: [Emerging-Sigs] [Fwd: ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) and 163.
In-Reply-To: <496CCDB7.1070401@secnap.net>
References: <496CCDB7.1070401@secnap.net>
Message-ID: <496CCFC0.2010409@jonkmans.com>

Got it, thanks.
Was integrated into a /24 Michael Scheidell wrote: > one ip, two lists: > > 01/13-12:18:35 ICMP 82.98.86.166 > > --> 192.168.164.21 > > [1:2407162:103] ET > RBN Known Russian Business Network Monitored Domains - BLOCKING (163) > > > 01/13-12:18:35 ICMP 82.98.86.166 > > --> 192.168.164.21 > > [1:2407161:103] ET > RBN Known Russian Business Network Monitored Domains - BLOCKING (162) > > -- > Michael Scheidell, CTO > Phone: 561-999-5000, x 1259 >> *| *SECNAP Network Security Corporation > > * Certified SNORT Integrator > * King of Spam Filters, SC Magazine 2008 > * Information Security Award 2008, Info Security Products Guide > * CRN Magazine Top 40 Emerging Security Vendors > > > > ------------------------------------------------------------------------ > > This email has been scanned and certified safe by SpammerTrap?. > For Information please see www.secnap.com/products/spammertrap/ > > > ------------------------------------------------------------------------ > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From emerging at emergingthreats.net Tue Jan 13 16:00:09 2009 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Tue, 13 Jan 2009 16:00:09 -0500 (EST) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20090113210009.6416B4502B@goliath.jonkmans.com> [***] Results from Oinkmaster started Tue Jan 13 16:00:09 2009 [***] [///] Modified active rules: [///] 2009006 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 (emerging.rules) 2406000 - ET RBN 
Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules) 2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules) 2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network Monitored Domains 
(44) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business 
Network Monitored Domains (66) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules) 2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules) 2406087 - ET 
RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules) 2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules) 2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules) 2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules) 2406108 - ET RBN Known Russian Business Network Monitored Domains (109) 
(emerging-rbn.rules) 2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules) 2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules) 2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules) 2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules) 2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules) 2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules) 2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules) 2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules) 2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules) 2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules) 2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules) 2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules) 2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules) 2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules) 2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules) 2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules) 2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules) 2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules) 2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules) 2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules) 2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules) 2406130 - ET RBN Known 
Russian Business Network Monitored Domains (131) (emerging-rbn.rules) 2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules) 2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules) 2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules) 2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules) 2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules) 2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules) 2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules) 2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules) 2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules) 2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules) 2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules) 2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules) 2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules) 2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules) 2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules) 2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules) 2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules) 2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules) 2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules) 2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules) 2406151 - ET RBN Known Russian Business Network Monitored Domains 
(152) (emerging-rbn.rules) 2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules) 2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules) 2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules) 2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules) 2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules) 2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules) 2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules) 2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules) 2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules) 2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules) 2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules) 2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules) 2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules) 2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules) 2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules) 2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules) 2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules) 2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules) 2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules) 2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules) 2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules) 2406173 - ET RBN 
Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules) 2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules) 2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules) 2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules) 2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules) 2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules) 2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules) 2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules) 2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules) 2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules) 2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules) 2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules) 2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules) 2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules) 2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules) 2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules) 2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules) 2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules) 2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules) 2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules) 2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules) 2406194 - ET RBN Known Russian Business Network Monitored 
Domains (195) (emerging-rbn.rules) 2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules) 2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules) 2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules) 2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules) 2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules) 2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules) 2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules) 2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules) 2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules) 2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules) 2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules) 2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules) 2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules) 2406208 - ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules) 2406209 - ET RBN Known Russian Business Network Monitored Domains (210) (emerging-rbn.rules) 2406210 - ET RBN Known Russian Business Network Monitored Domains (211) (emerging-rbn.rules) 2406211 - ET RBN Known Russian Business Network Monitored Domains (212) (emerging-rbn.rules) 2406212 - ET RBN Known Russian Business Network Monitored Domains (213) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 
2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian 
Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) 
(emerging-rbn-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 105
# Updated 2009-01-13 12:29:49

-> Added to emerging-rbn.rules (2):
# VERSION 105
# Updated 2009-01-13 12:29:49

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 103
# Updated 2009-01-10 21:59:57

-> Removed from emerging-rbn.rules (2):
# VERSION 103
# Updated 2009-01-10 21:59:57

From r.fulton at auckland.ac.nz Tue Jan 13 22:48:22 2009
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Wed, 14 Jan 2009 16:48:22 +1300
Subject: [Emerging-Sigs] lots of hits on ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2
Message-ID: <03B76B68-51D7-45BD-B8E0-031BAE1150D0@auckland.ac.nz>

Just one host...
META
SID CID TimeStamp Signature Sig ID
6 24198529 2009-01-14 10:51:36 ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 2008990
Sensor Hostname Sensor Interface
monitor-dmzo.isec.auckland.ac.nz dmz sensor

IP
Source Address Dest Address Ver Hdr Len TOS length ID flags offset TTL chksum
24.213.90.168 130.216.33.129 4 5 0 227 37899 2 0 43 41779
Resolved Source Resolved Dest
unknown.caratnetworks.com csivm1.cs.auckland.ac.nz

TCP
Source Port Dest Port Seq Ack Offset Reserved Flags Window Checksum Urgent Ptr
41933 80 1710443432 3511506871 8 0 24 54 53595 0
Options
None
Flags
RB 1 RB 0 URG ACK PSH RST SYN FIN
X X

DATA
GET /mail/bin/msgimport HTTP/1.1..User-Agent: Mozilla/5.0 (W
indows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/20081201
22 Firefox/3.0.5..Host: 130.216.33.129..Accept: */*....

From jonkman at jonkmans.com Wed Jan 14 13:12:39 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 14 Jan 2009 13:12:39 -0500
Subject: [Emerging-Sigs] lots of hits on ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2
In-Reply-To: <03B76B68-51D7-45BD-B8E0-031BAE1150D0@auckland.ac.nz>
References: <03B76B68-51D7-45BD-B8E0-031BAE1150D0@auckland.ac.nz>
Message-ID: <496E2B17.6040700@jonkmans.com>

Are you running roundcube? Do you have something at the uri? Interesting that you're getting hit heavily by one place...

Russell Fulton wrote:
> Just one host...
>
> META
> SID CID TimeStamp Signature Sig ID
> 6 24198529 2009-01-14 10:51:36 ET CURRENT_EVENTS Unknown
> Roundcube Vulnerability Scan Variant 2 2008990
> Sensor Hostname Sensor Interface
> monitor-dmzo.isec.auckland.ac.nz dmz sensor
> IP
> Source Address Dest Address Ver Hdr Len TOS length
> ID flags offset TTL chksum
> 24.213.90.168 130.216.33.129 4 5 0 227 37899 2
> 0 43 41779
> Resolved Source Resolved Dest
> unknown.caratnetworks.com csivm1.cs.auckland.ac.nz
> TCP
> Source Port Dest Port Seq Ack Offset Reserved Flags
> Window Checksum Urgent Ptr
> 41933 80 1710443432 3511506871 8 0 24 54 53595 0
> Options
> None
> Flags
> RB 1 RB 0 URG ACK PSH RST SYN FIN
> X X
>
> DATA
>
> GET /mail/bin/msgimport HTTP/1.1..User-Agent: Mozilla/5.0 (W
> indows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/20081201
> 22 Firefox/3.0.5..Host: 130.216.33.129..Accept: */*....
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From inittab at jtan.com Wed Jan 14 16:53:45 2009
From: inittab at jtan.com (RPG)
Date: Wed, 14 Jan 2009 16:53:45 -0500
Subject: [Emerging-Sigs] favicon's as executables
Message-ID: <496E5EE9.6050209@jtan.com>

We have seen a few instances of favicon.ico's coming down as executable files.
In all instances so far the server reports "404 Not Found" when the browser requests the favicon.ico file, yet it serves this little binary instead:

DST: HTTP/1.1 404 Not Found
DST: Content-Length: 17416
DST: Content-Type: application/x-msdownload
DST: Server: Microsoft-IIS/6.0
DST: X-Powered-By: ASP.NET
DST: Date: Wed, 14 Jan 2009 21:20:27 GMT
DST:
DST: MZ......................@...............................................!..L.!Th

$ file favicon.ico
favicon.ico: PE executable for MS Windows (DLL) (console) Intel 80386 32-bit
$ md5sum favicon.ico
74e81a65879ffe881a7af525a0254ad8 favicon.ico

Here's an example URL if you're curious:
http://wwwDOTnjcarbuyerDOTcom/favicon.ico

Download it safely and of course replace the DOT's. :)

Virustotal comes up empty and so does threatexpert.com
http://www.virustotal.com/analisis/4257c88c85ff4c4ef4fb495e06c7661a
http://threatexpert.com/report.aspx?md5=74e81a65879ffe881a7af525a0254ad8

Can someone shed light on this little mystery?

TIA
RPG

From frank at knobbe.us Wed Jan 14 19:01:49 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 14 Jan 2009 18:01:49 -0600
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Jan-12 - 2009
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C291D@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C291D@webmail.latis.com>
Message-ID: <1231977709.31870.2.camel@localhost>

On Mon, 2009-01-12 at 02:13 -0700, signatures wrote:
> Hi Matt,
>
> Please find 10 New Signatures below:

Committed with SIDs 2009009-2009018

Thanks,
Frank

From dokas at oitsec.umn.edu Wed Jan 14 22:21:11 2009
From: dokas at oitsec.umn.edu (Paul Dokas)
Date: Wed, 14 Jan 2009 21:21:11 -0600
Subject: [Emerging-Sigs] Whatismyip Sigs
In-Reply-To: <4964F54F.7020403@jonkmans.com>
References: <4964F4B4.4020504@jonkmans.com> <4964F54F.7020403@jonkmans.com>
Message-ID: <496EABA7.2090204@oitsec.umn.edu>

Matt Jonkman wrote:
> Forgot to ask, anyone know of other sites that are commonly used by
> malware?
> These are 95% of what we see in the sandnet.

We've seen malware hit ipchicken.com.

Paul
--
Paul Dokas dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."

From david.glosser at gmail.com Wed Jan 14 22:24:35 2009
From: david.glosser at gmail.com (David Glosser)
Date: Wed, 14 Jan 2009 22:24:35 -0500
Subject: [Emerging-Sigs] Whatismyip Sigs
In-Reply-To: <496EABA7.2090204@oitsec.umn.edu>
References: <4964F4B4.4020504@jonkmans.com> <4964F54F.7020403@jonkmans.com> <496EABA7.2090204@oitsec.umn.edu>
Message-ID:

what would happen to the malware if these ip check-on sites were pointed to 127.0.0.1 or to a false address?

On Wed, Jan 14, 2009 at 10:21 PM, Paul Dokas wrote:
> Matt Jonkman wrote:
>> Forgot to ask, anyone know of other sites that are commonly used by
>> malware? These are 95% of what we see in the sandnet.
>
> We've seen malware hit ipchicken.com.
>
> Paul
> --
> Paul Dokas dokas at oitsec.umn.edu
> ======================================================================
> Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."

From william.metcalf at gmail.com Wed Jan 14 22:38:49 2009
From: william.metcalf at gmail.com (william metcalf)
Date: Wed, 14 Jan 2009 21:38:49 -0600
Subject: [Emerging-Sigs] Whatismyip Sigs
In-Reply-To:
References: <4964F4B4.4020504@jonkmans.com> <4964F54F.7020403@jonkmans.com> <496EABA7.2090204@oitsec.umn.edu>
Message-ID: <1231990729.24225.7.camel@localhost.localdomain>

Fire and brimstone coming down from the skies! Rivers and seas boiling!
Forty years of darkness! Earthquakes, volcanoes...
The dead rising from the grave!
Human sacrifice, dogs and cats living together... mass hysteria!
On Wed, 2009-01-14 at 22:24 -0500, David Glosser wrote:
>
> what would happen to the malware if these ip check-on sites were
> pointed to 127.0.0.1 or to a false address?
>
>
> On Wed, Jan 14, 2009 at 10:21 PM, Paul Dokas wrote:
> > Matt Jonkman wrote:
> >> Forgot to ask, anyone know of other sites that are commonly used by
> >> malware? These are 95% of what we see in the sandnet.
> >
> > We've seen malware hit ipchicken.com.
> >
> > Paul

From david.glosser at gmail.com Wed Jan 14 22:45:27 2009
From: david.glosser at gmail.com (David Glosser)
Date: Wed, 14 Jan 2009 22:45:27 -0500
Subject: [Emerging-Sigs] Whatismyip Sigs
In-Reply-To: <1231990729.24225.7.camel@localhost.localdomain>
References: <4964F4B4.4020504@jonkmans.com> <4964F54F.7020403@jonkmans.com> <496EABA7.2090204@oitsec.umn.edu> <1231990729.24225.7.camel@localhost.localdomain>
Message-ID:

my typical day at the office...

On Wed, Jan 14, 2009 at 10:38 PM, william metcalf wrote:
> Fire and brimstone coming down from the skies! Rivers and seas boiling!
> Forty years of darkness! Earthquakes, volcanoes...
> The dead rising from the grave!
> Human sacrifice, dogs and cats living together... mass hysteria!
>
>
> On Wed, 2009-01-14 at 22:24 -0500, David Glosser wrote:
>>
>> what would happen to the malware if these ip check-on sites were
>> pointed to 127.0.0.1 or to a false address?
>>
>>
>> On Wed, Jan 14, 2009 at 10:21 PM, Paul Dokas wrote:
>> > Matt Jonkman wrote:
>> >> Forgot to ask, anyone know of other sites that are commonly used by
>> >> malware? These are 95% of what we see in the sandnet.
>> >
>> > We've seen malware hit ipchicken.com.
>> >
>> > Paul

From eslerj at gmail.com Thu Jan 15 00:16:53 2009
From: eslerj at gmail.com (Joel Esler)
Date: Thu, 15 Jan 2009 00:16:53 -0500
Subject: [Emerging-Sigs] Whatismyip Sigs
In-Reply-To:
References: <4964F4B4.4020504@jonkmans.com> <4964F54F.7020403@jonkmans.com> <496EABA7.2090204@oitsec.umn.edu>
Message-ID: <9F0AE7D8-2EE5-4CD2-AB6E-0C938D005896@gmail.com>

Probably how most malware should be handled at stage one.

Joel

On Jan 14, 2009, at 10:24 PM, David Glosser allegedly wrote:
>
> what would happen to the malware if these ip check-on sites were
> pointed to 127.0.0.1 or to a false address?
>
>
> On Wed, Jan 14, 2009 at 10:21 PM, Paul Dokas wrote:
>> Matt Jonkman wrote:
>>> Forgot to ask, anyone know of other sites that are commonly used by
>>> malware? These are 95% of what we see in the sandnet.
>>
>> We've seen malware hit ipchicken.com.
>>
>> Paul

--
Joel Esler | http://www.joelesler.net | http://www.twitter.com/joelesler [m]

From jonkman at jonkmans.com Thu Jan 15 10:46:46 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 15 Jan 2009 10:46:46 -0500
Subject: [Emerging-Sigs] Whatismyip Sigs
In-Reply-To:
References: <4964F4B4.4020504@jonkmans.com> <4964F54F.7020403@jonkmans.com> <496EABA7.2090204@oitsec.umn.edu> <1231990729.24225.7.camel@localhost.localdomain>
Message-ID: <496F5A66.7040408@jonkmans.com>

Haha. Seriously, it'd definitely be a good thing to do locally if you can afford not to have access to the ip check sites. I wouldn't say we ought to put them into the dnsbh as they're very useful in many cases.

Matt

David Glosser wrote:
> my typical day at the office...
>
>
> On Wed, Jan 14, 2009 at 10:38 PM, william metcalf wrote:
>> Fire and brimstone coming down from the skies! Rivers and seas boiling!
>> Forty years of darkness! Earthquakes, volcanoes...
>> The dead rising from the grave!
>> Human sacrifice, dogs and cats living together... mass hysteria!
>>
>>
>> On Wed, 2009-01-14 at 22:24 -0500, David Glosser wrote:
>>>
>>> what would happen to the malware if these ip check-on sites were
>>> pointed to 127.0.0.1 or to a false address?
>>>
>>>
>>> On Wed, Jan 14, 2009 at 10:21 PM, Paul Dokas wrote:
>>>> Matt Jonkman wrote:
>>>>> Forgot to ask, anyone know of other sites that are commonly used by
>>>>> malware?
>>>>> These are 95% of what we see in the sandnet.
>>>> We've seen malware hit ipchicken.com.
>>>>
>>>> Paul

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Thu Jan 15 10:50:01 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 15 Jan 2009 10:50:01 -0500
Subject: [Emerging-Sigs] Whatismyip Sigs
In-Reply-To: <496EABA7.2090204@oitsec.umn.edu>
References: <4964F4B4.4020504@jonkmans.com> <4964F54F.7020403@jonkmans.com> <496EABA7.2090204@oitsec.umn.edu>
Message-ID: <496F5B29.5090806@jonkmans.com>

I'll add something for that, I've seen it as well. Thanks Paul!

Matt

Paul Dokas wrote:
> Matt Jonkman wrote:
>> Forgot to ask, anyone know of other sites that are commonly used by
>> malware? These are 95% of what we see in the sandnet.
>
> We've seen malware hit ipchicken.com.
>
> Paul

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From dxp2532 at gmail.com Thu Jan 15 15:02:54 2009
From: dxp2532 at gmail.com (dxp)
Date: Thu, 15 Jan 2009 15:02:54 -0500
Subject: [Emerging-Sigs] Detecting web based exploit packs - Armitage
Message-ID: <1232049774.6701.10.camel@kinta>

This is the first set in a series on exploit packs. Will post more soon.
Some background on Armitage:
http://dxp2532.blogspot.com/2009/01/armitage-10.html

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB Armitage Loader Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/exe.php"; sid:XXXXXX; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB Armitage Loader Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/lds.php"; sid:XXXXXX; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB Armitage Exploit Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/bof.php"; sid:XXXXXX; rev:1;)

-
-=[ dxp ]=-
0xA3F3C6E3
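A small detection script serving both this Armitage post and RPG's favicon.ico report earlier in the archive, added here as an example (it is not dxp's rule set, RPG's capture or any Emerging Threats code): it replays the content/depth and uricontent logic of the three rules over constructed requests, including the broad "/exe.php" case RPG raises, and flags a response whose body starts with an MZ header behind a 404 or behind an image path. The host names, the fake PE stub and every sample message are constructed.

```python
"""Added example for the Armitage rules and the favicon.ico thread.
Not code from the list posts: the messages below are constructed."""

from dataclasses import dataclass


@dataclass
class HttpMessage:
    start_line: str
    headers: dict
    body: bytes


def parse_http(raw: bytes) -> HttpMessage:
    """Split a raw HTTP request or response into start line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers, body)


# 1. The three Armitage rules, reduced to their matching logic.
#    Each one is: content:"GET "; depth:4;  plus  uricontent:"<path>".
ARMITAGE_RULES = [
    ("ET WEB Armitage Loader Request", "/exe.php"),
    ("ET WEB Armitage Loader Check-in", "/lds.php"),
    ("ET WEB Armitage Exploit Request", "/bof.php"),
]


def match_armitage(raw_request: bytes) -> list:
    """Return the msg of every rule that would fire on this client request."""
    # content:"GET "; depth:4 -> the literal must sit inside the first 4
    # payload bytes, so POST/HEAD requests never match.
    if raw_request[:4] != b"GET ":
        return []
    msg = parse_http(raw_request)
    parts = msg.start_line.split(" ")
    if len(parts) < 2:
        return []
    # uricontent inspects only the request URI (path and query) and is a
    # plain substring test, which is why "/exe.php" is expected to fire on
    # plenty of sites that have nothing to do with Armitage.
    uri = parts[1]
    return [name for name, needle in ARMITAGE_RULES if needle in uri]


# 2. The favicon.ico thread: a "404 Not Found" whose body is a PE file.
PE_MAGIC = b"MZ"
IMAGE_SUFFIXES = (".ico", ".png", ".gif", ".jpg", ".jpeg")
EXECUTABLE_TYPES = ("application/x-msdownload", "application/x-dosexec")


def classify_response(raw_response: bytes, requested_path: str) -> list:
    """Reasons a response to requested_path deserves a second look."""
    msg = parse_http(raw_response)
    parts = msg.start_line.split(" ", 2)
    code = parts[1] if len(parts) > 1 else ""
    ctype = msg.headers.get("content-type", "").lower()
    is_image_path = requested_path.lower().endswith(IMAGE_SUFFIXES)
    reasons = []
    if msg.body.startswith(PE_MAGIC):
        if code != "200":
            reasons.append(f"PE header in body of HTTP {code} response")
        if is_image_path:
            reasons.append(f"PE header in body served for {requested_path}")
    if is_image_path and ctype.startswith(EXECUTABLE_TYPES):
        reasons.append(f"executable Content-Type {ctype} for {requested_path}")
    return reasons


# Constructed samples (not the captures from the list posts).
ARMITAGE_REQ = b"GET /x/exe.php?id=1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
BENIGN_REQ = b"GET /index.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
POST_REQ = b"POST /exe.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
DOCS_REQ = b"GET /docs/exe.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

# 64-byte stand-in for a PE: "MZ" DOS stub with the usual 0x40 at offset 0x18
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 20 + b"@" + b"\x00" * 39
FAVICON_RESP = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Length: 64\r\n"
    b"Content-Type: application/x-msdownload\r\n"
    b"Server: Microsoft-IIS/6.0\r\n\r\n" + FAKE_PE
)
CLEAN_RESP = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/x-icon\r\n"
    b"Content-Length: 6\r\n\r\n" + b"\x00\x00\x01\x00\x01\x00"
)

if __name__ == "__main__":
    for req in (ARMITAGE_REQ, BENIGN_REQ, POST_REQ, DOCS_REQ):
        print(req.split(b"\r\n")[0].decode(), "->", match_armitage(req))
    print("favicon.ico (404 + MZ):", classify_response(FAVICON_RESP, "/favicon.ico"))
    print("favicon.ico (clean):   ", classify_response(CLEAN_RESP, "/favicon.ico"))
```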
From inittab at jtan.com Thu Jan 15 15:47:02 2009
From: inittab at jtan.com (RPG)
Date: Thu, 15 Jan 2009 15:47:02 -0500
Subject: [Emerging-Sigs] Detecting web based exploit packs - Armitage
In-Reply-To: <1232049774.6701.10.camel@kinta>
References: <1232049774.6701.10.camel@kinta>
Message-ID: <496FA0C6.6030200@jtan.com>

Good stuff!

The first sig "/exe.php" should pick up a lot more junk than just Armitage me thinks. May get some falses on that one too.

dxp wrote:
> This is the first set in a series on exploit packs. Will post more soon.
> Some background on Armitage:
> http://dxp2532.blogspot.com/2009/01/armitage-10.html
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB
> Armitage Loader Request"; flow:established,to_server; content:"GET
> "; depth:4; uricontent:"/exe.php"; sid:XXXXXX; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB
> Armitage Loader Check-in"; flow:established,to_server;
> content:"GET "; depth:4; uricontent:"/lds.php"; sid:XXXXXX; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB
> Armitage Exploit Request"; flow:established,to_server;
> content:"GET "; depth:4; uricontent:"/bof.php"; sid:XXXXXX; rev:1;)
>
>
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3

From emerging at emergingthreats.net Thu Jan 15 16:00:08 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 15 Jan 2009 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090115210008.9205D45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Jan 15 16:00:08 2009 [***]

[+++] Added rules: [+++]

2009009 - ET WEB_SPECIFIC ClaSS export.php ftype parameter Information Disclosure (emerging-web_sql_injection.rules)
2009010 - ET WEB_SPECIFIC Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure (emerging-web_sql_injection.rules)
2009011 - ET WEB_SPECIFIC Rematic CMS referenzdetail.php id parameter SQL Injection (emerging-web_sql_injection.rules)
2009012 - ET WEB_SPECIFIC Rematic CMS produkte.php id parameter SQL Injection (emerging-web_sql_injection.rules)
2009013 - ET WEB_SPECIFIC WebPhotoPro art.php idm Parameter SQL Injection (emerging-web_sql_injection.rules)
2009014 - ET WEB_SPECIFIC WebPhotoPro rub.php idr Parameter SQL Injection (emerging-web_sql_injection.rules)
2009015 - ET WEB_SPECIFIC WebPhotoPro galeri_info.php ida Parameter SQL Injection (emerging-web_sql_injection.rules)
2009016 - ET WEB_SPECIFIC WebPhotoPro galeri_info.php lang Parameter SQL Injection (emerging-web_sql_injection.rules)
2009017 - ET WEB_SPECIFIC WebPhotoPro rubrika.php idr Parameter SQL Injection (emerging-web_sql_injection.rules)
2009018 - ET WEB_SPECIFIC Text Lines Rearrange Script filename parameter File Disclosure (emerging-web_sql_injection.rules)
2009019 - ET TROJAN VMProtect Demo version Packed Binary - Likely Hostile (emerging-virus.rules)
2009020 - ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection (emerging-policy.rules)
2009021 - ET MALWARE Suspicious User Agent (IE_6.0) (emerging-malware.rules)

[///] Modified active rules: [///]

2008940 - ET TROJAN DNSChanger.AT or related Infection Checkin Post (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (13):

2009009 || ET WEB_SPECIFIC ClaSS export.php ftype parameter Information Disclosure || bugtraq,32929 || url,secunia.com/advisories/33222
2009010 || ET
WEB_SPECIFIC Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure || bugtraq,32966 || url,www.milw0rm.com/exploits/7543
2009011 || ET WEB_SPECIFIC Rematic CMS referenzdetail.php id parameter SQL Injection || url,milw0rm.com/exploits/7502 || url,secunia.com/advisories/33208/
2009012 || ET WEB_SPECIFIC Rematic CMS produkte.php id parameter SQL Injection || url,milw0rm.com/exploits/7502 || url,secunia.com/advisories/33208/
2009013 || ET WEB_SPECIFIC WebPhotoPro art.php idm Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829
2009014 || ET WEB_SPECIFIC WebPhotoPro rub.php idr Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829
2009015 || ET WEB_SPECIFIC WebPhotoPro galeri_info.php ida Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829
2009016 || ET WEB_SPECIFIC WebPhotoPro galeri_info.php lang Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829
2009017 || ET WEB_SPECIFIC WebPhotoPro rubrika.php idr Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829
2009018 || ET WEB_SPECIFIC Text Lines Rearrange Script filename parameter File Disclosure || url,milw0rm.com/exploits/7542 || url,securityfocus.com/bid/32968
2009019 || ET TROJAN VMProtect Demo version Packed Binary - Likely Hostile || url,www.packetninjas.net || url,www.vmprotect.ru
2009020 || ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection
2009021 || ET MALWARE Suspicious User Agent (IE_6.0) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html

-> Added to emerging-sid-msg.map.txt (13):

2009009 || ET WEB_SPECIFIC ClaSS export.php ftype parameter Information Disclosure || bugtraq,32929 || url,secunia.com/advisories/33222
2009010 || ET WEB_SPECIFIC Wordpress Plugin
Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure || bugtraq,32966 || url,www.milw0rm.com/exploits/7543
2009011 || ET WEB_SPECIFIC Rematic CMS referenzdetail.php id parameter SQL Injection || url,milw0rm.com/exploits/7502 || url,secunia.com/advisories/33208/
2009012 || ET WEB_SPECIFIC Rematic CMS produkte.php id parameter SQL Injection || url,milw0rm.com/exploits/7502 || url,secunia.com/advisories/33208/
2009013 || ET WEB_SPECIFIC WebPhotoPro art.php idm Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829
2009014 || ET WEB_SPECIFIC WebPhotoPro rub.php idr Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829
2009015 || ET WEB_SPECIFIC WebPhotoPro galeri_info.php ida Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829
2009016 || ET WEB_SPECIFIC WebPhotoPro galeri_info.php lang Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829
2009017 || ET WEB_SPECIFIC WebPhotoPro rubrika.php idr Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829
2009018 || ET WEB_SPECIFIC Text Lines Rearrange Script filename parameter File Disclosure || url,milw0rm.com/exploits/7542 || url,securityfocus.com/bid/32968
2009019 || ET TROJAN VMProtect Demo version Packed Binary - Likely Hostile || url,www.packetninjas.net || url,www.vmprotect.ru
2009020 || ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection
2009021 || ET MALWARE Suspicious User Agent (IE_6.0) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html

-> Added to emerging-web_sql_injection.rules (1):

# From StillSecure

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (2):

2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org
2405018 || ET DROP
Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org

-> Removed from emerging-sid-msg.map.txt (2):

2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org
2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org


From phatbuckett at gmail.com Thu Jan 15 16:35:46 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Thu, 15 Jan 2009 14:35:46 -0700
Subject: [Emerging-Sigs] Hupigon sigs
Message-ID: <839aec700901151335o6dfb36a7w434d7818b493cbe9@mail.gmail.com>

Have come across these goodies:

-----
....HCS..25IE03DTXP15633....WinXP2527 MHz2004MB..............
0000: 4500 00ba b754 4000 7806 a2a0 c73f 955d  E..??T@.x.? ??.]
0010: 89a0 c20b 0702 2260 0635 7b8e 7787 b398  . ?..."`.5{.w.?.
0020: 5018 ffe0 8ad1 0000 0000 008e 3c47 523e  P.??.?......
0030: 4843 53d7 e93c 2f47 523e 3c49 4d3e 3235  HCS??25
0040: 3c2f 494d 3e3c 4e41 3e49 4530 3344 5458  IE03DTX
0050: 5031 3536 3333 3c2f 4e41 3e3c 4353 3ec4  P15633?
0060: dacd f83c 2f43 533e 3c4f 533e 5769 6e58  ???WinX
0070: 503c 2f4f 533e 3c43 5055 3e32 3532 3720  P2527
0080: 4d48 7a3c 2f43 5055 3e3c 4d45 4d3e 3230  MHz20
0090: 3034 4d42 3c2f 4d45 4d3e 3c53 503e cede  04MB??
00a0: cad3 c6b5 3c2f 5350 3e3c 425a 3eb1 b8d7  ???????
00b0: a2c4 dac8 dd3c 2f42 5a3e                 ?????

...sIE99LT4LD5T1S....WinXP225.50 MHz1013MB12..9..
0000: 4500 009f 1f9c 0000 7706 9e13 ac1b 8de2  E.......w...?..?
0010: 89a0 c20b 0feb 1ff5 553c 91c4 a673 8cde  . ?..?.?U<.??s.?
0020: 5018 ffe0 091e 0000 0000 0073 3c4e 4149  P.??.......sIE99LT4LD5T1S????WinXP225.50
0070: 4d48 7a3c 2f43 5055 493e 3c4d 454d 493e  MHz
0080: 3130 3133 4d42 3c2f 4d45 4d49 3e3c 425a  1013MB12??9??
-----

I caught the documentation on this at http://doc.emergingthreats.net/bin/view/Main/TrojanDropper497. I see the malware identified as Hupigon from other sources.
Looks like 2007918 is designed to match the first one:

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Dropper-497 (Yumato) System Stats Report"; flow:established,to_server; content:"|00 00 00 83|"; depth:4; content:""; content:"<"; distance:0; content:""; content:"<"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; sid:2007918; rev:1;)

...although I have to wonder if the match would work correctly: wouldn't the 'content:""; content:"<"; distance:0;' matches only hit on '<' due to the distance:0? (i.e. empty tag value?)

I've also extracted out the first 4 bytes of payload for each request in our pcaps and the fourth byte varies (counts included to illustrate frequency):

   2120  00 00 00 8e
   1815  00 00 00 8d
   1463  00 00 00 8b
    632  00 00 00 8c
    209  00 00 00 8f
    182  00 00 00 95
     26  00 00 00 8a
     11  00 00 00 94

I don't know if this means that the fourth byte is "too" variable to match on or if we can just pcre the values we've encountered above (or a range, or whatever). At any rate the existing sig doesn't catch any of the cases we've encountered.

The second variant adds an "I" to the tag names and changes the first four bytes to |00 00 00 72|, |00 00 00 73|, and |00 00 00 74| for the communications we've seen. By frequency:

    218  00 00 00 73
     95  00 00 00 74
     64  00 00 00 72

A single host sends packets with any of these values:

00 00 00 72 3c 4e 41 49 3e 49 45 39 39 4c 54 34  ...rIE99LT4
4c 44 35 54 31 53 3c 2f 4e 41 49 3e 3c 43 53 49  LD5T1S????
57 69 6e 58 50 3c 2f 4f 53 49 3e 3c 43 50 55 49  WinXP46.59 MHz1013MB12??9??
3c 2f 42 5a 49 3e

00 00 00 73 3c 4e 41 49 3e 49 45 39 39 4c 54 34  ...sIE99LT4
4c 44 35 54 31 53 3c 2f 4e 41 49 3e 3c 43 53 49  LD5T1S????
57 69 6e 58 50 3c 2f 4f 53 49 3e 3c 43 50 55 49  WinXP368.23 MHz1013MB12??9?
d5 3c 2f 42 5a 49 3e                             ?

00 00 00 74 3c 4e 41 49 3e 49 45 39 39 4c 54 34  ...tIE99LT4
4c 44 35 54 31 53 3c 2f 4e 41 49 3e 3c 43 53 49  LD5T1S????
57 69 6e 58 50 3c 2f 4f 53 49 3e 3c 43 50 55 49  WinXP1181.07 MHz1013MB<
2f 4d 45 4d 49 3e 3c 42 5a 49 3e 31 32 d4 c2 39  /MEMI>12??9
c8 d5 3c 2f 42 5a 49 3e                          ??

So, do these work?

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Dropper-497 (Yumato) System Stats Report"; flow:established,to_server; content:"|00 00 00|"; depth:3; content:""; content:"<"; content:""; content:"<"; pcre:"/^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; sid:2007918; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Dropper-497 (Yumato) System Stats Report (I-variant)"; flow:established,to_server; content:"|00 00 00|"; depth:3; content:""; content:"<"; content:""; content:"<"; pcre:"/^\x00\x00\x00(\x72|\x73|\x74)/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; sid:XXXXXXX; rev:1;)

-- 
Darren Spruell
phatbuckett at gmail.com


From frank at knobbe.us Thu Jan 15 18:50:44 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 15 Jan 2009 17:50:44 -0600
Subject: [Emerging-Sigs] Hupigon sigs
In-Reply-To: <839aec700901151335o6dfb36a7w434d7818b493cbe9@mail.gmail.com>
References: <839aec700901151335o6dfb36a7w434d7818b493cbe9@mail.gmail.com>
Message-ID: <1232063444.17526.2.camel@localhost>

On Thu, 2009-01-15 at 14:35 -0700, Darren Spruell wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
> Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
> content:"|00 00 00 83|"; depth:4; content:""; content:"<";
> distance:0; content:""; content:"<"; distance:0;

> ...although I have to wonder if the match would work correctly:
> wouldn't the 'content:""; content:"<"; distance:0;' matches
> only hit on '<' due to the distance:0? (i.e. empty tag
> value?)
Yeah, I think there is a "within" missing that gives enough room for actual data between and :)

> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
> Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
> content:"|00 00 00|"; depth:3; content:""; content:"<";
> content:""; content:"<";
> pcre:"/^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])/";
> classtype:trojan-activity;
> reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497;
> sid:2007918; rev:2;)

I'd rather use:

content:""; content:"<"; distance:0; within:27;
content:""; content:"<"; distance:0; within:27;

(20 chars for MEM and CPU values)

Thoughts?

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.


From cunningpike at gmail.com Thu Jan 15 18:58:17 2009
From: cunningpike at gmail.com (CunningPike)
Date: Thu, 15 Jan 2009 15:58:17 -0800
Subject: [Emerging-Sigs] favicon's as executables
In-Reply-To: <496E5EE9.6050209@jtan.com>
References: <496E5EE9.6050209@jtan.com>
Message-ID: <1232063897.8281.10.camel@arodgers-panasonic>

I have noticed quite a few of these as well. In all our cases, the executable turned out to be a copy of aspnet_isapi.dll.

I have a feeling that there is some misconfiguration in IIS/ASP.NET that causes this behavior.

CP

On Wed, 2009-01-14 at 16:53 -0500, RPG wrote:
> We have seen a few instances of favicon.ico's coming down as executable
> files. In all instances so far the server reports "404 Not Found"
> when the browser requests the favicon.ico file yet it serves this little
> binary instead
>
> DST: HTTP/1.1 404 Not Found
> DST: Content-Length: 17416
> DST: Content-Type: application/x-msdownload
> DST: Server: Microsoft-IIS/6.0
> DST: X-Powered-By: ASP.NET
> DST: Date: Wed, 14 Jan 2009 21:20:27 GMT
> DST:
> DST:
> MZ......................
@...............................................!..L.!Th
>
> $ file favicon.ico
> favicon.ico: PE executable for MS Windows (DLL) (console) Intel 80386 32-bit
>
> $ md5sum favicon.ico
> 74e81a65879ffe881a7af525a0254ad8 favicon.ico
>
> Here's an example URL if you're curious:
> http://wwwDOTnjcarbuyerDOTcom/favicon.ico
> Download it safely and of course replace the DOT's. :)
>
> Virustotal comes up empty and so does threatexpert.com
> http://www.virustotal.com/analisis/4257c88c85ff4c4ef4fb495e06c7661a
> http://threatexpert.com/report.aspx?md5=74e81a65879ffe881a7af525a0254ad8
>
> Can someone shed light on this little mystery? TIA
>
> RPG


From phatbuckett at gmail.com Thu Jan 15 19:56:52 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Thu, 15 Jan 2009 17:56:52 -0700
Subject: [Emerging-Sigs] Hupigon sigs
In-Reply-To: <1232063444.17526.2.camel@localhost>
References: <839aec700901151335o6dfb36a7w434d7818b493cbe9@mail.gmail.com> <1232063444.17526.2.camel@localhost>
Message-ID: <839aec700901151656u44235e71p179fbac986521668@mail.gmail.com>

On Thu, Jan 15, 2009 at 4:50 PM, Frank Knobbe wrote:
> On Thu, 2009-01-15 at 14:35 -0700, Darren Spruell wrote:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
>> Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
>> content:"|00 00 00 83|"; depth:4; content:""; content:"<";
>> distance:0; content:""; content:"<"; distance:0;
>
>> ...although I have to wonder if the match would work correctly:
>> wouldn't the
>> 'content:""; content:"<"; distance:0;' matches
>> only hit on '<' due to the distance:0? (i.e. empty tag
>> value?)
>
> Yeah, I think there is a "within" missing that gives enough room for
> actual data between and :)
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
>> Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
>> content:"|00 00 00|"; depth:3; content:""; content:"<";
>> content:""; content:"<";
>> pcre:"/^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])/";
>> classtype:trojan-activity;
>> reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497;
>> sid:2007918; rev:2;)
>
> I'd rather use:
> content:""; content:"<"; distance:0; within:27;
> content:""; content:"<"; distance:0; within:27;
>
> (20 chars for MEM and CPU values)
>
> Thoughts?

Yep. I was hoping someone would chime in with something to tighten them down a bit more. :)

-- 
Darren Spruell
phatbuckett at gmail.com


From jonkman at jonkmans.com Thu Jan 15 23:39:19 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 15 Jan 2009 23:39:19 -0500
Subject: [Emerging-Sigs] favicon's as executables
In-Reply-To: <1232063897.8281.10.camel@arodgers-panasonic>
References: <496E5EE9.6050209@jtan.com> <1232063897.8281.10.camel@arodgers-panasonic>
Message-ID: <49700F77.1050707@jonkmans.com>

That seems a pretty significant misconfig... Are you sure what came was not hostile?

matt

CunningPike wrote:
> I have noticed quite a few of these as well. In all our cases, the
> executable turned out to be a copy of aspnet_isapi.dll.
>
> I have a feeling that there is some misconfiguration in IIS/ASP.NET that
> causes this behavior.
>
> CP
>
> On Wed, 2009-01-14 at 16:53 -0500, RPG wrote:
>> We have seen a few instances of favicon.ico's coming down as executable
>> files.
>> In all instances so far the server reports "404 Not Found"
>> when the browser requests the favicon.ico file yet it serves this little
>> binary instead
>>
>> DST: HTTP/1.1 404 Not Found
>> DST: Content-Length: 17416
>> DST: Content-Type: application/x-msdownload
>> DST: Server: Microsoft-IIS/6.0
>> DST: X-Powered-By: ASP.NET
>> DST: Date: Wed, 14 Jan 2009 21:20:27 GMT
>> DST:
>> DST:
>> MZ......................@...............................................!..L.!Th
>>
>> $ file favicon.ico
>> favicon.ico: PE executable for MS Windows (DLL) (console) Intel 80386 32-bit
>>
>> $ md5sum favicon.ico
>> 74e81a65879ffe881a7af525a0254ad8 favicon.ico
>>
>> Here's an example URL if you're curious:
>> http://wwwDOTnjcarbuyerDOTcom/favicon.ico
>> Download it safely and of course replace the DOT's. :)
>>
>> Virustotal comes up empty and so does threatexpert.com
>> http://www.virustotal.com/analisis/4257c88c85ff4c4ef4fb495e06c7661a
>> http://threatexpert.com/report.aspx?md5=74e81a65879ffe881a7af525a0254ad8
>>
>> Can someone shed light on this little mystery?
>> TIA
>>
>> RPG

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc


From dxp2532 at gmail.com Thu Jan 15 23:34:21 2009
From: dxp2532 at gmail.com (dxp)
Date: Thu, 15 Jan 2009 23:34:21 -0500
Subject: [Emerging-Sigs] New UAS seen in Zlob
Message-ID: <1232080461.6498.4.camel@kinta>

UAS "securityinternet" isn't in the current ruleset. Data on the sample:
http://www.virustotal.com/analisis/67376ebda71496562f026d6ade7e876d

Connects to 92.241.163.63 on tcp/80.

GET /image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=0;1312;1801 HTTP/1.1
User-Agent: securityinternet

Also, the IP should be added to the RBN list.

-
-=[ dxp ]=-
0xA3F3C6E3
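Added example for the Hupigon / Dropper-497 thread above (editor's code, not Darren's or Frank's, and not the ET rule). It transcribes the first hex dump from Darren's post, strips the IPv4 and TCP headers, splits the check-in into its 4-byte prefix and tagged body, and runs Frank's tightened content list through a small evaluator of Snort's content/depth/distance/within semantics. Two observations the page's own numbers support: the prefix is a big-endian length of the body that follows it (first packet: IP total length 0xba = 186, minus 40 bytes of headers, minus the 4-byte prefix, gives 142 = 0x8e; second packet: 159 - 40 - 4 = 115 = 0x73; the three I-variant samples with 46.59, 368.23 and 1181.07 MHz differ by one character each and carry 0x72, 0x73, 0x74), so the byte varies with string length rather than marking a variant; and distance:0 on its own only sets where the next search starts, so "<CPU>" followed by "</CPU>"; distance:0 does match with data between the tags, and within is what caps how far apart they may be. Tag names such as <CPU> and <MEM> are taken from the hex bytes (3c 43 50 55 3e, 3c 4d 45 4d 3e) because the archive stripped them from the quoted rule text. The longer-hostname packet is constructed; all function names are mine.

```python
import re
import struct

# First packet from Darren's post, transcribed from the hex dump
# (IPv4 header + TCP header + payload).
PKT1_HEX = """
4500 00ba b754 4000 7806 a2a0 c73f 955d
89a0 c20b 0702 2260 0635 7b8e 7787 b398
5018 ffe0 8ad1 0000 0000 008e 3c47 523e
4843 53d7 e93c 2f47 523e 3c49 4d3e 3235
3c2f 494d 3e3c 4e41 3e49 4530 3344 5458
5031 3536 3333 3c2f 4e41 3e3c 4353 3ec4
dacd f83c 2f43 533e 3c4f 533e 5769 6e58
503c 2f4f 533e 3c43 5055 3e32 3532 3720
4d48 7a3c 2f43 5055 3e3c 4d45 4d3e 3230
3034 4d42 3c2f 4d45 4d3e 3c53 503e cede
cad3 c6b5 3c2f 5350 3e3c 425a 3eb1 b8d7
a2c4 dac8 dd3c 2f42 5a3e
"""


def tcp_payload(pkt: bytes) -> bytes:
    """Return the TCP payload of a raw IPv4 packet (honours IHL and data offset)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:total_len]


PAYLOAD1 = tcp_payload(bytes.fromhex("".join(PKT1_HEX.split())))


def split_checkin(payload: bytes):
    """Check-in layout: 4-byte big-endian length, then the tagged body."""
    declared = struct.unpack("!I", payload[:4])[0]
    return declared, payload[4:]


def length_consistent(payload: bytes) -> bool:
    declared, body = split_checkin(payload)
    return declared == len(body)


TAG_RE = re.compile(rb"<([A-Z]+)>(.*?)</\1>", re.S)


def parse_fields(body: bytes) -> dict:
    """<NA>..</NA><OS>..</OS> style body -> {'NA': b'..', 'OS': b'..', ...}."""
    return {k.decode(): v for k, v in TAG_RE.findall(body)}


def build_checkin(fields: dict) -> bytes:
    """Inverse of parse_fields; recomputes the length prefix."""
    body = b"".join(b"<%s>%s</%s>" % (k.encode(), v, k.encode()) for k, v in fields.items())
    return struct.pack("!I", len(body)) + body


def match_rule(payload: bytes, checks) -> bool:
    """Mini evaluator for Snort content/depth/distance/within.
    No distance/within: the search is absolute, from offset 0.
    distance:N: the search starts N bytes after the previous match ended.
    within:N: the match must lie entirely inside the N bytes after that start.
    depth:N: the match must end within the first N bytes of the payload."""
    doe = 0  # end offset of the previous content match
    for c in checks:
        pat = c["content"]
        relative = "distance" in c or "within" in c
        start = doe + c.get("distance", 0) if relative else 0
        end = len(payload)
        if "depth" in c:
            end = min(end, c["depth"])
        if "within" in c:
            end = min(end, start + c["within"])
        pos = payload.find(pat, start)
        if pos < 0 or pos + len(pat) > end:
            return False
        doe = pos + len(pat)
    return True


# Frank's tightened rule, with the tag names restored from the hex dump.
FRANK_CHECKS = [
    {"content": b"\x00\x00\x00", "depth": 3},
    {"content": b"<CPU>"},
    {"content": b"</CPU>", "distance": 0, "within": 27},
    {"content": b"<MEM>"},
    {"content": b"</MEM>", "distance": 0, "within": 27},
]
FOURTH_BYTE_RE = re.compile(rb"^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])")


def frank_rule_matches(payload: bytes) -> bool:
    return match_rule(payload, FRANK_CHECKS) and FOURTH_BYTE_RE.match(payload) is not None


def longer_hostname_variant() -> bytes:
    """Constructed: the same report with 8 more bytes in <NA>, so the body is
    150 bytes (0x96), a length the fourth-byte pcre list does not cover."""
    fields = parse_fields(split_checkin(PAYLOAD1)[1])
    fields["NA"] += b"-LONGER1"
    return build_checkin(fields)


if __name__ == "__main__":
    declared, body = split_checkin(PAYLOAD1)
    print("prefix 0x%02x, body length %d, consistent: %s" % (declared, len(body), declared == len(body)))
    print(parse_fields(body))
    v = longer_hostname_variant()
    print("Frank's rule on the captured packet:", frank_rule_matches(PAYLOAD1))
    print("Frank's rule on the longer-name variant:", frank_rule_matches(v),
          "| content checks alone:", match_rule(v, FRANK_CHECKS),
          "| length prefix consistent:", length_consistent(v))
```

The round trip parse_fields -> build_checkin reproduces the captured payload byte for byte, which is what confirms the prefix is a plain body length. A rule that enumerates fourth-byte values will keep missing hosts whose names or clock strings are a few characters longer or shorter; checking the three leading zero bytes plus the tag structure, as Frank's content list does, is the part that generalises.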
From david.glosser at gmail.com Fri Jan 16 07:22:24 2009
From: david.glosser at gmail.com (David Glosser)
Date: Fri, 16 Jan 2009 07:22:24 -0500
Subject: [Emerging-Sigs] FP:: netbackup
Message-ID:

Net Backup False Positive:

1/15-20:41:50.368405 [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner on Local Port [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {TCP} 172.20.xx.xx:13724 -> 192.168.xx.xx:2453

Yeah, I have to talk to the backup guy and figure out why he's not using the backup network :)


From inittab at jtan.com Fri Jan 16 07:46:32 2009
From: inittab at jtan.com (RPG)
Date: Fri, 16 Jan 2009 07:46:32 -0500
Subject: [Emerging-Sigs] favicon's as executables
In-Reply-To: <1232063897.8281.10.camel@arodgers-panasonic>
References: <496E5EE9.6050209@jtan.com> <1232063897.8281.10.camel@arodgers-panasonic>
Message-ID: <497081A8.4080408@jtan.com>

Interesting, yes I should have looked a little closer at the file, it does "advertise" itself as aspnet_isapi.dll

$ strings favicon.ico | head
aspnet_isapi.dll
GetExtensionVersion
HttpExtensionProc
InstallStateService
RegisterISAPI
RegisterISAPIEx
TerminateExtension
UnregisterISAPI
Y__^[
t8WVS

However, and FWIW, the one aspnet_isapi.dll file that I do have doesn't look similar. Perhaps it's a different version.
$ strings aspnet_isapi.dll | head
CRequestEntry
zFtmHelper
g_AspTypelibLock
ActivitiesPoolLock
AspDispatchHelper
zCFreeBufferList::g_lLock
CCPUEntry

Nonetheless, if this truly is a "misconfiguration" of IIS/ASP.NET, I wonder what it would take to have it serve up other binaries in this fashion.

CunningPike wrote:
> I have noticed quite a few of these as well. In all our cases, the
> executable turned out to be a copy of aspnet_isapi.dll.
>
> I have a feeling that there is some misconfiguration in IIS/ASP.NET that
> causes this behavior.
>
> CP
>
> On Wed, 2009-01-14 at 16:53 -0500, RPG wrote:
>> We have seen a few instances of favicon.ico's coming down as executable
>> files. In all instances so far the server reports "404 Not Found"
>> when the browser requests the favicon.ico file yet it serves this little
>> binary instead
>>
>> DST: HTTP/1.1 404 Not Found
>> DST: Content-Length: 17416
>> DST: Content-Type: application/x-msdownload
>> DST: Server: Microsoft-IIS/6.0
>> DST: X-Powered-By: ASP.NET
>> DST: Date: Wed, 14 Jan 2009 21:20:27 GMT
>> DST:
>> DST:
>> MZ......................@...............................................!..L.!Th
>>
>> $ file favicon.ico
>> favicon.ico: PE executable for MS Windows (DLL) (console) Intel 80386 32-bit
>>
>> $ md5sum favicon.ico
>> 74e81a65879ffe881a7af525a0254ad8 favicon.ico
>>
>> Here's an example URL if you're curious:
>> http://wwwDOTnjcarbuyerDOTcom/favicon.ico
>> Download it safely and of course replace the DOT's. :)
>>
>> Virustotal comes up empty and so does threatexpert.com
>> http://www.virustotal.com/analisis/4257c88c85ff4c4ef4fb495e06c7661a
>> http://threatexpert.com/report.aspx?md5=74e81a65879ffe881a7af525a0254ad8
>>
>> Can someone shed light on this little mystery?
>> TIA
>>
>> RPG


From eslerj at gmail.com Fri Jan 16 11:26:11 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 16 Jan 2009 11:26:11 -0500
Subject: [Emerging-Sigs] FP:: netbackup
In-Reply-To:
References:
Message-ID:

On Jan 16, 2009, at 7:22 AM, David Glosser allegedly wrote:
> Net Backup False Positive:
>
> 1/15-20:41:50.368405 [**] [1:2003055:4] ET MALWARE Suspicious 220
> Banner on Local Port [**] [Classification: Detection of a non-
> standard protocol or event] [Priority: 2] {TCP} 172.20.xx.xx:13724 -
> > 192.168.xx.xx:2453
>
> Yeah, I have to talk to the backup guy and figure out why he's not
> using the backup network :)

So, it's not a false positive. The alert triggered on what you wanted it to trigger on, and even more it helped you find a system that is operating incorrectly.

I guess I don't see how it's a false positive. My point is, and not picking on you David, but people say False positive a lot in this industry and I think they are just using the wrong terminology.

Pedantic I know.

J

-- 
Joel Esler
? http://www.joelesler.net
? http://www.twitter.com/joelesler
[m]


From david.glosser at gmail.com Fri Jan 16 11:47:09 2009
From: david.glosser at gmail.com (David Glosser)
Date: Fri, 16 Jan 2009 11:47:09 -0500
Subject: [Emerging-Sigs] FP:: netbackup
In-Reply-To:
References:
Message-ID:

yeah, you are right.
Is there a list or database of known "false positives" (this time in quotes) or known applications which trip on certain rules?

On Fri, Jan 16, 2009 at 11:26 AM, Joel Esler wrote:
>
> On Jan 16, 2009, at 7:22 AM, David Glosser allegedly wrote:
>
> Net Backup False Positive:
>
> 1/15-20:41:50.368405 [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner
> on Local Port [**] [Classification: Detection of a non-standard protocol or
> event] [Priority: 2] {TCP} 172.20.xx.xx:13724 -> 192.168.xx.xx:2453
>
> Yeah, I have to talk to the backup guy and figure out why he's not using
> the backup network :)
>
>
> So, it's not a false positive. The alert triggered on what you wanted it
> to trigger on, and even more it helped you find a system that is operating
> incorrectly.
>
> I guess I don't see how it's a false positive. My point is, and not
> picking on you David, but people say False positive a lot in this industry
> and I think they are just using the wrong terminology.
>
> Pedantic I know.
>
> J
>
>
> --
> Joel Esler
> ? http://www.joelesler.net
> ? http://www.twitter.com/joelesler
> [m]
>


From phatbuckett at gmail.com Fri Jan 16 12:49:56 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Fri, 16 Jan 2009 10:49:56 -0700
Subject: [Emerging-Sigs] New UAS seen in Zlob
In-Reply-To: <1232080461.6498.4.camel@kinta>
References: <1232080461.6498.4.camel@kinta>
Message-ID: <839aec700901160949g3dae0389mad97dcc31b962161@mail.gmail.com>

On Thu, Jan 15, 2009 at 9:34 PM, dxp wrote:
> Connects to 92.241.163.63 on tcp/80.
>
> GET /image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=0;1312;1801 HTTP/1.1
> User-Agent: securityinternet

Confirming from our side as well; couple of scripts at that site:

Sat Jan 10 15:42:56 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=0;666;1855
Sat Jan 10 15:43:15 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=59248452;666;1855
Sat Jan 10 15:43:23 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;2:1:1|6:1:1|34:1:1
Sat Jan 10 15:43:42 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;2:1:1|6:1:1|34:1:1
Sat Jan 10 15:44:07 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=59248452;666;1855
Sat Jan 10 15:44:13 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;

# mod of 2003632
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent (securityinternet)"; flow:established,to_server; content:"User-Agent\: securityinternet"; classtype:trojan-activity; sid:XXXXXXX; rev:1;)

-- 
Darren Spruell
phatbuckett at gmail.com


From eslerj at gmail.com Fri Jan 16 14:39:02 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 16 Jan 2009 14:39:02 -0500
Subject: [Emerging-Sigs] FP:: netbackup
In-Reply-To:
References:
Message-ID: <3A414432-570F-4DFB-92A8-21C6C1276906@gmail.com>

When VRT rules are written and reported on, there is a document included with every single signature in the database. In this documentation file, there is a field called false positives.

All of this documentation is available on the Snort.org website easily by searching for rule number on the left hand side of the page.

J

On Jan 16, 2009, at 11:47 AM, David Glosser allegedly wrote:
> yeah, you are right.
> Is there a list or database of known "false
> positives" (this time in quotes) or known applications which trip on
> certain rules?
>
>
> On Fri, Jan 16, 2009 at 11:26 AM, Joel Esler wrote:
>
> On Jan 16, 2009, at 7:22 AM, David Glosser allegedly wrote:
>
>> Net Backup False Positive:
>>
>> 1/15-20:41:50.368405 [**] [1:2003055:4] ET MALWARE Suspicious 220
>> Banner on Local Port [**] [Classification: Detection of a non-
>> standard protocol or event] [Priority: 2] {TCP} 172.20.xx.xx:13724 -
>> > 192.168.xx.xx:2453
>>
>> Yeah, I have to talk to the backup guy and figure out why he's not
>> using the backup network :)
>
> So, it's not a false positive. The alert triggered on what you
> wanted it to trigger on, and even more it helped you find a system
> that is operating incorrectly.
>
> I guess I don't see how it's a false positive. My point is, and not
> picking on you David, but people say False positive a lot in this
> industry and I think they are just using the wrong terminology.
>
> Pedantic I know.
>
> J
>
>
>
> --
> Joel Esler
> ? http://www.joelesler.net
> ? http://www.twitter.com/joelesler
> [m]
>

-- 
Joel Esler
? http://www.joelesler.net
? http://www.twitter.com/joelesler
[m]


From david.glosser at gmail.com Fri Jan 16 15:06:32 2009
From: david.glosser at gmail.com (David Glosser)
Date: Fri, 16 Jan 2009 15:06:32 -0500
Subject: [Emerging-Sigs] FP:: netbackup
In-Reply-To: <3A414432-570F-4DFB-92A8-21C6C1276906@gmail.com>
References: <3A414432-570F-4DFB-92A8-21C6C1276906@gmail.com>
Message-ID:

Something like this for ET rules would be interesting...

On Fri, Jan 16, 2009 at 2:39 PM, Joel Esler wrote:
> When VRT rules are written and reported on, there is a document included
> with every single signature in the database.
In this documentation file, > there is a field called false positives. > All of this documentation is available on the Snort.org website easily by > searching for rule number on the left hand side of the page. > > J > > On Jan 16, 2009, at 11:47 AM, David Glosser allegedly wrote: > > yeah, you are right. Is there a list or database of known "false positives" > (this time in quotes) or known applications which trip on certain rules? > > > On Fri, Jan 16, 2009 at 11:26 AM, Joel Esler wrote: > >> >> On Jan 16, 2009, at 7:22 AM, David Glosser allegedly wrote: >> >> Net Backup False Positive: >> >> 1/15-20:41:50.368405 [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner >> on Local Port [**] [Classification: Detection of a non-standard protocol or >> event] [Priority: 2] {TCP} 172.20.xx.xx:13724 -> 192.168.xx.xx:2453 >> >> Yeah, I have to talk to the backup guy and figure out why he's not using >> the backup network :) >> >> >> So, it's not a false positive. The alert triggered on what you wanted it >> to trigger on, and even more it helped you find a system that is operating >> incorrectly. >> >> I guess I don't see how it's a false positive. My point is, and not >> picking on you David, but people say False positive a lot in this industry >> and I think they are just using the wrong terminology. >> >> Pedantic I know. >> >> J >> >> >> >> -- >> Joel Esler >> ? http://www.joelesler.net >> ? http://www.twitter.com/joelesler >> [m] >> >> > > > -- > Joel Esler > ? http://www.joelesler.net > ? http://www.twitter.com/joelesler > [m] > > -------------- next part -------------- An HTML attachment was scrubbed... 
From eslerj at gmail.com Fri Jan 16 15:09:22 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 16 Jan 2009 15:09:22 -0500
Subject: [Emerging-Sigs] FP:: netbackup
In-Reply-To:
References: <3A414432-570F-4DFB-92A8-21C6C1276906@gmail.com>
Message-ID: <33FE6151-733E-43B5-B0B8-29D99C39F437@gmail.com>

That's something worth discussing...

J

On Jan 16, 2009, at 3:06 PM, David Glosser allegedly wrote:
> Something like this for ET rules would be interesting...
>
> On Fri, Jan 16, 2009 at 2:39 PM, Joel Esler wrote:
>> When VRT rules are written and reported on, there is a document included with every single signature in the database. In this documentation file, there is a field called false positives.
>>
>> All of this documentation is available on the Snort.org website easily by searching for rule number on the left hand side of the page.
>>
>> J

--
Joel Esler
http://www.joelesler.net
http://www.twitter.com/joelesler
[m]

From jonkman at jonkmans.com Fri Jan 16 16:12:37 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 16 Jan 2009 16:12:37 -0500
Subject: [Emerging-Sigs] FP:: netbackup
In-Reply-To: <33FE6151-733E-43B5-B0B8-29D99C39F437@gmail.com>
References: <3A414432-570F-4DFB-92A8-21C6C1276906@gmail.com> <33FE6151-733E-43B5-B0B8-29D99C39F437@gmail.com>
Message-ID: <4970F845.10800@jonkmans.com>

We have the wiki for this purpose. FPs, TPs, issues, etc.

http://doc.emergingthreats.net

or

http://doc.emergingthreats.net/2003055

Everything available is there. :)

Matt

Joel Esler wrote:
> That's something worth discussing...
>
> J
>
> On Jan 16, 2009, at 3:06 PM, David Glosser allegedly wrote:
>> Something like this for ET rules would be interesting...
>
> --
> Joel Esler
> http://www.joelesler.net
> http://www.twitter.com/joelesler
> [m]
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From david.glosser at gmail.com Fri Jan 16 15:53:45 2009
From: david.glosser at gmail.com (David Glosser)
Date: Fri, 16 Jan 2009 15:53:45 -0500
Subject: [Emerging-Sigs] FP:: netbackup
In-Reply-To: <4970F845.10800@jonkmans.com>
References: <3A414432-570F-4DFB-92A8-21C6C1276906@gmail.com> <33FE6151-733E-43B5-B0B8-29D99C39F437@gmail.com> <4970F845.10800@jonkmans.com>
Message-ID:

great! just added to it....

On Fri, Jan 16, 2009 at 4:12 PM, Matt Jonkman wrote:
> We have the wiki for this purpose. FPs, TPs, issues, etc.
>
> http://doc.emergingthreats.net
>
> or
>
> http://doc.emergingthreats.net/2003055
>
> Everything available is there. :)
>
> Matt
From emerging at emergingthreats.net Fri Jan 16 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 16 Jan 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090116210009.9344E4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Jan 16 16:00:09 2009 [***]

[+++] Added rules: [+++]

2009005 - ET MALWARE Simbar Spyware User-Agent Detected (emerging-malware.rules)

[---] Removed rules: [---]

2009005 - ET TROJAN Simbar Spyware/Trojan User-Agent Detected (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-malware.rules (1):
#by RPG

-> Added to emerging-sid-msg.map (3):
2009005 || ET MALWARE Simbar Spyware User-Agent Detected || url,vil.nai.com/vil/content/v_131206.htm || url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805
2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org
2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org

-> Added to emerging-sid-msg.map.txt (3):
2009005 || ET MALWARE Simbar Spyware User-Agent Detected || url,vil.nai.com/vil/content/v_131206.htm || url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805
2404018 || ET DROP Known Bot C&C Server Traffic (group 19) || url,www.shadowserver.org
2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (1):
2009005 || ET TROJAN Simbar Spyware/Trojan User-Agent Detected || url,vil.nai.com/vil/content/v_131206.htm || url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805

-> Removed from emerging-sid-msg.map.txt (1):
2009005 || ET TROJAN Simbar Spyware/Trojan User-Agent Detected || url,vil.nai.com/vil/content/v_131206.htm || url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805

-> Removed from emerging-virus.rules (1):
#by RPG

From inittab at jtan.com Fri Jan 16 16:44:37 2009
From: inittab at jtan.com (RPG)
Date: Fri, 16 Jan 2009 16:44:37 -0500
Subject: [Emerging-Sigs] new Downadup/Conficker-A sig?
Message-ID: <4970FFC5.6050501@jtan.com>

Does anyone have any recommendations for a signature based on the following analysis, the current sid, 2008804, doesn't match.

http://www.f-secure.com/weblog/archives/00001584.html

From inittab at jtan.com Fri Jan 16 18:20:02 2009
From: inittab at jtan.com (RPG)
Date: Fri, 16 Jan 2009 18:20:02 -0500
Subject: [Emerging-Sigs] new Downadup/Conficker-A sig?
In-Reply-To: <4970FFC5.6050501@jtan.com>
References: <4970FFC5.6050501@jtan.com>
Message-ID: <49711622.8040406@jtan.com>

how about something like this?
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; flow:to_server,established; content:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}/mi"; content:!".google.com"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; sid:XXXXXXXXXXXXXXXXX; rev:1;)

RPG wrote:
> Does anyone have any recommendations for a signature based on the following analysis, the current sid, 2008804, doesn't match.
>
> http://www.f-secure.com/weblog/archives/00001584.html

From frank at knobbe.us Fri Jan 16 18:58:12 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Fri, 16 Jan 2009 17:58:12 -0600
Subject: [Emerging-Sigs] New UAS seen in Zlob
In-Reply-To: <839aec700901160949g3dae0389mad97dcc31b962161@mail.gmail.com>
References: <1232080461.6498.4.camel@kinta> <839aec700901160949g3dae0389mad97dcc31b962161@mail.gmail.com>
Message-ID: <1232150292.11912.0.camel@localhost>

On Fri, 2009-01-16 at 10:49 -0700, Darren Spruell wrote:
> # mod of 2003632
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent (securityinternet)"; flow:established,to_server; content:"User-Agent\: securityinternet"; classtype:trojan-activity; sid:XXXXXXX; rev:1;)

Committed with SID 2009022.

Thanks,
Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

From frank at knobbe.us Fri Jan 16 19:00:40 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Fri, 16 Jan 2009 18:00:40 -0600
Subject: [Emerging-Sigs] new Downadup/Conficker-A sig?
In-Reply-To: <49711622.8040406@jtan.com>
References: <4970FFC5.6050501@jtan.com> <49711622.8040406@jtan.com>
Message-ID: <1232150440.11912.3.camel@localhost>

On Fri, 2009-01-16 at 18:20 -0500, RPG wrote:
> how about something like this?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting";
> flow:to_server,established; content:"/search?q=";
> pcre:"/\/search\?q\=[0-9]{1,3}/mi";
> content:!".google.com";
> classtype:trojan-activity;
> reference:url,www.f-secure.com/weblog/archives/00001584.html;
> sid:XXXXXXXXXXXXXXXXX; rev:1;)

Can you run that for a while and report on rate of false positives? :)
I thought we had tried a rule like that (only "search?q=") but got way too many FP's.

-Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

From inittab at jtan.com Fri Jan 16 20:09:38 2009
From: inittab at jtan.com (RPG)
Date: Fri, 16 Jan 2009 20:09:38 -0500
Subject: [Emerging-Sigs] new Downadup/Conficker-A sig?
In-Reply-To: <1232150440.11912.3.camel@localhost>
References: <4970FFC5.6050501@jtan.com> <49711622.8040406@jtan.com> <1232150440.11912.3.camel@localhost>
Message-ID: <49712FD2.1030701@jtan.com>

Well, I think this might be ok. Here's a modification to the pcre to look for white space after the 1,2 or 3 digit number.

pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi";

Frank Knobbe wrote:
> On Fri, 2009-01-16 at 18:20 -0500, RPG wrote:
>> how about something like this?
>
> Can you run that for a while and report on rate of false positives? :)
> I thought we had tried a rule like that (only "search?q=") but got way
> too many FP's.
>
> -Frank

From jonkman at jonkmans.com Fri Jan 16 23:34:22 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 16 Jan 2009 23:34:22 -0500
Subject: [Emerging-Sigs] New UAS seen in Zlob
In-Reply-To: <839aec700901160949g3dae0389mad97dcc31b962161@mail.gmail.com>
References: <1232080461.6498.4.camel@kinta> <839aec700901160949g3dae0389mad97dcc31b962161@mail.gmail.com>
Message-ID: <49715FCE.7050500@jonkmans.com>

Committed. Thanks all!!

Matt

Darren Spruell wrote:
> On Thu, Jan 15, 2009 at 9:34 PM, dxp wrote:
>> Connects to 92.241.163.63 on tcp/80.
>>
>> GET /image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=0;1312;1801 HTTP/1.1
>> User-Agent: securityinternet
>
> Confirming from our side as well; couple of scripts at that site:
>
> Sat Jan 10 15:42:56 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=0;666;1855
> Sat Jan 10 15:43:15 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=59248452;666;1855
> Sat Jan 10 15:43:23 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;2:1:1|6:1:1|34:1:1
> Sat Jan 10 15:43:42 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;2:1:1|6:1:1|34:1:1
> Sat Jan 10 15:44:07 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=59248452;666;1855
> Sat Jan 10 15:44:13 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;
>
> # mod of 2003632
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent (securityinternet)"; flow:established,to_server; content:"User-Agent\: securityinternet"; classtype:trojan-activity; sid:XXXXXXX; rev:1;)

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From pepperjack at afferentsecurity.com Fri Jan 16 23:43:21 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Fri, 16 Jan 2009 22:43:21 -0600
Subject: [Emerging-Sigs] new Downadup/Conficker-A sig?
In-Reply-To: <1232150440.11912.3.camel@localhost>
References: <4970FFC5.6050501@jtan.com> <49711622.8040406@jtan.com> <1232150440.11912.3.camel@localhost>
Message-ID: <20090116224321.9x0eeq1ykkg0cogw@mail.afferentsecurity.com>

I have been testing a ruleset with the generated domain names. No hits, yet, but maybe that's good, eh?

Help yourself:

http://www.autoshun.org/downloads/conficker.rules

I'll try to remember to update the list when the domains run out on Jan 31st.

jp

--
Framework? I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From pepperjack at afferentsecurity.com Fri Jan 16 23:46:17 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Fri, 16 Jan 2009 22:46:17 -0600
Subject: [Emerging-Sigs] new Downadup/Conficker-A sig?
In-Reply-To: <1232150440.11912.3.camel@localhost>
References: <4970FFC5.6050501@jtan.com> <49711622.8040406@jtan.com> <1232150440.11912.3.camel@localhost>
Message-ID: <20090116224617.bnh7ibv9eswcoo8s@mail.afferentsecurity.com>

Since all the samples on the f-secure site were using http/1.0, maybe this will improve the FP ratio:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; flow:to_server,established; content:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,4} http/1.0/mi"; content:!".google.com"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; sid:XXXXXXXXXXXXXXXXX; rev:1;)

That would look for a numeric-only value for q, plus I upped it to 4 digits since f-secure is showing some of those.

jp

Quoting Frank Knobbe :
> On Fri, 2009-01-16 at 18:20 -0500, RPG wrote:
>> how about something like this?
>
> Can you run that for a while and report on rate of false positives? :)
> I thought we had tried a rule like that (only "search?q=") but got way
> too many FP's.
>
> -Frank

--
Framework? I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From pepperjack at afferentsecurity.com Fri Jan 16 23:59:52 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Fri, 16 Jan 2009 22:59:52 -0600
Subject: [Emerging-Sigs] new Downadup/Conficker-A sig?
In-Reply-To: <20090116224617.bnh7ibv9eswcoo8s@mail.afferentsecurity.com>
References: <4970FFC5.6050501@jtan.com> <49711622.8040406@jtan.com> <1232150440.11912.3.camel@localhost> <20090116224617.bnh7ibv9eswcoo8s@mail.afferentsecurity.com>
Message-ID: <20090116225952.v5q4buvzks0g84o0@mail.afferentsecurity.com>

Botched the PCRE on the previous post:

Quoting Jack Pepper :
> Since all the samples on the f-secure site were using http/1.0, maybe
> this will improve the FP ratio:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; flow:to_server,established; content:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,4}\s+http\/1\.0/mi"; content:!".google.com"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; sid:XXXXXXXXXXXXXXXXX; rev:1;)
>
> That would look for a numeric-only value for q, plus I upped it to 4
> digits since f-secure is showing some of those.
>
> jp

--
Framework? I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From frank at knobbe.us Sat Jan 17 00:41:26 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Fri, 16 Jan 2009 23:41:26 -0600
Subject: [Emerging-Sigs] New UAS seen in Zlob
In-Reply-To: <49715FCE.7050500@jonkmans.com>
References: <1232080461.6498.4.camel@kinta> <839aec700901160949g3dae0389mad97dcc31b962161@mail.gmail.com> <49715FCE.7050500@jonkmans.com>
Message-ID: <1232170886.27595.1.camel@localhost>

On Fri, 2009-01-16 at 23:34 -0500, Matt Jonkman wrote:
> Committed. Thanks all!!

Was already committed as 2009022. :) I'm gonna remove the dupe and add your CR/LF before the user agent.

-Frank

From frank at knobbe.us Sat Jan 17 00:57:13 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Fri, 16 Jan 2009 23:57:13 -0600
Subject: [Emerging-Sigs] new Downadup/Conficker-A sig?
In-Reply-To: <20090116225952.v5q4buvzks0g84o0@mail.afferentsecurity.com>
References: <4970FFC5.6050501@jtan.com> <49711622.8040406@jtan.com> <1232150440.11912.3.camel@localhost> <20090116224617.bnh7ibv9eswcoo8s@mail.afferentsecurity.com> <20090116225952.v5q4buvzks0g84o0@mail.afferentsecurity.com>
Message-ID: <1232171833.27595.3.camel@localhost>

On Fri, 2009-01-16 at 22:59 -0600, Jack Pepper wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting";
> flow:to_server,established; content:"/search?q=";
> pcre:"/\/search\?q\=[0-9]{1,4}\s+http\/1\.0/mi";
> content:!".google.com";
> classtype:trojan-activity;
> reference:url,www.f-secure.com/weblog/archives/00001584.html;
> sid:XXXXXXXXXXXXXXXXX; rev:1;)

Committed. Thanks guys.

-Frank

From bojan.isc at gmail.com Sat Jan 17 06:23:29 2009
From: bojan.isc at gmail.com (Bojan Zdrnja (SANS ISC))
Date: Sat, 17 Jan 2009 12:23:29 +0100
Subject: [Emerging-Sigs] new Downadup/Conficker-A sig?
In-Reply-To: <20090116224617.bnh7ibv9eswcoo8s@mail.afferentsecurity.com>
References: <4970FFC5.6050501@jtan.com> <49711622.8040406@jtan.com> <1232150440.11912.3.camel@localhost> <20090116224617.bnh7ibv9eswcoo8s@mail.afferentsecurity.com>
Message-ID: <9d6a1ae60901170323l2e0b2c3cwfacb21228993683e@mail.gmail.com>

On Sat, Jan 17, 2009 at 5:46 AM, Jack Pepper wrote:
> Since all the samples on the f-secure site were using http/1.0, maybe
> this will improve the FP ratio:

They are, but there are HTTP/1.1 samples as well (I got access to like 20 GB of logs).
So this works as well "GET /search?q=0 HTTP/1.1" which means you can't use HTTP/1.0 to anchor this :/

Bojan

From emerging at emergingthreats.net Sat Jan 17 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 17 Jan 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090117210009.96C8C45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Jan 17 16:00:09 2009 [***]

[+++] Added rules: [+++]

2009022 - ET VIRUS Zlob User Agent - Likely Zlob (securityinternet) (emerging-virus.rules)
2009024 - ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting (emerging.rules)

[///] Modified active rules: [///]

2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules)
2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules)
2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules)
2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules)
2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules)
2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules)
2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules)
2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules)
2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules)
2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules)
2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules)
2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules)
2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules)
2406122 - ET RBN Known
Russian Business Network Monitored Domains (123) (emerging-rbn.rules) 2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules) 2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules) 2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules) 2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules) 2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules) 2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules) 2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules) 2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules) 2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules) 2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules) 2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules) 2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules) 2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules) 2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules) 2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules) 2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules) 2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules) 2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules) 2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules) 2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules) 2406143 - ET RBN Known Russian Business Network Monitored Domains 
(144) (emerging-rbn.rules) 2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules) 2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules) 2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules) 2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules) 2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules) 2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules) 2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules) 2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules) 2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules) 2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules) 2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules) 2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules) 2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules) 2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules) 2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules) 2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules) 2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules) 2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules) 2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules) 2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules) 2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules) 2406165 - ET RBN 
Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules) 2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules) 2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules) 2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules) 2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules) 2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules) 2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules) 2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules) 2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules) 2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules) 2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules) 2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules) 2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules) 2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules) 2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules) 2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules) 2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules) 2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules) 2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules) 2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules) 2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules) 2406186 - ET RBN Known Russian Business Network Monitored 
Domains (187) (emerging-rbn.rules) 2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules) 2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules) 2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules) 2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules) 2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules) 2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules) 2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules) 2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules) 2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules) 2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules) 2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules) 2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules) 2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules) 2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules) 2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules) 2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules) 2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules) 2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules) 2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules) 2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules) 2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules) 2406208 - 
ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules) 2406209 - ET RBN Known Russian Business Network Monitored Domains (210) (emerging-rbn.rules) 2406210 - ET RBN Known Russian Business Network Monitored Domains (211) (emerging-rbn.rules) 2406211 - ET RBN Known Russian Business Network Monitored Domains (212) (emerging-rbn.rules) 2406212 - ET RBN Known Russian Business Network Monitored Domains (213) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known 
Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored 
Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) 
(emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) 
(emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) 
(emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) 
(emerging-rbn-BLOCK.rules)
2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules)
2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules)
2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules)
2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules)
2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules)
2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules)
2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules)
2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules)
2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules)
2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules)
2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules)
2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) (emerging-rbn-BLOCK.rules)
2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules)
2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) (emerging-rbn-BLOCK.rules)
2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules)
2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules)
2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules)
2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules)
2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) (emerging-rbn-BLOCK.rules)
2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules)
2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules)
2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) (emerging-rbn-BLOCK.rules)
2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules)
2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules)
2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules)
2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules)
2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules)
2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules)
2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules)
2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) (emerging-rbn-BLOCK.rules)
2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules)
2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) (emerging-rbn-BLOCK.rules)
2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules)
2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules)
2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules)
2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules)
2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) (emerging-rbn-BLOCK.rules)
2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules)
2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules)
2407199 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) (emerging-rbn-BLOCK.rules)
2407200 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) (emerging-rbn-BLOCK.rules)
2407201 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) (emerging-rbn-BLOCK.rules)
2407202 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) (emerging-rbn-BLOCK.rules)
2407203 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) (emerging-rbn-BLOCK.rules)
2407204 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) (emerging-rbn-BLOCK.rules)
2407205 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) (emerging-rbn-BLOCK.rules)
2407206 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) (emerging-rbn-BLOCK.rules)
2407207 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) (emerging-rbn-BLOCK.rules)
2407208 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) (emerging-rbn-BLOCK.rules)
2407209 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (210) (emerging-rbn-BLOCK.rules)
2407210 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (211) (emerging-rbn-BLOCK.rules)
2407211 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (212) (emerging-rbn-BLOCK.rules)
2407212 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (213) (emerging-rbn-BLOCK.rules)

[---] Disabled rules: [---]
2008804 - ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008 (emerging.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 106
# Updated 2009-01-17 10:28:54
-> Added to emerging-rbn.rules (2):
# VERSION 106
# Updated 2009-01-17 10:28:54
-> Added to emerging-sid-msg.map (2):
2009022 || ET VIRUS Zlob User Agent - Likely Zlob (securityinternet) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html
2009024 || ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting || url,www.f-secure.com/weblog/archives/00001584.html
-> Added to emerging-sid-msg.map.txt (2):
2009022 || ET VIRUS Zlob User Agent - Likely Zlob (securityinternet) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html
2009024 || ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting || url,www.f-secure.com/weblog/archives/00001584.html
-> Added to emerging-virus.rules (1):
# By Darren Spruell and dxp
-> Added to emerging.rules (1):
# By RPG and Jack Pepper

[---] Removed non-rule lines: [---]
-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 105
# Updated 2009-01-13 12:29:49
-> Removed from emerging-rbn.rules (2):
# VERSION 105
# Updated 2009-01-13 12:29:49

From emerging at emergingthreats.net Sat Jan 17 18:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 17 Jan 2009 18:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20090117230009.28B5A45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Jan 17 18:00:09 2009 [***]

[+++] Added rules: [+++]
2009005 - ET MALWARE Simbar Spyware User-Agent Detected (emerging-malware.rules)
2009006 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 (emerging.rules)
2009007 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 (emerging.rules)
2009008 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 (emerging.rules)
2009009 - ET WEB_SPECIFIC ClaSS export.php ftype parameter Information Disclosure (emerging-web_sql_injection.rules)
2009010 - ET WEB_SPECIFIC Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure (emerging-web_sql_injection.rules)
2009011 - ET WEB_SPECIFIC Rematic CMS referenzdetail.php id parameter SQL Injection (emerging-web_sql_injection.rules)
2009012 - ET WEB_SPECIFIC Rematic CMS produkte.php id parameter SQL Injection (emerging-web_sql_injection.rules)
2009013 - ET WEB_SPECIFIC WebPhotoPro art.php idm Parameter SQL Injection (emerging-web_sql_injection.rules)
2009014 - ET WEB_SPECIFIC WebPhotoPro rub.php idr Parameter SQL Injection (emerging-web_sql_injection.rules)
2009015 - ET WEB_SPECIFIC WebPhotoPro galeri_info.php ida Parameter SQL Injection (emerging-web_sql_injection.rules)
2009016 - ET WEB_SPECIFIC WebPhotoPro galeri_info.php lang Parameter SQL Injection (emerging-web_sql_injection.rules)
2009017 - ET WEB_SPECIFIC WebPhotoPro rubrika.php idr Parameter SQL Injection (emerging-web_sql_injection.rules)
2009018 - ET WEB_SPECIFIC Text Lines Rearrange Script filename parameter File Disclosure (emerging-web_sql_injection.rules)
2009019 - ET TROJAN VMProtect Demo version Packed Binary - Likely Hostile (emerging-virus.rules)
2009020 - ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection (emerging-policy.rules)
2009021 - ET MALWARE Suspicious User Agent (IE_6.0) (emerging-malware.rules)
2009022 - ET VIRUS Zlob User Agent - Likely Zlob (securityinternet) (emerging-virus.rules)
2009024 - ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting (emerging.rules)
2406209 - ET RBN Known Russian Business Network Monitored Domains (210) (emerging-rbn.rules)
2406210 - ET RBN Known Russian Business Network Monitored Domains (211) (emerging-rbn.rules)
2406211 - ET RBN Known Russian Business Network Monitored Domains (212) (emerging-rbn.rules)
2406212 - ET RBN Known Russian Business Network Monitored Domains (213) (emerging-rbn.rules)
2407209 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (210) (emerging-rbn-BLOCK.rules)
2407210 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (211) (emerging-rbn-BLOCK.rules)
2407211 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (212) (emerging-rbn-BLOCK.rules)
2407212 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (213) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]
2008665 - ET TROJAN Obfiscator.vc or Related Infection Checkin (emerging-virus.rules)
2008940 - ET TROJAN DNSChanger.AT or related Infection Checkin Post (emerging-virus.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules)
2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules)
2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules)
2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules)
2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules)
2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules)
2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules)
2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules)
2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules)
2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules)
2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules)
2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules)
2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules)
2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules)
2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules)
2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules)
2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules)
2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules)
2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules)
2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules)
2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules)
2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules)
2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules)
2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules)
2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules)
2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules)
2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules)
2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules)
2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules)
2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules)
2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules)
2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules)
2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules)
2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules)
2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules)
2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules)
2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules)
2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules)
2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules)
2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules)
2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules)
2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules)
2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules)
2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules)
2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules)
2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules)
2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules)
2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules)
2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules)
2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules)
2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules)
2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules)
2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules)
2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules)
2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules)
2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules)
2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules)
2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules)
2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules)
2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules)
2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules)
2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules)
2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules)
2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules)
2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules)
2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules)
2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules)
2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules)
2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules)
2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules)
2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules)
2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules)
2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules)
2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules)
2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules)
2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules)
2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules)
2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules)
2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules)
2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules)
2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules)
2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules)
2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules)
2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules)
2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules)
2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules)
2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules)
2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules)
2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules)
2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules)
2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules)
2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules)
2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules)
2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules)
2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules)
2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules)
2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules)
2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules)
2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules)
2406208 - ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules)
2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules)
2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules)
2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules)
2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules)
2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules)
2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules)
2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules)
2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules)
2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules)
2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules)
2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules)
2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules)
2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules)
2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules)
2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules)
2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules)
2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules)
2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules)
2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules)
2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules)
2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules)
2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules)
2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules)
2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules)
2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules)
2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules)
2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules)
2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules)
2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules)
2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules)
2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules)
2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules)
2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules)
2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules)
2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules)
2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules)
2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules)
2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules)
2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules)
2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules)
2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules)
2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules)
2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules)
2407046 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) 
(emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 
- ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known 
Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business 
Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored 
Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules) 2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) (emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules) 2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(174) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) (emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules) 2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) (emerging-rbn-BLOCK.rules) 2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules) 2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) 
(emerging-rbn-BLOCK.rules) 2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules) 2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules) 2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules) 2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules) 2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) (emerging-rbn-BLOCK.rules) 2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules) 2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules) 2407199 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) (emerging-rbn-BLOCK.rules) 2407200 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) (emerging-rbn-BLOCK.rules) 2407201 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) (emerging-rbn-BLOCK.rules) 2407202 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) (emerging-rbn-BLOCK.rules) 2407203 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) (emerging-rbn-BLOCK.rules) 2407204 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) (emerging-rbn-BLOCK.rules) 2407205 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) (emerging-rbn-BLOCK.rules) 2407206 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) (emerging-rbn-BLOCK.rules) 2407207 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) (emerging-rbn-BLOCK.rules) 2407208 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) (emerging-rbn-BLOCK.rules) [---] Disabled rules: [---] 2008804 - ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt 
From Dates 25/11-01/12 2008 (emerging.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-drop-BLOCK.rules (2): # VERSION 1422 # Generated 2009-01-17 00:03:02 EDT -> Added to emerging-drop.rules (2): # VERSION 1422 # Generated 2009-01-17 00:03:02 EDT -> Added to emerging-malware.rules (1): #by RPG -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 106 # Updated 2009-01-17 10:28:54 -> Added to emerging-rbn.rules (2): # VERSION 106 # Updated 2009-01-17 10:28:54 -> Added to emerging-sid-msg.map (29): 2009005 || ET MALWARE Simbar Spyware User-Agent Detected || url,vil.nai.com/vil/content/v_131206.htm || url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805 2009006 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 || url,isc.sans.org/diary.html?storyid=5599 2009007 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 || url,isc.sans.org/diary.html?storyid=5599 2009008 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 || url,isc.sans.org/diary.html?storyid=5599 2009009 || ET WEB_SPECIFIC ClaSS export.php ftype parameter Information Disclosure || bugtraq,32929 || url,secunia.com/advisories/33222 2009010 || ET WEB_SPECIFIC Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure || bugtraq,32966 || url,www.milw0rm.com/exploits/7543 2009011 || ET WEB_SPECIFIC Rematic CMS referenzdetail.php id parameter SQL Injection || url,milw0rm.com/exploits/7502 || url,secunia.com/advisories/33208/ 2009012 || ET WEB_SPECIFIC Rematic CMS produkte.php id parameter SQL Injection || url,milw0rm.com/exploits/7502 || url,secunia.com/advisories/33208/ 2009013 || ET WEB_SPECIFIC WebPhotoPro art.php idm Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829 2009014 || ET WEB_SPECIFIC WebPhotoPro rub.php idr Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || 
bugtraq,32829 2009015 || ET WEB_SPECIFIC WebPhotoPro galeri_info.php ida Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829 2009016 || ET WEB_SPECIFIC WebPhotoPro galeri_info.php lang Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829 2009017 || ET WEB_SPECIFIC WebPhotoPro rubrika.php idr Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829 2009018 || ET WEB_SPECIFIC Text Lines Rearrange Script filename parameter File Disclosure || url,milw0rm.com/exploits/7542 || url,securityfocus.com/bid/32968 2009019 || ET TROJAN VMProtect Demo version Packed Binary - Likely Hostile || url,www.packetninjas.net || url,www.vmprotect.ru 2009020 || ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection 2009021 || ET MALWARE Suspicious User Agent (IE_6.0) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html 2009022 || ET VIRUS Zlob User Agent - Likely Zlob (securityinternet) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html 2009024 || ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting || url,www.f-secure.com/weblog/archives/00001584.html 2406209 || ET RBN Known Russian Business Network Monitored Domains (210) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406210 || ET RBN Known Russian Business Network Monitored Domains (211) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406211 || ET RBN Known Russian Business Network Monitored Domains (212) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406212 || ET RBN Known Russian Business Network Monitored Domains (213) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407209 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407210 || ET 
RBN Known Russian Business Network Monitored Domains - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407211 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407212 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500075 || ET COMPROMISED Known Compromised or Hostile Host Traffic (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510075 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (29): 2009005 || ET MALWARE Simbar Spyware User-Agent Detected || url,vil.nai.com/vil/content/v_131206.htm || url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805 2009006 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1 || url,isc.sans.org/diary.html?storyid=5599 2009007 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2 || url,isc.sans.org/diary.html?storyid=5599 2009008 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3 || url,isc.sans.org/diary.html?storyid=5599 2009009 || ET WEB_SPECIFIC ClaSS export.php ftype parameter Information Disclosure || bugtraq,32929 || url,secunia.com/advisories/33222 2009010 || ET WEB_SPECIFIC Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure || bugtraq,32966 || url,www.milw0rm.com/exploits/7543 2009011 || ET WEB_SPECIFIC Rematic CMS referenzdetail.php id parameter SQL Injection || url,milw0rm.com/exploits/7502 || url,secunia.com/advisories/33208/ 2009012 || ET WEB_SPECIFIC Rematic CMS produkte.php id parameter SQL Injection || url,milw0rm.com/exploits/7502 || url,secunia.com/advisories/33208/ 2009013 || ET WEB_SPECIFIC WebPhotoPro art.php 
idm Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829 2009014 || ET WEB_SPECIFIC WebPhotoPro rub.php idr Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829 2009015 || ET WEB_SPECIFIC WebPhotoPro galeri_info.php ida Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829 2009016 || ET WEB_SPECIFIC WebPhotoPro galeri_info.php lang Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829 2009017 || ET WEB_SPECIFIC WebPhotoPro rubrika.php idr Parameter SQL Injection || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || bugtraq,32829 2009018 || ET WEB_SPECIFIC Text Lines Rearrange Script filename parameter File Disclosure || url,milw0rm.com/exploits/7542 || url,securityfocus.com/bid/32968 2009019 || ET TROJAN VMProtect Demo version Packed Binary - Likely Hostile || url,www.packetninjas.net || url,www.vmprotect.ru 2009020 || ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection 2009021 || ET MALWARE Suspicious User Agent (IE_6.0) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html 2009022 || ET VIRUS Zlob User Agent - Likely Zlob (securityinternet) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html 2009024 || ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting || url,www.f-secure.com/weblog/archives/00001584.html 2406209 || ET RBN Known Russian Business Network Monitored Domains (210) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406210 || ET RBN Known Russian Business Network Monitored Domains (211) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406211 || ET RBN Known Russian Business Network Monitored Domains (212) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406212 || ET RBN Known Russian Business Network 
Monitored Domains (213) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407209 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (210) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407210 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (211) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407211 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (212) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407212 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (213) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500075 || ET COMPROMISED Known Compromised or Hostile Host Traffic (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510075 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (76) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-virus.rules (2): #by matt jonkman, updated by darren spruell # By Darren Spruell and dxp -> Added to emerging-web_sql_injection.rules (1): # From StillSecure -> Added to emerging.rules (1): # By RPG and Jack Pepper [---] Removed non-rule lines: [---] -> Removed from emerging-drop-BLOCK.rules (2): # VERSION 1415 # Generated 2009-01-10 00:03:03 EDT -> Removed from emerging-drop.rules (2): # VERSION 1415 # Generated 2009-01-10 00:03:03 EDT -> Removed from emerging-rbn-BLOCK.rules (2): # VERSION 102 # Updated 2009-01-09 16:52:41 -> Removed from emerging-rbn.rules (2): # VERSION 102 # Updated 2009-01-09 16:52:41 From jonkman at jonkmans.com Sat Jan 17 22:34:12 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Sat, 17 Jan 2009 22:34:12 -0500 Subject: [Emerging-Sigs] new Downadup/Conficker-A sig? 
In-Reply-To: <49712FD2.1030701@jtan.com> References: <4970FFC5.6050501@jtan.com> <49711622.8040406@jtan.com> <1232150440.11912.3.camel@localhost> <49712FD2.1030701@jtan.com> Message-ID: <4972A334.7030908@jonkmans.com> Updated, thanks all! RPG wrote: > Well, I think this might be ok. Here's a modification to the pcre to > look for white space after the 1,2 or 3 digit number. > > pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; > > Frank Knobbe wrote: >> On Fri, 2009-01-16 at 18:20 -0500, RPG wrote: >>> how about something like this? >>> >>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS >>> (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; >>> flow:to_server,established; content:"/search?q="; >>> pcre:"/\/search\?q\=[0-9]{1,3}/mi"; >>> content:!".google.com"; >>> classtype:trojan-activity; >>> reference:url,www.f-secure.com/weblog/archives/00001584.html; >>> sid:XXXXXXXXXXXXXXXXX; rev:1;) >> Can you run that for a while and report on rate of false positives? :) >> I thought we had tried a rule like that (only "search?q=") but got way >> too many FP's. >> >> -Frank >> >> > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Sat Jan 17 22:56:52 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Sat, 17 Jan 2009 22:56:52 -0500 Subject: [Emerging-Sigs] favicon's as executables In-Reply-To: <497081A8.4080408@jtan.com> References: <496E5EE9.6050209@jtan.com> <1232063897.8281.10.camel@arodgers-panasonic> <497081A8.4080408@jtan.com> Message-ID: <4972A884.4050000@jonkmans.com> OK, so I see two good sigs out of this idea. 1. 
favicon requested and an exe returned Unfortunately to do that we'd have to set a flowbit I think to flag a request for favico, then look for the return. Might be too high load for the benefit? 2. 404 with an exe in it.... This we can do: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; content:"|0d 0a 0d 0a|MZ"; distance:0; classtype:attempted-admin; sid:2009028; rev:1;) Look good to all? Matt RPG wrote: > Interesting, yes I should have looked a little closer at the file, it > does "advertise" itself as aspnet_isapi.dll > > $ strings favicon.ico | head > aspnet_isapi.dll > GetExtensionVersion > HttpExtensionProc > InstallStateService > RegisterISAPI > RegisterISAPIEx > TerminateExtension > UnregisterISAPI > Y__^[ > t8WVS > > However, and FWIW, the one aspnet_isapi.dll file that I do have doesn't > look similar. Perhaps it's a different version. > > $ strings aspnet_isapi.dll | head > CRequestEntry > zFtmHelper > g_AspTypelibLock > ActivitiesPoolLock > AspDispatchHelper > zCFreeBufferList::g_lLock > CCPUEntry > > > None the less, if this truly is a "misconfiguration" of IIS/ASP.NET, I > wonder what it would take to have it serve up other binaries in this > fashion. > > > CunningPike wrote: >> I have noticed quite a few of these as well. In all our cases, the >> executable turned out to be a copy of aspnet_isapi.dll. >> >> I have a feeling that there is some misconfiguration in IIS/ASP.NET that >> causes this behavior. >> >> CP >> >> On Wed, 2009-01-14 at 16:53 -0500, RPG wrote: >>> We have seen a few instances of favicon.ico's coming down as executable >>> files. 
>>> In all instances so far the server reports "404 Not Found"
>>> when the browser requests the favicon.ico file yet it serves this little
>>> binary instead
>>>
>>> DST: HTTP/1.1 404 Not Found
>>> DST: Content-Length: 17416
>>> DST: Content-Type: application/x-msdownload
>>> DST: Server: Microsoft-IIS/6.0
>>> DST: X-Powered-By: ASP.NET
>>> DST: Date: Wed, 14 Jan 2009 21:20:27 GMT
>>> DST:
>>> DST:
>>> MZ......................@...............................................!..L.!Th
>>>
>>> $ file favicon.ico
>>> favicon.ico: PE executable for MS Windows (DLL) (console) Intel 80386 32-bit
>>>
>>> $ md5sum favicon.ico
>>> 74e81a65879ffe881a7af525a0254ad8 favicon.ico
>>>
>>> Here's an example URL if you're curious:
>>> http://wwwDOTnjcarbuyerDOTcom/favicon.ico
>>> Download it safely and of course replace the DOT's. :)
>>>
>>> Virustotal comes up empty and so does threatexpert.com
>>> http://www.virustotal.com/analisis/4257c88c85ff4c4ef4fb495e06c7661a
>>> http://threatexpert.com/report.aspx?md5=74e81a65879ffe881a7af525a0254ad8
>>>
>>> Can someone shed light on this little mystery?
>>> TIA
>>>
>>> RPG
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Sun Jan 18 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 18 Jan 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090118210009.6AF3745026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Jan 18 16:00:09 2009 [***]

[+++] Added rules: [+++]
2009025 - ET TROJAN Vipdataend C&C Traffic - Checkin (variant 2) (emerging-virus.rules)
2009026 - ET TROJAN Vipdataend C&C Traffic - Status OK (variant 2) (emerging-virus.rules)
2009027 - ET MALWARE Suspicious User Agent (FileDownloader) (emerging-malware.rules)
2009028 - ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop (emerging-policy.rules)

[///] Modified active rules: [///]
2009021 - ET MALWARE Suspicious User Agent (IE_6.0) (emerging-malware.rules)
2009024 - ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting (emerging.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-sid-msg.map (5):
2009021 || ET MALWARE Suspicious User Agent (IE_6.0)
2009025 ||
ET TROJAN Vipdataend C&C Traffic - Checkin (variant 2)
2009026 || ET TROJAN Vipdataend C&C Traffic - Status OK (variant 2)
2009027 || ET MALWARE Suspicious User Agent (FileDownloader)
2009028 || ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop
-> Added to emerging-sid-msg.map.txt (5):
2009021 || ET MALWARE Suspicious User Agent (IE_6.0)
2009025 || ET TROJAN Vipdataend C&C Traffic - Checkin (variant 2)
2009026 || ET TROJAN Vipdataend C&C Traffic - Status OK (variant 2)
2009027 || ET MALWARE Suspicious User Agent (FileDownloader)
2009028 || ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop

[---] Removed non-rule lines: [---]
-> Removed from emerging-sid-msg.map (1):
2009021 || ET MALWARE Suspicious User Agent (IE_6.0) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html
-> Removed from emerging-sid-msg.map.txt (1):
2009021 || ET MALWARE Suspicious User Agent (IE_6.0) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html

From dxp2532 at gmail.com Sun Jan 18 23:24:42 2009
From: dxp2532 at gmail.com (dxp)
Date: Sun, 18 Jan 2009 23:24:42 -0500
Subject: [Emerging-Sigs] False Positive - ET MALWARE SOCKSv4 Inbound...
Message-ID: <1232339082.6545.36.camel@kinta>

Looks like a FP on 2003283 "ET MALWARE SOCKSv4 Inbound Connect Request (Linux Source)"

Here's the payload:

000 : 04 01 20 48 CD 8A B7 FE 10 7E 55 DD   .. H.....~U.

Destination was a user's workstation running Linux without any open ports.

According to one of the links in the sig "Simple extension to SOCKS 4 Protocol" the first 2 bytes match, however the last byte should be NULL which is not the case here.

- -=[ dxp ]=- 0xA3F3C6E3
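Added example for the FP report above, not code from the list or from the ET rule: a SOCKS4 request parser that decodes the 12-byte payload quoted in the report and shows why it fails the NUL-terminated USERID check dxp points to, beside a constructed well-formed request. The userid "bob" and the 192.0.2.10:80 target in the second sample are constructed values.

```python
"""Decode the payload from the FP report above as a SOCKS4 request and check
it against the protocol layout, next to a constructed well-formed request.

Added example, not code from the list or from the ET rule. SOCKS4 request
layout: VN (1 byte, 4), CD (1 byte, 1 = CONNECT, 2 = BIND), DSTPORT (2 bytes,
big-endian), DSTIP (4 bytes), USERID (variable) terminated by a NUL byte, so a
complete request always ends in 0x00. Sample values below are constructed.
"""
import struct

# The 12 bytes quoted in the report: "04 01 20 48 CD 8A B7 FE 10 7E 55 DD".
REPORTED_PAYLOAD = bytes.fromhex("04 01 20 48 CD 8A B7 FE 10 7E 55 DD")

# Constructed well-formed CONNECT to 192.0.2.10:80 (RFC 5737 documentation
# address) with userid "bob".
VALID_PAYLOAD = (b"\x04\x01" + struct.pack("!H", 80)
                 + bytes([192, 0, 2, 10]) + b"bob\x00")


def parse_socks4_request(payload: bytes) -> dict:
    """Return the decoded fields and a 'problems' list; an empty list means
    the bytes form a complete SOCKS4 request."""
    problems = []
    if len(payload) < 9:  # 8-byte fixed header plus at least the NUL
        return {"problems": ["shorter than header plus NUL terminator"]}
    vn, cd, port = struct.unpack("!BBH", payload[:4])
    ip = ".".join(str(b) for b in payload[4:8])
    if vn != 4:
        problems.append(f"VN is {vn}, expected 4")
    if cd not in (1, 2):
        problems.append(f"CD is {cd}, expected 1 (CONNECT) or 2 (BIND)")
    # USERID runs from offset 8 to the first NUL. A request with no NUL is
    # either truncated or, as in the report, not SOCKS at all: the first two
    # bytes happen to look right, which is all a short content match sees.
    nul = payload.find(b"\x00", 8)
    if nul == -1:
        problems.append("no NUL terminator after USERID "
                        f"(last byte is 0x{payload[-1]:02x})")
        userid = payload[8:]
    else:
        userid = payload[8:nul]
    return {"version": vn, "command": cd, "port": port, "ip": ip,
            "userid": userid, "problems": problems}


def looks_like_socks4(payload: bytes) -> bool:
    """The full-structure test a rule keyed on the leading bytes cannot make."""
    return not parse_socks4_request(payload)["problems"]


if __name__ == "__main__":
    for label, data in (("reported", REPORTED_PAYLOAD), ("valid", VALID_PAYLOAD)):
        print(label, parse_socks4_request(data))
```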
From signatures at stillsecure.com Mon Jan 19 07:36:45 2009
From: signatures at stillsecure.com (signatures)
Date: Mon, 19 Jan 2009 05:36:45 -0700
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - Jan-19-2009
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C291E@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. WEB-PHP cfagcms right.php title Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP cfagcms right.php title Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/right.php"; nocase; uricontent:"title="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,32851; reference:url,milw0rm.com/exploits/7483; sid:2008222; rev:1;)

2. WEB-PHP BloofoxCMS dialog.php lang parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BloofoxCMS dialog.php lang parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/dialogs/dialog.php?"; nocase; uricontent:"lang="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7580; reference:bugtraq,33013; sid:2008020; rev:1;)

3.
WEB-PHP BloofoxCMS dialog.php theme parameter Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BloofoxCMS dialog.php theme parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/dialogs/dialog.php?"; nocase; uricontent:"theme="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7580; reference:bugtraq,33013; sid:2008021; rev:1;)

4. WEB-ATTACKS Chilkat Socket Activex Remote Arbitrary File Overwrite 1

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Chilkat Socket Activex Remote Arbitrary File Overwrite 1"; content:"CLSID"; nocase; content:"3B598BD0-AF50-48C6-B6A5-63261A48B054"; nocase; distance:0; content:"SaveLastError"; nocase; classtype:web-application-attack; reference:bugtraq,32333; reference:url,milw0rm.com/exploits/7594; sid:2008025; rev:1;)

5. WEB-PHP eDreamers eDNews lg Parameter Local File Include

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP eDreamers eDNews lg Parameter Local File Include"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/eDNews_archive.php?"; nocase; uricontent:"lg="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7603; reference:bugtraq,33027; sid:2008026; rev:1;)

6. WEB-ATTACKS SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer Overflow

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; distance:0; content:"Get"; nocase; classtype:web-application-attack; reference:bugtraq,33053; reference:url,milw0rm.com/exploits/7617; sid:2008031; rev:1;)

7.
WEB-PHP Sepcity Lawyer Portal deptdisplay.asp ID parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Sepcity Lawyer Portal deptdisplay.asp ID parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/deptdisplay.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7610; reference:bugtraq,33040; sid:2008027; rev:1;)

8. WEB-PHP RealtyListings type.asp iType Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP RealtyListings type.asp iType Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/type.asp?"; nocase; uricontent:"iType="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33167/; reference:url,milw0rm.com/exploits/7464; sid:2008559; rev:1;)

9. WEB-PHP RealtyListings detail.asp iPro Parameter SQL Injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP RealtyListings detail.asp iPro Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/detail.asp?"; nocase; uricontent:"iPro="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33167/; reference:url,milw0rm.com/exploits/7464; sid:2008560; rev:1;)

10.
WEB-PHP PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/DB_adodb.class.php?"; nocase; uricontent:"PHPOF_INCLUDE_PATH="; nocase; pcre:"/PHPOF_INCLUDE_PATH=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,25541; sid:2008029; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure

From inittab at jtan.com Mon Jan 19 11:38:34 2009
From: inittab at jtan.com (RPG)
Date: Mon, 19 Jan 2009 11:38:34 -0500
Subject: [Emerging-Sigs] DNS single dot ddos amplifier
In-Reply-To: <9d6a1ae60901170323l2e0b2c3cwfacb21228993683e@mail.gmail.com>
References: <4970FFC5.6050501@jtan.com> <49711622.8040406@jtan.com> <1232150440.11912.3.camel@localhost> <20090116224617.bnh7ibv9eswcoo8s@mail.afferentsecurity.com> <9d6a1ae60901170323l2e0b2c3cwfacb21228993683e@mail.gmail.com>
Message-ID: <4974AC8A.9070404@jtan.com>

My proposed rule for this little nasty (see reference):

alert udp any any -> any 53 (
msg:"ET CURRENT_EVENTS NS query for a single dot, possible ddos amplifier";
content:"|00 00 02 00 01|";
threshold:type limit, track by_src, count 1, seconds 120;
classtype:attempted-dos;
reference:url,isc.sans.org/diary.html?storyid=5713;
sid:XXXXXXXXXXXXX;
rev:1;
)

From inittab at jtan.com Mon Jan 19 15:22:10 2009
From: inittab at jtan.com (RPG)
Date: Mon, 19 Jan 2009 15:22:10 -0500
Subject: [Emerging-Sigs] DNS single dot ddos amplifier
In-Reply-To: <4974AC8A.9070404@jtan.com>
References: <4970FFC5.6050501@jtan.com> <49711622.8040406@jtan.com> <1232150440.11912.3.camel@localhost>
 <20090116224617.bnh7ibv9eswcoo8s@mail.afferentsecurity.com> <9d6a1ae60901170323l2e0b2c3cwfacb21228993683e@mail.gmail.com> <4974AC8A.9070404@jtan.com>
Message-ID: <4974E0F2.2000005@jtan.com>

I've modified it a bit based on a few stray FP's; this works if you have a public facing DNS server.

alert udp any any -> $HOME_NET 53 (
msg:"ET CURRENT_EVENTS NS query for a single dot, possible ddos";
content:"|01 00 00 01 00 00 00 00 00 00 00 00 02 00 01|";
threshold:type limit, track by_src, count 1, seconds 120;
classtype:attempted-dos;
reference:url,isc.sans.org/diary.html?storyid=5713;
sid:XXXXXXXXXXXXXXX;
rev:2;
)

RPG wrote:
> My proposed rule for this little nasty (see reference)
>
> alert udp any any -> any 53 (
> msg:"ET CURRENT_EVENTS NS query for a single dot, possible ddos amplifier";
> content:"|00 00 02 00 01|";
> threshold:type limit, track by_src, count 1, seconds 120;
> classtype:attempted-dos;
> reference:url,isc.sans.org/diary.html?storyid=5713;
> sid:XXXXXXXXXXXXX;
> rev:1;
> )
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

From emerging at emergingthreats.net Mon Jan 19 16:00:08 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 19 Jan 2009 16:00:08 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090119210008.F2F3545026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Jan 19 16:00:08 2009 [***]

[*] Rules modifications: [*]
None.
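Added example, not code from the list, from Snort or from Emerging Threats, covering RPG's two versions of the single-dot NS query rule posted above and Matt's "404 Response with an EXE Attached" rule (sid 2009028) earlier in this archive: a minimal re-implementation of Snort's content/depth/distance matching, run over constructed DNS queries and HTTP responses, shows that the v1 content bytes fire on any NS query (the stray FPs) while v2 fires only on a query for the root, and how depth:24 and distance:0 pin the 404 status line and the MZ header. The transaction ID, example.com and the HTTP bodies are constructed sample data.

```python
"""Byte-level replay of two rules from this archive against constructed
traffic: RPG's single-dot NS query rule (v1 and v2) and Matt's
"404 Response with an EXE Attached" rule (sid 2009028).

Added example, not code from the list, from Snort or from Emerging Threats.
content_chain() is a minimal re-implementation of Snort's content / depth /
distance semantics, enough for these rules and nothing more; the transaction
ID, example.com and the HTTP bodies are constructed sample data.
"""
import struct


def content_chain(payload: bytes, chain) -> bool:
    """Evaluate (content, depth, distance) checks in order.
    depth: the match must lie entirely within the first N payload bytes.
    distance: the match must start at least N bytes after the end of the
    previous match (distance:0 = anywhere after it), which is how Snort
    relates successive content options."""
    cursor = 0
    for content, depth, distance in chain:
        if distance is not None:
            start, end = cursor + distance, len(payload)
        else:
            start, end = 0, (depth if depth is not None else len(payload))
        pos = payload.find(content, start, end)
        if pos == -1:
            return False
        cursor = pos + len(content)
    return True


def dns_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Standard recursive query: flags 0x0100, QDCOUNT 1, other counts 0.
    name "." encodes as a single zero-length label (the root)."""
    labels = [l for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


QTYPE_NS = 2

# v1: name terminator (00) + QTYPE NS (00 02) + QCLASS IN (00 01). Every
# name ends in a 00 byte, so this fires on any NS query, not just "." .
RULE_V1 = [(bytes.fromhex("00 00 02 00 01"), None, None)]
# v2: flags, QDCOUNT=1, AN/NS/ARCOUNT=0, then the root label and NS IN.
# Anchoring on the counts also pins ARCOUNT to 0, so a query that carries an
# EDNS0 OPT record falls outside what v2 matches; worth knowing when tuning.
RULE_V2 = [(bytes.fromhex("01 00 00 01 00 00 00 00 00 00 00 00 02 00 01"), None, None)]
# sid 2009028: the 24-byte 404 status line must sit at the very start
# (depth:24), then the header/body boundary followed by the MZ signature.
RULE_2009028 = [(b"HTTP/1.1 404 Not Found\r\n", 24, None),
                (b"\r\n\r\nMZ", None, 0)]

# Constructed samples.
ROOT_NS_QUERY = dns_query(".", QTYPE_NS)               # the amplifier probe
NORMAL_NS_QUERY = dns_query("example.com", QTYPE_NS)   # an ordinary NS lookup
EXE_404 = (b"HTTP/1.1 404 Not Found\r\n"
           b"Content-Type: application/x-msdownload\r\n"
           b"Server: Microsoft-IIS/6.0\r\n\r\n"
           b"MZ\x90\x00" + b"\x00" * 60)                # PE header stub
HTML_404 = (b"HTTP/1.1 404 Not Found\r\n"
            b"Content-Type: text/html\r\n\r\n"
            b"<html><body>Not Found</body></html>")


def summary() -> dict:
    """Which sample each rule fires on; v1_normal is the false positive
    that prompted the revision."""
    return {
        "v1_root": content_chain(ROOT_NS_QUERY, RULE_V1),
        "v1_normal": content_chain(NORMAL_NS_QUERY, RULE_V1),
        "v2_root": content_chain(ROOT_NS_QUERY, RULE_V2),
        "v2_normal": content_chain(NORMAL_NS_QUERY, RULE_V2),
        "exe_404": content_chain(EXE_404, RULE_2009028),
        "html_404": content_chain(HTML_404, RULE_2009028),
    }


if __name__ == "__main__":
    for check, fired in summary().items():
        print(f"{check}: {'ALERT' if fired else 'no match'}")
```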
[+++] Added non-rule lines: [+++]
-> Added to emerging-sid-msg.map (2):
2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510076 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
-> Added to emerging-sid-msg.map.txt (2):
2500076 || ET COMPROMISED Known Compromised or Hostile Host Traffic (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510076 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (77) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From pepperjack at afferentsecurity.com Mon Jan 19 23:17:50 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Mon, 19 Jan 2009 22:17:50 -0600
Subject: [Emerging-Sigs] conficker domain rules
Message-ID: <20090119221750.tv2ftz27408wswks@mail.afferentsecurity.com>

The previous conficker domain ruleset was 3750 rules. That seemed a bit much. I have created an alternate "regex from hell" version that uses PCRE to map the same 3750 domains into just 56 rules (at the price of some serious PCRE hashing). You do what works for you.

Detailed rules: http://www.autoshun.org/downloads/conficker.rules

PCRE based rules: http://www.autoshun.org/downloads/rconficker.rules

Don't load them both, that's just pointless.

jp

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From jonkman at jonkmans.com Tue Jan 20 00:52:04 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 20 Jan 2009 00:52:04 -0500
Subject: [Emerging-Sigs] conficker domain rules
In-Reply-To: <20090119221750.tv2ftz27408wswks@mail.afferentsecurity.com>
References: <20090119221750.tv2ftz27408wswks@mail.afferentsecurity.com>
Message-ID: <49756684.8090304@jonkmans.com>

Great rules Jack.
Surely useful, but I'd rather keep them out of the ruleset for the time being. They'll come and go quickly. :)

Matt

Jack Pepper wrote:
> The previous conficker domain ruleset was 3750 rules. that seemed a
> bit much. I have created an alternate "regex from hell" version that
> uses PCRE to map the same 3750 domains into just 56 rules (at the
> price of some serious PCRE hashing). You do what works for you.
>
> Detailed rules: http://www.autoshun.org/downloads/conficker.rules
>
> PCRE based rules: http://www.autoshun.org/downloads/rconficker.rules
>
> don't load them both, that's just pointless.
>
>
>
> jp
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Tue Jan 20 01:09:45 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 20 Jan 2009 01:09:45 -0500
Subject: [Emerging-Sigs] DNS single dot ddos amplifier
In-Reply-To: <4974E0F2.2000005@jtan.com>
References: <4970FFC5.6050501@jtan.com> <49711622.8040406@jtan.com> <1232150440.11912.3.camel@localhost> <20090116224617.bnh7ibv9eswcoo8s@mail.afferentsecurity.com> <9d6a1ae60901170323l2e0b2c3cwfacb21228993683e@mail.gmail.com> <4974AC8A.9070404@jtan.com> <4974E0F2.2000005@jtan.com>
Message-ID: <49756AA9.9000400@jonkmans.com>

Looks very interesting RPG. Thanks for the effort. Posting it now.

Matt

RPG wrote:
> I've modified it a bit based on few stray FP's , this works if you have
> a public facing DNS server.
>
> alert udp any any -> $HOME_NET 53 (
> msg:"ET CURRENT_EVENTS NS query for a single dot, possible ddos";
> content:"|01 00 00 01 00 00 00 00 00 00 00 00 02 00 01|";
> threshold:type limit, track by_src, count 1, seconds 120;
> classtype:attempted-dos;
> reference:url,isc.sans.org/diary.html?storyid=5713;
> sid:XXXXXXXXXXXXXXX;
> rev:2;
> )
>
>
> RPG wrote:
>> My proposed rule for this little nasty (see reference)
>>
>> alert udp any any -> any 53 (
>> msg:"ET CURRENT_EVENTS NS query for a single dot, possible ddos amplifier";
>> content:"|00 00 02 00 01|";
>> threshold:type limit, track by_src, count 1, seconds 120;
>> classtype:attempted-dos;
>> reference:url,isc.sans.org/diary.html?storyid=5713;
>> sid:XXXXXXXXXXXXX;
>> rev:1;
>> )
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From inittab at jtan.com Tue Jan 20 07:55:50 2009
From: inittab at jtan.com (RPG)
Date: Tue, 20 Jan 2009 07:55:50 -0500
Subject: [Emerging-Sigs] conficker domain rules
In-Reply-To: <49756684.8090304@jonkmans.com>
References: <20090119221750.tv2ftz27408wswks@mail.afferentsecurity.com> <49756684.8090304@jonkmans.com>
Message-ID: <4975C9D6.9020500@jtan.com>

I just cycled through each one looking for A records but none are alive. Does anyone know of a quick or bulk method of checking the whois on each of these? Any method I have is very clunky. TIA

Matt Jonkman wrote:
> Great rules Jack.
> Surely useful, but I'd rather keep them out of the
> ruleset for the time being. They'll come and go quickly. :)
>
> Matt
>
> Jack Pepper wrote:
>> The previous conficker domain ruleset was 3750 rules. that seemed a
>> bit much. I have created an alternate "regex from hell" version that
>> uses PCRE to map the same 3750 domains into just 56 rules (at the
>> price of some serious PCRE hashing). You do what works for you.
>>
>> Detailed rules: http://www.autoshun.org/downloads/conficker.rules
>>
>> PCRE based rules: http://www.autoshun.org/downloads/rconficker.rules
>>
>> don't load them both, that's just pointless.
>>
>>
>>
>> jp
>>
>

From pepperjack at afferentsecurity.com Tue Jan 20 09:13:14 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Tue, 20 Jan 2009 08:13:14 -0600
Subject: [Emerging-Sigs] conficker domain rules
In-Reply-To: <4975C9D6.9020500@jtan.com>
References: <20090119221750.tv2ftz27408wswks@mail.afferentsecurity.com> <49756684.8090304@jonkmans.com> <4975C9D6.9020500@jtan.com>
Message-ID: <20090120081314.fkvw54do5c80c0gk@mail.afferentsecurity.com>

Quoting RPG :

> I just cycled through each one looking for A records but none are alive.
> Does anyone know of a quick or bulk method of checking the whois on
> each of these? Any method I have is very clunky. TIA

Each domain is only going to show up for 24 hours, then it's gone. I am working on a way to make the list "roll along" day to day with the active domain list. If I can get it down to 1000 domains in a rolling window, that would be good. The current ruleset is based on the generated names from Jan 17th - Jan 31st.

jp

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From pepperjack at afferentsecurity.com Tue Jan 20 09:14:24 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Tue, 20 Jan 2009 08:14:24 -0600
Subject: [Emerging-Sigs] conficker domain rules
In-Reply-To: <49756684.8090304@jonkmans.com>
References: <20090119221750.tv2ftz27408wswks@mail.afferentsecurity.com> <49756684.8090304@jonkmans.com>
Message-ID: <20090120081424.z78loxbtw0gk4oo0@mail.afferentsecurity.com>

Quoting Matt Jonkman :

> Great rules Jack. Surely useful, but I'd rather keep them out of the
> ruleset for the time being. They'll come and go quickly. :)

They are definitely a moving target.

jp

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From emerging at emergingthreats.net Tue Jan 20 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 20 Jan 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090120210009.9E4F645026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue Jan 20 16:00:09 2009 [***]

[+++] Added rules: [+++]
2009029 - ET WEB SQL Injection Attempt (Agent NV32ts) (emerging-web.rules)
2009030 - ET CURRENT_EVENTS NS query for a single dot, possible ddos (emerging.rules)
2009031 - ET TROJAN Possible Armitage Loader Request (emerging-virus.rules)
2009032 - ET TROJAN Armitage Exploit Request (emerging-virus.rules)
2009033 - ET POLICY Suspicious Executable (PE under 128) (emerging-policy.rules)
2009034 - ET POLICY Suspicious Executable (PE offset 160) (emerging-policy.rules)
2009035 - ET POLICY Suspicious Executable (PE offset 512) (emerging-policy.rules)
2406213 - ET RBN Known Russian Business Network Monitored Domains (214)
(emerging-rbn.rules)
2407213 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (214) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]
(150) (emerging-rbn.rules) 2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules) 2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules) 2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules) 2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules) 2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules) 2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules) 2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules) 2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules) 2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules) 2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules) 2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules) 2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules) 2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules) 2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules) 2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules) 2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules) 2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules) 2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules) 2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules) 2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules) 2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules) 2406171 - ET RBN 
Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules) 2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules) 2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules) 2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules) 2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules) 2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules) 2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules) 2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules) 2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules) 2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules) 2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules) 2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules) 2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules) 2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules) 2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules) 2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules) 2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules) 2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules) 2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules) 2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules) 2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules) 2406192 - ET RBN Known Russian Business Network Monitored 
Domains (193) (emerging-rbn.rules) 2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules) 2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules) 2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules) 2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules) 2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules) 2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules) 2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules) 2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules) 2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules) 2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules) 2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules) 2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules) 2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules) 2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules) 2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules) 2406208 - ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules) 2406209 - ET RBN Known Russian Business Network Monitored Domains (210) (emerging-rbn.rules) 2406210 - ET RBN Known Russian Business Network Monitored Domains (211) (emerging-rbn.rules) 2406211 - ET RBN Known Russian Business Network Monitored Domains (212) (emerging-rbn.rules) 2406212 - ET RBN Known Russian Business Network Monitored Domains (213) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) 
(emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN 
Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) 
(emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) 
(emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) 
(emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) 
(emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules) 2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) (emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules) 2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) (emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) 
(emerging-rbn-BLOCK.rules)
2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules)
2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules)
2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules)
2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules)
2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules)
2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules)
2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) (emerging-rbn-BLOCK.rules)
2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules)
2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) (emerging-rbn-BLOCK.rules)
2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules)
2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules)
2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules)
2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules)
2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) (emerging-rbn-BLOCK.rules)
2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules)
2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules)
2407199 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) (emerging-rbn-BLOCK.rules)
2407200 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) (emerging-rbn-BLOCK.rules)
2407201 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) (emerging-rbn-BLOCK.rules)
2407202 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) (emerging-rbn-BLOCK.rules)
2407203 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) (emerging-rbn-BLOCK.rules)
2407204 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) (emerging-rbn-BLOCK.rules)
2407205 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) (emerging-rbn-BLOCK.rules)
2407206 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) (emerging-rbn-BLOCK.rules)
2407207 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) (emerging-rbn-BLOCK.rules)
2407208 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) (emerging-rbn-BLOCK.rules)
2407209 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (210) (emerging-rbn-BLOCK.rules)
2407210 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (211) (emerging-rbn-BLOCK.rules)
2407211 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (212) (emerging-rbn-BLOCK.rules)
2407212 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (213) (emerging-rbn-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-policy.rules (1):
#by dxp

-> Added to emerging-rbn-BLOCK.rules (2):
# VERSION 107
# Updated 2009-01-20 00:22:00

-> Added to emerging-rbn.rules (2):
# VERSION 107
# Updated 2009-01-20 00:22:00

-> Added to emerging-sid-msg.map (11):
2009029 || ET WEB SQL Injection Attempt (Agent NV32ts)
2009030 || ET CURRENT_EVENTS NS query for a single dot, possible ddos || url,isc.sans.org/diary.html?storyid=5713
2009031 || ET TROJAN Possible Armitage Loader Request
2009032 || ET TROJAN Armitage Exploit Request
2009033 || ET POLICY Suspicious Executable (PE under 128)
2009034 || ET POLICY Suspicious Executable (PE offset 160)
2009035 || ET POLICY Suspicious Executable (PE offset 512)
2406213 || ET RBN Known Russian Business Network Monitored Domains (214) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407213 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2500077 || ET COMPROMISED Known Compromised or Hostile Host Traffic (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510077 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (11):
2009029 || ET WEB SQL Injection Attempt (Agent NV32ts)
2009030 || ET CURRENT_EVENTS NS query for a single dot, possible ddos || url,isc.sans.org/diary.html?storyid=5713
2009031 || ET TROJAN Possible Armitage Loader Request
2009032 || ET TROJAN Armitage Exploit Request
2009033 || ET POLICY Suspicious Executable (PE under 128)
2009034 || ET POLICY Suspicious Executable (PE offset 160)
2009035 || ET POLICY Suspicious Executable (PE offset 512)
2406213 || ET RBN Known Russian Business Network Monitored Domains (214) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407213 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (214) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2500077 || ET COMPROMISED Known Compromised or Hostile Host Traffic (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510077 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (78) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-virus.rules (1):
#by dxp

-> Added to emerging-web.rules (1):
# By Frank Knobbe

-> Added to emerging.rules (1):
#by RPG

[---] Removed non-rule lines: [---]

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 106
# Updated 2009-01-17 10:28:54

-> Removed from emerging-rbn.rules (2):
# VERSION 106
# Updated 2009-01-17 10:28:54

From emerging at emergingthreats.net Wed Jan 21 16:00:09 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 21 Jan 2009 16:00:09 -0500 (EST)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090121210009.7727F45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Jan 21 16:00:09 2009 [***]

[+++] Added rules: [+++]
2009036 - ET TROJAN Armitage Loader Check-in (emerging-virus.rules)

[///] Modified active rules: [///]
2009031 - ET TROJAN Possible Armitage Loader Request (emerging-virus.rules)
2009032 - ET TROJAN Armitage Exploit Request (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (1):
2009036 || ET TROJAN Armitage Loader Check-in

-> Added to emerging-sid-msg.map.txt (1):
2009036 || ET TROJAN Armitage Loader Check-in

From famousjs at gmail.com Wed Jan 21 17:08:17 2009
From: famousjs at gmail.com (Josh Smith)
Date: Wed, 21 Jan 2009 17:08:17 -0500
Subject: [Emerging-Sigs] Binary Packer Signatures
Message-ID: 

I've been working (when I can get the chance from school) in my spare time on converting the PEiD packer database straight to Snort signatures. I've refined them to specific byte patterns, but when I tested a pcap of a transferred binary packed with UPX, about 10 signatures fired off. There are a little over 1800 signatures that I have converted, but I feel they still need refining to reduce false positives. Attached is the Snort signature database I have made, along with my PEiD database.
-Josh Smith
-------------- next part --------------
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[!EP (ExE Pack) V1.0 -> Elite Coding Group] binary file"; flow:established,to_server; content: "|6068|";content: "|B8|"; distance: 4; within: 1;content: "|FF10|"; distance: 3; within: 2;sid: 20091; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[!EPack 1.4 lite (final) - by 6aHguT] binary file"; flow:established,to_server; content: "|33C08BC068|";content: "|68|"; distance: 7; within: 1;content: "|E8|"; distance: 3; within: 1;sid: 20092; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[$pirit v1.5] binary file"; flow:established,to_server; content: "|5B24555044FB322E315D|";sid: 20093; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[$PIRIT v1.5] binary file"; flow:established,to_server; content: "|B44DCD21E8|";content: "|FDE8|"; distance: 6; within: 2;content: "|B451CD21|"; distance: 3; within: 4;sid: 20094; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 --> Anorganix] binary file"; flow:established,to_server; content: "|9090909068|";content: "|6764FF360000676489260000F190909090|"; distance: 7; within: 17;sid: 20095; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [32Lite 0.03] --> Anorganix] binary file"; flow:established,to_server; content: "|6006FC1E07BE909090906A04689010909068|";content: "|E9|"; distance: 20; within: 1;sid: 20096; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [ACProtect 1.09] --> Anorganix] binary file"; flow:established,to_server; content: "|6090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090EB02000090909004909090909090909090909090909090909090909090|";sid: 20097; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Armadillo 3.00] --> Anorganix] binary file"; flow:established,to_server; content: "|60E82A0000005D5051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE959585051EB85E9|";sid: 20098; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [ASPack 2.xx Heuristic] --> Anorganix] binary file"; flow:established,to_server; content: "|9090909068|";content: "|6764FF360000676489260000F190909090A8030000617508B801000000C20C006800000000C38B85260400008D8D3B0400005150FF95|"; distance: 7; within: 54;sid: 20099; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [ASProtect] --> Anorganix] binary file"; flow:established,to_server; content: "|609090909090905D909090909090909090909003DDE9|";sid: 200910; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Borland Delphi 3.0] --> Anorganix] binary file"; flow:established,to_server; content: "|558BEC83C49090909068|";content: "|9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090|"; distance: 12; within: 71;sid: 200911; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Borland Delphi 5.0 KOL/MCK] --> Anorganix] binary file"; flow:established,to_server; content: "|558BEC9090909068|";content: "|9090909090909090909090909090909090909090909090909090909000FF90909090909090900001909090909090909090EB0400000001909090909090900001909090909090909090|"; distance: 10; within: 73;sid: 200912; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Borland Delphi 6.0 - 7.0] --> Anorganix] binary file"; flow:established,to_server; content: "|9090909068|";content: "|6764FF360000676489260000F190909090538BD833C0A3090909006A00E8090900FFA309090900A109090900A30909090033C0A30909090033C0A309090900E8|"; distance: 7; within: 64;sid: 200913; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [CD-Cops II] --> Anorganix] binary file"; flow:established,to_server; content: "|5360BD909090908D45908D5D90E8000000008D01E9|";sid: 200914; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Code-Lock] --> Anorganix] binary file"; flow:established,to_server; content: "|434F44452D4C4F434B2E4F435800012801504B47054C3FB4044D4C474BE9|";sid: 200915; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [CodeSafe 2.0] --> Anorganix] binary file"; flow:established,to_server; content: "|90909090909090909090909090909090909090909090EB0B83EC10535657E8C4010085E9|";sid: 200916; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Crunch/PE Heuristic] --> Anorganix] binary file"; flow:established,to_server; content: "|55E80E0000005D83ED068BC5556089AD|";content: "|2B8500000000E9|"; distance: 18; within: 7;sid: 200917; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [DEF 1.0] --> Anorganix] binary file"; flow:established,to_server; content: "|BE000140006A0559807E070074118B46909090909090909090909090909090909083C101E9|";sid: 200918; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [DxPack 1.0] --> Anorganix] binary file"; flow:established,to_server; content: "|60E8000000005D8BFD81ED909090902BB90000000081EF9090909083BD90909090900F8400000000E9|";sid: 200919; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [ExeSmasher] --> Anorganix] binary file"; flow:established,to_server; content: "|9CFE039060BE909041908DBE9010FFFF5783CDFFEB1090909090909090909090909090909090FE0BE9|";sid: 200920; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [FSG 1.0] --> Anorganix] binary file"; flow:established,to_server; content: "|9090909068|";content: "|6764FF360000676489260000F190909090BBD0014000BF00104000BE9090909053E80A00000002D275058A164612D2C3FCB280A46A025BE9|"; distance: 7; within: 56;sid: 200921; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [FSG 1.31] --> Anorganix] binary file"; flow:established,to_server; content: "|BE90909000BF90909000BB9090900053BB90909000B280E9|";sid: 200922; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Gleam 1.00] --> Anorganix] binary file"; flow:established,to_server; content: "|90909090909090909090909090909090909090909090EB0B83EC0C535657E8240200FFE9|";sid: 200923; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [JDPack 1.x / JDProtect 0.9] --> Anorganix] binary file"; flow:established,to_server; content: "|60E8220000005D8BD581ED909090902B959090909081EA0690909089959090909083BD4500010001E9|";sid: 200924; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [LCC Win32 1.x] --> Anorganix] binary file"; flow:established,to_server; content: "|64A1010000005589E56AFF68|";content: "|689A10409050E9|"; distance: 14; within: 7;sid: 200925; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [LCC Win32 DLL] --> Anorganix] binary file"; flow:established,to_server; content: "|5589E5535657837D0C017505E817909090FF7510FF750CFF7508A1|";content: "|E9|"; distance: 29; within: 1;sid: 200926; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Lockless Intro Pack] --> Anorganix] binary file"; flow:established,to_server; content: "|2CE8EB1A90905D8BC581EDF67390902B859090909083E8068985FF01ECADE9|";sid: 200927; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [LTC 1.3] --> Anorganix] binary file"; flow:established,to_server; content: "|54E8000000005D8BC581EDF67340002B858775400083E806E9|";sid: 200928; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Macromedia Flash Projector 6.0] --> Anorganix] binary file"; flow:established,to_server; content: "|9090909068|";content: "|6764FF360000676489260000F19090909083EC4456FF15248149008BF08A063C22751C8A4601463C22740C84C074088A4601463C2275F4803E22750F46EB0CE9|"; distance: 7; within: 64;sid: 200929; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [MEW 11 SE 1.0] --> Anorganix] binary file"; flow:established,to_server; content: "|E909000000000000020000000C90E9|";sid: 200930; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Microsoft Visual Basic 5.0 - 6.0] --> Anorganix] binary file"; flow:established,to_server; content: "|68|";content: "|E80A00000000000000000030000000E9|"; distance: 3; within: 16;sid: 200931; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Microsoft Visual Basic 6.0 DLL] --> Anorganix] binary file"; flow:established,to_server; content: "|9090909068|";content: "|6764FF360000676489260000F1909090905A6890909090689090909052E99090FF|"; distance: 7; within: 33;sid: 200932; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Microsoft Visual C++ 5.0+ (MFC)] --> Anorganix] binary file"; flow:established,to_server; content: "|558BEC6AFF68|";content: "|68|"; distance: 8; within: 1;content: "|64A10000000050E9|"; distance: 3; within: 8;sid: 200933; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Microsoft Visual C++ 6.0 (Debug Version)] --> Anorganix] binary file"; flow:established,to_server; content: "|558BEC5190909001019090909068|";content: "|90909090909090909090909000019090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909000019090909090|"; distance: 16; within: 67;sid: 200934; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Microsoft Visual C++ 6.20] --> Anorganix] binary file"; flow:established,to_server; content: "|9090909068|";content: "|6764FF360000676489260000F190909090558BEC83EC50535657BE909090908D7DF4A5A566A58B|"; distance: 7; within: 39;sid: 200935; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Microsoft Visual C++ 7.0 DLL] --> Anorganix] binary file"; flow:established,to_server; content: "|558D6C010081EC000000008B459083F801560F840000000085C00F84|";content: "|E9|"; distance: 30; within: 1;sid: 200936; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [MinGW GCC 2.x] --> Anorganix] binary file"; flow:established,to_server; content: "|5589E5E802000000C9C39090455845E9|";sid: 200937; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Morphine 1.2] --> Anorganix] binary file"; flow:established,to_server; content: "|90909090909090909090909090909090EB06009090909090909090EB08E890000000669090909090909090909090909090909090909090909090909090909090516690909059909090909090909090909090909090|";sid: 200938; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Neolite 2.0] --> Anorganix] binary file"; flow:established,to_server; content: "|E9A60000009090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090|";sid: 200939; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [NorthStar PE Shrinker 1.3] --> Anorganix] binary file"; flow:established,to_server; content: "|9C60E8000000005DB8B38540002DAC8540002BE88DB500000000E9|";sid: 200940; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Pack Master 1.0 (PEX Clone)] --> Anorganix] binary file"; flow:established,to_server; content: "|60E801010000E883C404E801909090E95D81EDD3224090E804029090E8EB08EB02CD20FF24249A66BE4746909090909090909090909090909090909090909090909090909090909090909090909090909090909090|";sid: 200941; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [PE Intro 1.0] --> Anorganix] binary file"; flow:established,to_server; content: "|8B04249C60E8140000005D81ED0A45409080BD67444090900F8548FFED0AE9|";sid: 200942; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [PE Pack 0.99] --> Anorganix] binary file"; flow:established,to_server; content: "|60E8110000005D83ED0680BDE0049090010F84F2FFCC0AE9|";sid: 200943; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [PE Protect 0.9] --> Anorganix] binary file"; flow:established,to_server; content: "|525155576467A1300085C0780DE8070000005883C007C690C3E9|";sid: 200944; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [PECompact 1.4+] --> Anorganix] binary file"; flow:established,to_server; content: "|9090909068|";content: "|6764FF360000676489260000F190909090EB066890909090C39C60E80290909033C08BC483C004938BE38B5BFC81|"; distance: 7; within: 46;sid: 200945; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [PENightMare 2 Beta] --> Anorganix] binary file"; flow:established,to_server; content: "|60E910000000EF4003A7078F071C375D43A704B92C3AE9|";sid: 200946; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [PENinja 1.31] --> Anorganix] binary file"; flow:established,to_server; content: "|909090909090909090909090909090909090909090909090909090909090909090909090E9|";sid: 200947; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [PESHiELD 0.25] --> Anorganix] binary file"; flow:established,to_server; content: "|60E82B0000009090909090909090909090909090909090909090909090909090909090909090909090909090909090CCCCE9|";sid: 200948; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [PEtite 2.x (level 0)] --> Anorganix] binary file"; flow:established,to_server; content: "|9090909068|";content: "|6764FF360000676489260000F190909090B8009090006A00689090900064FF350000000064892500000000669C60508BD8030068|"; distance: 7; within: 52;sid: 200949; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [PEX 0.99] --> Anorganix] binary file"; flow:established,to_server; content: "|60E8010000005583C404E801000000905D81FFFFFF0001E9|";sid: 200950; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [REALBasic] --> Anorganix] binary file"; flow:established,to_server; content: "|5589E5909090909090909090905090909090900001E9|";sid: 200951; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Ste@lth PE 1.01] --> Anorganix] binary file"; flow:established,to_server; content: "|0BC00BC00BC00BC00BC00BC00BC00BC0BA|";content: "|FFE2BAE0104000B868241A40890283C203B84000E8EE890283C2FDFFE22D3D5B20486964655045205D3D2D90000000|"; distance: 19; within: 47;sid: 200952; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [UPX 0.6] --> Anorganix] binary file"; flow:established,to_server; content: "|60E8000000005883E83D508DB8000000FF578DB0E8000000E9|";sid: 200953; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [VBOX 4.3 MTE] --> Anorganix] binary file"; flow:established,to_server; content: "|0BC00BC00BC00BC00BC00BC00BC00BC0E9|";sid: 200954; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Video-Lan-Client] --> Anorganix] binary file"; flow:established,to_server; content: "|5589E583EC08909090909090909090909090909001FFFF0101010001909090909090909090909090909000010001000190900001E9|";sid: 200955; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [VOB ProtectCD 5] --> Anorganix] binary file"; flow:established,to_server; content: "|363E268AC060E800000000E9|";sid: 200956; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [WATCOM C/C++ EXE] --> Anorganix] binary file"; flow:established,to_server; content: "|E900000000909090905741E9|";sid: 200957; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [XCR 0.11] --> Anorganix] binary file"; flow:established,to_server; content: "|608BF033DB83C30183C001E9|";sid: 200958; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.1 [Yoda's Protector 1.02] --> Anorganix] binary file"; flow:established,to_server; content: "|E803000000EB019090E9|";sid: 200959; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [.BJFNT 1.1b] --> Anorganix] binary file"; flow:established,to_server; content: "|EB01EA9CEB01EA53EB01EA51EB01EA52EB01EA5690|";sid: 200960; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [.BJFNT 1.2] --> Anorganix] binary file"; flow:established,to_server; content: "|EB0269B183EC04EB03CD20EBEB01EB9CEB01EBEB00|";sid: 200961; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [32Lite 0.03] --> Anorganix] binary file"; flow:established,to_server; content: "|6006FC1E07BE909090906A04689010909068|";sid: 200962; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Armadillo 3.00] --> Anorganix] binary file"; flow:established,to_server; content: "|60E82A0000005D5051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE959585051EB85|";sid: 200963; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [ASProtect] --> Anorganix] binary file"; flow:established,to_server; content: "|609090909090905D909090909090909090909003DD|";sid: 200964; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Borland C++ 1999] --> Anorganix] binary file"; flow:established,to_server; content: "|EB1066623A432B2B484F4F4B90E990909090A1|";content: "|A3|"; distance: 21; within: 1;sid: 200965; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Borland C++ DLL (Method 2)] --> Anorganix] binary file"; flow:established,to_server; content: "|EB1066623A432B2B484F4F4B90E990909090|";sid: 200966; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Borland Delphi DLL] --> Anorganix] binary file"; flow:established,to_server; content: "|558BEC83C4B4B890909090E800000000E8000000008D4000|";sid: 200967; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Borland Delphi Setup Module] --> Anorganix] binary file"; flow:established,to_server; content: "|558BEC83C49053565733C08945F08945D48945D0E800000000|";sid: 200968; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [CD-Cops II] --> Anorganix] binary file"; flow:established,to_server; content: "|5360BD909090908D45908D5D90E8000000008D01|";sid: 200969; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Code-Lock] --> Anorganix] binary file"; flow:established,to_server; content: "|434F44452D4C4F434B2E4F435800012801504B47054C3FB4044D4C474B|";sid: 200970; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [CodeSafe 2.0] --> Anorganix] binary file"; flow:established,to_server; content: "|90909090909090909090909090909090909090909090EB0B83EC10535657E8C4010085|";sid: 200971; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Crunch/PE Heuristic] --> Anorganix] binary file"; flow:established,to_server; content: "|55E80E0000005D83ED068BC5556089AD|";content: "|2B8500000000|"; distance: 18; within: 6;sid: 200972; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [DEF 1.0] --> Anorganix] binary file"; flow:established,to_server; content: "|BE000140006A0559807E070074118B46909090909090909090909090909090909083C101|";sid: 200973; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [DxPack 1.0] --> Anorganix] binary file"; flow:established,to_server; content: "|60E8000000005D8BFD81ED909090902BB90000000081EF9090909083BD90909090900F8400000000|";sid: 200974; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [ExeSmasher] --> Anorganix] binary file"; flow:established,to_server; content: "|9CFE039060BE909041908DBE9010FFFF5783CDFFEB1090909090909090909090909090909090FE0B|";sid: 200975; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [FSG 1.0] --> Anorganix] binary file"; flow:established,to_server; content: "|9090909068|";content: "|6764FF360000676489260000F190909090BBD0014000BF00104000BE9090909053E80A00000002D275058A164612D2C3FCB280A46A025B|"; distance: 7; within: 55;sid: 200976; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [FSG 1.31] --> Anorganix] binary file"; flow:established,to_server; content: "|BE90909000BF90909000BB9090900053BB90909000B280|";sid: 200977; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Gleam 1.00] --> Anorganix] binary file"; flow:established,to_server; content: "|90909090909090909090909090909090909090909090EB0B83EC0C535657E8240200FF|";sid: 200978; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [JDPack 1.x / JDProtect 0.9] --> Anorganix] binary file"; flow:established,to_server; content: "|60E8220000005D8BD581ED909090902B959090909081EA0690909089959090909083BD4500010001|";sid: 200979; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [LCC Win32 1.x] --> Anorganix] binary file"; flow:established,to_server; content: "|64A1010000005589E56AFF68|";content: "|689A10409050|"; distance: 14; within: 6;sid: 200980; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [LCC Win32 DLL] --> Anorganix] binary file"; flow:established,to_server; content: "|5589E5535657837D0C017505E817909090FF7510FF750CFF7508A1|";sid: 200981; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Lockless Intro Pack] --> Anorganix] binary file"; flow:established,to_server; content: "|2CE8EB1A90905D8BC581EDF67390902B859090909083E8068985FF01ECAD|";sid: 200982; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Macromedia Flash Projector 6.0] --> Anorganix] binary file"; flow:established,to_server; content: "|9090909068|";content: "|6764FF360000676489260000F19090909083EC4456FF15248149008BF08A063C22751C8A4601463C22740C84C074088A4601463C2275F4803E22750F46EB0C|"; distance: 7; within: 63;sid: 200983; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [MEW 11 SE 1.0] --> Anorganix] binary file"; flow:established,to_server; content: "|E909000000000000020000000C90|";sid: 200984; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Microsoft Visual Basic 5.0 - 6.0] --> Anorganix] binary file"; flow:established,to_server; content: "|68|";content: "|E80A00000000000000000030000000|"; distance: 3; within: 15;sid: 200985; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Microsoft Visual C++ 7.0 DLL] --> Anorganix] binary file"; flow:established,to_server; content: "|558D6C010081EC000000008B459083F801560F840000000085C00F84|";sid: 200986; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [MinGW GCC 2.x] --> Anorganix] binary file"; flow:established,to_server; content: "|5589E5E802000000C9C39090455845|";sid: 200987; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [NorthStar PE Shrinker 1.3] --> Anorganix] binary file"; flow:established,to_server; content: "|9C60E8000000005DB8B38540002DAC8540002BE88DB500000000|";sid: 200988; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [PE Intro 1.0] --> Anorganix] binary file"; flow:established,to_server; content: "|8B04249C60E8140000005D81ED0A45409080BD67444090900F8548FFED0A|";sid: 200989; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [PE Pack 0.99] --> Anorganix] binary file"; flow:established,to_server; content: "|60E8110000005D83ED0680BDE0049090010F84F2FFCC0A|";sid: 200990; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [PE Protect 0.9] --> Anorganix] binary file"; flow:established,to_server; content: "|525155576467A1300085C0780DE8070000005883C007C690C3|";sid: 200991; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [PENightMare 2 Beta] --> Anorganix] binary file"; flow:established,to_server; content: "|60E910000000EF4003A7078F071C375D43A704B92C3A|";sid: 200992; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [PESHiELD 0.25] --> Anorganix] binary file"; flow:established,to_server; content: "|60E82B0000009090909090909090909090909090909090909090909090909090909090909090909090909090909090CCCC|";sid: 200993; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [PEX 0.99] --> Anorganix] binary file"; flow:established,to_server; content: "|60E8010000005583C404E801000000905D81FFFFFF0001|";sid: 200994; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [REALBasic] --> Anorganix] binary file"; flow:established,to_server; content: "|5589E5909090909090909090905090909090900001|";sid: 200995; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [UPX 0.6] --> Anorganix] binary file"; flow:established,to_server; content: "|60E8000000005883E83D508DB8000000FF578DB0E8000000|";sid: 200996; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [VBOX 4.3 MTE] --> Anorganix] binary file"; flow:established,to_server; content: "|0BC00BC00BC00BC00BC00BC00BC00BC0|";sid: 200997; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Video-Lan-Client] --> Anorganix] binary file"; flow:established,to_server; content: "|5589E583EC08909090909090909090909090909001FFFF0101010001909090909090909090909090909000010001000190900001|";sid: 200998; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [VOB ProtectCD 5] --> Anorganix] binary file"; flow:established,to_server; content: "|363E268AC060E800000000|";sid: 200999; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Watcom C/C++ DLL] --> Anorganix] binary file"; flow:established,to_server; content: "|535657558B7424148B7C24188B6C241C83FF030F8701000000F1|";sid: 2009100; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [WATCOM C/C++ EXE] --> Anorganix] binary file"; flow:established,to_server; content: "|E900000000909090905741|";sid: 2009101; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [XCR 0.11] --> Anorganix] binary file"; flow:established,to_server; content: "|608BF033DB83C30183C001|";sid: 2009102; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [Yoda's Protector 1.02] --> Anorganix] binary file"; flow:established,to_server; content: "|E803000000EB019090|";sid: 2009103; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 0.2 [ZCode 1.01] --> Anorganix] binary file"; flow:established,to_server; content: "|E912000000000000000000000000000000E9FBFFFFFFC3680000000064FF3500000000|";sid: 2009104; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* [MSLRH] V0.31 -> emadicius] binary file"; flow:established,to_server; content: "|60D1CB0FCAC1CAE0D1CA0FC8EB01F1|";sid: 2009105; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[*** Protector v1.1.11 (DDeM->PE Engine v0.9, DDeM->CI v0.9.2)] binary file"; flow:established,to_server; content: "|535156E8000000005B81EB081000008DB334100000B9F3030000BA63172AEE311683C604|";sid: 2009106; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[.BJFnt v1.1b] binary file"; flow:established,to_server; content: "|EB01EA9CEB01EA53EB01EA51EB01EA52EB01EA56|";sid: 2009107; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[.BJFnt v1.2 RC] binary file"; flow:established,to_server; content: "|EB0269B183EC04EB03CD20EBEB01EB9CEB01EBEB|";sid: 2009108; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[.BJFnt v1.3] binary file"; flow:established,to_server; content: "|EB|";content: "|3A|"; distance: 1; within: 1;content: "|1EEB|"; distance: 2; within: 2;content: "|CD209CEB|"; distance: 2; within: 4;content: "|CD20EB|"; distance: 4; within: 3;content: "|CD2060EB|"; distance: 3; within: 4;sid: 2009109; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[32Lite v0.03a] binary file"; flow:established,to_server; content: "|6006FC1E07BE|";content: "|6A0468|"; distance: 8; within: 3;content: "|10|"; distance: 3; within: 1;content: "|68|"; distance: 2; within: 1;sid: 2009110; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[624 (Six to Four) v1.0] binary file"; flow:established,to_server; content: "|50554C5083|";content: "|FCBF|"; distance: 6; within: 2;content: "|BE|"; distance: 3; within: 1;content: "|B5|"; distance: 2; within: 1;content: "|57F3A5C333ED|"; distance: 1; within: 6;sid: 2009111; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AcidCrypt] binary file"; flow:established,to_server; content: "|60B9|";content: "|00BA|"; distance: 3; within: 2;content: "|00BE|"; distance: 3; within: 2;content: "|000238404E75FA8BC28A1832DFC0CB|"; distance: 3; within: 15;sid: 2009112; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AcidCrypt] binary file"; flow:established,to_server; content: "|BE|";content: "|0238404E75FA8BC28A1832DFC0CB|"; distance: 3; within: 14;sid: 2009113; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ACProtect 1.09g -> Risco software Inc.] binary file"; flow:established,to_server; content: "|60F950E8010000007C58584950E8010000007E5858790466B9B872E8010000007A83C40485C8EB01EBC1F8BE72037301740F8101000000F9EB0175F9E8010000|";sid: 2009114; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ACProtect V1.3X -> risco] binary file"; flow:established,to_server; content: "|6050E8010000007583|";sid: 2009115; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ACProtect v1.41] binary file"; flow:established,to_server; content: "|60760377017B74037501784787EEE8010000007683C40485EEEB017F85F2EB01790F8601000000FCEB0178790287F261518F051938010160EB01E9E901000000|";sid: 2009116; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ACProtect V1.4X -> risco] binary file"; flow:established,to_server; content: "|60E8010000007C83042406C3|";sid: 2009117; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ACProtect v1.90g -> Risco software Inc.] binary file"; flow:established,to_server; content: "|600F87020000001BF8E8010000007383042406C3|";sid: 2009118; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ACProtect V2.0 -> risco] binary file"; flow:established,to_server; content: "|68|";content: "|68|"; distance: 3; within: 1;content: "|C3C3|"; distance: 3; within: 2;sid: 2009119; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ActiveMARK[TM] R5.31.1140 -> Trymedia] binary file"; flow:established,to_server; content: "|79117FAB9A4A83B5C96B1A48F927B425|";sid: 2009120; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AdFlt2] binary file"; flow:established,to_server; content: "|6800019C0FA00FA860FD6A000FA1BE|";content: "|AD|"; distance: 16; within: 1;sid: 2009121; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Ady's Glue 1.10] binary file"; flow:established,to_server; content: "|2E|";content: "|0E1FBF|"; distance: 3; within: 3;content: "|33DB33C0AC|"; distance: 4; within: 5;sid: 2009122; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Ady`s Glue v0.10] binary file"; flow:established,to_server; content: "|2E8C06|";content: "|0E0733C08ED8BE|"; distance: 4; within: 7;content: "|BF|"; distance: 8; within: 1;content: "|FCB9|"; distance: 2; within: 2;content: "|56F3A51E075F|"; distance: 3; within: 6;sid: 2009123; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHPack 0.1 -> FEUERRADER] binary file"; flow:established,to_server; content: "|606854|";content: "|00B848|"; distance: 4; within: 3;content: "|00FF1068B3|"; distance: 4; within: 5;content: "|0050B844|"; distance: 6; within: 4;content: "|00FF106800|"; distance: 5; within: 5;sid: 2009124; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHpack 0.1 -> FEUERRADER] binary file"; flow:established,to_server; content: "|606854|";content: "|B848|"; distance: 4; within: 2;content: "|FF1068B3|"; distance: 3; within: 4;content: "|50B844|"; distance: 5; within: 3;content: "|FF106800|"; distance: 4; within: 4;content: "|6A40FFD08905CA|"; distance: 5; within: 7;content: "|89C7BE0010|"; distance: 8; within: 5;content: "|60FCB28031DBA4B302E86D00000073F631C9E864000000731C31C0E85B0000007323B30241|"; distance: 6; within: 37;sid: 2009125; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake ASPack 2.12) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE060E803000000E9EB045D4555C3E801000000EB5DBBEDFFFFFF03DD81EB|"; distance: 24; within: 32;sid: 2009126; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake ASProtect 1.0) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE060E801000000905D81ED00000000BB0000000003DD2B9D|"; distance: 24; within: 26;sid: 2009127; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake Borland Delphi 6.0-7.0) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content:
"|90FFE0538BD833C0A3000000006A00E8000000FFA300000000A100000000A30000000033C0A30000000033C0A300000000E8|"; distance: 24; within: 50;sid: 2009128; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake k.kryptor 9/kryptor a) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE060E8|"; distance: 24; within: 5;content: "|5EB9000000002BC002040ED3C04979F8418D7E2C3346|"; distance: 7; within: 22;content: "|66B9|"; distance: 22; within: 2;sid: 2009129; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake Microsoft Visual C++ 7.0) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE06A0068|"; distance: 24; within: 6;content: "|E8|"; distance: 8; within: 1;content: "|BF|"; distance: 3; within: 1;content: "|8BC7E8|"; distance: 3; within: 3;content: "|8965008BF4893E56FF15|"; distance: 5; within: 10;content: "|8B4E|"; distance: 12; within: 2;content: "|890D|"; distance: 2; within: 2;content: "|008B4600A3|"; distance: 3; within: 5;sid: 2009130; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake PCGuard 4.03-4.15) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE0FC5550E8000000005DEB01E360E803000000D2EB0B58EB014840EB01|"; distance: 24; within: 31;sid: 2009131; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake PE Lock NT 2.04) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE0EB03CD20C71EEB03CD20EA9CEB02EB01EB01EB60EB03CD20EBEB01EB|"; distance: 24; within: 31;sid: 2009132; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake PE-Crypt 1.02) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE0E8000000005B83EB05EB04524E44|"; distance: 24; within: 17;sid: 2009133; rev:1;) alert tcp $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake PESHiELD 2.x) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE060E800000000414E414B494E5D83ED06EB02EA04|"; distance: 24; within: 23;sid: 2009134; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake PEtite 2.2) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE0B800000000680000000064FF350000000064892500000000669C6050|"; distance: 24; within: 31;sid: 2009135; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake Spalsher 1.x-3.x) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE09C608B442424E8000000005D81ED0000000050E8ED0200008CC00F84|"; distance: 24; within: 31;sid: 2009136; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake Stone's PE Encryptor 2.0) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE0535152565755E8000000005D81ED42304000FF9532354000B83730400003C52B851B34400089852734400083|"; distance: 24; within: 47;sid: 2009137; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake SVKP 1.3x) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE060E8000000005D81ED06000000EB05B80000000064A023000000EB03C784E884C0EB03C784E97567B9490000008DB5C50200005680064446E2FA8B8DC10200005E55516A00|"; distance: 24; within: 72;sid: 2009138; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake tElock 0.61) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE0E90000000060E8000000005883C008F3EBFFE083C02850E8000000005EB3338D460E8D76312818F87300C38BFEB93C02|"; distance: 24; within: 51;sid: 2009139; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake VIRUS/I-Worm Hybris) -> FEUERRADER] 
binary file"; flow:established,to_server; content: "|90|";content: "|90FFE0EB16A85400004741424C4B43474300000000000052495300FC684C704000FF15|"; distance: 24; within: 35;sid: 2009140; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake VOB ProtectCD) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE05F81EF00000000BE000040008B870000000003C657568CA700000000FF108987000000005E5F|"; distance: 24; within: 41;sid: 2009141; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake Xtreme-Protector 1.05) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE0E8000000005D8100000000006A45E8A30000006800000000E8|"; distance: 24; within: 28;sid: 2009142; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 0.3 (fake ZCode 1.01) -> FEUERRADER] binary file"; flow:established,to_server; content: "|90|";content: "|90FFE0E912000000000000000000000000000000E9FBFFFFFFC3680000000064FF35|"; distance: 24; within: 34;sid: 2009143; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AINEXE v2.1] binary file"; flow:established,to_server; content: "|A1|";content: "|2D|"; distance: 2; within: 1;content: "|8ED0BC|"; distance: 2; within: 3;content: "|8CD836A3|"; distance: 4; within: 4;content: "|05|"; distance: 5; within: 1;content: "|36A3|"; distance: 2; within: 2;content: "|2EA1|"; distance: 3; within: 2;content: "|8AD4B104D2EAFEC9|"; distance: 3; within: 8;sid: 2009144; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AINEXE v2.30] binary file"; flow:established,to_server; content: "|0E07B9|";content: "|BE|"; distance: 4; within: 1;content: "|33FFFCF3A4A1|"; distance: 2; within: 6;content: "|2D|"; distance: 7; within: 1;content: "|8ED0BC|"; distance: 2; within: 3;content: "|8CD8|"; distance: 4; within: 2;sid: 2009145; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Alex Protector v1.0 -> 
Alex] binary file"; flow:established,to_server; content: "|60E8000000005D81ED06104000E824000000EB01E98B|";sid: 2009146; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Alloy 4.x -> PGWare LLC] binary file"; flow:established,to_server; content: "|9C60E80200000033C08BC483C004938BE38B5BFC81EB0730400087DD6A04680010000068000200006A00FF95A83340000BC00F84F601000089852E33400083BDE832400001740D83BDE432400001742A8BF8EB3E68|";sid: 2009147; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Alloy v1.x.2000] binary file"; flow:established,to_server; content: "|9C60E802|";content: "|33C08BC483C004938BE38B5BFC81EB072040|"; distance: 5; within: 18;content: "|87DD6A0468|"; distance: 18; within: 5;content: "|10|"; distance: 5; within: 1;content: "|68|"; distance: 2; within: 1;content: "|02|"; distance: 1; within: 1;content: "|6A|"; distance: 2; within: 1;content: "|FF95462340|"; distance: 1; within: 5;content: "|0B|"; distance: 5; within: 1;sid: 2009148; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Aluwain v8.09] binary file"; flow:established,to_server; content: "|8BEC1EE8|";content: "|9D5E|"; distance: 5; within: 2;sid: 2009149; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ANDpakk2 0.18 - by Dmitry "AND" Andreev] binary file"; flow:established,to_server; content: "|FCBED4004000BF00|";content: "|005783CDFF33C9F9EB05A402DB75058A1E4612DB72F433C04002DB75058A1E4612DB13C002DB75058A1E4612DB720E4802DB75058A1E4612DB13C0EBDC83E803720FC1E008AC83F0FF744DD1F88BE8EB0902DB75058A1E4612DB13C902DB75058A1E4612DB13C9751A4102DB75058A1E4612DB13C902DB75058A1E4612DB73EA83C10281FD00FBFFFF83D101568D342FF3A45EE973FFFFFFC3|"; distance: 9; within: 153;sid: 2009150; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Anskya Binder v1.1 -> Anskya] binary file"; flow:established,to_server; content: "|BE|";content: "|00BBF811400033ED83EE04392E7411|"; distance: 2; within: 15;sid: 2009151; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[Anslym Crypter] binary file"; flow:established,to_server; content: "|558BEC83C4F05356B838170510E85A45FBFF33C05568211C051064FF30648920EB08FCFCFCFCFCFC2754E8854CFBFF6A00E80E47FBFF6A0AE82749FBFFE8EA47FBFF6A0A68301C0510A16056051050E86847FBFF8BD885DB0F84B602000053A16056051050E8F248FBFF8BF085F60F84A0020000E8F3|";sid: 2009152; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Anslym FUD Crypter] binary file"; flow:established,to_server; content: "|558BEC83C4F05356B838170510E85A45FBFF33C05568211C051064FF30648920EB08FCFCFCFCFCFC2754E8854CFBFF6A00E80E47FBFF6A0AE82749FBFFE8EA47FBFF6A0A|";sid: 2009153; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Anticrack Software Protector v1.09 (ACProtect)] binary file"; flow:established,to_server; content: "|60|";content: "|0000|"; distance: 5; within: 2;content: "|E801000000|"; distance: 8; within: 5;content: "|83042406C3|"; distance: 5; within: 5;content: "|00|"; distance: 7; within: 1;sid: 2009154; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AntiDote 1.0 Beta -> SIS-Team] binary file"; flow:established,to_server; content: "|E8BBFFFFFF84C0742F680401000068C02360006A00FF1508106000E840FFFFFF506878116000686811600068C0236000E8ABFDFFFF83C41033C0C210009090908B4C2408568B74240833D28BC6F7F18BC685D2740833D2F7F1400FAFC15EC3908B4424045355568B483C5703C833D28B79548B71388BC7F7F685D2740C8BC733D2F7F68BF8470FAFFE33C033DB668B41148D54081833C0668B4106895424148D68FF85ED7C3733C0|";sid: 2009155; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AntiDote 1.2 Beta (Demo) -> SIS-Team] binary file"; flow:established,to_server; content: "|6869D60000E8C6FDFFFF6869D60000E8BCFDFFFF83C408E8A4FFFFFF84C0742F680401000068B02160006A00FF1508106000E829FFFFFF506888106000687810600068B0216000E8A4FDFFFF83C41033C0C210009090909090909090909090908B4C2408568B74240833D28BC6F7F18BC685D2740833D2F7F1400FAFC15EC3908B4424045355568B483C5703C833D28B79548B71388BC7F7F685D2740C8BC733D2F7F68BF8470FAFFE33C033DB668B41148D54081833C0|";sid: 
2009156; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AntiDote 1.2/1.4 SE DLL -> SIS-Team] binary file"; flow:established,to_server; content: "|EB1066623A432B2B484F4F4B90E9083290909090909090909090807C2408010F85|";content: "|60BE|"; distance: 35; within: 2;content: "|8DBE|"; distance: 4; within: 2;content: "|5783CDFFEB0B908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73|"; distance: 4; within: 47;content: "|75|"; distance: 47; within: 1;content: "|8B1E83EEFC11DB|"; distance: 1; within: 7;sid: 2009157; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AntiDote 1.4 SE -> SIS-Team] binary file"; flow:established,to_server; content: "|6890030000E8C6FDFFFF6890030000E8BCFDFFFF6890030000E8B2FDFFFF50E8ACFDFFFF50E8A6FDFFFF6869D60000E89CFDFFFF50E896FDFFFF50E890FDFFFF83C420E878FFFFFF84C0744F680401000068102260006A00FF15081060006890030000E868FDFFFF6869D60000E85EFDFFFF50E858FDFFFF50E852FDFFFFE8DDFEFFFF5068A410600068941060006810226000E858FDFFFF83C42033C0C210008B4C2408568B74240833D28BC6F7F18BC685D2740833D2F7F1400FAFC15EC3|";sid: 2009158; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AntiVirus Vaccine v.1.03] binary file"; flow:established,to_server; content: "|FA33DBB9|";content: "|0E1F33F6FCAD35|"; distance: 5; within: 7;content: "|03D8E2|"; distance: 8; within: 3;sid: 2009159; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[aPack v0.62] binary file"; flow:established,to_server; content: "|1E068CC88ED8|";content: "|8EC050BE|"; distance: 7; within: 4;content: "|33FFFCB6|"; distance: 5; within: 4;sid: 2009160; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[aPack v0.82] binary file"; flow:established,to_server; content: "|1E068CCBBA|";content: "|03DA8D|"; distance: 6; within: 3;content: "|FC33F633FF484B8EC08EDB|"; distance: 4; within: 11;sid: 2009161; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[APatch GUI v1.1] binary file"; flow:established,to_server; content: 
"|5231C0E8FFFFFFFF|";sid: 2009162; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[APEX_C (BLT Apex 4.0) -> 500mhz] binary file"; flow:established,to_server; content: "|68|";content: "|B9FFFFFF0001D0F7E2720148E2F7B9FF0000008B34248036FD46E2FAC3|"; distance: 3; within: 29;sid: 2009163; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Apex_c beta -> 500mhz] binary file"; flow:established,to_server; content: "|68|";content: "|B9FFFFFF0001D0F7E2720148E2F7B9FF0000008B34248036FD46E2FAC3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000|"; distance: 3; within: 80;sid: 2009164; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[App Encryptor -> Silent Team] binary file"; flow:established,to_server; content: "|60E8000000005D81ED1F1F4000B97B0900008DBD671F40008BF7AC|";sid: 2009165; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[App Protector -> Silent Team] binary file"; flow:established,to_server; content: "|E9970000000D0A53696C656E74205465616D204170702050726F746563746F720D0A437265617465642062792053696C656E7420536F6674776172650D0A5468656E6B7A20746F20446F6368746F7220580D0A0D0A|";sid: 2009166; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ARC-SFX Archive] binary file"; flow:established,to_server; content: "|8CC88CDB8ED88EC089|";content: "|2BC3A3|"; distance: 10; within: 3;content: "|89|"; distance: 4; within: 1;content: "|BE|"; distance: 2; within: 1;content: "|B9|"; distance: 2; within: 1;content: "|BF|"; distance: 2; within: 1;content: "|BA|"; distance: 2; within: 1;content: "|FCAC32C28AD8|"; distance: 2; within: 6;sid: 2009167; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ARM Protector 0.1 - by SMoKE] binary file"; flow:established,to_server; content: 
"|E8040000008360EB0C5DEB054555EB04B8EBF900C3E8000000005DEB010081ED5E1F4000EB0283098DB5EF1F4000EB028309BAA3110000EB01008D8D923140008B09E81400000083EB01008BFEE8000000005883C00750C300EB04584050C38A0646EB0100D0C8E81400000083EB01002AC2E8000000005B83C30753C300EB045B4353C3EB010032C2E80B0000000032C1EB0100C0C002EB092AC25BEB01004353C38807EB0100474A75B4|";sid: 2009168; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ARM Protector v0.2-> SMoKE] binary file"; flow:established,to_server; content: "|E8040000008360EB0C5DEB054555EB04B8EBF900C3E8000000005DEB010081ED09204000EB0283098DB59A204000EB028309BA0B120000EB01008D8DA5324000|";sid: 2009169; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo 3.00a -> Silicon Realms Toolworks] binary file"; flow:established,to_server; content: "|60E8000000005D5051EB0F|";content: "|EB0F|"; distance: 11; within: 2;content: "|EB07|"; distance: 2; within: 2;content: "|EB0F|"; distance: 2; within: 2;content: "|EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FC|"; distance: 2; within: 20;content: "|59585051EB0F|"; distance: 20; within: 6;content: "|EB0F|"; distance: 6; within: 2;content: "|EB07|"; distance: 2; within: 2;content: "|EB0F|"; distance: 2; within: 2;content: "|EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FC|"; distance: 2; within: 20;content: "|59585051EB0F|"; distance: 20; within: 6;sid: 2009170; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo 3.X-5.X -> Silicon Realms Toolworks] binary file"; flow:established,to_server; content: "|60E8000000005D50510FCAF7D29CF7D20FCAEB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE99D0FC98BCAF7D1595850510FCAF7D29CF7D20FCAEB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE99D0FC98BCAF7D1595850510FCAF7D29CF7D20FCAEB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE99D0FC98BCAF7D159586033C97502EB15EB33|";sid: 2009171; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo 5.0 Dll -> Silicon Realms Toolworks] 
binary file"; flow:established,to_server; content: "|837C2408017505E8DE4B0000FF7424048B4C24108B54240CE8EDFEFFFF59C20C006A0C68|";content: "|E8E52400008B4D0833FF3BCF762E6AE05833D2F7F13B450C1BC040751FE88F150000C7000C0000005757575757E82015000083C41433C0E9D50000000FAF4D0C8BF18975083BF7750333F64633DB895DE483FEE07769833D|"; distance: 38; within: 88;content: "|03754B83C60F83E6F089750C8B45083B05|"; distance: 90; within: 17;content: "|77376A04E8D723000059897DFCFF7508E8EC530000598945E4C745FCFEFFFFFFE85F0000008B5DE43BDF7411FF75085753E82BC5FFFF83C40C3BDF7561566A08FF35|"; distance: 19; within: 66;content: "|FF15|"; distance: 68; within: 2;content: "|8BD83BDF754C393D|"; distance: 4; within: 8;content: "|743356E819EDFFFF5985C00F8572FFFFFF8B45103BC70F8450FFFFFFC7000C000000E945FFFFFF33FF8B750C6A04E87D22000059C3|"; distance: 10; within: 53;sid: 2009172; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo 5.00 -> Silicon Realms Toolworks] binary file"; flow:established,to_server; content: "|E8E3400000E916FEFFFF6A0C68|";content: "|E8441500008B4D0833FF3BCF762E6AE05833D2F7F13B450C1BC040751FE836130000C7000C0000005757575757E8C712000083C41433C0E9D50000000FAF4D0C8BF18975083BF7750333F64633DB895DE483FEE07769833D|"; distance: 15; within: 88;content: "|03754B83C60F83E6F089750C8B45083B05|"; distance: 90; within: 17;content: "|77376A04E84811000059897DFCFF7508E801490000598945E4C745FCFEFFFFFFE85F0000008B5DE43BDF7411FF75085753E866D3FFFF83C40C3BDF7561566A08FF35|"; distance: 19; within: 66;content: "|FF15|"; distance: 68; within: 2;content: "|8BD83BDF754C393D|"; distance: 4; within: 8;content: "|743356E8AFF9FFFF5985C00F8572FFFFFF8B45103BC70F8450FFFFFFC7000C000000E945FFFFFF33FF8B750C6A04E8EE0F000059C3|"; distance: 10; within: 53;sid: 2009173; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.60a] binary file"; flow:established,to_server; content: "|558BEC6AFF689871400068482D400064A100000000506489250000000083EC58|";sid: 2009174; rev:1;) alert tcp $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[Armadillo v1.71] binary file"; flow:established,to_server; content: "|558BEC6AFF68|";content: "|68|"; distance: 8; within: 1;content: "|64A1|"; distance: 3; within: 2;sid: 2009175; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.72 - v1.73] binary file"; flow:established,to_server; content: "|558BEC6AFF68E8C1|";content: "|68F486|"; distance: 9; within: 3;content: "|64A1|"; distance: 4; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC58|"; distance: 6; within: 3;sid: 2009176; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.77] binary file"; flow:established,to_server; content: "|558BEC6AFF68B0714000686C37400064A100000000506489250000000083EC58|";sid: 2009177; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.80] binary file"; flow:established,to_server; content: "|558BEC6AFF68E8C1000068F486000064A100000000506489250000000083EC58|";sid: 2009178; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.82] binary file"; flow:established,to_server; content: "|558BEC6AFF68E0C14000687481400064A100000000506489250000000083EC58|";sid: 2009179; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.83] binary file"; flow:established,to_server; content: "|558BEC6AFF68E0C14000686484400064A100000000506489250000000083EC58|";sid: 2009180; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.84] binary file"; flow:established,to_server; content: "|558BEC6AFF68E8C1400068F486400064A100000000506489250000000083EC58|";sid: 2009181; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.90] binary file"; flow:established,to_server; content: "|558BEC6AFF6810F2400068649A400064A100000000506489250000000083EC58|";sid: 2009182; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.90a] binary file"; flow:established,to_server; content: 
"|558BEC64FF6810F2400068149B400064A100000000506489250000000083EC58|";sid: 2009183; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.90b1] binary file"; flow:established,to_server; content: "|558BEC6AFF68E0C14000680489400064A100000000506489250000000083EC58|";sid: 2009184; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.90b2] binary file"; flow:established,to_server; content: "|558BEC6AFF68F0C1400068A489400064A100000000506489250000000083EC58|";sid: 2009185; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.90b3] binary file"; flow:established,to_server; content: "|558BEC6AFF6808E24000689495400064A100000000506489250000000083EC58|";sid: 2009186; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.90b4] binary file"; flow:established,to_server; content: "|558BEC6AFF6808E2400068B496400064A100000000506489250000000083EC58|";sid: 2009187; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.90c] binary file"; flow:established,to_server; content: "|558BEC6AFF6810F2400068749D400064A100000000506489250000000083EC58|";sid: 2009188; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.9x] binary file"; flow:established,to_server; content: "|558BEC6AFF6898|";content: "|6810|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF15|"; distance: 6; within: 11;sid: 2009189; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1.xx - v2.xx] binary file"; flow:established,to_server; content: "|558BEC538B5D08568B750C578B7D1085F6|";sid: 2009190; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.00] binary file"; flow:established,to_server; content: "|558BEC6AFF680002410068C4A0400064A100000000506489250000000083EC58|";sid: 2009191; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.00b2-2.00b3] 
binary file"; flow:established,to_server; content: "|558BEC6AFF6800F2400068C4A0400064A100000000506489250000000083EC58|";sid: 2009192; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.01] binary file"; flow:established,to_server; content: "|558BEC6AFF680802410068049A400064A100000000506489250000000083EC58|";sid: 2009193; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.10b2] binary file"; flow:established,to_server; content: "|558BEC6AFF68181241006824A0400064A100000000506489250000000083EC58|";sid: 2009194; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.20] binary file"; flow:established,to_server; content: "|558BEC6AFF681012410068F4A0400064A100000000506489250000000083EC58|";sid: 2009195; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.20b1] binary file"; flow:established,to_server; content: "|558BEC6AFF683012410068A4A5400064A100000000506489250000000083EC58|";sid: 2009196; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.50] binary file"; flow:established,to_server; content: "|558BEC6AFF68B8|";content: "|68F8|"; distance: 8; within: 2;content: "|64A100000000506489250000000083EC585356578965E8FF1520|"; distance: 3; within: 26;content: "|33D28AD48915D0|"; distance: 27; within: 7;sid: 2009197; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.50b3] binary file"; flow:established,to_server; content: "|558BEC6AFF68B8|";content: "|68F8|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF1520|"; distance: 6; within: 12;content: "|33D28AD48915D0|"; distance: 13; within: 7;sid: 2009198; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.51] binary file"; flow:established,to_server; content: "|558BEC6AFF68B8|";content: "|68D0|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; 
distance: 4; within: 4;content: "|83EC585356578965E8FF1520|"; distance: 6; within: 12;sid: 2009199; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.52] binary file"; flow:established,to_server; content: "|558BEC6AFF68|";content: "|E0|"; distance: 8; within: 1;content: "|68D464A100000000506489250000000083EC585356578965E8FF|"; distance: 3; within: 26;content: "|1538|"; distance: 27; within: 2;sid: 2009200; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.52] binary file"; flow:established,to_server; content: "|558BEC6AFF68E0|";content: "|68D4|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF1538|"; distance: 6; within: 12;sid: 2009201; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.52 beta2] binary file"; flow:established,to_server; content: "|558BEC6AFF68|";content: "|B0|"; distance: 8; within: 1;content: "|686064A100000000506489250000000083EC585356578965E8FF|"; distance: 3; within: 26;content: "|1524|"; distance: 27; within: 2;sid: 2009202; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.52b2] binary file"; flow:established,to_server; content: "|558BEC6AFF68B0|";content: "|6860|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF1524|"; distance: 6; within: 12;sid: 2009203; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.53] binary file"; flow:established,to_server; content: "|558BEC6AFF6840|";content: "|6854|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF1558|"; distance: 6; within: 12;content: "|33D28AD48915EC|"; distance: 13; within: 7;sid: 2009204; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.53] binary file"; 
flow:established,to_server; content: "|558BEC6AFF68|";content: "|40|"; distance: 8; within: 1;content: "|685464A100000000506489250000000083EC585356578965E8FF|"; distance: 3; within: 26;content: "|155833D28AD489|"; distance: 27; within: 7;sid: 2009205; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.53b3] binary file"; flow:established,to_server; content: "|558BEC6AFF68D8|";content: "|6814|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF15|"; distance: 6; within: 11;sid: 2009206; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.5x - v2.6x] binary file"; flow:established,to_server; content: "|558BEC6AFF68|";content: "|68|"; distance: 8; within: 1;content: "|64A100000000506489250000000083EC585356578965E8FF1558|"; distance: 3; within: 26;content: "|33D28AD48915EC|"; distance: 27; within: 7;sid: 2009207; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.60] binary file"; flow:established,to_server; content: "|558BEC6AFF68D0|";content: "|6834|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF1568|"; distance: 6; within: 12;content: "|33D28AD4891584|"; distance: 13; within: 7;sid: 2009208; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.60a] binary file"; flow:established,to_server; content: "|558BEC6AFF68|";content: "|6894|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF156C|"; distance: 6; within: 12;content: "|33D28AD48915B4|"; distance: 13; within: 7;sid: 2009209; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.60b1] binary file"; flow:established,to_server; content: "|558BEC6AFF6850|";content: "|6874|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF1558|"; distance: 6; within: 12;content: "|33D28AD48915FC|"; distance: 13; within: 7;sid: 2009210; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.60b2] binary file"; flow:established,to_server; content: "|558BEC6AFF6890|";content: "|6824|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF1560|"; distance: 6; within: 12;content: "|33D28AD489153C|"; distance: 13; within: 7;sid: 2009211; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.60c] binary file"; flow:established,to_server; content: "|558BEC6AFF6840|";content: "|68F4|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF156C|"; distance: 6; within: 12;content: "|33D28AD48915F4|"; distance: 13; within: 7;sid: 2009212; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.61] binary file"; flow:established,to_server; content: "|558BEC6AFF6828|";content: "|68E4|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF156C|"; distance: 6; within: 12;content: "|33D28AD489150C|"; distance: 13; within: 7;sid: 2009213; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.65b1] binary file"; flow:established,to_server; content: "|558BEC6AFF6838|";content: "|6840|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF1528|"; distance: 6; within: 12;content: "|33D28AD48915F4|"; distance: 13; within: 7;sid: 2009214; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.75a] binary file"; flow:established,to_server; content: "|558BEC6AFF6868|";content: "|68D0|"; distance: 8; within: 2;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF1528|"; distance: 6; within: 12;content: "|33D28AD4891524|"; distance: 13; within: 7;sid: 2009215; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.85] binary file"; flow:established,to_server; content: "|558BEC6AFF6868|";content: "|68|"; distance: 8; within: 1;content: "|64A1|"; distance: 3; within: 2;content: "|50648925|"; distance: 4; within: 4;content: "|83EC585356578965E8FF1528|"; distance: 6; within: 12;content: "|33D28AD4891524|"; distance: 13; within: 7;sid: 2009216; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2.xx (CopyMem II)] binary file"; flow:established,to_server; content: "|6A|";content: "|8BB5|"; distance: 1; within: 2;content: "|C1E6048B85|"; distance: 4; within: 5;content: "|2507|"; distance: 7; within: 2;content: "|8079054883C8F84033C98A88|"; distance: 3; within: 12;content: "|8B95|"; distance: 14; within: 2;content: "|81E207|"; distance: 4; within: 3;content: "|8079054A83CAF84233C08A82|"; distance: 4; within: 12;sid: 2009217; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v3.00] binary file"; flow:established,to_server; content: "|60E8|";content: "|5D5051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE959586033C9|"; distance: 4; within: 41;sid: 2009218; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v3.00a] binary file"; flow:established,to_server; content: "|60E8|";content: "|5D5051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE959585051EB|"; distance: 4; within: 41;sid: 2009219; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v3.01, v3.05] binary file"; flow:established,to_server; content: "|60E8000000005D5051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE959585051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE959585051EB0F|";sid: 2009220; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v3.10] binary file"; flow:established,to_server; content: "|558BEC6AFF68E09744006820C0420064A100000000506489250000000083EC585356578965E8FF154C41440033D28AD4891590A144008BC881E1FF000000890D8CA14400C1E10803CA890D88A14400C1E810A384A1|";sid: 2009221; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v3.xx] binary file"; flow:established,to_server; content: "|60E8|";content: "|5D5051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE95958|"; distance: 4; within: 38;sid: 2009222; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v4.00.0053 -> Silicon Realms Toolworks] binary file"; flow:established,to_server; content: "|558BEC6AFF68208B4B006880E4480064A100000000506489250000000083EC585356578965E8FF1588314B0033D28AD48915A4A14B008BC881E1FF000000890DA0A14B00C1E10803CA890D9CA14B00C1E810A398A1|";sid: 2009223; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v4.10 -> Silicon Realms Toolworks] binary file"; flow:established,to_server; content: "|558BEC6AFF68F88E4C0068D0EA490064A100000000506489250000000083EC585356578965E8FF1588314C0033D28AD489157CA54C008BC881E1FF000000890D78A54C00C1E10803CA890D74A54C00C1E810A370A5|";sid: 2009224; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v4.20 -> Silicon Realms Toolworks] binary file"; flow:established,to_server; content: "|558BEC6AFF68F88E4C0068F0EA490064A100000000506489250000000083EC585356578965E8FF1588314C0033D28AD4891584A54C008BC881E1FF000000890D80A54C00C1E10803CA890D7CA54C00C1E810A378A5|";sid: 2009225; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v4.30 - v4.40 -> Silicon Realms Toolworks] binary file"; flow:established,to_server; content: "|558BEC6AFF6840|";content: "|006880|"; distance: 8; within: 3;content: "|0064A100000000506489250000000083EC585356578965E8FF1588|"; distance: 4; within: 27;content: "|0033D28AD4891530|"; distance: 28; within: 8;content: "|008BC881E1FF000000890D2C|"; distance: 9; within: 12;content: "|00C1E10803CA890D28|"; distance: 13; within: 9;content: "|00C1E810A324|"; distance: 10; within: 6;sid: 2009226; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v4.30 - v4.40 -> Silicon Realms Toolworks] binary file"; flow:established,to_server; content: "|60E8000000005D50510FCAF7D29CF7D20FCAEB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE99D0FC98BCAF7D1595850510FCAF7D29CF7D20FCAEB0FB9EB0FB8EB07B9EB0F90EB08|";sid: 2009227; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASDPack 2.0 -> asd] binary file"; flow:established,to_server; content: "|8B442404565753E8CD010000C30000000000000000000000000010000000|";sid: 2009228; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.00b -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8|";content: "|5D81ED921A44|"; distance: 4; within: 6;content: "|B88C1A44|"; distance: 6; within: 4;content: "|03C52B85CD1D44|"; distance: 4; within: 7;content: "|8985D91D44|"; distance: 7; within: 5;content: "|80BDC41D44|"; distance: 5; within: 5;sid: 2009229; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.01b -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8|";content: "|5D81EDD22A44|"; distance: 4; within: 6;content: "|B8CC2A44|"; distance: 6; within: 4;content: "|03C52B85A52E44|"; distance: 4; within: 7;content: "|8985B12E44|"; distance: 7; within: 5;content: "|80BD9C2E44|"; distance: 5; within: 5;sid: 2009230; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.02a -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8|";content: "|5D81ED3ED943|"; distance: 4; within: 6;content: "|B838|"; distance: 6; within: 2;content: "|03C52B850BDE43|"; distance: 3; within: 7;content: "|898517DE43|"; distance: 7; within: 5;content: "|80BD01DE43|"; distance: 5; within: 5;content: "|7515FE8501DE43|"; distance: 6; within: 7;content: "|E81D|"; distance: 7; within: 2;content: "|E87902|"; distance: 3; within: 3;content: "|E81203|"; distance: 4; within: 3;content: "|8B8503DE43|"; distance: 4; within: 5;content: "|038517DE43|"; distance: 5; within: 5;content: "|8944241C61FF|"; distance: 5; within: 6;sid: 2009231; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.02b -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8000000005D81ED96784300B89078430003C5|";sid: 2009232; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.02b -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8|";content: "|5D81ED967843|"; distance: 4; within: 6;content: "|B8907843|"; distance: 6; within: 4;content: "|03C52B857D7C43|"; distance: 4; within: 7;content: "|8985897C43|"; distance: 7; within: 5;content: "|80BD747C43|"; distance: 5; within: 5;sid: 2009233; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.03b -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8|";content: "|5D81EDAE9843|"; distance: 4; within: 6;content: "|B8A89843|"; distance: 6; within: 4;content: "|03C52B85189D43|"; distance: 4; within: 7;content: "|8985249D43|"; distance: 7; within: 5;content: "|80BD0E9D43|"; distance: 5; within: 5;sid: 2009234; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.04b -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8|";content: "|5D81ED|"; distance: 4; within: 3;content: "|B8|"; distance: 5; within: 1;content: "|03C52B85|"; distance: 3; within: 4;content: "|129D|"; distance: 4; within: 2;content: "|89851E9D|"; distance: 2; within: 4;content: "|80BD089D|"; distance: 5; within: 4;sid: 2009235; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.05b -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8|";content: "|5D81EDCE3A44|"; distance: 4; within: 6;content: "|B8C83A44|"; distance: 6; within: 4;content: "|03C52B85B53E44|"; distance: 4; within: 7;content: "|8985C13E44|"; distance: 7; within: 5;content: "|80BDAC3E44|"; distance: 5; within: 5;sid: 2009236; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.061b -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8|";content: "|5D81EDEAA843|"; distance: 4; within: 6;content: "|B8E4A843|"; distance: 6; within: 4;content: "|03C52B8578AD43|"; distance: 4; within: 7;content: "|898584AD43|"; distance: 7; within: 5;content: "|80BD6EAD43|"; distance: 5; within: 5;sid: 2009237; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.07b (DLL) -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8000000005D|";content: "|B8|"; distance: 10; within: 1;content: "|03C5|"; distance: 3; within: 2;sid: 2009238; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.07b -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8|";content: "|5D81ED|"; distance: 4; within: 3;content: "|B8|"; distance: 5; within: 1;content: "|03C52B85|"; distance: 3; within: 4;content: "|0BDE|"; distance: 4; within: 2;content: "|898517DE|"; distance: 2; within: 4;content: "|80BD01DE|"; distance: 5; within: 4;sid: 2009239; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.08.01 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60EB0A5DEB02FF2545FFE5E8E9E8F1FFFFFFE981|";content: "|4400BB10|"; distance: 21; within: 4;content: "|440003DD2B9D|"; distance: 4; within: 6;sid: 2009240; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.08.01 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60EB0A5DEB02FF2545FFE5E8E9E8F1FFFFFFE981|";content: "|44|"; distance: 21; within: 1;content: "|BB10|"; distance: 1; within: 2;content: "|44|"; distance: 2; within: 1;content: "|03DD2B9D|"; distance: 1; within: 4;sid: 2009241; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.08.01 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60EB|";content: "|5DEB|"; distance: 2; within: 2;content: "|FF|"; distance: 2; within: 1;content: "|E9|"; distance: 3; within: 1;sid: 2009242; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.08.02 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60EB0A5DEB02FF2545FFE5E8E9E8F1FFFFFFE981ED236A4400BB10|";content: "|440003DD2B9D72|"; distance: 27; within: 7;sid: 2009243; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.08.03 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8000000005D81ED0A4A4400BB044A440003DD|";sid: 2009244; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.08.03 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8000000005D81ED0A4A4400BB044A440003DD2B9DB150440083BDAC50440000899DBB4E|";sid: 2009245; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.08.03 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8000000005D|";content: "|BB|"; distance: 10; within: 1;content: "|03DD|"; distance: 3; within: 2;sid: 2009246; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.08.03 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E8000000005D|";content: "|BB|"; distance: 10; within: 1;content: "|03DD2B9DB150440083BDAC50440000899DBB4E|"; distance: 3; within: 19;sid: 2009247; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.08.04 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E841060000EB41|";sid: 2009248; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1.08.x -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60EB035DFFE5E8F8FFFFFF81ED1B6A4400BB106A440003DD2B9D2A|";sid: 2009249; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2.000 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E870050000EB4C|";sid: 2009250; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2.001 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E872050000EB4C|";sid: 2009251; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2.1 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E872050000EB3387DB9000|";sid: 2009252; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2.11b -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E802000000EB095D5581ED39394400C3E93D040000|";sid: 2009253; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2.11c -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E802000000EB095D5581ED39394400C3E959040000|";sid: 2009254; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2.11d -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E802000000EB095D55|";sid: 2009255; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2.12 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E803000000E9EB045D4555C3E801|";sid: 2009256; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2.12 -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E803000000E9EB045D4555C3E801000000EB5DBBEDFFFFFF03DD81EB|";sid: 2009257; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2.xx -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|A8030000617508B801000000C20C006800000000C38B85260400008D8D3B0400005150FF95|";sid: 2009258; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2.xx -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|A803|";content: "|617508B801|"; distance: 3; within: 5;content: "|C20C|"; distance: 6; within: 2;content: "|68|"; distance: 2; within: 1;content: "|C38B852604|"; distance: 3; within: 5;content: "|8D8D3B04|"; distance: 6; within: 4;content: "|5150FF95|"; distance: 5; within: 4;sid: 2009259; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPR Stripper v2.x unpacked] binary file"; flow:established,to_server; content: "|BB|";content: "|E9|"; distance: 3; within: 1;content: "|609CFCBF|"; distance: 3; within: 4;content: "|B9|"; distance: 6; within: 1;content: "|F3AA9D61C3558BEC|"; distance: 3; within: 8;sid: 2009260; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|6801|";content: "|E801000000C3C3|"; distance: 3; within: 7;sid: 2009261; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect SKE 2.1x (dll) -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E803000000E9EB045D4555C3E801000000EB5DBBEDFFFFFF03DD81EB00|";content: "|807D4D01750C8B74242883FE01895D4E75318D45535053FFB5ED0900008D453550E9820000000000000000000000000000000000|"; distance: 31; within: 52;sid: 2009262; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v1.0] binary file"; flow:established,to_server; content: "|60E801|";content: "|905D81ED|"; distance: 4; within: 4;content: "|BB|"; distance: 6; within: 1;content: "|03DD2B9D|"; distance: 3; within: 4;sid: 2009263; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v1.1] binary file"; flow:established,to_server; content: "|60E9|";content: "|04|"; distance: 2; within: 1;content: "|E9|"; distance: 2; within: 1;content: "|EE|"; distance: 4; within: 1;sid: 2009264; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v1.1 MTE] binary file"; flow:established,to_server; content: "|60E9|";content: "|9178797979E9|"; distance: 4; within: 6;sid: 2009265; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v1.1 MTEc] binary file"; flow:established,to_server; content: "|9060E81B|";content: "|E9FC|"; distance: 5; within: 2;sid: 2009266; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v1.23 RC1] binary file"; flow:established,to_server; content: "|6801|";content: "|00E801000000C3C3|"; distance: 3; within: 8;sid: 2009267; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v1.23 RC4 build 08.07 (dll) -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E803000000E9EB045D4555C3E801000000EB5DBBEDFFFFFF03DD81EB00|";content: "|807D4D01750C8B74242883FE01895D4E75318D45535053FFB5D50900008D453550E9820000000000000000000000000000000000|"; distance: 31; within: 52;sid: 2009268; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v1.2x] binary file"; flow:established,to_server; content: "|00006801|";content: "|C3AA|"; distance: 5; within: 2;sid: 2009269; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v1.2x (New Strain)] binary file"; flow:established,to_server; content: "|6801|";content: "|E801|"; distance: 3; within: 2;content: "|C3C3|"; distance: 3; within: 2;sid: 2009270; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect V2.X DLL -> Alexey Solodovnikov] binary file"; flow:established,to_server; content: "|60E803000000E9|";content: "|5D4555C3E801000000EB5DBB|"; distance: 8; within: 12;content: "|03DD|"; distance: 14; within: 2;sid: 2009271; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect vx.x] binary file"; flow:established,to_server; content: "|60|";content: "|905D|"; distance: 3; within: 2;content: "|03DD|"; distance: 7; within: 2;sid: 2009272; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ass - crypter -> by santasdad] binary file"; flow:established,to_server; content: "|558BEC83C4EC53|";content: "|8945ECB898400010E8ACEAFFFF33C055687851001064|"; distance: 9; within: 22;content: "|206A0A6888510010A1E097001050E8D8EAFFFF8BD853A1E097001050E812EBFFFF8BF853A1E097001050E8DCEAFFFF8BD853E8DCEAFFFF8BF085F674268BD74AB8F0970010E8C9E7FFFFB8F0970010E8B7E7FFFF8BCF8BD6E8EEEAFFFF53E898EAFFFF8D4DECBA9C510010A1F0970010E822EBFFFF8B55ECB8F0970010E889E6FFFFB8F0970010E87FE7FFFFE86EECFFFF33C05A5959648910687F5100108D45ECE811E6FFFFC3E9FFDFFFFFEBF05F5E5BE80DE5FFFF0053455454494E475300000000FFFFFFFF1C000000454E54455220594F5552204F574E2050415353574F52442048455245|"; distance: 24; within: 231;sid: 2009273; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AverCryptor 1.0 -> os1r1s] binary file"; flow:established,to_server; content: "|60E8000000005D81ED751740008BBD9C1840008B8DA4184000B8BC18400003C580300583F9007471817F1CAB00000075628B570C0395A018400033C05133C966B9FA006683F90074498B570C0395A01840008B85A818400083F802750681C200020000518B4F1083F802750681E90002000057BFC80000008BF1E8270000008BC85FB8BC18400003C5E8240000005949EBB15983C72849EB8A8B85981840008944241C61FFE056574FF7D723F78BC65F5EC3|";sid: 2009274; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AverCryptor 1.02 beta -> os1r1s] binary file"; flow:established,to_server; content: "|60E8000000005D81ED0C1740008BBD331840008B8D3B184000B85118400003C580300583F9007471817F1CAB00000075628B570C03953718400033C05133C966B9F7006683F90074498B570C0395371840008B853F18400083F802750681C200020000518B4F1083F802750681E90002000057BFC80000008BF1E8270000008BC85FB85118400003C5E8240000005949EBB15983C72849EB8A8B852F1840008944241C61FFE056574FF7D723F78BC65F5EC3|";sid: 2009275; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AVPACK v1.20] binary file"; 
flow:established,to_server; content: "|501E0E1F160733F68BFEB9|";content: "|FCF3A506BB|"; distance: 12; within: 5;content: "|53CB|"; distance: 6; within: 2;sid: 2009276; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AZProtect 0001 - by AlexZ aka AZCRC] binary file"; flow:established,to_server; content: "|EB70FC608C804D110070258100400D91BB608C804D11007021811D610D810040CE608C804D11007025812581258125812961418131611D610040B73000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060BE00|";content: "|00BF00004000EB174B45524E454C33322E444C4C0000000000FF25|"; distance: 118; within: 27;content: "|008BC603C78BF857558BEC057F00000050E8E5FFFFFFBA8C|"; distance: 28; within: 24;content: "|008902E91A010000|"; distance: 25; within: 8;content: "|0000004765744D6F64756C6546696C654E616D654100476574566F6C756D65496E666F726D6174696F6E41004D657373616765426F7841004578697450726F63657373004765744D6F64756C6548616E646C6541|"; distance: 8; within: 84;sid: 2009277; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[bambam 0.01 -> bedrock] binary file"; flow:established,to_server; content: "|6A14E89A0500008BD85368|";content: "|E86CFDFFFFB9050000008BF3BF|"; distance: 13; within: 13;content: "|53F3A5E88D0500008B3D|"; distance: 15; within: 10;content: "|A1|"; distance: 12; within: 1;content: "|668B15|"; distance: 3; within: 3;content: "|B9|"; distance: 5; within: 1;content: "|2BCF8945E8890D|"; distance: 3; within: 7;content: "|668955EC8B413C33D203C183C410668B4806668B501481E1FFFF00008D5C02188D41FF85C0|"; distance: 9; within: 37;sid: 2009278; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[bambam 0.04 -> bedrock] binary file"; flow:established,to_server; content: "|BF|";content: "|83C9FF33C068|"; distance: 3; within: 6;content: "|F2AEF7D1495168|"; distance: 8; within: 7;content: "|E8110A000083C40C68|"; distance: 9; within: 9;content: "|FF15|"; distance: 11; within: 2;content: "|8BF0BF|"; distance: 4; within: 
3;content: "|83C9FF33C0F2AEF7D149BF|"; distance: 5; within: 11;content: "|8BD168|"; distance: 13; within: 3;content: "|C1E902F3AB8BCA83E103F3AABF|"; distance: 5; within: 13;content: "|83C9FF33C0F2AEF7D1495168|"; distance: 15; within: 12;content: "|E8C0090000|"; distance: 14; within: 5;sid: 2009279; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[beria v0.07 public WIP --> symbiont] binary file"; flow:established,to_server; content: "|83EC18538B1D0030|";content: "|555657683007000033ED55FFD38BF03BF5740D89AE20070000E8880F0000EB0233F66A105589353040|"; distance: 9; within: 41;content: "|FFD38BF03BF57409892EE83CFEFFFFEB0233F66A18558935D843|"; distance: 42; within: 26;content: "|FFD38BF0|"; distance: 27; within: 4;sid: 2009280; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRo Tiny Pascal -> BeRo] binary file"; flow:established,to_server; content: "|E9|";content: "|20436F6D70696C65642062793A204265526F54696E7950617363616C202D2028432920436F7079726967687420323030362C2042656E6A616D696E20274265526F2720526F73736561757820|"; distance: 3; within: 76;sid: 2009281; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRoEXEPacker v1.00 DLL [LZBRR] -> BeRo / Farbrausch] binary file"; flow:established,to_server; content: "|837C2408010F85|";content: "|60BE|"; distance: 9; within: 2;content: "|BF|"; distance: 4; within: 1;content: "|FCB28033DBA4B302E8|"; distance: 3; within: 9;content: "|73F633C9E8|"; distance: 11; within: 5;content: "|731C33C0E8|"; distance: 7; within: 5;content: "|7323B30241B010|"; distance: 7; within: 7;sid: 2009282; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRoEXEPacker v1.00 DLL [LZBRS] -> BeRo / Farbrausch] binary file"; flow:established,to_server; content: "|837C2408010F85|";content: "|60BE|"; distance: 9; within: 2;content: "|BF|"; distance: 4; within: 1;content: "|FCAD8D1C07B0803BFB733BE8|"; distance: 3; within: 12;content: "|7203A4EBF2E8|"; distance: 14; within: 6;content: "|8D51FFE8|"; distance: 8; within: 4;content: "|568BF72BF2F3A45EEBDB02C07503AC12C0C333|"; distance: 6; within: 19;sid: 2009283; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRoEXEPacker v1.00 DLL [LZMA] -> BeRo / Farbrausch] binary file"; flow:established,to_server; content: "|837C2408010F85|";content: "|6068|"; distance: 9; within: 2;content: "|68|"; distance: 4; within: 1;content: "|68|"; distance: 3; within: 1;content: "|E8|"; distance: 3; within: 1;content: "|BE|"; distance: 3; within: 1;content: "|B9|"; distance: 3; within: 1;content: "|8BF981FE|"; distance: 3; within: 4;content: "|7F10AC4704182C0273F0293E03F103F9EBE8|"; distance: 6; within: 18;sid: 2009284; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRoEXEPacker v1.00 [LZBRR] -> BeRo / Farbrausch] binary file"; flow:established,to_server; content: "|60BE|";content: "|BF|"; distance: 4; within: 1;content: "|FCB28033DBA4B302E8|"; distance: 3; within: 9;content: "|73F633C9E8|"; distance: 11; within: 5;content: "|731C33C0E8|"; distance: 7; within: 5;content: "|7323B30241B010|"; distance: 7; within: 7;sid: 2009285; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRoEXEPacker v1.00 [LZBRS] -> BeRo / Farbrausch] binary file"; flow:established,to_server; content: "|60BE|";content: "|BF|"; distance: 4; within: 1;content: "|FCAD8D1C07B0803BFB733BE8|"; distance: 3; within: 12;content: "|7203A4EBF2E8|"; distance: 14; within: 6;content: "|8D51FFE8|"; distance: 8; within: 4;content: "|568BF72BF2F3A45EEBDB02C07503AC12C0C333|"; distance: 6; within: 19;sid: 2009286; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRoEXEPacker v1.00 [LZMA] -> BeRo / Farbrausch] binary file"; flow:established,to_server; content: "|6068|";content: "|68|"; distance: 4; within: 1;content: "|68|"; distance: 3; within: 1;content: "|E8|"; distance: 3; within: 1;content: "|BE|"; distance: 3; within: 1;content: "|B9040000008BF981FE|"; distance: 3; within: 9;content: "|7F10AC4704182C0273F0293E03F103F9EBE8|"; distance: 11; within: 18;sid: 2009287; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BlackEnergy DDoS Bot Crypter] binary file"; flow:established,to_server; content: "|55|";content: "|81EC1C0100005356576A04BE0030000056FF35002011136A00E8|"; distance: 2; within: 26;content: "|030000|"; distance: 26; within: 3;content: "|83C410|"; distance: 4; within: 3;content: "|FF897DF40F|"; distance: 3; within: 5;sid: 2009288; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Blade Joiner v1.5] binary file"; flow:established,to_server; content: "|558BEC81C4E4FEFFFF53565733C08945F08985|";sid: 2009289; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BobPack v1.00 --> BoB / BobSoft] binary file"; flow:established,to_server; content: "|60E8000000008B0C2489CD83E90681ED|";content: "|E83D0000008985|"; distance: 18; within: 7;content: "|89C2B85D0A00008D0408E8E40000008B700401D6E876000000E851010000E80101|"; distance: 9; within: 33;sid: 2009290; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BobSoft Mini Delphi -> BoB / BobSoft] binary file"; flow:established,to_server; content: "|558BEC83C4F05356B8|";content: "|E8|"; distance: 11; within: 1;content: "|33C05568|"; distance: 3; within: 4;content: "|64FF30648920B8|"; distance: 6; within: 7;sid: 2009291; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BobSoft Mini Delphi -> BoB / BobSoft] binary file"; flow:established,to_server; content: "|558BEC83C4F053B8|";content: "|E8|"; distance: 10; within: 1;content: "|33C05568|"; distance: 3; within: 4;content: "|64FF30648920B8|"; distance: 6; within: 7;content: "|E8|"; distance: 9; within: 1;sid: 2009292; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BobSoft Mini Delphi -> BoB / BobSoft] binary file"; flow:established,to_server; content: "|558BEC83C4F0B8|";content: "|E8|"; distance: 9; within: 1;sid: 2009293; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BopCrypt v1.0] binary file"; flow:established,to_server; content: "|60BD|";content: "|E8|"; distance: 4; within: 1;content: "|0000|"; distance: 2; within: 2;sid: 2009294; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CD-Cops II] binary file"; flow:established,to_server; content: "|5360BD|";content: "|8D45|"; distance: 5; within: 2;content: "|8D5D|"; distance: 2; within: 2;content: "|E8|"; distance: 2; within: 1;content: "|8D|"; distance: 3; within: 1;sid: 2009295; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CDS SS 1.0 beta1 -> CyberDoom] binary file"; flow:established,to_server; content: "|60E8000000005D81EDCA474000FF742420E8D30300000BC00F84130300008985B84E4000668CD8A804740CC7858C4E400001000000EB1264A1300000000FB640020AC00F85E80200008D85F64C400050FFB5B84E4000E8FC0300000BC00F84CE020000E81E0300008985904E40008D85034D400050FFB5B84E4000E8D70300000BC00F84A9020000E8F90200008985944E40008D85124D400050|";sid: 2009296; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CDS SS v1.0 Beta 1 -> CyberDoom / Team-X] binary file"; flow:established,to_server; content: "|60E8000000005D81EDCA474000FF742420E8D30300000BC00F84130300008985B84E4000668CD8A804740CC7858C4E400001000000EB1264A1300000000FB640020AC00F85E80200008D85F64C400050FFB5B84E4000E8FC0300000BC00F84CE020000E81E0300008985904E40008D85034D400050FFB5B8|";sid: 2009297; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Celsius Crypt 2.1 -> Z3r0] binary file"; flow:established,to_server; content: "|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|";sid: 2009298; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CERBERUS v2.0] binary file"; flow:established,to_server; content: "|9C2BED8C|";content: "|8C|"; distance: 5; within: 1;content: "|FAE4|"; distance: 2; within: 2;content: "|88|"; distance: 2; within: 1;content: "|1607BF|"; distance: 2; within: 3;content: "|8EDD9BF5B9|"; distance: 4; within: 5;content: "|FCF3A5|"; distance: 6; within: 3;sid: 2009299; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CExe v1.0a] binary file"; flow:established,to_server; content: "|558BEC81EC0C02|";content: "|56BE0401|"; distance: 8; within: 4;content: "|8D85F8FEFFFF56506A|"; distance: 5; within: 9;content: "|FF15541040|"; distance: 9; within: 5;content: "|8A8DF8FEFFFF33D284C98D85F8FEFFFF7416|"; distance: 5; within: 18;sid: 2009300; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CHECKPRG (c) 1992] binary file"; flow:established,to_server; content: "|33C0BE|";content: "|8BD8B9|"; distance: 4; within: 3;content: "|BF|"; distance: 4; within: 1;content: "|BA|"; distance: 2; within: 1;content: "|474A74|"; distance: 2; within: 3;sid: 2009301; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ChSfx (small) v1.1] binary file"; flow:established,to_server; content: "|BA|";content: "|E8|"; distance: 2; within: 1;content: "|8BEC83EC|"; distance: 2; within: 4;content: "|8CC8BB|"; distance: 4; within: 3;content: "|B1|"; distance: 4; within: 1;content: "|D3EB03C38ED805|"; distance: 1; within: 7;content: "|89|"; distance: 8; within: 1;sid: 2009302; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CICompress v1.0] binary file"; flow:established,to_server; content: "|6A046800100000FF359C1440006A00FF1538104000A3FC10400097BE00204000E8710000003B059C14400075616A006A206A026A006A0368000000C06894104000FF152C104000A3F81040006A0068F4104000FF35|";sid: 2009303; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CipherWall Self-Extrator/Decryptor (Console) v1.5] binary file"; flow:established,to_server; content: "|9061BE001042008DBE0000FEFFC787C02002000B6E5B9B5783CDFFEB0E909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E4|";sid: 2009304; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CipherWall Self-Extrator/Decryptor (GUI) v1.5] binary file"; flow:established,to_server; content: "|9061BE001042008DBE0000FEFFC787C0200200F989C76A5783CDFFEB0E909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E4|";sid: 2009305; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Code-Lock vx.x] binary file"; flow:established,to_server; content: "|434F44452D4C4F434B2E4F435800|";sid: 2009306; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CodeCrypt v0.14b] binary file"; flow:established,to_server; content: "|E9C5020000EB02833D58EB02FF1D5BEB020FC75F|";sid: 2009307; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CodeCrypt v0.15b] binary file"; flow:established,to_server; content: "|E931030000EB02833D58EB02FF1D5BEB020FC75F|";sid: 2009308; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CodeCrypt v0.164] binary file"; flow:established,to_server; content: "|E92E030000EB02833D58EB02FF1D5BEB020FC75FEB03FF1D34|";sid: 2009309; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CodeCrypt v0.16b - v0.163b] binary file"; flow:established,to_server; content: "|E92E030000EB02833D58EB02FF1D5BEB020FC75F|";sid: 2009310; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[codeCrypter 0.31 -> Tibbar] binary file"; flow:established,to_server; content: "|5058535B90BB|";content: "|00FFE390CCCCCC558BEC5DC3CCCCCCCCCCCCCCCCCCCCCC|"; distance: 7; within: 23;sid: 2009311; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[COP v1.0 (c) 1988] binary file"; flow:established,to_server; content: "|BF|";content: "|BE|"; distance: 2; within: 1;content: "|B9|"; distance: 2; within: 1;content: "|AC32|"; distance: 2; within: 2;content: "|AAE2|"; distance: 3; within: 2;content: "|8B|"; distance: 2; within: 1;content: "|EB|"; distance: 2; within: 1;content: "|90|"; distance: 1; within: 1;sid: 2009312; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Copy Protector v2.0] binary file"; flow:established,to_server; content: "|2EA2|";content: 
"|5351521E06B4|"; distance: 3; within: 6;content: "|1E0E1FBA|"; distance: 6; within: 4;content: "|CD211F|"; distance: 5; within: 3;sid: 2009313; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CopyControl v3.03] binary file"; flow:established,to_server; content: "|CC9090EB0B0150515253546133612D35CAD10752D1A13C|";sid: 2009314; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CopyMinder -> Microcosm.Ltd] binary file"; flow:established,to_server; content: "|8325|";content: "|EF6A00E8|"; distance: 4; within: 4;content: "|E8|"; distance: 6; within: 1;content: "|CCFF25|"; distance: 3; within: 3;content: "|FF25|"; distance: 5; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;content: "|FF25|"; distance: 4; within: 2;sid: 2009315; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CPAV] binary file"; flow:established,to_server; content: "|E8|";content: "|4D5AB1019301000002|"; distance: 2; within: 9;sid: 2009316; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrackStop v1.01 (c) Stefan Esser 1997] binary file"; flow:established,to_server; content: "|B448BBFFFFB9EB278BECCD21FAFC|";sid: 2009317; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CreateInstall Stub vx.x] binary file"; flow:established,to_server; content: 
"|558BEC81EC200200005356576A00FF15186140006800704000894508FF151461400085C074276A00A10020400050FF153C6140008BF06A0656FF15386140006A0356FF1538614000E93603000068027F000033F656|";sid: 2009318; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crinkler V0.1-V0.2 -> Rune L.H.Stubbe and Aske Simon Christensen] binary file"; flow:established,to_server; content: "|B9|";content: "|01C068|"; distance: 3; within: 3;content: "|6A0058506A005F485DBB03000000BE|"; distance: 5; within: 15;content: "|E9|"; distance: 17; within: 1;sid: 2009319; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crinkler V0.3-V0.4 -> Rune L.H.Stubbe and Aske Simon Christensen] binary file"; flow:established,to_server; content: "|B80000420031DB43EB58|";sid: 2009320; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crunch v4.0] binary file"; flow:established,to_server; content: "|EB100000000000000000000000000000000055E8000000005D81ED180000008BC555609C2B85E90600008985E1060000FF74242CE8BB0100000F8292050000E8F1030000490F8886050000686CD9B29633C050E824|";sid: 2009321; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crunch v5 -> Bit-Arts] binary file"; flow:established,to_server; content: "|EB1503000000060000000000000000000000680000000055E8000000005D81ED1D0000008BC555609C2B85FC0700008985E8070000FF74242CE8200200000F8294060000E8F3040000490F88880600008BB5E80700|";sid: 2009322; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crunch/PE] binary file"; flow:established,to_server; content: "|55E8|";content: "|5D83ED068BC5556089AD|"; distance: 4; within: 10;content: "|2B85|"; distance: 12; within: 2;sid: 2009323; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crunch/PE v1.0.x.x] binary file"; flow:established,to_server; content: "|55E8|";content: "|5D83ED068BC5556089AD|"; distance: 4; within: 10;content: "|2B85|"; distance: 12; within: 2;content: "|8985|"; distance: 4; within: 2;content: "|80BD|"; distance: 4; within: 2;content: "|7509C685|"; 
distance: 4; within: 4;sid: 2009324; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crunch/PE v2.0.x.x] binary file"; flow:established,to_server; content: "|55E8|";content: "|5D83ED068BC5556089AD|"; distance: 4; within: 10;content: "|2B85|"; distance: 12; within: 2;content: "|8985|"; distance: 4; within: 2;content: "|55BB|"; distance: 4; within: 2;content: "|03DD536467FF36|"; distance: 4; within: 7;content: "|64678926|"; distance: 8; within: 4;sid: 2009325; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crunch/PE v3.0.x.x] binary file"; flow:established,to_server; content: "|EB10|";content: "|55E8|"; distance: 10; within: 2;content: "|5D81ED18|"; distance: 4; within: 4;content: "|8BC555609C2B85|"; distance: 5; within: 7;content: "|8985|"; distance: 9; within: 2;content: "|FF74|"; distance: 4; within: 2;sid: 2009326; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Cruncher v1.0] binary file"; flow:established,to_server; content: "|2E|";content: "|2E|"; distance: 3; within: 1;content: "|B430CD213C0373|"; distance: 2; within: 7;content: "|BB|"; distance: 7; within: 1;content: "|8EDB8D|"; distance: 2; within: 3;content: "|B409CD210633C050CB|"; distance: 4; within: 9;sid: 2009327; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrypKey v5 - v6] binary file"; flow:established,to_server; content: "|E8|";content: "|5883E805505F578BF781EF|"; distance: 3; within: 11;content: "|83C639BA|"; distance: 13; within: 4;content: "|8BDFB90B|"; distance: 6; within: 4;content: "|8B06|"; distance: 5; within: 2;sid: 2009328; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrypKey V5.6.X -> Kenonic Controls Ltd.] binary file"; flow:established,to_server; content: "|E8|";content: "|E8|"; distance: 3; within: 1;content: "|83F80075076A00E8|"; distance: 3; within: 8;sid: 2009329; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrypKey V5.6.X DLL -> Kenonic Controls Ltd.] 
binary file"; flow:established,to_server; content: "|8B1D|";content: "|83FB00750AE8|"; distance: 4; within: 6;content: "|E8|"; distance: 8; within: 1;sid: 2009330; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrypKey V6.1X DLL -> CrypKey (Canada) Inc.] binary file"; flow:established,to_server; content: "|833D|";content: "|00753468|"; distance: 4; within: 4;content: "|E8|"; distance: 6; within: 1;sid: 2009331; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CRYPT Version 1.7 (c) Dismember] binary file"; flow:established,to_server; content: "|0E179C58F6|";content: "|74|"; distance: 6; within: 1;content: "|E9|"; distance: 1; within: 1;sid: 2009332; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Cryptic 2.0 -> Tughack] binary file"; flow:established,to_server; content: "|B800004000BB|";content: "|00B900100000BA|"; distance: 7; within: 7;content: "|0003D803C803D13BCA74068031|"; distance: 8; within: 13;content: "|41EBF6FFE3|"; distance: 13; within: 5;sid: 2009333; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crypto-Lock v2.02 (Eng) -> Ryan Thian] binary file"; flow:established,to_server; content: "|60BE159040008DBEEB7FFFFF5783CDFFEB109090909090908A0646880747|";sid: 2009334; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crypto-Lock v2.02 (Eng) -> Ryan Thian] binary file"; flow:established,to_server; content: "|60BE159040008DBEEB7FFFFF5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E431C983E803720DC1E0|";sid: 2009335; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crypto-Lock v2.02 (Eng) -> Ryan Thian] binary file"; flow:established,to_server; content: "|60BE|";content: "|9040008DBE|"; distance: 2; within: 5;content: "|FFFF5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E431C983E803720DC1E0|"; distance: 6; within: 75;sid: 2009336; 
rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CRYPToCRACk's PE Protector V0.9.2 -> Lukas Fleischer] binary file"; flow:established,to_server; content: "|E801000000E8585B81E300FFFFFF66813B4D5A753784DB75338BF303|";content: "|813E504500007526|"; distance: 29; within: 8;sid: 2009337; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CRYPToCRACk's PE Protector V0.9.3 -> Lukas Fleischer] binary file"; flow:established,to_server; content: "|5B81E300FFFFFF66813B4D5A75338BF303733C813E5045000075260FB746188BC869C0AD0B0000F7E02DAB5D414B69C9DEC0000003C1|";sid: 2009338; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrypWrap vx.x] binary file"; flow:established,to_server; content: "|E8B8|";content: "|E89002|"; distance: 3; within: 3;content: "|83F8|"; distance: 4; within: 2;content: "|75076A|"; distance: 2; within: 3;content: "|E8|"; distance: 3; within: 1;content: "|FF15498F40|"; distance: 3; within: 5;content: "|A9|"; distance: 5; within: 1;content: "|80740E|"; distance: 2; within: 3;sid: 2009339; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Cygwin32] binary file"; flow:established,to_server; content: "|5589E583EC04833D|";sid: 2009340; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DAEMON Protect v0.6.7] binary file"; flow:established,to_server; content: "|60609C8CC932C9E30C520F014C24FE5A83C20C8B1A9D61|";sid: 2009341; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DalKrypt 1.0 - by DalKiT] binary file"; flow:established,to_server; content: "|68001040005868|";content: "|005F33DBEB0D8A140380EA0780F2048814034381FB|"; distance: 8; within: 21;content: "|0072EBFFE7|"; distance: 22; within: 5;sid: 2009342; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DBPE v1.53] binary file"; flow:established,to_server; content: "|9C5557565251539CFAE8|";content: "|5D81ED5B5340|"; distance: 12; within: 6;content: "|B0|"; distance: 6; within: 1;content: "|E8|"; distance: 1; within: 1;content: 
"|5E83C611B927|"; distance: 3; within: 6;content: "|3006464975FA|"; distance: 7; within: 6;sid: 2009343; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DBPE v2.10] binary file"; flow:established,to_server; content: "|9C6A10730BEB02C151E806|";content: "|C41173F75BCD83C404EB0299EBFF0C247101E879E07A017583C4049DEB0175685F2040|"; distance: 12; within: 35;content: "|E8B0EFFFFF7203730175BE|"; distance: 35; within: 11;sid: 2009344; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DBPE v2.10 -> Ding Boy] binary file"; flow:established,to_server; content: "|EB20|";content: "|9C5557565251539CE8|"; distance: 18; within: 9;content: "|5D81ED|"; distance: 11; within: 3;content: "|EB587573657233322E646C6C|"; distance: 5; within: 12;content: "|4D657373616765426F7841|"; distance: 12; within: 11;content: "|6B65726E656C|"; distance: 11; within: 6;sid: 2009345; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DBPE v2.33 -> Ding Boy] binary file"; flow:established,to_server; content: "|EB20|";content: "|40|"; distance: 3; within: 1;content: "|9C5557565251539CE8|"; distance: 15; within: 9;content: "|5D81ED|"; distance: 11; within: 3;content: "|9C6A10730BEB02C151E806|"; distance: 5; within: 11;content: "|C41173F75BCD83C404EB0299EBFF0C2471|"; distance: 12; within: 17;sid: 2009346; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DBPE vx.xx -> Ding Boy] binary file"; flow:established,to_server; content: "|EB20|";content: "|40|"; distance: 3; within: 1;content: "|9C5557565251539CE8|"; distance: 15; within: 9;content: "|5D81ED|"; distance: 11; within: 3;sid: 2009347; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DCrypt Private 0.9b -> drmist] binary file"; flow:established,to_server; content: "|B9|";content: "|00E8000000005868|"; distance: 2; within: 8;content: "|0083E80B0F1800D00048E2FBC3|"; distance: 9; within: 13;sid: 2009348; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DEF 1.0 -> bart/xt] binary file"; 
flow:established,to_server; content: "|BE|";content: "|40006A|"; distance: 2; within: 3;content: "|59807E070074118B460C05000040008B56103010404A75FA83C628E2E468|"; distance: 3; within: 30;content: "|4000C300000000000000000000000000000000000000000000000000000000000000000000000000000000000000|"; distance: 31; within: 46;sid: 2009349; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DEF v1.0] binary file"; flow:established,to_server; content: "|BE|";content: "|0140006A0559807E070074118B46|"; distance: 1; within: 14;sid: 2009350; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DEF v1.00 (Eng) -> bart/xt] binary file"; flow:established,to_server; content: "|BE|";content: "|0140006A|"; distance: 1; within: 4;content: "|59807E070074118B460C05000040008B56103010404A75FA83C628E2E468|"; distance: 4; within: 30;content: "|4000C300000000000000000000000000000000000000000000000000000000000000000000000000000000000000|"; distance: 31; within: 46;sid: 2009351; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[dePACK -> deNULL] binary file"; flow:established,to_server; content: "|EB01DD606800|";content: "|68|"; distance: 7; within: 1;content: "|0000E8|"; distance: 2; within: 3;content: "|000000|"; distance: 3; within: 3;sid: 2009352; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[dePACK -> deNULL] binary file"; flow:established,to_server; content: "|EB01DD606800|";content: "|68|"; distance: 7; within: 1;content: "|00E8|"; distance: 2; within: 2;content: "|000000|"; distance: 2; within: 3;content: "|D2|"; distance: 67; within: 1;sid: 2009353; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Dev-C++ 4.9.9.2 -> Bloodshed Software] binary file"; flow:established,to_server; content: "|5589E583EC08C7042401000000FF15|";content: "|00E8C8FEFFFF908DB426000000005589E583EC08C7042402000000FF15|"; distance: 16; within: 29;content: "|00E8A8FEFFFF908DB42600000000558B0D|"; distance: 30; within: 17;content: "|0089E55DFFE18D742600558B0D|"; 
distance: 18; within: 13;sid: 2009354; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIET v1.00, v1.00d] binary file"; flow:established,to_server; content: "|BF|";content: "|3BFC72|"; distance: 2; within: 3;con
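Every rule in this batch has the same shape: a first content that may sit anywhere in the stream, then further contents pinned to it with distance/within, where within equals the content length, so each later content has to sit at exactly one offset from the previous match. That is a PEiD-style entry-point signature with its ?? wildcards turned into distance gaps. The Python below is an added example by the editor, not code from the Emerging Threats post or ruleset: it parses one of the rules above (sid 2009324, copied verbatim) into its content chain, replays the relative-match semantics over constructed byte buffers (a hit, a miss where one gap is a byte too long, and a buffer where the first content occurs twice so the engine has to retry), lints each link, and checks the chain against the editor's reconstruction of the wildcard pattern the rule encodes. The PEiD pattern string, the buffers and all function names are the editor's assumptions, not quoted from any signature database.

```python
"""Relative content chains in the packer signatures above.

Editor's added example, not code from the Emerging Threats post or ruleset. It uses
sid 2009324 ([Crunch/PE v1.0.x.x]) copied from the post plus constructed byte buffers;
PEID_CRUNCH_PE is the editor's reconstruction of the wildcard pattern that rule
encodes, not a quote from a PEiD database.
"""
import re
from typing import List, Optional, Tuple

Chain = List[Tuple[bytes, Optional[int], Optional[int]]]  # (pattern, distance, within)

RULE_2009324 = (  # copied verbatim from the post above
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crunch/PE v1.0.x.x] binary file"; '
    'flow:established,to_server; content: "|55E8|";content: "|5D83ED068BC5556089AD|"; '
    'distance: 4; within: 10;content: "|2B85|"; distance: 12; within: 2;content: "|8985|"; '
    'distance: 4; within: 2;content: "|80BD|"; distance: 4; within: 2;content: "|7509C685|"; '
    'distance: 4; within: 4;sid: 2009324; rev:1;)'
)
PEID_CRUNCH_PE = (  # editor's reconstruction: one '??' per byte of distance, one content per literal run
    "55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? "
    "2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? 75 09 C6 85"
)
_OPT = re.compile(r'(?<!\w)(content|distance|within)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def _decode_content(raw: str) -> bytes:
    """|..| runs are hex, the rest literal text (escapes, nocase, negation: out of scope)."""
    parts = raw.strip('"').split('|')
    return b''.join(bytes.fromhex(p) if i % 2 else p.encode('latin-1') for i, p in enumerate(parts))


def parse_contents(rule: str) -> Chain:
    """Ordered content/distance/within chain of one rule."""
    chain: Chain = []
    for key, val in _OPT.findall(rule[rule.index('(') + 1:rule.rindex(')')]):
        if key == 'content':
            chain.append((_decode_content(val), None, None))
        elif not chain:
            raise ValueError(f'{key} before any content')
        else:
            pat, dist, win = chain[-1]
            chain[-1] = (pat, int(val), win) if key == 'distance' else (pat, dist, int(val))
    return chain


def lint_chain(chain: Chain) -> List[str]:
    """Links that can never match: a within window shorter than the pattern itself."""
    return [f'content {i}: within {win} < pattern length {len(pat)}'
            for i, (pat, _dist, win) in enumerate(chain) if win is not None and win < len(pat)]


def match_chain(payload: bytes, chain: Chain) -> Optional[List[int]]:
    """Replay the relative-match semantics; returns each content's offset, or None.

    The first content may occur anywhere. Each later one is searched in a window that
    starts `distance` bytes after the previous match ends and is `within` bytes long,
    and must fit inside it. If a later link fails, earlier links are retried at their
    next occurrence, as the detection engines do.
    """
    def step(i: int, prev_end: int, found: List[int]) -> Optional[List[int]]:
        if i == len(chain):
            return found
        pat, dist, win = chain[i]
        start = 0 if i == 0 else prev_end + (dist or 0)
        end = len(payload) if i == 0 or win is None else start + win
        pos = payload.find(pat, start, end)
        while pos != -1:
            hit = step(i + 1, pos + len(pat), found + [pos])
            if hit is not None:
                return hit
            pos = payload.find(pat, pos + 1, end)
        return None
    return step(0, 0, [])


def peid_to_chain(signature: str) -> Chain:
    """'55 E8 ?? ?? 5D' -> chain with distance = wildcard count and within = run length,
    the shape of every rule above. Leading wildcards would need offset:, so they are dropped."""
    chain: Chain = []
    for wild, lit in re.findall(r'((?:\?\?\s*)*)((?:[0-9A-Fa-f]{2}\s*)+)', signature):
        pat = bytes.fromhex(lit)
        chain.append((pat, wild.count('??'), len(pat)) if chain else (pat, None, None))
    return chain


def build_sample(chain: Chain,
                 prefix: bytes = b'MZ' + b'\x00' * 62, filler: bytes = b'\x90') -> bytes:
    """Constructed payload with every content exactly where the chain expects it."""
    buf = bytearray(prefix)
    for pat, dist, _win in chain:
        buf += filler * (dist or 0) + pat
    return bytes(buf)


CHAIN_2009324 = parse_contents(RULE_2009324)
SAMPLE_HIT = build_sample(CHAIN_2009324)                    # constructed: matches
SAMPLE_MISS = SAMPLE_HIT[:80] + b'\x90' + SAMPLE_HIT[80:]   # constructed: gap before 2B85 one byte too long
SAMPLE_BACKTRACK = b'\x55\xE8' + b'\x00' * 30 + SAMPLE_HIT  # constructed: decoy 55 E8 at offset 0

if __name__ == '__main__':
    print('lint:', lint_chain(CHAIN_2009324) or 'ok')
    print('PEiD pattern == rule chain:', peid_to_chain(PEID_CRUNCH_PE) == CHAIN_2009324)
    for name, buf in ('hit', SAMPLE_HIT), ('miss', SAMPLE_MISS), ('backtrack', SAMPLE_BACKTRACK):
        print(name, match_chain(buf, CHAIN_2009324))
```

Two checks are worth running over a batch like this before loading it. lint_chain flags any link whose within is smaller than its own content, which can never match; the last content of sid 2009336 above is worth feeding to parse_contents to confirm its byte length against its within:75. The other check is direction: every rule here is $EXTERNAL_NET -> $HOME_NET with flow:established,to_server, so as written it inspects what an external client sends to a server inside $HOME_NET, not a file an internal client downloads; catching downloads needs flow:established,to_client (or the reversed header). Chains that open with a one-byte content such as |BF| or |E8| will find that first link in almost any binary data; Snort picks the longest content as the fast pattern by default, so the longer later contents do the real filtering, but the backtracking shown in match_chain is exactly what the engine has to do for such rules.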